CH 8 - Malware Flashcards
In a botnet, what are the systems that tell individual bots what to do called?
A. C2 servers
B. IRC servers
C. HTTP servers
D. ISC2 servers
A.
C2 servers
What is the primary difference between a worm and a virus?
A. A worm uses polymorphic code.
B. A virus uses polymorphic code.
C. A worm can self‐propagate.
D. A virus can self-propagate.
C.
A worm can self‐propagate.
What is one advantage of static analysis over dynamic analysis of malware?
A. Malware is guaranteed to deploy.
B. Dynamic analysis is untrustworthy.
C. Static analysis limits your exposure to infection.
D. Static analysis can be run in virtual machines.
C.
Static analysis limits your exposure to infection.
What would you use VirusTotal for?
A. Checking your system for viruses
B. Endpoint protection
C. As a repository of malware research
D. Identifying malware against antivirus engines
D.
Identifying malware against antivirus engines
What are two sections you would commonly find in a portable executable file?
A. Text and binary
B. Binary and data
C. Addresses and operations
D. Text and data
D.
Text and data
What could you use to generate your own malware?
A. Empire
B. Metasploit
C. Rcconsole
D. IDA Pro
B.
Metasploit
What is the purpose of a packer for malware?
A. To obscure the actual program
B. To ensure that the program is all binary
C. To compile the program into a tight space
D. To remove null characters
A.
To obscure the actual program
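Worked example for the two cards above (PE sections and packers), added here and not part of the original deck: a stdlib-only Python script that walks a PE file's section table and computes each section's Shannon entropy. The image it parses is constructed inside the script (a plain .text, a plain .data and a packer-style UPX1 section); the flag constants are from the PE/COFF specification, while the 7.0 bits-per-byte threshold is a common rule of thumb, not a specification value.

```python
"""Walk a PE section table and flag sections that look packed (entropy, W+X).

Added example; the sample image below is constructed for the demo and is not a real binary.
"""
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for compressed or encrypted data, much lower for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def looks_packed(sections):
    """Packer heuristic: an executable section that is near-random, or one mapped writable and executable."""
    return any(s["exec"] and (s["entropy"] > 7.0 or s["write"]) for s in sections)


def build_sample_pe():
    """Constructed PE32+ image: plain .text, plain .data, and a packer-style 'UPX1' section."""
    text = bytes.fromhex("554889e54883ec10c745fc00000000c9c3") * 240   # repeated x86-64 prologue/epilogue
    data = b"Hello from .data\0" * 240
    blob, seed = b"", b"demo"                                           # deterministic pseudo-random payload
    while len(blob) < 0x1000:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    chunks = [
        (b".text", text.ljust(0x1000, b"\0"), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", data.ljust(0x1000, b"\0"), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"UPX1", blob[:0x1000], IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    opt_size = 0xF0                                                     # standard PE32+ optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(chunks), 0, 0, 0, opt_size, 0x22)
    optional = b"\x0b\x02" + b"\0" * (opt_size - 2)                     # PE32+ magic; rest zeroed for the demo
    table, body, raw_ptr, vaddr = b"", b"", 0x400, 0x1000
    for name, raw, chars in chunks:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        vaddr += 0x1000
    return (dos + b"PE\0\0" + coff + optional + table).ljust(0x400, b"\0") + body


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} vaddr={s['vaddr']:#08x} raw={s['raw_size']:#07x} "
              f"entropy={s['entropy']:.2f} {'X' if s['exec'] else '-'}{'W' if s['write'] else '-'}")
    print("likely packed:", looks_packed(secs))
```

On a real sample, pass `open(path, "rb").read()` to `parse_sections`. Packed binaries typically show one high-entropy section next to an almost-empty, writable and executable one that the unpacking stub fills at run time, so treat the heuristic as a prompt to unpack or detonate the sample in a sandbox, not as a verdict.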
What is the primary purpose of polymorphic code for malware programs?
A. Efficiency of execution
B. Propagation of the malware
C. Antivirus evasion
D. Faster compilation
C.
Antivirus evasion
What would be one reason not to write malware in Python?
A. The Python interpreter is slow
B. The Python interpreter may not be available.
C. Library support is inadequate.
D. Python is a hard language to learn.
B.
The Python interpreter may not be available.
What would you use Cuckoo Sandbox for?
A. Static analysis of malware
B. Malware development
C. Dynamic analysis of malware
D. Manual analysis of malware
C.
Dynamic analysis of malware
If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose?
A. Cutter
B. IDA
C. PE Explorer
D. MalAlyzer
B.
IDA
What is the purpose of using a disassembler?
A. Converting opcodes to mnemonics
B. Converting mnemonics to opcodes
C. Translating mnemonics to operations
D. Removing the need for an assembler
A.
Converting opcodes to mnemonics
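To make the opcode-to-mnemonic translation concrete, an added example that is not from the original deck: a table-driven decoder for a small x86-64 subset. The opcode table covers only push/pop, mov (register-direct and [reg+disp8] forms), the 0x83 immediate group, leave, ret, nop and int3; the input bytes are a constructed compiler prologue. Anything else is emitted as a raw db byte, which is also how a real disassembler loses sync when it starts in the middle of an instruction.

```python
"""Table-driven decoder for a small x86-64 subset: opcode bytes in, mnemonics out.

Added example of what a disassembler does; it handles only the instructions listed in the tables.
"""
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}   # opcode 0x83 /digit
SIMPLE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}


def decode_modrm(code, pos, rex):
    """Decode a ModRM byte (register-direct or [reg+disp8] only); returns (reg_field, operand_text, next_pos)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg |= (rex & 0x4) << 1          # REX.R extends the reg field
    rm |= (rex & 0x1) << 3           # REX.B extends the r/m field
    names = REG64 if rex & 0x8 else REG32
    if mod == 3:
        return reg, names[rm], pos + 1
    if mod == 1 and (rm & 7) != 4:   # [base+disp8]; rm==4 would need a SIB byte, which this toy skips
        disp = struct.unpack_from("<b", code, pos + 1)[0]
        sign = "-" if disp < 0 else "+"
        return reg, f"[{REG64[rm]}{sign}{abs(disp):#x}]", pos + 2
    raise ValueError(f"unsupported ModRM {modrm:#04x} at {pos:#x}")


def disassemble(code, start=0):
    """Decode from `start` to the end; returns a list of (offset, raw_bytes, text)."""
    out, pos = [], start
    while pos < len(code):
        begin = pos
        try:
            rex = 0
            if 0x40 <= code[pos] <= 0x4F:            # REX prefix
                rex, pos = code[pos], pos + 1
            op = code[pos]
            pos += 1
            regs = REG64 if rex & 0x8 else REG32
            if op in SIMPLE:
                text = SIMPLE[op]
            elif 0x50 <= op <= 0x57:
                text = f"push {REG64[(op - 0x50) | ((rex & 1) << 3)]}"
            elif 0x58 <= op <= 0x5F:
                text = f"pop {REG64[(op - 0x58) | ((rex & 1) << 3)]}"
            elif op == 0x89:                         # MOV r/m, r
                reg, rm, pos = decode_modrm(code, pos, rex)
                text = f"mov {rm}, {regs[reg]}"
            elif op == 0x8B:                         # MOV r, r/m
                reg, rm, pos = decode_modrm(code, pos, rex)
                text = f"mov {regs[reg]}, {rm}"
            elif op == 0x83:                         # group 1 r/m, sign-extended imm8
                reg, rm, pos = decode_modrm(code, pos, rex)
                imm = struct.unpack_from("<b", code, pos)[0]
                pos += 1
                text = f"{GROUP1[reg & 7]} {rm}, {imm:#x}"
            elif op == 0xC7:                         # MOV r/m, imm32
                reg, rm, pos = decode_modrm(code, pos, rex)
                imm = struct.unpack_from("<i", code, pos)[0]
                pos += 4
                size = ("qword " if rex & 0x8 else "dword ") if rm.startswith("[") else ""
                text = f"mov {size}{rm}, {imm:#x}"
            else:
                raise ValueError("unknown opcode")
        except (ValueError, IndexError, KeyError, struct.error):
            pos = begin + 1                          # emit one raw byte and try again on the next one
            text = f"db {code[begin]:#04x}"
        out.append((begin, code[begin:pos], text))
    return out


# Constructed sample: a typical compiler prologue, a local-variable store, and the epilogue.
SAMPLE = bytes.fromhex("55 48 89 e5 48 83 ec 10 c7 45 fc 00 00 00 00 c9 c3")

if __name__ == "__main__":
    for off, raw, text in disassemble(SAMPLE):
        print(f"{off:04x}: {raw.hex(' '):<22} {text}")
    print("--- same bytes decoded from offset 2 (out of sync) ---")
    for off, raw, text in disassemble(SAMPLE, start=2):
        print(f"{off:04x}: {raw.hex(' '):<22} {text}")
```

The second run starts two bytes in and decodes 89 e5 as a perfectly plausible `mov ebp, esp`, which is the practical point behind the card: a disassembler only turns bytes into mnemonics, so the result is only as good as the instruction boundary it started from, and packed or obfuscated code exploits exactly that.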
What does the malware that is referred to as a dropper do?
A. Drops antivirus operations
B. Drops CPU protections against malicious execution
C. Drops files that may be more malware
D. Drops the malware into the Recycle Bin
C.
Drops files that may be more malware
Why would you use an encoder when you are creating malware using Metasploit?
A. To compile the malware
B. To evade antivirus
C. To evade user detection
D. To compress the malware
B.
To evade antivirus
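The encoder card and the earlier polymorphic-code card describe the same idea: the same payload shipped as different bytes each time so that a static byte signature no longer matches. Added example, not from the original deck and not Metasploit's own code: a toy single-byte XOR encoder with a fixed decoder stub, a naive signature scanner, and an emulating scanner that decodes before matching. The payload, stub marker and signature are constructed placeholders, not shellcode.

```python
"""Why a byte-signature scanner misses an encoded payload, and why that is only a partial win.

Added example with a toy XOR encoder; the payload, stub marker and signature are constructed placeholders.
"""
import hashlib

PAYLOAD = b"demo payload: run calc.exe"            # constructed stand-in for a real payload; not shellcode
SIGNATURE = b"calc.exe"                             # what a naive byte signature keys on
STUB = b"[decoder-stub]"                            # stand-in for the fixed decoder routine an encoder prepends


def encode(payload, key):
    """One 'variant': the decoder stub, the key byte, then the payload XORed with that key."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def polymorphic_variants(payload, count):
    """One variant per key: every file hashes differently although each decodes to the same payload."""
    return [encode(payload, key) for key in range(1, count + 1)]


def signature_scan(blob, signature=SIGNATURE):
    """Static scanner: does the raw file contain the signature bytes?"""
    return signature in blob


def emulating_scan(blob, signature=SIGNATURE):
    """Emulator-style scanner: recognise the stub, perform the decode step, then look for the signature."""
    if not blob.startswith(STUB):
        return False
    key, body = blob[len(STUB)], blob[len(STUB) + 1:]
    return signature in bytes(b ^ key for b in body)


def stub_scan(blob):
    """The unchanging decoder stub is itself a signature: catches every variant without decoding anything."""
    return STUB in blob


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    variants = polymorphic_variants(PAYLOAD, 5)
    print("distinct hashes across variants:", len({sha256_hex(v) for v in variants}))
    for v in variants:
        print(f"key={v[len(STUB)]:#04x} signature={signature_scan(v)!s:<5} "
              f"emulated={emulating_scan(v)!s:<5} stub={stub_scan(v)}")
```

Three things the run shows: every key yields a file with a different hash and no visible signature; the decoder stub that never changes is itself an excellent signature, which is why a stock encoder on its own rarely gets past current antivirus; and a scanner that emulates the decode step finds the payload whatever the key. Encoders buy evasion against pure byte matching, nothing more.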
If you were to see the following command in someone’s history, what would you think had happened?
A. A poison pill was created.
B. A malicious program was generated.
C. Existing malware was encoded.
D. Metasploit was started.
B.
A malicious program was generated.
What is the difference between a virus and ransomware?
A. Ransomware may be a virus.
B. Ransomware includes Bitcoins.
C. Ransomware is generated only in Russia.
D. A virus runs only on Windows systems.
A.
Ransomware may be a virus.
Why would someone use a Trojan?
A. It acts as malware infrastructure.
B. It evades antivirus.
C. It pretends to be something else.
D. It’s polymorphic.
C.
It pretends to be something else.
Which of these tools would be most beneficial when trying to dynamically analyze malware?
A. Cutter
B. OllyDbg
C. Metasploit
D. AV-TEST
B.
OllyDbg
Which end of a client‐server communication goes on the infected system if it is communicating with infrastructure?
A. Client
B. Satellite
C. Server
D. Master station
C.
Server
Which of these would be a reason why it is best for communications to originate from inside the infected network?
A. Antivirus
B. Virtual machines
C. Intrusion detection
D. Firewall
D.
Firewall
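Both cards above rest on the same fact: the infected host reaches out from inside the network because the firewall would block the reverse. A defender can turn that around and hunt for it. Added example, not from the original deck: a Python script that groups outbound proxy-log connections by source and destination and flags pairs whose inter-connection gaps are numerous and nearly constant. The log format (ISO timestamp, source IP, destination, bytes) and the lines are constructed; the thresholds are assumptions to tune per environment.

```python
"""Spot outbound beaconing in proxy or firewall logs by interval regularity.

Added example; the log lines are constructed. Fields: ISO timestamp, source IP, destination, bytes sent.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.0.0.5 talks to 203.0.113.10 roughly every 60 s with a fixed request size,
# 10.0.0.7 browses www.example.com in bursts, 10.0.0.9 fetches one update.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.10 812
2024-05-01T09:00:03 10.0.0.7 www.example.com 53211
2024-05-01T09:00:04 10.0.0.7 www.example.com 2048
2024-05-01T09:00:10 10.0.0.7 www.example.com 9921
2024-05-01T09:01:01 10.0.0.5 203.0.113.10 812
2024-05-01T09:01:59 10.0.0.5 203.0.113.10 812
2024-05-01T09:02:30 10.0.0.7 www.example.com 77012
2024-05-01T09:03:00 10.0.0.5 203.0.113.10 812
2024-05-01T09:03:41 10.0.0.9 updates.example.net 120331
2024-05-01T09:04:02 10.0.0.5 203.0.113.10 812
2024-05-01T09:04:59 10.0.0.5 203.0.113.10 812
2024-05-01T09:05:15 10.0.0.7 www.example.com 1533
2024-05-01T09:05:16 10.0.0.7 www.example.com 640
2024-05-01T09:06:00 10.0.0.5 203.0.113.10 812
2024-05-01T09:07:01 10.0.0.5 203.0.113.10 812
"""


def parse_log(text):
    """Parse the four-field format above into dicts; blank and '#' lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "bytes": int(size)})
    return events


def find_beacons(events, min_hits=6, max_cv=0.15):
    """Group by (src, dst); flag pairs with many connections whose gaps have a low coefficient of variation."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < max(min_hits, 3):          # need at least two gaps to measure regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "interval": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, every {f['interval']} s (cv={f['cv']})")
```

The coefficient of variation (standard deviation over mean) is what separates a timer from a person: the flagged host connects about every 60 seconds with a few seconds of jitter and a constant request size, while the browsing host's gaps range from one second to minutes. Real implants add larger jitter, sleep outside business hours, or hide among legitimate domains, so pair this with destination reputation and request-size checks rather than relying on it alone.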
What is the tactic of allowing software to continue running across reboots of a system called?
A. Obfuscation
B. Persistence
C. Disassembly
D. Packing
B.
Persistence
What tool could you use to deeply analyze malicious software?
A. Strings
B. Hashing
C. Ghidra
D. Metasploit
C.
Ghidra
What practice could an organization use to protect itself against data loss from ransomware?
A. Implement anti‐malware
B. Implement endpoint detection and response
C. Sweep for indicators of compromise
D. Implement good backup practices
D.
Implement good backup practices
What piece of software could you use to recover from a ransomware attack?
A. Decryptor
B. Encryptor
C. Anti‐malware
D. Endpoint detection and response
A.
Decryptor
What persistence mechanism might allow malware to protect itself against anti‐malware software?
A. Scheduled tasks
B. WMI event subscriptions
C. Pre‐boot malware
D. HKEY_LOCAL_MACHINE Registry key
C.
Pre‐boot malware
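Persistence (the earlier card) and the Registry Run key option in this one are where a small triage script pays off. Added example, not from the original deck: a parser for a .reg export of the Run and RunOnce keys with a few indicators (executable in a user-writable directory, a system binary name outside System32, an encoded PowerShell command line, a script host pulling remote content). The export text is constructed, the encoded string is a harmless placeholder, and the indicator list is an assumption, not an exhaustive rule set.

```python
"""Triage Run/RunOnce entries from a .reg export for common persistence red flags.

Added example; the export below is constructed and the indicator list is illustrative only.
"""
import re

RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?=\s|$)", re.IGNORECASE)
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed export. The -enc argument is "AAA" in UTF-16LE, a harmless placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"
"Sync"="powershell.exe -nop -w hidden -enc QQBBAEEA"
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values; .reg escapes backslash and quote with a backslash."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line) if key else None
        if m:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data


def command_path(data):
    """The executable of a Run value: a quoted path, or else the first whitespace-separated token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage_run_keys(reg_text):
    """Return findings for Run/RunOnce values that match one or more indicators."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        exe = command_path(data).lower()
        base = exe.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in exe for d in USER_WRITABLE):
            reasons.append("executable in a user-writable directory")
        if base in SYSTEM_NAMES and "\\windows\\system32\\" not in exe:
            reasons.append("system binary name outside System32")
        if base in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(data):
            reasons.append("encoded PowerShell command line")
        if base in SCRIPT_HOSTS and "http" in data.lower():
            reasons.append("script host launching remote content")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

To run it on a live host, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (reg.exe writes UTF-16, so read the file with `encoding="utf-16"`) and pass the text to `triage_run_keys`. Note what the script cannot see: scheduled tasks, WMI event subscriptions and services live elsewhere, and anything that loads before the operating system, the answer to the card above, never appears in a registry export at all.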