CISSP Chapter 21: Malicious Code and Application Attacks


____________ techniques display advertisements on infected computers.

Adware

______________ are undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.

Backdoors

______________ vulnerabilities exist when a developer doesn't properly validate user input to ensure that it is of an appropriate size.

Buffer Overflow

What main 3 areas should anti-malware software be used on?

Client systems, server systems, and content filters that inspect code for malicious content

The ____________ worm ran across IIS web servers in 2011, probing IP addresses, defacing HTML pages, and planting logic bombs to initiate a DoS attack against the White House.

Code Red

_________________ attacks occur when web applications contain some type of reflected input. Typically performed by inserting <SCRIPT> </SCRIPT> fragments into input fields. Defeated by input validation.

Cross site scripting (XSS)

____________ web applications can provide information specific to an individual user. They use a database to create content on demand when the user makes a request.

Dynamic

____________ viruses use cryptographic techniques to avoid detection. They use a virus decryption routine to load and decrypt the main virus code stored elsewhere on the disk. This also changes the signature of the virus.

Encrypted

_____________ is done after compromising (breaking into) a system in order to obtain more comprehensive administrative/root access.

Escalation of privileges

In an _________________ attack, the malicious individual simply reconfigures their system so that it has the IP address of a trusted system and then attempts to gain access to other external resources.

IP spoofing

_____________ are usually one of the first attacks performed against a network. Automated tools simply attempt to ping each address in a range. Systems that respond to the request are logged for further analysis.

IT probes/sweeps/ping sweeps

The ___________ worm exploited 4 holes in the Unix OS:
• Sendmail debug mode
• Password attack
• Finger vulnerability (determining who was logged on)
• Trust relationships (to spread along trusted paths)

Internet

______________ are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, and so on.

Logic bombs

____________ viruses propagate very quickly via macros in certain applications and infect things like documents.

Macro

_____________ are scripts that help automate repetitive tasks within an application.

Macros

______________ viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other.

Multipartite

What are the 4 types of viruses that attempt to escape detection?

Multipartite viruses, stealth viruses, polymorphic viruses, encrypted viruses

___________ viruses actually modify their own code as they travel from system to system, changing the signature of the virus each time it infects a new system to fool antivirus software.

Polymorphic

___________ show what public services are running on each machine defined by an IT probe.

Port scans

___________________ infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator. The attacker then demands a ransom in exchange for the decryption key.

Ransomware

______________ are a common way of performing escalation of privilege attacks.

Rootkits

__________ attacks use unexpected input into web applications to gain unauthorized access to an underlying database.

SQL Injection

________________ viruses inject themselves into trusted runtime processes of the OS such as svchost.exe, winlogon.exe, and explorer.exe. By compromising these processes, the virus can avoid detection by antivirus software.

Service Injection

______________ occurs when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a technique to take over the session and assume the identity of the authorized user.

Session hijacking

________________ consists of tricking users into revealing passwords via a phone call, email, etc. Today it typically relies on phishing emails.

Social engineering

_____________ monitors your actions and transmits important details to a remote system that spies on your activity.

Spyware

___________ viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally.

Stealth

_____________ was a highly sophisticated worm that searched for unprotected administrative shares, exploited zero-day vulnerabilities, connected to systems using default database passwords, and spread via shared infected USB drives. It appeared in Iran, allegedly to disrupt that country's nuclear program.

Stuxnet

What are the 2 main functions of a computer virus?

To propagate and destroy.

A _______________ is a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network.

Trojan-horse

Rogueware and ransomware are what type of malicious software?

Trojan-horse

____________ produce reports about vulnerabilities on a system, letting attackers know where to attack.

Vulnerability scans

_____________ contain the same destructive potential as other malicious code but they propagate themselves without requiring any human intervention.

Worms

A variation of the file infector virus is the __________ virus. These viruses are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate OS file.

companion

Many viruses infect different types of executables and trigger when the OS attempts to execute them. The propagation routines of _____________ viruses may slightly alter the code of an executable program, thereby implanting the technology the virus needs to replicate and damage the system. Sometimes the entire file is replaced with the infected version.

file infector

Many antivirus packages also use ___________-based mechanisms to detect potential malware infections. They analyze the behavior of software, looking for signs of virus activity, such as attempts to elevate privilege level, cover their electronic tracks, and alter unrelated or operating system files.

heuristic

The ____________ virus attacks the master boot record, which is the portion of bootable media (hard disk, USB drive, CD/DVD) that the computer uses to load the operating system during the boot process. These viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the payload.

master boot record (MBR)

______________-based antivirus software packages protect against specific, common virus invasion vectors. They keep a database of the telltale characteristics of all known viruses and can scan for and detect them.

signature

The ______________ issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

time-of-check to time-of-use (TOC/TOU)

The computer _________ is the earliest form of malicious code and remains highly prevalent.

virus
