Computer Security Ch 6 - Exam III

  1. malware or malicious software
    a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim
  2. propagate
    "spread" in reference to malware
  3. payloads
    "actions" in reference to malware - what the malware does besides spreading
  4. blended attack
    an attack that uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack
  5. crimeware
    virus-creation toolkits that include a variety of propagation mechanisms and payload modules that even novices can combine, select, and deploy
  6. virus
    piece of software that can "infect" other programs, or any type of executable content, by modifying them - it cannot spread on its own; it runs only when the infected host program or content is executed
  7. infection mechanism/vector
    trigger/logic bomb
    payload
    three parts of a virus
  8. infection mechanism/vector
    the means by which a virus spreads or propagates, enabling it to replicate
  9. trigger or logic bomb
    the event or condition that determines when the payload is activated or delivered
  10. dormant phase - idle
    propagation phase - copy
    triggering phase - activation
    execution phase - the payload's function is performed
    four phases a virus or worm goes through
  11. boot sector infector
    infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
  12. file infector
    infects files that the operating system or shell consider to be executable
  13. macro virus
    infects files with macro or scripting code that is interpreted by an application
  14. multipartite virus
    infects files in multiple ways - capable of infecting multiple types of files (for example both boot sectors and executables)
  15. encrypted virus
    concealment classification of virus in which a small decryptor and a key are stored in the clear while the rest of the virus is encrypted; each time the virus replicates a different random key is selected, so the encrypted copies share no constant bit pattern for a signature scanner to match
  16. stealth virus
    a form of virus explicitly designed to hide itself from detection
  17. polymorphic virus
    a virus that mutates with every infection so that no two copies have the same signature - typically by re-encrypting under a new key and also varying the decryptor code, since a fixed decryptor would itself be a signature
  18. metamorphic virus
    a type of virus that mutates with every infection and rewrites itself completely at each iteration, changing its behavior as well as its appearance
  19. mutation engine
    the portion of the virus that is responsible for generating keys and performing encryption/decryption
  20. worm
    a program that actively seeks out more machines to infect, and then each infected machine serves as an automated launching pad for attacks on other machines
  21. scanning or fingerprinting
    searching done by worms for other systems to infect
  22. drive-by-download
    when the user views a Web page controlled by the attacker, the page contains code that exploits a browser vulnerability to download and install malware on the system without the user's knowledge or consent
  23. trojan horse
    a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function
  24. ransomware
    malware that encrypts the user's data, and demands payment in order to access the key needed to recover this information
  25. logic bomb
    a key component of data corrupting malware that includes code embedded in the malware that is set to "explode" when certain conditions are met - ex: a date, presence or absence of certain files, particular configuration of some software, a particular user running the app, etc.
  26. bot (robot), zombie, or drone
    category of payload where the malware subverts the computational and network resources of the infected system for use by the attacker
  27. botnet
    a collection of bots capable of acting in a coordinated manner
  28. remote control facility
    what distinguishes a bot from a worm - a worm propagates itself and activates itself, whereas a bot is controlled from some central facility, at least initially
  29. keylogger
    captures keystrokes on the infected machine to allow an attacker to monitor sensitive information
  30. spyware payload
    developed by the attackers to subvert the compromised machine to allow monitoring of a wide range of activity on the system
  31. phishing attack
    attacker can "assume" the user's identity for the purpose of obtaining credit, or sensitive access to other resources & exploits social engineering to leverage user's trust by masquerading as communications from a trusted source
  32. spear-phishing attack
    email claiming to be from a trusted source where the recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically
  33. backdoor or trapdoor
    a secret entry point into a program that allows someone who is aware of it, to gain access without going through the usual security access procedures
  34. maintenance hook
    a programmer's backdoor left in while developing an application, typically to skip an authentication procedure or a long setup that would otherwise require entering many different values every time the application is run for testing
  35. rootkit
    a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible
  36. prevention
    the ideal solution to the threat of malware
  37. policy
    awareness
    vulnerability mitigation
    threat mitigation
    four main elements of prevention
  38. generic decryption
    runs suspect code in a CPU emulator so that a self-decrypting virus decrypts its own body in the emulated memory, where a signature scanner can then recognize it - enables the antivirus program to detect even the most complex polymorphic viruses and other malware while maintaining fast scanning speeds
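The encrypted-virus, mutation-engine and generic-decryption cards above, as an added toy model (not code from the chapter): the "virus body" is a harmless marker string, the cipher is a repeating-key XOR and the "decryptor stub" is a literal tag, all constructed assumptions standing in for real self-decrypting code. It shows why a plain signature scanner misses two generations of the same virus while a scanner that first performs the decryption the stub would perform (the idea behind generic decryption) catches both. Metamorphic rewriting of the code itself is not modelled.

```python
"""Toy model of an encrypted/polymorphic virus and of generic-decryption scanning.
Constructed example: BODY is a harmless marker, not malware."""
import os

# Stand-in for the virus body whose signature the scanner knows (constructed).
BODY = b"MARKER-BODY:replicate-then-run-payload"
SIGNATURE = b"replicate-then-run-payload"   # byte pattern the scanner searches for
STUB = b"DECRYPT-STUB"                      # stands in for the clear-text decryptor code
KEY_LEN = 8


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mutate(body: bytes) -> tuple[bytes, bytes]:
    """Mutation engine: pick a fresh random key and encrypt the body under it."""
    key = os.urandom(KEY_LEN)
    return key, xor(body, key)


def replicate(body: bytes) -> bytes:
    """Produce one infected file: clear-text stub, then the key, then the ciphertext.
    Each replication uses a different key, so no constant pattern survives in the file."""
    key, ciphertext = mutate(body)
    return STUB + key + ciphertext


def signature_scan(sample: bytes) -> bool:
    """Plain signature scanner: matches the pattern against the file as stored."""
    return SIGNATURE in sample


def generic_decryption_scan(sample: bytes) -> bool:
    """GD scanner: 'emulate' the stub, i.e. perform the decryption it would perform,
    then signature-scan the recovered image instead of the stored bytes."""
    if not sample.startswith(STUB):
        return signature_scan(sample)
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    recovered = xor(sample[len(STUB) + KEY_LEN:], key)
    return signature_scan(recovered)


def demo() -> dict:
    """Two generations of the same virus seen by both scanners."""
    gen1, gen2 = replicate(BODY), replicate(BODY)
    return {
        "copies_identical": gen1 == gen2,
        "signature_hits": (signature_scan(gen1), signature_scan(gen2)),
        "gd_hits": (generic_decryption_scan(gen1), generic_decryption_scan(gen2)),
    }


if __name__ == "__main__":
    print(demo())
```

The stub itself is a constant here, which is exactly the weakness a polymorphic virus addresses by varying the decryptor; generic decryption sidesteps that by not caring what the decryptor looks like, only what it leaves in memory.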
  39. host-based behavior-blocking software
    integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions, and then blocks potentially malicious actions before they have a chance to affect the system
  40. ingress monitors
    type of monitoring software that is located between the enterprise network and the internet - ex: looks for incoming traffic to unused local IP addresses
  41. egress monitors
    type of monitoring software that is located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the internet - designed to catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior
  42. rate limiting
    limits the number of new machines a host can connect to in a window of time, detects a high connection failure rate, and limits the number of unique IP addresses a host can scan in a window of time
  43. rate halting
    immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts
Malicious Software