Module 6: Handling Malicious Code Incidents

Question 1

What is a virus

Answer 1

Small malicious codes that are attached to files in computers and replicate themselves to spread and infect other files without the user’s knowledge or permission

Question 2

How do viruses spread

Answer 2

Through email attachments, instant messages, download from the Internet, etc.

Question 3

Viruses are generally characterized as

Answer 3

• File infectors (attached to programs or files)
• System or boot-record infectors (infect executable code)
• Macro viruses (Infect Word application)

Question 4

What is a worm

Answer 4

A self-replicating computer program

Question 5

How does a worm spread

Answer 5

Worms spread automatically by infecting one system after the other in a network, and even spreading further to other networks

Question 6

TRUE or FALSE: A worm relies for a user’s action for execution

Answer 6

FALSE

Question 7

What is a Trojan

Answer 7

Malicious programs masked as a genuine harmless program

Question 8

How does a Trojan work

Answer 8

Install backdoors on user’s system and allows unauthorized access to the attacker

Question 9

What is spyware

Answer 9

Software that gathers user information without user’s knowledge

Question 10

How does one generally start the preparation for preventing malware

Answer 10

Installing anti-virus software and backing up important data

Question 11

What are the 10 steps to handling malware incidents

Answer 11

1. Establish malicious code security policy
2. Install antivirus software
3. Check all downloaded files and email attachments for infection
4. Check all the removable media such as USB, diskettes, etc.
5. Users must be aware of malicious code issues
6. Study the antivirus vendor bulletins
7. Install host based IDS’s on critical hosts
8. Collect malware incident analysis resources
9. Acquire malware incident mitigation software
10. Establish the procedures for reporting of malicious code incident

Question 12

TRUE or FALSE: A point of contact for reporting malicious code is needed

Answer 12

TRUE

Question 13

How can spyware be prevented

Answer 13

Disabling a user’s web browser such that it prevents the installation of plug-ins

Question 14

What is one way to help make sure users handle email attachments properly

Answer 14

Educate the users

Question 15

.exe, .txt, .vbs, .htm are all examples of files that need to be what

Answer 15

Blocked due to malicious file extensions. Especially on the email server and client

Question 16

How might a user know if they have a virus

Answer 16

• Files are deleting, are corrupted, or inaccessible
• Computer runs slowly or crashes
• Sudden increase in emails and crashes
• Odd messages and graphics

Question 17

How might a user know if they have a worm

Answer 17

• Increase network bandwidth
• Failed connections
• Programs running slowly or do not start
• System crashes

Question 18

How might a user know if they have a Trojan

Answer 18

• IDS, firewall, and router alert on suspicious client-server connections
• Unknown processes being executed
• High amount of network traffic
• Programs running slowly or do not start
• System crashes

Question 19

What are the steps in a malware containment strategy

Answer 19

• Disconnect infected hosts from the network & the network from the Internet
• Register malicious code with antivirus (submit sophos sample)
• Block emails & particular hosts
• Shut down email servers
• Soliciting user participation
• Disable services
• Disable connectivity

Question 20

What are the three techniques to identify the infected host

Answer 20

1. Forensic Identification
2. Active Identification
3. Manual Identification

Question 21

Why is it hard to find the original source of the malicious code

Answer 21

Malware can be transmitted automatically or accidentally by the infected users

Question 22

Why is forensic identification more advantageous

Answer 22

Data is collected beforehand and the applicable data is simply extracted from the complete data set

Question 23

What should a user do if the anti-malware software cannot disinfect infected files

Answer 23

The files need to be deleted or removed

Question 24

What should a user do if the files are deleted by the malware

Answer 24

Restore the files through backups