Malware and Cybercrime

Questions and Answers

What is the primary goal of an Advanced Persistent Threat?

To display pop-up ads on a victim's browser

To break into new machines remotely

To generate new malware using a variety of supplied propagation and payload mechanisms

To compromise the confidentiality, integrity, or availability of a target's data or system (correct)

What is the purpose of a Downloader?

To exploit a browser vulnerability on a client system

To install other malware on a compromised system (correct)

To remove malware from a compromised system

To bypass normal security checks on a system

What is a Backdoor (trapdoor)?

A type of advertising integrated into software

A type of malware used to break into new machines remotely

A set of tools for generating new malware

A mechanism that bypasses normal security checks on a system (correct)

What is the primary method of attack used in a Drive-by Download?

Exploiting a vulnerability in a browser to attack a client system

What is Adware?

Advertising integrated into software

What is an Auto-rooter?

Malicious hacker tools used to break into new machines remotely

What type of malware uses macro or scripting code embedded in a document to run and replicate itself?

Macro Virus

What is the primary function of a Rootkit?

To set of hacker tools used after an attacker has broken into a computer system

What type of malware appears to have a useful function, but also has a hidden and potentially malicious function?

Zombie, Bot

What type of malware carries out a denial-of-service (DoS) attack by generating a large volume of data?

Flooder

What type of malware collects information from a computer and transmits it to another system?

Spyware

What type of malware is inserted into a system and lies dormant until a predefined condition is met, then triggers an unauthorized act?

Logic Bomb

What is the primary goal of optimizing the spread of a worm?

To locate as many vulnerable machines as possible in a short time period

What is the purpose of using functionally equivalent instructions and encryption techniques in worms?

To adopt polymorphic techniques

What is the ideal payload for a worm to spread rapidly?

Malicious payloads including spyware and spam email generators

What is the benefit of exploiting a zero-day vulnerability?

It achieves maximum surprise and distribution

What was significant about the year 2015 in the context of zero-day exploits?

It was the year with 54 zero-day exploits discovered, significantly more than in previous years

What is a characteristic of metamorphic worms?

They have a repertoire of behavior patterns unleashed at different stages of propagation

A malware that replicates itself by attaching to other executable machine or script code is classified as a

Virus

What is the primary difference between a worm and a virus?

Worms are independent, self-contained programs, while viruses need a host program

What is the term for a malware that does not replicate itself?

Trojan

What is the purpose of an attack kit?

To develop and deploy malware

What is the characteristic of an Advanced Persistent Threat (APT)?

They are well-resourced, persistent, and targeted attacks

What is the primary function of a virus's infection mechanism?

To spread the virus to other programs

What is the term for a virus that attaches itself to documents and uses the macro programming capabilities of the document's application to execute and propagate?

Macro virus

What is the term for a worm that spreads through electronic mail or instant messenger facilities?

E-mail worm

What is the primary function of a worm's target discovery mechanism?

To scan for other systems to infect

What is the term for a worm that uses a list of potential vulnerable machines to infect?

Hit-list worm

What is the primary purpose of ransomware attacks like WannaCry?

To demand a ransom payment in exchange for restoring access to encrypted files

What is the term for programs that can be executed on multiple platforms with identical semantics?

Mobile code

What is the primary mechanism used by drive-by-downloads to infect systems?

Exploiting browser and plugin vulnerabilities

What is the primary goal of phishing attacks?

To steal sensitive information

What is the term for a set of hidden programs installed on a system to maintain covert access to that system?

Rootkit

What is the primary advantage of host-based behavior-blocking software?

It can block malware in real-time before it has a chance to affect the system

What is the term for a malicious program that replicates itself by sending copies to other devices via Bluetooth or MMS?

Mobile phone worm

What is the primary goal of sandbox analysis?

To detect malware by running it in a controlled environment

What is the primary advantage of perimeter scanning approaches?

They can detect malware at the network boundary, preventing it from entering the system

What is the primary goal of ideal malware countermeasure approaches?

To prevent malware from being installed in the first place

Study Notes

Malware

• Malware is a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system.
• Types of malware:
  • Virus: a piece of software that infects programs, modifies them to include a copy of the virus, and replicates itself.
  • Worm: a computer program that can run independently and propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities.
  • Trojan: a program that appears to be legitimate but is actually malicious, allowing unauthorized access to a system or data.
  • Bot: a malware that allows remote control of a compromised system.

Virus

• Components:
  • Infection mechanism: means by which a virus spreads or propagates.
  • Trigger: event or condition that determines when the payload is activated or delivered.
  • Payload: what the virus does (besides spreading).
• Phases:
  • Dormant phase: virus is idle and will eventually be activated by some event.
  • Triggering phase: virus is activated to perform the function for which it was intended.
  • Propagation phase: virus places a copy of itself into other programs or into certain system areas on the disk.
  • Execution phase: function is performed.

Worm

• Exploits software vulnerabilities in client or server programs to spread from system to system.
• Can use network connections to spread from system to system.
• Can spread through shared media (USB drives, CD, DVD data disks).
• Types of worms:
  • E-mail worms: spread through email attachments or instant messaging.
  • Instant messaging worms: spread through instant messaging services.

Malware Propagation

• Mechanisms:
  • Infection of existing content by viruses.
  • Exploit of software vulnerabilities by worms.
  • Social engineering attacks.
• Target discovery:
  • Scanning: searching for other systems to infect.
  • Hit-list: using a list of potential vulnerable machines.
  • Topological: using information contained on an infected victim machine to find more hosts to scan.

Advanced Persistent Threats (APTs)

• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets.
• Typically attributed to state-sponsored organizations and criminal enterprises.
• Characteristics:
  • Advanced: using a wide variety of intrusion technologies and malware.
  • Persistent: determined application of the attacks over an extended period.
  • Targeted: careful target selection and stealthy intrusion efforts.

Malware Countermeasures

• Approaches:
  • Prevention: policy, awareness, vulnerability mitigation, and threat mitigation.
  • Detection: identifying malware through various techniques (e.g., signature-based, behavior-based).
  • Removal: removing malware from a system.
  • Sandbox analysis: running potentially malicious code in an emulated sandbox or on a virtual machine.
  • Host-based behavior-blocking software: integrates with the operating system and monitors program behavior in real-time for malicious action.### Types of Malware
• Exploits: Code specific to a single vulnerability or set of vulnerabilities
• Flooders (DoS client): Used to generate a large volume of data to attack networked computer systems, carrying out a denial-of-service (DoS) attack
• Keyloggers: Capture keystrokes on a compromised system
• Logic bomb: Code inserted into malware by an intruder, lying dormant until a predefined condition is met, triggering an unauthorized act
• Macro Virus: A type of virus that uses macro or scripting code, typically embedded in a document, triggered when the document is viewed or edited, to run and replicate itself into other documents

Malware Categories

• Mobile Code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
• Rootkit: Set of hacker tools used after attacker has broken into a computer system and gained root-level access
• Spammer: Programs used to send large volumes of unwanted e-mail
• Spyware: Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information

Malware Behavior

• Zombie, bot: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms
• Worms: Penetrate systems in various ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media
• Worm propagation: Optimize rate of spread to maximize likelihood of locating vulnerable machines in a short time period
• Worm evasion: Use virus polymorphic technique to evade detection, skip past filters, and foil real-time analysis
• Metamorphic worms: Have a repertoire of behavior patterns that are unleashed at different stages of propagation

Worm Technologies

• Transport vehicles: Worms can rapidly compromise a large number of systems, making them ideal for spreading malicious payloads
• Zero-day exploit: Exploit an unknown vulnerability, achieving maximum surprise and distribution, with 54 zero-day exploits discovered and exploited in 2015

Description

This quiz covers types of malware, including Trojan horses and adware, as well as advanced persistent threats and cybercrime targeting businesses and political organizations.