Malware Threats and Distribution Methods

Questions and Answers

What type of malware is specifically designed to take control of a computer system for the purpose of theft or fraud?

  • Spyware
  • Worm
  • Adware
  • Trojan Horse (correct)

Which method of malware distribution involves tricking users into clicking on seemingly harmless web pages?

  • Blackhat Search Engine Optimization
  • Social Engineered Click-jacking (correct)
  • Drive-by Downloads
  • Malvertising

What is a common technique hackers use to embed malware in advertisements across legitimate websites?

  • Spearphishing
  • Blackhat SEO
  • Malvertising (correct)
  • Drive-by Downloads

Which step is NOT part of infecting a system using a Trojan?

  • Create a firewall (C) (correct)

How can malware commonly enter a system through legitimate software?

  • Shrink-wrapped software packaged by a disgruntled employee (A) (correct)

What is the primary function of a wrapper in the context of a Trojan executable?

  • To disguise the Trojan by bundling it with an innocuous application (B) (correct)

What allows a Command Shell Trojan to provide remote control over a victim's machine?

  • Deployment of a Trojan server that opens a port for connections (D) (correct)

How does a Remote Access Trojan establish communication with an attacker?

  • Through the creation of a direct connection using an established port (D) (correct)

What is a common method used by Botnet Trojans to control infected computers?

  • Control via a centralized Command and Control (C&C) center (A) (correct)

Which tactic should be avoided to evade detection by anti-virus software?

  • Using Trojans that are available for download from the internet (A) (correct)

What is a primary characteristic of a computer virus?

  • Infects other programs (A) (correct)

At which stage does a virus get activated?

  • Launch (C) (correct)

Which of the following is NOT a reason people create computer viruses?

  • Enhancing system performance (D) (correct)

How do encryption viruses evade detection by antivirus software?

  • They encrypt their code with different keys (A) (correct)

What differentiates a computer worm from a virus?

  • Worms can replicate independently (C) (correct)

What is the first stage in the life cycle of a virus?

  • Design (B) (correct)

Which method is commonly exploited to infect computers with viruses?

  • Opening infected email attachments (C) (correct)

What is the purpose of antivirus software in the context of viruses?

  • To eliminate virus threats (B) (correct)

What is a key characteristic of worms compared to viruses?

  • They primarily replicate and consume resources (C) (correct)

Which of the following actions increases the risk of computer virus infection?

  • Not running antivirus applications (D) (correct)

Which protocol is known to be vulnerable to sniffing due to sending data in clear text?

  • FTP (B) (correct)

At which layer of the OSI model do sniffers primarily operate?

  • Data Link Layer (B) (correct)

What type of device captures network signals without altering the traffic?

  • Hardware Protocol Analyzer (A) (correct)

Which of the following is NOT a protocol identified as vulnerable to sniffing?

  • TLS (A) (correct)

What can be extracted from redirected traffic by an attacker in a sniffing attack?

  • Usernames and passwords (B) (correct)

What does a sniffer do in the context of network security?

  • Monitors and captures data packets on the network (A) (correct)

What feature is utilized by a sniffer to listen to all transmitted data on its network segment?

  • Promiscuous Mode (B) (correct)

Which of the following describes passive sniffing?

  • Monitoring packets without sending additional data (B) (correct)

Which active sniffing technique involves overwhelming a switch's memory?

  • MAC Flooding (A) (correct)

In a modern network, why is hub usage considered outdated?

  • Hubs send traffic to all ports, allowing easy interception (A) (correct)

What is the primary function of a hardware protocol analyzer?

  • To capture, decode, and analyze data packets (D) (correct)

Which type of wiretapping involves monitoring and also altering the communication traffic?

  • Active wiretapping (A) (correct)

What is required for lawful interception in a communication system?

  • A request for wiretap authorized by a court (B) (correct)

What is the primary purpose of PRISM as a wiretapping case study?

  • To collect and process foreign intelligence (C) (correct)

What is the difference between active and passive wiretapping?

  • Active wiretapping modifies the traffic while passive does not (B) (correct)

Which of the following best describes passive wiretapping?

  • It records data without altering the communications (D) (correct)

Which piece of hardware is used for monitoring and analyzing network traffic?

  • Protocol analyzer (D) (correct)

What makes wiretapping without consent a criminal act in most countries?

  • It infringes on privacy rights (C) (correct)

In the lawful interception process, what role does the service provider play?

  • Sets an access switch/tap on an exchange router (C) (correct)

What is the significance of a Central Management Server (CMS) in lawful interception?

  • It stores intercepted data for future access (A) (correct)

What is the primary goal of a passive online attack using wire sniffing?

  • To record and analyze raw network traffic (D) (correct)

Which of the following is a characteristic of a rainbow table attack?

  • It relies on comparing captured hashes with precomputed hash tables (C) (correct)

What is a requirement for successfully executing a replay attack?

  • Trusted access must be established on both sides of the communication (D) (correct)

What is a recommended practice to defend against password cracking?

  • Implementing a password change policy every 30 days (D) (correct)

Which of the following accurately describes the function of a Man-in-the-Middle (MITM) attack?

  • Attacker captures and modifies messages in transit between two parties (D) (correct)

What is the primary goal of escalating privileges during the system hacking stage?

  • To acquire rights of another user or an admin (C) (correct)

Which of the following techniques is NOT typically used for hiding files during system hacking?

  • Phishing (A) (correct)

Which password cracking technique involves direct interaction with the victim machine?

  • Brute Forcing Attack (A) (correct)

What is the illegal practice of accessing someone's passwords using available vulnerabilities in systems referred to as?

  • Active Online Attack (D) (correct)

What is a primary characteristic of a dictionary attack?

  • It relies on a list of possible passwords to test against user accounts. (B) (correct)

Which method used during system hacking is primarily focused on clearing logs to hide evidence of compromise?

  • Covering Tracks (C) (correct)

What is an example of offline attack methods?

  • Trying combinations of passwords using a local copy of a password file. (A) (correct)

What is the main approach of a brute forcing attack?

  • Trying every conceivable combination of characters until the password is cracked. (D) (correct)

What is a significant challenge with password guessing attacks?

  • High failure rate due to the random nature of potential passwords. (A) (correct)

Which step is NOT part of a Trojan/Spyware/Keylogger attack?

  • Sending stolen credentials directly to the victim. (D) (correct)

What is the best technique to defend against privilege escalation?

  • Implementing multi-factor authentication (D) (correct)

Which type of privilege escalation involves gaining higher privileges than the existing ones?

  • Vertical Privilege Escalation (A) (correct)

Which of the following actions could lead to account lockout due to too many incorrect password attempts?

  • Implementing brute force attacks on accounts (C) (correct)

What should be avoided when creating strong passwords?

  • Including personal information like birthdays (C) (correct)

What does executing malicious applications involve during an attack?

  • Gathering information for exploitation (A) (correct)

Flashcards

Malware definition

Malicious software designed to harm or disable computer systems, or to gain unauthorized control for theft or fraud.

Trojan Horse

A type of malware disguised as legitimate software.

Malware distribution methods

Methods used by attackers to spread malware, often including social engineering, compromised websites, and malicious advertisements.

Trojan effects

Trojans can damage systems by deleting files, disabling security, creating backdoors, stealing information, and more.

Malvertising

Malicious code embedded within online advertisements, often seen on legitimate websites.

Trojan Wrapper

A tool that bundles a Trojan with a legitimate-looking program, such as a game or office application, so the Trojan is installed when the innocuous program runs.

Command Shell Trojan

A Trojan that gives an attacker remote control of the command shell on a victim's computer.

Remote Access Trojan (RAT)

A Trojan granting complete graphical user interface (GUI) access to a remote computer.

Botnet Trojan

A Trojan that infects many computers, creating a network controlled by a central command and control (C&C) server.

Virus

Self-replicating program that attaches to other programs or files to spread.

Virus Characteristics

Computer viruses infect programs, alter data, and replicate themselves, corrupting files and programs, often encrypting themselves.

Virus Life Cycle Stage: Design

Virus code development through programming languages or construction kits.

Virus Life Cycle Stage: Launch

The stage at which a user runs an infected program, activating the virus and starting its spread.

Encryption Virus

A virus that encrypts its own code, using a different key for each infected file, so that signature-based AV scanners cannot easily detect it.

Computer Worm

Malware that replicates and spreads through network connections automatically, often without user interaction.

Worm vs. Virus

Worms spread through networks, while viruses rely on human action to spread.

Virus Infection Methods

Ways a computer gets infected include opening email attachments, installing pirated software, not updating software, and not running antivirus software.

Motives for Creating Viruses

People create viruses for reasons like inflicting damage to competitors, financial gain, pranks, vandalism, cyber terrorism or political purposes.

Virus Life Cycle Stage: Replication

The stage where the virus makes copies of itself.

Detection Stage

The stage where the infection is discovered.

Sniffing

The process of monitoring and capturing network data packets, often used for malicious purposes by attackers.

Promiscuous Mode

A network interface card (NIC) setting that allows a sniffer to capture all data packets on a network segment, regardless of the intended recipient.

Passive Sniffing

Capturing network traffic without actively manipulating the network. It's like listening in on a conversation without saying anything.

Active Sniffing

Manipulating the network to capture traffic. It's like injecting your own voice into a conversation to hear specific things.

ARP Poisoning

A technique used in active sniffing where an attacker sends fake ARP (Address Resolution Protocol) messages to trick a network. This allows the attacker to intercept traffic intended for other devices.

Protocols Vulnerable to Sniffing

Certain protocols, like HTTP, Telnet, and FTP, transmit information in plain text, making them easily accessible to sniffers. Imagine your passwords traveling in an open letter on a crowded street.

Data Link Layer Sniffing

Sniffers operate at the 'Data Link' layer of the OSI model, capturing data before it's processed by higher layers. This means the targeted software is unaware of the sniffing.

Hardware Protocol Analyzer

A specialized device used to capture network traffic, offering clear visibility into network activity, including malicious traffic. Think of it as a sophisticated 'network camera' recording everything.

What does sniffing target?

Sniffing aims to capture and steal sensitive information like passwords, credit card details, and private conversations. It's like pilfering the contents of a briefcase while someone's looking the other way.

Protocol Analyzer

A tool that captures, decodes, and analyzes network traffic based on predefined rules.

Active Wiretapping

Monitoring, recording, altering, and even injecting data into network traffic.

Passive Wiretapping

Monitoring and recording network traffic without altering or injecting anything.

Lawful Interception

Legally intercepting network communication for surveillance purposes, often with court orders.

PRISM

A program designed to collect and process foreign intelligence data passing through US servers.

Wiretapping Device

Hardware, software, or a combination used to monitor and record communication.

What is the difference between active and passive wiretapping?

Active wiretapping involves altering or injecting data into the communication, while passive wiretapping only monitors and records.

How does a protocol analyzer work?

It captures network packets, decodes them, and analyzes their contents according to specific rules.

What is lawful interception?

Legally intercepting communication for surveillance purposes, often with court authorization.

Why is PRISM controversial?

It raises concerns about privacy and the collection of foreign intelligence data.

Password Cracking

Techniques used by attackers to recover passwords from computer systems, often by exploiting weak or easily guessable passwords.

Shoulder Surfing

A non-electronic password attack where an attacker observes someone entering their password, often over their shoulder.

Dictionary Attack

A type of password cracking where the attacker uses a list of common passwords to try and guess the correct one.

Brute Force Attack

A password cracking method where the attacker tries every possible combination of characters until the correct password is found.

Escalating Privileges

A hacking stage where the attacker tries to gain higher access levels or permissions within the system.

Offline Attack

An attacker steals a password file and attempts to crack passwords offline using techniques like rainbow tables or distributed networks.

Rule-based Attack

A password cracking method that uses known information about the target, such as their name or birthday, to predict possible passwords.

Password Guessing

An attacker uses social engineering or other methods to gather information about a victim's potential passwords and then tries them manually.

USB Passview Attack

An attacker copies files to a USB drive, executes PassView, and then extracts passwords from the resulting text files on the USB drive.

Wire Sniffing

Attackers use packet sniffer tools to capture and record raw network traffic, which may contain sensitive information such as passwords and emails.

Replay Attack

Attackers capture authentication tokens using a sniffer, then replay them back on the network to gain access.

Rainbow Table Attack

Attackers compare captured password hashes against a table of precomputed hash values to crack passwords.

Defending Against Password Cracking

Strategies to protect against password cracking include regular audits, unique passwords, strong passwords, and secure storage.

Privilege Escalation

An attack where an attacker gains higher privileges on a system than they initially had. This can be used to access sensitive data, install malware, or take complete control of the system.

Vertical Privilege Escalation

A type of privilege escalation where an attacker gains access to a higher level of privileges than they already have, like going from a normal user to an administrator.

Horizontal Privilege Escalation

A type of privilege escalation where an attacker gains access to the same level of privileges as another user, but with a different identity.

Restrict Interactive Logon Privileges

A security measure that limits the ability of users to log in to a system directly, potentially reducing the risk of privilege escalation.

Run Services as Unprivileged Accounts

A security best practice to run services with the least amount of privileges necessary, reducing the impact of a potential compromise.

Study Notes

Malware Threats

  • Malware is malicious software designed to damage or disable computer systems. It grants limited or full control to the creator for theft or fraud.
  • Examples of malware include Trojan horses, viruses, backdoors, worms, rootkits, spyware, ransomware, botnets, adware, and crypters.

Different Ways Malware Enters a System

  • Instant messaging applications (e.g., IRC)
  • Browser and email software bugs
  • Removable devices
  • Attachments
  • Legitimate software (packaged by disgruntled employees)
  • Fake programs
  • Untrusted websites and freeware software
  • Downloading files, games, screensavers from the internet

Common Techniques for Distributing Malware

  • Blackhat SEO: Ranking malware pages highly in search engine results.
  • Social Engineered Click-jacking: Tricking users into clicking on innocent-looking web pages.
  • Malvertising: Embedding malware in ad networks displayed on legitimate high-traffic sites.
  • Spearphishing: Mimicking legitimate institutions to steal login credentials.
  • Compromised websites: Hosting embedded malware that spreads to unwitting visitors.
  • Drive-by Downloads: Exploiting browser software flaws to install malware just by visiting a website.

How Hackers Use Trojans

  • Delete or replace critical operating system files.
  • Disable firewalls and antivirus software.
  • Generate fake traffic to create denial-of-service (DoS) attacks.
  • Record screenshots, audio, and video of the victim's PC.
  • Use the victim's PC for spamming and blasting emails.
  • Download spyware, adware, and malicious files.
  • Create backdoors to gain remote access.
  • Infect the victim's PC as a proxy server to relay attacks.
  • Use the victim's PC as a botnet to perform DDoS attacks.
  • Steal information (passwords, security codes, credit cards) using keyloggers.

How to Infect Systems Using a Trojan

  • Create a new Trojan packet using a Trojan Horse Construction Kit.
  • Create a dropper to install the malicious code onto the target system.
  • Create a wrapper to hide the Trojan.
  • Propagate the Trojan (spread it).
  • Execute the dropper.
  • Execute the damage routine.

Wrappers

  • Trojans can be bundled with seemingly innocent applications (e.g., games, office apps) using wrappers.
  • Wrappers hide Trojans inside legitimate-looking files (the module's example is a Chess.exe of 110 KB).
  • Attackers also deliver wrapped Trojans as deceptive greeting programs (for example, an animated birthday greeting that installs the Trojan while it plays).

Command Shell Trojans

  • Command shell Trojans give remote control of a command shell on a victim's machine.
  • A Trojan server is installed on the victim's machine, opening a port for the attacker's client to connect.
  • The attacker runs the client on their own machine, connects to that port, and obtains a command shell on the target machine.

Remote Access Trojans (RATs)

  • These Trojans act like remote desktop access software.
  • Hackers gain complete GUI access to the remote system.
  • Victim computers run the Trojan server (server.exe) together with a reverse-connecting component that initiates the connection outward from the victim.
  • The reverse connection goes out over port 80 (so it resembles web traffic) to the attacker's machine; the module's example places the attacker in Russia and other locations.
  • Attackers have complete control over the victim's machine.

Botnet Trojans

  • Botnet Trojans infect multiple computers to create a botnet controlled by a central location (C&C center).
  • Botnets launch denial-of-service attacks, spam campaigns, click fraud, and financial theft.

Evading Anti-Virus Techniques

  • Breaking the Trojan into multiple pieces and zipping it.
  • Writing custom Trojans and embedding them into applications.
  • Changing Trojan syntax to evade detection.
  • Altering file content and checksums (using hex editors).
  • Converting executable files to other types (e.g., script files).
  • Not using Trojans downloaded from the internet, since anti-virus software already detects these readily.

Introduction to Viruses

  • Viruses replicate by attaching themselves to other programs, computer boot sectors, or documents.
  • Viruses spread through downloads, infected disks/flash drives, and email attachments.
  • Virus characteristics include infecting other programs, altering data, transforming themselves, corrupting files/programs, encrypting themselves, and self-replicating.

Stages of Virus Life

  • Design: Creating the virus using programming kits or languages.
  • Replication: Virus replicates in the targeted system.
  • Launch: Virus activates.
  • Detection: Anti-malware software identifies virus as threat.
  • Incorporation: Anti-malware developers add defenses (signatures) for the virus to their products.
  • Elimination: Users eliminate virus threats.

Why People Create Computer Viruses

  • Inflict damage to competitors.
  • Financial benefits.
  • Research projects.
  • Cyber terrorism.
  • Play pranks.
  • Vandalism.

How Computers Get Infected By Viruses

  • Accepting files or downloads without proper verification.
  • Opening infected email attachments.
  • Installing pirated software (unverified).
  • Failing to keep software/plug-ins updated.
  • Not running the latest anti-virus/anti-malware software.

Encryption Viruses

  • Encryption viruses encrypt their own code, using a different key for each infected file.
  • Signature-based anti-virus scanners cannot detect the encrypted body directly, because every copy looks different on disk.

Computer Worms

  • Computer worms are malicious programs that replicate, execute, and spread across networks autonomously.
  • They spread through network connections.
  • Worms may carry a payload (for damage).
  • Some worms use infected computers to create large botnets.

How Worms Differ from Viruses

  • Worms can replicate independently without attaching to other programs.
  • Worms use network resources to spread.
  • Viruses need to attach to a host to spread, whereas worms can replicate and spread independently.

Anti-Virus Sensor Systems

  • Detect and analyze malicious code threats (viruses, worms, and Trojans).

How to Detect Trojans

  • Scan for suspicious open ports.
  • Scan for suspicious startup programs.
  • Scan for suspicious running processes.
  • Scan for suspicious files and folders.
  • Scan for suspicious registry entries.
  • Scan for suspicious network activities.
  • Scan for suspicious device drivers.
  • Scan for suspicious Windows services.
  • Run Trojan scanner to detect Trojans.

Trojan Countermeasures

  • Avoid opening email attachments from unknown senders.
  • Install security updates for operating systems and applications.
  • Block unnecessary ports and use a firewall.
  • Avoid accepting programs through instant messaging.
  • Harden weak default configuration settings for programs.
  • Monitor internal network traffic for unusual ports or encrypted traffic.
  • Scan CDs and DVDs with antivirus before use.
  • Restrict application permissions.
  • Avoid downloading applications or files from untrusted sources.
  • Maintain local workstation file integrity.
  • Employ anti-virus and intrusion detection software.

Backdoor Countermeasures

  • Use commercial anti-virus software to automatically scan and detect backdoors.
  • Educate users about safe application installation practices.
  • Use anti-virus tools like McAfee or Norton to detect and eliminate the backdoors.

Virus and Worms Countermeasures

  • Install effective anti-virus software.
  • Pay attention to download instructions from legitimate sources.
  • Avoid opening attachments from unknown senders.
  • Generate an anti-virus policy for appropriate computing practices.
  • Update antivirus software regularly.
  • Back up data regularly in the event of virus infection.
  • Do not accept disks or programs without verifying their safety.
  • Implement anti-virus software to detect infections.
  • Ensure all executable code complies with organization policy.
  • Do not boot from infected bootable disks.
  • Stay informed about the latest virus threats.
  • Implement internet security policies.
  • Use antivirus/firewall for protection.
  • Be cautious with instant messages.

Anti-Virus Tools

  • The module provides a list of popular anti-virus tools, with a URL for each.

Related Documents

System Hacking PDF
Malware Threats - Module 06 PDF
Sniffing - Module 07 PDF
