Malicious Software & Cyber Threats

Questions and Answers

Which characteristic distinguishes a worm from a virus?

  • A worm can execute on its own, whereas a virus requires a host program to run. (correct)
  • A worm is easily detected by antivirus software, whereas a virus is not.
  • A worm primarily targets system files, whereas a virus targets user data.
  • A worm replicates by inserting its code into other programs, whereas a virus executes independently.

Which type of malicious software is designed to monitor and record user keystrokes?

  • Keylogger (correct)
  • Ransomware
  • Spyware
  • Adware

What is the primary purpose of ransomware?

  • To secretly monitor a user's online activity.
  • To display unwanted advertisements to the user.
  • To replicate itself and spread to other computers on the network.
  • To encrypt a user's files and demand payment for decryption. (correct)

Which activity is an example of what a computer infected with malware might do without the user's knowledge?

  • Send copies of itself to other computers. (correct)

In the context of insider attacks, what is a 'logic bomb'?

  • Malicious code that executes when a specific condition is met. (correct)

Which of the listed strategies helps defend against insider attacks?

  • Ensuring multiple people maintain systems and conduct code walk-throughs. (correct)

Arrange the phases of a virus lifecycle in correct order.

  • Dormant Phase, Propagation Phase, Triggering Phase, Action Phase (correct)

What is the purpose of 'signatures' in the context of virus defense?

  • To uniquely identify and detect known viruses. (correct)

Which of the following is a potential action that malware can perform on an infected computer?

  • Generate network traffic for DDoS attacks. (correct)

Which type of attack involves overwhelming a target with a flood of packets?

  • Flooding-based DDoS attack (correct)

In a reflection-based DDoS attack, what is the purpose of the attacker using the victim's IP address as the source IP in requests?

  • To ensure the responses are sent to the victim. (correct)

What is the primary function of a botnet?

  • To perform automated tasks, often malicious, on a large scale. (correct)

What is a key characteristic of a distributed botnet command and control infrastructure?

  • Bots communicate directly with each other. (correct)

Which property must a botnet's command and control infrastructure maintain for the botnet to be effective?

  • Stable connectivity (correct)

Why is using a 'least privilege' principle important in defending against insider attacks?

  • It reduces the potential damage an insider can cause. (correct)

Which feature is commonly associated with a backdoor in the context of system security?

  • It is a hidden feature that allows unauthorized access to a system. (correct)

How do polymorphic viruses evade detection by antivirus software?

  • By changing their code on each infection (for example, re-encrypting the body with a new key), so no fixed byte sequence matches. (correct)

In the context of botnets, what does the term 'command and control infrastructure' refer to?

  • The communication channels used to manage and direct the bots. (correct)

What is characteristic of a metamorphic virus, distinguishing it from other types of viruses?

  • It rewrites its entire code, not just an encryption layer, with each new generation. (correct)

Why are spam mailing companies interested in using botnets?

  • Because botnets offer a cost-effective solution to distribute large volumes of spam. (correct)

Flashcards

Malicious Software

Software designed to cause harm to a computer system or network, often inserted intentionally.

Virus

Malicious software that replicates itself into other programs; needs a host to run.

Worm

Malicious software that can execute independently without needing a host program.

Keylogger

Software that records keystrokes to capture sensitive information like passwords.

Spyware

Software that secretly collects information from a computer and transmits it to a third party.

Ransomware

Malicious software that encrypts or locks files and demands payment for their release.

Backdoor

A hidden entry point into a system, often planted by an insider for later access.

Logic Bomb

Malicious code that executes when a specific condition is met.

Insider Attack

An attack from someone within an organization.

Least Privilege

A principle where each user has the minimum necessary access rights.

Flooding-based DDoS

An attack that overwhelms a system with a flood of network traffic.

Amplification DDoS

An attack that sends small spoofed requests to intermediary servers so that their much larger responses are delivered to the victim.

Botnet

A network of compromised computers controlled by an attacker (the botmaster).

Command and Control (C&C)

The infrastructure, centralized or decentralized, through which the botmaster directs the bots.

Centralized Control

A C&C structure where a central server controls all bots.

Decentralized Control

A C&C structure where bots communicate directly with each other.

Study Notes

Malicious Software Overview

  • This lesson covers three topics: malicious software (malware), meaning software designed to cause harm to computer systems or networks; flooding-based DDoS attacks; and the operation and impact of botnets.

Malicious Software Basics

  • Malicious software harms computing systems or networks through intentionally inserted code.
  • Malware is the general term that covers all of the types below.
  • A virus replicates itself into other programs; its malicious code runs when the infected host program is executed.
  • A worm can execute and spread on its own without attaching to a host program.
  • Keyloggers capture keystrokes, and with them passwords and anything else the user types.
  • Spyware collects information from a computer and transmits it to another party without the user's consent.
  • Ransomware encrypts (or otherwise locks) files on a computer and demands payment for their release.

Insider Attacks

  • An insider attack comes from someone who already has legitimate access, for example a member of the development team.
  • A typical example is a programmer on a project who introduces malicious code into it.
  • Such embedded malware can ship as part of the OS or with applications, so it is installed with the same trust as the legitimate software around it.
  • A backdoor is a hidden feature that provides unauthorized access to, or manipulation of, a target system.
  • Backdoors commonly provide remote access to computers.
  • Backdoors may be added for legitimate purposes (such as maintenance access) or illegitimate ones; either way, anyone who finds one can use it.
  • A logic bomb executes malicious code when a specific trigger condition is met.

Logic Bomb Example

  • The slide's logic-bomb pseudocode, written as Python (legitimate_code() and crash_computer() stand for the program's normal work and the destructive payload):
    import datetime
    legitimate_code()
    today = datetime.date.today()
    if today.day == 13 and today.weekday() == 4:   # trigger: Friday the 13th
        crash_computer()                            # payload runs only on the trigger date
    legitimate_code()

Defense Against Insider Attacks

  • Multiple people should maintain systems to mitigate the risk of insider threats.
  • Code walk-throughs can help identify malicious code inserted by insiders.
  • The least privilege principle should be enforced to limit the access of insiders.
  • Employee behavior should be monitored to detect potential insider threats.
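The following is an added example, not code from the lesson, that makes the slide's logic bomb runnable and then shows the mechanical half of the code walk-through recommended above: drive the trigger input across its whole range instead of trusting a single test run. process_payroll(), its sample records and LogicBombTriggered are constructed for illustration, and the payload is simulated by raising an exception rather than doing any damage.

```python
"""Logic bomb with a date trigger, and the sweep that exposes it.

Added example, not code from the lesson. process_payroll(), its records and
LogicBombTriggered are constructed for illustration; the payload is
simulated by raising an exception instead of doing damage.
"""
import datetime


class LogicBombTriggered(Exception):
    """Stands in for the slide's crash_computer() payload."""


def process_payroll(records, today):
    """'Legitimate code' with a logic bomb buried in the middle.

    `today` is a parameter so the trigger can be driven from a test. A real
    bomb reads the system clock itself, which is exactly why ordinary test
    runs (executed on the wrong day) never hit it.
    """
    total = sum(r["amount"] for r in records)          # legitimate work
    if today.day == 13 and today.weekday() == 4:        # hidden trigger: Friday the 13th
        raise LogicBombTriggered("payload executed on %s" % today)
    return total                                         # more legitimate work


def sweep_triggers(func, start, days):
    """Call func(date) once per calendar day from `start` and return the
    dates on which its behaviour diverges from the first run (an exception
    or a different result). This is the mechanical half of a code
    walk-through for time-based bombs: instead of trusting that 'it passed
    CI today', drive the date across the whole trigger space."""
    baseline = None
    anomalies = []
    for i in range(days):
        day = start + datetime.timedelta(days=i)
        try:
            result = func(day)
        except Exception as exc:            # any exception counts as divergence
            anomalies.append((day, repr(exc)))
            continue
        if baseline is None:
            baseline = result
        elif result != baseline:
            anomalies.append((day, result))
    return anomalies


# Constructed sample input.
SAMPLE_RECORDS = [{"name": "alice", "amount": 100}, {"name": "bob", "amount": 250}]


def payroll_on(year, month, day):
    """Run the job as if today were the given date (raises on a trigger day)."""
    return process_payroll(SAMPLE_RECORDS, datetime.date(year, month, day))


def find_trigger_dates(year):
    """ISO dates in `year` on which process_payroll() misbehaves."""
    start = datetime.date(year, 1, 1)
    days = (datetime.date(year, 12, 31) - start).days + 1
    hits = sweep_triggers(lambda d: process_payroll(SAMPLE_RECORDS, d), start, days)
    return [d.isoformat() for d, _ in hits]


if __name__ == "__main__":
    for iso in find_trigger_dates(2024):
        print("trigger fires on", iso)      # 2024-09-13 and 2024-12-13
```

The sweep only finds bombs whose trigger is an input you can control from a test; a bomb keyed on a hostname, a username or the absence of a file needs the same treatment with that input parameterized, which is one reason the notes pair testing with human code walk-throughs.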

Virus Phases

  • The dormant phase is when the virus is inactive and waiting for a trigger.
  • The propagation phase involves the virus replicating and spreading to other systems.
  • The triggering phase is when a specific event causes the virus to activate.
  • The action phase is when the virus performs its malicious activity.

Virus Defense

  • Detection by antivirus software is the main defense mechanism.
  • Viruses use evasion techniques, such as encrypting their body, to avoid detection.
  • Polymorphic viruses change their stored code (typically by re-encrypting it with a different key each time) to defeat signature-based antivirus software.
  • Metamorphic viruses rewrite their entire code with each infection, so no fixed byte sequence survives between generations.
  • Signatures are used to identify known viruses.
  • In-order signatures must match the exact sequence of bytes in a virus.
  • Conjunction signatures require the presence of multiple specific byte sequences, in any order.
  • Probabilistic signatures use statistical analysis: a file is flagged when enough weak indicators are present to cross a threshold.
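The three signature styles above, run against a constructed "virus" and against a polymorphic and a metamorphic variant of it, as an added example that is not code from the lesson and is not real malware: the decoder-stub bytes, the payload string, the one-byte XOR "encryption" and the 0.6 threshold are all constructed for illustration. It goes one step beyond the notes by showing which signature style survives which kind of mutation.

```python
"""In-order, conjunction and probabilistic signatures run against a
constructed virus body, a polymorphic (re-encrypted) variant and a
metamorphic (rewritten) variant.

Added example, not code from the lesson and not real malware: the stub
bytes, the payload string, the one-byte XOR 'encryption' and the threshold
are all constructed for illustration.
"""

DECODER_STUB = bytes.fromhex("8b1e31c0b92000")     # constructed: the fixed decryption loop
PAYLOAD = b"if (friday13) crash_computer();"      # constructed: the virus body


def xor_encode(data, key):
    """One-byte XOR; the 'encryption' the polymorphic variant uses."""
    return bytes(b ^ key for b in data)


def make_variant(key):
    """Polymorphic variant: same decoder stub, new key, body re-encrypted.
    Only the body bytes change between infections."""
    return DECODER_STUB + bytes([key]) + xor_encode(PAYLOAD, key)


def make_metamorphic_variant(key, junk=0x90):
    """Crude stand-in for a metamorphic engine: the decoder stub itself is
    rewritten (a junk byte spliced after every stub byte, the way a real
    engine inserts do-nothing instructions), so no fixed byte run survives."""
    stub = bytes(b for orig in DECODER_STUB for b in (orig, junk))
    return stub + bytes([key]) + xor_encode(PAYLOAD, key)


def in_order_match(sample, signature):
    """In-order signature: the exact byte sequence must occur contiguously."""
    return signature in sample


def conjunction_match(sample, parts):
    """Conjunction signature: every listed sequence must be present, in any order."""
    return all(part in sample for part in parts)


def probabilistic_score(sample, fragments):
    """Probabilistic signature: fraction of weak indicators present. A real
    engine weights each fragment by how rarely it appears in clean files."""
    hits = sum(1 for fragment in fragments if fragment in sample)
    return hits / len(fragments)


def classify(sample, threshold=0.6):
    """Verdict of each signature style for one sample."""
    body_signature = xor_encode(PAYLOAD, 0x5A)         # written from the variant keyed 0x5A
    stub_parts = [DECODER_STUB[:3], DECODER_STUB[3:]]  # key-independent decoder pieces
    fragments = [DECODER_STUB[:2], DECODER_STUB[2:4], DECODER_STUB[4:], b"crash", b"friday"]
    return {
        "in_order": in_order_match(sample, body_signature),
        "conjunction": conjunction_match(sample, stub_parts),
        "probabilistic": probabilistic_score(sample, fragments) >= threshold,
    }


if __name__ == "__main__":
    for name, sample in [("keyed 0x5A", make_variant(0x5A)),
                         ("keyed 0x77", make_variant(0x77)),
                         ("metamorphic", make_metamorphic_variant(0x77)),
                         ("clean file", b"notes about friday and a crash")]:
        print(name, classify(sample))
```

The in-order signature written from one sample fails on the next polymorphic generation, the conjunction signature on the unchanged decoder stub still catches it, and the metamorphic variant escapes all three byte-level styles, which is why engines fall back to emulation and behavioural detection for that class.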

Actions of Malware

  • Malware can send copies of itself to spread to other systems.
  • Malware can take actions without the user's knowledge.
  • Malware can generate network traffic on the attacker's behalf, for example as one participant in a DoS or DDoS attack.
  • Malware can harvest passwords, encrypt files and data, and delete files.
  • Malware can infect other machines.

Flooding Based DDoS Attacks

  • Flooding attacks overwhelm the victim with a high volume of traffic.
  • Examples include ICMP Flood and UDP Flood attacks.
  • Multiple bots are involved in the attack.
  • Bots send a flood of packets to the victim, disrupting its services.

Reflection and Amplification DDoS Attacks

  • Amplification attacks use intermediaries to increase the volume of attack traffic.
  • Small requests are sent to DNS/NTP servers with the source IP spoofed to be the victim's IP.
  • The DNS/NTP servers send their much larger responses to the victim; the ratio of response size to request size is the amplification factor.
  • Multiple bots are involved in the attack.
  • Spoofing the source IP only works from networks that do not filter outbound packets with forged source addresses, which is why such filtering (BCP 38) is the standard mitigation on the sending side.
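Detection logic for both DDoS patterns in the two sections above (flooding and reflection/amplification), run over a handful of flow records, as an added example that is not code from the lesson. The flow records are constructed, the 10.0.0.0/8, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, and the thresholds are illustrative; real values come from the network's own baseline.

```python
"""Telling the two DDoS patterns in the notes apart from flow records:
flooding (many bots hammering one victim) and reflection/amplification
(DNS/NTP servers answering requests the victim never sent).

Added example, not code from the lesson. The flow records are constructed
and the thresholds are illustrative; real values come from the network's
own baseline.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53, 123}     # DNS and NTP, the reflectors named in the notes

# Constructed flow records: (src, dst, proto, sport, dport, packets, bytes)
FLOWS = [
    # normal: 10.0.0.5 asks its resolver and gets an answer back
    ("10.0.0.5", "192.0.2.53", "udp", 51000, 53, 1, 70),
    ("192.0.2.53", "10.0.0.5", "udp", 53, 51000, 1, 120),
    # reflection: open resolvers and an NTP server answer 10.0.0.9, which never asked
    ("198.51.100.10", "10.0.0.9", "udp", 53, 40000, 500, 1_500_000),
    ("198.51.100.11", "10.0.0.9", "udp", 53, 40001, 500, 1_500_000),
    ("198.51.100.12", "10.0.0.9", "udp", 123, 40002, 500, 240_000),
] + [
    # flooding: forty bots send ICMP directly at 10.0.0.7
    (f"203.0.113.{i}", "10.0.0.7", "icmp", 0, 0, 2000, 128_000) for i in range(1, 41)
]


def detect_reflection(flows):
    """Inbound UDP from a DNS/NTP source port with no matching outbound
    request (victim -> that server, that port) is a reflected response.
    Returns {victim: bytes received this way}."""
    requests = {(src, dst, dport) for src, dst, proto, sport, dport, _, _ in flows
                if proto == "udp" and dport in REFLECTOR_PORTS}
    reflected = defaultdict(int)
    for src, dst, proto, sport, dport, _, nbytes in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS and (dst, src, sport) not in requests:
            reflected[dst] += nbytes
    return dict(reflected)


def detect_flooding(flows, min_sources=20, min_packets=10_000):
    """A destination hit by many distinct sources with a large packet count
    is being flooded. Returns {victim: (distinct sources, packets)}."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for src, dst, _, _, _, pkts, _ in flows:
        sources[dst].add(src)
        packets[dst] += pkts
    return {dst: (len(srcs), packets[dst]) for dst, srcs in sources.items()
            if len(srcs) >= min_sources and packets[dst] >= min_packets}


if __name__ == "__main__":
    print("reflection victims:", detect_reflection(FLOWS))   # {'10.0.0.9': 3240000}
    print("flooding victims:", detect_flooding(FLOWS))       # {'10.0.0.7': (40, 80000)}
```

The reflection rule keys on asymmetry (responses without requests) rather than on volume, so it also spots a low-rate reflection that the flooding thresholds would miss; the flooding rule keys on source diversity, which is what distinguishes a botnet from a single noisy host.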

Botnets

  • A bot is a program that performs automated tasks.
  • A bot itself is not inherently bad, but it can be used for malicious purposes.
  • A botnet is a collection of computers connected and working under the instruction of a master.
  • Botnets are typically used for committing computer crimes.
  • A botnet is controlled by a person or a group of people.
  • Botnets are usually driven by monetary interests.
  • Botnets are used by advertisement companies and spam mailing companies.

Botnet Components

  • The command and control infrastructure is essential for managing the botnet.
  • In a centralized model, a central server controls all the bots.
  • In a distributed (peer-to-peer) model, bots relay commands among themselves and work more autonomously.
  • Reliable connectivity, robustness, and quick reaction time are crucial for botnet effectiveness.
  • The communication protocol is used for communication between the botmaster and the bots.

Centralized Control

  • A central server directly controls all the bots in the botnet.

Decentralized Control

  • Bots communicate with each other, leading to a more resilient botnet structure.
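A small simulation of the two C&C structures above, as an added example that is not code from the lesson: it measures how many bots still receive a command after a takedown, and how many hops the command needs to reach the farthest bot, which is the robustness-versus-reaction-time trade-off the components section mentions. The topologies, the bot count, the ring-with-shortcuts peer graph and the "takedown" sets are all constructed for illustration.

```python
"""Centralized vs peer-to-peer C&C under a takedown.

Added example, not code from the lesson. The topologies, the bot count and
the 'takedown' sets are constructed; the ring-with-shortcuts peer graph is
the simplest shape that shows the trade-off the notes describe (robustness
versus reaction time)."""
from collections import deque


def reach(graph, start, removed):
    """Breadth-first search from the node where the botmaster injects a
    command. Returns {node: hops} for every node the command still reaches
    when the nodes in `removed` are offline."""
    if start in removed:
        return {}
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph.get(node, ()):
            if peer not in removed and peer not in hops:
                hops[peer] = hops[node] + 1
                queue.append(peer)
    return hops


def centralized(n_bots):
    """One C&C server; each bot talks only to it."""
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {"c2": set(bots)}
    for bot in bots:
        graph[bot] = {"c2"}
    return graph


def peer_to_peer(n_bots, degree=3):
    """Each bot keeps links to its `degree` nearest neighbours on a ring
    (both directions), so every bot can forward commands to peers."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for k in range(1, degree + 1):
            j = (i + k) % n_bots
            graph[f"bot{i}"].add(f"bot{j}")
            graph[f"bot{j}"].add(f"bot{i}")
    return graph


def bots_controlled(graph, entry, removed=frozenset()):
    """How many bots still receive a command injected at `entry`."""
    return sum(1 for node in reach(graph, entry, removed) if node.startswith("bot"))


def worst_case_hops(graph, entry, removed=frozenset()):
    """Longest path a command travels to the farthest still-reachable bot:
    the reaction-time cost of decentralization."""
    hops = reach(graph, entry, removed)
    return max((h for node, h in hops.items() if node.startswith("bot")), default=0)


if __name__ == "__main__":
    central, p2p = centralized(30), peer_to_peer(30)
    print("centralized, healthy:", bots_controlled(central, "c2"), "bots,",
          worst_case_hops(central, "c2"), "hop")
    print("centralized, server seized:", bots_controlled(central, "c2", {"c2"}), "bots")
    print("p2p, healthy:", bots_controlled(p2p, "bot0"), "bots,",
          worst_case_hops(p2p, "bot0"), "hops")
    print("p2p, three bots sinkholed:",
          bots_controlled(p2p, "bot0", {"bot5", "bot6", "bot7"}), "bots")
```

Seizing the single server leaves the centralized botnet with nothing, while sinkholing three peers costs the peer-to-peer botnet exactly those three bots; the price is that every command now crosses several hops, which is the slower reaction time the notes warn about.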
