P2L2 Flashcards

1
Q

what’s the goal of past malware?

A

fun and fame

2
Q

what’s the goal of modern malware?

A

profit and political gain

3
Q

modern malware is more sophisticated. (T/F)

A

True

4
Q

bots are also called zombies (T/F)

A

True

5
Q

what is a botnet

A
  • a coordinated network of bots, a network of compromised computers that the botmaster influences via C&C (command and control)
  • key platform for most internet-based attacks and frauds
6
Q

almost all spam is sent by botnets (T/F)

A

True

7
Q

are botnets used for profit or political activism?

A

True, both!

8
Q

most common botnet DDoS attack

A

the attacker orders bots to SYN flood the victim

9
Q

amplified distributed reflective attack

A

DDoS: the attacker orders bots to request a large TXT record while spoofing the victim's IP as the source, so the reply is sent to the victim

10
Q

an attacker doesn’t have to use his own computer in an attack (T/F)

A

True

11
Q

the characteristics of DNS help mitigate the effect of a DDoS attack (T/F)

A

False. DNS actually amplifies the effect of DDoS

12
Q

naive botnet C&C

A

spread bots and have them directly communicate back

13
Q

problems with naive botnet C&C

A
  • not stealthy. If someone catches a bot, they can trace back to the attacker
  • not robust: only 1 method of communication
14
Q

botnet C&C design considerations

A
  • efficient and reliable
  • stealthy
  • resilient
15
Q

bots require communication before an attack (T/F)

A

false

16
Q

bots are less likely to be found if they use custom communication (T/F)

A

false. That will make it stand out

17
Q

many botnets use DNS for C&C (T/F)

18
Q

DNS is good for C&C because?

A
  • DNS is always allowed. DNS is needed whenever a machine on the internet wants to talk to another machine
  • using DNS won’t make the bot stand out
19
Q

the way a bot looks up a domain is different from the way a machine looks up a web server

A
  • the domain is looked up by too many bots and is unknown to Google search
20
Q

how to detect botnet C&C domain

A

anomaly detection. Then have the DynDNS provider map that domain to a sinkhole

21
Q

APT is used for attack and phishing (T/F)

A

false, it’s used for high-value operations (like stealing designs)

22
Q

spear phishing

A

target specific individuals

23
Q

APT tries to infect as many machines as possible (T/F)

A

no, the whole purpose is to keep the footprint as small as possible

24
Q

Boy in the browser

A

changes network routing

25
Q

clickjacking

A

web user unknowingly clicks on something not as portrayed

26
Q

man in the browser

A

modifies webpages

27
Q

man in the middle

A

eavesdrops

28
Q

problem with malware static analysis

A

those that depend on runtime or input data cannot be analyzed by looking at the code

29
Q

problem with malware dynamic analysis

A

only reveals the behavior of the observed runs; won't show the complete picture

30
Q

analysis that looks at the program instruction by instruction

A

fine-grained

31
Q

signature-based approach is effective against packed malware (T/F)

A

false
33
Q

we can use the unpacked code as a signature to detect malware (T/F)

A

false

34
Q

the key to fine-grained-tracing-based universal unpacking algorithms

A

detecting the execution of code not in the static code model. Then unpack that part of the code, and use a signature-based approach to detect that part of the malware