Malware

Question 1

Malicious software designed to infiltrate computer systems and potentially damage them without user consent

Answer 1

Malware

Question 2

Method used to infiltrate a victim’s machine

Examples:
○ Unpatched software
○ USB drive installation
○ Phishing campaigns

Answer 2

Threat Vector

Question 3

Means by which the attacker gains access and infects the system. Combines both infiltration method and infection process

Answer 3

Attack Vector

Question 4

Viruses, Worms, Trojans, Ransomware, Zombies/Botnets, Rootkits, are examples of what?

Answer 4

Malware Attacks

Question 5

Made up of malicious code that’s run on a machine without the user’s knowledge and this allows the code to infect the computer whenever it has been run

Answer 5

Computer Virus

Question 6

Attach to clean files, spread, and corrupt host files

Answer 6

Viruses

Question 7

Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker

Answer 7

Ransomware

Question 8

Compromised computers remotely controlled in a network for malicious purposes

Answer 8

Zombies and Botnets

Question 9

Hide presence and activities on a computer, operate at the OS level

Answer 9

Rootkits

Question 10

Backdoors allow unauthorized access, logic bombs execute malicious
actions

Answer 10

Backdoors and Logic Bombs

Question 11

Record keystrokes, capture passwords or sensitive information

Answer 11

Keyloggers

Question 12

Spyware monitors and gathers user/system information, bloatware
consumes resources without value

Answer 12

Spyware and Bloatware

Question 13

The following signs are indicators of what?
● Account lockouts
● Concurrent session utilization
● Blocked content
● Impossible travel
● Resource consumption
● Inaccessibility
● Out-of-cycle logging
● Missing logs
● Documented attacks

Answer 13

Malware Attacks

Question 14

Virus that is stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up

Answer 14

Boot Sector

Question 15

Form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus is executed.

Answer 15

Macro Virus

Question 16

Try to find executables or application files to infect with their malicious code

Answer 16

Program Virus

Question 17

Combination of a boot sector type virus and a program virus.

Able to place itself in the boot sector and be loaded every time the
computer boots

It can install itself in a program where it can be run every time the
computer starts up

Answer 17

Multiparite Virus

Question 18

Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid detection by any antivirus software

Answer 18

Encrypted Virus

Question 19

Advanced version of an encrypted virus, but instead of just encrypting the contents it will actually change the viruses code each time it is executed by altering the decryption module in order for it to evade detection.

Answer 19

Polymorphic Virus

Question 20

Able to rewrite themselves entirely before it attempts to infect a given file

Answer 20

Metamorphic Virus

Question 21

Technique used to prevent the virus from being detected by the anti-virus software

Answer 21

Stealth Virus

Question 22

Have a layer of protection to confuse a program or a person who’s trying to analyze it

Answer 22

Armored Virus

Question 23

Form of technical social engineering that attempts to scare our end users into taking some kind of undesirable action on their system

Answer 23

Hoax Virus

Question 24

Piece of malicious software, much like a virus, but it can replicate itself without any user interaction

Able to self-replicate and spread throughout your network without a user’s consent or their action

Best known for spreading far and wide over the internet in a relative short amount of time

Answer 24

Worm

Question 25

Piece of malicious software that is disguised as a piece of harmless or desirable software. Claims that it will perform some needed or desired function for you.

commonly used today by attackers to exploit a vulnerability in your
workstation and then conducting data exfiltration to steal your sensitive documents, creating backdoors to maintain persistence on your systems, and other malicious activities.

Answer 25

Trojans

Question 26

Widely used by modern attackers because it provides the attacker with remote control of a victim machine

Answer 26

Remote Access Trojan (RAT)

Question 27

Network of compromised computers or devices controlled remotely by malicious actors

Answer 27

Botnet

Question 28

Name of a compromised computer or device that is part of a botnet. Used to perform tasks using remote commands from the attacker without the user’s knowledge

Attackers usually only use about 20-25% of any zombie’s power

Answer 28

Zombie

Question 29

Computer responsible for managing and coordinating the activities of other nodes or devices within a network

Answer 29

Command and Control Node

Question 30

______ are used

■ as pivot points
■ disguise the real attacker
■ to host illegal activities
■ to spam others by sending out phishing campaigns and other malware

used by attackers to combine processing power to break through different types of ecnryption schemes

Answer 30

Botnets

Question 31

Occurs when many machines target a single victim and attack them at the exact same time

Answer 31

Distributed Denial-of-Service (DDoS) Attack

Question 32

Designed to gain administrative level control over a given computer system without being detected.

it tries to move from Ring 1 to Ring 0 so that it
can hide from other functions of the operating system to avoid detection

closer the malicious code is to the kernel (ring 0), the more permissions
it will have and the more damage it can cause on your system

extremely powerful, and they are very difficult to detect because the
operating system is essentially blinded to them

Answer 32

Rootkit

Question 33

How can we protect ourselves and our organizations against ransomware?

Answer 33

■ Always conduct regular backups
■ Install software updates regularly
■ Provide security awareness training to your users
■ Implement Multi-Factor Authentication (MFA)

Question 34

What should you do if you find yourself or your organization as the victim of a ransomware attack?

Answer 34

Never pay the ransom
Disconnect infected system from the network
notify the authorities
restore the data from known good backups

Question 35

Where user level permissions are used

Answer 35

Ring 3 (Outermost Ring)

Question 36

Operating in ______ __ is called “kernel mode”

Answer 36

Ring 0 (Innermost or Higher Permission Level)

Question 37

Allows a system to control access to things like device drivers, your
sound card, your video display or monitor, and other similar things

Answer 37

Kernel Mode

Question 38

If you login as the administrator or root user on a system, you have root permission and you will be operating at ______ __ of the operating system

Answer 38

Ring 1

Question 39

Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library

Answer 39

DLL Injection

Question 40

Collection of code and data that can be used by multiple programs
simultaneously to allow for code reuse and modularization in software development

Answer 40

Dynamic Link Library (DLL)

Question 41

Piece of software code that is placed between two components and that intercepts the calls between those components and can be used redirect them.

Answer 41

Shim

Question 42

Originally placed in computer programs to bypass the normal security and authentication functions

Most often put into systems by designers and programmers

(Remote Access Trojan is an example of this)

Answer 42

Backdoor

Question 43

a hidden feature or novelty within a program that is typically inserted by the software developers as an inside joke

Code often has significant vulnerabilities

Answer 43

Easter Egg

Question 44

Malicious code that’s inserted into a program, and the malicious code will only execute when certain conditions have been met

Answer 44

Logic Bombs

Question 45

Piece of software or hardware that records every single keystroke that is made on a computer or mobile device

can be either software-based or hardware-based

Answer 45

Keylogger

Question 46

Malicious programs that get installed on a victim’s computer

Often bundled with other software or delivered through social
engineering attacks, like phishing or pretexting attacks

Answer 46

Software Keyloggers

Question 47

Physical devices that need to be plugged into a computer

These will resemble a USB drive or they can be embedded within a
keyboard cable itself

Answer 47

Hardware Keyloggers

Question 48

■ Perform regular updates and patches
■ Rely on quality antivirus and antimalware solutions
■ Conduct phishing awareness training for your users
■ Implement multi-factor authentication systems
■ Encrypt keystrokes being sent to your systems
■ Perform physical checks of your desktops, laptops, and servers

Answer 48

Protects your organization from keyloggers

Question 49

Malicious software that is designed to gather and send information about a user or organization without their knowledge

Answer 49

Spyware

Question 50

Any software that comes pre-installed on a new computer or smartphone that you, as the user, did not specifically request, want, or need.

isn’t malicious, but it can
● waste your storage space
● slow down the performance of your devices
● introduce security vulnerabilities into your systems

Answer 50

Bloatware

Question 51

Specific method by which malware code penetrates and infects a targeted system.

Answer 51

Malware Exploitation Technique

Question 52

Piece of malware that is usually created as a lightweight shellcode
that can be executed on a given system

Primary function is to retrieve additional portions of the malware code and to trick the user into activating it.

Answer 52

Stage 1 Dropper or Downloader

Question 53

Specific malware type designed to initiate or run other malware
forms within a payload on an infected host

Answer 53

Dropper

Question 54

Retrieve additional tools post the initial infection facilitated by a
dropper

Answer 54

Downloader

Question 55

Broader term that encompasses lightweight code meant to
execute an exploit on a given target

Answer 55

Shellcode

Question 56

Downloads and installs a remote access Trojan to conduct
command and control on the victimized system

Answer 56

Stage 2: Downloader

Question 57

Threat actors will execute primary objectives to meet core
objectives like
■ data exfiltration
■ file encryption

Answer 57

“Actions on Objective” Phase

Question 58

Used to help the threat actor prolong unauthorized access to a
system by
■ hiding tracks
■ erasing log files
■ hiding any evidence of malicious activity

Answer 58

Concealment

Question 59

A strategy adopted by many Advanced Persistent Threats
and criminal organizations

The threat actors try to exploit the standard tools to
perform intrusions

Answer 59

“Living Off the Land”

Question 60

Malware, especially those designed for credential theft or brute force
attacks, can trigger multiple failed login attempts that would result in a user’s account being locked out

(Indicator of Malware Attack)

Answer 60

Account Lockouts

Question 61

If you notice that a single user account has multiple simultaneous or
concurrent sessions open, especially from various geographic locations

(Indicator of Malware Attack)

Answer 61

Concurrent Session Utilization

Question 62

If there is a sudden increase in the amount of blocked content alerts you are seeing from your security tools

(Indicator of Malware Attack)

Answer 62

Blocked Content

Question 63

Refers to a scenario where a user’s account is accessed from two or more geographically separated locations in an impossibly short period of time

(Indicator of Malware Attack)

Answer 63

Impossible Travel

Question 64

If you are observing any unusual spikes in CPU, memory, or network
bandwidth utilization that cannot be linked back to a legitimate task

(Indicator of Malware Attack)

Answer 64

Resource Consumption

Question 65

● Ransomware
● If a large number of files or critical systems suddenly become inaccessible
or if users receive messages demanding payment to decrypt their data

(Indicator of Malware Attack)

Answer 65

Resource Innacessability

Question 66

If you are noticing that your logs are being generated at odd hours or during times when no legitimate activities should be taking place (such as in the middle of the night when no employees are actively working)

(Indicator of Malware Attack)

Answer 66

Out-of-Cycle Logging

Question 67

If you are conducting a log review as a cybersecurity analyst and you see that there are gaps in your logs or if the logs have been cleared without any authorized reason

(Indicator of Malware Attack)

Answer 67

Missing Logs

Question 68

If a cybersecurity research or reporter published a report that shows that your organization’s network has been infected as part of a botnet or other malware-based attack

(Indicator of Malware Attack)

Answer 68

Published or Documented Attack