Malware and Cyber Security Quiz

Questions and Answers

Name two malware programs from the early days of computing that targeted specifically the .exe and .com file types.

Jerusalem and the Morris Worm, both targeted these file types.

What is a notable example of a malware program that spread through email and caused significant disruption by overwhelming email systems with mass-mailing?

The Melissa virus is a notable example of a virus that spread through email and caused disruptions by mass-mailing.

What type of attack, notably used on the Iran nuclear program, utilizes a worm to sabotage industrial control systems thereby making it a powerful tool for cyber-warfare?

Stuxnet is a sophisticated worm that was specifically designed to target and sabotage industrial control systems, making it an example of cyber-warfare.

What dangerous malware was spread through network vulnerabilities and weak passwords to create a massive botnet?

The Conficker malware spread through vulnerabilities and weak passwords.

What was the most significant consequence of the ILOVEYOU virus?

The ILOVEYOU virus caused an estimated $10 billion in damages.

Describe the impact of the SQL Slammer worm.

The SQL Slammer worm quickly spread across the internet causing widespread service disruptions.

What is the primary target of the Godfather banking Trojan?

Financial apps worldwide.

What's a prominent example of ransomware that targets large organisations and demands significant ransom payments?

Ryuk is a powerful example of ransomware that targets large organizations and demands high ransoms.

Explain the purpose of the Duqu malware.

Duqu is a malware program used for espionage, gathering information from industrial systems.

What are two ways mobile malware is now evolving to evade security measures?

New fraud mechanics and commoditization of cutting-edge techniques.

Give two examples of how mobile malware can negatively impact device performance.

Frozen apps and difficulty connecting to the network.

What is one way malware can affect the security of a computer?

It can turn off antivirus and firewall programs.

Describe one way mobile malware can affect a user's personal data.

It can steal personal information.

What is one symptom that indicates a potential malware infection on a computer?

Increased CPU usage.

How might a user realize their mobile device is infected with malware?

The device might send unauthorized SMS messages.

Why is the ongoing development of malware a challenge for security vendors?

Malware constantly evolves to stay ahead of security solutions.

What was the first known mobile worm, and what operating system did it target?

Cabir was the first known mobile worm, and it targeted Symbian OS on Nokia devices.

Describe how the 'Skulls' Trojan infected Symbian phones.

The 'Skulls' Trojan replaced icons on Symbian phones with skull images, rendering apps unusable.

What is the significance of 'Duts' in the evolution of mobile malware?

'Duts' was the first known virus to infect Windows Mobile operating systems, expanding malware threats beyond Symbian.

How did 'RedBrowser' trick users into sending premium-rate SMS messages?

'RedBrowser' used a Java-based Trojan that deceived users into sending premium-rate SMS messages, generating revenue for the attackers.

Why was 'DroidDream' significant, especially considering it was found on the Google Play store?

'DroidDream' was one of the first widespread Android malware strains, found on the official Google Play Store, highlighting the need for app security measures.

What particular capability did 'Geinimi' have that made it a more sophisticated threat?

'Geinimi' was a sophisticated Android Trojan that could steal personal data and install other malicious apps remotely.

What was 'MasterKey' and what vulnerability did it exploit?

MasterKey was an Android vulnerability. By exploiting this vulnerability, attackers could modify legitimate apps without invalidating the app's signature, effectively bypassing security checks.

How did 'XcodeGhost' infect iOS apps, and what was the target of the attack?

'XcodeGhost' infected iOS apps by targeting developers using a compromised version of Apple's Xcode IDE.

What are the two common ways spyware spreads?

Spyware spreads by exploiting software vulnerabilities, bundling itself with legitimate software, or through trojans.

What capability does Adware have that makes it different from other types of malware?

Adware automatically delivers advertisements, which is a distinct characteristic that differentiates it from other forms of malware.

Why are Adware/Spyware bundles more dangerous than Adware alone?

Adware/Spyware bundles are more dangerous because spyware is capable of tracking user activity and stealing information, whereas Adware is solely designed to deliver advertisements.

What is Ransomware? What is the goal of a Ransomware attack?

Ransomware holds a computer system captive while demanding a ransom. It restricts user access to the computer by either encrypting files on the hard drive or locking down the system, displaying messages that force the user to pay the malware creator to remove it.

How did the SQL Slammer worm spread so quickly? Why was it so effective?

SQL Slammer exploited a known buffer overflow vulnerability in Microsoft SQL Server 2000's server resolution service. It was able to infect a vulnerable population in less than 10 minutes due to its fast replication rate.

In the text, what are the two primary modes of spread for worms?

Worms spread by using network services and exploiting vulnerabilities like buffer overflows. They can also spread through the user downloading a malicious file that contains the worm.

What was the original vulnerability exploited by the SQL Slammer Worm? When was a patch for this vulnerability released?

The SQL Slammer Worm exploited a buffer overflow vulnerability in the Server Resolution Service of SQL Server 2000. A patch for this vulnerability was released in July 2002 as part of Bulletin MS02-39.

What is the main difference between a computer worm and a virus?

A virus infects a computer system and spreads by attaching itself to other executable programs. A worm spreads between computers autonomously and infects systems through networks.

What is one way that malware can achieve persistence on a system?

Malware can achieve persistence by storing code in the system registry.

How does reflective DLL injection work, and what impact can it have on a system?

Reflective DLL injection injects malicious code into legitimate processes, which allows the malware to avoid detection by traditional security measures and potentially steal data, execute commands, or mine cryptocurrency.

What is spyware and how does it typically get installed on a device?

Spyware gathers confidential information about a user and relays it to third parties. It is typically installed without user consent disguised as a legitimate app or by infecting a legitimate app.

What information can spyware gather from a mobile device?

Spyware can gather contacts, location data, messaging habits, browsing history, preferences, downloads, device information like OS version, product ID, IMEI number, and IMSI number.

Explain how mobile trojans work and give an example of a malicious action they can take.

Mobile trojans infect devices by attaching themselves to seemingly harmless apps and then carry out malicious actions such as hijacking the browser, sending unauthorized texts, or stealing login information.

What is the difference between mobile trojans and mobile viruses?

Mobile trojans are typically installed alongside legitimate apps, while mobile viruses can infect devices through various means like malicious links or infected files. Both can carry out harmful actions on the device.

How is mobile phishing similar to phishing on desktop computers?

Mobile phishing employs fake websites designed to look legitimate to steal user credentials or other sensitive information, similar to how phishing is carried out on desktop computers, but uses smaller screens to potentially hide deceptive tactics.

Describe one way that mobile phishing can be carried out and provide an example of what an attacker might do.

Mobile phishing can be done using rogue mobile apps disguised as system updates or marketing offers. These apps could then steal user credentials like bank login information.

Describe two common methods used by malware to hide within code.

Malware can hide within code using methods like prepending, appending, and cavity malware insertion. Prepending places malware before the targeted executable, appending places it after, and cavity malware inserts it into empty spaces within the executable.

What are two ways malware can achieve persistence on a compromised system, ensuring it continues to run after a system reboot?

Malware can achieve persistence by using "auto-start" methods, such as adding itself to the Startup folder, modifying system files like WIN.INI or SYSTEM.INI, or using system startup scripts to run itself on system boot.

What is a 'packer' in the context of malware, and how does it contribute to the malware's ability to evade detection?

A packer is a tool used to compress, encrypt, and obfuscate malware, making it harder for antivirus software to identify and detect it. This process often involves techniques like polymorphism, anti-debugging, and adding junk code, further complicating analysis.

What are two ways mobile malware can operate in the background of a user's device, potentially stealing sensitive information or performing other malicious actions without the user being aware?

Mobile malware can operate in the background by hiding itself in the device's processes and using hidden code to perform actions like monitoring user activity, stealing data, or sending information to the attacker.

Explain the concept of a 'botnet' and how it relates to more advanced forms of malware.

A botnet is a network of infected computers or devices controlled by an attacker, creating a distributed system for malicious activities. Advanced malware can use botnets to achieve greater impact by coordinating attacks, distributing malware, and launching DDoS attacks.

What is the main function of a 'Hypervisor' in a computer system, and why might it be a target for malware developers?

A hypervisor manages and controls virtual machines, allowing multiple operating systems to run simultaneously on a single physical machine. Attacking the hypervisor can enable attackers to control all virtualized systems running on that machine, making it a high-value target.

What are the two main stages of a malware attack, and explain their importance to the attacker's goals?

Two main stages of a malware attack are targeting and exploitation. The attacker must first identify and target specific susceptible systems or vulnerabilities. Once targeted, the attacker exploits those weaknesses to gain access to the victim's system or steal sensitive data.

Describe two ways malware can negatively impact a user's personal data, beyond simply stealing it.

Malware can compromise the integrity of personal data by corrupting or deleting it. It can also be used to spread misinformation, steal personal identities, or manipulate data for malicious purposes.

Flashcards

Zero-day exploits

Attacks exploiting vulnerabilities before developers fix them.

Cabir

The first known mobile worm, targeting Symbian OS via Bluetooth.

CommWarrior

A mobile worm that spread via MMS and Bluetooth on Symbian devices.

HummingBad

Ad fraud malware that infected millions of Android devices.

DroidDream

Widespread Android malware found in official Google Play apps.

Pegasus

Sophisticated spyware for iOS and Android, used in targeted surveillance.

MasterKey

An Android vulnerability allowing attackers to modify apps undetected.

Geinimi

A sophisticated Android Trojan that steals data from infected devices.

Jerusalem Virus

A DOS virus that infected .exe and .com files, activating on Fridays the 13th.

Klez Worm

A worm that infected Windows machines and spread through email, known for spoofing addresses.

Morris Worm

Considered the first major internet-based worm, spread in the late 80s.

Michelangelo Virus

A boot sector virus that activated on March 6, damaging computers' data.

AIDS Trojan

One of the first ransomware attacks, demanding payment to restore encrypted filenames.

Melissa Virus

A mass-mailing macro virus spreading through email, causing disruptions in 1999.

Stuxnet

A sophisticated worm targeting Iran’s nuclear program to sabotage industrial control systems.

Ryuk Ransomware

A ransomware targeting large organizations, demanding significant ransom payments.

Registry modification

Malware stores code in the registry for persistence.

Reflective DLL injection

Injects malicious code into legitimate processes, making detection hard.

Mobile spyware

Secretly gathers personal data from users without consent.

Adware

Spyware that primarily targets users for advertising purposes.

Mobile Trojan

Infects devices by attaching to harmless apps and performs malicious actions.

Mobile phishing

Fraudulent sites that steal user credentials on mobile devices.

Rogue mobile apps

Trojanized apps that disguise malicious intent as updates or offers.

Device information gathering

Spyware collects device details for future attacks.

Mobile Malware

Malicious software that targets mobile devices, hiding and operating in the background.

Hidden Processes

Malware that runs invisibly, executing tasks without user awareness.

Malware Targeting

The specific applications or systems that malware seeks to exploit.

Overwriting Malware

Malware that replaces legitimate code in an executable file.

Appending Malware

Adding malicious code to the end of an executable file.

Cavity Malware

Malware that hides within the structure of a legitimate executable file.

Packers

Tools that compress, encrypt or modify malware to evade detection.

Auto Start Locations

Specific files and directories where malware can set itself to run at startup.

Buffer Overflow

An exploitation vulnerability where a program writes more data to a buffer than it can hold.

SQL Slammer

A computer worm that exploited SQL Server 2000's buffer overflow vulnerability.

Spyware

Malware that secretly monitors user activity and collects information without consent.

Spyware/Adware Bundles

Combined malware that includes adware and spyware, posing greater risks to user privacy.

Ransomware

Malware that holds a computer hostage, demanding a ransom for access restoration.

Vulnerable Population

A group of systems or servers that are susceptible to specific exploits or attacks.

Encryption

The process of converting data into a coded format to prevent unauthorized access.

Godfather Trojan

An Android banking Trojan designed to steal login credentials and intercept SMS-based two-factor authentication.

Mobile Malware Evolution

The progression from simple threats to sophisticated spyware, banking Trojans, and ransomware.

Malware Effects

Malware can steal personal information, delete files, and perform click fraud.

Computer Symptoms of Malware

Common signs include blue screens, increased CPU usage, and slow performance.

Mobile Symptoms of Malware

Stability issues such as frozen apps, battery drainage, and unauthorized SMS messages.

Detection Arms Race

The ongoing battle between malware creators and security vendors, leading to new fraud mechanics.

Commoditization of Techniques

Cutting-edge malware techniques becoming mainstream, allowing widespread use.

Autonomous Actions of Malware

Malware can send emails/messages automatically without user knowledge and modify system settings.

Study Notes

Malware Overview

• Malware is malicious software designed to damage or disable a target system.
• Computer attacks can be done manually or automatically using malware.
• Common types of malware include viruses, Trojans, rootkits, botnets, adware, ransomware, and worms.
• Malware can exploit vulnerabilities in software or systems to gain control or access to data.

Malware Classification

• Malware can be classified into host-program and independent types.
• Host-program malware embeds itself in an existing program.
• Examples of host-program malware include: trapdoors/backdoors, logic bombs, Trojan horses
• Independent malware operates independently; examples include: viruses, bacteria, worms, zombies.

Attack Methodology

• Footprinting involves gathering public information about a target.
• Scanning identifies open ports and services on a target system.
• Enumeration gathers information about accounts and shared resources on a system.
• Penetration is the actual attack phase aiming to gain control.
• Denial-of-Service attacks flood the target system to make it unavailable.
• Elevation of privilege attempts to acquire higher-level access.
• Data pilfering involves copying or stealing data.
• Techniques for concealing actions and covering tracks are used.

Malware Definition

• Malware is any code that performs malicious actions.

• Malware disrupts computer operations, steals data, or bypasses controls.

• Malware comes in various forms, including executable code, scripts, active content, and software variants.

Malware Evolution

• Malware has evolved from simple to complex over time.
• New techniques and tactics are constantly being developed.
• This evolution makes preventing and identifying malware more challenging.

Motivations of Network Attacks

• Wannabe Lamers: Aspiring hackers motivated by a desire to be recognized.
• Script Kiddies: Inexperienced hackers using readily-available tools.
• Crackers: Hackers trying to break into systems for illicit purposes.
• Ethical Hackers: Professionals employed to find and fix vulnerabilities.
• Cyber Warriors: Hackers motivated by political ideologies.
• Industrial Spies: Hackers employed to steal business secrets.
• Government Agents: Hackers working on behalf of a government.
• Military Hackers: Hackers working on behalf of a military.
• These hackers have different motives, from personal gain to political purposes to espionage.

Malware Targets

• Attackers target executable files, interpreted files, kernels, services, MBRs, and hypervisors.

• Targets can vary depending on the goals of the attack.

Hiding Malware in Code

• Common methods of hiding malware include overwriting, prepending, appending, and cavity modifications

• These methods make it harder to detect the existence of malicious code.

Malware Vectors

• Malicious actors can embed malware into host programs, infect OS boot sectors, masquerade as normal programs, create independent executable code, or operate at the kernel level.

Types of Malware

• Virus: A self-replicating program attached to another program.
• Worm: A self-replicating program that spreads through networks without requiring an existing program.
• Trojan: Disguised as a legitimate program, but carries malicious software.
• Rootkit: Hides malicious activity and grants unauthorized access.
• Botnet: A network of compromised computers controlled remotely.
• Adware: Displays unwanted advertisements.
• Spyware: Gathers information about users without their knowledge.
• Ransomware: Encrypts files and demands payment for their release.
• Spam: Unsolicited electronic messages, often used to distribute malware.
• Fileless Malware: Resides in memory and doesn't create traditional files.

Malware Infection Vectors

• Malware can spread through websites, instant messages, emails, and vulnerabilities in software or systems.

• Fileless malware spreads by exploiting system tools and memory-based operations.

Symptoms of Infection

• Malware infection can cause slow performance, unusual behavior, and the appearance of unexpected files or programs.

• Symptoms in mobile devices might include battery drain, unexpected app behavior, or unusual data usage.

Prevention from Malware

• Employing strong passwords, keeping software updated, and avoiding suspicious links/programs are key defences.
• Using anti-virus software and security measures is crucial.