Chapter 8 (Lecture 7)

Question 1

What is the major difference between a virus and a worm?

Answer 1

Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible.

However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate.

Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.

Question 2

Explain the four propagation methods used by Robert Tappan Morris’s Internet Worm.

Answer 2

The Internet Worm used four propagation techniques.

First, it exploited a bug in the sendmail utility that allowed it to spread itself by sending a specially crafted email message that contained its code to the sendmail program on a remote system.

Second, it used a dictionary-based password attack to attempt to gain access to remote systems by utilizing the username and password of a valid system user.

Third, it exploited a buffer overflow vulnerability in the finger program to infect systems.

Fourth, it analyzed any existing trust relationships with other systems on the network and attempted to spread itself to those systems through the trusted path.

Question 3

What are the actions an antivirus software package might take when it discovers an infected file?

Answer 3

If possible, antivirus software may try to disinfect an infected file, removing the virus’s malicious code.
If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.

Question 4

Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.

Answer 4

Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system.
If a file infector virus strikes the system, this would result in a change in the affected file’s hash value and would, therefore, trigger a file integrity alert.

Question 5

1. What is the most commonly used technique to protect against virus attacks?

A. Signature detection

B. Heuristic detection

C. Data integrity assurance

D. Automated reconstruction

Answer 5

1. A. Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.

Question 6

2. You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?

A. Internet

B. DMZ

C. Intranet

D. Sandbox

Answer 6

2. B. The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.

Question 7

3. Which one of the following types of attacks relies upon the difference between the timing of two events?

A. Smurf

B. TOCTTOU

C. Land

D. Fraggle

Answer 7

3. B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.

Question 8

4. Which of the following techniques requires that administrators identify appropriate applications for an environment?

A. Sandboxing

B. Control signing

C. Integrity monitoring

D. Whitelisting

Answer 8

4. D. Application whitelisting requires that administrators specify approved applications and then the operating system uses this list to allow only known good applications to run.

Question 9

5. What advanced virus technique modifies the malicious code of a virus on each system it infects?

A. Polymorphism

B. Stealth

C. Encryption

D. Multipartitism

Answer 9

5. A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.

Question 10

6. Which one of the following tools provides a solution to the problem of users forgetting complex passwords?

A. LastPass

B. Crack

C. Shadow password files

D. Tripwire

Answer 10

6. A. LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.

Question 11

7. What type of application vulnerability most directly allows an attacker to modify the contents of a system’s memory?

A. Rootkit

B. Back door

C. TOC/TOU

D. Buffer overflow

Answer 11

7. D. Buffer overflow attacks allow an attacker to modify the contents of a system’s memory by writing beyond the space allocated for a variable.

Question 12

8. Which one of the following passwords is least likely to be compromised during a dictionary attack?

A. mike

B. elppa

C. dayorange

D. fsasoalg

Answer 12

8. D. Except option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backwards, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.

Question 13

9. What file is instrumental in preventing dictionary attacks against UNIX systems?

A. /etc/passwd

B. /etc/shadow

C. /etc/security

D. /etc/pwlog

Answer 13

9. B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.

Question 14

10. What character should always be treated carefully when encountered as user input on a web form?

A. !

B. &

C. *

D. ‘

Answer 14

10. D. The single quote character (‘) is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

Question 15

11. What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?

A. Triggers

B. Stored procedures

C. Column encryption

D. Concurrency control

Answer 15

11. B. Developers of web applications should leverage database stored procedures to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.

Question 16

12. What type of reconnaissance attack provides attackers with useful information about the services running on a system?

A. Session hijacking

B. Port scan

C. Dumpster diving

D. IP sweep

Answer 16

12. B. Port scans reveal the ports associated with services running on a machine and available to the public.

Question 17

13. What condition is necessary on a web page for it to be used in a cross-site scripting attack?

A. Reflected input

B. Database-driven content

C. .NET technology

D. CGI scripts

Answer 17

13. A. Cross-site scripting attacks are successful only against web applications that include reflected input.

Question 18

14. What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?

A. Stealth virus

B. Companion virus

C. Polymorphic virus

D. Multipartite virus

Answer 18

14. D. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.

Question 19

15. What is the most effective defense against cross-site scripting attacks?

A. Limiting account privileges

B. Input validation

C. User authentication

D. Encryption

Answer 19

15. B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML tag in the input.

Question 20

16. What worm was the first to cause major physical damage to a facility?

A. Stuxnet

B. Code Red

C. Melissa

D. rtm

Answer 20

16. A. Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.

Question 21

17. Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Escalation of privilege

B. Back door

C. Rootkit

D. Buffer overflow

Answer 21

17. B. Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.

Question 22

18. What technology does the Java language use to minimize the threat posed by applets?

A. Confidentiality

B. Encryption

C. Stealth

D. Sandbox

Answer 22

18. D. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.

Question 23

19. What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A. “H1”

B. “HEAD”

C. “XSS”

D. “SCRIPT”

Answer 23

19. D. The SCRIPT tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

Question 24

20. When designing firewall rules to prevent IP spoofing, which of the following principles should you follow?

A. Packets with internal source IP addresses don’t enter the network from the outside.

B. Packets with internal source IP addresses don’t exit the network from the inside.

C. Packets with public IP addresses don’t pass through the router in either direction.

D. Packets with external source IP addresses don’t enter the network from the outside.

Answer 24

20. A. Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.

Question 25

Virus propagation techniques

Answer 25

1. Macro virus
2. MBR virus
3. File infector virus

Question 26

What is a Macro virus

Answer 26

Many common software applications implement some sort of scripting functionality to assist with the automation of repetitive tasks (Like VBA)

Macro viruses first appeared in the mid-1990s, and infected documents created in the popular Microsoft Word environment

Although they were relatively unsophisticated, these viruses spread rapidly because the antivirus community didn’t anticipate them

Question 27

Master Boot Record (MBR virus)

Answer 27

A master boot record virus (or MBR virus) attacks the MBR, the portion of bootable media (e.g., hard drive) that the computer uses to load the operating system during the boot process

The virus stores most of its code on another portion of the media
When the system reads the infected MBR, the virus instructs it to read and execute the code stored in the alternate location

Question 28

File infector virus (File Injector)

Answer 28

A file infector virus infects different types of executable files and triggers when the operating system attempts to execute them
Example: .exe and .com files in Windows-based systems

Easily Detectable comparing Hashes.

Question 29

What are the Main Virus Technologies?

Answer 29

1. Multipartite
2. Stealth
3. Polymorphic
4. Encrypted

Question 30

What is a Multipartite Virus?

Answer 30

Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method

For example, a virus may infect both executable files and the MBR

Question 31

What is a Stealth Virus?

Answer 31

Stealth viruses hide themselves by tampering with the operating system

For example, a stealth MBR virus might infect the system’s MBR and also modify the operating system’s file access functionality to cover its tracks

When the antivirus requests a copy of the MBR, the modified operating system code provides it with a clean version of the MBR

However, when the system boots, it reads the infected MBR and loads the virus into memory

Question 32

What is a Polymorphic Virus?

Answer 32

Polymorphic viruses modify their code as they move from system to system,
The signature of the virus is different each time it infects a new system

Constantly changing signature should render signature-based antivirus packages useless

However, current antivirus packages are able to detect known polymorphic viruses

Question 33

What is Encrypted Virus?

Answer 33

Encrypted viruses use cryptographic techniques to avoid detection

As with polymorphic viruses, each infected system has a virus with a different signature
However, encrypted viruses generate these different signatures by encrypting their code with different cryptographic keys
Encrypted viruses use a decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code

This routine often contains signatures that render it vulnerable to antivirus software

Question 34

What are Logic Bombs?

Answer 34

Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions

Question 35

What are Trojan Horses?

Answer 35

Trojans differ very widely in functionality
Some are fairly innocuous
Some will destroy all the data stored on a system in an attempt to cause a large amount of damage in a short time frame

ex in 2002 program to run xbox
When users ran these program, they simply didn’t work
However, they inserted a value into the Windows Registry that caused a specific web page to open each time the computer booted

Question 36

How Worms Work?

Answer 36

Worms pose a significant risk to network security
They contain the same destructive potential as other malicious code objects, but they can also propagate without requiring any human intervention

Question 37

What is a Spyware?

Answer 37

Spyware monitors your actions and transmits important details to a remote system that spies on your activity

Question 38

Adware

Answer 38

Adware is quite similar to spyware in form, but has a different purpose
It uses a variety of techniques to display advertisements on infected computers

Question 39

Name 5 types of Attacks

Answer 39

1. Denial-of-Service Attacks
2. Distributed DoS Toolkits
3. Smurf Attacks
4. DNS Amplification Attacks
5. Teardrop
6. Land Attack
7. Ping of Death
8. Buffer Overflows
9. Time-of-Check-to-Time-of-Use
10. Trap Doors
11. Rootkits

Question 40

DOS attacks

Answer 40

DoS attacks prevent legitimate users from accessing resources

In some attacks, a brute-force approach is used, simply overwhelming a targeted system with many requests

Others include elegantly crafted commands that cause vulnerable systems to crash or hang indefinitely

Question 41

Classes of DOS Attacks

Answer 41

• SYN Flood
• Distributed DoS Toolkits
• Smurf
• DNS Amplification Attacks
• Teardrop
• Land
• DNS Poisoning
• Ping of Death

Question 42

Distributed DoS Toolkits

Answer 42

Distributed denial-of-service (DDoS) attacks allow attackers to harness the power of many third-party systems to attack the target

Trinoo and Tribe Flood Network (TFN) are two commonly used DDoS toolkits

Question 43

Smurf Attacks

Answer 43

The smurf attack is a distributed reflective denial-of-service (DRDoS) attack
Attacks are amplified using one or more third-party networks

Question 44

DNS Amplification Attacks

Answer 44

Causes flooding similar to Smurf

An attacker tricks unwitting participants into sending unwanted traffic to a third party

Question 45

Teardrop Attack

Answer 45

A teardrop attack is a fragmentation attack (a DoS attack)

Fragmentation attacks exploit vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack

System administrators can configure the maximum size allowed for TCP/IP packets on each network

When a network receives a packet larger than its maximum allowable size, it breaks it up into two or more fragments
These fragments are each assigned a size and an offset

In the teardrop attack, attackers use software that sends out packet fragments that do not conform to the protocol specification

Specifically, they send two or more overlapping fragments

When the receiving system tries to reassemble the fragmented packet, it doesn’t know how to handle the fragments and freezes or crashes

Question 46

Land Attack

Answer 46

The land denial-of-service attack causes many older operating systems to freeze and behave in an unpredictable manner

Question 47

Ping Of Death

Answer 47

The largest permissible ICMP packet is 65,536 bytes
Many early OS developers relied upon the assumption that the protocol stack of sending machines would never exceed this value and did not build in error-handling routines to monitor for packets exceeding this limit

Question 48

Buffer Overflow

Answer 48

Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size

User data can overwrite system commands

Buffer-overflow vulnerabilities are especially prevalent in code developed rapidly for the Web using CGI or other languages

Question 49

Time-of-Check-to-Time-of-Use (TOCTTOU)

Answer 49

is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource use

Question 50

RootKits

Answer 50

Rootkits are specialized software packages that allow attackers to gain expanded access to a system

Question 51

Trap doors (or back doors)

Answer 51

undocumented access mechanisms that allow software developers to bypass normal access restrictions

Question 52

What is Cross-site Scripting (XSS)

Answer 52

Cross-site scripting (XSS) is a security vulnerability typically found in Web applications
Enables attackers to leverage some type of reflected input to inject client-side scripts into web pages viewed by other users

Question 53

What is SQL Injection

Answer 53

SQL injection attacks allow a malicious individual to directly perform SQL transactions against the underlying database

Question 54

How IP Probes Work

Answer 54

IP probes (aka IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a target system

• Automated tools simply attempt to ping each address in a range
• Systems that respond to the ping request are logged for further analysis
• Addresses that do not prod/uce a response are assumed to be unused and are ignored

disabling ping helps.

Question 55

How Port Scans work

Answer 55

After performing an IP probe, attackers have a list of active systems on a network

The next step is to select one or more systems to target with additional attacks

Often, attackers have a type of target in mind, such as a web server or other servers supporting critical operations

Question 56

Vulnerability Scans

Answer 56

Once the attacker determines a specific system to target, they need to discover a specific vulnerability that can be exploited

Vulnerability scanners are highly automated tools
They can probe an entire network for any exploitable weaknesses

Question 57

Dumpster Diving

Answer 57

Dumpster diving consists in analyzing waste to gain intelligence that might help launch an attack