Malware Threats and Distribution Techniques

Questions and Answers

What is the primary purpose of malware?

  • To enhance user experience
  • To provide software updates
  • To damage or disable computer systems (correct)
  • To improve system performance

Which method is NOT commonly used to distribute malware?

  • Downloading games from the Internet
  • Using blackhat SEO techniques
  • Visiting compromised legitimate websites
  • Sending unencrypted emails (correct)

What is one of the functions of a Trojan in a cyber attack?

  • Creating backdoors for remote access (correct)
  • Creating legitimate software updates
  • Enhancing antivirus capabilities
  • Blocking users from malware sites

Which of the following is a type of malware?

Worm (A)

How can malware installations occur through drive-by downloads?

By exploiting browser software flaws (B)

What is the primary function of a wrapper when used with a Trojan executable?

To bind the Trojan with an innocent application (C)

Which of these is a characteristic of a Remote Access Trojan?

Provides the attacker with complete GUI access (D)

What technique can be used to evade anti-virus detection?

Changing the .EXE extension to obscure formats (C)

What do Botnet Trojans primarily accomplish?

Create a network of controlled computers for various attacks (B)

What defines a computer virus?

A self-replicating program that attaches to other programs (D)

What is one characteristic of a computer virus?

Self-replication (A)

What is the first stage of a virus's life cycle?

Design (D)

Which of the following is a reason people create computer viruses?

Cyber terrorism (A)

How can a computer become infected by a virus?

By accepting files without proper checks (D)

Which type of virus can encrypt its code?

Encryption viruses (B)

What distinguishes a worm from a virus?

Worms self-replicate across networks (B)

During which stage does antivirus software assimilate defenses against a virus?

Incorporation (C)

What happens during the launch stage of a virus's life?

User actions activate the virus (D)

How do attackers use worm payloads?

To install backdoors in infected systems (A)

What is a common misconception about how viruses function?

They can operate without a host (B)

What is the process of capturing and monitoring data packets in a network called?

Sniffing (C)

Which sniffing method involves injecting packets into the network to manipulate the switch’s CAM table?

Active Sniffing (A)

What mode must a network interface card (NIC) be set to in order to capture all data on a segment?

Promiscuous Mode (B)

Which of the following is NOT classified as a technique of active sniffing?

Traffic Analysis (A)

What is a common issue due to open switch ports in enterprises?

Unmonitored access to the network (A)

What is the primary function of wiretapping?

To monitor and record conversations. (A)

Which of the following is a type of wiretapping that involves altering data traffic?

Active Wiretapping (C)

Which hardware protocol analyzer is NOT listed in the provided content?

Cisco Packet Tracer (A)

What must typically exist for lawful interception to take place?

Court order or request (D)

Which tool is specifically designed to collect and process foreign intelligence data passing through American servers?

PRISM (A)

What type of information does passive wiretapping primarily focus on?

Monitoring and recording data traffic. (B)

What is a potential consequence of wiretapping without consent?

Criminal offense in most countries. (C)

Which component is involved in lawful interception for accessing intercepted data?

Access Switch/Tap (D)

What role do service providers play in lawful interception?

They set an access switch/tap on exchange routers. (D)

Which type of wiretapping strictly observes data without altering it?

Passive Wiretapping (D)

Which of the following protocols is NOT vulnerable to sniffing?

SSH (C)

What is the function of a hardware protocol analyzer?

To capture and analyze signals without modifying data (C)

At which layer of the OSI model do sniffers primarily operate?

Data Link layer (D)

Which of the following types of data is most at risk during sniffing attacks?

Passwords and sensitive information (A)

Why might upper layers of the OSI model remain unaware of sniffing occurring at the Data Link layer?

Upper layers are designed to work independently. (D)

What is the primary goal when performing password cracking techniques?

To bypass access controls (A)

Which of the following is considered a non-electronic attack for password cracking?

Shoulder Surfing (C)

Which technique is used to execute applications once access to the system has been gained?

Trojans (C)

What type of attack involves the attacker communicating directly with the victim machine?

Active Online Attack (A)

What technique is primarily used to hide evidence of a hacker's activities?

Clearing Logs (D)

What is a dictionary attack primarily based on?

User account information and a list of potential passwords (B)

Which of the following options best describes a brute forcing attack?

Trying every possible combination of characters (A)

How does a Trojan/Spyware/Keylogger attack typically operate?

By running in the background to capture user credentials (B)

What is a significant characteristic of password guessing attacks?

They have a low success rate and are conducted with automated tools. (C)

What type of password is primarily targeted in default password attacks?

Manufacturer-supplied passwords for new devices (D)

What is the primary method used by attackers in a rainbow table attack?

Precomputing and using a hash value table (C)

What is a key characteristic of a Replay Attack?

It uses previously captured authentication tokens (A)

Which of the following is NOT a recommended defense against password cracking?

Using system default passwords (C)

Which technique is used to monitor network traffic in a passive online attack?

Packet Sniffing (B)

What must an attacker ensure in order to effectively execute a Man-in-the-Middle (MITM) attack?

Trust from one or both communication sides (D)

What is vertical privilege escalation?

Gaining higher privileges than the existing ones (D)

Which method can be employed to defend against privilege escalation attacks?

Implement multi-factor authentication (C)

What should be avoided when creating passwords?

Incorporating personal information like names or birthdays (D)

What occurs during the phase referred to as 'owning' the system?

Executing malicious programs remotely on the victim's machine (B)

What action should be taken when an account has too many incorrect password guesses?

Lock the account temporarily (B)

Flashcards

Malware Definition

Malicious software designed to harm or disable computer systems, often giving attackers control for theft or fraud.

Trojan Horse Malware

Disguised software that tricks users into installing malicious code, granting attackers unauthorized access to a system.

Malware Distribution Techniques

Methods used by attackers to spread malware, often through social engineering, compromised websites, or malicious advertisements.

Trojan Infection Steps

A step-by-step process for an attacker to install malicious software onto a targeted system using Trojans, including creating a Trojan packet, dropper, wrapper, and propagation.

Malware Infection Vectors

The various ways malware can enter a system, such as through instant messaging, file attachments, legitimate software, or malicious websites.

Trojan Wrapper

A Trojan that disguises itself as a legitimate application, installing a malicious program in the background before running the wrapping application.

Command Shell Trojan

A Trojan that gives remote access to a command shell on the victim's computer, allowing attackers to control it from their own system.

Remote Access Trojan (RAT)

A Trojan that provides complete graphical access to the victim's system, just like a remote desktop application controlled by the attacker.

Botnet Trojan

A Trojan that infects many computers, creating a network of bots controlled by a central command center for various attacks, like denial-of-service.

Virus

A self-replicating program that spreads by attaching itself to other programs or files, often through downloads or infected media.

Virus Characteristics

Computer viruses infect programs, alter data, transform themselves, corrupt files/programs, encrypt themselves, and self-replicate.

Virus Replication

The process where a virus copies itself, spreading within the target system before spreading further.

Virus Launch

The activation of a virus when a user triggers an infected program or performs actions that activate the virus.

Virus Detection

The process of identifying a virus that has infected the target system.

Computer Worm

A malicious program that replicates itself and spreads through networks without human interaction.

Worm vs. Virus (Difference)

Worms replicate themselves across the network using network features, while viruses attach to programs and do not spread across a network on their own.

Encryption Virus

A virus that encrypts files using different keys, making it harder for antivirus software to detect.

How a computer gets infected

Opening infected file attachments, installing pirated software, and failing to update antivirus software.

Virus Motivation

Creating viruses can be for causing damage to competitors, financial gain, research, pranks, vandalism, cyberterrorism, or spreading messages.

Virus Stages

Virus development, replication, launch, detection, antivirus incorporation, and elimination are the stages of virus lifecycle.

Sniffing

A common technique for attackers to intercept and capture network traffic going between computers, often without the sender or receiver's knowledge.

Protocols Vulnerable to Sniffing

Protocols that transmit data in plain text, making them susceptible to sniffing, as attackers can easily read the contents of communications.

Data Link Layer Sniffing

Sniffing occurs at the Data Link layer of the OSI model, allowing attackers to capture network packets before they are processed by upper OSI layers.

Hardware Protocol Analyzer

A dedicated device that captures network traffic without interfering with the flow of data, providing detailed information for network monitoring and security analysis.

Why is Sniffing a Threat?

Sniffing allows attackers to steal sensitive information like passwords, credit card details, or confidential communications, posing a serious threat to cybersecurity.

Promiscuous Mode

A network interface card (NIC) mode where it captures all data packets on the network, not just those intended for the device itself.

Passive Sniffing

Capturing data packets on a network that uses a hub, without injecting any traffic.

Active Sniffing

Sniffing data packets on a network using a switch, which involves injecting ARP packets to change how the switch directs traffic.

ARP Poisoning

A technique used in active sniffing where an attacker sends false ARP packets to associate their device with a victim's IP address, redirecting traffic to them.

Protocol Analyzer

A tool that captures network data packets, decodes them, and analyzes their content based on predefined rules.

Wiretapping

The act of secretly listening to or recording communications (phone calls, internet traffic) without the consent of the parties involved.

Active Wiretapping

A type of wiretapping where the attacker not only monitors and records traffic but also modifies or injects data into the communication.

Passive Wiretapping

A type of wiretapping where the attacker only listens and records the communication without altering or injecting anything.

Lawful Interception

The legal process of intercepting communications for surveillance purposes under court order or legal authorization.

PRISM

A data collection program designed to collect and process foreign intelligence data passing through American servers.

Data Packet

A unit of data transmitted over a network, containing information like the sender, receiver, and the actual data being sent.

Data Flow

The movement of data through a communication system, like a stream of information flowing from one point to another.

Foreign Intelligence

Information gathered about the activities of other countries or organizations, particularly for national security purposes.

U.S. Server

A computer located within the United States that stores and processes data, often used for hosting websites, applications, and online services.

Password Cracking

Methods used to gain unauthorized access to systems by recovering passwords. Often relies on weak or easily guessed passwords.

Shoulder Surfing

Non-electronic password attack where the attacker observes someone typing their password.

Dictionary Attack

Active online attack that tries to guess a password by using a list of common words and phrases.

Wire Sniffing

Passive online attack that intercepts network traffic to capture passwords and data.

Man-in-the-Middle

Passive online attack where an attacker intercepts communication between two parties, appearing as both.

Offline Attack

An attack where the attacker copies the target's password file and attempts to crack passwords offline, without directly interacting with the victim's system.

Brute Forcing Attack

A password cracking technique where the attacker systematically tries every possible combination of characters until the correct password is found.

Rule-based Attack

A password cracking technique where the attacker uses information about the password, such as its length or character types, to narrow down the possibilities.

Trojan/Spyware/Keylogger Attack

An attack where the attacker installs malicious software (Trojan, Spyware, Keylogger) on the victim's computer to steal their credentials.

USB Drive Attack

An attacker copies a password-stealing program to a USB drive; when the drive is inserted, the autorun feature executes the program, which harvests passwords and stores them on the USB drive.

Replay Attack

Attackers capture network packets and authentication tokens using a sniffer and then replay them later to gain unauthorized access.

Man-in-the-Middle (MITM) Attack

Attackers intercept communication between a user and a server, gaining access to information exchanged between them.

Rainbow Table Attack

Attackers use precomputed tables containing common passwords and their hash values to crack captured passwords.

Privilege Escalation

An attacker gaining higher privileges than their current access level.

Vertical Privilege Escalation

Gaining higher privileges than the current level, like going from a user to an administrator.

Horizontal Privilege Escalation

Gaining the same level of privileges but assuming the identity of another user with similar access.

Restrict Interactive Logon

Limiting who can directly log in to a system, reducing the chance of unauthorized access.

Least Privilege Principle

Running users and applications with the minimal privileges necessary for their tasks, minimizing potential damage.

Study Notes

Malware Threats

  • Malware is malicious software that damages or disables computer systems, granting limited or complete control to the creator for theft or fraud.
  • Examples of malware include Trojan Horses, viruses, backdoors, worms, rootkits, spyware, ransomware, botnets, adware, and crypters.

Ways Malware Enters a System

  • Instant messenger applications (IRC, etc.)
  • Browser and email software bugs
  • Removable devices
  • Attachments
  • Legitimate "shrink-wrapped" software (planted by disgruntled employees)
  • NetBIOS (File Sharing)
  • Fake programs
  • Untrusted sites and freeware
  • Downloading files, games, and screensavers from the internet.

Common Malware Distribution Techniques

  • Blackhat SEO: Ranking malware pages highly in search results.
  • Social Engineering: Tricking users into clicking malicious links or downloads.
  • Clickjacking: Tricking users into clicking innocent-looking links or webpages that trigger malware installation.
  • Malvertising: Embedding malware within ad networks.
  • Spearphishing: Mimicking legitimate institutions to steal login credentials.
  • Compromised Legitimate Websites: Hiding malware on legitimate websites to infect visitors.
  • Drive-by Downloads: Exploiting vulnerabilities in browser software to install malware simply by visiting a webpage.

How Hackers Use Trojans

  • Deleting or replacing critical operating system files.
  • Disabling firewalls and antivirus software.
  • Generating fake traffic to trigger DoS attacks.
  • Recording screenshots, audio, and video of the victim's PC.
  • Using the victim's PC for spamming and sending emails.
  • Downloading spyware, adware, and malicious files.
  • Creating backdoors for remote access.
  • Infecting as a proxy server for relaying attacks.
  • Using the victim's PC as a botnet to execute DDoS attacks.
  • Stealing information like passwords, security codes, and financial details using keyloggers.

How to Infect Systems Using a Trojan

  • Create a new Trojan packet using a Trojan Horse Construction Kit.
  • Create a dropper, which installs the malicious code on the target system.
  • Create a wrapper using wrapper tools to install the Trojan on the victim's computer.
  • Propagate the Trojan.
  • Execute the dropper.
  • Execute the damage routine.

Wrappers

  • Bind a Trojan executable to an innocent-looking application (games or office apps).
  • When executed, the wrapper first installs the Trojan in the background and then runs the wrapping application in the foreground.
  • Combine multiple programs into one single file.
  • Attackers might disguise a malicious Trojan installation as a harmless greeting.

Command Shell Trojans

  • Give remote control of a command shell on a victim's machine.
  • The Trojan server is installed on the victim's machine, opening a port for the attacker to connect.
  • The attacker's client machine is used to launch a command shell on the victim's machine.

Remote Access Trojans (RATs)

  • Act like remote desktop access, granting hackers complete GUI access to the target system.
  • The Trojan infects a computer (e.g., server.exe) and connects to Port 80, establishing a reverse connection with the attacker.
  • The attacker gains complete control over the infected machine.

Botnet Trojans

  • Infect a large number of computers to create a network of bots controlled by a C&C (Command and Control) center.
  • Used to launch various cyber-attacks such as denial-of-service, spamming, click fraud, and financial information theft.

Evading Anti-Virus Techniques

  • Breaking the Trojan file into multiple pieces and zipping them as a single file.
  • Writing custom Trojans and embedding them into applications.
  • Changing Trojan syntax (e.g., converting EXE to VB script, changing extensions).
  • Modifying Trojan content using a hex editor and changing checksums.
  • Never using Trojans downloaded from the web.

Introduction to Viruses

  • Self-replicating programs that copy themselves by attaching to programs, boot sectors, or documents.
  • Often transmitted via file downloads, infected flash drives, and email attachments.
  • Characteristics include infecting other programs, altering data, corrupting files, transforming themselves, encrypting themselves, and self-replicating.

Stages of Virus Life Cycle

  • Design: Developing virus code using programming languages or construction kits.
  • Replication: Virus replicates for a time in the target system before spreading.
  • Launch: Virus is activated when the user performs certain actions.
  • Detection: Antivirus software detecting the virus.
  • Incorporation: Antivirus software incorporating defenses against the virus.
  • Elimination: Users install antivirus updates to remove the virus threat.

Why People Create Computer Viruses

  • Inflict damage to competitors.
  • Achieve financial benefits.
  • Conduct research projects.
  • Play pranks
  • Vandalism
  • Cyberterrorism
  • Distribute political messages

How a Computer Gets Infected by Viruses

  • Accepting files and downloads without checking the source.
  • Opening infected email attachments.
  • Installing pirated software.
  • Not updating or installing new versions of plug-ins.
  • Not running the latest antivirus application.

Encryption Viruses

  • Viruses that use simple encryption to encipher the code.
  • Each infected file is encrypted using a different key.
  • Antivirus scanners cannot detect them using signature detection methods.

Computer Worms

  • Self-replicating malicious programs that spread across networks without human interaction.
  • Most spread only to consume resources; some carry a payload that damages the system.
  • Attackers use worm payloads to create backdoors on infected computers, forming botnets for further attacks.

How a Worm Differs from a Virus

  • Worms replicate on their own and use memory to spread, but cannot attach themselves to other programs; viruses attach to other programs.
  • Worms utilize network features for propagation, while viruses don't spread automatically across a network.

Anti-Virus Sensor Systems

  • Computer software that detects and analyzes malicious code.
  • Detects various threats, including viruses, worms, and Trojans.
  • Commonly used with sheep dip computers.

How to Detect Trojans

  • Scanning for suspicious open ports.
  • Scanning for suspicious startup programs.
  • Scanning for suspicious running processes.
  • Scanning for suspicious files and folders.
  • Scanning for suspicious registry entries.
  • Scanning for suspicious network activities.
  • Scanning for suspicious device drivers.
  • Scanning for suspicious Windows services.
  • Running a Trojan scanner.

Trojan Countermeasures

  • Avoid opening unknown email attachments.
  • Install security updates for operating systems and applications.
  • Block unnecessary network ports.
  • Avoid accepting programs via instant messaging.
  • Harden default configuration settings.
  • Monitor network traffic for anomalies.
  • Scan CDs and DVDs with antivirus software.
  • Restrict permissions for applications and prevent malicious applications' installation.
  • Avoid blindly typing commands or running pre-fabricated programs and scripts.
  • Ensure file integrity.
  • Download and run software only from trusted sources.
  • Run host-based antivirus, firewall, intrusion detection software.

Backdoor Countermeasures

  • Utilize commercial antivirus products for automatic backdoor detection and removal.
  • Educate users to avoid downloading applications from untrusted sources and phishing links.
  • Utilize anti-virus tools to detect and remove backdoors.

Virus and Worms Countermeasures

  • Install reliable anti-virus software to detect and remove viruses and worms.
  • Implement an anti-virus policy for safe computing.
  • Regularly update anti-virus software.
  • Maintain data backups.
  • Carefully inspect any software or files before execution.
  • Check files from unknown sources with a current antivirus version before running them.
  • Employ pop-up blockers and firewalls to prevent malicious program execution.
  • Scan DVDs and CDs before opening.
  • Be cautious with emails and instant messages.

Anti-Virus Tools

  • Provides a list of various anti-virus tools with associated URLs.
