CompTIA Security+ (SY0-601): Malware
This section explains various types of computer viruses and malicious software, such as boot sector, macro, polymorphic, and metamorphic viruses, along with grayware and rootkits. It also covers techniques like DLL injection, driver manipulation, and the use of shims, which attackers employ to gain stealthy and persistent access to systems.
| Term | Definition |
|---|---|
| Types of Viruses: Boot sector | Stored in the first sector of a hard drive and loaded into memory on boot-up. |
| Types of Viruses: Macro | Virus embedded in a document and executed when the user opens the document. |
| Types of Viruses: Program | Program viruses infect an executable or application. |
| Types of Viruses: Multipartite | Virus that combines boot and program viruses: it first attaches itself to the boot sector and system files before attacking other files on the computer. |
| Types of Viruses: Encrypted, Stealth, Armored, Hoax | Armored viruses have a layer of protection to confuse an analyst. |
| Types of Viruses: Polymorphic | Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection. |
| Types of Viruses: Metamorphic | Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of a polymorphic virus). |
| Grayware | Software that is neither benign nor malicious and tends to behave improperly without serious consequences. |
| Rootkit | Software designed to gain administrative-level control over a system without detection. DLL injection is commonly used by rootkits to maintain their persistent control. Rootkits are activated before the operating system boots and are difficult to detect. |
| Rootkits: DLL Injection | Malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime. Occurs by the use of a shim. |
| Rootkits: Driver Manipulation | An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level. Occurs by the use of a shim. |
| Shim | A piece of software code that is placed between two components to intercept calls and redirect them. Malware authors can use shims to get around security features (like UAC) or to elevate privileges. Windows compatibility mode is an example of a shim. |
| Fileless Virus | Malware that runs only in memory. No artifacts are left on the endpoint that can be detected with traditional file-type-based tools. |
| Refactoring | The process of rewriting the internal processing of the code without changing its external behavior. |