Malware and Social Engineering Flashcards
What is the difference between a worm and a virus?
A. A worm is self-replicating but a virus isn’t self-replicating
B. A virus is self-replicating but a worm isn’t self-replicating
C. A virus runs in response to an event such as a date, but a worm runs on its own schedule
D. A worm runs in response to an event such as a date, but a virus runs on its own schedule
A. A worm is self-replicating. Viruses are not self-replicating but require user interaction to run. A logic bomb runs in response to an event such as a date, but worms and viruses do not run in response to events.
After downloading pirated software, a user notices the computer is running very slowly and antivirus software is detecting malware. What likely happened?
A. The user installed a Trojan
B. The user installed a worm
C. The user installed a logic bomb
D. The user installed a botnet
B. Users can unknowingly transfer and install Trojan horse malware onto their systems with USB thumb drives. Spam is unwanted e-mail filtered with anti-spam software. A buffer overflow occurs when a system receives unexpected data or more data than the program can handle. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.
What type of malware do users inadvertently install with USB thumb drives?
A. Spam
B. Trojans
C. Buffer overflow
D. Logic bomb
B. Users can unknowingly transfer and install Trojan horse malware onto their systems with USB thumb drives. Spam is unwanted e-mail filtered with anti-spam software. A buffer overflow occurs when a system receives unexpected data or more data than the program can handle. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.
At 9 a.m. on January 31, an administrator starts receiving alerts from monitoring systems indicating problems with servers in the datacenter. He discovers that all servers are unreachable. Of the following choices, what is the most likely cause?
A. Logic bomb
B. XSRF attack
C. Buffer overflow
D. Rootkit
A. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date, and since all the servers are affected at the same time, this is the most likely cause. An XSRF occurs when an attacker tricks a user into performing an action on a website. A buffer overflow attack occurs when an attacker sends more data to a single system than it can handle and overwrites memory locations, and would not affect all servers at the same time. A rootkit provides attackers with system or kernel access on a single system and can modify file system operations on that single system.
An employee has added malicious code into the company’s personnel system. The code verifies the employment status of the employee once a month. If the check shows the person is no longer an active employee, it launches attacks on internal servers. What type of code is this?
A. Botnet
B. Logic bomb
C. Trojan
D. Adware
B. A logic bomb is a program or code snippet that executes in response to an event and can execute after checking for a condition. A botnet is a group of computers controlled through command and control software, and commonly launches DDoS attacks. A Trojan appears to be something useful but instead includes something malicious, whereas the code in this question is strictly malicious. Adware may open and close windows with advertisements, and pop-up blockers can block it.
A process running on a system has system level access to the operating system kernel. Investigation shows that it has modified system files. What best describes this behavior?
A. Rootkit
B. Worm
C. Cross-site scripting
D. Adware
A. Rootkits provide attackers with system level (or kernel) access and can modify file system operations. A worm is self-replicating malware but wouldn’t typically have system level access. Cross-site scripting allows an attacker to inject malicious code into a website’s HTML pages. Adware may open and close windows with advertisements, but wouldn’t modify administrative access.
Where would a security specialist look for a hooked process?
A. Rootkit
B. Disk
C. RAM
D. Firewall log
C. Processes (including hooked processes) are stored and run from random access memory (RAM), so experts look in RAM for hooked processes. A rootkit commonly uses a hooked process, but examining files in the rootkit would not identify a hooked process. Rootkit files would be stored on the drive but not hooked processes. A firewall log can record firewall activity but it wouldn’t include information on hooked processes.
A file integrity checker on a database server detected several modified system files. What could cause this?
A. Spam
B. Buffer overflow
C. Logic bomb
D. Rootkit
D. Rootkits have system level (or kernel) access and can modify system files (detectable with host-based intrusion detection systems or antivirus software file integrity checkers). Spam is unwanted e-mail and doesn’t modify system files. A buffer overflow occurs when a vulnerable application receives unexpected data that it can’t handle, but it isn’t necessarily an attack. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.
What can you use to block unsolicited e-mail?
A. Spam filter
B. Rootkit
C. Spyware
D. Antivirus software
A. A spam filter filters out, or blocks, unsolicited e-mail (spam). A rootkit is malicious software with kernel level access that hides its processes to prevent detection. Spyware is software installed on users’ systems without their awareness or consent. Antivirus software can detect viruses, worms, and Trojan horses.
What can reduce unwanted e-mail that contains advertisements?
A. Anti-spam software
B. Antivirus software
C. File integrity checkers
D. Botnet software
A. Anti-spam software can filter out unwanted or unsolicited e-mail (also called spam). Antivirus software detects and blocks malware such as viruses, worms, and Trojans. File integrity checkers can detect whether a rootkit has modified system files. A botnet is a network of multiple computers that attackers use to send spam and attack other systems.
A user’s system has spyware installed. What is the most likely result?
A. Loss of root level access
B. Loss of confidentiality
C. Loss of integrity
D. Loss of anonymity on the Internet
B. Spyware collects user data and results in the loss of confidentiality. A rootkit may remove a user’s root level access. Spyware rarely disables systems or modifies data, so integrity is not lost, though spyware may slow a system down. There is no such thing as anonymity on the Internet, with or without spyware.
Additional windows are appearing when a user surfs the Internet. These aren’t malicious, but the user wants them to stop. What can stop this behavior?
A. Antivirus software
B. Host-based firewall
C. Pop-up blocker
D. Input validation
C. Pop-up windows are windows that appear while browsing, and a pop-up blocker blocks them. Antivirus software can detect and remove many types of malware but cannot block pop-ups. Firewalls can block intrusions but can’t block pop-ups. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks.
What type of signature-based monitoring can detect and remove known worms and Trojans?
A. Anti-spyware
B. NIDS
C. NIPS
D. Antivirus
D. Antivirus software monitors a system and can detect and remove known malware (including worms and Trojans) based on signatures. Anti-spyware detects spyware, and while it can detect some types of malware, it isn’t as reliable as antivirus software at detecting malware. Intrusion detection and prevention systems do not remove malware such as worms and Trojans, though they may detect network activity from a worm.
A user’s computer has recently been slower than normal and has been sending out e-mail without user interaction. Of the following choices, what is the best choice to resolve this issue?
A. Botnet software
B. Anti-spam software
C. Anti-spyware software
D. Antivirus software
D. Antivirus software can resolve many types of malware infections, and this activity indicates an infection possibly related to a botnet. Botnet software is malware that joins a computer to a botnet; it does not resolve problems but causes them. Anti-spam software can block incoming spam but wouldn’t remove malware or block outgoing e-mails. Anti-spyware software detects spyware and some malware, but isn’t as good a choice as antivirus software.
While surfing the Internet, a user sees a message indicating a malware infection and offering free antivirus software. The user downloads the free antivirus software but realizes it infected the system. Which of the following choices best explains what happened to the user?
A. Social engineering
B. Trojan
C. Vishing
D. Spim
A. The user was tricked by the website using a sophisticated form of social engineering. The system, not the user, was infected with a Trojan commonly known as rogueware or scareware. Vishing is a form of phishing that uses recorded voice over the telephone. Spim is a form of spam using instant messaging (IM).