TestOut Ethical Hacker Pro Q&A Chapter 9 System Malware

Question / Answer
• What are the different types of malware?
• Which component of malware actually causes damage?
• What is the purpose of a Trojan horse?
• What are some ways malware can infect a system?
• What is the best way to analyze malware?
Malware Any software that is designed to perform malicious and disruptive actions.
The Computer Fraud and Abuse Act This law was originally passed to address federal computer-related offenses and the cracking of computer systems.
The Patriot Act This act expanded on the powers already included in the Computer Fraud and Abuse Act.
CAN-SPAM Act This law was designed to thwart the spread of spam.
Crypter Software that protects the malware code from being analyzed and reverse engineered. It also helps prevent detection from anti-virus software.
Exploit The act of taking advantage of a bug or vulnerability to execute malware.
Injector A program that injects malware into vulnerable running processes.
Obfuscator The act of concealing malware through different techniques.
Packer The act of compressing malware to help hide it.
Payload The main piece of malware. The payload is the part that performs the malware's intended activity.
Malicious code Code that defines the malware's basic functionality, such as deleting data or opening backdoors into the target.
Sheep dipping The process of analyzing emails, suspect files, and systems for malware.
Computer Fraud and Abuse Act The Computer Fraud and Abuse Act (CFAA) was first introduced in 1984 and has been updated many times since. The CFAA essentially defines what computer-related crimes are and ensures that these crimes can be punished.
USA Patriot Act The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) expanded on the powers already included in the CFAA.
CAN-SPAM Act The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act was signed into law in 2003. The CAN-SPAM Act established the rules and guidelines for commercial emails in an effort to curb the assault of spam emails.
Crypter Basically a shell around the malware code that keeps the malware from being analyzed and reverse engineered. This also helps prevent detection by anti-malware programs.
Exploit This takes advantage of a bug or vulnerability to execute the malware.
Injector The program that injects, or places, the malware into vulnerable running processes.
Obfuscator Uses different techniques to conceal the malware.
Packer Compresses the malware to reduce its size and also helps hide it.
Payload This is the main piece of the malware. The payload is what performs the intended activity of the malware.
Malicious code The programming that performs the malware's basic functionality.
Virus Self-replicating malware that attaches itself inside a legitimate program. It must be attached to another program to run.
Direct action Infects a program and runs only when that program is run. The virus stops when the program is closed. The goal is to infect as many files and folders as possible. VCL.428
Logic bomb Triggered by an event, such as specific date/time or a program being executed. If triggered by date/time, it is referred to as a time bomb. AgentBase.exe
Overwrite Overwrites the contents of an infected file or folder. The only way to get rid of this virus is to delete infected files. Loveletter
Browser hijacker Infects web browsers so when the user attempts to go to a web page, the virus will redirect the browser to a fake website that can harm the computer. Onewebsearch
Web scripting Resides in ads, videos, or the background of a website. When a user visits, the virus will infect the computer automatically through client-side scripting. There are two types of this virus, persistent and non-persistent. Persistent is when the user's cookies are stolen and can lead to session hijacking. Non-persistent is when the user is attacked without knowing. JS.fornight
Boot sector Moves the MBR to another location on the hard drive and embeds itself in the original location. When the computer boots, the virus runs first, then passes control to the MBR. Polyboot.B
Cavity Also known as an overwriting virus. This virus fills in empty space in a file or program without increasing the length of the file. It preserves the file or program's functionality. Lehigh Virus
Email A virus that is sent as an email attachment. This can be any type of virus. (almost any virus)
Sparse-infector Attempts to hide itself from antivirus by infecting at random times or by random triggers. These triggers can be a specific file size, name, date, or when a particular program is executed. Dark Avenger
Polymorphic Contains a mutating engine that changes the code every time the virus is replicated while keeping the original malware algorithm intact. This makes the virus extremely difficult to detect. Elkern
Encryption Also known as a cryptovirus, this virus infects the user files and folders and encrypts them. A decryption key is required to recover the data. Cryptolocker
What is the virus life cycle?
1. Design: the virus is created.
2. Replication: the virus replicates and spreads within the victim machine.
3. Launch: the virus is launched and executes its payloads.
4. Detection: the virus is detected and identified as a threat.
   o Slow system
   o Frequent Blue Screen of Death (BSOD)
   o Deleted files
   o Operating system won't load
5. Incorporation: antivirus software developers design defenses against the virus.
6. Execute the damage routine: users update antivirus software and eliminate the virus threat.
Worms are entirely self-replicating. Worms effectively use the power of networks, malware, and speed to spread. These malware programs are generally not destructive in nature, but do consume a large amount of bandwidth and can take down a network system quickly if not caught. Worms can also carry additional payloads, such as viruses, which will be destructive.
This malware requires a file or executable program to infect. Virus
This is a standalone malware program. Worm
This malware generally does not modify files or folders. Worm
This type of malware Can be destructive and modify files including system files. virus
This type of malware Can replicate through a network with no human interaction. Worm
This type of malware Can spread to other computers only through email or other media. virus
This type of malware Changes the way a computer operates without the user's knowledge. virus
This malware consumes network and system resources, such as CPU cycles and network bandwidth. Worm
This malware Spreads and replicates as programmed. virus
This malware Can spread through a network extremely quickly. Worm
Countermeasures to combat viruses and worms:
• Install antivirus software that detects and removes infections as they appear.
• Generate an antivirus policy for safe computing and distribute the policy to the staff.
• Pay attention to the instructions while downloading files or any programs from the internet.
• Update antivirus software regularly.
Trojan horse can open backdoors into the system it infects, providing the hacker with covert remote access. Backdoor programs are embedded and hidden inside legitimate programs. When the user runs that program, the Trojan horse runs in the background without the user’s knowledge, giving the hacker remote access.
Symptoms of a Trojan horse
• Screen settings change by themselves.
• Chat boxes appear.
• Account passwords are changed.
• Legitimate accounts are accessed without authorization.
• Unknown purchase statements appear on credit card bills.
• Ctrl+Alt+Del stops working.
These are just a few of the symptoms. A general rule of thumb is that if a system begins behaving abnormally, there's a decent chance it is infected and it should be examined.
What does this type of Trojan do: Remote access Trojan (RAT) RATs are one of the most prevalent types of Trojan horses. They provide a hacker with remote desktop GUI access to the victim machine and complete control over the system. FatRat
What does this type of Trojan do: Backdoor A backdoor Trojan is very similar to the RAT. This Trojan also provides complete administrative access to the remote system and can bypass security such as a firewall or IDS. The main difference between the backdoor and a RAT is the backdoor does not provide a remote desktop GUI access, only a shell. PoisonIvy
What does this type of Trojan do: Botnet A botnet controls a large number of computers to carry out an attack. Once installed on a system, the Trojan reports back to its command and control (C&C) center. From the C&C center, the hacker can control the machines to carry out attacks. Kraken
What does this type of Trojan do: Distributed Denial of Service (DDoS) Computers infected with a DDoS Trojan become zombies and listen for the command to attack. When the command is given, all infected computers attack the target simultaneously. The attack system is almost identical to a botnet; the only difference is the function. ElectrumDoSMiner
What does this type of Trojan do: Destructive These Trojans are designed to delete files on the target machine. Once a destructive Trojan infects the system, it will randomly delete files. W32.DisTrack (Shamoon)
What does this type of Trojan do: Banker Banker Trojans are also called e-Banking Trojans. These malware programs monitor the victim's computer and steal information related to financial records such as bank account, credit cards, and bill pay data. Backswap
What does this type of Trojan do: IoT Internet of Things devices are the target of IoT Trojans. Smart thermostats, lighting systems, and HVAC systems are examples of IoT devices that are vulnerable to this type of Trojan horse. Mirai
What does this type of Trojan do: Proxy server The proxy server Trojan is a standalone application that allows the remote hacker to use the victim's machine as a proxy to access the internet. Proxy (Linux Trojan)
What does this type of Trojan do: Defacement The defacement Trojan has the ability to change the code and modify the contents of a database or a website. These Trojans can change the way a website or program looks and functions, making them extremely destructive. Restorator
What does this type of Trojan do: Gaming A gaming Trojan focuses on stealing user account information from online gamers. GameThief
What does this type of Trojan do: Mobile These Trojans target mobile devices. With the increase in mobile device usage, the use of this Trojan type is increasing rapidly. Hummer
What does this type of Trojan do: Security software disabler The security software disabler stops the security programs, such as the firewall and IDS, from working. These Trojans are known as entry Trojans, as they provide access so the hacker can perform the next level of attack. Certlock
What does this type of Trojan do: Command shell The command shell Trojan gives remote control of a command shell on the target. It does not necessarily provide full system access like a backdoor Trojan. Netcat
How are Trojan horses created? Hackers use a construction kit to customize their Trojan. Trojan horse creation kits perform all steps in the Trojan creation process. Once created, the Trojan can be distributed using email, USB drives, and websites.
1. Create the server: the file that is dropped onto the target machine and that the hacker will connect to.
2. Create the dropper: the part of the packet that installs the malicious code onto the target's machine.
3. Wrap the dropper and server into a genuine application file. A wrapper performs this function.
What are some things a hacker can do after a Trojan is installed?
• Stealing data
• Installing other software
• Creating backdoors
• Recording from the webcam
• Modifying files
What are the 2 methods of communication for a Trojan horse? Overt: obvious, legitimate communication by the system. HTTP and TCP/IP are examples of overt communication. Covert: any method of conveying information in a hidden or illegitimate manner. Covert channels violate the security policy on the system.
Port 2 Associated Trojans Death
Port 20 Associated Trojans Senna Spy
Port 21 Associated Trojans Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
Port 22 Associated Trojans Shaft, SSH RAT
Port 23 Associated Trojans Tiny Telnet Server
Port 25 Associated Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth
Port 31 Associated Trojans Hackers Paradise
Port 80 Associated Trojans Poison Ivy, Executor
Port 421 Associated Trojans TCP Wrappers Trojan
Port 456 Associated Trojans Hackers Paradise
Port 555 Associated Trojans Ini-Killer, Phase Zero, Stealth Spy
Port 666 Associated Trojans Satanz Backdoor
Port 1001 Associated Trojans Silencer, WebEx
Port 1011 Associated Trojans Doly Trojan
Port 1095-98 Associated Trojans RAT
Port 1170 Associated Trojans Psyber Stream Server, Voice
Port 1234 Associated Trojans Ultors Trojan
Port 1243 Associated Trojans Subseven 1.0-1.8
Port 1245 Associated Trojans VooDoo Doll
Port 1177 Associated Trojans njRAT
Port 485 Associated Trojans WannaCry, Petya
Port 1492 Associated Trojans FTP99CMP
Port 1600 Associated Trojans Shivka-Burka
Port 1807 Associated Trojans SpySender
Port 1981 Associated Trojans Shockrave
Port 1999 Associated Trojans BackDoor 1.00-1.03
Port 2001 Associated Trojans Trojan Cow
Port 2023 Associated Trojans Ripper
Port 2115 Associated Trojans Bugs
Port 2140 Associated Trojans Deep Throat, The Invasor
Port 2155 Associated Trojans Illusion Mailer, Nirvana
Port 3129 Associated Trojans Masters Paradise
Port 3150 Associated Trojans The Invasor
Port 4092 Associated Trojans WinCrash
Port 4567 Associated Trojans File Nail 1
Port 4590 Associated Trojans ICQTrojan
Port 5000 Associated Trojans Bubbel
Port 5001 Associated Trojans Sockets de Troie
Port 5321 Associated Trojans Firehotcker
Port 5400-02 Associated Trojans Blade Runner 0.80 Alpha
Port 1604 Associated Trojans DarkComet RAT, Pandora RAT, HellSpy RAT
Port 6666 Associated Trojans KillerRat, HoudiniRAT
Port 8080 Associated Trojans Zeus
Port 5569 Associated Trojans Robo-Hack
Port 6670-71 Associated Trojans DeepThroat
Port 6969 Associated Trojans GateCrasher, Priority
Port 7000 Associated Trojans RemoteGrab
Port 7300-08 Associated Trojans NetMonitor
Port 7789 Associated Trojans ICKiller
Port 8787 Associated Trojans BackOrifice 2000
Port 9872-9875 Associated Trojans Portal of Doom
Port 9989 Associated Trojans iNi-Killer
Port 10607 Associated Trojans Coma 1.0.9
Port 11000 Associated Trojans Senna Spy
Port 11223 Associated Trojans Progenic Trojan
Port 12223 Associated Trojans Hack'99 KeyLogger
Port 12345-46 Associated Trojans GabanBus, NetBus
Port 12361-62 Associated Trojans Whack-a-mole
Port 16969 Associated Trojans Priority
Port 20001 Associated Trojans Millennium
Port 20034 Associated Trojans NetBus 2.0, Beta-NetBus 2.01
Port 1863 Associated Trojans XtremeRAT
Port 5000 Associated Trojans SpyGate RAT, PunisherRAT
Port 1777 Associated Trojans Java RAT, Agent.BTZ/ComRat, Adwind RAT
Port 21544 Associated Trojans Girlfriend 1.0, Beta-1.35
Port 2222 Associated Trojans Prosiak
Port 23456 Associated Trojans Evil FTP, Ugly FTP
Port 26274 Associated Trojans Delta
Port 30100-02 Associated Trojans NetSphere 1.27a
Port 31337-38 Associated Trojans Back Orifice, DeepBO
Port 31339 Associated Trojans NetSpy DK
Port 31666 Associated Trojans BOWhack
Port 33333 Associated Trojans Prosiak
Port 34324 Associated Trojans BigGluck, TN
Port 40412 Associated Trojans The Spy
Port 40421-26 Associated Trojans Masters Paradise
Port 47262 Associated Trojans Delta
Port 50505 Associated Trojans Sockets de Troie
Port 50766 Associated Trojans Fore
Port 53001 Associated Trojans Remote Windows Shutdown
Port 54321 Associated Trojans SchoolBus .69-1.11
Port 61466 Associated Trojans Telecommando
Port 65000 Associated Trojans Devil
Trojan horse countermeasures The best countermeasure to Trojan horse malware programs is to avoid getting them in the first place. Some basic guidelines to prevent infection are:
• Avoid opening email attachments
• Block unnecessary ports on the firewall
• Do not install unknown programs
• Monitor network traffic
• Install and maintain anti-malware software
If a system is infected, run in-depth scans with updated antivirus and anti-Trojan software. Additional steps may be needed, depending on the infection.
A system can be infected by malware in many ways. Some of the more common methods are:
• USB drives
• Phishing emails
• Downloading and installing from websites
Concerns with rootkits The term comes from combining the words root, the equivalent of an administrator on Linux, and kit, the software being executed. A rootkit consists of different programs that give the hacker root, or administrator, access to the target machine, allowing the hacker to perform exploits such as installing keyloggers. A famous rootkit was distributed by Sony BMG (now Sony Music) in 2005. In an attempt to enforce copyright protection,
Concerns with spyware Spyware is a type of malware that is designed to collect and forward information regarding a victim's activities to someone else. While this type of malware doesn't usually cause damage to a machine, it is extremely invasive. Spyware can be especially dangerous because it can spy on everything the user is doing. People often associate spyware with web browsing activities, but spyware will also report on applications being run, instant messaging activity, and almost anything else the user does on the system.
Adware Adware causes pop-up and pop-under advertisements on the infected system. Users often install adware as a bundle with freeware programs or when visiting a website that stealthily installs adware in the background.
Scareware Scareware shows the user warnings about potential harm that could happen if they don’t take some sort of action, such as purchasing a specific program to clean their system. If the user falls for the attack, the software that is purchased will often contain other malware, and the hacker has the user's credit card information.
Ransomware When ransomware infects a system, it will scan the computer for user files and encrypt them. To recover the files, there are usually instructions on how to pay a ransom using cryptocurrency to receive the decryption key. There is no guarantee that the user will receive the decryption key.
How are ports assigned? Port numbers are assigned in various ways, based on three ranges:
• System Ports (0-1023): System Ports are assigned by the "IETF Review" or "IESG Approval" procedures described in [RFC8126].
• User Ports (1024-49151): User Ports are assigned by IANA using the "IETF Review" process, the "IESG Approval" process, or the "Expert Review" process, as per [RFC6335].
• Dynamic and/or Private Ports (49152-65535): Dynamic Ports are not assigned.
Sheep Dipping The process of analyzing emails, suspect files, and systems for malware is known as sheep dipping. The term comes from the process sheep farmers use to dip sheep in chemical solutions to clear them of parasites.
sheep dip computer This computer is isolated from all networks, and it has port monitors, file monitors, network monitors, and anti-virus software. This system connects to a network only under extremely strict conditions. Along with the sheep dip computer, an anti-virus sensor system is used. This is a collection of software that detects and analyzes malware.
Static analysis is also known as code analysis. This involves going through the actual code of the malware without executing it. This is done using a variety of tools and techniques in order to understand the malware's function and purpose. Because the malware itself is not being run, this method is relatively safe.
File fingerprinting File fingerprinting is the process of identifying unique malware programs by generating a hash for the program. This hash can be checked throughout the analysis process to see if it has changed. MD5 and SHA1 are the two most common hash functions used in file fingerprinting. File fingerprinting does not work well with encrypted files, password-secured files, or media files.
Scanning This process involves scanning the malware with a local anti-malware program or using an online scanner.
String searching When the malware's code is not obfuscated, the analyzer can search for strings of plain text in the code. These strings may show the malware's purpose and some of its functions.
Identify obfuscation/packing Hackers use obfuscation techniques and packers to compress and encrypt their malware. Part of the analyzing process is to determine the method that was used. If the method is determined, the analyzer should be able to unpack the code without damaging or changing it, which allows for deeper analysis.
Malware disassembly Disassembling the malware allows the analyzer to learn everything about the program and what it's designed to do. Loading the program into a disassembler or debugging program will generate the raw code, which can be analyzed to determine everything about the malware.
Dynamic Analysis is the process of analyzing the malware by running it and observing how it behaves and its effects on the system. This type of analysis can be done only on the sheep dip computer. 1. Create a baseline
Host Integrity Monitoring The process of studying the malware and its effects involves using the same tools and processes to take a snapshot of the system before and after the malware is executed.
Host Integrity Monitoring includes monitoring of:
• Ports
• Processes
• Registry
• Windows services
• Startup programs
• Event logs
• Installation
• Files and folders
• Device drivers
• Network traffic
• DNS
• Application Program Interface (API) calls
Why are ports included in host integrity monitoring? Malware often opens ports on the computer. Using tools such as Netstat will show any open ports the malware is using.
Why are processes included in host integrity monitoring? Malware can hide itself by posing as genuine Windows services or processes. Using a tool like Process Monitor can help determine if any processes are actually malware.
Why is the registry included in host integrity monitoring? Monitoring the registry for any changes by the malware is important, as malware will often create registry keys. Scanning the registry for suspicious keys can aid in tracking the malware infection.
Why are Windows services included in host integrity monitoring? Malware can spawn additional Windows services or rename malicious processes to look like a Windows service and evade detection. Windows Service Manager can detect changes in services and can also scan for suspicious Windows services.
Why are startup programs included in host integrity monitoring? Malware can set itself to load with Windows in startup programs. Verifying the startup programs can be done manually or with a tool like WinPatrol or Autoruns.
Why are event logs included in host integrity monitoring? Event logs should be analyzed to identify malicious or suspicious activities.
Why is installation included in host integrity monitoring? When software is installed or uninstalled, traces of the application data can be left on the system. You can install monitoring programs such as SysAnalyzer to help track anything being installed or uninstalled.
Why are files and folders included in host integrity monitoring? Malware will normally modify a system's files and folders. Use file and folder integrity checkers such as Tripwire or SigVerif, which is the built-in Windows file verifier.
Why are device drivers included in host integrity monitoring? Malware can hide itself inside untrusted or invalid device drivers. Verify that device drivers are valid and trusted.
Why is network traffic included in host integrity monitoring? Most malware will generate network traffic. Analyzing network traffic with programs like Wireshark will help you see what the malware is doing and track it down.
Why is DNS included in host integrity monitoring? Some malware is capable of changing a system's DNS information. DNSQuerySniffer, DNSstuff, and similar programs can monitor DNS requests and settings of the system. The analyzer should use these tools to monitor DNS requests and identify whether the malware can change those settings.
Why are Application Program Interface (API) calls included in host integrity monitoring? APIs are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, and errors. A program like API Monitor can help the analyzer see how the malware is interacting with the operating system.
What does a crypter program do? A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect.
Which of the following laws is designed to regulate emails? CAN-SPAM Act
How is a logic bomb triggered? A logic bomb is triggered by an event, such as a specific date and time or a program being executed.
A virus has replicated itself throughout the infected systems and is executing its payload. Which of the following phases of the virus lifecycle is the virus in? Launch
Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using? Worm
Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine? Dropper
Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using? Trojan horse
Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action? Scareware
Patrick is planning a penetration test for a client. As part of this test, he will perform a phishing attack. He needs to create a virus to distribute through email and run a custom script that will let him track who has run the virus. Which of the following programs will allow him to create this virus? JPS
Rudy is analyzing a piece of malware discovered in a pentest. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterwards and monitor different components such as ports, processes, event logs, and more for any changes. Which of the following processes is he using? Host integrity monitoring
Analyzing emails, suspect files, and systems for malware is known as which of the following? Sheep dipping
Which of the following best describes an anti-virus sensor system? A collection of software that detects and analyzes malware.
What are the best methods for detecting malware?
What steps should you take when penetration testing for malware?
What actions should be taken when malware is discovered?
Heuristic algorithm Heuristic algorithms generate fairly accurate results in a short amount of time by focusing on speed instead of accuracy and completeness.
Anti-malware is an umbrella term that encompasses several types of programs that prevent malicious software from infecting a system. Anti-malware includes anti-Trojan and antivirus software. Anti-Trojan software is designed specifically to counterattack Trojan horse programs. Anti-Trojan programs utilize scanning methods specifically designed to detect and clear a system of Trojans, rootkits, backdoors, and similar types of damaging software.
Antivirus software is designed specifically to counterattack viruses and worms. Antivirus programs usually have a live monitoring system to immediately detect and stop viruses and worms from running. Often, the antivirus and anti-Trojan software is combined into a single anti-malware program. Some of the more popular anti-malware programs include:
What are some of the more popular anti-malware programs?
• Bitdefender
• McAfee
• Webroot
• Symantec Norton 360
• Kaspersky
• AVG
• Avira
• ClamAV (Open Source Program)
What are the steps in the development of anti-malware programs?
• Identify unique characteristics of malicious software.
• Write the scanning process.
• Update the anti-malware program.
• Scan the system.
Anti-malware typically either quarantines or deletes the malware. Malware databases must be updated regularly; they cannot detect unknown threats.
Scanning A malware scanner is a vital piece of the anti-malware software. The scanner should have live system monitoring to immediately detect malware. The anti-malware database should be updated on a regular basis to ensure that it can protect systems from newly devised threats. If not, the system is vulnerable to attack by new malware.
Integrity checking Integrity checking establishes a baseline of the system and will alert the user if any suspicious system changes occur. Integrity checkers cannot determine if the change is from malware, a system failure, or some other cause.
Interception Interception is mainly used against logic bombs and Trojans. If a request for network access or any request that could damage the system is made, the interceptor will notify the user and ask if they wish to approve and continue.
Code emulation The anti-malware software opens a virtual environment to mimic CPU and RAM activity. Malware code is executed in this environment instead of the physical processor. This method works well against polymorphic and metamorphic viruses.
Heuristic analysis Heuristic analysis aids in detecting new or unknown malware. The heuristic analysis is based on other known malware. Every malware program has a fingerprint, or signature. If an anti-malware program detects similar code, it marks it as malware and alerts the user.
Steps in penetration testing malware
1. Scan for open ports.
2. Scan for running processes.
3. Check for suspicious or unknown registry entries.
4. Verify all running Windows services.
5. Check startup programs.
6. Look through the event log for suspicious events.
7. Verify all installed programs.
8. Scan files and folders for manipulation.
9. Verify device drivers are legitimate.
10. Check all network and DNS settings and activity.
11. Scan for suspicious API calls.
12. Run anti-malware scans.
How to remove malware If malware is found on a system, follow these steps:
1. Isolate the system from the network immediately.
2. Verify that the anti-malware software is updated and running. If it's not, update it and scan the system.
3. Sanitize the system using updated anti-malware software and appropriate techniques.
Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use? ClamAV
Anti-malware software utilizes different methods to detect malware. One of these methods is scanning. Which of the following best describes scanning? Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs.
Which of the following is the first step you should take if malware is found on a system? Isolate the system from the network immediately.
Daphne suspects a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDN of the hosts those programs are connecting to. Which command will allow her to do this? netstat -f -b
What does netstat -f -b do? Shows the fully qualified domain name (FQDN) and the names of the programs that are making connections.
What does netstat -a -b do? Shows the open ports on the local system and the names of the programs that are making connections.
What does netstat -f -a do? Shows the fully qualified domain name and the open ports on the local system.
What does netstat -f -a -b do? Shows the fully qualified domain name, the open ports on the local system, and the names of the programs that are making connections.
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester will need to manually check many different areas of the system. After these checks have been completed, which of the following is the next step? Run anti-malware scans
Created by: jacobth