CIS 1680- Chapter 2


Collect Data

-Different types of malware are designed to collect important data from the user's computer and make it available to the attacker -This type of malware includes: --spyware --adware

Viruses cannot automatically spread to another computer

-relies on user action to spread -viruses are attached to files -viruses are spread by transferring infected files

What is the name of the threat actor's computer that gives instructions to an infected computer?

Command and Control (C&C) server

Attacks Using Malware

Malicious software (malware) -Enters a computer system without the owner's knowledge or consent -Uses a threat vector to deliver a malicious "payload" that performs a harmful function once it is invoked Malware is a general term that refers to a wide variety of damaging or annoying software

Summary 1

Malware is malicious software that enters a computer system without the user's knowledge or consent and includes an unwanted and harmful action. One method of classifying the various types of malware is by using the primary trait that the malware possesses. These traits are circulation, infection, concealment, and payload capabilities.

Summary 7

One of the most popular payloads of malware is software that will allow the infected computer to be placed under the remote control of an attacker. This infected robot computer is known as a bot. When multiple bot computers are gathered into a logical computer network, they create a botnet.

Ebba received a message from one of her tech support employees. In violation of company policy, a user had downloaded a free program to receive weather reports, but the program had also installed malware on the computer that gave the threat actor unrestricted access to the computer. What type of malware had been downloaded?

RAT

Some armored virus infection techniques include:

Swiss cheese infection, split infection, mutation

remote access Trojan (RAT)

a Trojan that also gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols

hoax

a false warning

Hoaxes

a false warning, usually claiming to come from the IT department -Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system -attackers may also provide telephone numbers for the victim to call for help, which will put them in direct contact with the attacker

How can an attacker use a hoax?

a hoax could convince a user that a bad Trojan is circulating and that he should change his security settings

Which of the following is NOT correct about a rootkit?

a rootkit is always the payload of a Trojan

Macro

a series of instructions that can be grouped together as a single command -a common data file virus is a macro virus, which is written in a script known as a macro

A watering hole attack is directed against which of the following?

a smaller group of specific users

impersonation

a social engineering attack that involves masquerading as a real or fictitious character and then playing out the role of that person on a victim

adware

a software program that delivers advertising content in a manner that is unexpected and unwanted by the user

Trojans

an executable program that does something other than advertised -contains hidden code that launches an attack -sometimes made to appear as a data file Ex: a user downloads a "free calendar program"; the program scans the system for credit card numbers and passwords and transmits the information to the attacker over the network

Trojan

an executable program that is advertised as performing one activity but which also performs a malicious activity

Which of these items retrieved through dumpster diving would NOT provide useful information?

books

logic bomb

computer code that lies dormant until it is triggered by a specific logical event

Which of the following is NOT a primary trait of malware?

diffusion

Dumpster diving

digging through trash to find information that can be useful in an attack -An electronic variation of dumpster diving is to use Google's search engine to look for documents and data posted online --Called Google Dorking

Program virus

infects an executable program file

computer virus

malicious code that reproduces itself on the same computer

Mutation

some viruses can mutate or change -an oligomorphic virus changes its internal code to one of a set of predefined mutations whenever it is executed -a polymorphic virus completely changes from its original form when executed -a metamorphic virus can rewrite its own code and appear different each time it is executed

Summary 2

One of the types of malware that has the primary trait of circulation is a computer virus. A virus is malicious computer code that reproduces itself on the same computer. A virus inserts itself into a computer file (a data file or program) and then looks to reproduce itself on the same computer as well as unload its malicious payload. Most viruses go to great lengths to avoid detection. Another type of such malware is a worm, which travels through a network and is designed to take advantage of a vulnerability in an application or an operating system to enter a user's computer. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer that has the same vulnerability.

Summary 6

The payload of other types of malware deletes data on the computer. A logic bomb is computer code that is typically added to a legitimate program but lies dormant until it is triggered by a specific logical event. Once it is triggered, the program then deletes data or performs other malicious activities. The payload of some types of malware attempts to modify the system's security settings so that more insidious attacks can be made. One type of malware in this category is called a backdoor. A backdoor gives access to a computer, program, or service that circumvents any normal security protections.

Infection

Three examples of malware that have the primary trait of infection: -Trojans -Ransomware -Crypto-malware

Physical Procedures

Two of the most common physical procedures are: -dumpster diving -tailgating

crypto-malware

malware that encrypts all the files on the device so that they cannot be opened

Malware can be classified by using the primary trait that the malware possesses:

-Circulation-spreading rapidly to other systems in order to impact a large number of users -Infection- how it embeds itself into a system -Concealment-avoid detection by concealing its presence from scanners -Payload Capabilities-what actions the malware performs

Tailgating

-Following behind an authorized individual through an access door -an employee could conspire with an authorized person to allow him to walk in with him (called piggybacking) -watching an authorized user enter a security code on a keypad is known as shoulder surfing

Viruses

-Most viruses today go to great lengths to avoid detection (called an armored virus)

Special type of trojan

-Remote access Trojan (RAT)- gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols

Payload Capabilities

-The destructive power of malware can be found in its payload capabilities -Primary payload capabilities are to: --collect data --delete data --modify system security settings --launch attacks

Delete Data

-The payload of other types of malware deletes data on the computer -Logic bomb- computer code that lies dormant until it is triggered by a specific logical event --difficult to detect before it is triggered --often embedded in large computer programs that are not routinely scanned

Psychological Approaches

-psychological approaches goal: to persuade the victim to provide information or take action -Attackers use a variety of techniques to gain trust without moving quickly: --provide a reason --project confidence --use evasion and diversion --make them laugh -Psychological approaches often involve: impersonation, phishing, spam, hoaxes, and watering hole attacks

Viruses can perform two actions:

-unloads a payload to perform a malicious action -reproduces itself by inserting its code into another file on the same computer Ex: cause a computer to repeatedly crash, erase files from or reformat hard drive, or turn off computer's security settings

Summary 3

Another category of malware has infection as its primary trait. A Trojan is a program advertised as performing one activity but in addition does something malicious. A special type of Trojan is a remote access Trojan (RAT), which has the basic functionality of a Trojan but also gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols. Ransomware prevents a user's device from properly and fully functioning until a fee is paid. Ransomware embeds itself onto the computer in such a way that it cannot be bypassed, and even rebooting still causes the ransomware to launch again. Crypto-malware encrypts all the files on the device so that none of them can be opened until a ransom is paid.

Summary 9

Attackers can use hoaxes (false warnings) as a first step in an attack, often contained in an email message claiming to come from the IT department. Recipients are told that they should erase specific files or change security configurations, and then forward the message to other users. A watering hole attack is directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company.

Concealment

Rootkits- software tools used by an attacker to hide the actions or presence of other types of malicious software --hide or remove traces of log-in records and log entries -May alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity -Users can no longer trust a computer that contains a rootkit --the rootkit is in charge and hides what is occurring on the computer
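A practical counterpart to the point above, added here as an example (it is not from the course or the textbook): a file-integrity check that hashes a tree of system files, keeps the digests as a baseline, and later reports which files were modified, added or removed. The directory layout, the file contents and the tampering performed in demo() are all constructed for the example. The caveat implied by the rootkit discussion still applies: a kernel-level rootkit can lie to the tool that reads the files, so the comparison is only trustworthy when run from clean media (a rescue disk) against a baseline stored off the machine.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large system binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Report files modified, added or removed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then tamper with it
    the way a rootkit would (replace a binary, drop a hidden file, wipe a log)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "var" / "log" / "auth.log").write_bytes(b"login root from 10.0.0.9\n")
        baseline = build_baseline(root)

        # Simulated rootkit tampering: a ps that ignores the attacker's processes,
        # a hidden loader dropped into bin, and the login record removed.
        (root / "bin" / "ps").write_bytes(b"modified ps that hides attacker processes")
        (root / "bin" / ".loader").write_bytes(b"kernel module loader")
        (root / "var" / "log" / "auth.log").unlink()
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline would be taken right after installation, signed, and kept off the host; the check is then run from trusted media so that the hashing code and the kernel it runs on are not the ones the rootkit controls.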

Summary 8

Social engineering is a means of gathering information for an attack by relying on the weaknesses of individuals. Many social engineering attacks rely on psychology, which is the mental and emotional approach rather than the physical. At its core, social engineering relies on an attacker's clever manipulation of human nature to persuade the victim to provide information or take actions. Several basic principles make psychological social engineering highly effective. These include authority, intimidation, consensus, scarcity, urgency, familiarity, and trust. Impersonation means to masquerade as a real or fictitious character and then play out the role of that person on a victim. Phishing is sending an email or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. Several variations on phishing attacks exist, such as spear phishing, whaling, and vishing. Spam, or unsolicited email that is sent to a large number of recipients, is annoying, interferes with work productivity, and can be a security vulnerability.

Summary 4

Some malware has as its primary trait avoiding detection. A rootkit can hide its presence or the presence of other malware (like a virus) on the computer by accessing lower layers of the operating system or even using undocumented functions to make alterations.

Summary 10

Some social engineering attacks rely on physical acts. Dumpster diving involves digging through trash receptacles to find information that can be useful in an attack. Organizations invest large sums of money to install specialized doors that only permit access to authorized users who possess a special card or who can enter a specific code, yet they do not always control how many people enter the building when access is allowed. Following an authorized person through an open door is known as tailgating. If an attacker cannot enter a building as a tailgater without raising suspicion, an alternative is to watch an individual entering secret information, such as the security code on a keypad. This is known as shoulder surfing.

Summary 5

The destructive power of malware is to be found in its payload capabilities. Different types of malware are designed to collect important data from the user's computer and make it available to the attacker. Spyware is tracking software that is deployed without the consent or control of the user. One type of spyware is a keylogger, which silently captures and stores each keystroke that a user types on the computer's keyboard. A keylogger can be a software program or a small hardware device. Adware is a software program that delivers advertising content in a manner that is unexpected and unwanted by the user.

Circulation

Two types of malware have the primary trait of circulation: -viruses -worms

Watering Hole attack

a malicious attack that is directed toward a small group of specific individuals who visit the same website Ex: major executives working for a manufacturing company may visit a common website, such as a parts supplier to the manufacturer

watering hole attack

a malicious attack that is directed toward a smaller group of specific individuals by embedding malware in a website frequented by these individuals

worm

a malicious program that uses a computer network to replicate

social engineering

a means of gathering information for an attack by relying on the weaknesses of individuals

Social engineering

a means of gathering information for an attack by relying on the weaknesses of individuals -attacks can involve psychological approaches as well as physical procedures

Crypto-malware

a more malicious form of ransomware in which threat actors encrypt all files on the device so that none of them can be opened -Once infected with crypto-malware: --the software connects to the threat actor's command and control (C&C) server to receive instructions or updated data --a locking key is generated for the encrypted files, and that key is encrypted with another key that has been downloaded from the C&C server --this second key is sent to the victim once the ransom is paid
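Added example, not part of the original page: a detector for the file-encryption stage described in the crypto-malware entries above. It measures the Shannon entropy of file contents, skips formats that are legitimately high-entropy (compressed archives, images, PDFs) by their magic bytes, and alerts when a large share of files flip from plaintext-like to ciphertext-like between two snapshots. The documents, the PNG-like file and the seeded pseudo-random bytes standing in for ciphertext are all constructed; the 7.5-bit threshold and the 50% ratio are tuning assumptions, not figures from the page.

```python
import math
import random
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy (compressed or media),
# so the heuristic does not flag every zip, gzip, jpeg, png or pdf as "encrypted".
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 when all 256 byte values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: near-uniform bytes that are not a known compressed/media format."""
    if len(data) < 256:                       # too small for the statistic to mean anything
        return False
    if data.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= threshold


def scan_snapshot(files: dict) -> list:
    """Names of files (name -> bytes) whose content looks like ciphertext."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))


def mass_encryption_detected(before: dict, after: dict, min_ratio: float = 0.5) -> bool:
    """Alert when a large share of files flipped from plaintext-like to ciphertext-like
    between two snapshots. One encrypted file is normal; most of them at once is not."""
    flipped = [n for n in after
               if n in before and not looks_encrypted(before[n]) and looks_encrypted(after[n])]
    return bool(before) and len(flipped) / len(before) >= min_ratio


def pseudo_ciphertext(rng: random.Random, n: int) -> bytes:
    """Seeded pseudo-random bytes standing in for encrypted file content (constructed data)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> dict:
    """Constructed data: two documents plus a PNG-like file, then the documents
    are overwritten with pseudo-ciphertext while the image is left untouched."""
    rng = random.Random(1234)                  # seeded so the run is reproducible
    before = {
        "report.docx": b"Quarterly report: revenue up 3 percent. " * 100,
        "notes.txt": b"Meeting notes: discuss supplier contract renewal. " * 80,
        "photo.png": b"\x89PNG" + pseudo_ciphertext(rng, 4096),   # high entropy but legitimate
    }
    after = dict(before)
    after["report.docx"] = pseudo_ciphertext(rng, 4096)
    after["notes.txt"] = pseudo_ciphertext(rng, 4096)
    return {
        "flagged_before": scan_snapshot(before),
        "flagged_after": scan_snapshot(after),
        "alert": mass_encryption_detected(before, after),
    }


if __name__ == "__main__":
    print(demo())
```

Entropy alone produces false positives on compressed data, which is why the magic-byte allow-list and the "many files at once" ratio are part of the check; production tooling adds rate (files rewritten per minute), ransom-note drops and extension changes as further signals.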

spear phishing

a phishing attack that targets only specific users

whaling

a phishing attack that targets only wealthy individuals

vishing

a phishing attack that uses telephone calls instead of emails

bot

an infected computer that is under remote control of an attacker for the purpose of launching attacks, also known as a zombie

Bot or zombie

an infected computer that is under the remote control of an attacker -groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder) -Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders --a common C&C mechanism used today is HTTP, which is more difficult to detect and block because it blends in with ordinary web traffic that firewalls already allow out
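Added example (not from the original page) of one way defenders catch HTTP-based C&C even though it blends into web traffic: a bot typically polls (beacons) its C&C server on a timer, so requests from one client to one host arrive at suspiciously regular intervals, unlike human browsing. The proxy log lines are constructed; the five-request minimum and the coefficient-of-variation threshold are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log (not real traffic): timestamp, client IP, destination host, path.
# updates.example-cdn.net is contacted every five minutes, the regularity a beaconing bot
# shows; the www.example.com requests stand in for ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:00:03 10.0.0.5 www.example.com /news
2024-05-01T10:05:00 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:07:41 10.0.0.5 www.example.com /sports
2024-05-01T10:10:00 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:15:01 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:19:12 10.0.0.5 www.example.com /weather
2024-05-01T10:20:00 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:24:59 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:30:00 10.0.0.5 updates.example-cdn.net /check
2024-05-01T10:33:20 10.0.0.7 www.example.com /news
"""


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, client, host) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, host, _path = fields
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(events: list, min_requests: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (client, host) pairs whose inter-request gaps are suspiciously regular.
    cv = standard deviation / mean of the gaps: human browsing has a high cv, a
    timer-driven beacon a low one. Implants add jitter, so max_cv is a tuning knob."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"requests": len(times), "interval_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

A low cv is a lead, not a verdict: legitimate software updaters and monitoring agents beacon too, so the hit is normally enriched with the destination's reputation, the user agent and the response sizes before anyone blocks it.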

computer contaminant

any data, information, image, program, signal or sound that is designed or has the capability to: contaminate, corrupt, consume, damage, destroy, disrupt, modify, record, or transmit; or cause to be contaminated, corrupted, consumed, damaged, destroyed, disrupted, modified, recorded or transmitted, any other data, information, image, program, signal or sound contained in a computer, system or network without the knowledge or consent of the person who owns the other data, information, image, program, signal or sound or the computer, system or network

Impersonation

attacker pretends to be someone else: -Help desk support technician -IT support -Manager -Trusted third party -Fellow employee --Attacker will often impersonate a person with authority because victims generally resist saying "no" to anyone in power

Linnea's father called her to say that a message suddenly appeared on his screen that says his software license has expired and he must immediately pay $500 to have it renewed before control of the computer will be returned to him. What type of malware is this?

blocking ransomware

What is the term used for a threat actor who controls multiple bots in a botnet?

bot herder

Keylogger

captures and stores each keystroke that a user types on the computer's keyboard -the attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information -can be a small hardware device or a software program -as a hardware device, it is inserted between the keyboard cable and the computer's USB port -software keyloggers are programs installed on the computer that silently capture information -an advantage of software keyloggers is that they do not require physical access to the user's computer -often installed as a Trojan or virus; can send captured information back to the attacker via the Internet

Astrid's computer screen suddenly says that all files are now locked until money is transferred to a specific account, at which time she will receive a means to unlock the files. What type of malware has infected her computer?

crypto-malware

Backdoor

gives access to a computer, program, or service that circumvents normal security protections --when installed on a computer, a backdoor allows the attacker to return at a later time and bypass security settings

Hedda pretends to be the help desk manager and calls Steve to trick him into giving her his password. What social engineering attack has Hedda performed?

impersonation

Lykke receives a call while working at the help desk from someone who needs his account reset immediately. When Lykke questions the caller, he says, "if you don't reset my account immediately, I will call your supervisor!" What psychological approach is the caller attempting to use on Lykke?

intimidation

Each of these is a reason why adware is scorned EXCEPT ________.

it displays the attacker's programming skills

virus

malicious computer code that reproduces itself on the same computer

Worm

malicious program that uses a computer network to replicate -sends copies of itself to other network devices Worms may: consume resources or leave behind a payload to harm infected systems Ex: deleting computer files or allowing remote control of a computer by an attacker

rootkit

malware that hides its presence or the presence of other malware

Ransomware

malware that prevents a user's device from properly and fully functioning until a fee is paid

Which type of mutation completely changes a virus from its original form by rewriting its own code whenever it is executed?

metamorphic

Ransomware

prevents a user's device from properly operating until a fee is paid; it is highly profitable -a variation of ransomware displays a fictitious warning that a software license has expired or that there is a problem, and that users must purchase additional software online to fix it

Adware

program that delivers advertising content in a manner unexpected and unwanted by the user -typically displays advertising banners and pop-up ads -may open new browser windows randomly Users disapprove of adware because: -adware can display objectionable content -frequent popup ads can interfere with a user's productivity -popup ads can slow a computer or even cause crashes and the loss of data -unwanted advertisements can be a nuisance

Which of these could NOT be defined as a logic bomb?

send spam email to Moa's inbox on Tuesday

Phishing

sending an email claiming to be from a legitimate source -tries to trick the user into giving away private information -the emails and fake websites are difficult to distinguish from legitimate ones Variations on phishing attacks: -spear phishing- targets specific users -whaling- targets the "big fish" (wealthy individuals) -vishing- uses a telephone call instead of email -About 97% of all attacks start with phishing
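Added example, not from the original page: a small triage routine for the URLs in a suspicious email that labels links pointing at lookalike domains, the reason phishing sites are "difficult to distinguish from legitimate ones". It folds common homoglyphs (0/o, 1/l, rn/m), measures edit distance to a list of protected domains, and catches the trick of using a brand name as a subdomain of an unrelated domain. The protected domains, the homoglyph table and the sample email are constructed; treating the last two labels as the registrable domain is a simplification (real code would use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Domains the organisation wants to protect (constructed for this example).
PROTECTED = {"example-bank.com", "example-mail.com"}

# Small illustrative homoglyph table (assumption: a real filter would use a much
# larger confusables list). Applied after lowercasing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label: str) -> str:
    """Fold look-alike characters so 'examp1e' and 'exarnple' both compare as 'example'."""
    s = label.lower()
    for lookalike, real in HOMOGLYPHS.items():
        s = s.replace(lookalike, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, protected=PROTECTED) -> str:
    """Label a URL as legitimate, brand-as-subdomain, lookalike or unrelated.
    Assumption: the registrable domain is the last two labels of the host."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if ".".join(labels[-2:]) in protected:
        return "legitimate"
    for domain in sorted(protected):
        brand = domain.split(".", 1)[0]
        if brand in labels[:-2]:                      # example-bank.com.verify-login.net
            return "brand-as-subdomain"
        if len(labels) >= 2 and levenshtein(normalize(labels[-2]), normalize(brand)) <= 2:
            return "lookalike"                        # examp1e-bank.com, example-bank.co
    return "unrelated"


def triage_email(body: str) -> dict:
    """Map every URL found in an email body to its classification."""
    return {url: classify_url(url) for url in URL_RE.findall(body)}


# Constructed phishing-style message (not a real email).
SAMPLE_EMAIL = """\
Dear customer, your account has been limited.
Log in within 24 hours at http://examp1e-bank.com/login to restore access,
or visit https://example-bank.com.verify-login.net/reset if that fails.
Official site: https://login.example-bank.com/account
Unsubscribe: https://www.unrelated-news.org/story
"""


if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:20} {url}")
```

The classifier is one input to a mail filter, not a verdict on its own: the "unrelated" label covers both harmless links and freshly registered phishing domains that imitate nothing, so domain age and reputation are normally checked alongside it.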

phishing

sending an email or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information

backdoor

software code that gives access to a computer, program or a service that circumvents any normal security protections

Which statement regarding a keylogger is NOT true?

software keyloggers are generally easy to detect

Malware

software that enters a computer system without the user's knowledge or consent and then performs an unwanted and usually harmful action

Spyware

software that gathers information without user consent --uses the computer's resources for the purpose of collecting and distributing personal or sensitive information

Which of these is a general term used for describing software that gathers information without the user's consent?

spyware

keylogger

spyware that silently captures and stores each keystroke that a user types on the computer's keyboard

Which of the following is defined as following an authorized person through a secure door?

tailgating

dumpster diving

the act of digging through trash receptacles to find information that can be useful in an attack

spyware

tracking software that is deployed without the consent or control of the user

Spam

unsolicited e-mail -one of the primary vehicles for distribution of malware -sending spam is a lucrative business --it costs spammers very little to send millions of spam messages -Filters look for specific words and block the email Image spam- uses graphical images of text in order to circumvent text-based filters --often contains nonsense text so that it appears legitimate

Which type of malware requires a user to transport it from one computer to another?

virus

Virus infection method: Appender infection

virus appends itself to end of a file -easily detected by virus scanners

Split infection

virus splits into several parts -parts are placed at random positions in the host program -the parts may contain unnecessary "garbage" code to mask their true purpose

Swiss cheese infection

viruses inject themselves into executable code -virus code is "scrambled" to make it more difficult to detect

shoulder surfing

watching a user enter secret information

Which variation of a phishing attack sends phishing messages only to wealthy individuals?

whaling

tailgating

when an unauthorized individual enters a restricted-access building by following an authorized user

