Ch.3 Malicious Code Flashcards

Ryan wants to prevent logic bombs created by insider threats from impacting his organization. What technique will most effectively limit the likelihood of logic bombs being put in place?
A) Deploying antivirus software
B) Using a code review process
C) Deploying endpoint detection and response (EDR) software
D) Disabling autorun for USB drives
✅ Correct Answer: B) Using a code review process
🔹 Explanation: Logic bombs are malicious code that executes under specific conditions, often placed by insiders. Code reviews allow security professionals to examine the code for suspicious logic and prevent such threats before they become active.
❌ Incorrect Answers:
A) Deploying antivirus software – Antivirus software typically detects known malware, but logic bombs may evade detection until they execute.
C) Deploying endpoint detection and response (EDR) software – EDR tools monitor for suspicious activity, but they may not prevent logic bombs from being planted.
D) Disabling autorun for USB drives – While useful for preventing malware from running automatically, it does not address logic bombs hidden within code.

Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit?
A) File hashes
B) Command and control domains
C) Pop-ups demanding a ransom
D) Behavior-based identifiers
✅ Correct Answer: C) Pop-ups demanding a ransom
🔹 Explanation: Rootkits are designed to hide malicious activity and provide persistent access to a system, not to demand ransom. A pop-up demanding a ransom is an indicator of ransomware, not a rootkit.
❌ Incorrect Answers:
A) File hashes – Unique file hashes can help identify malicious rootkit files.
B) Command and control domains – Rootkits often communicate with external servers, making C&C domains useful indicators.
D) Behavior-based identifiers – Rootkits may show behavioral patterns such as unauthorized privilege escalation or hidden system processes.

Nathan works at a school and notices that one of his staff appears to have logged in and changed grades for a single student to higher grades, even in classes that staff member is not responsible for. When asked, the staff member says that they did not perform the action. Which of the following is the most likely way that a student could have gotten access to the staff member's password?
A) A keylogger
B) A rootkit
C) Spyware
D) A logic bomb
✅ Correct Answer: A) A keylogger
🔹 Explanation: Keyloggers record keystrokes, allowing an attacker to capture login credentials without the user's knowledge. The student likely used a keylogger to obtain the staff member's credentials.
❌ Incorrect Answers:
B) A rootkit – Rootkits provide persistent access and conceal malicious activity, but they do not typically capture credentials directly.
C) Spyware – While some spyware can capture credentials, keyloggers are more specifically designed for this purpose.
D) A logic bomb – Logic bombs are triggered by specific conditions but do not actively steal credentials.

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
A) Command and control
B) Spyware
C) A worm
D) A hijacked web browser
✅ Correct Answer: A) Command and control
🔹 Explanation: TCP port 6667 is commonly associated with IRC-based command and control (C&C) traffic, which botnets and other malware use to communicate with an attacker's server.
❌ Incorrect Answers:
B) Spyware – Spyware collects user data but does not typically use IRC for communication.
C) A worm – Worms spread independently but do not necessarily rely on IRC for control.
D) A hijacked web browser – Web browser hijacking typically involves redirecting users to malicious websites, not IRC-based communication.

Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware?
A) A worm
B) Crypto malware
C) A Trojan
D) A backdoor
✅ Correct Answer: D) A backdoor
🔹 Explanation: A backdoor is a malicious program that provides attackers with unauthorized remote access to a system, bypassing normal authentication mechanisms.
❌ Incorrect Answers:
A) A worm – Worms replicate themselves and spread, but they do not necessarily provide remote access.
B) Crypto malware – Crypto malware is ransomware that encrypts files rather than granting remote access.
C) A Trojan – Trojans may carry backdoors, but a backdoor itself is a specific type of malware that enables unauthorized access.

What is the primary impact of bloatware?
A) Consuming resources
B) Logging keystrokes
C) Providing information about users and devices to third parties
D) Allowing unauthorized remote access
✅ Correct Answer: A) Consuming resources
🔹 Explanation: Bloatware consists of unnecessary applications that take up memory, CPU, and disk space, slowing down system performance.
❌ Incorrect Answers:
B) Logging keystrokes – This is associated with keyloggers, not bloatware.
C) Providing information about users and devices to third parties – This behavior aligns more with spyware.
D) Allowing unauthorized remote access – This is a characteristic of Trojans and backdoors.

Matt uploads a malware sample to a third-party malware scanning site that uses multiple anti-malware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred?
A) The package contains more than one piece of malware.
B) The service is misconfigured.
C) The malware is polymorphic and changed while being tested.
D) Different vendors use different names for malware packages.
✅ Correct Answer: D) Different vendors use different names for malware packages.
🔹 Explanation: Different antivirus vendors classify and name malware differently, leading to multiple detections with different names.
❌ Incorrect Answers:
A) The package contains more than one piece of malware – While possible, the most common reason is vendor differences.
B) The service is misconfigured – This would not typically result in multiple different detections.
C) The malware is polymorphic and changed while being tested – Polymorphic malware changes signatures but would not necessarily lead to different names from vendors.

What type of malware is used to gather information about a user's browsing habits and system?
A) A Trojan
B) Bloatware
C) Spyware
D) A rootkit
✅ Correct Answer: C) Spyware
🔹 Explanation: Spyware is designed to collect user data, track browsing habits, and send the information to attackers.
❌ Incorrect Answers:
A) A Trojan – Trojans disguise themselves as legitimate software but do not necessarily gather user data.
B) Bloatware – Bloatware is unwanted software but does not typically collect user data.
D) A rootkit – Rootkits provide stealthy access but are not primarily designed for data collection.

Nancy is concerned that there is a software keylogger on the system she's investigating. What best describes data that may have been stolen?
A) All files on the system
B) All keyboard input
C) All files the user accessed while the keylogger was active
D) Keyboard and other input from the user
✅ Correct Answer: D) Keyboard and other input from the user
🔹 Explanation: Keyloggers capture keystrokes and other user input, such as mouse movements and touchscreen interactions.
❌ Incorrect Answers:
A) All files on the system – Keyloggers do not exfiltrate files, just input data.
B) All keyboard input – While mostly correct, some keyloggers also capture non-keyboard input.
C) All files the user accessed while the keylogger was active – Keyloggers do not monitor file access directly.

A system in Elaine's company has suddenly displayed a message demanding payment in Bitcoin and claiming that the data from the system has been encrypted. What type of malware has Elaine likely encountered?
A) Worms
B) A virus
C) Ransomware
D) Rootkit
✅ Correct Answer: C) Ransomware
🔹 Explanation: Ransomware encrypts files and demands payment, often in cryptocurrency, to restore access.
❌ Incorrect Answers:
A) Worms – Worms spread automatically but do not demand ransoms.
B) A virus – Viruses replicate, but they do not typically demand payment.
D) Rootkit – Rootkits provide stealthy access but do not lock files for ransom.

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an anti-malware tool's scanner, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
A) Rerun the antimalware scan.
B) Mount the drive on another system and scan it that way.
C) Disable the system's antivirus because it may be causing a false negative.
D) The system is not infected and he should move on.
✅ Correct Answer: B) Mount the drive on another system and scan it that way.
🔹 Explanation: Rootkits embed themselves deep in the operating system, often making them invisible to security tools running within that system. Scanning the drive from an external, trusted system bypasses the compromised OS, allowing detection.
❌ Incorrect Answers:
A) Rerun the antimalware scan – The rootkit may be hiding itself, so scanning again within the same OS is unlikely to help.
C) Disable the system's antivirus because it may be causing a false negative – This action does not address the fact that the rootkit is hiding itself.
D) The system is not infected and he should move on – If there are signs of infection, further investigation is warranted.

A recently terminated developer from Jaya's organization has contacted the organization claiming that they left code in an application that they wrote that will delete files and bring the application down if they are not employed by the company. What type of malware is this?
A) Ransomware
B) Extortionware
C) A logic bomb
D) A Trojan
✅ Correct Answer: C) A logic bomb
🔹 Explanation: A logic bomb is malicious code that triggers based on a specific condition, such as a developer leaving a company.
❌ Incorrect Answers:
A) Ransomware – Ransomware encrypts files and demands payment, while a logic bomb executes based on conditions.
B) Extortionware – Extortionware involves threats to release data, not system destruction upon a condition being met.
D) A Trojan – A Trojan disguises itself as legitimate software, but a logic bomb is embedded within an existing program.

What is the key difference between a worm and a virus?
A) What operating system they run on
B) How they spread
C) What their potential impact is
D) The number of infections
✅ Correct Answer: B) How they spread
🔹 Explanation: The main difference is that worms spread automatically without user interaction, while viruses require user action to propagate (e.g., opening an infected file).
❌ Incorrect Answers:
A) What operating system they run on – Both worms and viruses can run on various OSes.
C) What their potential impact is – Both can cause significant damage.
D) The number of infections – Both can spread widely, but worms typically spread faster.

Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
A) Run multiple antimalware tools and use them to remove all detections.
B) Wipe the drive and reinstall from known good media.
C) Use the delete setting in her antimalware software rather than the quarantine setting.
D) There is no way to ensure the system is safe and it should be destroyed.
✅ Correct Answer: B) Wipe the drive and reinstall from known good media.
🔹 Explanation: The most foolproof way to remove malware, especially sophisticated threats like rootkits, is a full system wipe and reinstall from a trusted source.
❌ Incorrect Answers:
A) Run multiple antimalware tools and use them to remove all detections – This may not detect or remove all malware components, especially if a rootkit is present.
C) Use the delete setting in her antimalware software rather than the quarantine setting – This does not guarantee full removal.
D) There is no way to ensure the system is safe and it should be destroyed – Reinstalling from a clean source is sufficient in most cases.

Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
A) Run a decompiler against it to allow him to read the code
B) Open the file using a text editor to review the code
C) Test the code using an antivirus tool
D) Submit the Python code to a malware testing website
✅ Correct Answer: B) Open the file using a text editor to review the code
🔹 Explanation: Python is an interpreted rather than a compiled language, so Ben doesn't need to use a decompiler. The Python source code is readable as plain text. Opening it in a text editor allows direct inspection of the code.
❌ Incorrect Answers:
A) Run a decompiler against it to allow him to read the code – Python does not require decompilation; its source is already readable.
C) Test the code using an antivirus tool – Antivirus tools may not detect Python-based scripts unless they are well-known threats.
D) Submit the Python code to a malware testing website – While this may provide some insights, manual review is the most direct method.

Which of the following defenses is most likely to prevent Trojan installation?
A) Installing patches for known vulnerabilities
B) Preventing downloads from application stores
C) Preventing the use of USB drives
D) Disabling autorun from USB drives
✅ Correct Answer: B) Preventing downloads from application stores
🔹 Explanation: Trojans are most commonly disguised as legitimate software and downloaded by users from the internet or untrusted sources. Preventing users from downloading applications from unverified sources is the most effective way to stop Trojan infections. Many organizations implement application whitelisting to restrict what software can be installed.
❌ Incorrect Answers:
A) Installing patches for known vulnerabilities – Patching prevents exploitation of known software vulnerabilities but does not stop Trojans, which require user interaction to install.
C) Preventing the use of USB drives – This can help in some cases but is too broad, and not all Trojans are spread via USB.
D) Disabling autorun from USB drives – While this prevents some types of Trojans that rely on USB autorun, most Trojans come from downloads, making option B the better answer.

Jason's security team reports that a recent WordPress vulnerability seems to have been exploited by malware and that their organization's entire WordPress service cluster has been infected. What type of malware is most likely involved if a vulnerability in the software was exploited over the network?
A) A logic bomb
B) A Trojan
C) A worm
D) A rootkit
✅ Correct Answer: C) A worm
🔹 Explanation: Worms spread automatically by exploiting vulnerabilities in software, making them a likely cause of widespread infection.
❌ Incorrect Answers:
A) A logic bomb – A logic bomb executes based on conditions, not network exploitation.
B) A Trojan – Trojans require user interaction, whereas worms do not.
D) A rootkit – Rootkits provide stealthy access, but they do not typically spread across systems automatically.

What type of malware connects to a command and control system, allowing attackers to manage, control, and update it remotely?
A) A bot
B) A drone
C) A vampire
D) A worm
✅ Correct Answer: A) A bot
🔹 Explanation: Bots are infected systems controlled by attackers via command and control (C&C) servers, forming part of a botnet.
❌ Incorrect Answers:
B) A drone – Not a term used in malware classification.
C) A vampire – Not a term used in malware classification.
D) A worm – Worms spread automatically but do not necessarily rely on C&C infrastructure.

Hui's organization recently purchased new Windows computers from an office supply store. The systems have a number of unwanted programs on them that load at startup that were installed by the manufacturer. What type of software is this?
A) Viruses
B) Trojans
C) Spyware
D) Bloatware
✅ Correct Answer: D) Bloatware
🔹 Explanation: Bloatware refers to preinstalled software that takes up system resources but is not inherently malicious.
❌ Incorrect Answers:
A) Viruses – Viruses are malicious and replicate, while bloatware is simply unwanted.
B) Trojans – Trojans disguise themselves as legitimate applications, whereas bloatware is preinstalled.
C) Spyware – Spyware collects user data, whereas bloatware does not necessarily do so.

Randy believes that a system that he is responsible for was infected after a user picked up a USB drive and plugged it in. The user claims that they only opened one file on the drive to see who might own it. What type of malware is most likely involved?
A) A virus
B) A worm
C) A Trojan
D) A spyware tool
✅ Correct Answer: A) A virus
🔹 Explanation: Viruses often spread via infected files on USB drives, requiring user interaction to execute and spread. Since the user opened a file, it's likely that the file contained a virus that then infected the system.
❌ Incorrect Answers:
B) A worm – Worms spread automatically without user interaction, whereas this infection required the user to open a file.
C) A Trojan – A Trojan would look like a useful or desirable file, not just a file to determine the USB's owner.
D) A spyware tool – Spyware is designed to collect data covertly, but the question suggests an infection event, not data theft.

Which of the following characteristics best distinguishes bloatware from spyware?
A) Bloatware is always pre-installed on devices, whereas spyware is installed through malware campaigns.
B) Spyware is designed to secretly collect data, while bloatware is primarily unwanted but not always malicious.
C) Bloatware directly compromises user privacy, while spyware only affects system performance.
D) Spyware is always government-sponsored, whereas bloatware is installed by software vendors.
✅ Correct Answer: B) Spyware is designed to secretly collect data, while bloatware is primarily unwanted but not always malicious.
🔹 Explanation: Spyware is specifically designed to collect user data, such as browsing habits or credentials, and send it to a remote attacker. Bloatware, on the other hand, consists of pre-installed or unnecessary programs that consume system resources but are not always malicious.
❌ Incorrect Answers:
A) Bloatware is always pre-installed on devices, whereas spyware is installed through malware campaigns. – Incorrect, because bloatware can also be installed later as part of software bundles.
C) Bloatware directly compromises user privacy, while spyware only affects system performance. – Incorrect, since spyware is the actual privacy risk, whereas bloatware just slows down devices.
D) Spyware is always government-sponsored, whereas bloatware is installed by software vendors. – Incorrect, because spyware is also used by cybercriminals, not just governments.

An analyst notices a workstation making repeated, encrypted outbound connections to a known command and control (C&C) server. The workstation has also started creating unexpected scheduled tasks. What type of malware is most likely responsible?
A) A rootkit
B) A keylogger
C) A Trojan
D) A worm
✅ Correct Answer: A) A rootkit
🔹 Explanation: Rootkits are designed to provide long-term stealthy access to a system, often communicating with a C&C server to receive attacker commands. They can also create scheduled tasks to maintain persistence.
❌ Incorrect Answers:
B) A keylogger – Keyloggers capture user input but do not typically use C&C servers.
C) A Trojan – Trojans can open backdoors, but they do not persist as effectively as rootkits.
D) A worm – Worms spread rapidly but are not known for long-term stealthy access.

What is the most effective way to remove a rootkit from an infected system?
A) Run an anti-rootkit scanning tool.
B) Manually delete infected system files from Safe Mode.
C) Restore from a known good backup or reimage the system.
D) Disable all startup processes and delete suspicious registry keys.
✅ Correct Answer: C) Restore from a known good backup or reimage the system.
🔹 Explanation: Rootkits embed themselves deeply in the operating system, often at the kernel level, making them very difficult to remove. The most reliable method is to completely wipe the system and restore from a trusted backup.
❌ Incorrect Answers:
A) Run an anti-rootkit scanning tool. – This may detect some rootkits but cannot guarantee complete removal.
B) Manually delete infected system files from Safe Mode. – Rootkits can hide system files, making this method ineffective.
D) Disable all startup processes and delete suspicious registry keys. – Rootkits hook into deeper system functions, so deleting registry keys won't remove them completely.

A user reports that their computer suddenly became unresponsive, and a message appeared demanding payment to unlock their files. The security team determines that no unauthorized programs were installed recently. Which indicator of compromise (IoC) would best confirm the type of attack?
A) Discovery of a new administrator account
B) Repeated failed login attempts in security logs
C) Sudden increase in network bandwidth usage
D) Unauthorized file encryption and ransom demand message
✅ Correct Answer: D) Unauthorized file encryption and ransom demand message
🔹 Explanation: Ransomware encrypts files and then demands a ransom in exchange for the decryption key. The primary IoC is a notice demanding payment and inaccessible encrypted files.
❌ Incorrect Answers:
A) Discovery of a new administrator account. – More common in privilege escalation attacks.
B) Repeated failed login attempts in security logs. – More commonly seen in brute force attacks, not ransomware.
C) Sudden increase in network bandwidth usage. – Could indicate data exfiltration, but not necessarily ransomware.