software that enters a computer system without the user's knowledge or consent and then performs an unwanted and usually harmful action
malware (malicious software)
how does malware deliver a malicious "payload"
How can malware be classified
by using the primary trait that the malware possesses
What are the classifications of malware by their primary trait
- circulation
- infection
- concealment
- payload capabilities
what is a legal term used by some jurisdictions in place of "malware"
much new malware has emerged, but we still classify it by type. What is another way of grouping malware
because threat actors often tweak their malware so that it evades the latest security defenses, many instances of malware are similar. These similar instances of malware are referred to as
the primary trait of spreading rapidly to other systems to impact a large number of users
how does malware circulate
Can happen automatically or may require action by the user
once the malware reaches a system through circulation it embeds itself into the system. This is known as
Once malware has infected a system how often can it run
it can run once, or it can remain in the system and be launched an infinite number of times
some malware has as its primary trait avoiding detection by concealing its presence from software scanners that are looking for malware. This primary trait is
When this is the primary trait of malware,
the goal is the nefarious actions the malware performs.
some malware can have more than one trait. How do we classify them in this case
based on the primary trait
Two types of malware that have the primary trait of circulation
- viruses
- worms
malicious computer code that reproduces itself on the same computer
are virus and malware interchangeable terms
No. Strictly speaking, a virus is only one type of malware
a virus that infects an executable program file
A virus can also be part of a data file. The most common is called what
a series of instructions that can be grouped together as a single command.
Often used to automate a complex set of tasks or a repeated series of tasks
this virus first attaches or appends itself to the end of the infected file. Then it inserts at the beginning of the file a jump instruction that points to the end of the file, which is the beginning of the virus code
Because appender-infection viruses can easily be detected by virus scanners, armored viruses were developed to avoid detection. What techniques do they include
- swiss cheese infection
- split infection
- mutation
the virus injects itself into executable code that is "scrambled" to make it more difficult to detect. It also divides the engine that unscrambles or decrypts the virus code, and the different pieces are injected throughout the infected code
the virus splits into several parts. Parts of it are placed at random positions in the host program. These parts may contain unnecessary "garbage" code to mask its true purpose
instead of hiding, some viruses can change
this virus changes its internal code to one of a set number of predefined mutations whenever it is executed
this virus completely changes from its original form whenever it is executed
this virus can actually rewrite its own code and thus appears different each time it is executed by creating a logical equivalent of its code whenever it is run
what are the two actions that a virus performs
- unloads a payload to perform a malicious action
- reproduces itself by inserting its code into another file on the same computer
what are viruses attached to
can a virus automatically spread to another computer
no. it relies on user action to spread
by transferring infected files
what two carriers must a virus have
a file to which it attaches and a human to transport it to other computers
a malicious program that uses a computer network to replicate
what is another name that we sometimes use for worms
what are the two things worms may do
- consume resources, or
- leave behind a payload to harm infected systems
sends copies of itself to other network devices. Once it exploits a vulnerability in a device, it immediately searches for another computer
where does a worm replicate
does a worm need a user action for it to spread
an executable program that is advertised as performing one activity but which also performs a malicious activity
a trojan that also gives the threat agent unauthorized access to the victim's computer by using specially configured communication protocols
remote access trojan (RAT)
three examples of malware that have a primary trait of infection
- trojans
- ransomware
- crypto-malware
malware that prevents a user's device from properly and fully functioning until a fee is paid.
It is highly profitable
the earliest ransomware displays a screen and prevents the user from accessing the computer's resources. This is called what
malware that encrypts all the files on the device so that they cannot be opened
because a person could simply reinstall their operating system to regain control of their computer and files when hit by blocker ransomware, threat actors developed this
crypto-malware
it encrypts all files on the device so that none of them can be opened
how does crypto-malware work
- the software connects to the threat actor's command and control (C&C) server to receive instructions or updated data
- a locking key is generated for the encrypted files, and that key is encrypted with another key that has been downloaded from the C&C server
- the second key is sent to the victim once the ransom is paid
malware that hides its presence or the presence of other malware
hides or removes traces of login records and log entries
may alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity
why can't users trust a computer that contains a rootkit
the rootkit is in charge and hides what is occurring on the computer
where can the destructive power of malware be found
in its payload capabilities
what are the primary payload capabilities
- collect data
- delete data
- modify system security settings
- launch attacks
malware that collects data includes what types
- spyware
- adware
tracking software that is deployed without the consent or control of the user
uses the computer's resources for the purposes of collecting and distributing personal or sensitive information
spyware that silently captures and stores each keystroke that a user types on the computer's keyboard
What are the two forms of keyloggers
- hardware device: inserted between the computer's keyboard connection and the USB port
- software: does not require physical access to the user's computer; often installed as a trojan or virus; sends captured information back to the attacker via the internet
not all spyware is malicious. Give an example of this
spyware monitoring tools used by parents to keep track of their children's online activities
a software program that delivers advertising content in a manner that is unexpected and unwanted by the user
why do users disapprove of adware
- may display objectionable content
- frequent popup ads can interfere with a user's productivity
- popup ads can slow a computer or even cause crashes and the loss of data
- unwanted ads can be a nuisance
computer code that lies dormant until it is triggered by a specific logical event
what type of malware payload is a logic bomb
- difficult to detect before it is triggered
- often embedded in large computer programs that are not routinely scanned
undocumented yet benign hidden feature that launches a set of special commands, key combinations, or mouse clicks
Easter egg
(not the same as a logic bomb)
software code that gives access to a computer program or service while circumventing normal security protections
when installed on a computer, they allow the attacker to return at a later time and bypass security settings
this is a common practice by developers who may need to access a program or device on a regular basis, yet do not want to be hindered by continual requests for passwords or other security approvals
an infected computer that is under the remote control of an attacker for the purpose of launching attacks
bot
also known as a zombie
when hundreds, thousands, or even millions of bot computers are gathered into a logical computer network they create what
infected zombie computers wait for instruction through a command and control (C&C) structure from the bot herders. What is a common C&C mechanism used today
HTTP, which is more difficult to detect and block
botnets are used for what type of attacks
- spamming
- spreading malware
- manipulating online polls
- denying services
a means of gathering information for an attack by relying on the weaknesses of individuals
social engineering attacks rely on what
psychological approaches involving person-to-person contact
name some of the techniques social engineers use to gain trust
- provide a reason
- project confidence
- use evasion and diversion
- make them laugh
what are the principles used by social engineers (7)
- authority
- intimidation
- consensus
- scarcity
- urgency
- familiarity
- trust
a social engineering effectiveness principle in which the victim is influenced by confidence
a social engineering effectiveness principle in which the victim is influenced by the claim that the victim is well known and well received
a social engineering effectiveness principle in which the victim is influenced by the claim that immediate action is needed
a social engineering effectiveness principle in which the victim is influenced by the idea that something is in short supply
a social engineering effectiveness principle in which the victim is frightened and coerced by threat
a social engineering effectiveness principle in which the attack is directed by someone impersonating an authority figure or falsely citing their authority
a social engineering effectiveness principle in which the victim is influenced by what others do
social engineering attacks with psychological approaches often involve
- impersonation
- phishing
- spam
- hoaxes
- watering hole attacks
a social engineering attack that involves masquerading as a real or fictitious character and then playing out the role of that person on a victim
attackers will often impersonate what type of person
an authority figure because victims generally resist saying "no" to anyone in power
sending an email or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
what are the variations of phishing attacks
- spear phishing
- whaling
- vishing
about which percentage of all attacks start with phishing
a phishing attack that targets only specific users
a phishing attack that targets only wealthy individuals
a phishing attack that uses telephone calls instead of emails
unsolicited email that is sent to large numbers of recipients
look for specific words and block the email
why is spam such a lucrative business
it costs spammers very little to send millions of spam messages
uses graphical images of text in order to circumvent text-based filters. Often contains nonsense text so it appears legitimate
who do hoax messages usually claim they are from
what do hoax messages try to get the victim to do
erase specific files or change security configurations
a malicious attack that is directed toward a smaller group of specific individuals by embedding malware in a website frequented by those individuals
two of the most common physical procedures used by social engineers
- dumpster diving
- tailgating
the act of digging through trash receptacles to find information that can be useful in an attack
An electronic variation of physical dumpster diving is to use Google's search engine to look for documents and data posted online that can be used in an attack. This is called
what are some items that are retrieved in dumpster diving
- calendars
- inexpensive computer hardware, such as USB flash drives or portable hard drives
- memos
- organizational charts
- phone directories
- policy manuals
- system manuals
when an unauthorized individual enters a restricted-access building by following an authorized user
An employee conspires with an unauthorized person to let them walk in together through the open door
watching a user enter secret information