Malware Threats Flashcards

1
Q

What does the ‘Payload’ component of malware do?

A

The payload is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security

2
Q

What does the ‘Obfuscator’ component of malware do?

A

The obfuscator is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it

3
Q

What does the ‘Dropper’ component of malware do?

A

The dropper is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute the malware on a target system without being detected by antivirus scanners

4
Q

What does the ‘Injector’ component of malware do?

A

The injector injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal

5
Q

What is a crypter?

A

A crypter is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms

6
Q

What is a packer?

A

A packer is software that compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.

7
Q

What is an overt channel?

A

An overt channel is a legitimate channel for transferring data or information within a company network, and it is used to transfer data and information securely.

8
Q

What is a covert channel?

A

Covert channels are methods attackers can use to hide data in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to be transmitted over another. Any process or a bit of data can be a covert channel. This makes it an attractive mode of transmission for a Trojan because an attacker can use the covert channel to install a backdoor on the target machine.

9
Q

What is an APT (Advanced Persistent Threat)?

A

An APT is an attack that focuses on stealing information from the victim machine without its user being aware of it. The impact of APT attacks on computer performance and Internet bandwidth is negligible as these attacks are slow in nature. APTs exploit vulnerabilities in the applications running on a computer, operating system, and embedded systems.

10
Q

Which port number is used by the trojans Zeus, OceanSalt, and Shamoon?

A

Port 8080

11
Q

Which ports are used by the trojan Emotet?

A

Ports 20, 22, 80 and 443

12
Q

Which port number is used by the trojan Senna Spy?

A

Port 11000

13
Q

What is Emotet?

A

Emotet is a dropper/downloader for well-known banking Trojans such as Zeus Panda Banker, TrickBot, and IcedID, used to infect victims globally.

14
Q

What is IExpress Wizard?

A

IExpress Wizard is a wrapper tool that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc

15
Q

What is Godzilla?

A

Godzilla is a downloader that can be used for deploying malware on the target machine

16
Q

What is BitCrypter?

A

BitCrypter is used to embed a crypter in binaries and can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality

17
Q

Which port number is used by Trojans such as Silencer and WebEx?

A

1001

18
Q

Which port number is used by Trojans such as Psyber Stream Server and Voice?

A

1170

19
Q

Which port number is used by the njRAT trojan?

A

1177

20
Q

Which port number is used by the Doly trojan?

A

1011

21
Q

Which port number is used by trojans such as WannaCry, Petya, and Dragonfly 2.0?

A

445

22
Q

Which port numbers are used by the Hackers Paradise trojan?

A

31 and 456

23
Q

Which port number is used by the TCP Wrappers trojan?

A

421

24
Q

Which port number does XtremeRAT use?

A

1863

25
Q

Which CVE is the Windows VBScript vulnerability?

  • CVE-2018-4878
  • CVE-2013-2465
  • CVE-2018-8174
  • CVE-2013-2551

A

CVE-2018-8174

26
Q

What is Replication in the virus lifecycle?

A

The virus replicates for a period within the target system and then spreads itself.

27
Q

What is Launch in the virus lifecycle?

A

The virus is activated when the user performs specific actions such as running an infected program

28
Q

What is Detection in the virus lifecycle?

A

The virus is identified as a threat infecting the target system

29
Q

What is Execution of the damage routine in the virus lifecycle?

A

Users install antivirus updates and eliminate the virus threats

30
Q

What is a tunneling virus?

A

Tunneling viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs.

31
Q

What is a macro virus?

A

Macro viruses infect Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files

32
Q

What is a system/boot sector virus?

A

System viruses generally target the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting

33
Q

What is a file virus?

A

File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident viruses

34
Q

What is a transient virus?

A

Transient viruses transfer all control of the host code to the location in memory where the virus resides. They select the target program to be modified and corrupt it.

35
Q

What is an add-on virus?

A

Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their code at the beginning

36
Q

What is an armored virus?

A

Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection.

37
Q

What is a covert channel trojan?

A

A covert channel trojan creates an arbitrary data transfer channel in data streams authorized by the network access control system

38
Q

What is a metamorphic virus?

A

Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software.

39
Q

What is a polymorphic virus?

A

A polymorphic virus is a virus with a decrypting engine which decrypts the virus code before execution. During each infection, the mutation engine builds new virus code with completely different functionality. Then, the actual code and mutation engine both are encrypted for the next infection

40
Q

What does -s do when passed to netstat (Windows)?

A

-s causes netstat to show protocol statistics.

41
Q

What does -n do when passed to netstat (Windows)?

A

-n causes netstat to display active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names

42
Q

What does -o do when passed to netstat (Windows)?

A

-o causes netstat to display active TCP connections and include the process ID (PID) for each connection. You can find the application based on the PID in the Processes tab in Windows Task Manager.

43
Q

What does -a do when passed to netstat (Windows)?

A

-a causes netstat to display all active TCP connections and the TCP and UDP ports on which the computer is listening.

44
Q

What does Interception mean as it relates to antivirus products?

A

The interceptor monitors the operating system requests that are written to the disk.

45
Q

What does Code Emulation mean as it relates to antivirus products?

A

In code emulation techniques, the antivirus executes the malicious code inside a virtual machine to simulate CPU and memory activities. These techniques are considered very effective in dealing with encrypted and polymorphic viruses if the virtual machine mimics the real machine

46
Q

What does Heuristic Analysis mean as it relates to antivirus products?

A

Heuristic analysis can be static or dynamic. In static analysis, the antivirus analyses the file format and code structure to determine if the code is viral. In dynamic analysis, the antivirus performs a code emulation of the suspicious code to determine if the code is viral

47
Q

Which of the following Windows Service Manager (SrvMan) commands is used to install and start a legacy driver with a single call?

  • srvman.exe delete
  • srvman.exe run [service name] [/copy:yes] [/overwrite:no] [/stopafter:]
  • srvman.exe start [/nowait] [/delay:] / srvman.exe stop [/nowait] [/delay:] / srvman.exe restart [/delay:]
  • srvman.exe add [service name] [display name] [/type:] [/start:] [/interactive:no] [/overwrite:yes]

A

srvman.exe run [service name] [/copy:yes] [/overwrite:no] [/stopafter:]

48
Q

What is BinText?

A

BinText is a small text extractor utility that can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional “advanced” view mode.

49
Q

What is UPX?

A

UPX (Ultimate Packer for Executables) is a free and open source executable packer supporting a number of file formats from different operating systems.

50
Q

What is ASPack?

A

ASPack is an advanced EXE packer created to compress Win32 executable files and to protect them against non-professional reverse engineering.

51
Q

What is PE Explorer?

A

PE Explorer lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX Controls, to the less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on MS Windows Mobile platform).

52
Q

What is kernel32.dll used for?

A

Kernel32.dll is used to access/manipulate memory, files, and hardware

53
Q

What is advapi32.dll used for?

A

Advapi32.dll is used to access/manipulate Service Manager and Registry

54
Q

What is User32.dll used for?

A

User32.dll is used to display and manipulate graphics

55
Q

What is Sheep Dipping?

A

Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs. A computer used for sheep dipping should have tools such as port monitors, file monitors, network monitors, and one or more antivirus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB drives, pen drives, etc.), and so on.

56
Q

What is Droidsheep?

A

DroidSheep is a tool used for session hijacking on Android devices connected to a common wireless network. It obtains the session ID of an active user on the Wi-Fi network and uses it to access the website as an authorized user. The DroidSheep user can easily see what the authorized user is doing or seeing on the website. It can also hijack the user's social media account by obtaining the session ID.

57
Q

What is AlienVault USM Anywhere?

A

AlienVault® USM Anywhere™ is a fileless malware detection tool that provides a unified platform for threat detection, incident response, and compliance management. It centralizes security monitoring of networks and devices in the cloud, on premises, and at remote locations, thereby helping you to detect threats virtually anywhere.

58
Q

What is GFI LanGuard?

A

The GFI LanGuard patch management software scans the user's network automatically and installs and manages security and non-security patches.