Understanding Malware Types

Questions and Answers

Which of the following is the primary function of spyware?

  • Delivering unwanted advertisements to the user's browser.
  • Gaining unauthorized access to a system by bypassing authentication.
  • Monitoring online activity and capturing sensitive data. (correct)
  • Encrypting user data and demanding a ransom for its release.

Adware always operates independently and never comes bundled with other forms of malware.

False (B)

What type of malware bypasses normal authentication procedures to gain unauthorized access to a system?

Backdoor

_________ is a type of malware designed to hold a computer system or the data it contains captive until a payment is made.

Ransomware

What is the main tactic employed by scareware to trick users?

Displaying operating system-style windows warning of system risks. (C)

A rootkit primarily aims to deliver advertisements to the user's web browser.

False (B)

What is the defining characteristic of a virus that differentiates it from other types of malware?

Self-replication

A ___________ carries out malicious operations by masking its true intent and often exploits user privileges.

Trojan horse

Which of the following characteristics primarily distinguishes a worm from a virus?

Worms replicate independently and spread across networks, while viruses require a host program. (C)

Increased CPU usage and slower device performance are not indicative of a malware infection.

False (B)

Name two common symptoms that might indicate a system is infected with malware.

Decreased web browsing speed and modified files

In a social engineering attack, _________ involves an attacker calling an individual and lying to them in an attempt to gain access to privileged data.

Pretexting

Which social engineering tactic involves an attacker quickly following an authorized person into a secure location?

Tailgating (C)

Denial-of-Service (DoS) attacks always require sophisticated hacking skills and are difficult to carry out.

False (B)

What is the primary goal of a Denial-of-Service (DoS) attack?

Interrupt network service

A ___________ occurs when a network, host, or application is sent an overwhelming amount of data that it cannot handle, causing it to crash.

Denial-of-Service

What is the key difference between a DoS attack and a DDoS attack?

A DDoS attack originates from multiple sources, while a DoS attack comes from a single source. (C)

In a botnet, infected hosts called 'zombies' are controlled by antivirus software to neutralize threats.

False (B)

What are infected computers in a botnet commonly called?

Zombies

A __________ is a group of bots connected through the Internet, often controlled through a command-and-control server.

Botnet

What is the primary purpose of an On-Path attack, also known as a 'man-in-the-middle' attack?

To intercept or modify communications between two devices. (C)

In a Man-In-The-Middle (MITM) attack, the attacker always requires physical access to the targeted devices.

False (B)

What type of attack involves taking control over a user's mobile device to exfiltrate sensitive information?

MitMo

__________ is a technique where attackers use search engine optimization to push malicious sites higher in search results.

SEO poisoning

What is the most common goal of SEO poisoning attacks?

To increase traffic to malicious sites. (C)

Password spraying involves trying a large number of passwords against a single user account.

False (B)

What is the primary goal of password spraying?

Avoiding account lockouts

A __________ attack systematically tries every word in a dictionary as a password to gain unauthorized access.

Dictionary

In what form are passwords stored in a computer system?

Hashed values (D)

Unlike brute-force attacks, rainbow attacks calculate each hash in real-time to find a password match.

False (B)

What is a primary risk of storing passwords in clear, readable text?

Interception

___________ involve multi-phase, long-term, stealthy, and advanced operations against a specific target.

Advanced Persistent Threats

Which of the following is a typical characteristic of Advanced Persistent Threats (APTs)?

They are typically well-funded and target organizations or nations for business or political reasons. (A)

Exploits refer specifically to hardware defects and not software vulnerabilities.

False (B)

What is the general term for any kind of software or hardware defect that can be exploited?

Security vulnerability

________ is a hardware exploit that involves repeatedly accessing a row of memory to cause electrical interferences and data corruption.

Rowhammer

What type of attack is enabled by the Meltdown and Spectre hardware vulnerabilities?

Side-channel attacks (D)

Hardware vulnerabilities are generally exploited through random compromising attempts, making them common in everyday malware attacks.

False (B)

What must you always verify the integrity of to avoid the SYNful knock vulnerability?

Downloaded IOS image

A _______ overflow vulnerability occurs when data is written beyond the limits of a buffer, potentially allowing access to memory allocated to other processes.

Buffer

Match the following attack types with their descriptions.

  • Non-validated Input = Program accepts malicious content.
  • Race Conditions = Output depends on timing or order of events.
  • Weakness in Security Policies = Using untested security algorithms.
  • Access Control Problems = Improper use of access controls.

What is the main goal of software updates?

To stay current and avoid exploitation of vulnerabilities. (C)

Which type of malware is designed to automatically display advertisements to a user, often within a web browser?

Adware (A)

A worm requires user interaction to spread from one computer to another, similar to a virus.

False (B)

What is the primary goal of SEO poisoning?

Increase traffic to malicious sites

A __________ attack occurs when a cybercriminal intercepts communication between two devices to steal information.

Man-in-the-middle

Match the following social engineering techniques with their descriptions:

  • Pretexting = Creating a false scenario to trick someone into divulging information.
  • Tailgating = Gaining unauthorized access to a secure area by following an authorized person.
  • Quid pro quo = Offering something in exchange for information or access.

Flashcards

What is Malware?

Malware is any code used to steal data, bypass access controls, or compromise a system.

What is Spyware?

Spyware monitors online activity, logs keystrokes, and captures data, including sensitive info.

What is Adware?

Adware delivers unwanted ads, often via web browsers, and may include spyware.

What is a Backdoor?

A backdoor bypasses normal authentication to gain unauthorized system access.


What is Ransomware?

Ransomware holds data or systems captive, usually by encrypting data, until a ransom is paid.


What is Scareware?

Scareware uses 'scare' tactics with fake warnings to trick users into running malicious programs.


What is a Rootkit?

A rootkit modifies the operating system to create a backdoor for remote access.


What is a Virus?

A virus replicates, attaches to executable files, and requires user interaction to activate.


What is a Trojan Horse?

A Trojan Horse carries out malicious operations while disguised as legitimate software.


What is a Worm?

A worm replicates to spread from one computer to another without user interaction.


Symptoms of Malware?

Increased CPU usage, freezing, slow browsing, and unknown files can indicate malware.


What is Social Engineering?

Social engineering manipulates people into divulging confidential information or performing certain actions.


What is Pretexting?

Pretexting involves an attacker lying to gain access to privileged data.


What is Tailgating?

Tailgating is when an attacker quickly follows someone into a secure location.


What is Quid Pro Quo?

Quid pro quo is when an attacker requests information in exchange for something of perceived value.


What is a DoS Attack?

DoS attacks interrupt network service by overwhelming it with traffic.


Overwhelming Quantity of Traffic

A type of DoS attack that sends an enormous amount of data to crash a system.


Maliciously Formatted Packets

A type of DoS attack that sends packets containing errors that overload a system.


What is a DDoS Attack?

A DDoS attack originates from multiple coordinated sources, creating a botnet of infected 'zombies'.


What is a Botnet?

A botnet is a network of infected computers controlled by an attacker to perform malicious tasks.


What is a Man-in-the-Middle (MITM) attack?

MITM attacks intercept communications between devices to steal information.


What is a MAN-IN-THE-MOBILE (MITMO) attack?

A variation of MITM used to take control over a user's mobile device. When infected, it allows attackers to quietly capture two-step verification SMS messages.


What is SEO Poisoning?

SEO poisoning manipulates search engine results to push malicious sites higher in rankings.


What is Password Spraying?

Password spraying tries common passwords on many accounts to avoid lockouts.


What is a Dictionary Attack?

A dictionary attack systematically tries words from a dictionary to guess passwords.


What are Brute-Force Attacks?

Brute-force attacks try all possible character combinations to crack a password.


What are Rainbow Attacks?

Rainbow attacks use precomputed hashes to find password matches.


What is Traffic Interception?

Traffic interception exposes unencrypted passwords readable by others.


What are Advanced Persistent Threats (APTs)?

APTs are multi-phase, long-term, stealthy attacks against specific targets.


Security Vulnerabilities and Exploits?

Security vulnerabilities are software or hardware defects. Exploits take advantage of them.

What are Rowhammer exploits?

Rowhammer exploits electrical interferences to corrupt data by repeatedly hammering a row of memory.


What are Meltdown and Spectre?

Meltdown and Spectre are hardware vulnerabilities that allow attackers to read all memory through side-channel attacks.

What is SYNful Knock?

SYNful Knock allowed attackers to control enterprise-grade routers by installing altered IOS versions.


What is Buffer Overflow?

Buffer overflows occur when data is written beyond the allocated memory limits, potentially leading to system compromise.


What is Non-Validated Input?

Non-validated input can contain malicious content designed to force programs to behave unexpectedly.


What are Race Conditions?

Race conditions occur when a program's output depends on the order or timing of events, which can create vulnerabilities.

What is a Weakness in Security Policies?

Weak security policies, such as using untested security algorithms, introduce new vulnerabilities; it is better to leverage tested and verified security techniques instead.

What are Access Control Problems?

Improper access control creates vulnerabilities. Access control dictates who can do what, and includes managing physical access to equipment.

Why Update Software?

Software updates are crucial to avoid exploitation of vulnerabilities.


What is Cryptocurrency?

Cryptocurrency is digital money using encryption for secure transactions, recorded in a blockchain.


What is Cryptojacking?

Cryptojacking is using a user's machine to mine cryptocurrencies without their consent.

Study Notes

Types of Malware

  • Cybercriminals use diverse malware to perform malicious actions.
  • Malware includes any code used to steal data, bypass access controls, compromise systems or cause harm.
  • Understanding malware types and how they spread is crucial for containment and removal.

Spyware

  • Spyware tracks online activity and logs keystrokes to capture various data, including sensitive information.
  • It modifies device security settings and is often bundled with legitimate software or Trojan horses.

Adware

  • Adware automatically delivers advertisements to users, often through web browsers.
  • It commonly comes with spyware.

Backdoor

  • Backdoor malware bypasses authentication procedures for unauthorized system access.
  • Hackers can remotely access resources and issue system commands.
  • Backdoors operate in the background and are hard to detect.

Ransomware

  • Ransomware holds a computer system or data captive until a payment is made, usually by encrypting the data.
  • It is spread via phishing emails or by exploiting software vulnerabilities.

Scareware

  • Scareware tricks users into specific actions using 'scare' tactics.
  • It uses operating system-style pop-up windows to warn of system risks and prompts the use of a specific program.
  • Executing the prompted program infects the system.

Rootkit

  • Rootkits modify the operating system to create backdoors for remote access.
  • They exploit vulnerabilities for privilege escalation and modify system files.
  • Rootkits modify system forensics and monitoring tools, making them hard to detect and often requiring a complete system wipe and software reinstall.

Virus

  • Viruses replicate and attach to executable files by inserting their code.
  • They need user interaction to activate and can be programmed to act on a specific date or time.
  • Viruses can vary from harmless to destructive, modifying or deleting data.
  • They can also mutate to evade detection and spread through USB drives, optical disks, network shares, or email.

Trojan Horse

  • Trojan horses perform malicious operations while disguised as legitimate software.
  • Unlike viruses, they don't self-replicate but trick users into installing malicious software.
  • Trojan horses are commonly hidden in image, audio, or game files and exploit the user's privileges.

Worms

  • Worms replicate to spread from one computer to another.
  • They do not require a host program or user participation, and spread quickly over networks.
  • They exploit system vulnerabilities, propagate themselves, and carry malicious code (payloads) to damage systems or networks.
  • In 2001, the Code Red worm infected over 300,000 servers in 19 hours.

Symptoms of Malware

  • Increased CPU usage slowing down your device
  • Computer freezing or crashing
  • Decreased web browsing speed
  • Unexplained network connection problems
  • Modified or deleted files
  • Presence of unknown files, programs, or desktop icons
  • Unknown processes running
  • Programs turning off or reconfiguring
  • Emails sending without user knowledge or consent

Social Engineering

  • Social engineering manipulates people into divulging confidential information or performing certain actions.
  • Social engineers exploit the helpfulness or weaknesses of individuals.

Pretexting

  • Pretexting involves an attacker lying to an individual to gain access to privileged data.
  • Impersonating someone in need of personal or financial data to confirm identity.

Tailgating

  • Tailgating involves an attacker quickly following an authorized person into a secure location.

Quid pro quo

  • Quid pro quo is when attackers request personal information in exchange for something, such as a free gift.

Denial of Service (DoS) Attacks

  • DoS attacks interrupt network services to users, devices, or applications.
  • They are relatively simple to execute, even by unskilled attackers.

Overwhelming traffic

  • An overwhelming quantity of traffic involves sending an unmanageable amount of data to a network, host, or application.
  • This leads to slowdowns or crashes.

Maliciously formatted packets

  • Maliciously formatted packets involve sending packets with errors or improper formatting over a network.
  • The receiving device can't handle these packets, resulting in slow performance or crashes.

Distributed DoS (DDoS) Attacks

  • DDoS attacks originate from multiple coordinated sources and are similar to DoS attacks.
  • An attacker builds a botnet of infected hosts (zombies) controlled by handler systems, which scan and infect more hosts.
  • The hacker instructs handler systems to use the botnet for a DDoS attack.

Botnets

  • Botnets consist of computers infected by visiting unsafe websites or by opening infected attachments or media files.
  • A botnet is controlled by a command-and-control (C&C) server.
  • Cybercriminals use botnets for activities like distributing malware, launching DDoS attacks, distributing spam, or brute-force password attacks.
  • Cybercriminals rent botnets to third parties for nefarious purposes.
  • Organizations use botnet traffic filters to identify botnet locations.
  • Infected bots attempt to communicate with a C&C host, and Cisco firewall filters detect this traffic from infected devices.
  • The cloud-based Cisco Security Intelligence Operations (SIO) pushes updated filters down to firewalls as new botnets are identified.
  • Cisco's security team is alerted to infected devices so it can mitigate the threat.

On-Path Attacks

  • On-path attackers intercept or modify communications between devices to collect information or to impersonate one of the parties.
  • Also called man-in-the-middle (MitM) or man-in-the-mobile attacks.

Man-in-the-Middle (MitM)

  • MitM attacks involve a cybercriminal taking control of a device without user knowledge to intercept and capture user information.
  • Often used to steal financial information.

Man-in-the-Mobile (MitMo)

  • A variation of MitM, targeting mobile devices to exfiltrate user-sensitive information.
  • Ex: ZeuS malware captures two-step verification SMS messages.

SEO Poisoning

  • Search engine optimization (SEO) refers to techniques that improve a website's visibility in search engine results.
  • Attackers use SEO to promote malicious sites; this is called SEO poisoning.
  • The goal of SEO poisoning is to increase traffic to sites hosting malware or attempting social engineering.

Password Spraying

  • Attacker tries common passwords across many accounts to avoid lockouts.

Dictionary Attacks

  • Hacker systematically tries words from a dictionary as passwords.

Brute-Force Attacks

  • Tries all possible character combinations.

Rainbow Table Attacks

  • Uses precomputed hashes to crack passwords.
  • Unlike a brute-force attack, a rainbow table attack compares a captured password hash against the precomputed hashes stored in the table rather than calculating each hash in real time.

Traffic Interception

  • Intercepting unencrypted passwords in communications.

Advanced Persistent Threats (APTs)

  • APTs are long-term, stealthy, multi-phase operations.
  • Individual attackers usually lack resources to perform APTs.
  • APTs are well-funded, targeting organizations or nations for business or political reasons, where the primary goal is to deploy customized malware and remain undetected.

Security Vulnerabilities and Exploits

  • Security vulnerabilities: software or hardware defects.
  • Exploits: programs written to take advantage of vulnerabilities.
  • Attacks: cybercriminals use exploits to carry out attacks to gain access to a system.

Hardware Vulnerabilities

  • Hardware vulnerabilities often result from hardware design flaws.
  • Rowhammer is an exploit that triggers electrical interference by repeatedly accessing a row of memory, corrupting data in RAM.

Meltdown and Spectre

  • Meltdown and Spectre are hardware vulnerabilities affecting CPUs released since 1995, allowing attackers to read all memory.
  • Exploits of these vulnerabilities are side-channel attacks capable of compromising large amounts of memory data.
  • Traditional malware protection and physical security are sufficient protection for the everyday user.

Software Vulnerabilities

  • Software vulnerabilities are usually introduced by errors in the operating system or application code.
  • The SYNful Knock vulnerability found in Cisco IOS allowed attackers to control enterprise-grade routers through altered IOS versions.
  • Mitigations include verifying the integrity of downloaded IOS images and limiting physical access to trusted personnel.

Buffer Overflow

  • A vulnerability that occurs when data is written beyond the limits of a buffer; it can lead to a system crash, data compromise, or privilege escalation.

Non-Validated Input

  • Incoming data with malicious content that causes a program to behave unexpectedly.

Race Conditions

  • A race condition exists when the output of an event depends on the order or timing of other events; this dependency can be used to create a vulnerability.

Weakness in Security Policies

  • Using tested and verified coding algorithms for security is best practice, rather than creating your own which could introduce vulnerabilities.

Access Control Problems

  • Access control is how you manage who accesses a system.
  • Many vulnerabilities are created by improper use of access controls.
  • Physical access restrictions and data encryption help protect against compromised equipment.
