CISSP Chapter 21: Malicious Code and Application Attacks
____________ techniques display advertisements on infected computers.
Adware
______________ are undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.
Backdoors
______________ vulnerabilities exist when a developer doesn't properly validate user input to ensure that it is of an appropriate size.
Buffer Overflow
What are the 3 main areas in which anti-malware software should be used?
Client systems, server systems, and content filters that help read code for maliciousness
The ____________ worm ran across IIS web servers in 2011, probing IP addresses, defacing HTML pages, and planting logic bombs to initiate a DoS attack against the White House.
Code Red
_________________ attacks occur when web applications contain some type of reflected input. Typically done by inserting <SCRIPT> </SCRIPT> portions into input boxes. Defeated by input validation.
Cross site scripting (XSS)
____________ web applications can provide information specific to an individual user. They use a database to create content on demand when the user makes a request.
Dynamic
____________ viruses use cryptographic techniques to avoid detection. They use a virus decryption routine to load and decrypt the main virus code stored elsewhere on the disk. This also changes the signature of the virus.
Encrypted
_____________ is done after compromising (breaking into) a system in order to obtain more comprehensive administrative/root access.
Escalation of privileges
In an _________________ attack, the malicious individual simply reconfigures their system so that it has the IP address of a trusted system and then attempts to gain access to other external resources.
IP spoofing
_____________ are one of the first attacks usually done against a network. Automated tools simply attempt to ping each address in a range. Systems that respond to the request are logged for further analysis.
IT probes/sweeps/ping sweeps
The ___________ worm exploited 4 holes in the Unix OS: the Sendmail debug mode, a password attack, a finger vulnerability (used to determine who was logged on), and trust relationships (used to spread along trusted paths).
Internet
______________ are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, and so on.
Logic bombs
____________ viruses propagate very quickly via macros in certain applications and infect things like documents.
Macro
_____________ are scripts that help automate repetitive tasks within an application.
Macros
______________ viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other.
Multipartite
What are the 4 types of viruses that attempt to escape detection?
Multipartite viruses, stealth viruses, polymorphic viruses, encrypted viruses
___________ viruses actually modify their own code as they travel from system to system, changing the signature of the virus each time it infects a new system to fool antivirus software.
Polymorphic
___________ show what public services are running on each machine defined by an IT probe.
Port scans
___________________ infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator. They then ask for a ransom in exchange for the decryption key.
Ransomware
______________ are a common way of performing escalation of privilege attacks.
Rootkits
__________ attacks use unexpected input into web applications to gain unauthorized access to an underlying database.
SQL Injection
________________ viruses inject themselves into trusted runtime processes of the OS such as svchost.exe, winlogon.exe, and explorer.exe. By compromising these processes, the virus can avoid detection by antivirus software.
Service Injection
______________ occurs when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a technique to take over the session and assume the identity of the authorized user.
Session hijacking
________________ consists of tricking users into giving up passwords via a call, email, etc. Today it typically relies on phishing emails.
Social engineering
_____________ monitors your actions and transmits important details to a remote system that spies on your activity.
Spyware
___________ viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally.
Stealth
_____________ was a highly sophisticated worm that searched for unprotected administrative shares, exploited zero-day vulnerabilities, connected to systems using default database passwords, and spread via shared infected USB drives. It appeared in Iran, allegedly to disrupt that country's nuclear program.
Stuxnet
What are the 2 main functions of a computer virus?
To propagate and destroy.
A _______________ is a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network.
Trojan-horse
Rogueware and ransomware are what type of malicious software?
Trojan-horse
____________ produce reports about vulnerabilities on a system, letting attackers know where to attack.
Vulnerability scans
_____________ contain the same destructive potential as other malicious code but they propagate themselves without requiring any human intervention.
Worms
A variation of the file infector virus is the __________ virus. These viruses are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate OS file.
companion
Many viruses infect different types of executables and trigger when the OS attempts to execute them. The propagation routines of _____________ viruses may slightly alter the code of an executable program, thereby implanting the technology the virus needs to replicate and damage the system. Sometimes the entire file is replaced with the infected version.
file infector
Many antivirus packages also use ___________-based mechanisms to detect potential malware infections. They analyze the behavior of software, looking for signs of virus activity, such as attempts to elevate privilege level, cover their electronic tracks, and alter unrelated or operating system files.
heuristic
The ____________ virus attacks the master boot record, which is the portion of bootable media (hard disk, USB drive, CD/DVD) that the computer uses to load the operating system during the boot process. These viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the payload.
master boot record (MBR)
______________-based anti-virus software packages protect against specific common types of virus invasion vectors. They keep a database of the known telltale characteristics of all known viruses and can scan for and detect them.
signature
The ______________ issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.
time-of-check to time-of-use (TOC/TOU)
The computer _________ is the earliest form of malicious code and remains highly prevalent.
virus