Computer Viruses Flashcards
(13 cards)
Non-Resident / File Infector
The virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.
Memory Resident
When the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory, even if the host process is terminated.
Boot
The virus code is written to the disk boot sector or the partition table of a fixed disk or USB media and executes as a memory-resident process when the OS starts, or the media is attached to the computer.
Script and Macro Viruses
The malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.
Multipartite
Term used for viruses that use multiple vectors.
Polymorphic
Term used for viruses that can dynamically change or obfuscate their code to evade detection.
Code Red worm
The Code Red worm was able to infect early versions of Microsoft’s IIS web server software via a buffer overflow vulnerability. It then scanned randomly generated IP ranges to try to infect other vulnerable IIS servers.
Conficker worm
The Conficker worm illustrated the potential for remote code execution and memory-resident malware to effect highly potent attacks.
Fileless Malware
Fileless malware does not write its code to disk.
Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host.
Fileless malware may use “live off the land” techniques rather than compiled executables to evade detection.
Supercookie
A supercookie is a means of storing tracking data in a non-regular way, such as saving it to a cache without declaring the data to be a cookie, or encoding the data into request headers.
Beacon
A beacon is a single-pixel image embedded into a website. While invisible to the user, the browser must request to download the pixel to load the site, giving the beacon host the opportunity to collect metadata, perform browser fingerprinting, and potentially run tracking scripts.
Covert Channel
A type of attack that subverts network security systems and policies to transfer data without authorization or detection.
Rootkit
Class of malware that modifies system files, often at the kernel level, to conceal its presence.