Malware and Indicators of Compromise Flashcards

1
Q

A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization’s internal file server and backup server crash at exactly the same time. Examining the servers, it appears that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware?

Crypto-malware

Worm

Logic bomb

A

Logic bomb

As both servers crashed at exactly the same time, this is most likely a logic bomb. A logic bomb is a piece of code that sits dormant until some event or date triggers its malicious payload, in this case 30 days after the disgruntled employee was fired. Her administrative access to both servers during her employment is what would have made planting it possible.

2
Q

A desktop system on your network has been compromised. Despite loading different operating systems using different media on the same desktop, attackers appear to have access to that system every time it is powered up and placed on the network. This could be an example of what type of rootkit?

Application

Kernel

Firmware

A

Firmware

This is most likely a firmware rootkit, living in the system firmware (BIOS/UEFI) or in the firmware of a device such as the video card or another expansion card. In the given scenario the rootkit has to reside outside the operating system and the applications loaded on that system, because reinstalling from different media did not remove it. Wiping or replacing the disk will not clear it either; the firmware itself has to be verified against a known-good image or reflashed.

3
Q

A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can’t tell what, if anything, was displayed in that command prompt window. Your colleague says “It’s been doing that for a while, but it’s no big deal.” Based on what you’ve seen, you suspect the animated screensaver is really what type of malware?

A worm

A Trojan

Ransomware

A

A Trojan

The animated screensaver is most likely a Trojan. The software appears to do one thing, but contains hidden, additional functionality. Your colleague brought the Trojan “inside the walls” when he downloaded and installed the software on his desktop.

4
Q

Several desktops in your organization are displaying a red screen with the message “Your files have been encrypted. Pay 1 bitcoin to recover them.” These desktops have most likely been affected by what type of malware?

Zotob worm

Adware

Ransomware

A

Ransomware

This is quite clearly ransomware. The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.

5
Q

While port scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with netcat, you see a prompt that reads “Enter password for access:”. Your server may be infected with what type of malware?

Cryptolocker

Backdoor

Spyware

A

Backdoor

This prompt most likely belongs to a backdoor, an alternate way of accessing the system that bypasses its normal authentication. The TCP service is listening for incoming connections and prompts for a password when a connection is established; providing the correct password would grant command-line access to the system. Before anything else, identify the process that owns the listener on the server itself (for example with ss -tlnp or lsof -i :31337) and preserve that evidence rather than trying passwords against the prompt.

6
Q

A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-ups every few minutes. It doesn’t seem to matter which websites are being visited—the pop-ups still appear. What type of malware does this sound like?

Adware

Virus

Ransomware

A

Adware

This is classic adware behavior. Unwanted pop-ups that appear during browsing sessions regardless of the website being viewed are very typical of adware.

7
Q

Your organization is struggling to contain a recent outbreak of malware. On some of the PCs, your antivirus solution is able to detect and clean the malware. On other PCs exhibiting the exact same symptoms, your antivirus solution reports the system is “clean.” These PCs are all running the same operating system and same antivirus software. What might be happening?

Your firewall rules are allowing attackers to backdoor those PCs.

The antivirus solution isn’t properly licensed on all systems.

Your systems are infected with polymorphic malware.

A

Your systems are infected with polymorphic malware.

This is most likely an infection with polymorphic malware. Polymorphic malware is designed to change its own code on a regular basis while retaining the same functionality. The changes in code are designed to mask the malware from signature-based detection. The “clean” PCs in this example are still infected, but with a variant whose bytes on disk no longer match any signature in the antivirus solution.
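The following is an added illustration, not code from the flashcards, of why the “clean” PCs above still fail a hash-based signature check while a check on what the code actually does still catches them. The payload string, the XOR encoding and the fixed decoder stub are all constructed stand-ins; they are not real malware and the stub is deliberately kept invariant so the difference between a hash signature, a byte-pattern signature and a behavioural check is visible.

```python
import hashlib

# Constructed toy sample: the "functionality" that stays the same in every
# variant.  This is a stand-in string, not real malware.
PAYLOAD = b"stand-in for the routine that every variant executes"

# Constructed invariant decoder stub.  A real polymorphic engine mutates the
# decoder too (or uses a metamorphic engine), which is why stub-based
# signatures are also only a partial answer; see the note after the block.
DECODER_STUB = b"\x90\x90STUB:xor8:"


def make_variant(key: int) -> bytes:
    """One 'generation' of the sample: identical payload, different bytes on disk."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    encoded = bytes(b ^ key for b in PAYLOAD)
    return DECODER_STUB + bytes([key]) + encoded


def decode_variant(blob: bytes) -> bytes:
    """What the stub does at run time: read the key and undo the XOR."""
    if not blob.startswith(DECODER_STUB):
        raise ValueError("not one of our variants")
    key = blob[len(DECODER_STUB)]
    return bytes(b ^ key for b in blob[len(DECODER_STUB) + 1:])


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_signature_matches(blob: bytes, known_hashes: set) -> bool:
    """Classic file-hash signature: exact match or nothing."""
    return sha256_hex(blob) in known_hashes


def stub_signature_matches(blob: bytes) -> bool:
    """Byte-pattern signature on the invariant decoder (what a YARA rule
    written against the decryptor would match)."""
    return DECODER_STUB in blob


def behaviour_matches(blob: bytes) -> bool:
    """Compare what actually runs after decoding, not the bytes on disk."""
    try:
        return decode_variant(blob) == PAYLOAD
    except ValueError:
        return False


def demo() -> dict:
    gen1 = make_variant(0x41)   # the sample the AV vendor got hold of
    gen2 = make_variant(0x7A)   # the variant now sitting on the "clean" PCs
    known = {sha256_hex(gen1)}  # signature database contains gen1 only
    return {
        "hashes_differ": sha256_hex(gen1) != sha256_hex(gen2),
        "gen1_hash_hit": hash_signature_matches(gen1, known),
        "gen2_hash_hit": hash_signature_matches(gen2, known),
        "gen2_stub_hit": stub_signature_matches(gen2),
        "gen2_behaviour_hit": behaviour_matches(gen2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows gen1 caught by its hash, gen2 missed by the hash but still caught by the stub pattern and by the post-decode comparison. In practice the decoder is mutated as well, so the durable detection is the behavioural one: what the sample does once it is running (the files it touches, the connections it makes), which is the same on every PC in the scenario.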

8
Q

Malware engineers sometimes take steps to prevent reverse engineering of their code. A virus, such as Zeus, that uses encryption to resist reverse engineering attempts is what type of malware?

Armored virus

Rootkit

RAT

A

Armored virus

An armored virus is a piece of malware specifically designed to resist reverse engineering. Zeus uses encryption in its attempts to prevent security researchers from learning how it works, how it communicates, and so on.

9
Q

A colleague can’t open any Word document he has stored on his local system. When you force open one of the documents to analyze it, you see nothing but seemingly random characters. There’s no visible sign the file is still a Word document. Regardless of what you use to view or open the Word documents, you don’t see anything but random characters. Your colleague was most likely a victim of what type of malware?

Virus

Crypto-malware

RAT

A

Crypto-malware

If specific file types are no longer usable and seem to be nothing but strings of random characters, it’s likely your colleague was a victim of crypto-malware. Crypto-malware encrypts files on a system to make them unusable to anyone without the decryption key. A quick check is whether the file still starts with the header bytes its format normally carries; an encrypted file has neither a recognisable header nor any readable text.
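As an added example (not part of the flashcards) covering both the ransomware card above and this one, the check below does what a responder would do to a folder of “unopenable” Word files: compare each file’s first bytes against the header its extension implies, and measure the byte entropy. The sample file contents are constructed in the script and are not real documents; the 7.5 bits-per-byte threshold is an assumed tuning value.

```python
import math
import os
import random
from collections import Counter

# Header bytes of the two Word container formats.
MAGICS = {
    ".doc": [bytes.fromhex("D0CF11E0A1B11AE1")],   # OLE2 compound document
    ".docx": [b"PK\x03\x04"],                       # ZIP container (OOXML)
}

# Above this many bits per byte the content looks like ciphertext or
# compressed data (assumed tuning value; compressed formats sit close to it,
# which is why the header check comes first).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, data: bytes) -> bool:
    return any(data.startswith(m) for m in MAGICS.get(ext.lower(), []))


def assess(filename: str, data: bytes) -> dict:
    """Verdict for one file: ok, header-mismatch, or likely-encrypted."""
    ext = os.path.splitext(filename)[1]
    ent = shannon_entropy(data)
    if header_matches(ext, data):
        verdict = "ok"
    elif ent >= ENTROPY_THRESHOLD:
        verdict = "likely-encrypted"   # wrong header AND ciphertext-like body
    else:
        verdict = "header-mismatch"    # wrong header but readable (renamed? corrupt?)
    return {"file": filename, "entropy": round(ent, 2), "verdict": verdict}


# --- constructed sample contents (not real documents) -----------------------
_rng = random.Random(1234)           # deterministic so the demo is repeatable


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: pseudo-random bytes with ~8 bits/byte of entropy."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLES = {
    # intact .doc: OLE header, then mostly low-entropy text
    "budget.doc": MAGICS[".doc"][0] + b"\x00" * 504 + b"Quarterly report text. " * 40,
    # intact .docx: ZIP header, high-entropy (compressed) body
    "plan.docx": MAGICS[".docx"][0] + _random_bytes(8192),
    # the two the colleague cannot open: no header, ciphertext-like throughout
    "memo.doc": _random_bytes(8192),
    "notes.docx": _random_bytes(8192),
    # a text file someone renamed: wrong header but plainly readable
    "todo.doc": b"1. call vendor\n2. file report\n" * 50,
}


def scan(samples: dict = SAMPLES) -> dict:
    """Map filename -> verdict for every sample."""
    return {name: assess(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
```

The header check is the primary signal: a .docx is a ZIP archive, so its body is already close to 8 bits per byte and entropy alone would flag healthy documents. Entropy is only used to separate “encrypted” from “merely mislabelled” once the header is already wrong.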

10
Q

An employee at your organization is concerned because her ex-spouse “seems to know everything she does.” She tells you her ex keeps accessing her e-mail and social media accounts even after she has changed her passwords multiple times. She is using a laptop at home that was a gift from her ex. Based on what you’ve been told, you suspect the laptop has what type of malware loaded on it?

Adware

Keylogger

Logic bomb

A

Keylogger

This is most likely a keylogger, a piece of software that records all keystrokes entered by the user. If the ex was able to retrieve the logs generated by the keylogger, he would see each new e-mail and social media password as it was being typed, which is why changing passwords on that laptop does not help.

11
Q

Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called “btmine” is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you’ve observed, you suspect these systems are infected with what type of malware?

Adware

Bot

Cryptolocker

A

Bot

These systems are most likely infected with a bot and are now part of a botnet. Each runs an unknown, unauthorized process (btmine) that communicates with an external IP address on UDP port 43232, and the CPU load falls as soon as the network is disconnected, which is consistent with the process taking its work or commands from a remote controller. These are all classic signs of bots and botnet activity; the process name and the CPU pattern also suggest the bots are being used for cryptocurrency mining.
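An added example, not from the flashcards, serving both the backdoor card (the unexpected TCP 31337 listener) and this one (the btmine process talking to an external host on UDP 43232): a small audit over socket-table rows that flags listeners outside a host’s baseline and connections to external peers on ports the host has no reason to use. The rows are constructed in the shape of ss -tunap output (IPv4 only) and were not captured from a real host; the allowlists are hypothetical values for a file server, and the peer addresses come from the documentation ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed rows in the shape of `ss -tunap` output (IPv4 only; not captured
# from a real host).  The peer column is "*" for sockets with no remote end.
SAMPLE = """\
Netid State  Local              Peer                Process
tcp   LISTEN 0.0.0.0:22         0.0.0.0:*           sshd
tcp   LISTEN 0.0.0.0:445        0.0.0.0:*           smbd
tcp   LISTEN 0.0.0.0:31337      0.0.0.0:*           srv
udp   UNCONN 0.0.0.0:123        0.0.0.0:*           ntpd
udp   ESTAB  10.0.0.15:51000    203.0.113.9:43232   btmine
tcp   ESTAB  10.0.0.15:44122    10.0.0.5:445        smbd
tcp   ESTAB  10.0.0.15:50211    198.51.100.4:443    updater
"""

# Assumed baseline for a file server (hypothetical values; tune per host role).
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 445), ("udp", 123)}
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80), ("udp", 123), ("udp", 53), ("tcp", 53)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse(text: str) -> List[Dict]:
    """Turn the table into records; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        netid, state, local, peer, proc = line.split()
        _lhost, lport = local.rsplit(":", 1)
        phost, pport = peer.rsplit(":", 1)
        rows.append({
            "proto": netid, "state": state, "lport": int(lport),
            "peer": phost, "pport": None if pport == "*" else int(pport),
            "proc": proc,
        })
    return rows


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(rows: List[Dict]) -> List[str]:
    """Two checks: listeners outside the baseline, and connections to external
    peers on ports the host has no business using."""
    findings = []
    for r in rows:
        if r["state"] in ("LISTEN", "UNCONN"):
            if (r["proto"], r["lport"]) not in ALLOWED_LISTENERS:
                findings.append(
                    f"unexpected listener {r['proto']}/{r['lport']} owned by {r['proc']}")
        elif r["pport"] is not None and not is_internal(r["peer"]):
            if (r["proto"], r["pport"]) not in ALLOWED_EGRESS:
                findings.append(
                    f"unexpected egress {r['proto']} to {r['peer']}:{r['pport']} from {r['proc']}")
    return findings


def audit(text: str = SAMPLE) -> List[str]:
    return find_suspicious(parse(text))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Both cards’ indicators come out of the same two rules: the 31337 listener fails the listener allowlist, and btmine’s UDP 43232 session to an external address fails the egress allowlist, while the internal SMB session and the HTTPS session are left alone. The value of the exercise is the baseline; without a per-role list of expected listeners and egress ports, a port scan only tells you what is open, not what should not be.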

12
Q

A piece of malware is infecting the desktops in your organization. Every hour more systems are infected. The infections are happening in different departments and in cases where the users don’t share any files, programs, or even e-mails. What type of malware can cause this type of infection?

Virus

BitLocker

Worm

A

Worm

This infection pattern is typical of a worm. Worms are self-propagating and don’t require any human interaction to spread to additional systems, which is why the infections cross departments and appear on systems whose users share no files, programs, or e-mails.

13
Q

Which of the following could be an indicator of compromise?

Unusual outbound network traffic

Increased number of logins

Large numbers of requests for the same file

All of the above

A

All of the above

Unusual network traffic, an increased number of logins, and large numbers of requests for the same file are all potential indicators of compromise. Individually each could be considered merely suspicious, but seen together and affecting the same system they would definitely warrant a deeper inspection of that system.
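The “individually suspicious, together worth a deeper look” point above is easiest to see in code, so here is an added correlation example that is not part of the flashcards. It counts the three indicators per host over constructed, already-normalised records (not real logs) and escalates only hosts where at least two fire at once. The thresholds are hypothetical per-host, per-hour baselines; the addresses are from the documentation ranges.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed, already-normalised records (not real logs) of the three kinds
# named on the card, as a SIEM might hold them for one hour.  "host" is the
# internal system each record is attributed to.
EVENTS: List[Dict] = (
    # 10.0.0.21: all three indicators at once
    [{"type": "web", "host": "10.0.0.21", "path": "/finance/payroll.xlsx"}] * 40
    + [{"type": "login", "host": "10.0.0.21", "user": "jsmith"}] * 9
    + [{"type": "netflow", "host": "10.0.0.21", "dst": "203.0.113.7", "bytes_out": 900_000_000}]
    # 10.0.0.22: ordinary browsing, one login, modest traffic
    + [{"type": "web", "host": "10.0.0.22", "path": f"/docs/page{i}.html"} for i in range(12)]
    + [{"type": "login", "host": "10.0.0.22", "user": "amiller"}]
    + [{"type": "netflow", "host": "10.0.0.22", "dst": "198.51.100.4", "bytes_out": 2_000_000}]
    # 10.0.0.23: a single indicator only (e.g. a polling client hammering one URL)
    + [{"type": "web", "host": "10.0.0.23", "path": "/status.json"}] * 30
)

# Assumed per-host, per-hour baselines (hypothetical tuning values).
THRESHOLDS = {"same_file_requests": 20, "logins": 5, "bytes_out": 100_000_000}


def indicators_per_host(events: List[Dict]) -> Dict[str, List[str]]:
    """Which of the three indicators fired for each host."""
    file_counts: Dict[str, Counter] = defaultdict(Counter)
    logins: Counter = Counter()
    bytes_out: Counter = Counter()
    for e in events:
        if e["type"] == "web":
            file_counts[e["host"]][e["path"]] += 1
        elif e["type"] == "login":
            logins[e["host"]] += 1
        elif e["type"] == "netflow":
            bytes_out[e["host"]] += e["bytes_out"]

    hosts = set(file_counts) | set(logins) | set(bytes_out)
    result = {}
    for h in sorted(hosts):
        hits = []
        top = max(file_counts[h].values(), default=0)   # most-requested single file
        if top >= THRESHOLDS["same_file_requests"]:
            hits.append("repeated-file-requests")
        if logins[h] >= THRESHOLDS["logins"]:
            hits.append("login-spike")
        if bytes_out[h] >= THRESHOLDS["bytes_out"]:
            hits.append("unusual-outbound")
        result[h] = hits
    return result


def triage(events: List[Dict], min_indicators: int = 2) -> List[str]:
    """Hosts where at least min_indicators fired together: the ones worth a deeper look."""
    return [h for h, hits in indicators_per_host(events).items() if len(hits) >= min_indicators]


if __name__ == "__main__":
    for host, hits in indicators_per_host(EVENTS).items():
        print(host, hits or "-")
    print("escalate:", triage(EVENTS))
```

With the sample data only 10.0.0.21 is escalated: 10.0.0.23 trips one indicator (a single file fetched 30 times), which on its own is as likely to be a misbehaving client as an attacker, and the min_indicators knob is what keeps that noise out of the queue.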

14
Q

You notice some unusual network traffic and discover several systems in your organization are communicating with a rather dubious “market research” company on a regular basis. When you investigate further you discover that users of the affected systems all installed the same piece of freeware. What might be happening on your network?

These users unwittingly installed spyware.

These systems are all infected with ransomware.

This could be normal behavior and nothing to worry about.

A

These users unwittingly installed spyware.

If all the users installed the same piece of freeware, it is likely they are all infected with spyware. Spyware records and reports user behavior and can do everything from recording keystrokes to monitoring web usage. Spyware is often bundled with freeware, and the regular reporting back to the “market research” company is the behavior you are seeing on the network.

15
Q

Which of the following are characteristics of remote-access Trojans?

They can be deployed through malware such as worms.

They allow attackers to connect to the system remotely.

They give attackers the ability to modify files and change settings.

All of the above.

A

All of the above.

All of these are characteristics of remote-access Trojans (RATs). RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.
