07 CEH: Malware Threats
Which *netstat* flag displays active TCP connections and includes the process ID (PID) for each connection?
-o
What 2 things differentiate a *worm* from a *virus*?
1. A worm replicates on its own, instead of attaching to other programs 2. A worm spreads throughout the network, but a virus spreads throughout different aspects of a particular host
What are the 7 steps of *infecting systems using a trojan*?
1. Create a new Trojan packet 2. Employ a dropper or downloader to install the malicious code on the target system 3. Employ a wrapper to bind the Trojan to a legitimate file 4. Employ a crypter to encrypt the Trojan 5. Propagate the Trojan by various methods 6. Deploy the Trojan on the victim's machine by executing dropper or downloader on the target machine 7. Execute the damage routine
What are the 6 stages in the *virus lifecycle*?
1. Design 2. Replication 3. Launch 4. Detection 5. Incorporation 6. Execution of the damage routine
What are the 4 phases of a *fileless malware attack*?
1. Point of Entry 2. Code Execution 3. Persistence 4. Achieving Objectives
What are the 6 phases in the *Advanced Persistent Threat (APT) Lifecycle*?
1. Preparation (define target, research target, organize team, build or attain tools, test for detection) 2. Initial Intrusion 3. Expansion 4. Persistence 5. Search and Exfiltration 6. Cleanup
What is DNSQuerySniffer?
A DNS resolution monitoring tool
What is DriverView?
A device driver monitoring tool
What is AntiVirus Pro 2017?
A fake antivirus program
What is Antivirus 10?
A fake antivirus program
What is PCSecureSystem?
A fake antivirus program
What is Netwrix Auditor?
A file and folder monitoring tool
What is PA File Sight?
A file and folder monitoring tool
What is Tripwire?
A file and folder monitoring tool
What is Capsa?
A network traffic monitoring / analysis tool
What is PEiD?
A packing / obfuscation identification tool
What is TCPView?
A port monitoring tool
What is BitPaymer?
A ransomware family
What is CTB-Locker?
A ransomware family
What is Cerber?
A ransomware family
What is CryptXXX?
A ransomware family
What is Crypto Defense Ransomware?
A ransomware family
What is Crypto Locker Ransomware?
A ransomware family
What is Cryptobit Ransomware?
A ransomware family
What is Cryptowall Ransomware?
A ransomware family
What is Sodinokibi?
A ransomware family
What is jv16 PowerTools?
A registry monitoring tool
What is *Autoruns for Windows*?
A startup program monitoring tool
What is WinPatrol?
A startup program monitoring tool
What is BinText?
A string search tool
What is PE Explorer?
A tool for finding PE information about an executable
What is Godzilla?
A trojan downloader
What is Dridex?
A trojan dropper
What is Emotet?
A trojan dropper
What is Senna?
A trojan generator
What is Advanced File Joiner?
A trojan wrapper
What is Elite Wrap?
A trojan wrapper
What is IExpress Wizard?
A trojan wrapper
What is Bhavesh?
A virus maker
What is DELmE?
A virus maker
What is JPS?
A virus maker
What is Beapy?
A worm
What is Bondat?
A worm
What is Monero?
A worm
What is a type of network attack where an attacker gains unauthorized access to a target network from the outside and *remains undetected for a long period of time*?
Advanced Persistent Threat (APT)
What is API Monitor?
An API call monitoring tool
What is Angler?
An exploit kit
What is Magnitude?
An exploit kit
What is RIG?
An exploit kit
What is another word for *dynamic malware analysis*?
Behavioral analysis
What is the CVE number of the Windows VBScript engine remote code execution vulnerability?
CVE-2018-8174
What type of virus stores itself with the same filename as the target program file, infects the computer upon executing the file, and modifies hard-disk data?
Camouflage virus
What ransomware is delivered when an attacker uses the RIG exploit kit by taking advantage of outdated versions of applications such as Flash, Java, Silverlight, and Internet Explorer?
Cerber
What is another word for *static malware analysis*?
Code analysis
What virus detection method involves AV executing malware inside a virtual machine and analyzing its behavior to categorize it?
Code emulation method
What is software that protects malware from undergoing reverse engineering or analysis?
Crypter
In what stage of the virus lifecycle is the virus developed?
Design
In what stage of the virus lifecycle is the virus identified as a threat?
Detection
What do you call exploiting flaws in browser software to install malware just by visiting a web page?
Drive-by download
In what stage of the virus lifecycle does the user update their AV solution, eliminating the virus?
Execution of the damage routine
At what phase in the APT lifecycle does the attacker obtain administrative access and/or spread malware to other systems within the environment?
Expansion
What is a platform to deliver exploits and payloads?
Exploit kit
What is the process of computing the hash value for a given binary?
File fingerprinting
What is Divergent?
Fileless malware
What is malware that infects legitimate software, applications, and other protocols existing in the system to achieve its goals?
Fileless malware / non-malware
What type of virus detection method is proficient at detecting new viruses from known virus strains?
Heuristic analysis
What is the fileless malware attack in which an attacker injects a malicious payload into the RAM that targets a legitimate process without leaving any footprints?
In-memory exploit
In what stage of the virus lifecycle is the virus's signature integrated into AV solutions?
Incorporation
At what phase in the APT lifecycle does the attacker send spear-phishing emails, perform social engineering, exploit vulnerabilities, and deploy malware?
Initial intrusion
What is a program that injects its code into other vulnerable running processes?
Injector
What is Mirekusoft Install Monitor?
Installation monitoring tool
What virus detection method involves integrity checking products that work by reading the entire disk and recording integrity data that act as a signature for the files and system sectors?
Integrity checking method
What virus detection method involves monitoring the operating system calls?
Interception method
In what stage of the virus lifecycle is the virus activated by particular user actions?
Launch
What is embedding malware in *ad-networks* that display across hundreds of legitimate, high-traffic sites?
Malvertising
What fileless technique is used by an attacker to exploit operating systems such as Windows that include pre-installed tools such as PowerShell and Windows Management Instrumentation?
Native applications
What is a program that conceals its code via various techniques?
Obfuscator
What is a program that bundles files together into a single compressed executable file in order to bypass detection by security software?
Packer
At what phase in the APT lifecycle does the attacker create additional footholds within the target environment by creating services and installing applications in rarely-scanned locations?
Persistence
What type of virus is an enhanced encryption virus that uses a code engine to cipher itself as it replicates, constantly mutating its appearance while maintaining its original functionality?
Polymorphic virus
At what phase in the APT lifecycle does the attacker perform any preliminary configurations such as registering domains, hosting malware sites, creating malware, and configuring C2 servers?
Preparation
What is *black hat Search Engine Optimization (SEO)*?
Ranking malware pages highly in search results
What is Dharma?
Ransomware
What is eCh0raix?
Ransomware
In what stage of the virus lifecycle does the virus replicate itself within the target system?
Replication
What *protocol* does the WannaCry ransomware exploit during the attack on any Windows machine?
SMB
What ransomware adopts the RSA-2048 asymmetric encryption technique to encrypt local files in infected systems?
SamSam
What virus detection method involves looking through traffic for particular signatures?
Scanning method
What is a computer installed with port monitors, file monitors, network monitors, and antivirus software that only connects to a network under strictly controlled conditions for the purpose of analyzing malware?
Sheep dip computer
What type of virus infects only occasionally upon satisfying certain conditions or when the length of the file falls within a narrow range?
Sparse infector virus
What is the main objective of *Advanced Persistent Threats (APTs)*?
The main objective behind these attacks is to obtain sensitive information, rather than sabotaging the organization and its network
What type of virus transfers all controls of the host code to where it resides in the memory, selects the target program to be modified, and corrupts it?
Transient virus
What type of virus hides itself from antivirus programs by actively altering and corrupting service call interrupts while running?
Tunneling / stealth virus
What are the 3 types of *fileless malware*?
Type 1, Hardware: no file activity performed at all; Type 2, Execution/Injection: no files written on disk, but some files used indirectly; Type 3, Exploit: files required to achieve fileless persistence
What is a *self-replicating* program that produces its own copy by attaching itself to another program, computer boot sector, or document?
Virus
What is a false alarm claiming reports about a non-existing virus that may contain virus attachments?
Virus hoax
What is the networking DLL that a Windows application will leverage to connect to a network or perform network-related tasks?
WSock32.dll
What is SrvMan?
Windows Service Manager is a tool for monitoring Windows services
By conducting what type of monitoring techniques can a security professional identify the presence of any malware that manipulates HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide its processes?
Windows services monitoring
What is a malicious program that independently replicates, executes, and spreads *across the network*?
Worm