
CompTIA Security+ (SY0-601): Malware Infections

Information Technology · 15 cards · Created 3 months ago

This section describes various methods used by attackers to infiltrate systems, including threat and attack vectors, watering hole attacks, and active interception. It also covers privilege escalation, where attackers exploit system flaws to gain unauthorized access to higher-level permissions.

Key Terms

Threat Vector/Attack Vector

Threat Vector:
Method used by an attacker to access a victim’s machine

Attack Vector:
Method used by an attacker to gain access to a victim’s machine in order to infect it with malware

Watering Holes

Malware is placed on a website that you know your potential victims will access

Ex: DionTraining.com = correct
DionTranings.com = incorrect (potentially malicious)

Active Interception

Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them

Privilege Escalation

Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access

Backdoors & Logic Bombs

Backdoors are used to bypass normal security and authentication functions

Remote Access Trojan (RAT) is placed by an attacker to maintain persistent access

Logic Bomb
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met

Easter Egg
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature

Logic bombs and Easter eggs should not be used according to secure coding standards

Symptoms of Infection

Hard drives, files, or applications are not accessible anymore
Strange noises occur
Unusual error messages
Display looks strange
Jumbled printouts
Double file extensions are being displayed, such as textfile.txt.exe
New files and folders have been created or files and folders are missing/corrupted
System Restore will not function

Malware Removal

Identify symptoms of a malware infection
Quarantine the infected systems
Disable System Restore (if using a Windows machine)
Remediate the infected system
Schedule automatic updates and scans
Enable System Restore and create a new restore point
Provide end user security awareness training

If a boot sector virus is suspected, reboot the computer from an external device and scan it

Preventing Malware

Viruses, worms, trojans, ransomware, spyware, rootkits, & spam are best detected with anti-malware solutions

Scanners can detect a file containing a rootkit before it is installed…
Removal of a rootkit is difficult and the best plan is to reimage the machine

Verify your email servers aren’t configured as open mail relays or SMTP open relays

Remove email addresses from your website
Use whitelists and blacklists
Train and educate end users

Exploit Technique

Describes the specific method by which malware code infects a target host

Most modern malware uses fileless techniques to avoid detection by signature-based security software

How does an APT use modern malware to operate?

Dropper or downloader

Maintain access

Strengthen access

Actions on objectives

Concealment

Dropper

Malware designed to install or run other types of malware embedded in a payload on an infected host

Downloader

A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper

Shellcode

Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code

Code Injection

Exploit technique that runs malicious code with the identification number of a legitimate process:

Masquerading

DLL injection

DLL sideloading

Process hollowing

Droppers are likely to implement anti-forensics techniques to prevent detection and analysis

Living Off the Land

Exploit techniques that use standard system tools and packages to perform intrusions

Detection of an adversary is more difficult when they are executing malware code within standard tools and processes

Vulnerability Scans (Credentialed vs. Non-Credentialed)

Credentialed:
Require logging in with a given set of credentials
Conducted with a trusted user’s eye view of the environment
Uncover many vulnerabilities that non-credentialed scans may overlook

Non-credentialed:
Do not require credentials & do not get trusted access to the systems they are scanning
Tend to miss most vulnerabilities within a target environment