Malware Threats and Distribution Techniques

Questions and Answers

Malware can be distributed through socially engineered clickjacking.

True (A)

A Trojan horse can only delete files on a computer.

False (B)

Drive-by downloads exploit flaws in browser software to install malware.

True (A)

Adware is a type of malware that typically only delivers advertisements to users.

True (A)

Compromised legitimate websites are a method used by hackers to distribute malware.

True (A)

A wrapper binds a Trojan executable with a visible .EXE application.

True (A)

A Botnet Trojan infects a single computer to control it for various attacks.

False (B)

A Command Shell Trojan allows an attacker to gain remote control of a victim's command shell.

True (A)

Changing a Trojan's syntax can help it evade detection by antivirus software.

True (A)

Viruses are non-replicating programs that do not attach themselves to other software.

False (B)

A computer worm can replicate itself but cannot attach to other programs.

True (A)

Computer viruses can be detected using signature detection methods.

False (B)

One reason people create computer viruses is for financial benefits.

True (A)

Users can prevent infections by installing pirated software.

False (B)

The stages of a virus life include design, replication, launch, detection, incorporation, and elimination.

True (A)

A worm requires human interaction to spread across networks.

False (B)

Antivirus software developers assimilate defenses against viruses during the elimination phase.

False (B)

Opening infected email attachments can lead to viral infections.

True (A)

Computer viruses use self-replication as a method of spreading.

False (B)

A key difference between a virus and a worm is that a worm spreads automatically without attaching to other programs.

True (A)

Sniffing is a method used to capture data packets over a network.

True (A)

Passive sniffing sends additional data packets to capture traffic.

False (B)

Active sniffing is primarily used in switch-based networks.

True (A)

In a hub-based network, only the host sending the data can capture the traffic.

False (B)

MAC flooding is a technique used in active sniffing.

True (A)

A hacker can extract passwords from redirected traffic.

True (A)

Protocols like HTTPS are vulnerable to sniffing.

False (B)

Sniffers operate at the Data Link layer of the OSI model.

True (A)

A hardware protocol analyzer alters the traffic it captures.

False (B)

Passwords and data sent in clear text are not susceptible to interception.

False (B)

Active wiretapping involves monitoring, recording, and altering communication traffic.

True (A)

Lawful interception requires consent from all parties involved in the communication.

False (B)

Wiretapping is considered a criminal offense without a warrant in most countries.

True (A)

PRISM is a tool designed specifically for domestic surveillance within the United States.

False (B)

A protocol analyzer allows attackers to view the individual bytes of data packets.

True (A)

Passive wiretapping can alter the traffic it monitors.

False (B)

The Keysight N2X N5540A is a type of protocol analyzer.

True (A)

The Access Switch/Tap is not part of the lawful interception process.

False (B)

Wiretapping requires the use of complex algorithms for basic monitoring tasks.

False (B)

The NSA utilizes PRISM to wiretap foreign internet traffic that passes through U.S. servers.

True (A)

In an offline attack, the attacker tries to crack passwords on their own system after copying the target's password file.

True (A)

A brute forcing attack attempts to guess a password using predefined dictionary words.

False (B)

Default passwords are typically supplied by the manufacturer with new equipment.

True (A)

A keylogger sends back user credentials to the attacker after infecting the victim's machine.

True (A)

Password guessing attacks have a high failure rate because the attacker guesses randomly.

True (A)

A rainbow table is used to capture sensitive information like passwords from raw network traffic.

False (B)

In a replay attack, attackers capture packets and authentication tokens to gain access to a system.

True (A)

Enabling information security auditing can help monitor and track password attacks.

True (A)

The passive online attack known as Wire Sniffing is computationally complex and hard to perpetrate.

False (B)

Attacks that utilize cleartext protocols are more secure than those using strong encryption.

False (B)

Using a random string as a prefix or suffix with the password enhances security before encrypting it.

True (A)

Vertical privilege escalation involves acquiring the same level of privileges as another user.

False (B)

Implementing multi-factor authentication can help defend against privilege escalation.

True (A)

Locking out an account after too many incorrect password guesses can prevent brute force attacks.

True (A)

Malicious applications executed during the attack phase are used to gather information and maintain access.

True (A)

Password cracking techniques are used to recover passwords from computer systems.

True (A)

Active online attacks involve the attacker communicating indirectly with the victim machine.

False (B)

Shoulder surfing is a type of non-electronic password attack.

True (A)

Trojans can only be used for deleting files on a computer.

False (B)

Hiding files is a significant goal during the system hacking stage.

True (A)

Flashcards

Malware definition

Malicious software designed to harm or disable computer systems, potentially granting control to the creator for theft or fraud.

Trojan Horse

A type of malware disguised as legitimate software, often used to gain unauthorized access to a system.

Malware distribution methods

Ways attackers spread malware, including exploiting software bugs, social engineering tricks, and compromised websites.

Trojan uses

Trojans can be used to delete files, disable security, generate attacks, create backdoors, and steal information, among other actions.

Trojan Infection Steps

Creating the Trojan, adding a dropper to install it, using a wrapper to install, spreading it, and executing the dropper are steps in using a Trojan.

Trojan Wrapper

A malicious program that disguises itself as a legitimate application, installing a Trojan in the background and then running the legitimate program in the foreground.

Command Shell Trojan

A malicious program that gives attackers remote control of a command shell on a victim's computer.

Remote Access Trojan

A Trojan that allows hackers to gain complete graphical user interface (GUI) access to a remote computer.

Botnet Trojan

A Trojan designed to create a network of infected computers (bots) controlled by an attacker (C&C center).

Virus

A self-replicating program that attaches itself to other programs, computer boot sectors, or documents, copying itself.

Virus Characteristics

Viruses infect programs, alter data, replicate, corrupt files, and encrypt themselves. They're self-replicating.

Virus Life Cycle-Replication

A virus replicates within a system before spreading.

Virus Life Cycle-Launch

Virus starts working when a user activates an infected program.

Why Create Computer Viruses?

People create computer viruses for various motives, including causing damage, financial gain, research, pranks, vandalism, political messaging.

Computer Worm

Self-replicating malicious program that spreads across a network automatically, often consuming resources.

Virus vs. Worm

Worms spread automatically through networks, while viruses need to attach to programs.

Encryption Viruses

Viruses that encrypt files, preventing access. Anti-virus software often cannot detect them.

Infection Methods

Downloading from unknown sources, opening infected email, using pirated software, incomplete program updates.

Virus Replication

The process where a virus makes copies of itself to spread.

Virus Removal

Antivirus software and updates eliminate viruses.

Network Sniffing

The act of monitoring and capturing network data packets passing through a network, like eavesdropping on network conversations.

Promiscuous Mode

A network interface card (NIC) setting that captures all data packets passing through it, regardless of the intended recipient, making it a powerful tool for sniffing.

Passive Sniffing

Capturing network traffic without actively interfering, like a silent observer on a network.

Active Sniffing

A more aggressive form of sniffing that involves actively injecting packets into a network to control the flow of information.

ARP Poisoning

A type of active sniffing where an attacker tricks devices into thinking they are a different network device, allowing them to intercept traffic normally meant for that device.

Sniffing

Intercepting network traffic to capture data packets, including passwords and sensitive information.

Protocols Vulnerable to Sniffing

Communication protocols that send data in plain text, making them susceptible to sniffing attacks.

Data Link Layer Sniffing

Sniffing data in the Data Link layer of the OSI model, where network traffic is captured, allowing attackers to see all the data.

Hardware Protocol Analyzer

A device that captures network traffic without altering it, used to monitor network activity and identify malicious traffic.

How Sniffing Works

Attackers redirect traffic from the victim's machine to themselves, allowing them to capture sensitive information.

Protocol Analyzer

A device that captures and analyzes network data packets, providing insights into network communication.

Wiretapping

The act of intercepting and monitoring communication between two parties without their consent.

Active Wiretapping

Wiretapping that involves not only monitoring and recording but also altering or injecting data into the communication.

Passive Wiretapping

Wiretapping that solely monitors and records communication without interfering with it.

Lawful Interception

Legally authorized monitoring of data communication for the purpose of surveillance, usually by law enforcement agencies.

PRISM

A data collection program designed by the NSA to intercept and analyze foreign intelligence passing through American servers.

What is the purpose of a protocol analyzer?

To capture and analyze network traffic to understand communication patterns, identify security issues, and troubleshoot network problems.

What is the difference between active and passive wiretapping?

Active wiretapping modifies the communication while passive wiretapping only monitors and records it.

Why is lawful interception necessary?

To provide law enforcement agencies with legal access to intercepted data for investigations and to prevent crime.

What is the significance of the PRISM program?

It highlights concerns about government surveillance and data privacy, as it involves collecting large amounts of data from international communication.

Password Cracking Techniques

Methods used to recover passwords from computer systems, often exploiting weak passwords. Attackers use these to gain unauthorized access.

Non-Electronic Password Attacks

Attackers don't need technical skills, relying on social engineering, observation, or physical access to obtain passwords.

Active Online Attacks

Directly communicating with the victim's machine to crack passwords.

Passive Online Attacks

Password cracking without communicating with the victim's machine. Information is intercepted 'passively.'

Types of Password Attacks

Classifications of password cracking techniques based on how the attacker interacts with the target system.

Offline Attack

An attacker copies a target's password file and attempts to crack passwords offline, outside the target's system.

Dictionary Attack

A password cracking method that involves using a pre-compiled list of common words and phrases to try and guess passwords.

Brute Forcing Attack

A method that systematically tries every possible combination of characters until the correct password is found.

Password Guessing

A less frequent attack where an attacker manually attempts a list of possible passwords based on information gathered through social engineering or other means.

Trojan/Spyware/Keylogger Attack

An attacker installs malicious software that secretly records keystrokes (passwords) and sends them to the attacker.

Privilege Escalation

An attack where an attacker with a low-level account gains higher privileges, often using vulnerabilities in the OS or software to reach administrator level.

Vertical Privilege Escalation

Gaining privileges higher than your current ones, like going from a standard user to an administrator.

Horizontal Privilege Escalation

Acquiring the same level of privileges you already have, but taking on the identity of another user with those privileges.

Restricting Interactive Logon Privileges

Limiting the ability to log in directly to a system with administrative privileges, making unauthorized access harder.

Executing Malicious Applications

When attackers run malicious programs on a compromised machine to steal information, gain access, or install backdoors.

USB Drive Attack

An attacker copies downloaded files to a USB drive. When inserted, the autorun feature (if enabled) executes a program (e.g., PassView), capturing passwords and saving them to a text file on the drive. The attacker then extracts the passwords from the file.

Wire Sniffing

Attackers use packet sniffer tools to monitor and record all network traffic on a local area network (LAN). This can capture sensitive information like passwords, emails, and other data.

Replay Attack

Attackers capture network packets containing authentication tokens using a sniffer. They then replay these tokens on the network to gain unauthorized access to the target system.

Rainbow Table Attack

Attackers use precomputed tables containing lists of passwords and their corresponding hash values. They then compare captured password hashes to the table to find matches and crack passwords.

Password Change Policy

A set of rules that dictate how often users must change their passwords and what criteria they must meet. A strong policy can make password cracking less effective.

Study Notes

Malware Threats

  • Malware is malicious software designed to damage or disable computer systems, granting the creator limited or full control for theft or fraud.
  • Examples of malware include Trojan Horses, viruses, backdoors, worms, rootkits, spyware, ransomware, botnets, adware, and crypters.

Ways Malware Enters Systems

  • Instant messaging applications (IRC, etc.)
  • Browser and email software bugs
  • Removable devices
  • Attachments
  • Legitimate "shrink-wrapped" software (disgruntled employee)
  • NetBIOS (file sharing)
  • Fake programs
  • Untrusted sites and freeware
  • Downloading files, games, and screensavers from Internet sites

Malware Distribution Techniques

  • Blackhat SEO: Ranking malware pages highly in search results.
  • Social Engineering (Clickjacking): Tricking users into clicking on innocent-looking webpages.
  • Malvertising: Embedding malware in ad networks displayed across many legitimate sites.
  • Spearphishing Sites: Mimicking legitimate institutions to steal login credentials.
  • Compromised Legitimate Websites: Hosting embedded malware that spreads to visitors.
  • Drive-by Downloads: Exploiting browser flaws to install malware by visiting a webpage.

How Hackers Use Trojans

  • Delete or replace critical operating system files.
  • Disable firewalls and antivirus.
  • Generate fake traffic to create DDoS attacks.
  • Record screenshots, audio, and video of victim's PC.
  • Use victim's PC for spamming, blasting email messages, and downloading malicious files.
  • Create backdoors to gain remote access.
  • Use the victim's PC as a proxy server for relaying attacks.
  • Use victim's PC as a botnet to perform DDoS attacks.
  • Steal information like passwords, security codes, credit cards using keyloggers.

How to Infect Systems Using a Trojan (Steps)

  • Create a new Trojan packet using a Trojan Horse Construction Kit.
  • Create a dropper, which installs malicious code on the target system.
  • Create a wrapper using wrapper tools to install Trojan on the victim's computer.
  • Propagate the Trojan.
  • Execute the dropper.
  • Execute the damage routine.

Wrappers

  • Bind a Trojan executable with an innocent-looking .EXE application, like games or office programs.
  • Installation happens in the background while the application runs in the foreground.
  • Two programs are wrapped into a single file.
  • Attackers might send a birthday greeting that installs a Trojan.

Command Shell Trojans

  • Give remote control of a command shell.
  • Trojan server installed on the victim's machine opens a port for attacker connection.
  • The attacker's client machine launches a command shell on the victim's machine.

Remote Access Trojans (RATs)

  • Trojan works like a remote desktop access program.
  • Hacker gains complete GUI access to the remote system.
  • An attacker can control the infected computer remotely.

Botnet Trojans

  • Infect a large number of geographically dispersed computers to create a network of controllable "bots" managed from a Command and Control (C&C) center.
  • Botnet is used to launch various attacks like denial-of-service attacks, spamming, click fraud, and theft of financial information.

Evading Anti-Virus Techniques

  • Break the Trojan file into multiple pieces and zip them as a single file.
  • Write your own Trojan and embed it in an application.
  • Change Trojan's syntax (e.g., convert EXE to VB script, change extensions).
  • Change content using a hex editor, alter checksum, and encrypt the file.
  • Never use Trojans downloaded from the web.

Introduction to Viruses

  • Self-replicating programs that spread by attaching to programs, boot sectors, or documents.
  • Typically spread via downloads, infected drives, or email attachments.
  • Virus Characteristics: Infects other programs, alters data, transforms itself, corrupts files, and encrypts or replicates itself.

Stages of Virus Life Cycle

  • Design (developing the virus code).
  • Replication (virus replicates in the system).
  • Launch (the virus is activated when a user runs the infected program).
  • Detection (the virus is identified as a threat).
  • Incorporation (antivirus software developers create defenses against the virus).
  • Elimination (users install antivirus software to remove virus threats).

Why People Create Computer Viruses

  • Inflict damage to competitors
  • Financial benefits
  • Research projects
  • Play pranks
  • Vandalism
  • Distribute political messages
  • Cyberterrorism

How a Computer Gets Infected by Viruses

  • Accepting files/downloads without checking the source.

Encryption Viruses

  • Encipher the code with a different key for each affected file.
  • Difficult for antivirus scanners to directly detect due to encryption.

Computer Worms

  • Malicious programs that replicate, execute, and spread across networks independently.
  • Created to replicate and spread across a network; some carry payloads to damage the system.
  • Attackers use worms to install backdoors (turning computers into zombies), creating botnets for further attacks.

Worms vs. Viruses

  • Worms replicate independently, spreading through networks.
  • Worms don't need to attach themselves to another program, while viruses do.

Anti-Virus Sensor Systems

  • A collection of software that detects and analyzes malicious code threats (viruses, worms, Trojans).

How to Detect Trojans

  • Scan for suspicious open ports, running processes, files/folders, registry entries, network activities, device drivers and Windows services.
  • Use Trojan scanners.

Trojan Countermeasures

  • Avoid opening email attachments from unknown senders.
  • Install operating system and application patches/updates.
  • Block unnecessary ports using a firewall.
  • Avoid accepting programs from instant messaging.
  • Harden default configuration settings.
  • Monitor internal network traffic.
  • Scan CDs/DVDs with antivirus software.
  • Restrict permissions in the desktop and avoid blindly installing programs.
  • Maintain local workstation file integrity.
  • Avoid downloading from untrusted sources.
  • Use host-based AV, firewall, and intrusion detection software.

Backdoor Countermeasures

  • Use commercial antivirus (scans and detects backdoor programs).
  • Educate users not to install apps from untrusted sources and attachments.
  • Use anti-virus tools (e.g., McAfee, Norton).

Virus and Worm Countermeasures

  • Install anti-virus software to prevent and remove infections.
  • Be attentive when downloading and pay attention to instructions.
  • Avoid opening unknown sender attachments.
  • Create an antivirus policy.
  • Update the anti-virus software regularly.
  • Back up data regularly as viruses can corrupt it.
  • Don't accept disks or programs without proper checking.
  • Use currently updated anti-virus software.

Virus and Worms Countermeasures (Continued)

  • Ensure executable code sent to the organization is approved.
  • Avoid booting with infected bootable disks.
  • Know about the latest virus threats.
  • Check DVDs/CDs for virus infections.
  • Use pop-up blockers and internet firewalls.
  • Run disk cleanup, registry scanner, and defragmentation.
  • Turn on the firewall if using Windows XP.
  • Run anti-spyware/adware.
  • Don't open files with multiple extensions.
  • Be cautious about files transmitted via instant messaging.

Anti-Virus Tools

  • A list of common anti-virus tools is included.

Related Documents

System Hacking PDF
Malware Threats - Module 06 PDF
Sniffing - Module 07 PDF
