Modern Malware Flashcards

1
Q

Which of the following viruses are classified by concealment?

a. Macrovirus
b. Encrypted virus
c. Polymorphic virus
d. Metamorphic virus
e. B, C, D
f. All of the above

A

e. B, C, D

2
Q

T/F: Improper handling of user input can lead to SQL injection.

A

True

3
Q

T/F: Metamorphic viruses are harder to detect than polymorphic viruses

A

True

4
Q

What is software called that collects information from the computer and transmits it to another system, monitoring keystrokes, network traffic and on-screen data?

a. Spammer programs
b. Keylogger
c. Spyware
d. Trojan horse

A

c. Spyware (page 185 and lecture slides)

5
Q

For each of the below, select whether the statement describes Spamming, Click Fraud, or Phishing:

a. Used by botmasters to fraudulently increase revenues from advertisers
b. Used to gather valuable financial information.
c. Infected machines send out unsolicited emails

A

a. Used by botmasters to fraudulently increase revenues from advertisers
Answer: Click Fraud

b. Used to gather valuable financial information.
Answer: Phishing

c. Infected machines send out unsolicited emails
Answer: Spamming

6
Q

List some examples of attacks and frauds by botnets:

A

Spam
DDoS
Click fraud
Phishing and pharming
Key logging
Key/password cracking
Anonymized terrorist and criminal communication
Cheating in online games/polls

7
Q

T/F: In DDoS attacks, the attacker does not have to use their own computer in the attack.

A

True

8
Q

T/F: In a DDoS attack, the number of computers involved in the attack makes it difficult to distinguish legitimate from malicious traffic.

A

True

9
Q

T/F: The characteristics of DNS servers help mitigate the effect of DDoS attacks.

A

False

10
Q

In C&C, how can the botmaster contact the compromised machines (bots) and use them?

A

The naive approach is to have victims contact the botmaster. This is insufficient because it can be easily defeated via ISP intervention, blackhole routing, etc…

11
Q

What are good Botnet C&C Design considerations from an attacker perspective?

A

a. Efficient and reliable: able to reach a sizable set of bots within a time limit
b. Stealthy: hard to detect (blended with normal/regular traffic)
c. Resilient: hard to disable or block

12
Q

T/F: Bots have more sophisticated communication capabilities than worms and viruses.

A

True

13
Q

T/F: Bots require direct communication with the C&C server before beginning an attack.

A

False

14
Q

T/F: Bots require direct communication with the C&C server before beginning an attack.

A

False. Bots may include conditions such as time to trigger an attack.

15
Q

T/F: A botnet will be less likely to be found if it uses custom communication protocols.

A

False. Custom communication protocols are more easily detected.

16
Q

How do we distinguish bots from worms/viruses?

A

The ability to perform C2 is a characteristic of bots, not worms or viruses

17
Q

What are some ways we can deal with botnet DNS lookups once we have identified a domain (e.g., hackerz.com) as a botnet master?

A

GT sinkhole: when a bot/victim makes a DNS request for hackerz.com, the DNS server responds with the IP address of a GT sinkhole.

In addition to cancelling communication to/from the botmaster, this approach allows researchers to inspect the IP addresses of infected machines.

18
Q

What do the following APT attacks do?

a. Boy in the Browser
b. Clickjacking
c. Man in the Browser
d. Man in the Middle
e. Keyloggers

A

a. Boy in the Browser: covertly changes a computer’s network routing
b. Clickjacking: web users unknowingly click on something that is not as it is portrayed
c. Man in the Browser: modifies web pages covertly
d. Man in the Middle: eavesdrops
e. Keyloggers: covertly records keystrokes

19
Q

What is malware static analysis and malware dynamic analysis?

A

a. Static analysis: understand what a malware instance would do if executed
b. Dynamic analysis: understand what a program does when executed

20
Q

Which of the following malware needs a host program (more than one may apply)?

a. Trapdoor
b. Viruses
c. Logic bombs
d. Worms
e. Botnets
f. APT

A

a, b, c

21
Q

_______ is an attack that exploits a security vulnerability occurring in the database layer of an application (such as queries).

A. Trojan horse
B. Logic bomb
C. SQLi
D. Buffer overflow

A

Answer C

Source: Book pg. 156

22
Q

T/F: Improper handling of user input can result in a SQL injection

A

Answer True

The attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements OR user input is not strongly typed.

Source: Book pg. 156

23
Q

SQLi attacks can be grouped into three main categories: _______, ________, and ______.

A. parameterized, user input, blind injection
B. second-order injection, out-of-band, parameterized
C. inferential, blind injection, inband
D. inband, inferential, out-of-band

A

Answer D

Source: Book pg 158

24
Q

What are the main avenues of attack for SQL injection?

A. Cookies
B. Server variables
C. User input
D. Second-order injection
E. Physical user input
F. All of the above
G. None of the above

A

Answer F

Source: Book pg. 158

25
Q

T/F: Defensive coding is an effective way to dramatically reduce the threat from SQLi

A

Answer True

Source: Book pg. 160

26
Q

_____ attack occurs when user input is incorrectly filtered for string escape characters or user input is not strongly typed.

A

Answer SQLi

Source: book p.156

27
Q

Illegal/logically incorrect queries often return overly descriptive errors from the application server and allow an attacker to gather important information about the server. This is part of what type of attack?

A

Answer inferential attack

Source: book p.159

28
Q

Which of the following are proper measures to defend against SQLi attacks?

a) user input validation
b) parameterized query insertion
c) SQL DOM
d) a and b
e) All of the above

A

Answer e)

Source: book p.160

29
Q

Which of the following detection methods for SQLi attacks defines a training phase to learn normal behavior?

A) Anomaly-based
B) Signature-based
C) Code analysis
D) None of the above

A

Answer A.

Anomaly-based detection attempts to define normal behavior and then detect behavior patterns outside the normal range.

Source: Book Chapter 5.4 Page 182

30
Q

There are _________ generations of antivirus software.

a) Two
b) Three
c) Four
d) Five

A

Answer c) Four

31
Q

A __________ virus is a virus that mutates with every infection, making detection by the “signature” of the virus impossible.

A. Metamorphic
B. Encrypted
C. Polymorphic
D. Stealth

A

Answer C

32
Q

Which of the following viruses are classified by concealment?

A) Macro Virus
B) Encrypted Virus
C) Polymorphic Virus
D) Metamorphic Virus
E) B, C, D
F) All of the above

A

Answer E. The viruses in B, C, and D fit this description. Macro viruses are classified by target rather than by concealment.

Source: Book Chapter 6.3 Page 215

33
Q

In which phase does a virus place a copy of itself into other programs?

A) Dormant Phase
B) Propagation Phase
C) Triggering Phase
D) Execution Phase

A

Answer B

Source: Book Chapter 6.3 Page 211

34
Q

Which type of document is not known to carry macro viruses?

A. Microsoft Word Document
B. Plain Text File
C. Adobe PDF File
D. Microsoft Excel File

A

Answer B

Source: page 212 Chapter 6.3

35
Q

T/F: Macro Viruses will manipulate call functions on the host document’s content only.

A

Answer False

Source: page 213 Chapter 6.3. Their ability to interact with other parts of the system is demonstrated by the “Melissa” macro virus, which uses a Windows system registry to keep track of infection status.

36
Q

T/F: Metamorphic Viruses are harder to detect than Polymorphic Viruses.

A

Answer True

Source: page 215 Chapter 6.3

37
Q

Which of the following is NOT a typical use case for botnets?

A) Spamming
B) DDoS attacks
C) Spear phishing
D) Sniffing traffic

A

Answer C

Spear phishing is a targeted attack whereas botnets are typically used as a swarm to work in concert to perform their attacks.

Source: Book P207

38
Q

Which malware was the first of a new generation that included aspects of virus, worm and trojan in one package?

a) Morris worm
b) Melissa e-mail worm
c) Code Red worm
d) WannaCry ransomware

A

Answer b)

Source: Global edition pg. 219, Chapter 6, Malicious Software

39
Q

What type of malware is an Easter egg?

a) Virus
b) Worm
c) Trojan
d) Trapdoor

A

Answer d

Source: Malicious Code slides

40
Q

What is software that collects information from a computer and transmits it to another system, monitoring keystrokes, network traffic and other on-screen data?

A.) Spammer Programs
B.) Keylogger
C.) Spyware
D.) Trojan Horse

A

Answer C.)

Source: Page 185

41
Q

Which type of malware is a program installed on an infected machine that is activated to launch attacks on other machines?

A) Virus
B) Trojan
C) Worm
D) Bot
E) Root Kit

A

Answer D

Source: Book Chapter 6.1 Page 207

42
Q

Which of the following properties are not commonly found in both Viruses and Worms?

A. Dormant, Propagation, Triggering, and Execution phases
B. May attempt to determine if a system has been previously infected
C. Requires a host program to run
D. Can be polymorphic to evade detection

A

Answer C

Source: Page 222, Chapter 6.4

43
Q

T/F: In order to increase the difficulty of an offline dictionary attack, a salt can be combined with a password before hashing.

A

Answer True

For a salt of length b bits, the number of possible passwords is increased by a factor of 2^b

Source: Book pg. 72

44
Q

In Information Security, a “logic bomb” generally refers to _____________

a. A useful program or command procedure but with hidden (malicious) side-effects
b. A program which secretly takes over another networked computer then uses it to indirectly launch attacks
c. A program that always sends large volumes of unwanted email
d. A program embedded in the malware that lies dormant until a predefined condition is met; it triggers an unauthorized act
e. A program that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system

A

Correct Answer: D

45
Q

__________ detection methods for SQL injection attacks are based on verifying distinct patterns. This approach must be routinely updated and may be unsuccessful against self-modifying attacks.

a. Anomaly based
b. Code analysis
c. Signature based
d. All of the above
e. None of the above

A

Correct Answer: C

46
Q

Which of the following components is always included in contemporary types of malware?

a. Infection mechanism
b. Header
c. Payload
d. Trigger
e. B & C
f. A, C, & D

A

Answer: F

47
Q

________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious action.

a. Behavior blocking software
b. Generic decryption technology
c. Heuristic scanners
d. Fingerprint-based scanners

A

Correct Answer: A