In this chapter, you will
• Examine the types of malware
• Understand the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, and rootkits
• Learn how artifacts called indicators of compromise can tell you if a system has been attacked
There are various forms of malicious software, software that is designed to compromise an end system, leaving it vulnerable to attack. In this chapter we examine the various types of malware (malicious software) and indicators of compromise that demonstrate a system has been attacked.
Certification Objective This chapter covers CompTIA Security+ exam objective 1.1, Given a scenario, analyze indicators of compromise and determine the type of malware. This is a performance-based testable objective, which means you should expect a question in which you must apply the knowledge to a scenario. The best answer will depend upon details in the scenario, not just the question stem. The question may also involve tasks other than picking the best answer from a list, such as ordering items on a diagram, rank-ordering answers, or matching two columns of items.
Malware refers to software that has been designed for some nefarious purpose. Such software can be designed to cause damage to a system, such as by deleting all files, or it can be designed to create a backdoor in the system to grant access to unauthorized individuals. Generally the installation of malware is done so that it is not obvious to the authorized users. Several different types of malicious software can be used, such as viruses, Trojan horses, logic bombs, spyware, and worms, and they differ in the ways they are installed and their purposes.
The detection of malware by anti-malware programs is primarily done through the use of a signature. Files are scanned for sections of code in the executable that act as markers, unique patterns of code that enable detection. Just as the human body creates antigens that match marker proteins, anti-malware programs detect malware through unique markers present in the code of the malware.
Malware writers are aware of this functionality and have adapted methods to defeat it. One of the primary means of avoiding detection by sensors is the use of polymorphic code, which is code that changes on a regular basis. These changes or mutations are designed not to affect the functionality of the code, but rather to mask any signature from detection. Polymorphic malware is malware that can change its code after each use, making each replicant different from a detection point of view.
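The following scanner is an added example, not code from the book, showing why a rigid byte signature fails against a polymorphic variant and how a wildcard pattern (the `??` notation that tools such as YARA accept in hex strings) anchors on the bytes that must stay constant. All three "files" are constructed byte strings built for the demonstration, and the rule names are made up.

```python
"""Toy signature scanner with YARA-style hex patterns (added example, not from the book).

A fixed byte signature is brittle: a polymorphic variant that alters even one
byte inside the signed region no longer matches.  A wildcard pattern ("??" for
any byte) keeps the invariant opcodes and tolerates the mutated operand bytes.
Every sample below is a constructed byte string, not real malware.
"""
from typing import Dict, List, Optional

Pattern = List[Optional[int]]   # None stands for a wildcard byte


def compile_hex_pattern(pattern: str) -> Pattern:
    """Turn "6A 00 ?? E8" into [0x6a, 0x00, None, 0xe8]."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_pattern(blob: bytes, pat: Pattern) -> int:
    """Return the offset of the first match of pat in blob, or -1."""
    for i in range(len(blob) - len(pat) + 1):
        if all(p is None or blob[i + j] == p for j, p in enumerate(pat)):
            return i
    return -1


def scan(blob: bytes, rules: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose pattern occurs in blob."""
    return [name for name, hex_pat in rules.items()
            if find_pattern(blob, compile_hex_pattern(hex_pat)) >= 0]


# Hypothetical rules: the rigid one pins the four operand bytes after 0x68,
# the wildcard one lets them vary but keeps the surrounding opcodes.
RULES = {
    "rigid_sig": "6A 00 68 11 22 33 44 E8",
    "wildcard_sig": "6A 00 68 ?? ?? ?? ?? E8",
}

# Constructed samples: same opcode skeleton, the variant differs only in the
# four operand bytes (the part a polymorphic engine would re-randomize).
ORIGINAL_SAMPLE = b"MZ" + bytes.fromhex("6a0068" "11223344" "e810000000") + b"\xc3"
VARIANT_SAMPLE = b"MZ" + bytes.fromhex("6a0068" "aabbccdd" "e810000000") + b"\xc3"
BENIGN_SAMPLE = b"MZ" + b"hello, benign program" + b"\xc3"


if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL_SAMPLE),
                        ("variant", VARIANT_SAMPLE),
                        ("benign", BENIGN_SAMPLE)]:
        print(f"{label:9s} -> {scan(blob, RULES)}")
```

The rigid rule matches only the original sample, while the wildcard rule catches both the original and the mutated variant and still ignores the benign file; this is the trade-off a signature author makes between precision and resilience to mutation.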
The best-known type of malicious code is the virus. Much has been written about viruses because several high-profile security events have involved them. A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code. When the other executable code is run, the virus also executes and has the opportunity to infect other files and perform any other nefarious actions it was designed to do. The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus. The first viruses created were of two types—boot sector viruses and program viruses.
When a new form of malware/virus is discovered, antivirus companies and security researchers will decompile the program in an attempt to reverse engineer its functionality. Much can be determined from reverse engineering, such as where the malware came from, how it works, how it communicates, how it spreads, and so forth. Armoring the malware can make the process of determining this information much more difficult, if not impossible. Some malware, such as the Zeus Trojan, employs encryption to prevent other criminals from stealing the intellectual property of the very malware they use.
Crypto-malware is an early name given to malware that encrypts files on a system and then leaves them unusable either permanently, acting as a denial of service, or temporarily until a ransom is paid, making it ransomware, which is discussed in the next section. Crypto-malware is typically completely automated, and when targeted as a means of denial of service, the only repair mechanism is to rebuild the system. This can be time consuming and/or impractical in some cases, making this attack mechanism equivalent to physical destruction of assets.
In May of 2017, a crypto-worm form of malware, WannaCry, was released, resulting in a ransomware attack that swept across many government computers in Europe, including medical devices in England’s National Health Service (NHS). This ransomware created havoc by exploiting a vulnerability in Microsoft Windows systems that was exposed by the group known as Shadow Brokers.
Ransomware is a form of malware that performs some action and extracts ransom from a user. A current ransomware threat, first appearing in 2013, is CryptoLocker. CryptoLocker is a Trojan horse that will encrypt certain files using RSA public key encryption. When the user attempts to get the files, they are provided with a message instructing them how to purchase the decryption key. Because the system is using 2048-bit RSA encryption, brute force decryption is out of the realm of recovery options. RSA encryption is covered in more detail in Chapter 27. The system is highly automated and users have a short time window to get the private key. Failure to get the key will result in the loss of the data.
EXAM TIP Crypto-malware and ransomware are both new to the Security+ objectives. Adding these attack vectors, and how to differentiate them from other attacks, to your knowledge base will be useful for the exam.
It was once easy to distinguish between a worm and a virus. Recently, with the introduction of new breeds of sophisticated malicious code, the distinction has blurred. Worms are pieces of code that attempt to penetrate networks and computer systems. Once a penetration occurs, the worm will create a new copy of itself on the penetrated system. Reproduction of a worm thus does not rely on attaching itself to another piece of code or to a file, which is the defining characteristic of a virus.
Viruses were generally thought of as a system-based problem, and worms were network-based. If the malicious code is sent throughout a network, it may subsequently be called a worm. The important distinction, however, is whether the code has to attach itself to something else (a virus) or if it can “survive” on its own (a worm).
Some examples of worms that have had high profiles include the Sobig worm of 2003, the SQL Slammer worm of 2003, the 2001 attacks of Code Red and Nimda, and the 2005 Zotob worm that took down CNN Live. Nimda was particularly impressive in that it used five different methods to spread: via e-mail, via open network shares, from browsing infected websites, using the directory traversal vulnerability of Microsoft IIS 4.0/5.0, and most impressively through the use of backdoors left by the Code Red II and sadmind worms.
EXAM TIP Worms act like a virus but also have the ability to travel without human action.
A Trojan horse, or simply Trojan, is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality. The analogy to the famous story of antiquity is very accurate. In the original case, the object appeared to be a large wooden horse, and in fact it was. At the same time, it hid something much more sinister and dangerous to the occupants of the city of Troy. As long as the horse was left outside the city walls, it could cause no damage to the inhabitants. It had to be taken in by the inhabitants, and it was inside that the hidden purpose was activated. A computer Trojan works in much the same way. Unlike a virus, which reproduces by attaching itself to other files or programs, a Trojan is a stand-alone program that must be copied and installed by the user—it must be “brought inside” the system by an authorized user. The challenge for the attacker is enticing the user to copy and run the program. This generally means that the program must be disguised as something that the user would want to run—a special utility or game, for example. Once it has been copied and is inside the system, the Trojan will perform its hidden purpose with the user often still unaware of its true nature.
A good example of a Trojan is Back Orifice (BO), originally created in 1999 and now offered in several versions. BO can be attached to a number of types of programs. Once it is attached, and once an infected file is run, BO will create a way for unauthorized individuals to take over the system remotely, as if they were sitting at the console. BO is designed to work with Windows-based systems. Many Trojans communicate to the outside through a port that the Trojan opens, and this is one of the ways Trojans can be detected.
EXAM TIP Ensure you understand the differences between viruses, worms, Trojans, and various other types of threats for the exam.
Rootkits are a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality. The history of rootkits goes back to the beginning of the UNIX operating system, where rootkits were sets of modified administrative tools. Originally designed to allow a program to take greater control over operating system function when it fails or becomes unresponsive, the technique has evolved and is used in a variety of ways. One high-profile case occurred at Sony BMG Corporation, when rootkit technology was used to provide copy protection technology on some of the company’s CDs. Two major issues led to this being a complete debacle for Sony: first, the software modified systems without the users’ approval; and second, the software opened a security hole on Windows-based systems, creating an exploitable vulnerability at the rootkit level. This led the Sony case to be labeled as malware, which is the most common use of rootkits.
A rootkit can do many things—in fact, it can do virtually anything that the operating system does. Rootkits modify the operating system kernel and supporting functions, changing the nature of the system’s operation. Rootkits are designed to avoid, either by subversion or evasion, the security functions of the operating system to avoid detection. Rootkits act as a form of malware that can change thread priorities to boost an application’s performance, perform keylogging, act as a sniffer, hide other files from other applications, or create backdoors in the authentication system. The use of rootkit functionality to hide other processes and files enables an attacker to use a portion of a computer without the user or other applications knowing what is happening. This hides exploit code from antivirus and anti-spyware programs, acting as a cloak of invisibility.
Rootkits can load before the operating system loads, acting as a virtualization layer, as in SubVirt and Blue Pill. Rootkits can exist in firmware, and these have been demonstrated in both video cards and expansion cards. Rootkits can exist as loadable library modules, effectively changing portions of the operating system outside the kernel. Further information on specific rootkits in the wild can be found at www.antirootkit.com.
EXAM TIP Five types of rootkits exist: firmware, virtual, kernel, library, and application level.
Once a rootkit is detected, it needs to be removed and cleaned up. Because of rootkits’ invasive nature, and the fact that many aspects of rootkits are not easily detectable, most system administrators don’t even attempt to clean up or remove a rootkit. It is far easier to use a previously captured clean system image and reimage the machine than to attempt to determine the depth and breadth of the damage and attempt to fix individual files.
As the name suggests, a keylogger is a piece of software that logs all of the keystrokes that a user enters. Keyloggers in their own respect are not necessarily evil, for you could consider Microsoft Word to be a keylogger. What makes a keylogger a malicious piece of software is when its operation is 1) unknown to the user, and 2) not under the user’s control. Keyloggers have been marketed for a variety of uses, from surveillance over your children’s activity, to that of a spouse, to maintaining records of what has been done on a machine. Malicious keyloggers have several specific characteristics: they are frequently hidden from the user’s view, even when you look at Task Manager, and they are used against the end user’s interests. Hackers use keyloggers to obtain passwords and other sensitive pieces of information, enabling them to use these secrets to act as the user without the user’s consent. Keylogger functionality has even been found in legitimate programs, where keystrokes are recorded for “legitimate” purposes and then are stored in a fashion that enables unauthorized users to steal the data.
The business of software distribution requires a form of revenue stream to support the cost of development and distribution. One form of revenue stream is advertising. Software that is supported by advertising is called adware. Adware comes in many different forms. With legitimate adware, the user is aware of the advertising and agrees to the arrangement in return for free use of the software. This type of adware often offers an alternative, ad-free version for a fee. Adware can also refer to a form of malware, which is characterized by software that presents unwanted ads. These ads are sometimes an irritant, and at other times represent an actual security threat. Frequently, these ads are in the form of pop-up browser windows, and in some cases they cascade upon any user action.
Spyware is software that “spies” on users, recording and reporting on their activities. Typically installed without user knowledge, spyware can perform a wide range of activities. It can record keystrokes (commonly called keylogging) when the user logs onto specific websites. It can monitor how a user applies a specific piece of software, such as to monitor attempts to cheat at games. Many uses of spyware seem innocuous at first, but the unauthorized monitoring of a system can be abused very easily. In other cases, the spyware is specifically designed to steal information. Many states have passed legislation banning the unapproved installation of software, but spyware can circumvent this issue through complex and confusing end-user license agreements.
A bot is a functioning piece of software that performs some task, under the control of another program. A series of bots is controlled across the network in a group, and the entire assembly is called a botnet (combining the terms bot and network). Some botnets are legal and perform desired actions in a distributed fashion. Illegal botnets work in the same fashion, with bots distributed and controlled from a central set of servers. Bots can do a wide array of things, from spam to fraud to spyware and more.
Botnets continue to advance malware threats. Some of the latest botnets are designed to mine bitcoins, using distributed processing power for gain. Some of the more famous botnets include Zeus, a botnet that performs keystroke logging and is used primarily for the purpose of stealing banking information. Zeus has been linked to the delivery of CryptoLocker ransomware. Another famous botnet is Conficker, which has infected millions of machines worldwide. The Conficker botnet is one of the most studied pieces of malware, with a joint industry–government working group convened to battle it.
A remote-access Trojan (RAT) is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system. RATs often mimic the behavior of keylogger or packet-sniffer applications, automatically collecting keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they do so with intelligence gathering as the design goal. RATs can also employ malware to infect a system with code that can be used to facilitate the exploitation of a target. Rather than just collecting the information, RATs present it to an attacker in a form that facilitates gaining unauthorized access to the target machine. This frequently involves the use of specially configured communication protocols that are set up upon initial infection of the target computer. This backdoor into the target machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, access connected systems, and more. RATs are commonly employed by the more skilled threat actors, although there are RATs that are easy enough for even beginners to employ.
A RAT should be considered as another form of malware, but rather than just being a program, it has an operator behind it, guiding it to do even more persistent damage. RATs can be delivered via phishing e-mails, watering holes, or any of a myriad of other malware infection vectors. RATs typically involve the creation of hidden file structures on a system and are vulnerable to detection by modern anti-malware programs. There are several major families of RATs, but an exhaustive list would be long and ever increasing. When facing a more skilled adversary, it is not uncommon to find RAT packages that have been modified for specific use, such as the program used in the Ukraine electric grid attack in 2015.
Logic bombs, unlike viruses and Trojans, are a type of malicious software that is deliberately installed, generally by an authorized user. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload. An example of a logic bomb might be a program that is set to load and run automatically, and that periodically checks an organization’s payroll or personnel database for a specific employee. If the employee is not found, the malicious payload executes, deleting vital corporate files.
If the event is a specific date or time, the program will often be referred to as a time bomb. In one famous example of a time bomb, a disgruntled employee left a time bomb in place just prior to being fired from his job. Two weeks later, thousands of client records were deleted. Police were eventually able to track the malicious code to the disgruntled ex-employee, who was prosecuted for his actions. He had hoped that the two weeks that had passed since his dismissal would have caused investigators to assume he could not have been the individual who had caused the deletion of the records.
Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, have been installed by administrators who are also often responsible for security. This demonstrates the need for a separation of duties and a periodic review of all programs and services that are running on a system. It also illustrates the need to maintain an active backup program so that if your organization loses critical files to this sort of malicious code, it loses only transactions that occurred since the most recent backup, resulting in no permanent loss of data.
Backdoors were originally (and sometimes still are) nothing more than methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods. An example would be a hard-coded password that could be used to gain access to the program in the event that administrators forgot their own system password. The obvious problem with this sort of backdoor (also sometimes referred to as a trapdoor) is that, since it is hard-coded, it cannot be removed. Should an attacker learn of the backdoor, all systems running that software would be vulnerable to attack.
The term backdoor is also, and more commonly, used to refer to programs that attackers install after gaining unauthorized access to a system to ensure that they can continue to have unrestricted access to the system, even if their initial access method is discovered and blocked. Backdoors can also be installed by authorized individuals inadvertently, should they run software that contains a Trojan horse (introduced earlier). Common backdoors include NetBus and Back Orifice. Both of these, if running on your system, can allow an attacker remote access to your system—access that allows them to perform any function on your system. A variation on the backdoor is the rootkit, discussed in a previous section, which is established not to gain root access but rather to ensure continued root access.
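Both the Trojan and the backdoor discussions above note that these programs usually open a listening port, which is one of the ways they can be found. The script below is an added example (not the book's code) that compares a host's TCP listeners against an approved baseline. The input lines are constructed to look like `ss -ltnp` output from a Linux host; the baseline, process names and PIDs are hypothetical.

```python
"""Audit listening TCP ports against a known-good baseline (added example, not from the book).

Parses text shaped like `ss -ltnp` output (the sample is constructed, not
captured from a real host) and reports two kinds of findings:
  * a listener on a port that is not in the baseline at all
  * a baseline port whose owning process is not the expected one
Either finding is a cue to investigate the process, as a Trojan or backdoor
listener would show up exactly this way.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical baseline for this host: port -> process expected to own it.
BASELINE: Dict[int, str] = {22: "sshd", 445: "smbd", 3306: "mysqld"}

# Constructed sample in the shape of `ss -ltnp` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("nc",pid=4512,fd=3))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       5       0.0.0.0:31337       0.0.0.0:*          users:(("svchosts",pid=4477,fd=4))
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

Listener = Tuple[str, int, str, int]   # (address, port, process, pid)


def parse_listeners(text: str) -> List[Listener]:
    """Extract (address, port, process, pid) from each LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            found.append((addr, int(port), proc, int(pid)))
    return found


def audit(listeners: List[Listener], baseline: Dict[int, str]) -> List[str]:
    """Return human-readable findings for listeners that deviate from the baseline."""
    findings = []
    for addr, port, proc, pid in listeners:
        if port not in baseline:
            findings.append(f"unexpected listener {addr}:{port} owned by {proc} (pid {pid})")
        elif baseline[port] != proc:
            findings.append(f"port {port} served by {proc} (pid {pid}), expected {baseline[port]}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE):
        print(finding)
```

On a real host the text would come from running `ss -ltnp` (or the equivalent `netstat` or `Get-NetTCPConnection` on Windows) and the baseline from a build-time inventory; the point is that the comparison, not the port number, is what surfaces an unknown service.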
EXAM TIP The Security+ exam objectives include the ability to compare and contrast different forms of attacks, including keyloggers, adware, spyware, bots, RATs, logic bombs, and backdoors. To prepare for the exam, you should understand the differences between these attacks.
Indicators of compromise (IOCs) are just as the name suggests: indications that a system has been compromised by unauthorized activity. When a threat actor makes changes to a system, either by direct action, malware, or other exploit, forensic artifacts are left behind in the system. IOCs act as bread crumbs for investigators, providing little clues that can help identify the presence of an attack on a system. The challenge is in looking for, collecting, and analyzing these bits of information and then determining what they mean for a given system. This is one of the primary tasks for an incident responder, gathering and processing these disparate pieces of data and creating a meaningful picture of the current state of a system.
Fortunately, there are toolsets to aid the investigator in this task. Tools such as YARA can take a set of signatures (also called IOCs) and then scan a system for them, determining whether or not a specific threshold is met indicating a particular infection. Although the specific list will vary based on the system and the specific threat that one is looking for, a common set of IOCs that firms should monitor includes the following:
• Unusual outbound network traffic
• Anomalies in privileged user account activity
• Geographical irregularities in network traffic
• Account login red flags
• Increases in database read volumes
• HTML response sizes
• Large numbers of requests for the same file
• Mismatched port-application traffic, including encrypted traffic on plain ports
• Suspicious registry or system file changes
• Unusual DNS requests
• Unexpected patching of systems
• Mobile device profile changes
• Bundles of data in the wrong place
• Web traffic with nonhuman behavior
• Signs of DDoS activity, even if temporary
No single compromise will exhibit everything on this list, but monitoring these items will tend to catch most compromises, because at some point in the compromise lifecycle, every compromise will exhibit one or more of the preceding behaviors. Then, once detected, a responder can zero in on the information and fully document the nature and scope of the problem.
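To make three of the listed indicators concrete, the script below is an added example (not from the book) that runs them over constructed connection-log lines: unusual outbound traffic in the form of periodic beaconing to one destination, a geographical irregularity (destination country outside an allowed set), and mismatched port-application traffic (a TLS handshake on a plain-text port). The log rows, the IP-to-country table and the thresholds are all made up for the demonstration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Apply a few IOC checks to constructed connection logs (added example, not from the book).

Each log row is: epoch_seconds,host,dst_ip,dst_port,first_payload_bytes_hex.
A real deployment would read firewall or flow logs and consult a GeoIP
database; here both are small constructed tables.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
1700000000,ws-17,203.0.113.9,43232,4a4b
1700000060,ws-17,203.0.113.9,43232,4a4b
1700000120,ws-17,203.0.113.9,43232,4a4b
1700000180,ws-17,203.0.113.9,43232,4a4b
1700000240,ws-17,203.0.113.9,43232,4a4b
1700000005,ws-03,198.51.100.20,80,160301
1700000007,ws-03,192.0.2.44,443,160301
1700000009,ws-03,192.0.2.44,80,474554
1700000011,ws-22,192.0.2.77,443,160301
"""

# Constructed GeoIP table; "ZZ" is a fictitious country code.
GEO: Dict[str, str] = {"203.0.113.9": "ZZ", "198.51.100.20": "US",
                       "192.0.2.44": "US", "192.0.2.77": "DE"}
ALLOWED_COUNTRIES = {"US", "DE"}
PLAINTEXT_PORTS = {21, 25, 80, 110}
TLS_HANDSHAKE_PREFIX = "1603"   # record type 0x16 (handshake), major version 3

Row = Tuple[int, str, str, int, str]


def parse_log(text: str) -> List[Row]:
    rows = []
    for line in text.strip().splitlines():
        ts, host, ip, port, prefix = line.split(",")
        rows.append((int(ts), host, ip, int(port), prefix))
    return rows


def find_beacons(rows: List[Row], min_events: int = 4, max_jitter: float = 5.0):
    """Flag (host, dst_ip, dst_port) flows contacted at near-constant intervals."""
    by_flow = defaultdict(list)
    for ts, host, ip, port, _ in rows:
        by_flow[(host, ip, port)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter:     # regular cadence = beacon
            hits.append((flow, statistics.mean(gaps)))
    return hits


def find_geo_anomalies(rows: List[Row]):
    """Destinations whose country is not in the allowed set (or is unknown)."""
    return sorted({(host, ip, GEO.get(ip, "??")) for _, host, ip, _, _ in rows
                   if GEO.get(ip, "??") not in ALLOWED_COUNTRIES})


def find_port_mismatches(rows: List[Row]):
    """TLS handshakes sent to ports where plain-text protocols are expected."""
    return [(host, ip, port) for _, host, ip, port, prefix in rows
            if port in PLAINTEXT_PORTS and prefix.startswith(TLS_HANDSHAKE_PREFIX)]


def run_all(text: str) -> Dict[str, list]:
    rows = parse_log(text)
    return {"beacons": find_beacons(rows),
            "geo": find_geo_anomalies(rows),
            "port_mismatch": find_port_mismatches(rows)}


if __name__ == "__main__":
    for name, findings in run_all(SAMPLE_LOG).items():
        print(f"{name:14s} {findings}")
```

Note that the beacon check is deliberately indifferent to what the traffic contains: a 60-second cadence to one external address on an unusual port is worth a look on its own, which is exactly the kind of clue the chapter's botnet question relies on.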
As with many other sophisticated systems, IOCs have developed their own internal languages, protocols, and tools. Two major, independent systems for communicating IOC information exist:
• OpenIOC Originally developed by Mandiant (acquired by FireEye) to facilitate the exchange of IOC data. Mandiant subsequently made OpenIOC open source.
• STIX/TAXII/CybOX MITRE designed Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX) specifically to facilitate automated information sharing between organizations.
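As an added illustration of the STIX side of that list (not code from the book, MITRE or any STIX library), the script below builds a minimal STIX 2.1 Indicator object and evaluates a deliberately small subset of its pattern language, single equality comparisons joined by OR, against a constructed set of observed objects. The hash, domain and timestamps are sample values; a production consumer would use a full STIX pattern parser.

```python
"""Build and evaluate a STIX 2.1 Indicator (added example, not from the book).

A STIX Indicator carries its detection logic in the `pattern` field using
bracket notation such as [file:hashes.'SHA-256' = '...'].  Only single
equality comparisons joined by OR are handled here; that is a simplification
of the real pattern grammar, adopted to keep the example short.
"""
import json
import re
import uuid
from typing import Dict, List, Tuple

SAMPLE_HASH = "a1" * 32          # constructed 64-hex-digit value, not a real file hash
SAMPLE_DOMAIN = "beacon.example"  # constructed name in the reserved .example TLD


def make_indicator(name: str, pattern: str) -> Dict:
    """Return a minimal STIX 2.1 Indicator SDO as a dict."""
    stamp = "2024-01-01T00:00:00.000Z"
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
    }


# One comparison: [ object-type : property.path = 'value' ]
COMPARISON = re.compile(r"\[\s*([\w\-]+):([\w.'\-]+)\s*=\s*'([^']*)'\s*\]")


def parse_pattern(pattern: str) -> List[Tuple[str, str, str]]:
    """Extract (object_type, property_path, value) from OR-joined comparisons."""
    triples = COMPARISON.findall(pattern)
    if not triples:
        raise ValueError(f"unsupported pattern: {pattern}")
    # Quoted path segments such as 'SHA-256' become plain dict keys.
    return [(t, p.replace("'", ""), v) for t, p, v in triples]


def lookup(obs: Dict, path: str):
    """Walk a dotted property path through nested dicts; None if absent."""
    cur = obs
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def match(indicator: Dict, observations: List[Dict]) -> List[Dict]:
    """Return the observations that satisfy any comparison in the pattern."""
    triples = parse_pattern(indicator["pattern"])
    hits = []
    for obs in observations:
        for obj_type, path, value in triples:
            if obs.get("type") == obj_type and lookup(obs, path) == value:
                hits.append(obs)
                break
    return hits


INDICATOR = make_indicator(
    "Sample dropper and its beacon domain",
    f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}'] OR [domain-name:value = '{SAMPLE_DOMAIN}']",
)

# Constructed observations, in the shape of STIX cyber-observable objects.
OBSERVATIONS = [
    {"type": "file", "name": "update.exe", "hashes": {"SHA-256": SAMPLE_HASH}},
    {"type": "domain-name", "value": SAMPLE_DOMAIN},
    {"type": "file", "name": "notes.txt", "hashes": {"SHA-256": "ff" * 32}},
    {"type": "domain-name", "value": "www.example.com"},
]

if __name__ == "__main__":
    print(json.dumps(INDICATOR, indent=2))
    for hit in match(INDICATOR, OBSERVATIONS):
        print("HIT:", hit)
```

The same indicator object, serialized as JSON, is what a TAXII server would hand to a client; TAXII is only the transport, and the meaning stays in the STIX pattern.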
This chapter examined the types of malware commonly found in today’s environment, including viruses, polymorphic malware, ransomware, worms, Trojans, keyloggers, rootkits, and more. The chapter then looked at systems including RATs, logic bombs, and backdoors. The chapter concluded with an examination of the topic of indicators of compromise, examining this as a means of determining a past or active infection.
To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.
1. A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization’s internal file server and backup server crash at exactly the same time. Examining the servers, it appears that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware?
A. Crypto-malware
B. Trojan
C. Worm
D. Logic bomb
2. A desktop system on your network has been compromised. Despite loading different operating systems using different media on the same desktop, attackers appear to have access to that system every time it is powered up and placed on the network. This could be an example of what type of rootkit?
A. Application
B. Kernel
C. Firmware
D. Virtual
3. A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can’t tell what if anything was displayed in that command prompt window. Your colleague says “It’s been doing that for a while, but it’s no big deal.” Based on what you’ve seen, you suspect the animated screensaver is really what type of malware?
A. A worm
B. A Trojan
C. Ransomware
D. Adware
4. Several desktops in your organization are displaying a red screen with the message “Your files have been encrypted. Pay 1 bitcoin to recover them.” These desktops have most likely been affected by what type of malware?
A. Zotob worm
B. Adware
C. Ransomware
D. Rootkit
5. While port scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with netcat, you see a prompt that reads “Enter password for access:”. Your server may be infected with what type of malware?
A. Virus
B. Cryptolocker
C. Backdoor
D. Spyware
6. A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-ups every few minutes. It doesn’t seem to matter which websites are being visited—the pop-ups still appear. What type of malware does this sound like?
A. Adware
B. Virus
C. Ransomware
D. BitLocker
7. Your organization is struggling to contain a recent outbreak of malware. On some of the PCs, your antivirus solution is able to detect and clean the malware. On other PCs exhibiting the exact same symptoms, your antivirus solution reports the system is “clean.” These PCs are all running the same operating system and same antivirus software. What might be happening?
A. Your firewall rules are allowing attackers to backdoor those PCs.
B. The antivirus solution is reporting false negatives on some of the PCs.
C. The antivirus solution isn’t properly licensed on all systems.
D. Your systems are infected with polymorphic malware.
8. Malware engineers sometimes take steps to prevent reverse engineering of their code. A virus, such as Zeus, that uses encryption to resist reverse engineering attempts is what type of malware?
A. Armored virus
B. Rootkit
C. RAT
D. Cryptolocker
9. A colleague can’t open any Word document he has stored on his local system. When you force open one of the documents to analyze it, you see nothing but seemingly random characters. There’s no visible sign the file is still a Word document. Regardless of what you use to view or open the Word documents, you don’t see anything but random characters. Your colleague was most likely a victim of what type of malware?
A. Virus
B. Crypto-malware
C. RAT
D. Backdoor
10. An employee at your organization is concerned because her ex-spouse “seems to know everything she does.” She tells you her ex keeps accessing her e-mail and social media accounts even after she has changed her passwords multiple times. She is using a laptop at home that was a gift from her ex. Based on what you’ve been told, you suspect the laptop has what type of malware loaded on it?
A. Adware
B. Keylogger
C. Logic bomb
D. Ransomware
11. Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called “btmine” is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you’ve observed, you suspect these systems are infected with what type of malware?
A. Adware
B. Bot
C. Cryptolocker
D. Armored Virus
12. A piece of malware is infecting the desktops in your organization. Every hour more systems are infected. The infections are happening in different departments and in cases where the users don’t share any files, programs, or even e-mails. What type of malware can cause this type of infection?
A. Virus
B. RAT
C. BitLocker
D. Worm
13. Which of the following could be an indicator of compromise?
A. Unusual outbound network traffic
B. Increased number of logins
C. Large numbers of requests for the same file
D. All of the above
14. You notice some unusual network traffic and discover several systems in your organization are communicating with a rather dubious “market research” company on a regular basis. When you investigate further you discover that users of the affected systems all installed the same piece of freeware. What might be happening on your network?
A. These users unwittingly installed spyware.
B. These systems are all infected with ransomware.
C. This could be normal behavior and nothing to worry about.
D. These systems are infected with logic bombs.
15. Which of the following are characteristics of remote-access Trojans?
A. They can be deployed through malware such as worms.
B. They allow attackers to connect to the system remotely.
C. They give attackers the ability to modify files and change settings.
D. All of the above.
1. D. As both servers crashed at exactly the same time, this is most likely a logic bomb. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload—in this case, 30 days after the disgruntled employee was fired.
2. C. This is most likely a firmware rootkit, possibly in the video card or expansion card. In the given scenario, the rootkit has to reside outside of the operating system and applications loaded on that system.
3. B. The animated screensaver is most likely a Trojan. The software appears to do one thing, but contains hidden, additional functionality. Your colleague brought the Trojan “inside the walls” when he downloaded and installed the software on his desktop.
4. C. This is quite clearly ransomware. The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.
5. C. This prompt most likely belongs to a backdoor—an alternate way of accessing the system. The TCP service is listening for incoming connections and prompts for a password when connections are established. Providing the correct password would grant command-line access to the system.
6. A. This is classic adware behavior. Unwanted pop-ups that appear during browsing sessions regardless of the website being viewed are very typical of adware.
7. D. This is most likely an infection with polymorphic malware. Polymorphic malware is designed to change its own code on a regular basis, but retain the same functionality. The changes in code are designed to mask the malware from signature-based detection. The “clean” PCs in this example are still infected, but with a variant of the malware that no longer matches any signature in the antivirus solution.
8. A. An armored virus is a piece of malware specifically designed to resist reverse engineering attempts. Zeus uses encryption in its attempts to prevent security researchers from learning how it works, how it communicates, and so on.
9. B. If specific file types are no longer usable and seem to be nothing but strings of random characters, it’s likely your colleague was a victim of crypto-malware. Crypto-malware encrypts files on a system to make them unusable to anyone without the decryption key.
10. B. This is most likely a keylogger, a piece of software that records all keystrokes entered by the user. If the ex was able to access the logs generated by the keylogger, he would be able to see the new passwords for e-mail and social media accounts as they were being changed.
11. B. These systems are most likely infected with a bot and are now part of a botnet. The systems are running an unknown/unauthorized process and communicating with an external IP address on UDP port 43232. These are all classic signs of bots and botnet activity.
12. D. This infection pattern is typical of a worm. Worms are self-propagating and don’t require any human interaction to spread to additional systems.
13. D. Unusual network traffic, additional logins, and large numbers of requests for the same file are all potential indicators of compromise. Individually, they could be considered suspicious, but seen together and affecting the same system would definitely warrant a deeper inspection of that system.
14. A. If all the users installed the same piece of freeware, it is likely they are all infected with spyware. Spyware records and reports user behavior and can do everything from recording keystrokes to monitoring web usage. Spyware is often bundled with freeware.
15. D. All of these are characteristics of remote-access Trojans (RATs). RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.