Malware Flashcards

Given a scenario, analyze indicators of malicious activity

1
Q

What is the primary goal of fileless malware?
A. Infect the file system to execute malicious code
B. Infect the system’s memory to execute malicious code
C. Target antivirus solutions with direct attacks
D. Leave a large amount of evidence on the system

A

Answer:
B. Infect the system’s memory to execute malicious code

Explanation:

Correct: Fileless malware operates in memory, avoiding reliance on the local file system to execute its payload.
Incorrect:
A: Fileless malware avoids the file system.
C: The goal is not to directly target antivirus but to bypass it.
D: Fileless malware leaves minimal evidence.

2
Q

(Choose Two)
Which of the following describe characteristics of fileless malware?
A. Relies heavily on the local file system
B. Executes directly in system memory
C. Often leaves behind limited evidence
D. Activates only with physical user interaction

A

Answer:
B. Executes directly in system memory
C. Often leaves behind limited evidence

Explanation:

Correct:
B: Fileless malware avoids the local file system and operates directly in memory.
C: It erases most traces after execution, leaving little evidence.
Incorrect:
A: Fileless malware does not rely on the local file system.
D: It can execute remotely without user interaction.

3
Q

What are the two primary components of the modern malware deployment model?
A. Downloader and Keylogger
B. Dropper and Downloader
C. Worm and Ransomware
D. Macro and Shell Code

A

Answer:
B. Dropper and Downloader

Explanation:

Correct: Modern malware uses a dropper to initiate infection and a downloader to retrieve additional malicious payloads.
Incorrect:
A, C, D: These combinations are unrelated to the deployment model.

4
Q

(Choose Three)
Which of the following are common malware delivery techniques?
A. Code Injection
B. Masquerading
C. DLL Sideloading
D. File Compression

A

Answer:
A. Code Injection
B. Masquerading
C. DLL Sideloading

Explanation:

Correct:
A, B, C: These are recognized malware delivery techniques used to inject malicious code or disguise it as legitimate software.
Incorrect:
D: File compression is more of an anti-forensic strategy, not a delivery method.

5
Q

What does the acronym “DLL” stand for in malware exploitation techniques?
A. Data Link Layer
B. Dynamic Link Library
C. Direct Link Loader
D. Digital Library Link

A

Answer:
B. Dynamic Link Library

Explanation:

Correct: DLL refers to a library of code that can be injected or sideloaded during an attack.
Incorrect: The other options do not apply to this context.

6
Q

What is the term for exploiting legitimate system tools, such as PowerShell, to conduct malicious activities?
A. Code Injection
B. Living off the Land
C. Shell Coding
D. Anti-Forensics

A

Answer:
B. Living off the Land

Explanation:

Correct: This strategy uses legitimate tools like PowerShell to mask malicious activities.
Incorrect:
A: Code injection disguises malicious code but is not the same as using system tools.
C: Shell coding is for executing exploits, not specifically leveraging legitimate tools.
D: Anti-forensics focuses on hiding malicious evidence, not tool exploitation.

7
Q

What are the four main stages of a modern malware attack?
A. Infiltration, Execution, Defense, Concealment
B. Installation, Execution, Expansion, Concealment
C. Dropper, Downloader, Action on Objectives, Concealment
D. Infiltration, Expansion, Exfiltration, Concealment

A

Answer:
C. Dropper, Downloader, Action on Objectives, Concealment

Explanation:

Correct: The attack involves initial infection (dropper), retrieval of tools (downloader), achieving goals (action on objectives), and hiding evidence (concealment).
Incorrect: Other options mix or misrepresent the stages of a malware attack.

8
Q

Which malware component retrieves additional tools after the initial infection?
A. Dropper
B. Downloader
C. Shell Code
D. Ransomware

A

Answer:
B. Downloader

Explanation:

Correct: Downloaders are designed to retrieve and install additional malware components.
Incorrect:
A: Droppers initiate the infection.
C: Shell code refers to lightweight code for exploits, not retrieval.
D: Ransomware is a type of malware, not a retrieval mechanism.

9
Q

What is the primary characteristic of a computer virus?
A. It always requires user permission to execute.
B. It replicates and spreads across a network once executed.
C. It cannot infect executable files.
D. It only affects internet-connected devices.

A

Answer:
B. It replicates and spreads across a network once executed.

Explanation:

Correct: A virus spreads across a network by replicating itself after user action, such as running a malicious program.
Incorrect Options:
A: Viruses often execute without the user’s explicit knowledge or permission.
C: Viruses commonly infect executable files.
D: Viruses can infect devices regardless of internet connectivity.

10
Q

(Choose Two)
Which two types of files are most commonly targeted by macro viruses?
A. Microsoft Word documents
B. Video files
C. Microsoft Excel spreadsheets
D. Operating system log files

A

Answer:
A. Microsoft Word documents
C. Microsoft Excel spreadsheets

Explanation:

Correct: Macro viruses often target Word and Excel files, embedding malicious code in documents.
Incorrect Options:
B: Video files are not common targets for macro viruses.
D: Log files are not typically associated with macro viruses.

11
Q

Which virus type combines boot sector and program virus characteristics?
A. Polymorphic virus
B. Multipartite virus
C. Macro virus
D. Stealth virus

A

Answer:
B. Multipartite virus

Explanation:

Correct: A multipartite virus infects the boot sector and programs, ensuring persistence even after partial removal.
Incorrect Options:
A: Polymorphic viruses primarily focus on evading detection by altering their code.
C: Macro viruses target office documents.
D: Stealth viruses use techniques to avoid detection.

12
Q

List the 10 types of computer viruses.

A

Answer:

Boot Sector
Macro
Program
Multipartite
Encrypted
Polymorphic
Metamorphic
Stealth
Armor
Hoax

Explanation:
These categories encompass various methods and techniques viruses use to infect systems and evade detection.

13
Q

What is the key characteristic of an encrypted virus?
A. It alters its code to evade detection.
B. It uses encryption to hide its malicious payload.
C. It embeds in documents like Word or Excel.
D. It resides in the boot sector of the hard disk.

A

Answer:
B. It uses encryption to hide its malicious payload.

Explanation:

Correct: Encrypted viruses scramble their malicious payloads to evade detection by anti-virus software.
Incorrect Options:
A: Altering code to evade detection describes a polymorphic virus.
C: Embedding in documents is characteristic of a macro virus.
D: Residing in the boot sector applies to boot sector viruses.

14
Q

(Choose Three)
Which of the following techniques are commonly used by stealth viruses to evade detection?
A. Encrypting contents
B. Modifying the payload
C. Hiding in boot sector
D. Changing decryption modules

A

Answer:
A. Encrypting contents
B. Modifying the payload
C. Hiding in boot sector

Explanation:

Correct: Stealth viruses use techniques like encryption and payload modification to avoid anti-virus detection.
Incorrect Option:
D: Changing decryption modules is specific to polymorphic viruses.

15
Q

What is the primary objective of a hoax virus?
A. To spread across networks and infect multiple devices.
B. To scare users into taking undesirable actions.
C. To install itself in the boot sector of a hard disk.
D. To corrupt critical system files.

A

Answer:
B. To scare users into taking undesirable actions.

Explanation:

Correct: Hoaxes rely on social engineering to trick users into actions that may compromise their systems.
Incorrect Options:
A: Hoaxes don’t replicate like viruses.
C: Boot sector infections are characteristic of boot sector viruses.
D: Hoaxes typically do not involve direct file corruption.

16
Q

What is the primary difference between a virus and a worm?

A. A virus can replicate without user interaction, while a worm requires user action.
B. A worm can replicate without user interaction, while a virus requires user action.
C. A virus and a worm both require user action to spread.
D. Neither viruses nor worms require user interaction to spread.

A

Correct Answer:
B. A worm can replicate without user interaction, while a virus requires user action.
Explanation: A virus requires user action, such as opening a file or clicking a link, to spread, whereas a worm spreads autonomously by exploiting vulnerabilities.

17
Q

(Choose Two)
Which of the following are reasons worms are considered dangerous?

A. They can disrupt network traffic by replicating excessively.
B. They require user action to spread.
C. They can exploit vulnerabilities in unpatched systems.
D. They are only a threat to standalone systems without network access.

A

Correct Answers:
A. They can disrupt network traffic by replicating excessively.
C. They can exploit vulnerabilities in unpatched systems.
Explanation: Worms are dangerous because they can overwhelm networks and computing resources by replicating and spreading autonomously through vulnerabilities.

18
Q

What specific vulnerability did the Conficker worm exploit in 2009?

A. A flaw in web browsers.
B. An issue in file and printer sharing on Windows systems.
C. A vulnerability in email clients.
D. Weak passwords on user accounts.

A

Correct Answer:
B. An issue in file and printer sharing on Windows systems.
Explanation: Conficker exploited a vulnerability in Windows’ file and printer sharing, which was addressed by the Microsoft patch 08-067.

19
Q

(Choose Two)
What indicators might suggest that a worm is present on a network?

A. Slow network performance due to resource exhaustion.
B. Files being encrypted and held for ransom.
C. Increased CPU and memory usage on multiple systems.
D. Unauthorized remote connections made to external command servers.

A

Correct Answers:
A. Slow network performance due to resource exhaustion.
C. Increased CPU and memory usage on multiple systems.
Explanation: Worms consume significant network and compute resources as they replicate, leading to performance degradation.

20
Q

Which worm was able to spread across the internet in just 22 minutes in 2001?

A. Conficker
B. Nimda
C. WannaCry
D. Stuxnet

A

Correct Answer:
B. Nimda
Explanation: Nimda, which is “admin” spelled backward, spread quickly across the internet, even in the era of slow dial-up connections.

21
Q

What action should organizations take to mitigate the spread of worms?

A. Disable all network connections.
B. Perform regular security patching and implement security controls.
C. Only install antivirus software.
D. Avoid using file-sharing applications.

A

Correct Answer:
B. Perform regular security patching and implement security controls.
Explanation: Regular patching and proper security controls prevent worms from exploiting known vulnerabilities.

22
Q

What is a potential outcome if a worm replicates too rapidly on a network?

A. It could encrypt all files on the system.
B. It could cause a denial-of-service (DoS) attack.
C. It could open backdoors for unauthorized access.
D. It could redirect traffic to malicious websites.

A

Correct Answer:
B. It could cause a denial-of-service (DoS) attack.
Explanation: Excessive replication of worms can overwhelm network and server resources, effectively causing a denial-of-service condition.

23
Q

What is the primary characteristic of a Trojan in cybersecurity?

A. It self-replicates without user interaction.
B. It is disguised as a harmless or desirable piece of software.
C. It primarily infects through USB devices.
D. It can only function when connected to the internet.

A

Correct Answer: B
Explanation: A Trojan is malicious software disguised as a harmless or desirable program to trick the user into running it. Once executed, it performs both the promised function and malicious actions.

Incorrect Options:

A: This describes a worm, not a Trojan.
C: While Trojans can spread via USB devices, this is not their defining characteristic.
D: Trojans can perform malicious actions offline or online; they are not limited to internet connectivity.

24
Q

Which type of Trojan provides attackers with remote control of a victim’s machine?

A. RAT (Remote Access Trojan)
B. Bootkit
C. Ransomware
D. Worm

A

Correct Answer: A
Explanation: A RAT (Remote Access Trojan) is a specific type of Trojan that allows attackers to gain remote control over the victim’s machine.

Incorrect Options:

B: A Bootkit targets the boot process of a system and is not related to remote access.
C: Ransomware encrypts files and demands payment but does not typically provide remote access.
D: Worms self-replicate but are not related to remote control functionality.

25
Q

What historical event inspired the name “Trojan” in cybersecurity?

A. The siege of Troy, where a wooden horse was used to infiltrate the city.
B. A virus outbreak in ancient Greece.
C. The use of malicious scripts in the early internet era.
D. A vulnerability in early Microsoft operating systems.

A

Correct Answer: A
Explanation: The term “Trojan” originates from the story of the Trojan horse used by the Greeks to infiltrate Troy, symbolizing how Trojans disguise themselves as harmless objects to gain access.

Incorrect Options:

B: The name does not come from a virus outbreak.
C: While Trojans appeared early in internet history, the name has historical roots.
D: While Microsoft OS vulnerabilities have been exploited, they are unrelated to the origin of the term “Trojan.”

26
Q

What is the best method to prevent Trojans from infecting your system?
(Choose Two)

A. Use strong passwords for all accounts.
B. Scan all downloaded programs with antivirus software.
C. Ensure systems are patched against known vulnerabilities.
D. Disable all USB ports on your computer.

A

Correct Answers: B, C
Explanation:

B: Scanning downloaded programs with antivirus software helps detect Trojans before execution.
C: Patching systems against known vulnerabilities reduces the risk of exploitation by Trojans.
Incorrect Options:

A: While strong passwords are essential for security, they do not prevent Trojan infections.
D: Disabling USB ports could prevent certain attacks but is not a comprehensive solution for Trojans.

27
Q

What malicious actions can Trojans perform once executed?
(Choose Three)

A. Create backdoors for persistent access.
B. Spread independently across a network.
C. Conduct data exfiltration to steal sensitive documents.
D. Perform denial-of-service (DoS) attacks.
E. Open a remote connection for attackers.

A

Correct Answers: A, C, E
Explanation:

A: Trojans often create backdoors to allow attackers to regain access.
C: Data exfiltration is a common malicious activity performed by Trojans.
E: Remote connections are a hallmark of Remote Access Trojans (RATs).
Incorrect Options:

B: This is a characteristic of worms, not Trojans.
D: While Trojans can contribute to DoS attacks indirectly, it is not their primary function.

28
Q

What made the infected Tetris game example a Trojan?

A. It failed to run as expected.
B. It was spread via the internet.
C. It contained malicious code that performed additional functions, like creating a remote connection.
D. It required user action to download and run.

A

Correct Answer: C
Explanation: The infected Tetris game contained malicious code that created a remote connection, which is a hallmark of a Trojan.

Incorrect Options:

A: The Trojan still ran as expected, making it deceptive.
B: This example involved floppy disks, not the internet.
D: While true for Trojans, this is not the defining characteristic illustrated in the example.

30
Q

What is the difference between a threat vector and an attack vector?
A. Threat vectors are limited to only the infiltration method, while attack vectors describe the full process from infiltration to infection.
B. Threat vectors describe methods of infection, while attack vectors describe how an attacker gains access to the system.
C. Threat vectors are about software vulnerabilities, while attack vectors are about social engineering.
D. Threat vectors and attack vectors are interchangeable terms used in cybersecurity.

A

Correct Answer: A. Threat vectors are limited to only the infiltration method, while attack vectors describe the full process from infiltration to infection.
Explanation: Threat vectors focus on the method of getting into the system (e.g., unpatched software, phishing), while attack vectors refer to the complete process that includes both infiltration and the infection stage.

B. Incorrect. Threat vectors are not directly about infection; they are only about the entry method.
C. Incorrect. Threat vectors can include various methods like USB drives and phishing, not just software vulnerabilities.
D. Incorrect. Threat vectors and attack vectors are not interchangeable, as they represent different parts of the malicious process.

31
Q

Which of the following would be an example of an attack vector?
A. A Trojan horse email sent to a user’s inbox
B. Using a zero-day exploit to breach a vulnerable software
C. Clicking on a malicious link that leads to malware installation
D. A malware-infected USB drive inserted into a target machine

A

Correct Answer: B. Using a zero-day exploit to breach a vulnerable software
Explanation: An attack vector is the means by which an attacker gains access to and infects a system. A zero-day exploit represents the full attack process—from exploiting the vulnerability to executing malware.

A. Incorrect. A Trojan horse email is an infiltration method (threat vector) but not a full attack vector.
C. Incorrect. Clicking a malicious link represents part of the attack vector process but not the full infection process.
D. Incorrect. The use of a USB drive as an infection method could be considered part of the attack vector, but it’s an infiltration method.

32
Q

Which of the following indicates a malicious attack vector being used on a network?
A. Unpatched operating system vulnerabilities being exploited by an attacker
B. A user mistakenly downloading a legitimate file from a trusted website
C. A user accessing a secure website without proper credentials
D. A software update that causes a network slowdown

A

Correct Answer: A. Unpatched operating system vulnerabilities being exploited by an attacker
Explanation: Exploiting unpatched vulnerabilities is a classic example of an attack vector. It combines infiltration (exploiting the vulnerability) and infection (deploying malicious code or taking control).

B. Incorrect. This is not an attack vector but rather a benign action.
C. Incorrect. While accessing a website without proper credentials could signal a security concern, it doesn’t directly represent an attack vector in the context of infection.
D. Incorrect. A network slowdown due to a software update isn’t an indicator of an attack vector.

33
Q

What is the role of a threat vector in a cyberattack scenario?
A. It is the way an attacker bypasses a system’s security and reaches the target.
B. It is the tool or software used by an attacker to infect a system.
C. It is the process of securing a system against unauthorized access.
D. It describes the method used to gain unauthorized access to a system.

A

Correct Answer: D. It describes the method used to gain unauthorized access to a system.
Explanation: A threat vector is any method that allows an attacker to infiltrate a system, such as phishing, USB drives, or unpatched software vulnerabilities.

A. Incorrect. This describes an attack vector, not a threat vector.
B. Incorrect. A tool or software is part of the infection process in an attack vector.
C. Incorrect. Securing a system is an action to prevent the use of threat vectors, not part of their role.

34
Q

What is ransomware designed to do?
(Choose One)
A. Block access to data by locking users out without encryption
B. Encrypt data to demand a ransom for decryption
C. Monitor system activity to alert users of vulnerabilities
D. Perform a system reset without user consent

A

Correct Answer: B. Encrypt data to demand a ransom for decryption
Explanation: Ransomware is designed to block access to a computer system or its data by encrypting it until a ransom is paid. The attacker demands payment in exchange for a decryption key to restore access to the encrypted files.

35
Q

Which of the following was a consequence of the 2021 Colonial Pipeline ransomware attack?
(Choose Two)
A. The pipeline was shut down for five days
B. It caused a data breach of sensitive customer information
C. The attackers demanded $4.4 million in Bitcoin
D. The pipeline experienced significant fuel supply disruptions

A

Correct Answers:
A. The pipeline was shut down for five days
C. The attackers demanded $4.4 million in Bitcoin
Explanation: The Colonial Pipeline attack led to a five-day shutdown, causing fuel shortages, panic buying, and a spike in gas prices. The attackers demanded and received $4.4 million in Bitcoin for the decryption key.

36
Q

What is the most tragic impact of the ransomware attack on the University Hospital in Dusseldorf, Germany?
(Choose One)
A. The hospital’s computer systems were fully restored
B. A patient died due to delayed emergency treatment
C. The attackers were caught and arrested
D. The hospital’s patients received ransom demands

A

Correct Answer: B. A patient died due to delayed emergency treatment
Explanation: The ransomware attack forced the hospital to divert emergency patients, resulting in a life-threatening delay for one patient, who died as a result. This incident marked the first known death linked to a ransomware attack.

37
Q

Which security best practice is recommended to mitigate the impact of a ransomware attack?
(Choose Two)
A. Regularly back up important data
B. Never install software updates
C. Use multi-factor authentication
D. Click on suspicious links in unsolicited emails

A

Correct Answers:
A. Regularly back up important data
C. Use multi-factor authentication
Explanation: Regular backups ensure data recovery in case of an attack, while multi-factor authentication adds an extra layer of security to prevent unauthorized access to systems.

38
Q

If you find yourself a victim of ransomware, which of the following should you do first?
(Choose One)
A. Immediately pay the ransom
B. Disconnect the infected system from the network
C. Restart the system and wait for the decryption key
D. Ignore the attack and continue working

A

Correct Answer: B. Disconnect the infected system from the network
Explanation: Disconnecting the infected system from the network prevents the ransomware from spreading to other machines and systems, reducing the overall impact of the attack.

39
Q

What is the primary reason why paying the ransom is discouraged?
(Choose Two)
A. Paying the ransom guarantees the attacker will give the decryption key
B. Paying the ransom funds future criminal behavior
C. It can encourage attackers to target the victim again
D. It ensures the recovery of lost data

A

Correct Answers:
B. Paying the ransom funds future criminal behavior
C. It can encourage attackers to target the victim again
Explanation: Paying the ransom doesn’t guarantee the attacker will provide the decryption key and instead funds further attacks. It can also increase the likelihood of future attacks from the same or other attackers.

40
Q

Which of the following is an effective way to prevent ransomware from exploiting system vulnerabilities?
(Choose One)
A. Use outdated antivirus software
B. Install regular software updates
C. Disregard security warnings from the system
D. Disable firewalls to improve system performance

A

Correct Answer: B. Install regular software updates
Explanation: Regular software updates ensure that known vulnerabilities, such as those exploited by ransomware (e.g., the EternalBlue exploit), are patched, reducing the risk of an attack.

41
Q

What is the primary purpose of a botnet?

A) To store illegal content across multiple devices
B) To launch a Distributed Denial of Service (DDoS) attack
C) To provide remote access to compromised devices for legitimate uses
D) To gather and store cryptocurrency

A

Correct answer: B) To launch a Distributed Denial of Service (DDoS) attack
Explanation:

A) To store illegal content across multiple devices: While botnets can be used for illegal activities like storing illegal content, this is not the primary purpose of a botnet. The main use is usually for launching attacks.
B) To launch a Distributed Denial of Service (DDoS) attack: Correct. Botnets are most commonly used to conduct DDoS attacks, where multiple machines attack a single target simultaneously to overload and crash the server.
C) To provide remote access to compromised devices for legitimate uses: This is incorrect. Botnets are created for malicious purposes, not legitimate uses.
D) To gather and store cryptocurrency: While botnets can be used for crypto mining (to steal processing power), this is just one of many possible uses. It is not the primary purpose.

42
Q

What is a “zombie” in the context of botnets?

A) A compromised computer or device under the control of an attacker
B) A command and control node that issues instructions to other devices
C) A type of malware used to infect devices
D) A server used to host illegal content

A

Correct answer: A) A compromised computer or device under the control of an attacker
Explanation:

A) A compromised computer or device under the control of an attacker: Correct. A zombie refers to a single compromised device that is part of a botnet and controlled remotely by an attacker.
B) A command and control node that issues instructions to other devices: This is incorrect. A command and control (C2) node is where the attacker sends commands, not the “zombie.”
C) A type of malware used to infect devices: This is not correct. The malware creates the botnet and turns devices into zombies, but the zombie itself is a device, not the malware.
D) A server used to host illegal content: This is incorrect. Zombies are compromised devices that perform tasks for the attacker, not servers for hosting illegal content.

43
Q

Which of the following is a common use of botnets?

A) Encrypting files for security purposes
B) Conducting Distributed Denial of Service (DDoS) attacks
C) Securing network connections
D) Preventing malware infections

A

Correct answer: B) Conducting Distributed Denial of Service (DDoS) attacks
Explanation:

A) Encrypting files for security purposes: This is incorrect. Botnets are not used for legitimate security purposes, such as encryption for security. They are used for malicious activities.
B) Conducting Distributed Denial of Service (DDoS) attacks: Correct. The most common use of botnets is to launch DDoS attacks, where many devices overwhelm a target server, causing it to crash.
C) Securing network connections: This is incorrect. Botnets are malicious and are not used for security or protecting networks.
D) Preventing malware infections: This is incorrect. Botnets are a form of malware used to infect and control devices, not to prevent infections.

44
Q

How do attackers typically avoid detection when using a botnet for tasks like crypto mining?

A) By using all of the device’s processing power
B) By using 20-25% of the device’s available processing power
C) By encrypting all their communications
D) By distributing the attack across multiple regions

A

Correct answer: B) By using 20-25% of the device’s available processing power
Explanation:

A) By using all of the device’s processing power: This is incorrect. Using all processing power would cause the device to become unresponsive, which would make it easier for the user to detect the compromise.
B) By using 20-25% of the device’s available processing power: Correct. Attackers avoid detection by using only a portion of the device’s processing power, making it harder for users to notice the abnormal behavior.
C) By encrypting all their communications: This is incorrect. While encryption may be used for certain tasks, it does not necessarily help with detection avoidance in the context of botnets.
D) By distributing the attack across multiple regions: This is not the main method of avoiding detection. The primary method is limiting the power used by the infected devices.

45
Q

What is the primary goal of a DDoS attack using a botnet?

A) To break through encryption schemes
B) To cause the target’s system to crash by overwhelming it with traffic
C) To mine cryptocurrency without the victim’s knowledge
D) To spread malware to other devices

A

Correct answer: B) To cause the target’s system to crash by overwhelming it with traffic
Explanation:

A) To break through encryption schemes: This is incorrect. While botnets can be used for brute-forcing encryption, DDoS attacks focus on overwhelming a target’s system with traffic.
B) To cause the target’s system to crash by overwhelming it with traffic: Correct. The goal of a DDoS attack is to send so much traffic to the target’s server that it crashes or becomes unavailable.
C) To mine cryptocurrency without the victim’s knowledge: This is incorrect in the context of DDoS. Crypto mining is another use of botnets, but it is not the goal of DDoS attacks.
D) To spread malware to other devices: This is incorrect. DDoS attacks do not focus on spreading malware but rather on disrupting service to a target.

46
Q

What is the primary function of a rootkit?
A) To create a backdoor for attackers
B) To gain administrative-level control over a system without detection
C) To monitor network traffic
D) To store illegal content on compromised systems

A

Correct Answer: B) To gain administrative-level control over a system without detection

Explanation: A rootkit’s primary function is to gain high-level administrative access (root or administrator) to a system and do so without being detected, making it extremely dangerous.
Incorrect Options:
A) Rootkits can provide access, but their primary function is not just creating backdoors.
C) While rootkits may be used for surveillance, monitoring network traffic is not their main function.
D) Rootkits may be used for malicious activities, but storing illegal content isn’t their primary function.

47
Q

Which permission ring is the most trusted in an operating system?
A) Ring 3
B) Ring 2
C) Ring 1
D) Ring 0

A

Correct Answer: D) Ring 0

Explanation: Ring 0, also called “kernel mode,” is the most trusted and powerful permission ring in an operating system. It allows the system to control critical hardware components.
Incorrect Options:
A) Ring 3 is the outermost and has the least privileges, typically used by regular users.
B) Ring 2 is not typically referenced in discussions about rootkits.
C) Ring 1 is for privileged access but not the most trusted.

48
Q

What technique do rootkits use to gain deeper access to a system?
A) Phishing
B) DLL injection
C) Brute force
D) Cross-site scripting (XSS)

A

Correct Answer: B) DLL injection

Explanation: DLL injection is a technique where malicious code is injected into a running process by exploiting dynamic link libraries (DLLs) on a Windows machine, helping rootkits hide.
Incorrect Options:
A) Phishing is used to steal sensitive information but not for rootkit installation.
C) Brute force is a method for cracking passwords, not related to rootkit functionality.
D) XSS is used for web-based attacks, not related to rootkit infiltration.

49
Q

What is the purpose of a “shim” in rootkit operations?
A) To inject malicious code into system processes
B) To prevent rootkits from being detected by antivirus software
C) To intercept and redirect communication between components
D) To perform encryption on system files

A

Correct Answer: C) To intercept and redirect communication between components

Explanation: A shim is a small piece of software that intercepts communication between two components; in the case of rootkits, it is used to redirect those calls to malicious code.
Incorrect Options:
A) The shim doesn’t inject code; it redirects calls between components.
B) While a shim can aid rootkits in evading detection, its main purpose is redirection, not prevention.
D) Shims do not perform encryption; their primary role is to redirect communication.

50
Q

What is the recommended method for detecting rootkits on a system?
A) Running antivirus software while logged in as a user
B) Booting the system normally and running a security scan
C) Using an external device to scan the internal hard drive
D) Monitoring network traffic for unusual activity

A

Correct Answer: C) Using an external device to scan the internal hard drive

Explanation: Rootkits are deeply embedded in the system, so using an external device to scan the internal hard drive (with live boot tools) is the most effective method.
Incorrect Options:
A) Running antivirus software while logged in is not effective, because rootkits can evade detection from within the running system.
B) Scanning the system in a normal booted state may not detect rootkits that are hiding deep within.
D) Monitoring network traffic is helpful for detecting certain attacks, but not for rootkits hiding in system internals.

51
Q

What is the main reason rootkits are difficult to detect?
A) They are too obvious and alert users immediately
B) They operate from the kernel, where they are hidden from the OS
C) They always delete system files
D) They use encryption to protect themselves from detection

A

Correct Answer: B) They operate from the kernel, where they are hidden from the OS

Explanation: Rootkits operate at a low level (kernel mode) in the operating system, which makes them very difficult to detect, as they can hide from both users and the OS itself.
Incorrect Options:
A) Rootkits are designed to be hidden, so they are not immediately obvious.
C) Rootkits do not necessarily delete files; they focus on hiding and controlling the system.
D) Rootkits are not primarily hidden by encryption, but by exploiting the system’s trust and access permissions.

52
Q

What is a backdoor in a computer system?
(Choose Two)
a) A method for bypassing normal security controls, often introduced by the system’s original programmers.
b) A feature that allows legitimate users to access systems more easily.
c) A security measure designed to strengthen a system’s authentication process.
d) A malware used to install unauthorized software on systems.

A

Answer:
a) Correct. A backdoor bypasses security and authentication controls, often created by system developers.
b) Incorrect. Backdoors are not designed to help legitimate users; they bypass security controls, often allowing unauthorized access.
c) Incorrect. Backdoors undermine security measures, rather than strengthening them.
d) Incorrect. While backdoors may be used to facilitate malware installation, they are not a type of malware themselves.

53
Q

What is a Remote Access Trojan (RAT)?
(Choose Two)
a) Malware used to give attackers remote access to a system.
b) A feature added to applications for fun, like Easter Eggs.
c) A tool that maintains persistent access to systems.
d) An anti-malware tool used to detect backdoors.

A

Answer:
a) Correct. RATs allow attackers to maintain remote access to a system.
b) Incorrect. Easter Eggs are harmless and serve as jokes, unlike RATs, which are malicious.
c) Correct. RATs allow attackers to maintain long-term access to the system.
d) Incorrect. RATs are malicious, not tools for detection.

54
Q

What is an Easter Egg in a software application?
(Choose Two)
a) A hidden feature or novelty, often a joke, inserted by software developers.
b) A method for attackers to hide malicious code in software.
c) A feature used to enhance the security of an application.
d) A vulnerability that can create additional security risks.

A

Answer:
a) Correct. Easter Eggs are hidden, non-functional features inserted as jokes.
b) Incorrect. Easter Eggs are not intended to hide malicious code, but they can sometimes expose vulnerabilities.
c) Incorrect. Easter Eggs do not enhance security; they can actually add risks.
d) Correct. Easter Eggs can introduce vulnerabilities due to lack of rigorous testing.

55
Q

What is the main difference between an Easter Egg and a logic bomb?
(Choose Two)
a) Easter Eggs are harmless jokes, while logic bombs are malicious code designed to execute under specific conditions.
b) Logic bombs are inserted as part of a developer’s fun features, while Easter Eggs are created by attackers.
c) Logic bombs execute harmful actions based on conditions like time or events, whereas Easter Eggs do not.
d) Easter Eggs are more dangerous than logic bombs because they can delete files.

A

Answer:
a) Correct. Easter Eggs are harmless jokes, while logic bombs have a malicious intent and are triggered by specific conditions.
b) Incorrect. Logic bombs are malicious, not fun features.
c) Correct. Logic bombs are triggered under certain conditions, whereas Easter Eggs are merely fun additions.
d) Incorrect. While Easter Eggs can create vulnerabilities, logic bombs are designed to cause harm under certain conditions.

56
Q

What is a logic bomb?
(Choose Two)
a) Malicious code inserted into software that executes when specific conditions are met.
b) A joke feature inserted by developers to amuse users.
c) A type of malware designed to delete files upon activation.
d) A harmless Easter Egg that executes at a specific time.

A

Answer:
a) Correct. Logic bombs are triggered by specific conditions and execute harmful actions.
b) Incorrect. Logic bombs have malicious intent, unlike Easter Eggs which are jokes.
c) Correct. Logic bombs can delete files or cause other harm when triggered.
d) Incorrect. Logic bombs are not harmless and are not intended for amusement like Easter Eggs.

57
Q

Why should modern applications avoid including backdoors, Easter Eggs, and logic bombs?
(Choose Two)
a) They go against secure coding standards and best practices.
b) They enhance the security of the system by providing hidden access points.
c) They can introduce vulnerabilities that attackers may exploit.
d) They are harmless features that pose no risk to the system.

A

Answer:
a) Correct. These practices violate secure coding standards and best practices.
b) Incorrect. These features undermine security by creating vulnerabilities.
c) Correct. They can create weaknesses that attackers might exploit.
d) Incorrect. These features are not harmless and can create risks in the system.

58
Q

What is a keylogger? (Choose Two)

A) A type of malware that records keystrokes on a computer or mobile device
B) A software designed to speed up computer performance
C) A device that prevents unauthorized access to devices
D) A tool that tracks the location of a device
E) A malicious tool used to steal sensitive information via recorded keystrokes

A

Answer:

A) A type of malware that records keystrokes on a computer or mobile device
E) A malicious tool used to steal sensitive information via recorded keystrokes
Explanation:

A and E are correct because a keylogger is malicious software or hardware that records keystrokes in order to steal sensitive information, such as usernames and passwords.
B and D are incorrect because keyloggers are not used for improving performance or tracking locations.
C is incorrect as keyloggers are designed to compromise security, not to protect it.

59
Q

Which of the following can help prevent keylogger attacks? (Choose Three)

A) Implementing multifactor authentication (MFA)
B) Conducting regular phishing awareness training
C) Installing more hardware on devices
D) Regularly updating and patching systems
E) Encrypting keystrokes sent to systems

A

Answer:

A) Implementing multifactor authentication (MFA)
B) Conducting regular phishing awareness training
D) Regularly updating and patching systems
Explanation:

A, B, and D are correct because implementing MFA ensures extra security beyond just passwords, educating users on phishing helps avoid software keyloggers, and regular updates close security vulnerabilities that could be exploited by keyloggers.
C is incorrect as adding more hardware does not specifically prevent keyloggers.
E is incorrect because, while encryption is a good practice, it was not mentioned in the lesson as a top preventive measure for keyloggers.

60
Q

What makes hardware-based keyloggers difficult to detect? (Choose Two)

A) They are installed via software updates
B) They resemble regular USB devices or keyboard cables
C) They can bypass anti-malware scans
D) They require specialized software to operate
E) They are disguised as application software

A

Answer:

B) They resemble regular USB devices or keyboard cables
C) They can bypass anti-malware scans
Explanation:

B and C are correct because hardware-based keyloggers are physically disguised as normal USB devices or keyboard cables, and they can bypass software-based security methods like antivirus scans.
A, D, and E are incorrect as hardware keyloggers do not rely on software updates, specialized software, or application disguise.

61
Q

Which of the following is a major risk posed by keyloggers in a corporate setting? (Choose Two)

A) Loss of financial data
B) Exposure of proprietary company information
C) Enhanced employee productivity
D) Compromise of customer confidentiality
E) Increased network speed

A

Answer:

B) Exposure of proprietary company information
D) Compromise of customer confidentiality
Explanation:

B and D are correct because keyloggers in a corporate environment can lead to the exposure of sensitive company data and compromise customer confidentiality, often resulting in reputational damage and financial loss.
A is incorrect because while personal financial data can be at risk in a personal setting, the focus in this context is on corporate information.
C and E are incorrect as they do not represent risks from keyloggers; they are unrelated to keylogger activity.

62
Q

What is spyware designed to do? (Choose Two)

A) Gather and send information about a user or organization without their knowledge
B) Improve system performance by managing resources
C) Monitor and transmit user data, such as passwords and credit card numbers
D) Provide advertisements based on user browsing habits
E) Protect personal data by encrypting it

A

Answer:

A) Gather and send information about a user or organization without their knowledge
C) Monitor and transmit user data, such as passwords and credit card numbers
Explanation:

A and C are correct because spyware is specifically designed to gather and transmit personal or sensitive data from users without their consent.
B, D, and E are incorrect because spyware is malicious software; it is not meant to improve performance or to protect data.

63
Q

By which of the following methods can spyware be installed? (Choose Two)

A) Bundled with other software
B) Downloaded from official app stores
C) Installed through a malicious website
D) Clicked from a deceptive pop-up advertisement
E) Installed with system updates

A

Answer:

A) Bundled with other software
C) Installed through a malicious website
Explanation:

A and C are correct because spyware can be bundled with legitimate software or installed through malicious websites that trick the user into downloading it.
B, D, and E are incorrect because spyware is typically not found in official app stores, and while pop-ups can be used for installation, system updates are not a typical installation method.

64
Q

Which of the following is a common feature of bloatware? (Choose Two)

A) It consumes storage and system resources
B) It is intentionally malicious and steals personal information
C) It promotes third-party services and products
D) It enhances system security and performance
E) It comes pre-installed on devices without user request

A

Answer:

A) It consumes storage and system resources
C) It promotes third-party services and products
Explanation:

A and C are correct because bloatware uses up system resources and is often installed for marketing purposes to promote services.
B, D, and E are incorrect because bloatware is not inherently malicious, does not improve system security, and is typically not something the user explicitly requested.

66
Q

What is the main difference between spyware and bloatware? (Choose One)

A) Spyware is malicious software that gathers personal data, while bloatware is non-malicious but unwanted software
B) Spyware is used for marketing, while bloatware steals personal information
C) Spyware is typically pre-installed on devices, while bloatware is downloaded from websites
D) Spyware enhances system performance, while bloatware slows down the system

A

Answer:

A) Spyware is malicious software that gathers personal data, while bloatware is non-malicious but unwanted software
Explanation:

A is correct because spyware is malicious and collects personal information, while bloatware is unwanted but generally non-malicious software pre-installed on devices.
B, C, and D are incorrect as they misrepresent the purposes and characteristics of spyware and bloatware.

67
Q

What are the nine common indicators of malware attacks?
(Choose Nine)
A. Account lockouts
B. Concurrent session utilization
C. Blocked content
D. Unauthorized software installations
E. Impossible travel
F. Resource consumption
G. Resource inaccessibility
H. Out-of-cycle logging
I. Missing logs
J. Published or documented attacks

A

Answer:
A. Account lockouts
B. Concurrent session utilization
C. Blocked content
E. Impossible travel
F. Resource consumption
G. Resource inaccessibility
H. Out-of-cycle logging
I. Missing logs
J. Published or documented attacks

Explanation:

Correct: These nine indicators highlight common signs of malware activity.
Incorrect: Unauthorized software installations (D) is not listed among the nine indicators in this context.

68
Q

Which of the following indicators suggest credential theft or brute force attempts by malware?
A. Resource inaccessibility
B. Account lockouts
C. Published or documented attacks
D. Out-of-cycle logging

A

Answer:
B. Account lockouts

Explanation:

Correct: Account lockouts occur when multiple failed login attempts trigger a security mechanism, often caused by credential theft or brute force malware.
Incorrect:
A: Resource inaccessibility refers to ransomware encrypting files.
C: Published or documented attacks indicate malware activity reported by external parties.
D: Out-of-cycle logging involves logs being generated at unusual times.

69
Q

What does the term “impossible travel” indicate in the context of malware attacks?
(Choose Two)
A. A user traveling internationally without informing the organization
B. A user account accessed from two distant locations in a short time
C. Simultaneous logins from multiple geographic locations
D. A sudden change in user access permissions

A

Answer:
B. A user account accessed from two distant locations in a short time
C. Simultaneous logins from multiple geographic locations

Explanation:

Correct:
B: Impossible travel indicates a compromised account used in geographically distant locations within an implausibly short timeframe.
C: Simultaneous logins point to malware hijacking user credentials.
Incorrect:
A describes travel, not a malware indicator.
D refers to permission changes, not impossible travel.

70
Q

Which malware indicator involves unusual spikes in CPU, memory, or network bandwidth utilization?
A. Blocked content
B. Resource consumption
C. Out-of-cycle logging
D. Concurrent session utilization

A

Answer:
B. Resource consumption

Explanation:

Correct: Resource consumption is caused by malware like cryptominers or botnets consuming system resources.
Incorrect:
A: Blocked content refers to alerts from cybersecurity tools.
C: Out-of-cycle logging indicates logs at unexpected times.
D: Concurrent session utilization involves multiple logins from the same account.

71
Q

What is the primary risk associated with missing logs in cybersecurity monitoring?
A. Increased CPU usage
B. Covering tracks of an attacker
C. Unusual spikes in bandwidth utilization
D. Unauthorized software installations

A

Answer:
B. Covering tracks of an attacker

Explanation:

Correct: Logs often go missing because attackers delete them to erase evidence of malicious activity.
Incorrect:
A and C describe resource consumption indicators.
D refers to software installation, not log manipulation.