2.2 Malware

Potentially unwanted program (PUP)

A PUP is a software inadvertently installed that contains adware, installs toolbars, or has other objectives. PUP is software that contains adware, installs toolbars, or has other unclear objectives. A PUP is different from malware because the user gives consent to download it. If you download a program from the internet but forget to read the download agreement, you may end up with unwanted programs being downloaded. A few signs that you have PUPs on your computer include browser popups recommending fake updates or other software; webpages you typically visit not displaying properly; and ads appearing where they shouldn't.

Zombie

A computer that is infected with malware and is controlled by a command and control center called a zombie master. A zombie is a malware infected computer that allows remote software updates and control by a command and control center called a zombie master. A zombie: Is also known as a bot, short for robot. Commonly uses Internet Relay Chat (IRC) channels, also known as chat rooms), to communicate with the zombie master. Is frequently used to aid spammers. Is used to commit click fraud. The internet uses a form of advertising called pay-per-click, in which a developer of a website places clickable links for advertisers on the website. Each time the link is clicked, a charge is generated. Zombie computers can be used to commit click fraud by imitating a legitimate user clicking an ad. Is used for performing denial-of-service attacks.

Fileless virus

A fileless virus uses legitimate programs to infect a computer. Because it doesn't rely on files, it leaves no footprint, making it undetectable by most antivirus, whitelisting, and other traditional endpoint security solutions. Fileless malware works in a similar way as a traditional virus, but it operates in memory. It never touches the hard drive. Attackers use social engineering schemes to get users to click a link in a phishing email. When the webpage opens, the virus gets into the inner recesses of a trusted application such as PowerShell or Windows script host executables.

Botnet

A group of zombie computers that are commanded from a central control infrastructure. A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet: Operates under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order the bots to perform actions. Is detected through the use of firewall logs to determine if a computer may be acting as a zombie participating in external attacks.

Script kiddy

A less-skilled hacker who often relies on automated tools or scripts written by crackers to scan systems and exploit weaknesses.

Trojan horse

A malicious program that is disguised as legitimate or desirable software. A Trojan horse: Cannot replicate itself. Does not need to be attached to a host file. Often contains spying functions, such as a packet sniffer, or backdoor functions that allow a computer to be remotely controlled from the network. Often is hidden in useful software, such as screen savers or games. A wrapper is a program that is used legitimately, but has a Trojan attached to it. The Trojan infiltrates the computer that runs the wrapper software. Relies on user decisions and actions to spread.

Cracker

A person actively engaged in developing and distributing worms, Trojans, and viruses; engaging in probing and reconnaissance activities; creating toolkits so that others can hack known vulnerabilities; and/or cracking protective measures.

Hacker

A person who commits crimes through gaining unauthorized access to computer systems.

Virus

A program that attempts to damage a computer system and replicate itself to other computer systems.

Which of the following describes a logic bomb?

A program that performs a malicious activity at a specific time or after a triggering event.

Scareware

A scam to fool a user into thinking there is some form of malware on the system. Scareware is a scam to fool users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.

Worm

A self-replicating malware program. A worm: Does not require a host file to propagate. Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without any user assistance. Infects one system and spreads to other systems on the network.

Rootkit

A set of programs that allows attackers to maintain hidden, administrator-level access to a computer. A rootkit is a set of programs that allows attackers to maintain permanent administrator-level, hidden access to a computer. A rootkit: Is almost invisible software. Resides below regular antivirus software detection. Requires administrator privileges to install and maintains those privileges to allow subsequent access. Is not always malicious. Often replaces operating system files with alternate versions that allow hidden access.

A collection of zombie computers have been set up to collect personal information. Which type of malware do the zombie computers represent?

Botnet

In 2001, a worm exploited vulnerabilities in Microsoft Internet Information Services (IIS) to infect over 250,000 systems in under nine hours. What was this worm called?

Code Red

Which kind of virus operates only in memory and usually exploits a trusted application like PowerShell to circumvent traditional endpoint security solutions?

Fileless virus

Additional Preventive Measures

In addition, implement the following measures: Train users to not download files from unknown sources or open files in suspicious emails. Spyware, adware, crimeware, and Trojans all take advantage of downloads. Remove removable drives to prevent unauthorized software from being installed on a system. Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to change files that are normally deemed harmless. For example, adding the extension .TXT.EXE to a file will make the file appear as a text file in an attachment when, in reality, it is an executable. Enable antivirus scanning for all email attachments. Enable antivirus scanning for all removable storage, such as USB flash drives and CD-ROMs. Block executable files that have been copied from another computer. Require that they be manually unblocked before execution. Enable privacy controls in Windows Internet Explorer. Delete browsing history. Configure Autocomplete settings to not store entries such as usernames, passwords, web addresses, and forms. Use third-party tools to scan for issues and cleanup problems.

Malware Recovery

Malware can permanently damage your system. Recovery from malware can include the following steps: You may have to reinstall applications, features, or even the entire operating system from scratch. If your organization uses imaging solutions, you can quickly re-image a machine if it is infected with malware. Re-imaging or installing from scratch is often faster and more effective than malware removal and cleanup. Remediation is the process of correcting problems. Most antivirus software remediates problems automatically or semi-automatically by prompting you to identify the action to take. Possible actions in response to problems are: Repair the infection. Repair is possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state, if possible. Quarantine the file. Quarantine moves the infected file to a secure folder where it cannot open or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file at another time. Delete the file. You should delete malicious files such as worms, Trojan horse programs, spyware, or adware programs. Periodically review the quarantine folder and delete any files you do not want to recover.

Logic bomb

Malware designed to execute only under predefined conditions. It is dormant until the predefined condition is met. A logic bomb is designed to execute only under predefined conditions. It lies dormant until the predefined condition is met. A logic bomb: Uses a trigger activity such as a specific date and time, the launching of a specific program, or the processing of a specific type of activity. Does not self-replicate. Is also known as an asynchronous attack.

Crimeware

Malware designed to perpetrate identity theft. It allows a hacker access to online accounts at financial services, such as banks and online retailers. Crimeware is designed to perpetrate identity theft to allow access to online accounts at financial services, such as banks and online retailers. Crimeware can: Use keystroke loggers to capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords. Redirect users to fake sites. Steal cached passwords. Conduct transactions in the background after logon.

Ransomware

Malware that denies access to a computer system until the user pays a ransom. Ransomware denies access to a computer system until the user pays a ransom.

Remote access Trojan (RAT)

Malware that includes a back door to allow a hacker administrative control over the target computer. A RAT is a malware program that includes a back door that allows administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program, such as a game or an email attachment. A RAT can: Use keystroke loggers that capture keystrokes, mouse operations, or screenshots, and transmits those actions back to the attacker to obtain passwords. Access confidential information, like credit card and social security numbers. Format drives. Activate a system's webcam and record video. Delete, download, or alter files and file systems. Distribute viruses and other malware.

A type of malware that prevents the system from being used until the victim pays the attacker money is known as what?

Ransomware

Crypto-malware

Ransomware that encrypts files until a ransom is paid. Crypto-malware is ransomware that encrypts files until a ransom is paid.

Malware Prevention

Regardless of the type of malware, there are some common things you can do to prevent malware infection: Use the latest version and patch level for your web browser. Install the latest patches for the operating system. Install antivirus, anti-spyware, anti-rootkit, and personal firewall software. Keep definition files up-to-date. Use a pop-up blocker to prevent adware. Use software to control cookies on the system. Perform regular scheduled scans to look for malware. Choose anti-malware software from a reputable company. Don't let scareware fool you into purchasing a product that may not work.

Which kind of malware provides an attacker with administrative control over a target computer through a backdoor?

Remote Access Trojan (RAT)

Which of the following are characteristics of a rootkit? (Select two.)

Resides below regular antivirus software detection. Requires administrator-level privileges for installation.

You have installed antivirus software on the computers on your network. You update the definition and engine files and configure the software to update those files every day. What else should you do to protect your systems from malware? (Select two.)

Schedule regular full-system scans. Educate users about malware.

Malware

Software designed to take over or damage a computer without the user's knowledge or approval.

Spyware

Software installed without the user's consent or knowledge and is designed to intercept or take partial control of the user's computer. Spyware is software that is installed without the user's consent or knowledge. It is designed to intercept or take partial control over the user's interaction with the computer. Spyware: Is installed on a machine when the user visits a particular web page or runs a particular application. Collects various types of personal information, such as internet surfing habits and passwords. It sends the information back to its originating source. Uses tracking cookies to collect and report a user's activities. Can interfere with user control of the computer such as installing additional software, changing computer settings, and redirecting web browser activity.

Stoned

The 1987 Stoned virus was one of the first viruses. It was very common and widespread in the early 1990s. The virus infects the master boot record of a hard drive and floppy disks.

Michelangelo

The 1991 Michelangelo virus was designed to infect MS-DOS systems and remain dormant until March 6, the birthday of Renaissance artist Michelangelo. The virus infects the master boot record of a hard drive. Once a system becomes infected, any floppy disk inserted into the system becomes immediately infected, as well.

CIH/Chernobyl Virus

The 1999 Chernobyl virus was the first computer virus that affected computer hardware. It infected executable files, then spread after the file was executed. After it was initiated, CIH would continue until the entire hard drive was erased. Then it would overwrite the system BIOS, causing machines to crash.

Melissa

The 1999 Melissa worm was the first widely distributed macro virus that was propagated in the form of an email message containing an infected Word document as an attachment.

ILOVEYOU

The 2000 ILOVEYOU worm was propagated in the form of an email message containing an infected VBScript (Microsoft Visual Basic Scripting) attachment. When executed, the VBScript would alter the registry keys to allow the malware to start up at every boot. It would also search for and replace *.jpg, *.jpeg, *.vbs, *.vbe, *.js, *.jse, *.css, *.wsh, *.sct, *.doc, and *.hta files with copies of itself while appending the file name with a .vbs extension.

Code Red

The 2001 Code Red worm was designed to attack and exploit vulnerabilities within Microsoft Web IIS servers. It replicated from port to port with remarkable speed, infecting over 250,000 systems in under 9 hours.

Nimda

The 2001 Nimda worm took advantage of weaknesses found in the Windows platform and propagated itself in several ways, including email, infected websites, and network shares. It also left multiple back doors to allow for additional attacks.

Klez

The 2001-2002 Klez worm propagated through email. It infected executables by creating a hidden copy of the original host file and then overwriting the original file with itself. It attacked unpatched versions of Outlook and Outlook Express to allow attackers to control the system.

Which of the following is a program that appears to be a legitimate application, utility, game, or screensaver, but performs malicious activities surreptitiously?

Trojan horse

Which of the following best describes spyware?

It monitors the actions you take on your machine and sends the information back to its originating source.

Adware

Malware that monitors a user's personal preferences and sends pop-up ads that match those preferences.