Week 8: Malware and Attack Vectors

Cards (71)

  • Malicious software/Malware
    Any program that carries out actions that the computer user does not intend, often with the goal of causing harm to a system, data, or reputation.
  • Virus
    an executable program that attaches itself to, or infects, other executable programs and then replicates to infect other programs
  • Some viruses also perform destructive activities after they replicate. These types of viruses are made up of executable instructions that infect and replicate, called the virus operational segment, and the executable instructions that carry out its intent, called the payload.
  • virus operational segment
    executable instructions that infect and replicate
  • payload
    executable instructions that carry out a virus's intent
  • Not all viruses carry a payload that inflicts harm; some are just annoying or focus on replicating. Other viruses hide their payload and install a backdoor. A backdoor is a hidden way to bypass access controls and allow access to a system or resource. Therefore, the victim may not notice the virus or may not immediately notice its damage.
  • three primary types of viruses
    system infectors, file infectors, and data infectors
  • system infectors
    viruses that target computer and device hardware and software startup functions
  • file infectors
    viruses that attack and modify executable programs (such as COM, EXE, SYS, and DLL files in Microsoft Windows)
  • macro/data file infectors
    viruses that attack document files containing embedded macro programming capabilities
  • Rootkit
    Malware that modifies or replaces programs to hide the fact that the computer has been compromised; concealing presence
  • Ransomware
    attempts to generate funds directly from a computer user; limits the user’s ability to access important stored data
  • Worms
    self-contained programs designed to propagate from one host to another without human intervention; do not require host programs to survive and replicate
  • Spam
    any noise or other excessive communication that overwhelms the main message
  • Trojans
    any program that masquerades as a useful program while hiding its malicious intent
  • Logic bombs
    a program that executes a malicious function of some kind when it detects certain conditions
  • active content
    refers to components, primarily on websites, that provide functionality to interact with users; these components include any dynamic objects that do something when the user opens the webpage
  • Spyware
    unsolicited background process that installs itself on a user’s computer and collects information about the user’s browsing habits and website activities
  • Adware
    software that triggers such nuisances as popup ads and banners on certain websites
  • web defacement/web graffiti
    someone gaining unauthorized access to a web server and altering the index page of a site on the server
  • smurf attack
    attackers direct forged Internet Control Message Protocol (ICMP) echo request packets to IP broadcast addresses from remote locations to generate DoS attacks
  • injection action
    malicious software provides deliberately invalid input to some other software, the purpose of which is to cause an error condition and, hopefully, some state that allows an attack to occur
  • Moderately skilled attackers generally perpetrate unstructured attacks against network resources. Often, the initial intent of the attacker is simply personal gratification—the thrill of the challenge and claim of prestige—of gaining illegal access.
  • Structured attacks
    • conducted by highly motivated and skilled attackers
    • complex tools and focused efforts
    • sophisticated techniques to carry out malicious activities
    • motivated by money, anger, destruction, or politics
    • can inflict serious damage
  • Direct attacks
    • against specific targets
    • can target organizations or classes (networks using certain hardware, OS versions, or services)
    • can be structured or unstructured
    • occur in real-time
  • Indirect attacks
    • result of preprogrammed hostile code exploits (e.g., worms or viruses)
    • indiscriminate; propagate rapidly and widely
    • goal of direct attack against a specific target may be to establish an indirect attack against a wide population
  • Phases of an attack:
    1. Reconnaissance and probing
    2. Gaining access
    3. Maintaining access
    4. Covering your tracks
  • Incident Detection Tools and Techniques
    • Antivirus scanning software
    • Network monitors and analyzers
    • Content/context filtering and logging software
    • Honeypots and honeynets
  • Attack Prevention Tools and Techniques
    • Application defenses
    • Operating system defenses
    • Network infrastructure defenses
  • The most prevalent types of system infectors are boot device Master Boot Record infectors, which travel primarily through media exchange.
  • A Master Boot Record infector...
    moves or destroys the original Master Boot Record of a boot device, replacing it with viral code, after which it can gain control from the bootstrap program and perform its hostile mission
  • Both types of boot record infectors commonly load instructions that can bypass the ROM-based system services. Loading at this level allows the virus to intercept all normal application and operating system hardware requests, which include functions such as opening and closing files and file directory services. This type of virus can also execute other types of malicious code routines and cover its own tracks. A virus with this dual-action capability is called a multipartite virus.
  • File infector viruses exhibit the classic “replicate and attach” behavior. They attach themselves to the original program file, where they control the execution of that file until it can replicate and infect other files and possibly deliver a payload.
  • Malware developers write and compile many of these viruses using high-level languages. C and C++ languages are common choices because of their ability to provide the power and flexibility viruses need to be successful along with easy access to the underlying hardware. In contrast, they often use assembly language to write boot record infectors.
  • Because of the wide acceptance and popularity of Microsoft Windows–based operating systems, most well-known file infectors target those systems. They typically attack program files with .com or .exe file extensions.
  • One type of file infector, a companion virus, is really a separate program file that does not attach itself to the original host program. Instead, it...
    creates a new program with a matching filename but with an extension that executes earlier than the original; when the user runs the program, the operating system calls the malware instead of the legitimate program.
  • Macro viruses
    Infect document files and insert their own commands so that, when users share the infected document with other users, the malware spreads and replicates.
  • email bomb
    a form of malicious macro attack, which typically involves an email attachment that contains macros designed to inflict maximum damage; anyone who receives the email bomb need only open the attachment, and, in some cases, simply preview the email message to activate it
  • A global macro pool infection attacks...
    commonly shared documents
  • Polymorphic viruses
    include a separate encryption engine that stores the payload in encrypted format while duplicating the body of the virus; this exposes only the decryption routine for possible detection. The operational segment of the virus is embedded in the decryption routine, which seizes control of the target system and decrypts the payload of the virus so that it can execute.