Security+ SY0-701 - Chapter 3

CompTIA Security+ Study Guide Exam SY0-701

36 Terms

1. Malware

Software intentionally designed to cause harm to systems and devices, networks, or users.

2. Ransomware

Malware that takes over a computer system and demands financial compensation.

3. Phishing Campaign

Delivery mechanism for a significant number of ransomware attacks.

4. Acronym: C&C

Command and Control

5. IoCs for Ransomware

  • C&C traffic and/or contact to known malicious IP addresses

  • Use of legitimate tools in abnormal ways to retain control of a compromised system

  • Lateral movement processes that seek to attack or gain information about other systems

  • Encryption of files

  • Notices to end users of the encryption process with demands for financial compensation

  • Data exfiltration, especially large file transfers

6. File Backup System

One of the most important defenses against ransomware.

7. Trojan

Malware disguised as legitimate software.

8. IoCs for Trojans

  • Signatures for specific malware applications or downloadable files

  • C&C hostnames and IP addresses

  • Folders or files created on target devices

9. Acronym: EDR

Endpoint Detection and Response

10. Mitigation Practices for Spyware and Trojans

  • User awareness training

  • Control of software allowed on devices and systems

  • Antimalware, EDR, and other such tools

11. Botnet

A collection of compromised systems that are remotely controlled and told what to do.

12. Worm

Malware that spreads itself without requiring user interaction.

13. IoCs for Worms

  • Known malicious files

  • Downloads of additional components from remote systems

  • C&C contact to remote systems

  • Malicious behaviors using system commands for injection and other activities

  • Hands-on keyboard attacker activity

14. Acronym: IPS

Intrusion Prevention System

15. Mitigation Practices for Worms

  • Firewalls, IPS devices, network segmentation

  • Patching and configuring services to limit the attack surface

  • Antimalware, EDR, and other such tools

  • Reinstallation or resetting to original firmware

16. Spyware

Malware designed to obtain information about an individual, organization, or system.

17. Stalkerware

A type of spyware used to illicitly monitor partners in relationships.

18. IoCs for Spyware

  • Remote-access and remote-control-related indicators

  • Known software file fingerprints

  • Malicious processes, often disguised as system processes

  • Injection attacks against browsers

19. Bloatware

Unwanted applications installed on systems by manufacturers.

20. Virus

Malware that self-copies and self-replicates once activated. Typically has a trigger and a payload.

21. Types of Viruses

  • Memory-resident

  • Non-memory-resident

  • Boot Sector

  • Macro

  • Email

  • Fileless

22. Memory-resident

A type of virus that remains in memory while the device is running.

23. Non-memory-resident

A type of virus that executes, spreads, and then shuts down.

24. Boot Sector

A type of virus that resides in the boot sector of a drive or storage media.

25. Macro

A type of virus that uses macros or code inside word processing software or other tools to spread.

26. Email

A type of virus that is spread via email, either as an attachment or as a small part of the email itself that exploits flaws in email clients.

27. Fileless

A type of memory-resident virus that spreads via spam email and malicious sites and exploits flaws in browser plug-ins and web browsers themselves.

28. IoC for Fileless Viruses

A registry entry that re-runs shellcode and repeats the download-and-execute step at boot.

29. Keylogger

A program designed to capture keystrokes from a keyboard or other inputs such as mouse movement, touchscreen inputs, or credit card swipes from attached devices.

30. IoCs for Keyloggers

  • File hashes and signatures

  • Exfiltration activity to command and control systems

  • Process names

  • Known reference URLs

31. Logic Bomb

Malware placed inside existing programs that will activate when certain conditions are met.

32. Malware Analysis Techniques

  • Online analysis tools such as VirusTotal

  • Sandbox tools in a protected environment

  • Manual code analysis, particularly with scripts and interpreted code such as Python and Perl

  • Tools like strings, used to look for recoverable artifacts

33. Acronym: MBR

Master Boot Record

34. Driver Hooking

The practice of intercepting or modifying the normal behavior of a driver by inserting a piece of code (called a "hook") that allows you to monitor or alter operations before they reach the underlying system.

35. Rootkit

Malware specifically designed to allow attackers to access a system through a backdoor. Concealment techniques include hooking file-system drivers and infecting start-up code in the MBR of a disk.

36. IoCs for Rootkits

  • File hashes and signatures

  • Command and control domains, IP addresses, and systems

  • Behavior-based identification, such as the creation of services or executables, configuration changes, file access, and command invocation

  • Opening ports or creation of reverse proxy tunnels