SSCP Study Guide 7 - Malicious Code
Terms in this set (28)
A program or piece of code that has been loaded onto a computer without permission. It can hide itself, reproduce itself, and attach itself to any other program, and it will try to do undesirable or unwanted things.
A program that replicates itself over a computer network and usually performs malicious actions.
A destructive program that has been inserted inside an apparently harmless program. The program performs its advertised function in the foreground while carrying out an undesirable function in the background.
A program, or portion of a program, that lies dormant until a specific piece of program logic or system event is triggered. When that condition is met, it generally performs security-compromising activity.
Infects the boot record on hard disks and floppy disks. If the infected computer boots successfully, the boot sector virus stays resident in memory and infects floppies and other media when the infected computer writes to them.
Master Boot Record (MBR)
Infect the MBR (Master Boot Record) instead of the boot sector.
File infector viruses: Infect files that contain executable code, such as .EXE and .COM files, and infect other files when they are executed.
Infect certain types of data files (Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and Access databases). These are typically written in the Visual Basic macro language that is built into Microsoft Office applications.
Source Code Virus
These viruses add code to actual program source code.
A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file, in order to keep from being detected by an anti-virus program.
In order to avoid detection, a virus will often take over system functions likely to spot it and use them to
Multi-partite viruses share the characteristics of more than one virus type (they have a dual personality). For example, a multi-partite virus might infect both the boot record and program files.
Viruses that attempt to appear to scanners as a harmless program.
How malicious code can be introduced into the computing environment
Network attacks, Spoofing (masquerading), Alteration of authorized code and introduction of malicious code, Email Spamming or bombing, ActiveX, Mobile code, Trap doors
Trying to obtain the username and password by brute force or a dictionary attack, then introducing a virus file or other malicious code after successful exploitation.
Sending email that appears to have originated from one source when it actually was sent from another source.
Email Spamming or bombing
Sending email to hundreds or thousands of users with an attached virus file.
A set of platform-independent technologies developed by Microsoft that enable software components to interact with one another in a networked environment. This functionality of ActiveX components can be exploited by malicious mobile code.
Code that can be transferred from one system to another system to be executed.
A mechanism that is intentionally built in, often for the purpose of providing direct access: hidden code or a hardware device used to circumvent security controls.
Buffer Overflow Attack
A common DoS attack. Occurs when a process receives much more data than expected. If the process has no programmed routine to deal with this excessive amount of data, it acts in an unexpected way that the intruder can exploit. Several types of buffer overflow attacks exist, the most common being the "Ping of Death" (large-packet Ping attack) or the use of usernames or filenames of over 256 characters in email.
A common DoS attack. Occurs when an attacker exploits the use of the buffer space during a TCP session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to "time out" while waiting for the proper response, which makes the system crash or become unusable.
A common DoS attack. Consists of modifying the length and fragmentation offset fields in sequential IP packets. The target system then becomes confused and crashes after it receives contradictory instructions on how the fragments in these packets are offset.
A common DoS attack. Uses a combination of IP spoofing and ICMP to saturate a target network with traffic, thereby launching a denial of service attack. It consists of three elements — the source site, the bounce site, and the target site. The attacker (the source site) sends a spoofed PING packet to the broadcast address of a large network (the bounce site). This modified packet contains the address of the target site. This causes the bounce site to broadcast the misinformation to all of the devices on its local network. All of these devices now respond with a reply to the target system, which is then saturated with those replies.
IP Spoofing Attacks
Involves an alteration of a packet at the TCP level, used to attack Internet-connected systems that provide various TCP/IP services. The attacker sends a packet with the IP source address of a known, trusted host to convince a system that it is communicating with a known entity, which gives the intruder access. The target host may accept the packet and act upon it.
TCP Sequence Number Attacks
Exploit the communications session that was established between the target and the trusted host that initiated the session. The intruder tricks the target into believing it is connected to a trusted host and then hijacks the session by predicting the target's choice of an initial TCP sequence number. This session is then often used to launch various attacks.
IP fragmentation attacks
Use varied IP datagram fragmentation to disguise TCP packets from a target's IP filtering devices.
Tiny Fragment Attack
Occurs when the intruder sends a very small fragment that forces some of the TCP header fields into a second fragment. If the target's filtering device does not enforce a minimum fragment size, this illegal packet can then be passed on through the target's network.
Overlapping Fragment Attack
Another variation on a datagram's zero-offset modification (like the teardrop attack). Subsequent fragments overwrite the initial fragment's destination address information, and the second fragment is then passed by the target's filtering device. This can happen if the target's filtering device does not enforce a minimum fragment offset for fragments with non-zero offsets.