Modern Malware Flashcards
Which of the following viruses are classified by concealment?
a. Macrovirus
b. Encrypted virus
c. Polymorphic virus
d. Metamorphic virus
e. B, C, D
f. All of the above
e. B, C, D
T/F: Improper handling of user input can lead to SQL injection.
True
T/F: Metamorphic viruses are harder to detect than polymorphic viruses
True
What is software called that collects information from a computer and transmits it to another system, monitoring keystrokes, network traffic and on-screen data?
a. Spammer programs
b. Keylogger
c. Spyware
d. Trojan horse
c. Spyware (page 185 and lecture slides)
For each of the below, select whether the statement describes Spamming, Click Fraud, or Phishing:
a. Used by botmasters to fraudulently increase revenues from advertisers
b. Used to gather valuable financial information.
c. Infected machines send out unsolicited emails
a. Used by botmasters to fraudulently increase revenues from advertisers
Answer: Click Fraud
b. Used to gather valuable financial information.
Answer: Phishing
c. Infected machines send out unsolicited emails
Answer: Spamming
List some examples of attacks and frauds by botnets:
Spam, DDoS, click fraud, phishing and pharming, keylogging, key/password cracking, anonymized terrorist and criminal communication, cheating in online games/polls
T/F: In DDoS attacks, the attacker does not have to use his own computer in the attack
True
T/F: In a DDoS attack, the quantity of computers involved in the attack makes it difficult to distinguish legitimate from malicious traffic
True
T/F: The characteristics of DNS servers help mitigate the effect of DDoS attacks.
False
In C&C, how can the bot master contact the compromised machines (bots) and use them?
The naive approach is to have victims contact the botmaster. This is insufficient because it can be easily defeated via ISP intervention, blackhole routing, etc…
What are good Botnet C&C Design considerations from an attacker perspective?
a. Efficient and reliable: able to reach a sizable set of bots within a time limit
b. Stealthy: hard to detect (blended with normal/regular traffic)
c. Resilient: hard to disable or block
T/F: Bots have more sophisticated communication capabilities than worms and viruses.
True
T/F: Bots require direct communication with the C&C server before beginning an attack.
False. Bots may include conditions such as time to trigger an attack.
T/F: A botnet will be less likely to be found if it uses custom communication protocols.
False. Custom communication protocols are more easily detected.
How do we distinguish between bots vs worms/viruses?
The ability to perform C2 is a characteristic of bots, not worms or viruses
What are some ways we can deal with botnet DNS lookups once we have identified a domain (e.g. hackerz.com) as a botnet master?
GT sinkhole: when a bot/victim makes a DNS request for hackerz.com, the DNS server responds with the IP address of a GT sinkhole.
In addition to cancelling communication to/from the bot master, this approach allows researchers to inspect the IPs of infected machines.
What do the following APT attacks do?
a. Boy in the Browser
b. Clickjacking
c. Man in the Browser
d. Man in the Middle
e. Keyloggers
a. Boy in the Browser: covertly changes a computer’s network routing
b. Clickjacking: web users unknowingly click on something that is not as it is portrayed
c. Man in the Browser: modifies web pages covertly
d. Man in the Middle: eavesdrops
e. Keyloggers: covertly records keystrokes
What is malware static analysis and malware dynamic analysis?
a. Static analysis: understand what a malware instance would do if executed
b. Dynamic analysis: understand what a program does when executed
Which of the following malware types need a host program (more than one may apply)?
a. Trapdoor
b. Viruses
c. Logic bombs
d. Worms
e. Botnets
f. APT
a, b, c
_______ is an attack that exploits a security vulnerability occurring in the database layer of an application (such as queries).
A. Trojan horse
B. Logic bomb
C. SQLi
D. Buffer overflow
Answer C
Source: Book pg. 156
T/F: Improper handling of user input can result in a SQL injection
Answer True
The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements OR user input is not strongly typed.
Source: Book pg. 156
SQLi attacks can be grouped into three main categories: _______, ________, and ______.
A. parameterized, user input, blind injection
B. second-order injection, out-of-band, parameterized
C. inferential, blind injection, inband
D. inband, inferential, out-of-band
Answer D
Source: Book pg 158
What are the main avenues of attack for SQL injection?
A. Cookies
B. Server variables
C. User input
D. Second-order injection
E. Physical user input
F. All of the above
G. None of the above
Answer F
Source: Book pg. 158
T/F: Defensive coding is an effective way to dramatically reduce the threat from SQLi
Answer True
Source: Book pg. 160
A _____ attack occurs when user input is incorrectly filtered for string escape characters or user input is not strongly typed.
Answer SQLi
Source: book p.156
Illegal/logically incorrect queries often return overly descriptive errors from the application server and allow an attacker to gather important information about the server. This is part of what type of attack?
Answer inferential attack
Source: book p.159
Which of the following are proper measures to defend against SQLi attacks?
a) user input validation
b) parameterized query insertion
c) SQL DOM
d) a and b
e) All of the above
Answer e)
Source: book p.160
Which of the following detection methods for SQLi attacks defines a training phase to learn normal behavior?
A) Anomaly-based
B) Signature-based
C) Code analysis
D) None of the above
Answer A.
Anomaly-based detection attempts to define normal behavior, then detects behavior patterns outside the normal range.
Source: Book Chapter 5.4 Page 182
There are _________ generations of antivirus software.
a) Two
b) Three
c) Four
d) Five
Answer c) Four
A __________ virus is a virus that mutates with every infection, making detection by the “signature” of the virus impossible.
A. Metamorphic
B. Encrypted
C. Polymorphic
D. Stealth
Answer C
Which of the following viruses are classified by concealment?
A) Macro Virus
B) Encrypted Virus
C) Polymorphic Virus
D) Metamorphic Virus
E) B, C, D
F) All of the above
Answer E. The viruses in B, C, D fit this description; macro viruses are classified by target rather than by concealment.
Source: Book Chapter 6.3 Page 215
In which phase does a virus place a copy of itself into other programs?
A) Dormant Phase
B) Propagation Phase
C) Triggering Phase
D) Execution Phase
Answer B
Source: Book Chapter 6.3 Page 211
Which type of document is not known to carry macro viruses?
A. Microsoft Word Document
B. Plain Text File
C. Adobe PDF File
D. Microsoft Excel File
Answer B
Source: page 212 Chapter 6.3
T/F: Macro viruses only manipulate or call functions on the host document's content.
Answer False
Source: page 213 Chapter 6.3. Their ability to interact with other parts of the system is demonstrated by the "Melissa" macro virus, which uses the Windows system registry to keep track of infection status.
T/F: Metamorphic Viruses are harder to detect than Polymorphic Viruses.
Answer True
Source: page 215 Chapter 6.3
Which of the following is NOT a typical use case for botnets?
A) Spamming
B) DDoS attacks
C) Spear phishing
D) Sniffing traffic
Answer C
Spear phishing is a targeted attack whereas botnets are typically used as a swarm to work in concert to perform their attacks.
Source: Book P207
Which malware was the first of a new generation that included aspects of virus, worm and trojan in one package?
a) Morris worm
b) Melissa e-mail worm
c) Code Red worm
d) WannaCry ransomware
Answer b)
Source: global edition pg. 219, Chapter 6, Malicious Software
What type of malware is an Easter egg?
a) Virus
b) Worm
c) Trojan
d) Trapdoor
Answer d
Source: Malicious Code slides
What is software that collects information from a computer and transmits it to another system, monitoring keystrokes, network traffic and other screen data?
A.) Spammer Programs
B.) Keylogger
C.) Spyware
D.) Trojan Horse
Answer C.)
Source: page 185
Which type of malware is a program installed on an infected machine that is activated to launch attacks on other machines?
A) Virus
B) Trojan
C) Worm
D) Bot
E) Root Kit
Answer D
Source: Book Chapter 6.1 Page 207
Which of the following properties is not commonly found in both viruses and worms?
A. Dormant, Propagation, Triggering, and Execution phases
B. May attempt to determine if a system has been previously infected
C. Requires a host program to run
D. Can be polymorphic to evade detection
Answer C
Source: Page 222, Chapter 6.4
T/F: In order to increase the difficulty of an offline dictionary attack, a salt can be combined with a password before hashing
Answer True
For a salt of length b bits, the number of possible passwords is increased by a factor of 2^b
Source: Book pg. 72
In Information Security, a “logic bomb” generally refers to _____________
a. A useful program or command procedure but with hidden (malicious) side-effects
b. A program which secretly takes over another networked computer then uses it to indirectly launch attacks
c. A program that always sends large volumes of unwanted email
d. A program embedded in the malware that lies dormant until a predefined condition is met; it triggers an unauthorized act
e. A program that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system
Correct Answer: D
__________ detection methods for SQL injection attacks are based on verifying distinct patterns. This approach must be routinely updated and may be unsuccessful against self-modifying attacks.
a. Anomaly based
b. Code analysis
c. Signature based
d. All of the above
e. None of the above
Correct Answer: C
Which of the following components is always included in contemporary types of malware?
a. Infection mechanism
b. Header
c. Payload
d. Trigger
e. B & C
f. A, C, & D
Answer: F
________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious action.
a. Behavior blocking software
b. Generic decryption technology
c. Heuristic scanners
d. Fingerprint-based scanners
Correct Answer: A