What is malware?
Software that has been designed for some nefarious (malicious) purpose
What does the acronym MALWARE stand for?
MALicious softWARE
What are the two general reasons a computer system is attacked?
It is specifically targeted by an attacker, or it is a target of opportunity
What is a targeted attack?
An attack chosen based on the attacker's motivation, often for political reasons, and not reliant on the target's specific hardware/software
What is a target of opportunity attack?
An attack on systems that have hardware or software vulnerable to a specific exploit; less difficult and time-consuming than targeted attacks
What are three steps to minimize possible attacks?
Ensure all OS and application patches are installed, limit running services, and limit public disclosure of private information about your organization
Why is patching vulnerabilities important?
It closes the point of entry for most malware
What is ransomware?
A form of malware that performs some action and extracts a ransom from the user
What is a Trojan horse?
A piece of software that appears to do one thing but hides some other (malicious) functionality
What is a worm?
A piece of code that attempts to penetrate networks and computer systems
What is a virus?
A piece of malicious code that replicates by attaching itself to another piece of executable code
What are the three main types of viruses?
Boot sector virus, program virus, and macro virus
What is a boot sector virus?
A virus that infects the boot sector of a storage device
What is a program virus?
A virus that attaches itself to executable program files
What is a macro virus?
A virus that is embedded in a document macro and executes when the document is opened
What is fileless malware?
Malware that operates in memory without writing files to disk, making it harder to detect
What is polymorphic malware?
Malware that constantly changes its identifiable features, such as file names, encryption keys, or signatures, to evade detection by traditional signature-based antivirus tools
What is multipartite malware?
Malware that infects multiple parts of a system simultaneously, typically combining boot-sector and file-system infections by targeting both the MBR and executable files
What is a Potentially Unwanted Program (PUP)?
A designation used by security companies and antivirus vendors to identify programs that may have adverse effects on a computer's security or privacy
What is a botnet?
A collection of compromised machines (zombies) that have malware agents installed by hackers
What is a zombie in the context of botnets?
A machine that has had a malware agent installed by a hacker and is part of a botnet
What is crypto-malware?
Malware that uses a system's resources to mine cryptocurrency; considered a theft-of-services attack
What makes crypto-malware a theft-of-services attack?
The attacker uses the CPU cycles of someone else's computer to perform cryptocurrency mining
What is a logic bomb?
Malicious software that is deliberately installed (generally by an authorized user), which sits dormant until some triggering event invokes its malicious payload
What is spyware?
Software that spies on users, recording and reporting on their activities, typically installed without user knowledge
What is adware?
Software that is supported by advertising; can come in many different forms
What is a keylogger?
A piece of software that logs all the keystrokes a user enters
What two conditions make a keylogger malicious?
(1) Its operation is unknown to the user, and (2) it is not under the user's control
What is a Remote-Access Trojan (RAT)?
A toolkit designed to provide covert surveillance capability and/or unauthorized access to a target system; often mimics keyloggers and packet sniffers
What is a rootkit?
A form of malware specifically designed to modify the operation of the operating system to facilitate nonstandard functionality
What is a backdoor/trapdoor in the context of malware?
Programs that attackers install after gaining unauthorized access to a system to ensure continued unrestricted access, even if the initial access method is discovered and blocked
What are best practices for defending against malware?
Use an antivirus/anti-malware program, keep software up to date, and track all software and vendor updates across the enterprise
What is the primary purpose of the Strings tool in malware analysis?
To find human-readable strings in binary files that may include API names and DLL files
What types of information can strings in a binary reveal?
API/function names, DLL names, fully qualified domain names (FQDNs), and IP addresses
What does it mean when a binary is packed?
The binary is obfuscated/compressed to hide its strings from malware analysts
What are the two functions that a packed binary must at least have?
LoadLibraryA and GetProcAddress (to find functions in memory at runtime)
What is UPX?
Ultimate Packer for eXecutables; an open-source packer that can compress/obfuscate binaries across multiple file formats and operating systems
How do you unpack a UPX-compressed binary from the command line?
Use the command: upx -o
What does the -n option do in the Strings tool?
Specifies the minimum string length; e.g.
What does the -o option do in the Strings tool?
Displays the offset in the file where each string was located
What is PEview used for in malware analysis?
To examine the PE (Portable Executable) file structure and detect embedded binaries within a file
What does PE stand for in the context of Windows executables?
Portable Executable
What are common sections in the PE file format?
`.text` (code), `.rdata` (read-only global data/imports/exports), `.data` (global data), `.rsrc` (resources), `.reloc` (relocation info)
What is the .rsrc section in a PE file?
The section containing resources the binary needs; can also harbor embedded binaries
What is the MZ header?
The first two ASCII characters (MZ / hex 4D 5A) found at the start of a PE file; indicates it is a Windows executable
What tool is used to extract an embedded binary from a PE file's resources?
Resource Hacker
What is the significance of seeing an MZ header inside a .rsrc section in PEview?
It indicates that another PE (executable) file is embedded within the binary
What does an FQDN stand for and what is it?
Fully Qualified Domain Name; a complete domain name that specifies its exact location in the DNS hierarchy (e.g.
What is the significance of finding an FQDN or IP address in a binary's strings?
It may indicate the malware communicates with a remote server (e.g.
What does it mean to form a hypothesis during malware string analysis?
To make an educated guess about the malware's behavior and purpose based on visible strings before deeper analysis
What is the significance of very few meaningful strings in a binary?
It is highly indicative that the binary is packed or obfuscated
What are APIs in the context of malware analysis?
Application Programming Interfaces: functions provided by DLLs that binaries call to perform operations; visible strings can reveal malware behavior
What is a virus hoax?
A false warning spread about a nonexistent or exaggerated virus threat
What is the best general security practice to avoid virus infection?
Always be cautious about executing programs or opening documents sent to you
What does it mean when functions from ws2_32.dll are called by ordinal rather than name?
It is a form of obfuscation to hide the use of Winsock (network) functions from string analysis