Computer Security
SoBig Virus
2003. Multimodal: it copied itself to any shared drive on the network and emailed itself to everyone in the victim's address book. If one person on a network opened the infected email, his machine was infected and so was every shared drive he had access to. The email had telltale signs in its subject line that could be used to identify it as carrying the virus. Once the attachment was opened, the virus copied itself to the system directory. It spread so far that it brought networks to a standstill: it did not destroy files or damage the system, but the traffic it generated bogged down the networks it infected.
flame virus
2012. Notable first because it is widely attributed to a U.S. government espionage program (the attribution rests on press reporting, not an official acknowledgement); it was used to spy on Iranian government targets. Flame is spyware that can monitor network traffic and take screenshots of the infected system.
metamorphic virus
A special case of the polymorphic virus: instead of merely re-encrypting its body with a new key, it completely rewrites its own code periodically, so no byte sequence is stable across generations. Very rare.
Polymorphic virus
A polymorphic virus changes its form from time to time, typically by re-encrypting its body with a different key and varying the small decryptor that restores it, so a fixed byte signature no longer matches and antivirus software needs emulation or behavioral checks to catch it.
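Added example (not from the book or this card set) of why a fixed signature stops matching a polymorphic variant, and how a scanner's decryption/emulation stage recovers the body anyway. The payload bytes, the six-byte signature, the one-byte XOR key header and all function names are constructed for illustration; a real engine also mutates the decryptor code itself, which this toy does not.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a virus body and the 6-byte signature an AV vendor
 * would extract from it. Not real malware. */
static const uint8_t PAYLOAD[] = { 0x55, 0x48, 0x89, 0xE5, 0xDE, 0xAD, 0xBE, 0xEF,
                                   0xCA, 0xFE, 0x5D, 0xC3 };
static const uint8_t SIGNATURE[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE };

/* Classic signature scan: is sig found anywhere in buf? */
int signature_match(const uint8_t *buf, size_t len, const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || len < siglen) return 0;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return 1;
    return 0;
}

/* One "generation" of a toy polymorphic engine: a 1-byte header holding the key,
 * then the body XOR-encoded with that key. Each key yields a different byte
 * pattern, so no fixed signature of the body survives. Returns bytes written. */
size_t make_variant(uint8_t key, uint8_t *out, size_t cap)
{
    if (cap < sizeof PAYLOAD + 1 || key == 0) return 0;   /* key 0 would leave the body unchanged */
    out[0] = key;
    for (size_t i = 0; i < sizeof PAYLOAD; i++) out[i + 1] = PAYLOAD[i] ^ key;
    return sizeof PAYLOAD + 1;
}

/* What a scanner with a decryption/emulation stage does: apply the sample's own
 * decoding logic to a copy, then run the signature scan on the plaintext. */
int scan_with_emulation(const uint8_t *buf, size_t len)
{
    uint8_t decoded[256];
    if (len < 2 || len - 1 > sizeof decoded) return 0;
    for (size_t i = 0; i + 1 < len; i++) decoded[i] = buf[i + 1] ^ buf[0];
    return signature_match(decoded, len - 1, SIGNATURE, sizeof SIGNATURE);
}

/* Scenario helpers so each case can be checked by name. */
int plain_sample_detected_by_signature(void)
{
    return signature_match(PAYLOAD, sizeof PAYLOAD, SIGNATURE, sizeof SIGNATURE);
}

int variant_detected_by_signature(uint8_t key)
{
    uint8_t v[64];
    size_t n = make_variant(key, v, sizeof v);
    return signature_match(v, n, SIGNATURE, sizeof SIGNATURE);
}

int variant_detected_by_emulation(uint8_t key)
{
    uint8_t v[64];
    size_t n = make_variant(key, v, sizeof v);
    return scan_with_emulation(v, n);
}

int main(void)
{
    printf("plain body, signature scan:       %d\n", plain_sample_detected_by_signature());
    printf("variant key 0x5A, signature scan: %d\n", variant_detected_by_signature(0x5A));
    printf("variant key 0xC3, signature scan: %d\n", variant_detected_by_signature(0xC3));
    printf("variant key 0x5A, emulation+scan: %d\n", variant_detected_by_emulation(0x5A));
    return 0;
}
```

The signature scan finds the plain body but misses every encoded generation; only after the scanner runs the sample's own decode step does the signature reappear, which is why modern engines pair signatures with emulation and behavioral checks.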
Trojan horse
A program that looks benign but actually has a malicious purpose.
Boot sector virus
As the name suggests, this type of virus infects the boot sector of the drive, so it runs before the operating system loads. Such viruses can be difficult for antivirus software to find because most antivirus software runs within the operating system, not in the boot sector; a tool that reads the raw boot sector and compares it with a known-good copy is needed to spot them.
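Added example, not part of the card set: a user-mode integrity check on the 512-byte master boot record, the kind of check a boot-sector virus or an MBR-overwriting ransomware would trip. The sample sector, the FNV-1a hash (a real tool would use SHA-256 and read the sector from the raw disk device) and the function names are all constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define BOOTCODE_SIZE   440   /* bytes 0..439: the boot loader code a virus or wiper overwrites */
#define PART_TABLE_OFF  446   /* four 16-byte partition entries */
#define PART_ENTRY_SIZE 16
#define SIG_OFF         510   /* bytes 510..511 must be 0x55 0xAA */

/* FNV-1a 64-bit over the boot code; stands in for SHA-256 to keep the example
 * dependency-free. The baseline hash would be recorded at install time. */
uint64_t mbr_bootcode_hash(const uint8_t *sector)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < BOOTCODE_SIZE; i++) {
        h ^= sector[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

int mbr_has_signature(const uint8_t *sector)
{
    return sector[SIG_OFF] == 0x55 && sector[SIG_OFF + 1] == 0xAA;
}

/* Count partition entries with a sane status byte (0x00 inactive, 0x80 bootable)
 * and a non-empty type; anything else means the table was clobbered. */
int mbr_partition_count(const uint8_t *sector)
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PART_TABLE_OFF + i * PART_ENTRY_SIZE;
        if ((e[0] == 0x00 || e[0] == 0x80) && e[4] != 0x00) n++;
    }
    return n;
}

/* 1 if the sector lost its signature or its boot code no longer hashes to the
 * trusted baseline: the trace a boot-sector virus or MBR wiper leaves behind. */
int mbr_tampered(uint64_t baseline_hash, const uint8_t *current)
{
    if (!mbr_has_signature(current)) return 1;
    return mbr_bootcode_hash(current) != baseline_hash;
}

/* Constructed sample MBR: filler "loader" bytes, one bootable NTFS partition, valid signature. */
void build_sample_mbr(uint8_t *sector)
{
    memset(sector, 0, SECTOR_SIZE);
    for (size_t i = 0; i < BOOTCODE_SIZE; i++) sector[i] = (uint8_t)(0x90 + i % 7);
    uint8_t *e = sector + PART_TABLE_OFF;
    e[0] = 0x80;                                            /* status: bootable               */
    e[4] = 0x07;                                            /* type: NTFS/exFAT               */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;   /* first LBA 2048 (little endian) */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00; /* 0x100000 sectors               */
    sector[SIG_OFF] = 0x55; sector[SIG_OFF + 1] = 0xAA;
}

/* Scenarios: 0 = untouched, 1 = boot code zeroed (wiper style), 2 = signature destroyed. */
int scenario(int kind)
{
    uint8_t base[SECTOR_SIZE], cur[SECTOR_SIZE];
    build_sample_mbr(base);
    uint64_t baseline = mbr_bootcode_hash(base);   /* what a tool would have stored earlier */
    memcpy(cur, base, SECTOR_SIZE);
    if (kind == 1) memset(cur, 0x00, BOOTCODE_SIZE);
    if (kind == 2) cur[SIG_OFF] = cur[SIG_OFF + 1] = 0x00;
    return mbr_tampered(baseline, cur);
}

int sample_layout_ok(void)
{
    uint8_t s[SECTOR_SIZE];
    build_sample_mbr(s);
    return mbr_has_signature(s) && mbr_partition_count(s) == 1;
}

int main(void)
{
    printf("sample layout ok:    %d\n", sample_layout_ok());
    printf("untouched tampered?  %d\n", scenario(0));
    printf("zeroed boot code?    %d\n", scenario(1));
    printf("signature destroyed? %d\n", scenario(2));
    return 0;
}
```

Because the check reads the sector bytes directly rather than trusting the running system, it still works when the resident antivirus never looks at the boot sector; on a live machine the sector would come from the raw disk device, which needs administrator rights.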
When looking at the behavior of an executable, what can an antivirus program look for?
Attempting to copy itself; attempting to access the address book of the system's email program; attempting to change Registry settings in Windows.
Nonvirus Virus
Basically a hoax. A hacker sends an email to every address he has. The email claims to be from a well-known antivirus vendor and warns of a new virus in circulation, instructing recipients to delete a particular file to get rid of it. The file, however, is not a virus but a legitimate part of the operating system. The jdbgmgr.exe hoax is the classic example (the file is Microsoft's Java debugger manager, not malware).
What is the primary way a virus scanner works
By comparing files against a list of known virus profiles
What other way can a virus scanner work
By looking at files for virus-like behavior
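Added example of the behavior-based approach described in these cards (not from the book): a heuristic scorer run over a constructed trace of one process's actions, covering the behaviors listed above (self-copy into the system directory, address-book access, Registry changes) plus direct SMTP and share writes. The event categories, rule weights, threshold, file names and both traces are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Event categories a behavior monitor might record (constructed for this example). */
typedef enum { EV_FILE_WRITE, EV_REGISTRY_WRITE, EV_PROCESS_READ, EV_NET_CONNECT } event_kind;

typedef struct {
    event_kind  kind;
    const char *target;   /* path, registry key, or host:port */
} event_t;

/* A heuristic rule: fires when an event of `kind` has `needle` in its target. */
typedef struct {
    event_kind  kind;
    const char *needle;
    int         weight;
    const char *why;
} rule_t;

static const rule_t RULES[] = {
    { EV_FILE_WRITE,     "\\Windows\\System32\\", 40, "drops an executable into the system directory" },
    { EV_REGISTRY_WRITE, "\\CurrentVersion\\Run", 30, "adds itself to a Run key for persistence"      },
    { EV_PROCESS_READ,   "address book",          30, "reads the mail client's address book"          },
    { EV_NET_CONNECT,    ":25",                   20, "speaks SMTP directly (own mail engine)"        },
    { EV_FILE_WRITE,     "\\\\",                  20, "writes to a network share (lateral spread)"    },
};
#define RULE_COUNT (sizeof RULES / sizeof RULES[0])
#define THRESHOLD  60   /* constructed cut-off; tuned against false positives in practice */

/* Sum the weights of the distinct rules the trace trips. Each rule counts once, so a
 * loop writing 500 files does not inflate the score. Fired rules go to `log` if set. */
int score_trace(const event_t *trace, size_t n, FILE *log)
{
    int fired[RULE_COUNT] = {0};
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t r = 0; r < RULE_COUNT; r++) {
            if (fired[r] || RULES[r].kind != trace[i].kind) continue;
            if (strstr(trace[i].target, RULES[r].needle) == NULL) continue;
            fired[r] = 1;
            score += RULES[r].weight;
            if (log) fprintf(log, "  +%d %s (%s)\n", RULES[r].weight, RULES[r].why, trace[i].target);
        }
    }
    return score;
}

int is_suspicious(const event_t *trace, size_t n)
{
    return score_trace(trace, n, NULL) >= THRESHOLD;
}

/* Constructed traces. The first mirrors a mass-mailing virus; the second a normal installer. */
const event_t MASS_MAILER_TRACE[] = {
    { EV_FILE_WRITE,     "C:\\Windows\\System32\\wupdmgr32.exe" },
    { EV_REGISTRY_WRITE, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\wupdmgr32" },
    { EV_PROCESS_READ,   "Outlook address book" },
    { EV_NET_CONNECT,    "mail.example.net:25" },
    { EV_FILE_WRITE,     "\\\\FILESRV\\public\\setup.exe" },
};
const size_t MASS_MAILER_LEN = sizeof MASS_MAILER_TRACE / sizeof MASS_MAILER_TRACE[0];

const event_t INSTALLER_TRACE[] = {
    { EV_FILE_WRITE,     "C:\\Program Files\\ExampleApp\\app.exe" },
    { EV_REGISTRY_WRITE, "HKCU\\Software\\ExampleApp\\Settings" },
    { EV_NET_CONNECT,    "updates.example.com:443" },
};
const size_t INSTALLER_LEN = sizeof INSTALLER_TRACE / sizeof INSTALLER_TRACE[0];

int main(void)
{
    puts("mass mailer:");
    int s1 = score_trace(MASS_MAILER_TRACE, MASS_MAILER_LEN, stdout);
    printf("  score %d, suspicious=%d\n", s1, is_suspicious(MASS_MAILER_TRACE, MASS_MAILER_LEN));
    puts("installer:");
    int s2 = score_trace(INSTALLER_TRACE, INSTALLER_LEN, stdout);
    printf("  score %d, suspicious=%d\n", s2, is_suspicious(INSTALLER_TRACE, INSTALLER_LEN));
    return 0;
}
```

No single action here is malicious on its own (installers write to Program Files and Run keys all the time), which is why the scorer weights the combination and why a threshold set too low is the usual source of false positives in behavioral detection.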
Gameover Zeus
Creates a peer-to-peer botnet: infected computers relay traffic among themselves and to the command-and-control servers, allowing the attacker to control the various infected computers without a single point that can be taken down. In 2014 the U.S. Department of Justice was able to temporarily disrupt communication with the command-and-control servers; in 2015 the FBI announced a reward of $3 million for information leading to the arrest of Evgeniy Bogachev for his alleged involvement with Gameover ZeuS.
Shamoon virus
Discovered 2012; a variant resurfaced in 2017. Described as spyware that deletes files after uploading them to the attacker; in practice it is known as a wiper that overwrites files and the master boot record, leaving machines unbootable. It attacked Saudi Aramco workstations, and a group calling itself Cutting Sword of Justice claimed responsibility.
Petya virus
Discovered 2016 and continued to spread until 2018. It targeted Windows machines: it overwrote the master boot record and encrypted the NTFS master file table, making the disk's files unreachable, then demanded payment in bitcoin. An excellent example of malware combining multiple features (boot-sector infection plus ransomware). The name comes from the GoldenEye film.
What are some things a trojan can do?
Download harmful software from a website; install a key logger or other spyware on your machine; delete files; open a backdoor for a hacker to use.
2nd thought application
Downloads to a person's PC and then blasts it with advertisements. This is an example of adware
Creeper Virus
Often cited as the first computer virus (strictly, a self-replicating program closer to a worm). 1971, Bob Thomas at BBN. Spread through ARPANET, displaying "I'm the creeper, catch me if you can!"
FakeAV
First appeared in July 2012; its variants affected Windows systems ranging from Windows 95 through Windows 10 and Windows Server 2016. It was a fake antivirus (thus the name FakeAV) that popped up fake virus warnings to scare the user into paying.
Cryptowall
First found in August 2014. Behaved much like CryptoLocker: it communicated with a command-and-control server and even took a screenshot of the infected machine, in addition to encrypting sensitive files. In 2015 a variant was discovered bundled with the spyware TSPY_FAREIT.YOI, which steals credentials from infected systems in addition to holding files for ransom.
MacDefender
First seen in 2011; variants are still seen today. It is embedded in some web pages, and when a user visits them she is shown a fake virus scan telling her she has a virus that needs to be fixed. The "fix" is actually downloading the malware. The point is to get end users to purchase the MacDefender "antivirus" product. Scareware.
Bagle virus
January 2004 (this source dates it to the fourth quarter of 2003). The email it sent claimed to be from your system administrator, telling you that your email account had been infected by a virus and that you should open the attached file for instructions. Opening the attachment infected your system. First, it spread both through email and by copying itself to shared folders. Second, it could scan files on your PC looking for email addresses. Finally, it disabled processes used by antivirus scanners, taking out your computer's "immune system".
buffer overflow attack
Happens when someone puts more data into a buffer than it was designed to hold. Correctly written code checks the length and truncates or rejects the excess; when it does not, the extra bytes overwrite whatever sits next to the buffer in memory (other variables, or return addresses on the stack), which an attacker can use to crash the program or run code of his choosing. Modern operating systems make this harder with mitigations such as stack canaries, non-executable stacks and address randomization, but applications written in C or C++, including Internet-enabled services like the one Sasser exploited, remain susceptible.
Wannacry
Hit May 2017. Notable because the patch for the Windows SMB vulnerability it exploited (MS17-010) had been available since March 2017, about two months earlier. It had a built-in kill switch: if a particular hard-coded domain resolved, WannaCry stopped executing. Marcus Hutchins discovered the kill switch, registered the domain and halted its spread. Could have been prevented with good patch management.
Atlanta's Ransomware attack
Hit March 2018; many of the city's systems were impacted. Two Iranian hackers, Faramarz Savandi and Mohammed Mansouri, were later indicted for the attack. It used the SamSam ransomware, which gets into systems not through phishing but by brute-force password guessing against exposed services such as Remote Desktop. A second issue is that Atlanta had previously been criticized for failing to spend adequately on security: an audit two months before the attack found 1500 to 2000 vulnerabilities.
Kedi Rat
In September 2017 the Kedi RAT (Remote Access Trojan) was spreading through phishing emails. Once on an infected system it stole data, then exfiltrated it by emailing it out through a Gmail account, blending in with ordinary web-mail traffic. It specifically looked for personal and financial data on the infected system to sell.
Macro
Macro virus: infects the macros in Office documents; it is written in the macro language of a business application (VBA in Microsoft Office) and runs when the document is opened with macros enabled.
sparse infector
Infects only on certain occasions - for example, it may infect every 10th program executed, or it might wake up once a month and infect. This strategy makes it more difficult to detect the virus.
What step should all computer users take to protect against virus attacks
Install and use antivirus software.
Cryptolocker
One of the most widely known examples of ransomware. First discovered in 2013. Used asymmetric (RSA) encryption to lock the user's files, so the decryption key never left the attacker's server. Several varieties of CryptoLocker have been detected.
How can we mitigate malware
It is important to educate end users to ask: Was this attachment expected? Was the email itself expected? Do you have any doubt about the authenticity of an email attachment? If so, don't open it.
The SpywareGuide Website www.spywareguide.com
Lists spyware that you can get right off the Internet should you feel some compelling reason to spy on someone's computer activities, for example Absolute Keylogger, Tiny Keylogger, TypO and the 2nd Thought application.
What are some ways virus scanners work
Look for a signature (byte pattern) that matches a known virus; look at the behavior of an executable (heuristics).
what are some of the most widely known antiviruses
McAfee, Bitdefender, Kaspersky, AVG, and Malwarebytes
What are some things a rootkit can do
Monitor traffic and keystrokes; create a backdoor into the system for the hacker's use; alter log files; attack other machines on the network; alter existing system tools to circumvent detection.
Which of the following is a method that any person can use to protect against virus attacks? (Easttom, Chuck. Computer Security Fundamentals, Pearson IT Cybersecurity Curriculum (ITCC), p. 264. Pearson Education, Kindle Edition.)
Most companies do not send alerts via email
Back Orifice
One of the earliest and most widely known Trojan horses (1998, released by the Cult of the Dead Cow), giving an attacker remote control of a Windows machine.
Computer virus
A program that self-replicates, typically spreading rapidly from machine to machine; unlike a worm, it needs a user action (such as opening an infected file) to run.
Morris Worm
Robert Tappan Morris, Jr., then a student at Cornell University, wrote this worm and launched it from an MIT system on November 2, 1988. Morris did not intend to cause damage; he wanted the worm to reveal bugs in the programs it exploited in order to spread. However, a bug in its code allowed an individual computer to be infected multiple times, and the worm became a menace: each additional "infection" spawned a new process, and eventually the number of processes slowed an infected machine to the point of being unusable. At least 6000 UNIX machines were infected. Led to the creation of the Computer Emergency Response Team (CERT).
Rombertik virus
Rombertik wreaked havoc in 2015. It hooks the browser to read the credentials users type into websites. It most often arrives as an email attachment. If it detects that it is being analyzed or tampered with, it either overwrites the master boot record, making the machine unbootable, or starts encrypting files in the user's home directory.
Which virus exploited buffer overflows
Sasser
What can you do with a firewall to help virus attacks?
Shut down all unneeded ports
what is the most common damage caused by virus attacks?
Slowing down networks by the virus traffic
Apple Viruses 1, 2, 3
Some of the first viruses "in the wild" (outside a lab). Found on Apple II systems in 1981, they spread through Texas A&M via pirated computer games.
Impact of viruses
Taiwan Semiconductor Manufacturing Company (TSMC), one of the largest chipmakers and a supplier for Apple, said in August 2018 that it had been hit by a computer virus that affected computer systems and fabrication tools; estimates put the damage at over $170 million. Initial news reports did not name the virus (TSMC later attributed it to a WannaCry variant that reached unpatched tools), but a single company being hit by a single piece of malware causing so much havoc illustrates the danger.
Keylogger
Software that records every keystroke on the machine. This data can be stored in a small file hidden on your machine for later extraction or sent out in TCP packets to some predetermined address. In some cases the software waits until after hours to upload the data to a server, or uses your own email software to send it to an anonymous address. Some key loggers also take periodic screenshots, revealing anything open on your computer.
Mimail Virus
This 2003 virus collected email addresses not only from your address book but also from other documents on your machine, so it spread further than other viruses. It had its own built-in email (SMTP) engine, so it did not have to piggyback on your mail client and could spread regardless of which email software you used. Multimodal.
Elitewrap
A tool for creating Trojan horses: it binds any two programs into a single executable, so a malicious program runs (typically silently) alongside a legitimate one.
It is common to find combination virus/Trojan horse attacks, in which the Trojan horse spreads like a virus.
True
The security firm Mandiant tracked several APTs over a period of 7 years, all originating in China, specifically Shanghai's Pudong district. These APTs were simply named APT1, APT2, and so on. The attacks were linked to Unit 61398 of China's military. The Chinese government regards this unit's activities as classified, but offensive cyber operations appear to be one of its tasks. Just one of the groups, APT1, compromised 141 companies in 20 different industries, maintained access to victim networks for an average of 356 days (and in one case 1,764 days), and stole 6.5 TB of information from a single organization over a 10-month period.
True
Spam
Unwanted and unsolicited email that is sent out to multiple parties. Often it is used for marketing purposes, but it can be used for much more malicious goals. For example, spam is a common vehicle for spreading viruses and worms. Spam is also used to send emails enticing recipients to visit phishing websites in order to steal their identities.
How to avoid viruses
Use a virus scanner; if you are unsure about an attachment, don't open it; exchange code words with friends so you can tell a genuine attachment from one a virus sent using their address book; don't believe security alerts that are sent out to you by email.
Armored virus
Uses techniques that make it hard to analyze, such as code confusion (obfuscation) or compressing/packing its code so the real instructions are not visible until it runs.
Sasser virus
Was a buffer overflow attack; a combination attack because the worm spread by exploiting a buffer overrun in a Windows service (LSASS) over the network rather than through email. Sasser copies itself to the Windows directory as avserve.exe and creates a Registry key to load itself at startup. The crashed service made the computer reboot repeatedly. To prevent it, block TCP ports 9996 and 5554 (the remote shell and FTP server it opened) at the firewall and update the system regularly.
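Added example (not from the book) of the mechanism behind the buffer overflow cards above, shown on a simulated stack frame so the demonstration is deterministic, well-defined C. The frame layout, the `authorized` flag, the function names and the attacker input are constructed for illustration; in Sasser's case the overrun was in a Windows service and the spilled bytes reached control data rather than a flag, and no exploit details for it are shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN  16   /* what the programmer sized the name buffer for              */
#define FLAG_OFF  16   /* the 4-byte `authorized` flag happens to sit right after it  */
#define FRAME_LEN 32   /* simulated stack frame; the slack keeps the demo in bounds   */

/* A simulated stack frame: bytes[0..15] = name buffer, bytes[16..19] = authorized flag. */
typedef struct { uint8_t bytes[FRAME_LEN]; } frame_t;

static uint32_t read_flag(const frame_t *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + FLAG_OFF, sizeof v);
    return v;
}

/* Vulnerable: strcpy copies until the NUL with no regard for NAME_LEN, so a name of
 * 16 or more bytes spills into the flag. Returns 1 if access is granted, -1 if the
 * input would leave the simulated frame (a cap real vulnerable code does not have). */
int vulnerable_login(const char *name)
{
    frame_t f = {{0}};                        /* authorized starts at 0 */
    if (strlen(name) >= FRAME_LEN) return -1;
    strcpy((char *)f.bytes, name);            /* the bug: unbounded copy into a 16-byte buffer */
    return read_flag(&f) != 0;                /* any non-zero spill grants access */
}

/* Fixed: a bounded copy that writes at most NAME_LEN-1 characters plus the NUL,
 * so the flag can never be reached. */
int safe_login(const char *name)
{
    frame_t f = {{0}};
    snprintf((char *)f.bytes, NAME_LEN, "%s", name);
    return read_flag(&f) != 0;
}

/* Constructed attacker input: 16 filler bytes to reach the flag, then a non-zero byte. */
const char OVERFLOW_INPUT[] = "AAAAAAAAAAAAAAAA\x01";
const char NORMAL_INPUT[]   = "guest";

int main(void)
{
    printf("normal name,   vulnerable: %d  safe: %d\n",
           vulnerable_login(NORMAL_INPUT), safe_login(NORMAL_INPUT));
    printf("overflow name, vulnerable: %d  safe: %d\n",
           vulnerable_login(OVERFLOW_INPUT), safe_login(OVERFLOW_INPUT));
    return 0;
}
```

The vulnerable version grants access to a 17-byte name because the seventeenth byte lands in the flag; with a return address in that position instead, the same spill redirects execution, which is how a worm like Sasser turns an overrun into code execution. The bounded copy truncates at 15 characters and never reaches the flag.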
Wabbit Virus
Was found in 1974, made multiple copies of itself, thus adversely affecting the performance of the infected computer.
Rootkit
A collection of tools a hacker uses to mask her intrusion and obtain administrator-level access to a computer or network. The intruder installs the rootkit after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. The rootkit then collects user IDs and passwords to other machines on the network, giving the hacker root or privileged access, and hides its own files, processes and connections from the tools an administrator would use to look for it. First documented in the early 1990s.
Advanced Persistent Threat (APT)
A relatively new term for a continuous process of attacking. It can involve hacking, social engineering, malware, or combinations of these. The attack must be relatively sophisticated, thus the term advanced, and it must be ongoing, thus the term persistent.
logic bomb
a type of malware that executes its malicious purpose when a specific criterion is met.
Worm
any program that can propagate without human intervention.
multi partite
Multipartite: attacks the computer in multiple ways, for example infecting the boot sector of the hard disk and one or more files.
what method is most common for virus propagation
email method
How do viruses spread?
Emails itself to everyone in your address book; scans the computer for network connections and copies itself to other machines on the network that your computer has access to.
counterexploitation website
Provides a lengthy list of known spyware products circulating on the Internet and information about methods you can use to remove them.
websites to read about past or current viruses
https://us.norton.com/internetsecurity-malware-virus-faq.html? https://www.us-cert.gov/publications/virus-basics http://www.techrepublic.com/pictures/the-18-scariest-computer-viruses-of-all-time/ https://www.technewsworld.com/perl/section/viruses-malware/
Malicious Web-Based Code or Web based mobile code
Refers to code that runs on any operating system or platform and is delivered over the web (Java applets, scripts and similar mobile code served over HTTP). The "malicious" part implies it is a virus, worm, Trojan horse, or some other form of malware. It doesn't care what operating system or web browser is in use; it infects them all blindly. The majority of the damage caused by malicious code happens in the first hours after a first-strike attack, before there is time for countermeasures. The cost of network downtime or theft of intellectual property makes malicious code a top priority.
code confusion
the code is written in such a way that if the virus is disassembled, the code won't be easily followed
Is it possible to mask a virus with a legitimate file (Trojan horse)?
true
It is also possible that when you visit a certain website, spyware may download in the background while you are simply perusing the website.
true
Most antivirus software today offers additional features, such as the ability to warn the user of known phishing websites, detect spyware as well as viruses, and even detect likely phishing attempts. Any modern antivirus product should be a comprehensive package, protecting against a variety of attacks, rather than just stopping viruses.
true
The most common method for spyware getting onto a computer is a Trojan horse.
true
If you are using both host-based antivirus and network antivirus, you should use products from two different vendors, so a virus missed by one vendor's signatures may still be caught by the other's.
true