Ch.3 Malicious Code Flashcards
Ryan wants to prevent logic bombs created by insider threats from impacting his organization. What technique will most effectively limit the likelihood of logic bombs being put in place?
A) Deploying antivirus software
B) Using a code review process
C) Deploying endpoint detection and response (EDR) software
D) Disabling autorun for USB drives
Correct Answer: B) Using a code review process
Explanation: Logic bombs are malicious code that executes under specific conditions, often placed by insiders. Code reviews allow security professionals to examine the code for suspicious logic and prevent such threats before they become active.
Incorrect Answers:
A) Deploying antivirus software – Antivirus software typically detects known malware, but logic bombs may evade detection until they execute.
C) Deploying endpoint detection and response (EDR) software – EDR tools monitor for suspicious activity, but they may not prevent logic bombs from being planted.
D) Disabling autorun for USB drives – While useful for preventing malware from running automatically, it does not address logic bombs hidden within code.
Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit?
A) File hashes
B) Command and control domains
C) Pop-ups demanding a ransom
D) Behavior-based identifiers
Correct Answer: C) Pop-ups demanding a ransom
Explanation: Rootkits are designed to hide malicious activity and provide persistent access to a system, not to demand ransom. A pop-up demanding a ransom is an indicator of ransomware, not a rootkit.
Incorrect Answers:
A) File hashes – Unique file hashes can help identify malicious rootkit files.
B) Command and control domains – Rootkits often communicate with external servers, making C&C domains useful indicators.
D) Behavior-based identifiers – Rootkits may show behavioral patterns such as unauthorized privilege escalation or hidden system processes.
Nathan works at a school and notices that one of his staff appears to have logged in and changed grades for a single student to higher grades, even in classes that staff member is not responsible for. When asked, the staff member says that they did not perform the action. Which of the following is the most likely way that a student could have gotten access to the staff member's password?
A) A keylogger
B) A rootkit
C) Spyware
D) A logic bomb
Correct Answer: A) A keylogger
Explanation: Keyloggers record keystrokes, allowing an attacker to capture login credentials without the user's knowledge. The student likely used a keylogger to obtain the staff member's credentials.
Incorrect Answers:
B) A rootkit – Rootkits provide persistent access and conceal malicious activity, but they do not typically capture credentials directly.
C) Spyware – While some spyware can capture credentials, keyloggers are more specifically designed for this purpose.
D) A logic bomb – Logic bombs are triggered by specific conditions but do not actively steal credentials.
Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
A) Command and control
B) Spyware
C) A worm
D) A hijacked web browser
Correct Answer: A) Command and control
Explanation: TCP port 6667 is commonly associated with IRC-based command and control (C&C) traffic, which botnets and other malware use to communicate with an attacker's server.
Incorrect Answers:
B) Spyware – Spyware collects user data but does not typically use IRC for communication.
C) A worm – Worms spread independently but do not necessarily rely on IRC for control.
D) A hijacked web browser – Web browser hijacking typically involves redirecting users to malicious websites, not IRC-based communication.
Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware?
A) A worm
B) Crypto malware
C) A Trojan
D) A backdoor
Correct Answer: D) A backdoor
Explanation: A backdoor is a malicious program that provides attackers with unauthorized remote access to a system, bypassing normal authentication mechanisms.
Incorrect Answers:
A) A worm – Worms replicate themselves and spread, but they do not necessarily provide remote access.
B) Crypto malware – Crypto malware is ransomware that encrypts files rather than granting remote access.
C) A Trojan – Trojans may carry backdoors, but a backdoor itself is a specific type of malware that enables unauthorized access.
What is the primary impact of bloatware?
A) Consuming resources
B) Logging keystrokes
C) Providing information about users and devices to third parties
D) Allowing unauthorized remote access
Correct Answer: A) Consuming resources
Explanation: Bloatware consists of unnecessary applications that take up memory, CPU, and disk space, slowing down system performance.
Incorrect Answers:
B) Logging keystrokes – This is associated with keyloggers, not bloatware.
C) Providing information about users and devices to third parties – This behavior aligns more with spyware.
D) Allowing unauthorized remote access – This is a characteristic of Trojans and backdoors.
Matt uploads a malware sample to a third-party malware scanning site that uses multiple anti-malware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred?
A) The package contains more than one piece of malware.
B) The service is misconfigured.
C) The malware is polymorphic and changed while being tested.
D) Different vendors use different names for malware packages.
Correct Answer: D) Different vendors use different names for malware packages.
Explanation: Different antivirus vendors classify and name malware differently, leading to multiple detections with different names.
Incorrect Answers:
A) The package contains more than one piece of malware – While possible, the most common reason is vendor differences.
B) The service is misconfigured – This would not typically result in multiple different detections.
C) The malware is polymorphic and changed while being tested – Polymorphic malware changes signatures but would not necessarily lead to different names from vendors.
What type of malware is used to gather information about a user's browsing habits and system?
A) A Trojan
B) Bloatware
C) Spyware
D) A rootkit
Correct Answer: C) Spyware
Explanation: Spyware is designed to collect user data, track browsing habits, and send the information to attackers.
Incorrect Answers:
A) A Trojan – Trojans disguise themselves as legitimate software but do not necessarily gather user data.
B) Bloatware – Bloatware is unwanted software but does not typically collect user data.
D) A rootkit – Rootkits provide stealthy access but are not primarily designed for data collection.
Nancy is concerned that there is a software keylogger on the system she's investigating. What best describes data that may have been stolen?
A) All files on the system
B) All keyboard input
C) All files the user accessed while the keylogger was active
D) Keyboard and other input from the user
Correct Answer: D) Keyboard and other input from the user
Explanation: Keyloggers capture keystrokes and other user input, such as mouse movements and touchscreen interactions.
Incorrect Answers:
A) All files on the system – Keyloggers do not exfiltrate files, just input data.
B) All keyboard input – While mostly correct, some keyloggers also capture non-keyboard input.
C) All files the user accessed while the keylogger was active – Keyloggers do not monitor file access directly.
A system in Elaine's company has suddenly displayed a message demanding payment in Bitcoin and claiming that the data from the system has been encrypted. What type of malware has Elaine likely encountered?
A) Worms
B) A virus
C) Ransomware
D) Rootkit
Correct Answer: C) Ransomware
Explanation: Ransomware encrypts files and demands payment, often in cryptocurrency, to restore access.
Incorrect Answers:
A) Worms – Worms spread automatically but do not demand ransoms.
B) A virus – Viruses replicate, but they do not typically demand payment.
D) Rootkit – Rootkits provide stealthy access but do not lock files for ransom.
Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an anti-malware tool's scanner, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
A) Rerun the antimalware scan.
B) Mount the drive on another system and scan it that way.
C) Disable the system's antivirus because it may be causing a false negative.
D) The system is not infected and he should move on.
Correct Answer: B) Mount the drive on another system and scan it that way.
Explanation: Rootkits embed themselves deep in the operating system, often making them invisible to security tools running within that system. Scanning the drive from an external, trusted system bypasses the compromised OS, allowing detection.
Incorrect Answers:
A) Rerun the antimalware scan – The rootkit may be hiding itself, so scanning again within the same OS is unlikely to help.
C) Disable the system's antivirus because it may be causing a false negative – This action does not address the fact that the rootkit is hiding itself.
D) The system is not infected and he should move on – If there are signs of infection, further investigation is warranted.
A recently terminated developer from Jaya's organization has contacted the organization claiming that they left code in an application that they wrote that will delete files and bring the application down if they are not employed by the company. What type of malware is this?
A) Ransomware
B) Extortionware
C) A logic bomb
D) A Trojan
Correct Answer: C) A logic bomb
Explanation: A logic bomb is malicious code that triggers based on a specific condition, such as a developer leaving a company.
Incorrect Answers:
A) Ransomware – Ransomware encrypts files and demands payment, while a logic bomb executes based on conditions.
B) Extortionware – Extortionware involves threats to release data, not system destruction upon a condition being met.
D) A Trojan – A Trojan disguises itself as legitimate software, but a logic bomb is embedded within an existing program.
What is the key difference between a worm and a virus?
A) What operating system they run on
B) How they spread
C) What their potential impact is
D) The number of infections
Correct Answer: B) How they spread
Explanation: The main difference is that worms spread automatically without user interaction, while viruses require user action to propagate (e.g., opening an infected file).
Incorrect Answers:
A) What operating system they run on – Both worms and viruses can run on various OSes.
C) What their potential impact is – Both can cause significant damage.
D) The number of infections – Both can spread widely, but worms typically spread faster.
Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
A) Run multiple antimalware tools and use them to remove all detections.
B) Wipe the drive and reinstall from known good media.
C) Use the delete setting in her antimalware software rather than the quarantine setting.
D) There is no way to ensure the system is safe and it should be destroyed.
Correct Answer: B) Wipe the drive and reinstall from known good media.
Explanation: The most foolproof way to remove malware, especially sophisticated threats like rootkits, is a full system wipe and reinstall from a trusted source.
Incorrect Answers:
A) Run multiple antimalware tools and use them to remove all detections – This may not detect or remove all malware components, especially if a rootkit is present.
C) Use the delete setting in her antimalware software rather than the quarantine setting – This does not guarantee full removal.
D) There is no way to ensure the system is safe and it should be destroyed – Reinstalling from a clean source is sufficient in most cases.
Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
A) Run a decompiler against it to allow him to read the code
B) Open the file using a text editor to review the code
C) Test the code using an antivirus tool
D) Submit the Python code to a malware testing website
Correct Answer: B) Open the file using a text editor to review the code
Explanation: Python is an interpreted rather than a compiled language, so Ben doesn't need to use a decompiler. The Python source code is readable as plain text. Opening it in a text editor allows direct inspection of the code.
Incorrect Answers:
A) Run a decompiler against it to allow him to read the code – Python does not require decompilation; its source is already readable.
C) Test the code using an antivirus tool – Antivirus tools may not detect Python-based scripts unless they are well-known threats.
D) Submit the Python code to a malware testing website – While this may provide some insights, manual review is the most direct method.
Which of the following defenses is most likely to prevent Trojan installation?
A) Installing patches for known vulnerabilities
B) Preventing downloads from application stores
C) Preventing the use of USB drives
D) Disabling autorun from USB drives
Correct Answer: B) Preventing downloads from application stores
Explanation: Trojans are most commonly disguised as legitimate software and downloaded by users from the internet or untrusted sources. Preventing users from downloading applications from unverified sources is the most effective way to stop Trojan infections. Many organizations implement application whitelisting to restrict what software can be installed.
Incorrect Answers:
A) Installing patches for known vulnerabilities – Patching prevents exploitation of known software vulnerabilities but does not stop Trojans, which require user interaction to install.
C) Preventing the use of USB drives – This can help in some cases but is too broad, and not all Trojans are spread via USB.
D) Disabling autorun from USB drives – While this prevents some types of Trojans that rely on USB autorun, most Trojans come from downloads, making option B the better answer.
Jason's security team reports that a recent WordPress vulnerability seems to have been exploited by malware and that their organization's entire WordPress service cluster has been infected. What type of malware is most likely involved if a vulnerability in the software was exploited over the network?
A) A logic bomb
B) A Trojan
C) A worm
D) A rootkit
Correct Answer: C) A worm
Explanation: Worms spread automatically by exploiting vulnerabilities in software, making them a likely cause of widespread infection.
Incorrect Answers:
A) A logic bomb – A logic bomb executes based on conditions, not network exploitation.
B) A Trojan – Trojans require user interaction, whereas worms do not.
D) A rootkit – Rootkits provide stealthy access, but they do not typically spread across systems automatically.
What type of malware connects to a command and control system, allowing attackers to manage, control, and update it remotely?
A) A bot
B) A drone
C) A vampire
D) A worm
Correct Answer: A) A bot
Explanation: Bots are infected systems controlled by attackers via command and control (C&C) servers, forming part of a botnet.
Incorrect Answers:
B) A drone – Not a term used in malware classification.
C) A vampire – Not a term used in malware classification.
D) A worm – Worms spread automatically but do not necessarily rely on C&C infrastructure.
Hui's organization recently purchased new Windows computers from an office supply store. The systems have a number of unwanted programs on them that load at startup that were installed by the manufacturer. What type of software is this?
A) Viruses
B) Trojans
C) Spyware
D) Bloatware
Correct Answer: D) Bloatware
Explanation: Bloatware refers to preinstalled software that takes up system resources but is not inherently malicious.
Incorrect Answers:
A) Viruses – Viruses are malicious and replicate, while bloatware is simply unwanted.
B) Trojans – Trojans disguise themselves as legitimate applications, whereas bloatware is preinstalled.
C) Spyware – Spyware collects user data, whereas bloatware does not necessarily do so.
Randy believes that a system that he is responsible for was infected after a user picked up a USB drive and plugged it in. The user claims that they only opened one file on the drive to see who might own it. What type of malware is most likely involved?
A) A virus
B) A worm
C) A Trojan
D) A spyware tool
Correct Answer: A) A virus
Explanation: Viruses often spread via infected files on USB drives, requiring user interaction to execute and spread. Since the user opened a file, it's likely that the file contained a virus that then infected the system.
Incorrect Answers:
B) A worm – Worms spread automatically without user interaction, whereas this infection required the user to open a file.
C) A Trojan – A Trojan would look like a useful or desirable file, not just a file to determine the USB's owner.
D) A spyware tool – Spyware is designed to collect data covertly, but the question suggests an infection event, not data theft.
Which of the following characteristics best distinguishes bloatware from spyware?
A) Bloatware is always pre-installed on devices, whereas spyware is installed through malware campaigns.
B) Spyware is designed to secretly collect data, while bloatware is primarily unwanted but not always malicious.
C) Bloatware directly compromises user privacy, while spyware only affects system performance.
D) Spyware is always government-sponsored, whereas bloatware is installed by software vendors.
Correct Answer: B) Spyware is designed to secretly collect data, while bloatware is primarily unwanted but not always malicious.
Explanation: Spyware is specifically designed to collect user data, such as browsing habits or credentials, and send it to a remote attacker. Bloatware, on the other hand, consists of pre-installed or unnecessary programs that consume system resources but are not always malicious.
Incorrect Answers:
A) Bloatware is always pre-installed on devices, whereas spyware is installed through malware campaigns. – Incorrect, because bloatware can also be installed later as part of software bundles.
C) Bloatware directly compromises user privacy, while spyware only affects system performance. – Incorrect, since spyware is the actual privacy risk, whereas bloatware just slows down devices.
D) Spyware is always government-sponsored, whereas bloatware is installed by software vendors. – Incorrect, spyware can be used by cybercriminals too, not just governments.
An analyst notices a workstation making repeated, encrypted outbound connections to a known command and control (C&C) server. The workstation has also started creating unexpected scheduled tasks. What type of malware is most likely responsible?
A) A rootkit
B) A keylogger
C) A Trojan
D) A worm
Correct Answer: A) A rootkit
Explanation: Rootkits are designed to provide long-term stealthy access to a system, often communicating with a C&C server to receive attacker commands. They can also create scheduled tasks to maintain persistence.
Incorrect Answers:
B) A keylogger – Keyloggers capture user input but do not typically use C&C servers.
C) A Trojan – Trojans can open backdoors, but they do not persist as effectively as rootkits.
D) A worm – Worms spread rapidly but are not known for long-term stealthy access.
What is the most effective way to remove a rootkit from an infected system?
A) Run an anti-rootkit scanning tool.
B) Manually delete infected system files from Safe Mode.
C) Restore from a known good backup or reimage the system.
D) Disable all startup processes and delete suspicious registry keys.
Correct Answer: C) Restore from a known good backup or reimage the system.
Explanation: Rootkits embed themselves deeply in the operating system, often at the kernel level, making them very difficult to remove. The most reliable method is to completely wipe the system and restore from a trusted backup.
Incorrect Answers:
A) Run an anti-rootkit scanning tool. – This may detect some rootkits but cannot guarantee complete removal.
B) Manually delete infected system files from Safe Mode. – Rootkits can hide system files, making this method ineffective.
D) Disable all startup processes and delete suspicious registry keys. – Rootkits hook into deeper system functions, so deleting registry keys won't remove them completely.
A user reports that their computer suddenly became unresponsive, and a message appeared demanding payment to unlock their files. The security team determines that no unauthorized programs were installed recently. Which indicator of compromise (IoC) would best confirm the type of attack?
A) Discovery of a new administrator account
B) Repeated failed login attempts in security logs
C) Sudden increase in network bandwidth usage
D) Unauthorized file encryption and ransom demand message
Correct Answer: D) Unauthorized file encryption and ransom demand message
Explanation: Ransomware encrypts files and then demands a ransom in exchange for the decryption key. The primary IoC is a notice demanding payment and inaccessible encrypted files.
Incorrect Answers:
A) Discovery of a new administrator account. – More common in privilege escalation attacks.
B) Repeated failed login attempts in security logs. – More commonly seen in brute force attacks, not ransomware.
C) Sudden increase in network bandwidth usage. – Could indicate data exfiltration, but not necessarily ransomware.
What is the best mitigation technique for dealing with logic bombs?
A) Using endpoint detection and response (EDR) to detect logic bomb behavior
B) Implementing strict firewall rules to block logic bomb execution
C) Conducting regular code reviews and system audits
D) Disabling Windows scripting capabilities
Correct Answer: C) Conducting regular code reviews and system audits
Explanation: Logic bombs are typically inserted into scripts or applications by malicious insiders. The best defense is to review all code and system changes regularly to identify unauthorized logic.
Incorrect Answers:
A) Using endpoint detection and response (EDR) to detect logic bomb behavior. – EDR can detect some activity, but logic bombs are often hidden until triggered.
B) Implementing strict firewall rules to block logic bomb execution. – Firewalls do not detect or prevent logic bombs inside legitimate software.
D) Disabling Windows scripting capabilities. – Logic bombs are not limited to scripting; they can be in compiled programs too.
An employee reports that they were using an online document editor when their web browser suddenly crashed. After reopening it, the browser redirected to suspicious websites and installed additional extensions without permission. What type of malware is most likely involved?
A) Fileless malware/virus
B) Bloatware
C) Keylogger
D) Ransomware
Correct Answer: A) Fileless malware/virus
Explanation: Fileless malware operates entirely in memory, often exploiting vulnerabilities in web browsers and executing malicious scripts without leaving a traditional file on disk.
Incorrect Answers:
B) Bloatware – Bloatware does not spread itself or hijack browsers.
C) Keylogger – Keyloggers record user input, but they do not hijack browsers.
D) Ransomware – Ransomware encrypts files, but does not hijack browsers or install extensions.
Which of the following would be considered a valid indicator of compromise (IoC) for spyware?
A) The unexpected appearance of a new encryption key in the system
B) A sudden system reboot after executing a malicious macro
C) An increase in failed login attempts from an unknown IP address
D) A new registry entry launching an unknown executable at startup
Correct Answer: D) A new registry entry launching an unknown executable at startup
Explanation: Spyware often modifies system settings (e.g., adding registry keys) to ensure it runs persistently.
Incorrect Answers:
A) The unexpected appearance of a new encryption key in the system. – More likely to indicate ransomware, not spyware.
B) A sudden system reboot after executing a malicious macro. – More common in macro-based malware, not spyware.
C) An increase in failed login attempts from an unknown IP address. – Suggests a brute force attack, not spyware.
What type of malware is most commonly responsible for allowing attackers to maintain long-term access to a compromised system while hiding from detection?
A) A keylogger
B) A rootkit
C) A virus
D) A Trojan
Correct Answer: B) A rootkit
Explanation: Rootkits are designed for stealthy, long-term access by manipulating system processes to avoid detection.
Incorrect Answers:
A) A keylogger – Keyloggers record keystrokes, but they do not provide persistent access.
C) A virus – Viruses can spread and cause damage, but do not typically provide long-term hidden access.
D) A Trojan – Trojans may grant attackers access, but they do not specialize in stealth like rootkits.
I am malware that spreads without user interaction, typically through vulnerable services, email attachments, vulnerable devices such as IoT devices, or network file shares. What am I?
Worm
I am a type of malware that masquerades as a legitimate program but, once executed, provides an attacker with unauthorized access or control. Some of my variations include Remote Access Trojans (RATs). What am I?
Trojan
I am malware that is designed to persist on a system undetected while allowing attackers to maintain access. I often hook into system processes, alter system files, or embed myself within firmware. I often create backdoors. What am I?
Rootkit
I capture user keystrokes, including usernames, passwords, and sensitive data. I can be software-based, capturing keystrokes via system APIs, or hardware-based, intercepting signals from keyboards. What am I?
Keylogger
I am not an independent malicious program, but a covert malware function or code hidden inside legitimate programs. I lie dormant until specific conditions are met, such as a certain date or event. What am I?
Logic bomb
I often spread through USB drives, but not always, by disguising myself as a legitimate or useful file. Once executed, I infect the system, sometimes giving an attacker remote control. What type of malware am I?
Trojans, or Trojan horses
What are common Indicators of Compromise (IoCs) associated with ransomware?
- Command and control (C&C) traffic
- Encryption of files
- Notices demanding payment
- Use of legitimate tools in abnormal ways
- Data exfiltration
What security practice is considered the most effective defense against ransomware?
Regular, isolated backups that cannot be accessed or encrypted by the malware.
What are common IoCs of spyware?
- Remote-access and remote-control related indicators
- Malicious processes disguised as system processes
- Injection attacks against browsers
- Known software file fingerprints
Since malware removal can be difficult, what is the standard best practice for ensuring complete removal?
Wiping the infected system and restoring it from a known good backup or performing a fresh reinstallation.
What malware category specifically gathers information on user activities, such as web browsing habits and system information, and sends it back to a central server?
Spyware
What are some common IoCs of rootkits?
- Unexplained system modifications
- Hidden processes or files
- Unexpected kernel-level behavior
- Opening of unknown network ports
I infect multiple systems and link them together under the control of a central attacker. I can be used for distributed denial-of-service (DDoS) attacks, credential stuffing, or spreading malware. What am I?
Botnet
When is wiping the system not enough to remove malware?
When the malware is BIOS/UEFI-resident.
Explanation:
1. Persistence beyond the OS:
Malware in BIOS/UEFI remains active even after wiping the OS or replacing the hard drive because it resides in the motherboard's firmware.
- Survives reinstallation & reimaging:
Since firmware malware is embedded in the system firmware, reinstalling the OS or reimaging the system does not affect it.
- Bypasses security tools:
Traditional antivirus and endpoint detection tools cannot scan firmware memory directly, making it difficult to detect.
- Can reinfect a freshly installed OS:
If the infected BIOS/UEFI is not replaced or cleaned, the malware reinstalls itself on the new OS, keeping the system compromised.
What are IoCs of Trojans?
Indicators of compromise for Trojans often include:
- Signatures for the specific malware applications or downloadable files
- Command and control system hostnames and IP addresses
- Folders or files created on target devices
I am malware that self-installs and does not need any user to click on me. One time I went by the name Stuxnet and copied myself to thumb drives to bypass air-gapped systems. What am I?
Worm
Which of the following would be a key indicator that a system has been infected with a worm?
A) The system constantly attempts to connect to other hosts on the network
B) The system displays a ransom message demanding cryptocurrency
C) The user notices unexpected pop-up ads and browser redirects
D) The system reboots randomly without user input
Correct Answer: A) The system constantly attempts to connect to other hosts on the network
Which of the following is a common IoC for spyware?
A) Encrypted files with a ransom demand
B) Unauthorized access attempts on the company network
C) Pop-up ads appearing on every webpage
D) A user reporting a slow system due to heavy CPU usage
Correct Answer: C) Pop-up ads appearing on every webpage
Which of the following behaviors is a key IoC of a virus?
A) A process attempts to modify system files and replicate itself
B) The system suddenly loses access to the internet
C) The user receives fake warnings about system security
D) A process encrypts the user's files and demands a ransom
Correct Answer: A) A process attempts to modify system files and replicate itself
Which log activity might indicate a spyware infection?
A) Repeated logins from an unfamiliar IP address
B) A large volume of outbound traffic to unknown domains
C) The system executing a sudden, unscheduled reboot
D) A device disconnecting and reconnecting to Wi-Fi frequently
Correct Answer: B) A large volume of outbound traffic to unknown domains
How do IoCs for viruses differ from worms?
A) Viruses self-replicate across networks, while worms require execution
B) Viruses communicate with C&C servers, while worms do not
C) Viruses only affect Windows systems, while worms affect all OS types
D) Viruses need a host file to infect, while worms spread without a host
Correct Answer: D) Viruses need a host file to infect, while worms spread without a host
Which of the following is a key IoC of a rootkit?
A) A process modifying system files and remaining hidden from detection
B) A large number of phishing emails being sent from the user's account
C) The system slowing down due to high CPU usage
D) A network device failing to respond to ping requests
Correct Answer: A) A process modifying system files and remaining hidden from detection
Which system log entry might indicate a worm attack?
A) A process attempting to modify the Master Boot Record
B) Repeated failed login attempts from an external IP
C) Multiple SMB (Server Message Block) connection attempts from a single host
D) A user account attempting to execute privilege escalation commands
Correct Answer: C) Multiple SMB (Server Message Block) connection attempts from a single host
What are common IoCs for rootkits?
- File hashes and signatures
- Command and control domains, IP addresses, and systems
- Behavior-based identification like the creation of services, executables, configuration changes, file access, and command invocation
- Opening ports or creation of reverse proxy tunnels
An organization recently discovered that a malicious script was embedded within a critical database application. The script remained inactive for months until a specific date, at which point it executed and deleted important financial records.
What type of malware was used in this attack?
A) Rootkit
B) Trojan
C) Logic bomb
D) Worm
Correct Answer: C) Logic bomb
Explanation:
A logic bomb is malware that remains dormant until a specific condition is met, such as a date, user action, or system event. In this case, the script activated on a particular date and performed a destructive action.
Incorrect Answers:
A) Rootkit – A rootkit is used for maintaining unauthorized access and hiding malware, not for triggering actions at a specific time.
B) Trojan – Trojans disguise themselves as legitimate software but do not remain dormant waiting for a specific condition.
D) Worm – Worms spread automatically across networks; they do not wait for a trigger event like a logic bomb.
During a routine security audit, a cybersecurity analyst noticed that antivirus and endpoint detection tools were not detecting certain unauthorized processes running on a server. Upon further investigation, they found that attackers had embedded malicious software deep within the system's kernel to maintain persistent access while remaining undetected.
Which type of malware is most likely responsible?
A) Logic bomb
B) Rootkit
C) Spyware
D) Keylogger
Correct Answer: B) Rootkit
Explanation:
A rootkit is malware designed to gain persistent access to a system while avoiding detection by security tools. Rootkits operate at the kernel level or manipulate system files to hide their presence.
Incorrect Answers:
A) Logic bomb – A logic bomb activates based on a predefined condition but does not provide stealthy, long-term system access.
C) Spyware – Spyware collects user data without authorization but does not embed itself deep in the operating system like a rootkit.
D) Keylogger – A keylogger records keystrokes but does not have the ability to maintain hidden, persistent access.