ransomware
malware that encrypts a device's files, or steals them and threatens to leak them, and demands a ransom from the victim to restore access
crypto malware
type of ransomware that makes files inaccessible through encryption
trojan
What malware is described here? A user downloads malware disguised as legitimate software or an app. When the user runs it, it collects data and sends it to a remote command & control server. Think of a wooden horse with enemy soldiers hidden inside.
remote access trojan
A type of Trojan that, once installed, gives the attacker remote access to and control of the infected system. It is often disguised as legitimate software, including legitimate remote access tools. The acronym is RAT.
command & control
remote server attackers use to issue commands to infected systems. The infected device "calls home" to the server, which lets the attacker communicate with it and exfiltrate data from it. The initials are C&C (also written C2).
botnet
A network of infected devices, all under the control of an attacker's C&C server, that gives the attacker remote access to every one of them; an infected device may also spread the malware to other devices on its network. What is being described here? Think of zombies.
worm
malware that self-replicates and spreads from system to system and network to network without user interaction.
spyware
malware that secretly gathers information from a system. Think of what an intelligence operative at an intelligence agency does.
injection attacks against browsers
spyware IoC, akin to a spy placing eavesdropping devices in an office.
stalkerware
A type of spyware used to illegally spy on a romantic partner. Think of the individual who would do this; what are they called?
keylogger
malware that captures user keystrokes from a system. Usually done to steal credentials.
logic bomb
malicious code programmed to run only when certain conditions are met, such as a date and time or a user action. It stays dormant until that trigger occurs. Think of something that goes off when a timer reaches zero.
rootkit
Malware that gives an attacker privileged (root-level) access to a system and hides its presence by altering the compromised system's files, processes, or kernel components. It is often installed after an initial compromise, for example through a backdoor.
virus
malware that copies itself into other files or programs and spreads to other devices on the same network once a user runs the infected file. Compare it to the term for a type of sickness.
memory-resident virus
A type of virus that stays in a system's memory after its infected host file is run, so it can keep infecting other programs as they are loaded.
non-memory-resident virus
A type of virus that runs only when its infected host file is executed: it infects other files, then exits. It doesn't remain in a system's memory.
boot sector virus
A type of virus that hides in the boot sector of a hard drive or other storage device, so it activates and spreads when the device boots, before the operating system and its defenses are loaded.
macro virus
A type of virus that exploits the macro functionality of apps like word processors and spreadsheets to infect and spread. It commonly disguises itself as a legitimate macro.
boot sector
Part of a hard drive or other storage device that's the first to run when starting a device. Think of what cowboys wore on their feet.
macro
Feature of several apps, mostly word processors and spreadsheets, that allows users to automate repetitive tasks in those apps.
email virus
A type of virus that spreads through phishing emails or their attachments.
fileless virus
A type of virus delivered by a phishing email or malicious site that exploits vulnerabilities in web browsers, plug-ins, or other apps to run directly in a system's memory. It doesn't write malicious files to disk, which is why antimalware that only scans files can miss it.
boot sector, memory-resident, non-memory-resident, email, macro, and fileless
list the 6 types of viruses
An email virus requires that the user open a file attached to an email, while a fileless virus exploits vulnerabilities in a web browser, plug-in, or other app without downloading malicious files.
difference between an email virus and a fileless virus
worm: no user interaction; virus: user interaction
The difference between a worm and a virus. What does one need in order to run that the other does not?
backdoor
An access path, left behind during development or maintenance or planted by an attacker, that gives remote access to a system or network by bypassing its normal security controls. Think of maintenance workers leaving a door unlocked after they finish.
Communication between compromised systems and suspicious IP addresses or remote servers.
ransomware, trojan, and rootkit IoC, akin to a victim communicating with a stranger before being kidnapped or worse.
legitimate tools are used in irregular ways to maintain control of a system (often called living off the land).
A ransomware IoC where a legitimate encryption program is used to encrypt multiple files without the user's knowledge or consent.
lateral movement processes are used to gather information on and gain access to other systems in a network.
A ransomware IoC where the malware moves on to steal and encrypt files on different devices.
lateral movement process
The process attackers use during ransomware attacks to gain control of other systems on a network. Think of how desks with devices are arranged in an office: there's a desk in front of you, one behind you, and one to your side.
files are encrypted by someone other than the user. A message from the attacker tells the user the files will stay encrypted until a ransom is paid.
A ransomware IoC that's essentially the primary thing it does.
exfiltration of large volumes of data, with a threat to leak it until a ransom is paid.
A ransomware IoC that's akin to a kidnapper asking for ransom.
finding files and folders not created by a user in a system.
trojan IoC that's akin to Greek soldiers taking up positions in Troy after climbing out of the wooden horse, but in the digital realm.
An attacker gains remote access to a system, usually to gather information.
spyware IoC that's essentially its primary purpose.
Finding known software fingerprints (signatures of known spyware) in a system.
spyware IoC. A counterintelligence agent finds fingerprints belonging to a mole in their agency. Apply that to the digital realm.
Malicious processes disguise themselves as system processes.
spyware IoC, akin to a spy pretending to be a foreign aid worker to gain a public official's trust.
spyware
injection attacks against browsers are an IoC of which malware? Akin to a spy planting eavesdropping devices.
Finding known malicious files and additional components downloaded from remote systems.
worm IoC, akin to a worm leaving a mess all over your floor, but in the digital space.
compromised device is communicating with and under the control of a remote server.
worm IoC, compared to a criminal taking control of an office and communicating with others located at HQ.
System commands are used for injections and other malicious acts; evidence of a hands-on-keyboard attack.
worm IoC that involves remote control, but with commands typed by the attacker rather than automated code.
hands-on-keyboard attack
An attack where an attacker controls a system remotely in real time rather than through automated scripts. What do you call doing something rather than studying the theory, and what would an attacker use in this type of attack?
Finding known malicious file hashes and signatures.
keylogger and rootkit IoC, compared to finding evidence of a break-in, such as broken locks and a thief's calling card, but in the digital space.
data exfiltration sends data such as user input back to a remote C&C server.
keylogger IoC that's essentially its primary purpose.
phishing campaigns
How are ransomware attacks usually delivered? Hint: it involves a form of deceptive communication.
ransomware
Storing files in a backup system is a mitigation for what malware? In what situation can you benefit from having a backup of a file that can't be accessed?
security awareness training, antimalware, and EDR tools that can detect Trojan and RAT-like behaviors
3 ways to mitigate trojans. Think of training employees to identify impostors, and of guards inspecting a gift before letting it into a building. Now apply that to the digital realm.
spyware
what malware tracks user actions such as browsing activity and installed apps and reports back to a remote C&C server?
security awareness training, managing which apps may be installed, and anti-spyware (antimalware) tools.
what are three ways to mitigate spyware? Compare them to teachers telling students not to talk to strangers, airport security, and the job of a counterintelligence specialist, but in digital format.
security awareness training and antimalware that detects viruses in a system's memory, on disk, or during execution
two ways to mitigate viruses? Compare them to a professor teaching students about viruses and other diseases, and a police officer finding criminals hiding in two places or in the act of committing a crime.
ransomware: holds the device's files hostage until a ransom is paid. trojan: disguises itself as legitimate software. worm: self-spreading and self-installing without user interaction. spyware: collects user and system data. bloatware: unwanted software. virus: self-copies and spreads after user interaction. keylogger: captures keystrokes and other user actions. logic bomb: malicious code that executes under certain conditions. rootkit: sneaky malware that provides an attacker with hidden privileged access.
compare the types of malware. Think of kidnappers disguised as cops, a wooden horse full of enemy combatants, autonomy, underground bugs, the NSA, unsolicited products, COVID, reading someone's diary, something set to go off when a timer ends, and a sneaky thief hiding in your house.
the trigger is the condition that causes the virus to execute and the payload is the malicious action the virus carries out.
describe the trigger and payload functions of a virus. Compare them to the functions of a bomber plane or a soldier with a rocket launcher.
trojans, worms, and viruses
what malware is antimalware effective against? Think of a wooden horse, a bug that lives underground, and COVID.
trojans and worms
what two malware types are EDR tools effective against? Think of the wooden horse and the bug that lives underground.
trojans, spyware, and viruses
what 3 malware types are effectively handled through security awareness training? Think of a wooden horse, the NSA, and COVID.
discovering suspicious behaviors such as unwanted background services, unknown executables, and altered system configurations.
rootkit IoC, akin to a thief leaving evidence of a break-in, such as broken items, a surprise in the toilet, or leaving the fan on.
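The IoC cards above describe what to look for: communication with suspicious remote servers (ransomware, trojan, rootkit), malicious processes masquerading as system processes (spyware), many files encrypted by something other than the user (ransomware), and known malicious file hashes (keylogger, rootkit). The following is an added worked example, not part of the original study set, showing those four checks run over a small batch of constructed endpoint telemetry. Every event, hash, IP address (TEST-NET ranges), path and threshold in it is invented for illustration; the allowlist and system-binary table are assumptions a real deployment would populate from its own environment.

```python
"""Four IoC checks over constructed endpoint telemetry.

Added example: every event, hash, IP address and path below is invented
for illustration; the thresholds are starting points, not vendor defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intel feed. This is a placeholder value, not a real sample hash.
KNOWN_BAD_HASHES = {"0" * 60 + "beef"}

# Hosts the organisation expects endpoints to talk to (constructed).
ALLOWLIST = {"198.51.100.20"}

# System binary names and the only directory they should run from (Windows example).
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32"}


def _beacon(pid, dst, start, period, count):
    """Build `count` connections from pid to dst, `period` seconds apart."""
    return [{"ts": start + i * period, "type": "net", "pid": pid, "dst": dst} for i in range(count)]


# Constructed telemetry: a dropper (pid 4010) starts a fake svchost (pid 4020) that
# beacons every 60 s and then rewrites a dozen documents in about ten seconds.
# pid 3000 is a benign user program with irregular traffic and a few file writes.
EVENTS = (
    [{"ts": 0, "type": "file", "pid": 4010, "path": r"c:\users\ann\downloads\invoice.exe", "sha256": "0" * 60 + "beef"},
     {"ts": 5, "type": "process", "pid": 4020, "ppid": 4010, "image": r"c:\users\ann\appdata\roaming\svchost.exe"},
     {"ts": 6, "type": "process", "pid": 880, "ppid": 4, "image": r"c:\windows\system32\svchost.exe"}]
    + _beacon(4020, "203.0.113.7", 10, 60, 5)
    + [{"ts": t, "type": "net", "pid": 3000, "dst": "198.51.100.20"} for t in (3, 9, 40, 41, 95)]
    + [{"ts": t, "type": "net", "pid": 3000, "dst": "203.0.113.9"} for t in (400, 407, 430, 433)]
    + [{"ts": 300 + i, "type": "file", "pid": 4020, "path": rf"c:\users\ann\documents\report{i}.docx.locked", "sha256": None} for i in range(12)]
    + [{"ts": 310 + 30 * i, "type": "file", "pid": 3000, "path": rf"c:\users\ann\documents\draft{i}.docx", "sha256": None} for i in range(3)]
)


def known_hash_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """IoC: a file whose hash matches a known malicious signature."""
    return [e for e in events if e["type"] == "file" and e.get("sha256") in bad_hashes]


def masquerading_processes(events, system_binaries=SYSTEM_BINARIES):
    """IoC: a process using a system binary's name but running from the wrong directory."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        directory, _, name = e["image"].lower().rpartition("\\")
        expected = system_binaries.get(name)
        if expected and directory != expected:
            hits.append(e)
    return hits


def beaconing(events, allowlist, min_connections=4, max_jitter=0.15):
    """IoC: a (pid, destination) pair outside the allowlist that connects at near-regular intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["dst"] not in allowlist:
            by_pair[(e["pid"], e["dst"])].append(e["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low spread relative to the mean gap means a timer, not a human, is driving it.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            hits.append(pair)
    return hits


def mass_encryption(events, min_files=10, window=60):
    """IoC: one process rewriting at least `min_files` files within `window` seconds."""
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            by_pid[e["pid"]].append(e["ts"])
    hits = []
    for pid, times in by_pid.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_files:
                hits.append(pid)
                break
    return hits


def indicators(events):
    """Run every check and return the findings keyed by the IoC they correspond to."""
    return {
        "known_hash": [e["pid"] for e in known_hash_hits(events)],
        "masquerading": [e["pid"] for e in masquerading_processes(events)],
        "beaconing": beaconing(events, ALLOWLIST),
        "mass_encryption": mass_encryption(events),
    }


if __name__ == "__main__":
    for name, hits in indicators(EVENTS).items():
        print(f"{name:16} {hits}")
```

Each check on its own is noisy (a backup agent also writes many files quickly; an update client also polls on a timer), which is why the output is keyed by indicator: a process that trips several of them at once, as pid 4020 does here, is the one an analyst should look at first. Thresholds such as `max_jitter` and `min_files` are assumptions to tune against the environment's normal behavior.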