CompTIA® Security+ Exam Notes : Given a scenario, analyze and determine the type of malware

1. Threats, Attacks and Vulnerabilities

1.1 Given a scenario, analyze and determine the type of malware

Viruses, worms, and Trojan horses are all malicious programs. They differ in how they infect a computer and how they spread across systems and networks.

Virus: A computer virus attaches itself to a program or file so that it can spread from one computer to another. Most viruses are attached to an executable file, and a virus cannot infect your computer unless you run or open the infected program. Note that a virus usually cannot spread without a human action (such as running an infected program) to keep it going.

Worm: Worms also spread from computer to computer, but unlike a virus, a worm can travel without any help from a person, typically by reaching other hosts over the network on its own. The danger with a worm is its ability to replicate itself: whereas a virus passes on a single infection at a time, a worm can send out hundreds or thousands of copies of itself, with a devastating effect on the network.

Trojan Horse: A Trojan horse appears at first glance to be useful software but actually does damage once it is installed or run on your computer. Those on the receiving end are usually tricked into opening it because it appears to be legitimate software or a legitimate file from a trusted source.

Rootkit: A rootkit is a collection of tools that gives an attacker administrator-level (root) access to a computer while hiding its own presence from the operating system and from security tools. Typically, an attacker installs a rootkit after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once installed, the rootkit lets the attacker keep root access to the computer and possibly reach other machines on the network. A rootkit may include spyware and other programs that monitor traffic, keystrokes, etc., together with a "backdoor" into the system.

Backdoor: A backdoor is a program, or a path built into a program, that allows access to a system without the usual security checks, through an entrance of which the legitimate user is typically not aware. It lets an attacker bypass access controls, gain unauthorized access, and possibly take remote control of the system. Once a backdoor is in place, the attacker can steal or damage information or bring in further tools to escalate the attack, and the backdoor can be used to get around the security of the whole network. Backdoors are either planted by malware (such as the programs below) or left in software through poor programming practices, for example hard-coded credentials or an undocumented maintenance account.

The following are well-known backdoor programs:

1. Back Orifice: A remote administration program used to control a computer system remotely.

2. NetBus: Also a remote administration program that controls a victim's computer over the Internet. It uses a client-server architecture: the server component resides on the victim's computer and the client on the attacker's computer, and the attacker controls the victim's machine through the client.

3. Sub7: Sub7 (also SubSeven or Sub7Server) is a popular backdoor program similar to Back Orifice and NetBus, used to take control of a victim's computer over the Internet. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" for "seven".
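All three programs above work the same way on the victim: a server component listens on a port and waits for the attacker's client. A first practical check is therefore to audit the listening sockets on a host. The Python script below is an added example, not part of the original notes: it parses `netstat -an` style output, flags listeners on the well-known historical default ports of Back Orifice (UDP 31337), NetBus (TCP 12345/12346) and Sub7 (TCP 27374, and 1243 in older versions), and separately reports any other listener that is not on an allowlist of expected services. The port table is drawn from public documentation of those tools rather than from the notes, and the allowlist and the netstat text are constructed for the example.

```python
# Default listening ports of the classic backdoors named in the notes. These are
# well-known historical defaults (assumed here, not listed in the notes); real
# deployments were often reconfigured, so a miss on this table proves nothing.
KNOWN_BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice",
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
    ("tcp", 27374): "Sub7",
    ("tcp", 1243): "Sub7 (older versions)",
}

# Listeners this (hypothetical) host is expected to have; anything else gets reviewed.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Constructed sample in `netstat -an` layout (not real output from any host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp6       0      0 :::27374                :::*                    LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:31337           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
tcp        0      0 192.168.1.10:45210      203.0.113.5:443         ESTABLISHED
"""


def parse_listeners(netstat_text: str):
    """Yield (proto, port) for every listening socket in netstat -an output.

    TCP sockets count only in LISTEN state; UDP sockets have no state and are
    treated as listening whenever they are bound. IPv6 rows (tcp6/udp6) are
    folded into their IPv4 protocol name so the lookup tables stay small.
    """
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header line or something that is not a socket row
        proto = fields[0].rstrip("6")
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # established/outbound TCP connections are not listeners
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::27374
        yield proto, port


def audit_listeners(netstat_text: str):
    """Split listeners into known backdoor hits and unexpected-but-unknown ports."""
    known_bad, unexpected = {}, set()
    for proto, port in parse_listeners(netstat_text):
        if (proto, port) in KNOWN_BACKDOOR_PORTS:
            known_bad[(proto, port)] = KNOWN_BACKDOOR_PORTS[(proto, port)]
        elif (proto, port) not in EXPECTED_LISTENERS:
            unexpected.add((proto, port))
    return known_bad, unexpected


if __name__ == "__main__":
    bad, odd = audit_listeners(SAMPLE_NETSTAT)
    for (proto, port), name in sorted(bad.items()):
        print(f"KNOWN BACKDOOR PORT  {proto}/{port}  ({name})")
    for proto, port in sorted(odd):
        print(f"UNEXPECTED LISTENER  {proto}/{port}  (review)")
```

The two tiers matter in practice: the port table gives a high-confidence hit only when the attacker kept the defaults, so the allowlist comparison is what catches a backdoor that was moved to another port. Neither check sees a listener that a rootkit hides from netstat itself; for that, compare the host's own view against an external port scan.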

Ransomware: Ransomware is malicious software that, once it has taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising (not always truthfully) to restore access to the data upon payment.

Crypto-malware: A type of ransomware that encrypts the user's files and demands a ransom for the decryption key. Sophisticated crypto-malware uses strong encryption with a unique key per victim, so the files cannot be decrypted without that key.
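Because properly encrypted files are indistinguishable from random bytes, one common host-side heuristic for spotting crypto-malware in action is to watch for files whose content suddenly has near-maximal entropy. The Python below is an added example, not code from the original notes: it computes Shannon entropy per file and flags anything above a threshold. The threshold (7.5 bits per byte) is an assumed tuning value, and the "encrypted" sample is a deterministic SHA-256 chain standing in for real ciphertext so the example runs offline; both sample files are constructed.

```python
import hashlib
import math
from collections import Counter

# Shannon entropy in bits per byte: plaintext documents usually score roughly
# 4 to 6, while compressed or encrypted data approaches the 8.0 maximum.
ENTROPY_THRESHOLD = 7.5  # assumed tuning value, not taken from the notes


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(size: int, seed: bytes = b"demo-key") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file.

    Real crypto-malware output looks like uniformly random bytes; a SHA-256
    chain reproduces that statistical property without using a real cipher,
    which keeps the example reproducible and offline (constructed sample).
    """
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Flag content whose entropy is close to random, as encrypted files are."""
    return shannon_entropy(data) >= threshold


# Constructed sample "files": a plaintext report and an encrypted-looking copy.
SAMPLE_FILES = {
    "quarterly_report.txt": b"Quarterly revenue rose 4% on stronger services demand. " * 60,
    "quarterly_report.txt.locked": pseudo_ciphertext(3000),
}


def scan(files: dict) -> dict:
    """Return {filename: entropy} for every file that looks encrypted."""
    return {name: round(shannon_entropy(data), 2)
            for name, data in files.items() if looks_encrypted(data)}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name}: {shannon_entropy(data):.2f} bits/byte")
    print("suspicious:", scan(SAMPLE_FILES))
```

Entropy alone produces false positives on legitimately high-entropy files (zip archives, JPEGs, already-encrypted containers), so real detectors combine it with signals the passage above implies: a burst of files being rewritten with a new extension, a ransom note appearing in each directory, or a canary file changing.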

Adware: Software that automatically displays or downloads advertisements when it is used.

Bots: A bot is a control program that, once it has infected a computer, lets an attacker exploit that computer to mount attacks; the term is also used for the set of computers so infected.

Zombies: A zombie is a computer that malware has placed under the control of a hacker. Hackers use zombies to launch DoS or DDoS attacks. The hacker infects a number of computers and sends commands to the zombie, which in a tiered setup relays them to further slave computers. The zombie and the slave computers then push an enormous amount of useless traffic at the target computer, making it unable to serve its legitimate purpose. This type of attack, coming from many compromised sources at once, is known as a DDoS attack.

A computer under the control of an intruder is known as a zombie or bot. A group of such co-opted computers is known as a botnet or a zombie army. Both Kaspersky Lab and Symantec have identified botnets, not spam, viruses, or worms, as the biggest threat to Internet security.
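The signature of the botnet flood described above is many distinct sources each sending far more requests than a normal client in the same short window. The Python below is an added example, not code from the original notes: it buckets web-server access log lines into fixed 10-second windows, counts requests per source, and raises an alert for a window in which several sources each exceed a per-source limit, which distinguishes a distributed flood from one noisy client. The thresholds are assumed tuning values, and the log lines (four bots in the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 documentation ranges plus one ordinary client) are constructed inside the script.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed detection thresholds (tuning values, not taken from the notes).
WINDOW = timedelta(seconds=10)  # fixed-size time bucket
PER_SOURCE_LIMIT = 50           # requests per source per bucket before it counts as flooding
MIN_FLOODING_SOURCES = 3        # at least this many flooding sources means "distributed"

LOG_FORMAT = '{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"


def build_sample_log():
    """Constructed common-log-format lines (not from a real server): four bots
    each send 80 requests inside one 10-second window, while one ordinary
    client sends 3 requests in the same window."""
    start = datetime(2024, 1, 15, 12, 0, 0)
    bots = ["198.51.100.7", "198.51.100.22", "203.0.113.41", "192.0.2.99"]
    lines = []
    for i in range(80):
        ts = start + timedelta(milliseconds=i * 120)  # all within 9.6 s
        for ip in bots:
            lines.append(LOG_FORMAT.format(ip=ip, ts=ts.strftime(TS_FORMAT) + " +0000"))
    for i in range(3):
        ts = start + timedelta(seconds=i * 3)
        lines.append(LOG_FORMAT.format(ip="192.0.2.10", ts=ts.strftime(TS_FORMAT) + " +0000"))
    return lines


def parse_line(line: str):
    """Return (source_ip, timestamp) for one common-log-format line."""
    ip = line.split(" ", 1)[0]
    ts_text = line[line.index("[") + 1:line.index("]")].split(" ")[0]  # drop the "+0000"
    return ip, datetime.strptime(ts_text, TS_FORMAT)


def requests_per_bucket(lines):
    """Return {bucket_start: Counter(ip -> request count)} over fixed WINDOW buckets."""
    buckets = defaultdict(Counter)
    for line in lines:
        ip, ts = parse_line(line)
        bucket = ts - timedelta(seconds=ts.second % WINDOW.seconds,
                                microseconds=ts.microsecond)
        buckets[bucket][ip] += 1
    return buckets


def detect_ddos(lines):
    """Return {bucket_start: sorted flooding IPs} for every bucket in which at
    least MIN_FLOODING_SOURCES distinct sources each exceed PER_SOURCE_LIMIT."""
    alerts = {}
    for bucket, counts in requests_per_bucket(lines).items():
        flooders = sorted(ip for ip, n in counts.items() if n > PER_SOURCE_LIMIT)
        if len(flooders) >= MIN_FLOODING_SOURCES:
            alerts[bucket] = flooders
    return alerts


if __name__ == "__main__":
    for bucket, ips in detect_ddos(build_sample_log()).items():
        print(f"{bucket.isoformat()}: DDoS suspected from {len(ips)} sources: {', '.join(ips)}")
```

Requiring several simultaneous flooders is what keeps a single misbehaving crawler from triggering a DDoS alert; a lone source over the limit is better handled by ordinary rate limiting. In production the same logic runs over a sliding window fed from the web server or a load balancer, and the source list feeds a block list or an upstream scrubbing service.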

Keylogger: A hardware device or software application that recognizes and records every keystroke made by a user.

Logic bomb: A piece of code that sits dormant on a target computer until it is triggered by the occurrence of specific conditions, such as a specific date and time.

The Diamond Model of Intrusion Analysis is a cognitive model used by the threat intelligence community to describe a specific intrusion event. Its four core features, the vertices of the diamond, are adversary, capability, infrastructure and victim: the adversary uses a capability over some infrastructure against a victim. As an example, a completed diamond could take the following form:

[Figure: a completed Diamond Model of Intrusion Analysis]

Note that vulnerability is not a formal node of the Diamond Model; what is exploited is described as part of the capability feature rather than as a vertex of its own.
