CYB4 V
CYB 4302, Cyber Warfare and Application 1
Course Learning Outcomes for Unit V Upon completion of this unit, students should be able to:
3. Scan networks for malware. 3.1 Describe viruses and worms and how they differ. 3.2 Identify standard virus tools. 3.3 Recognize how antivirus programs work.
5. Examine social engineering techniques.
5.1 Evaluate security assessments. Required Unit Resources Chapter 5: Social Engineering, Malware Threats, and Vulnerability Analysis—Read the following sections:
• Foundation Topics • Social Engineering • Malware Threats • Vulnerability Analysis • Summary
Unit Lesson
Malware Threats and Analysis In this lesson, we pivot from hacking and ethical hacking to the topic of malware. Malware can be used as a hacking tool, but it has the potential to cause significant harm and disruption on its own. You will learn the various types of malware including viruses, worms, trojans, spyware, and ransomware. We will cover the techniques used by these malicious programs and cover how organizations and individuals can protect themselves.
Viruses and Worms Malware is any computer program that is intended to cause harm. A virus program requires some action to trigger it, such as opening an infected file or running malicious code from a disreputable website. Once activated, the virus can infect other files on the host computer and attempt to gain a foothold in other systems. Worms are malicious applications like a virus, but a worm does not require a triggering action. A worm is self- sufficient and can self-propagate from computer to computer (Latto, 2020). A summary of viruses and worms is below.
• Viruses and worms are types of malware that can cause a wide range of damages, such as displaying error messages, crashing programs, or destroying data.
• Viruses place self-replicating code in other programs. • Worms are viruses that can be spread without human intervention. • Spyware is like a trojan and is used to steal information from a computer and consume bandwidth.
UNIT V STUDY GUIDE Malware, Threats, and Analysis
CYB 4302, Cyber Warfare and Application 2
UNIT x STUDY GUIDE Title
Types and Transmission Methods of Viruses and Malware Computer viruses have many methods that they use to make themselves at home on an infected machine. One form of an attack is to embed into the computer Master Boot Record (MBR). The MBR is the first computer code that is executed after the system BIOS checks are complete. When functioning correctly, the MBR is responsible for loading the operating system into memory and handing control over once the OS is loaded. What is crucial is that the MBR is the first program that is run on a system. This makes it an attractive target for virus programs. If the virus can control the MBR, it can modify everything else on the system, including any virus detection and removal software. Repairing and removing an MBR infection can be difficult. (Arntz, 2021). A file-infecting virus attaches itself to executable programs and finds other executable files to copy replicate with. Therefore, executable files of all types, including dynamic libraries, can hide malware. Macro viruses use programs that support a macro scripting language like Microsoft Word or Excel to contain them. The execution of the macro within the program will cause the virus to execute and propagate. Microsoft by default disables script execution, but users can still be tricked into enabling macros and running the malicious script. A polymorphic virus can use any transmission method, but it can also change through updates or self- modification. This behavior makes a polymorphic virus more difficult to detect because no single detection method will reliably work. Once an antivirus product develops a signature to identify the virus can be modified to avoid matching that signature (Chapple et al., 2021). Multipartite viruses can infect boot records and files, providing multiple vectors that it can use to propagate and avoid detection. For example, it may start by executing as part of an infected file but then re-format and compromise the boot record to control any antivirus application installed (Logix Consulting, 2019). A newer virus mechanism is to embed malicious code within pictures such as internet memes. For example, an active virus infection on a computer can monitor social media for instructions that are hidden inside memes using a method called steganography. This embedded information is not detectable by users viewing the picture but still contains secret instructions for the virus. (Mathews, 2018 ). A summary of these methods is in the list below.
• Basic ways viruses propagate: o Master boot record infection:
Attacks the master boot record of the hard drive o File infection:
Relies on the user to execute a file o Macro infection:
Exploit scripting services installed on the computer o Polymorphic o Multipartite o Meme
Viruses can take different paths to spread infections. Some viruses try to spread as rapidly and aggressively as possible, but this raises the probability of being detected. Sparse infector viruses spread over a longer time frame to be stealthier (Computer Knowledge, 2013a). Summary points are provided below:
• Fast infection viruses o Spreads quickly and infects all the files it can
• Sparse infection: o Takes longer to infect other files to avoid detection
Some viruses will try to make themselves resident in the computer system memory. This enables the virus to monitor the system continually and defeat antivirus attempts to detect and remove it. Non-resident viruses will stop executing once the system is shut down or rebooted. Resident viruses will load and resume execution when the system restarts rather than waiting for a trigger event. (Logix Consulting, 2021).
CYB 4302, Cyber Warfare and Application 3
UNIT x STUDY GUIDE Title
• RAM resident infection: o Loads itself in RAM
The only way boot sector viruses can spread
Virus Payloads Often a virus will infect an existing executable file on a computer system, but where does it place malicious code? There are two common answers to that question. The first is that the virus code is placed at the very beginning of an existing program. This method is called prepending, where the malicious code is placed at the beginning and executes before passing through to the regular functioning program afterward. The second method is called appending, where the malicious code is placed at the end of the regular code with a jump instruction at the beginning that passes execution to the malicious code at the end of the file (Daoud et al., 2008). The notes below summarize these terms.
• Prependers: o Place the virus code at the beginning of the infected file
• Appenders: o Place the virus code at the end of the infected file
Virus programs consist of multiple components that are required to provide all the virus functionality. In an era of modular programming, you can think of each of these as being constructed as functions with a purpose. The common viral functions are:
• Search routine: o Present in all viruses o Responsible for locating new files, disk space, or RAM to infect
• Infection routine: o Present in all viruses o Responsible for copying the virus and attaching it to a suitable host
• Payload routine: o Is not required o Contains the actual virus code
• Antidetection routine: o Helps the virus avoid detection
• Trigger routine: o Launches the payload at a given date and time
History of Viruses
Today’s computer users probably take for granted the risk of getting their computers infected with a virus; however, this was not always the case. The concept of replicating computer programs that hide and carry malicious artifacts developed over time with multiple steps becoming more complex and sophisticated (Conocimiento, 2019). The notes below provide a timeline of some of the significant milestones in the evolution of computer viruses.
• Fred Cohen coined the term computer virus in 1984. • Ralf Burger created one of the first replicated programs, Virderm, in 1985. (F-Secure, 2021c). • The Brain virus:
o The first documented computer attack recorded at the University of Delaware o Targets floppy disk’s boot sector
• Lehigh virus: (Kapersky, 2021a). o Discovered at Lehigh University o Hid itself in command.com and counted how many files were infected o Wipes out data on the floppy disk when the counter reached a predetermined number
• MacMag: (Computer Knowledge, 2013a). o Developed by Drew Davidson in 1988 o Shows drawing of the world on Mac machines
• Scores:
CYB 4302, Cyber Warfare and Application 4
UNIT x STUDY GUIDE Title
o Another Mac virus reported by EDS o Prevents users from saving data
• Staog: (F-Secure, 2021a). o The first well-known Linux virus found in 1996 o Attempts to affect binaries as the system user executes them
• Bliss (F-Secure, 2021a). o Considered the second Linux virus o Locates binary files with write access and overwrites them with its code
Well-Known Viruses and Worms
The 1980s saw the beginnings of very malicious and harmful virus infections. The evolution of malicious software, including methods of infections and ways to evade detection, continues to accelerate today. Below is a list of some of the most well-known and damaging malware that has been experienced (Jamaluddin, 2021).
• Late 1980s: o Stoned and Cascade viruses o RTM: First worm released on the internet
Protocol worm Developed by Robert Morris Disabled approximately 6,000 computers
• 1990s: o Norton Antivirus released in 1991 o Chameleon and Tequila: Polymorphic viruses o Win95Boza
First Windows 95 virus, released in 1996 o Melissa
First macro virus spread via email and infected the Normal .dot template in Microsoft Word • 2000 and beyond
o I Love You: hybrid mass-mailing worm o Anna Kournikova: 2001 VBS hybrid worm attacked Microsoft Outlook o Code Red: exploited.ida buffer overflow vulnerability o Nimba: Worm that targets IIS servers o Klez: Worm released in 2002 and exploited a vulnerability that enabled an incorrect MIME header
to cause IE to execute an email attachment o Slammer: Worm that targets SQL o MyDoom: Worm that spreads through email o Sasser: Worm that exploited lsass vulnerability o Virut: Used for cybercrime activities o Conficker: Uses dictionary attack on the Administrator account to propagate
Virus Creation Tools
In the historical days of virus and antivirus development, malicious code had to be created using assembly code and required some advanced computer knowledge and programming skill. This had the desirable effect of keeping the number and variations of viruses to a smaller number. Developing a virus from scratch can still be accomplished, of course. As a later development, groups that could create a virus started to produce virus toolkits that could produce much of the required virus programming in an automated fashion. Virus toolkits made virus creation much easier, lowering the barrier to entry. As a result, many more viruses started to be released. There are serious ethical issues with releasing tools that can be used to cause massive disruption and financial losses. Virus and antivirus researchers should follow ethical guidelines and processes to minimize the risk of their work having a negative impact (Inform IT, 2021). The list below identifies some of the virus toolkits that have been developed.
• VBS worm generator • Virus creation laboratory
CYB 4302, Cyber Warfare and Application 5
UNIT x STUDY GUIDE Title
• Macro virus development kit • Instant virus production kit • Windows virus creation tool kit • Smeg virus construction kit
Overview of Trojans
Trojan horse computer viruses refer to the story that the ancient Greeks tricked the residents of the city of Troy to open their gates and admit a gift wooden horse into the city. The story tells how the Greeks hid inside the wooden horse, sneaking out at night to take over the city (University of Oxford, 2014). Like the horse in this story, a trojan horse computer virus is malicious code hidden inside something the user wants like a legitimate computer program or email attachment. Referring to trojan programs as a virus is misleading. A computer virus, once activated, infects other files or systems. A trojan program is not self-replicating. Instead, it requires a user to trigger it each time. Thus, it is neither a virus nor a worm, but it is malicious software intended to cause harm (Fortinet, 2021). The features that define a trojan program are summarized below.
• A program that disguises itself as a legitimate program but delivers malicious content when executed • Cannot spread itself as worms and viruses do • Depends on a user to execute it
Trojan Types
Trojan software can be used to perform malicious activity across several dimensions. Trojans are classified into types based on the specific goal they are trying to accomplish, from extracting personal information like banking credentials to denial of service (Norton, 2020). The EC-Council groups trojan software into seven types based on what the software tries to accomplish. The list of these types is below.
• Remote access • Data hiding • E-banking • Denial-of-service • Proxy • FTP • Security software disablers
These groupings are defined by what the software is attempting to do. Trojans have gotten more sophisticated over their history, like other viruses. Trojan software is a frequent choice for organized crime and even nation-states. Trojan software can be used to obtain financial and credit card information valuable to criminal organizations. They can be used to search for and get trade secrets and insider information that can be used to gain a competitive advantage. Nation-states can use trojan programs to spy on adversaries or even use them as weapons. Data can be destroyed, causing financial harm (Balaban, 2021). The list below identifies the types of harm that trojan software can cause.
• Destroy data • Obtain credit card data • Obtain passwords • Obtain insider information • Data storage • Advanced Persistent Threat
Trojan Ports and Communication Methods
Trojan software might need to communicate information back to the party that distributes it. This can be used to exfiltrate data such as passwords or credit card information, for example. Trojans can choose a communication method that suits their purpose, but they are described as overt or covert. Overt channels can be observed using the network in an unintended way but may look like other innocuous communication such
CYB 4302, Cyber Warfare and Application 6
UNIT x STUDY GUIDE Title
as web browsing. Covert channels use the network in a manner that was not intended to avoid detection of the communication occurring with the trojan software. Coding information in ICMP packets is one example of a covert communication method (PostXplo, 2016b).
• Trojans can communicate using o Overt communications o Covert communications
Trojan software can also implement system backdoors to allow the attacker to access the system remotely that they would not have access to. This allows the attacker to issue remote commands on the compromised computer or initiate other types of attacks (Firewalls.com, 2020).
• Backdoors o A program allows a connection that bypasses the standard authentication process. o Some programs connect back to the hacker’s machine.
Trojan Infection Mechanisms
Trojan software can be passed through many different infection mechanisms. Common communication channels include email, instant messaging, free software downloads, and internet advertising, to name a few (Johansen & Norton, 2020). The list below provides a reference list of methods that are often used.
• Peer-to-peer networks • Instant messaging • Internet relay chat • Email attachments • Physical access • Browser bugs • Freeware
Trojan Tools
Trojan software has evolved from the 1990s through to today. Many of the most popular variants have unique names that are based on their purpose. Remote access trojans (RATs) are one example. Early versions of RATs were intended to be more amusing than destructive. Thus, early RATs included performances such as Nok Nok, NetBus, and SubSeven. Of course, it took hardly any time for these tools to be turned to more malicious purposes (Fiscutean, 2020). Back Orifice was the first RAT trojan to make use of a client-server model. Back Orifice was developed by the hacker group Cult of the Dead Cow and released as a toolkit for other developers to use (PCMag, 2020). Newer RAT software continued to add features and capabilities. Poison Ivy is another notorious variant that found itself used for cyberespionage and other nation-state purposes (Higgins, 2013). The list below identifies many of the most well-known RAT trojan variants that have been encountered.
• Tini: o Small backdoor coded in assembly language o Used on Windows systems o Listens to TCP port 7777 and opens a remote command prompt
• Qaz: o Copies itself to the computer by renaming Notepad.exe to Note.exe and naming itself
Notepad.exe o Listens for a connection at port 7597
• NetBus: o Older Trojan o When executed copies itself to the Windows directory and creates a file KeyHook.dll o Uses TCP and opens ports 12345 and 12346 o Can use redirection to send traffic to another machine
• SubSeven: o Can mutate and change its signature to avoid detection
CYB 4302, Cyber Warfare and Application 7
UNIT x STUDY GUIDE Title
o Usually distributed as an email attachment o Enables attacker to monitor victim’s keystrokes, watch through a webcam, and listens through the
microphone • Poison ivy
o Gives the hackers access to the local file system. o Hackers can browse, create, and delete directories and edit the Registry.
• GhostRat o Enables a hacker to turn on the webcam and record audio and use the microphone to spy on
people • Let me rule • Jumper • Phatbot • Amitis • Zombam.B • Beast • MoSucker
Distributing Trojans
Computer users do not choose to install harmful software on their systems. They are tricked into installing malicious software because it is hidden as part of other beneficial software that the computer user does want. Trojan software creators use special software tools to embed the malicious code with other legitimate software. These software bundling tools are called wrappers, which combine two or more executable files into a single executable. Software like screensavers has often been used as attractive software to bundle malicious code with. The various wrapper programs are identified as specific titles and have their marketing. A list of common wrappers is provided below.
• EliteWrap • Saran Wrap • Advanced File Joiner • Teflon Oil Patch • Restorator • Pretty Good Malware Protection (PGMP) (PostXplo, 2016b).
Trojan Toolkits
Today’s world is about automation, and trojan viruses are no different. Production of a functioning and dangerous trojan horse virus has never been easier. Like other types of viruses, trojan software can be constructed using toolkit software that allows the creator to select the features they want to have. The toolkit produces an executable file ready to be wrapped with other legitimate software and sent out into the world (Takahashi, 2009). There have been many trojan horse creation tools developed. This has led to an increase in the number of trojan software variants that are encountered today. The list below is a partial list of trojan creation tools that have been made available.
• Trojan horse construction kit: o Command-line utility that can be used to create a trojan with multiple features
• Senna Spy: o Requires Visual Basic o Enables many custom options such as file transfer, keyboard control, and executing DOS
commands • Stealth tool:
o Not a real Trojan toolkit but a stealth tool designed to make Trojans harder to detect (Multifilescv, 2020)
CYB 4302, Cyber Warfare and Application 8
UNIT x STUDY GUIDE Title
Once the malicious trojan software is created, it needs to be packaged to be successfully delivered and executed on a target computer. The steps to releasing a trojan program are summarized below.
• Creation of a trojan • Modification of a Trojan to avoid detection • Bind a trojan with a legitimate file • Transmit a trojan to a victim
Spyware
Spyware is another descriptive term for an unwanted software application that becomes resident on a computer system without the owner’s consent. Spyware can be considered distinct from other malicious software because it does not cause harm or disruption. Instead, it is trying to collect information. The information collected can have uses that range from annoying to criminal. Spyware is distributed in the ways that other viruses, worms, and trojan programs are. In addition, spyware can take advantage of security vulnerabilities or be bundled with legitimate applications or sent as an email attachment, among other methods (Malwarebytes, 2021). Once embedded on a target computer, it starts information collection. Spyware comes in various flavors depending on the type of information being collected. Spyware types include:
• Password stealers – Collects passwords used for accessing the system or for accessing web applications.
• Banking trojans – Attempt to obtain credentials used to access financial institutions. They may also try and create or modify transactions.
• Infostealers – Search for information like passwords, websites visited, or other valuable files. • Keyloggers – Spyware may be used to collect information entered on a keyboard.
Spyware runs in the background and attempts to be innocuous and difficult to notice or detect. Spyware has, in a broad sense, two potential purposes. (Kaspersky, 2021b).
• Surveillance • Advertising
There is a constant battle between the threats that exist and the defenses created to combat them. There are specific anti-spyware applications designed to detect and remove unwanted spyware from a system to prevent spyware. Many antivirus products also manage anti-spyware tasks. Some programs advertise themselves as being anti-spyware solutions but are, in fact, spyware themselves. (Smy Services, 2019). Below are some examples of legitimate anti-spyware solutions.
• Adaware • Microsoft Antispyware Beta • HijackThis • Pest Patrol • Spy Sweeper • Spybot Search and Destroy • Spyware Blaster • MacAfee Antispyware
Ransomware
Ransomware is yet another variant of malicious software. Ransomware is associated with encrypting or preventing access to a computer system until the attacker is paid some a ransom using bitcoins or other hard- to-rack financial tokens such as gift cards. Ransomware has risen to be a significant threat in the last few years. (CIS Security, 2019). Like other viruses and trojans, ransomware targets computers through spam email, phishing, or malicious websites. Most attacks use encryption to lock files from use, and the system user obtains the decryption key
CYB 4302, Cyber Warfare and Application 9
UNIT x STUDY GUIDE Title
by paying the ransom. However, there are cases where no decryption key is provided even after the ransom is paid. In addition, not all ransomware encrypts information; some merely say it has and make a payment demand. This is called scareware. Ransomware attacks are significant criminal enterprises that organized criminal groups frequently execute. In addition, there is now ransomware available as a service—groups that will allow criminal organizations access to their ransomware platform for a fee (Fruhlinger, 2020). There are several examples of ransomware in the list below:
• CryptoLocker • WannaCry • NotPetya • SimpleLocker • GandCrab • Thanos
The Emergence of APT’s
Advanced Persistent Threats (APTs) are sophisticated attacks that require substantial expertise and resources to accomplish. Originally APT’s were the sole domain of nation-states as they were the only enterprises with the resources and requirements to mount such an attack. The targets of APTs were other nation-states or multi-national corporations. Unlike a traditional malware attack that causes damage or steals information and moves on, APTs want to establish a long-term presence in the target. (Grimes, 2019). Frequently APTs were used as tools for espionage or to achieve some national security objective. Small and mid-size organizations have become more at risk as APT threats have targeted supply chains that can be used to achieve the objectives (Kaspersky, 2021b). Some examples of APT activity include: Stuxnet: A worm developed by the US and Israel to disrupt the Iranian nuclear program by targeting centrifuges used in uranium enrichment (Fruhlinger, 2017). SolarWinds hack: Hackers from the Russian Foreign Intelligence Service entered Texas-based SolarWinds’ software management system and added malicious code to their system monitoring software. Many large companies and government agencies use the SolarWinds software. The malicious software provided a method to perform long-term cyberespionage and demonstrated how supply chain targeting could be used for malicious purposes (Business Insider, 2021).
Analyzing Malware Analyzing malware provides an understanding of the purpose and methods that a specific example of malicious software has. This analysis assists in developing effective detection and removal processes. There are two basic methods for analyzing malicious software. The first is to perform a static analysis of the software while running using reverse engineering techniques such as disassemblers. Next, the software can be searched for suspicious strings like IP addresses or libraries that might indicate the purpose or origin of the software. The second analysis approach uses dynamic analysis and observes the software in operation to detect network communications and file access behavior as examples. Dynamic analysis is performed in a safe, isolated environment referred to as a sandbox (CrowdStrike, 2021).
• Static Analysis – Performs a technical analysis for the software executable to determine as much as possible about how it is constructed and operates. This method can miss functions that are obscured in the software.
CYB 4302, Cyber Warfare and Application 10
UNIT x STUDY GUIDE Title
• Dynamic Analysis – Performs analysis by carefully observing the software while it runs in a sandbox environment. This allows detection of network communication and system modifications that might be missed with static analysis.
Malware Countermeasures
With the prevalence of different types of malicious software in circulation, organizations can take countermeasures to mitigate their present risks. Some of the best protections are good basic operations practices like having a reliable backup and recovery solution that can be used to recover servers and other systems. Another basic operations practice is keeping software up to date with the current patches and security fixes. These steps will help minimize vulnerabilities and enable recovery if systems become infected. Beyond good basic operations and system hygiene, several recommendations can reduce the risk of malicious software. (UCI Information Security, 2021).
• Monitor systems to ensure they are running antivirus software, personal firewalls, and other required security software.
• Employ a quality antivirus solution and use automated signature updates to keep them up to date. • Configure anti-malware software to perform regular full system scans. • Scan removable media using antivirus software on insertion. • Employ email antivirus scanning and anti-spam solutions as part of the overall email environment.
Use alternate or multiple antivirus products to perform email scanning. • Malware detection events should be logged, and a security notification should be raised. • Disable autorun for removable media. • Consider a network quarantine approach to ensure devices are granted network access only if
properly patched and antivirus software is up to date.
Detecting Malware Malware detection can be accomplished using different approaches. The first is signature based detection. A hash value is calculated based on an executable or even a portion known to contain malicious code. This hash value is the signature for that specific virus or trojan. As they are scanned, files generate hashes compared to the signatures created from known virus infections. If there is a match, then the file is flagged as malicious and disabled or quarantined. The second method of detection is heuristic analysis, which is defining a set of rules. The rules can be things like opens network ports, accesses a camera, or attaches to a keyboard driver. If malicious software attempts these behaviors, then it is disabled, flagged, and isolated (Comodo, 2019). These methods are summarized below.
• Signature-Based Detection – Uses pre-calculated values based on known malicious software to compare against files or executables encountered on the protected computer.
• Heuristic Analysis – Defines rules for behaviors that would be used by malicious programs to determine if they are behaving acceptably.
Antivirus
Antivirus software is software that is intended to protect a system from malicious software. This type of software is considered an essential utility for today’s computer system. Antivirus software detects malicious software using a variety of signatures, behavior, and other checks. It removes detected malware from a computer system, in some cases placing it in a quarantine location for further review. Modern antivirus software can also provide online protections such as flagging websites known to distribute malware (Rubino, 2019). It is important to use certified antivirus solutions. Unfortunately, there is software advertised as antivirus protection that is malware. A few respected antivirus products are listed below (Wagenseil, 2021).
CYB 4302, Cyber Warfare and Application 11
UNIT x STUDY GUIDE Title
• Norton Antivirus • McAfee VirusScan • Trend Micro PC-cillin • Sophos Antivirus • AVG Antivirus
Summary
This lesson provided an overview of the different types of malicious software, including viruses, worms, trojans, spyware, and ransomware. In addition, information on the methods these types of software used to attack a system and tools and counter-methods that protect systems has been provided.
References
Arntz, P. (2021, March 18). Meet the master boot record. Malwarebytes Labs.
https://blog.malwarebytes.com/101/2014/09/meet-the-master-boot-record/ Balaban, D. (2021, January 14). 17 types of trojans and how to defend against them. CSO Online.
https://www.csoonline.com/article/3602790/17-types-of-trojans-and-how-to-defend-against-them.html Business Insider. (2021, April 15). The US is readying sanctions against Russia over the SolarWinds
cyberattack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal. https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber- security-2020-12?international=true&r=US&IR=T
Chapple, M., Bedell, C., & Wright, R. (2021, March 3). Virus (computer virus). SearchSecurity.
https://searchsecurity.techtarget.com/definition/virus CIS Security. (2019, September 27). Ransomware: Facts, threats, and countermeasures.
https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/ Comodo. (2019, January 15). What is malware detection. https://enterprise.comodo.com/what-is-malware-
detection.php Computer Knowledge. (2013a, February 27). Chapter 8 MacMag.
https://www.cknow.com/cms/vtutor/chapter-8-macmag.html Computer Knowledge. (2013b, April 16). Sparse infectors. https://www.cknow.com/cms/vtutor/sparse-
infectors.html Conocimiento, V. A. (2019, August 28). The History of computer viruses. OpenMind.
https://www.bbvaopenmind.com/en/technology/digital-world/the-history-of-computer-viruses/ CrowdStrike. (2021, April 13). Malware analysis explained. https://www.crowdstrike.com/cybersecurity-
101/malware/malware-analysis/ Daoud, A. D., Jebril, I. H., & Zaqaibeh, B. (2008). Computer virus strategies and detection methods. Int. J.
Open Problems Compt. Math., 1(2)., 2. http://www.kurims.kyoto- u.ac.jp/EMIS/journals/IJOPCM/files/IJOPCM(vol.1.2.3.S.8).pdf
Firewalls.com. (2020). What is a backdoor trojan. https://www.firewalls.com/blog/security-terms/backdoor-
trojan/ Fiscutean, A. (2020, November 9). From pranks to APTs: How remote access trojans became a major
security threat. CSO Online. https://www.csoonline.com/article/3588156/from-pranks-to-apts-how- remote-access-trojans-became-a-major-security-threat.html
CYB 4302, Cyber Warfare and Application 12
UNIT x STUDY GUIDE Title
Fortinet. (2021). What Is a trojan horse? Trojan virus and malware explained. https://www.fortinet.com/resources/cyberglossary/trojan-horse-virus
Fruhlinger, J. (2017, August 22). What is Stuxnet, who created it and how does it work? CSO Online.
https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it- work.html
Fruhlinger, J. (2020, June 19). Ransomware explained: How it works and how to remove it. CSO Online.
https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove- it.html
F-Secure. (2021a). Linux/Bliss description. https://www.f-secure.com/v-descs/bliss.shtml F-Secure. (2021b). Linux/Staog description. https://www.f-secure.com/v-descs/staog.shtml F-Secure. (2021c). Virdem Description. https://www.f-secure.com/v-descs/virdem.shtml Grimes, R. A. (2019, February 7). 5 signs you’ve been hit with an APT. CSO Online.
https://www.csoonline.com/article/2615666/5-signs-youve-been-hit-with-an-apt.html Higgins, K. J. (2013, August 21). Poison Ivy Trojan just won’t die. Dark Reading.
https://www.darkreading.com/attacks-breaches/poison-ivy-trojan-just-wont-die/d/d-id/1140340 Inform IT. (2021). Virus construction kits. Informit.
https://www.informit.com/articles/article.aspx?p=366890&seqNum=7 Jamaluddin, A. (2021, May 2). 10 Deadliest computer viruses of all time. Hongkiat.
https://www.hongkiat.com/blog/famous-malicious-computer-viruses/ Johansen, A. G. & Norton. (2020). What is a trojan? Is it a virus or is it malware? Norton.
https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html Kapersky. (2021a). Virus.dos.lehigh. https://threats.kaspersky.com/en/threat/Virus.DOS.Lehigh/ Latto, N. (2020). Worm vs. virus: What’s the difference and does it matter? Avast. https://www.avast.com/c-
worm-vs-virus Logix Consulting. (2021, January 28). Resident vs Non-Resident computer viruses: What’s the difference?
https://www.logixconsulting.com/2020/05/25/resident-vs-non-resident-computer-viruses-whats-the- difference/
Logix Consulting. (2019, September 17). The Rise of multipartite viruses: What you should know.
https://www.logixconsulting.com/2019/09/12/the-rise-of-multipartite-viruses-what-you-should-know/ Malwarebytes. (2021). Spyware. What is it and how to remove it? https://www.malwarebytes.com/spyware Mathews, L. (2018, December 18). Cybercriminals are controlling malware through twitter memes. Forbes.
https://www.forbes.com/sites/leemathews/2018/12/18/cybercriminals-hide-malware-commands- twitter-memes/?sh=39b5afaf7abe
Multifilescv. (2020). How to use trojan horse construction kit. https://multifilescv311.weebly.com/how-to-use-
trojan-horse-construction-kit.html Norton. (2020). What is a Trojan? Is it a virus or is it malware? https://us.norton.com/internetsecurity-
malware-what-is-a-trojan.html PCMag. (2020). Definition of back orifice. https://www.pcmag.com/encyclopedia/term/back-orifice
CYB 4302, Cyber Warfare and Application 13
UNIT x STUDY GUIDE Title
PostXplo. (2016a, June 26). Overt & covert channels. https://www.postexplo.com/forum/security-in- general/terms/445-overt-covert-channels
PostXplo. (2016b, June 26). Trojans - wrappers. https://www.postexplo.com/forum/security-in-
general/terms/442-trojans-wrappers#post442 Rubino, C. A. (2019, February 5). Should I delete objects in malwarebytes’ quarantine? It Still Works.
https://itstillworks.com/should-delete-objects-malwarebytes-quarantine-3476.html Smy Services. (2019, November 14). The importance of anti-spyware for your computer.
https://smyservices.com/news/anti-spyware-for-your-computer/ Takahashi, D. (2009, June 12). How I created my very own trojan malware today. VentureBeat.
https://venturebeat.com/2009/06/11/how-i-created-my-very-own-trojan-malware-today/ UCI Information Security. (2021). Malware Defenses. https://security.uci.edu/security-plan/plan-control5.html University of Oxford. (2014). Did the trojan horse exist? Classicist tests Greek “myths.”
https://www.ox.ac.uk/news/arts-blog/did-trojan-horse-exist-classicist-tests-greek-myths Wagenseil, P. (2021, June 2). The best antivirus software 2021: Free antivirus and paid options tested.
Tom’s Guide. https://www.tomsguide.com/us/best-antivirus,review-2588.html Suggested Unit Resources In order to access the following resources, click the links below. Harvesting Credentials Using the SET Tool Kit The Social-Engineering Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the launch of http://www.social-engineer.org and has quickly become a standard tool in the pen testers’ arsenal. The attacks built into the toolkit are intended to target and focus attacks against a person or organization used during a penetration test. CSU-IDT. (2021, August 2). Harvesting credentials using the SET tool kit [Video]. Cielo24.
https://c24.page/ys43mkgm8hh5krbj9zfaj3gayf A transcript and closed-captioning are available once you access the video. Find Social Media Accounts Using Sherlock in CSI Linux In this video, you learn how to find social media accounts using a person’s username. With Sherlock, we can instantly hunt down social media accounts created with a unique screen name on many online platforms simultaneously. CSU-IDT. (2021, August 2). Find social media accounts using Sherlock in CSI Linux [Video]. Cielo24.
https://c24.page/y3gzvtft7v9n3xwtnpypcts8f7 A transcript and closed-captioning are available once you access the video.
- Course Learning Outcomes for Unit V
- Required Unit Resources
- Unit Lesson
- Malware Threats and Analysis
- Viruses and Worms
- Types and Transmission Methods of Viruses and Malware
- Virus Payloads
- History of Viruses
- Well-Known Viruses and Worms
- Virus Creation Tools
- Overview of Trojans
- Trojan Types
- Trojan Ports and Communication Methods
- Trojan Infection Mechanisms
- Trojan Tools
- Distributing Trojans
- Trojan Toolkits
- Spyware
- Ransomware
- The Emergence of APT’s
- Analyzing Malware
- Malware Countermeasures
- Detecting Malware
- Antivirus
- Summary
- References
- Suggested Unit Resources