Malware Threats and Entry Points


Questions and Answers

Malware can only get into a system through removable devices.

False (B)

Social Engineered Click-jacking is a technique where users are tricked into clicking on seemingly harmless webpages.

True (A)

Drive-by Downloads require users to actively download malware from a website.

False (B)

A Trojan can be used to disable a computer's firewall and antivirus software.

True (A)

Ransomware is a type of malware designed to record audio and video from a victim's computer.

False (B)

A wrapper binds a Trojan executable with an innocent looking application, allowing it to install in the background while showing a fake interface.

True (A)

Botnet Trojans can only infect computers within a localized area, limiting their reach.

False (B)

Changing a Trojan's syntax, such as converting an EXE file to VB script, is a technique used to evade anti-virus detection.

True (A)

A Remote Access Trojan allows an attacker to gain complete GUI access to a victim's machine.

True (A)

Viruses are programs that require a user to run them in order to replicate and spread.

True (A)

A virus cannot replicate itself without human interaction.

True (A)

Encryption viruses can be detected directly using standard signature detection methods.

False (B)

Computer worms require user interaction to spread across a network.

False (B)

The incorporation stage of a virus life cycle involves the development of new variants of the virus.

False (B)

Vandalism is one of the reasons people might create computer viruses.

True (A)

Self-replication is a characteristic of computer viruses.

True (A)

Installing pirated software can potentially lead to a computer being infected by viruses.

True (A)

Computer worms can attach themselves to other programs like viruses do.

False (B)

The launch stage of a virus' life cycle occurs when it is activated by the user.

True (A)

Antivirus software can effectively eliminate all types of computer viruses without regular updates.

False (B)

Passive sniffing requires the use of switches to capture all network traffic.

False (B)

Active sniffing techniques can mislead a switch's Content Addressable Memory table.

True (A)

In promiscuous mode, a network interface controller (NIC) can capture traffic intended for all devices on a network segment.

True (A)

Modern networks primarily utilize hubs to send traffic to all connected devices.

False (B)

Sniffing is simply the act of sending packets within a network to observe traffic patterns.

False (B)

Protocols vulnerable to sniffing do not include HTTPS.

True (A)

A hardware protocol analyzer is designed to change the network traffic it captures.

False (B)

Sniffers can operate independently of the upper layers of the OSI model.

True (A)

Keystrokes including user names and passwords are protected when transmitted over Telnet.

False (B)

The initial compromise occurs at the Physical layer of the OSI model.

False (B)

Active wiretapping only monitors and records the traffic without altering it.

False (B)

Wiretapping without a warrant or consent is considered legal in most countries.

False (B)

Lawful interception requires a court order for intercepting data communication.

True (A)

Keysight N2X N5540A is classified as a protocol analyzer hardware.

True (A)

PRISM is a tool designed for monitoring domestic data communication exclusively.

False (B)

Passive wiretapping can alter the content of the communication being monitored.

False (B)

The FLUKE Networks OptiView® XG Network Analyzer is one of the tools used for wiretapping.

False (B)

An access switch/tap is used in lawful interception to monitor data communication.

True (A)

Wiretapping can only be done for traditional telecommunications and not for VoIP.

False (B)

The NSA uses PRISM to wiretap a large volume of domestic internet traffic.

False (B)

A dictionary attack uses a file loaded with potential password combinations to crack user accounts.

True (A)

Rainbow tables are an example of an online attack where the attacker cracks passwords in real-time on the victim's system.

False (B)

Brute forcing attacks attempt every possible password combination until the correct one is found.

True (A)

Default passwords are unique to each individual device and cannot be exploited by attackers.

False (B)

Trojan, spyware, and keylogger attacks involve physically infecting a victim's machine without their knowledge.

True (A)

Password cracking techniques are only used through electronic means.

False (B)

Escalating privileges in system hacking refers to acquiring the rights of another user or an admin.

True (A)

Covering tracks involves creating evidence of compromise.

False (B)

Active online attacks require the attacker to communicate directly with the victim machine.

True (A)

Rootkits are primarily used for password cracking.

False (B)

In a replay attack, an attacker captures packets and authentication tokens and uses them later to gain access.

True (A)

Rainbow table attacks make it extremely difficult to recover passwords from captured hashes.

False (B)

Packet sniffing tools can only capture data over wireless networks.

False (B)

Enabling information security audits is an effective measure against password attacks.

True (A)

Man-in-the-Middle attacks are relatively easy to perpetrate as they do not require trust from any party.

False (B)

Vertical privilege escalation involves assuming the identity of another user with the same privileges.

False (B)

Using a strong password for SYSKEY is recommended to protect the SAM database.

True (A)

Running users and applications on the least privileges is a method to prevent privilege escalation.

True (A)

Monitoring logs for brute force attacks is unnecessary if accounts are locked after multiple incorrect guesses.

False (B)

Encrypting sensitive data can protect it from unauthorized access during privilege escalation attacks.

True (A)

Flashcards

Malware Definition

Malicious software designed to harm or disable computer systems, or give unauthorized control to the creator for theft or fraud.

Trojan Horse Function

A type of malware that disguises itself as harmless software, allowing hackers to gain unauthorized access and control over a computer system.

Malware Distribution Techniques

Methods used by hackers to spread malware, including malicious websites, compromised legitimate sites, and drive-by downloads.

Trojan's Effects

Trojans can delete critical files, disable security software, generate attacks, create backdoors, and steal information.

Malware Infection Methods

Malware can enter systems through various means, such as malicious links, infected attachments, or exploiting software vulnerabilities.

Trojan Wrapper

A Trojan that bundles itself with a legitimate application (like a game or office program).

Command Shell Trojan

A Trojan that gives remote access to a command prompt (shell) on the victim's computer.

Remote Access Trojan (RAT)

A Trojan that provides complete graphical user interface (GUI) access to a victim's computer from a remote location.

Botnet Trojan

A Trojan that infects many computers to form a network controlled by the attacker's Command and Control center.

Virus

A self-replicating program that attaches to other programs or system files, spreading copies of itself.

Virus Characteristic

A computer virus infects other programs, alters data, replicates, corrupts files, encrypts itself, and damages systems.

Virus Life Cycle (Stage 1)

Virus development using programming languages or special kits.

Virus Life Cycle (Stage 2)

Virus replicates within a system, then spreads to others.

Virus Life Cycle (Stage 3)

Virus activation triggered by user action (like opening a file).

Virus Life Cycle (Stage 4)

A virus is identified and recognized as a threat.

Virus Life Cycle (Stage 5)

Antivirus developers create defenses against the virus.

Virus Life Cycle (Stage 6)

Users install updates or antivirus software to remove the virus.

Malware Motivation (Example)

People create viruses for various reasons, including harming competitors, personal gain, research, pranks, vandalism, or political messages.

Computer Infection Ways

Computers get infected by opening suspicious email attachments, installing pirated software, ignoring updates, and not using the latest antivirus.

Encryption Virus Feature

Encryption viruses encrypt their code to avoid detection by antivirus software.

Sniffing

A network attack where an attacker intercepts and reads network traffic passing through a network, potentially capturing sensitive data like passwords and user credentials.

Protocols Vulnerable to Sniffing

Certain network protocols transmit data in plain text, making them susceptible to sniffing attacks. Examples include HTTP, Telnet, FTP, and POP3.

Data Link Layer Sniffing

Sniffers operate at the Data Link layer of the OSI model, capturing network traffic before it's processed by higher layers, making it invisible to the targeted application.

Hardware Protocol Analyzer

A specialized device that captures network traffic without altering it, allowing security professionals to monitor network activity and detect suspicious behavior.

What is a hardware protocol analyzer used for?

Hardware protocol analyzers are used to monitor network traffic and identify malicious network traffic generated by hacking software installed on the network.

What does sniffing involve?

Sniffing is the process of capturing and analyzing network traffic data packets. This is done by listening to all data passing through a specific network segment, often using sniffing tools.

What is promiscuous mode?

Promiscuous mode is a network interface card (NIC) setting that allows the card to capture all network traffic passing through it, not just the data intended for the device. It enables sniffing tools to capture all data packets, even those not directed at the sniffing device.

Passive Sniffing

Passive sniffing involves capturing network traffic without actively modifying or altering the network. It typically occurs on networks using hubs where all traffic is broadcast to every device connected.

Active Sniffing

Active sniffing involves actively manipulating network traffic to capture data. This often involves using techniques like ARP spoofing to redirect traffic through the attacker's device, allowing them to capture data packets not intended for their device.

ARP Poisoning

ARP poisoning is a technique used in active sniffing where an attacker sends false ARP messages to a network, to deceive other devices and cause them to send traffic through the attacker's device.

Protocol Analyzer

A device that captures data packets, decodes them, and analyzes their content based on predefined rules. It provides insights into network traffic, helping identify issues and potential security threats.

Wiretapping

Secretly monitoring and recording conversations or data transmissions between two parties without their knowledge or consent. It's an invasive method of gathering information and often illegal.

Active Wiretapping

Wiretapping that not only monitors and records communication but also modifies it or injects new data into the traffic flow.

Passive Wiretapping

Wiretapping that solely focuses on monitoring and recording communication without making any changes to it.

Lawful Interception

Legally authorized monitoring of communications data for surveillance purposes, usually involving court orders or requests for wiretaps.

PRISM

A data collection program designed to gather and analyze foreign intelligence data that passes through US servers, raising concerns about privacy and potential abuse.

Hardware Protocol Analyzer Example

A physical device used for analyzing network traffic, providing in-depth insights into the network's behavior and performance.

Wiretapping Case Study

A real-world example of how wiretapping techniques are used to monitor and collect data, potentially raising ethical and legal concerns.

Data Packet

A unit of data transmitted over a network, containing information about the sender, receiver, and the data itself.

Predetermined Rules

Specific criteria or patterns used to analyze data packets, helping to identify anomalies or interesting information.

Offline Attack (Password Cracking)

An attacker steals a target's password file and attempts to decipher passwords offline using various methods.

Rainbow Table

A pre-computed database of password hashes used to quickly crack passwords offline.

Dictionary Attack

An attack that uses a list of common words and phrases to guess passwords.

Brute Forcing Attack

An attack that tries every possible combination of characters until the correct password is found.

Password Guessing Attack

An attacker uses gathered information to create a list of potential passwords and tries them manually.

What is System Hacking?

The process of exploiting system vulnerabilities to gain unauthorized access, escalate privileges, execute malicious code, hide activities, and cover tracks.

Password Cracking

Techniques used to recover passwords from systems, often by trying multiple combinations until the correct one is found.

Types of Password Attacks

Different approaches to cracking passwords, categorized by the attacker's method and communication with the target system.

Non-Electronic Attacks

Password cracking methods that don't involve computers, relying on social engineering or physical access.

Active Online Attacks

Password cracking techniques that involve direct communication with the target system, such as brute forcing or phishing.

USB Drive Attack

An attacker copies downloaded files to a USB drive, then uses the drive to execute a program (like PassView) that steals passwords and stores them in a .TXT file on the USB drive.

Wire Sniffing

A passive online attack where attackers use tools to capture and record network traffic, including sensitive information like passwords and emails.

Replay Attack

An attacker captures and records authentication tokens from network traffic. They then replay these tokens to gain unauthorized access.

Man-in-the-Middle (MITM) Attack

An attacker intercepts communication between a victim and a server, gaining access to the information being exchanged.

Rainbow Table Attack

An offline attack that uses a precomputed table of password hashes to quickly crack passwords by comparing captured password hashes with the table.

Privilege Escalation

An attacker gaining higher access privileges on a system, often exploiting vulnerabilities to gain administrative control.

Vertical Privilege Escalation

Gaining access to a higher level of privileges than the current user's, for example, going from a regular user to an administrator.

Horizontal Privilege Escalation

Gaining the same level of privileges but assuming the identity of another user with similar permissions.

Restrict Interactive Logons

Limiting direct user access to a system as a defence against privilege escalation.

Least Privilege Principle

Running users and applications with the minimum privileges necessary to perform their tasks, limiting potential damage if a system is compromised.

Study Notes

Malware Threats

  • Malware is malicious software that damages or disables systems, or gives its creator control over them for theft or fraud.
  • Examples include Trojan horses, viruses, backdoors, worms, rootkits, spyware, ransomware, botnets, adware, and crypters.

Malware Entry Points

  • Malware can enter systems via instant messenger applications (like IRC), removable devices, email attachments, malicious software disguised as legitimate software, browser/email bugs, NetBIOS (file-sharing), fake programs, untrusted websites/freeware, or downloads from internet sites.

Malware Distribution Techniques

  • Blackhat SEO: Ranking malware pages highly in search results.
  • Malvertising: Embedding malware in legitimate, high-traffic ad networks.
  • Spearphishing: Mimicking legitimate institutions to steal login credentials.
  • Compromised Websites: Hosting malware that spreads to visitors.
  • Drive-by Downloads: Exploiting browser flaws to install malware on web visits.

Trojan Horse Usage by Hackers

  • Trojans allow hackers to delete or replace critical system files.
  • They can disable firewalls and antivirus.
  • Trojans also generate fake traffic to create denial-of-service attacks (DoS).
  • Recording victim's screen activity, audio, and video is also possible.
  • Hackers use victim's PC for spamming and email blasting and malicious software downloads.
  • Information theft includes passwords, security codes, credit card data via keylogging.

Trojan Infections

  • Create a new Trojan packet via Trojan Horse Construction Kit.
  • Create a dropper to install malicious code on the target system.
  • Executable files or applications may be wrapped.
  • The Trojan is installed on the victim's machine by the wrapper.
  • The Trojan then propagates to other systems.
  • Execute the damage routine specified beforehand.

Wrappers

  • Bind a Trojan executable to an innocent-looking application (e.g., game, office app).
  • Install the Trojan in the background after the user runs the wrapped application.
  • Two programs can be wrapped into one file, creating confusion for users.
  • Attackers often send birthday greetings or other enticing elements inside the wrapped Trojan.

Command Shell Trojans

  • Provides remote control of a command shell on the victim's machine.
  • The Trojan server is installed, opening a port for the attacker's client to connect.
  • An attacker's client runs a command shell on the victim's machine to launch attacks.

Remote Access Trojans (RATs)

  • This Trojan allows complete remote desktop access.
  • Complete GUI control over the remote system is possible.
  • The attacker gains complete access once the reverse connection is established.
  • Typically employs a server.exe file to infect a system and establish a connection to the attacker.

Botnet Trojans

  • Infects numerous computers forming a botnet.
  • The botnet is controlled by a central command and control (C&C) server.
  • Botnets are used to launch attacks such as denial of service, spamming, click fraud, and financial data theft.

Evading Antivirus

  • Splitting the Trojan file into multiple pieces and zipping it.
  • Writing a customized Trojan and embedding it into an application.
  • Changing the Trojan's syntax (e.g., converting .EXE to VB script, changing extensions).
  • Modifying the Trojan's content using hex editors to change checksums and encrypt the file.
  • Avoid using Trojans downloaded from the web as antivirus can usually detect them.

Computer Viruses

  • Self-replicating programs that attach to other programs, boot sectors, or documents.
  • Common transmission methods include file downloads, infected media, and email attachments.
  • Virus characteristics include infecting other programs, altering data, corrupting files, transforming itself, encrypting itself, replicating itself.

Virus Life Cycle

  • Design: Virus code development.
  • Replication: Virus copies itself within the target system.
  • Launch: Triggered by user action.
  • Detection: Antivirus detects the virus.
  • Incorporation: Antivirus learns to fight against the virus and integrates defenses against it.
  • Elimination: Users remove the virus.

Reasons for Creating Viruses

  • Damage to competitors.
  • Financial gain.
  • Research projects.
  • Play pranks.
  • Vandalism.
  • Spreading political messages.
  • Cyber-terrorism.

Virus/Worm Infection

  • Acceptance of files that users downloaded without verifying the source.
  • Opening infected email attachments.
  • Installing pirated software.
  • Failure to update or install updated plug-ins.
  • Not having the latest antivirus application installed and running.

Encryption Viruses

  • Simple encryption encrypts code.
  • Different encryption keys for each infected file create detection challenges for antivirus software via signatures.

Computer Worms

  • Self-replicating programs but do not attach to other files.
  • Propagate via network connections independently.
  • Can spread quickly and consume network resources.
  • May include payload to damage the infected system.
  • Attackers create backdoors in infected computers to create zombie armies for further attacks.

Worm vs. Virus

  • Worms replicate independently, while viruses need hosts.
  • Worms leverage network features to spread; viruses usually attach to files.
  • Worms do not need to attach to other programs, whereas viruses often do.

Antivirus Sensor Systems

  • Detects and analyzes malicious threats (e.g., viruses, worms, Trojans).
  • Monitors network traffic, checking for malicious code.
  • Implements various detection mechanisms on different systems.

Detecting Trojans

  • Scan suspicious open ports.
  • Scan for suspicious startup programs.
  • Scan running processes.
  • Scan for suspicious files and folders.
  • Examine registry entries.
  • Monitor network activities.
  • Look for suspicious device drivers.
  • Check for suspicious Windows services.
  • Execute a Trojan scanner.

Trojan Countermeasures

  • Avoid opening email attachments from strangers.
  • Keep operating systems and applications updated.
  • Block unnecessary ports on firewalls.
  • Use strong and updated password practices.
  • Update virus detection software regularly.
  • Exercise caution when downloading and running applications.

Backdoor Countermeasures

  • Install and regularly update trusted antivirus products.
  • Educate users not to download or run programs from unknown sources.
  • Utilize robust antivirus tools to scan for and remove backdoors.


Related Documents

System Hacking PDF
Malware Threats - Module 06 PDF
Sniffing - Module 07 PDF
