A comprehensive set of Q&A flashcards covering malware concepts, virus/worm differences, virus types, notable outbreaks, Trojan horses, buffer-overflow attacks, spyware, ransomware, IoT threats, defense strategies, and related topics from the Chapter 5 notes.
What is the defining hallmark of a computer virus as described in this chapter?
Self-replication and rapid spread.
How does a computer worm differ from a virus according to the notes?
A worm propagates without human intervention.
Name three famous viruses mentioned in the chapter introduction.
WannaCry, Pegasus, and Titanium.
What makes WannaCry notable besides its rapid spread?
There was a patch available weeks earlier, and it had a built-in kill switch that was triggered by registering a domain.
Who is credited with discovering the WannaCry kill switch?
Marcus Hutchins.
What is the Titanium malware described in the notes?
A backdoor APT that installs in multiple stages, often hidden in a carrier image like a PNG and capable of stealing files and receiving commands from a remote server.
What is Black Basta and why is it notable?
A ransomware first discovered in April 2022 with Linux and Windows variants that disables Windows Defender and encrypts data after stealing it, then demands ransom.
Describe the Petya outbreak.
Petya infected Windows machines through the boot sector, encrypted the file system, and demanded payment in Bitcoin.
What did Shamoon do in its notable attacks?
Acted as spyware but deleted files after uploading them to the attacker, notably against Saudi Aramco.
What is Rombertik known for?
It uses a browser to read user credentials and can overwrite the master boot record or encrypt files in the home directory; often delivered as an email attachment.
What is Gameover ZeuS?
A peer-to-peer botnet that established encrypted communications with a command-and-control computer; Evgeniy Bogachev was sought, with a DoJ/FBI reward offered.
What are CryptoLocker and CryptoWall?
Ransomware families using encryption; CryptoWall added data theft and screenshots; CryptoLocker appeared in 2013, CryptoWall in 2014.
What was Mirai?
IoT malware that infected Linux devices to form a botnet used for distributed denial of service (DDoS) attacks in 2016.
What was notable about the Atlanta ransomware attack in 2018?
Used the SamSam ransomware via brute-force password guessing; exposed security vulnerabilities; two Iranian hackers indicted.
What is Mindware in the context of ransomware?
A 2022 ransomware that targeted nonprofit mental health providers and stole data; payloads are configured per target.
What is Thanatos and how does it operate?
Ransomware first seen in 2018; encrypts files and places a readme.txt; keys are held on a remote server; decryption is often not provided even if the ransom is paid.
What is Clop ransomware and what makes it notable?
Variant of CryptoMix; appeared in 2019 and spread widely in 2021; encrypts files and blocks about 600 Windows processes; operates as ransomware as a service; high payouts.
What are FakeAV and MacDefender?
Scareware that simulates antivirus warnings to trick users into downloading malware; MacDefender targeted Mac users.
What is Kedi RAT?
A 2017 phishing-based remote access trojan that steals data and exfiltrates via Gmail.
What is Sobig and why is it significant?
Sobig (2003) used multimodal spreading via email and shared drives; caused heavy traffic and printing problems; variants could modify Windows Registry.
What is the Morris Internet Worm and its significance?
1988 worm by Robert Morris Jr. intended to reveal bugs; infected ~6000 UNIX machines; led to the creation of CERT.
What is Flame and why is it important?
Spyware discovered in 2012 designed for espionage; can monitor traffic and take screenshots; targeted Windows; linked to government interests.
What are Trojan horses and how are they used?
Programs that look harmless but perform malicious actions; can download malware, install spyware, delete files, or open backdoors; Back Orifice is an early example.
What is Sasser and how does it spread?
A worm exploiting an LSASS.EXE buffer overflow in Windows; scans random IPs on port 1068; uses FTP on port 5554 and a remote shell on port 9996; causes reboots; mitigated by patching and port blocking.
What is Pegasus spyware?
Mobile spyware first seen in 2016 with 2022 variants; tracks calls/locations, reads messages, collects passwords; originally developed for the Israeli government.
How do antivirus programs detect malware?
By signature matching or by analyzing behavior; must be kept up to date; many products offer phishing protection and spyware detection; the notes recommend using two different vendors for host and network protection.
What are logic bombs and a notable example?
Malware that executes when a specific date/time or condition is met; the 2006 UBS/Duronio case is a notable example; the notes emphasize deactivating former employees’ access.
What is a rootkit?
A set of tools to mask an intrusion and obtain administrator-level access; can monitor traffic/keystrokes, create backdoors, alter log files, and attack other machines.
What is malicious web-based code?
Code delivered via websites or web content (HTML, Java, ActiveX, JavaScript) that can infect across operating systems; spreads through scripting languages and web technologies.
What are APTs and provide an example from the notes?
Advanced persistent threats are continuous, sophisticated attacks; e.g., APT1, attributed to Unit 61398, compromised 141 companies, maintained access for around 365 days on average, and stole terabytes of data.
What are deep fakes and how are they discussed in the chapter?
Not malware per se but a growing threat; deepfakes use ML/GANs; 5G and cloud enable real-time manipulation for videos and conferencing.
What is the role of machine learning in malware and defense?
ML is used on the attack side as well as for defense; static malware detection is evolving with deep learning; references include Panda Security, ZDNet, and arXiv work.
What are some basic rules to avoid virus infections?
Use a reputable antivirus (McAfee, Norton, Kaspersky, AVG, Malwarebytes); don’t open unknown attachments; verify security alerts; consider using a VM for risky browsing.
What is the difference between virus and worm definitions as discussed in the notes?
The author defines a virus as any self-replicating file, while a worm is a program that propagates without human interference; some call MyDoom a worm, but definitions vary.
What is a buffer-overflow attack and why is it dangerous?
Occurs when more data is written to a buffer than it can hold; requires programming knowledge and an understanding of the target; can allow malicious code to run or crash the system; modern systems are less vulnerable, but custom apps may still be.