P2L2

Question 1

what’s the goal of past malware?

Answer 1

fun and fame

Question 2

what’s the goal of modern malware?

Answer 2

profit and political gain

Question 3

modern malware is more sophisticated. (T/F)

Answer 3

True

Question 4

bots is also called zombies (T/F)

Answer 4

True

Question 5

what is botnet

Answer 5

• a coordinated network of bots, a network of compromised computers that the botmaster influences via C&C (command and control)
• key platform for most internet-based attacks and frauds

Question 6

almost all spams are sent by botnet (T/F)

Answer 6

True

Question 7

botnet is used for profit or political activism?

Answer 7

True, both!

Question 8

most common DDOS botnet

Answer 8

attacker order bots to SYN flood the victim

Question 9

amplified distributed reflective attack

Answer 9

DDOS, attacker order bots to request large txt record sent to victim spoofed IP

Question 10

an attacker doesn’t have to use his own computer in an attack (T/F)

Answer 10

True

Question 11

the characteristic of DNS helps mitigate the effect of DDOS attack

Answer 11

False. DNS actually amplified the effect of DDOS

Question 12

naive botnet C&C

Answer 12

spread bots and have them directly communicate back

Question 13

problems with naive botnet C&C

Answer 13

• not stealthy. If someone catches a bot, they can trace back to the attacker
• not robust: only 1 method of communication

Question 14

botnet C&C design considerations

Answer 14

• efficient and reliable
• stealthy
• resilient

Question 15

bots require communication before an attack (T/F)

Answer 15

false

Question 16

bots are less likely to be found if it uses custom communication

Answer 16

false. That will make it stand out

Question 17

many botnet use DNS for C&C (T/F)

Answer 17

True

Question 18

DNS is good for C&C because?

Answer 18

• DNS is always allowed. DNS is needed whenever a machine on the internet wants to talk to another machine
• using DNS won’t make the bot standout

Question 19

the way a bot look up a domain is different from a machine looks up a web server

Answer 19

• domain is looked up by too many bots and unknown to google search

Question 20

how to detect botnet C&C domain

Answer 20

anomaly detection. Then the DynDSN provider to map that domain to a sinkhole

Question 21

APT is used for attack and phishing (T/F)

Answer 21

false, it’s used for high-value operations (like stealing designs)

Question 22

spear phising

Answer 22

target specific individuals

Question 23

APT tries to infect as many machine as possible

Answer 23

no. the whole purpose is to keep the footprint as small as possible

Question 24

Boy in the browser

Answer 24

changes network routing

Question 25

clickjacking

Answer 25

webuser unknowingly click on something not as portrayed

Question 26

man in the browser

Answer 26

modifies webpages

Question 27

man in the middle

Answer 27

eavesdrops

Question 28

problem with malware static analysis

Answer 28

those that depend on runtime or input data cannot be analyzed by looking at the code

Question 29

problem with malware dynamic analysis

Answer 29

only reveal behavior of the runs, won't show the complete picture

Question 30

analysis by looking at instruction by instruction

Answer 30

fine-grained

Question 31

signature-based approach is effective against packed malware (T/F)

Answer 31

false

Question 32

signature-based approach is effective against packed malware (T/F)

Answer 32

false

Question 33

we can use the unpacked code as signature to detect malware (T/F)

Answer 33

false

Question 34

the key of fine-grained tracing based universal unpacking algorithms

Answer 34

detecting the execution of code not in the static code model. Then unpack that part of the code, and use signature-based approach to detect that part of the malware