3.malware_quiz

25 Terms

1

2, because a logic bomb is code that activates when certain conditions are met.

Ryan wants to prevent logic bombs created by insider threats from impacting his organization. What technique will most effectively limit the likelihood of logic bombs being put in place and why?

  1. Deploying antivirus software

  2. Using a code review process

  3. Deploying endpoint detection and response (EDR) software

  4. Disabling autorun for USB drives

2

3, because pop-ups demanding a ransom are a ransomware IoC

Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit and why?

  1. File hashes

  2. Command and control domains

  3. Pop-ups demanding a ransom

  4. Behavior-based identifiers

3

1, because a keylogger would’ve obtained the password by capturing the employee’s keystrokes

Nathan works at a school and notices that one of his staff appears to have logged in and changed grades for a single student to higher grades, even in classes that staff member is not responsible for. When asked, the staff member says that they did not perform the action. Which of the following is the most likely way that a student could have gotten access to the staff member's password and why?

  1. A keylogger

  2. A rootkit

  3. Spyware

  4. A logic bomb

4

1, because command and control facilitates communication between a compromised host and a malicious host.

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting and why?

  1. Command and control

  2. Spyware

  3. A worm

  4. A hijacked web browser

5

Backdoors are the primary way to gain remote access, and none of the other malware mentioned provides remote access by default.

Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware? Why is it a backdoor and not a Trojan?

  1. A worm

  2. Crypto malware

  3. A Trojan

  4. A backdoor

Think of a Trojan as giving a gift with a bomb inside, and a backdoor as a thief installing a secret door to the office, which they will use later to break in.

6

backdoor

What is a primary method for an attacker to gain remote access to a system?

7

Bloatware is unnecessary software installed by manufacturers that takes up space and consumes resources. Providing user and device data is a function of spyware.

What is the primary impact of bloatware? Why is it consuming resources and not providing user and device data to third parties?

  1. Consuming resources

  2. Logging keystrokes

  3. Providing information about users and devices to third parties

  4. Allowing unauthorized remote access

The keyword is bloat. What does it mean? What other malware collects user data?

8

Bloatware: unwanted software that takes up space. Spyware: malware that steals user and device data.

What is the difference between bloatware and spyware?

Hint: what does the word bloat mean?

9

3

What type of malware is used to gather information about a user's browsing habits and system?

  1. A Trojan

  2. Bloatware

  3. Spyware

  4. A rootkit

10

Antimalware and antivirus orgs will name malware packages differently. When malware is polymorphic, it avoids detection by rewriting itself.

Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred? Why is the answer that different vendors use different names for malware packages, and not that the malware is polymorphic?

  1. The package contains more than one piece of malware.

  2. The service is misconfigured.

  3. The malware is polymorphic and changed while being tested.

  4. Different vendors use different names for malware packages.

Hints: different nicknames from different people, and why would malware need to change?

11

4, keyloggers capture all user input and not just keyboard input

Nancy is concerned that there is a software keylogger on the system she's investigating. What best describes data that may have been stolen and why?

  1. All files on the system

  2. All keyboard input

  3. All files the user accessed while the keylogger was active

  4. Keyboard and other input from the user

12

When malware changes to avoid detection.

What is polymorphic malware, and why would malware become polymorphic?

Hint: the word polymorphic means to change.

13

3

A system in Elaine's company has suddenly displayed a message demanding payment in Bitcoin and claiming that the data from the system has been encrypted. What type of malware has Elaine likely encountered?

  1. Worms

  2. A virus

  3. Ransomware

  4. Rootkit

14

Rootkits usually avoid detection by antimalware software and local scans. Mounting the drive in another system is an effective way to counter rootkits’ counterdetection measures.

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an antimalware tool's scanner, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system? Why is the answer to mount the drive on another system and scan it that way, rather than disabling the system's antivirus because it may be causing a false negative?

  1. Rerun the antimalware scan.

  2. Mount the drive on another system and scan it that way.

  3. Disable the system's antivirus because it may be causing a false negative.

  4. The system is not infected and he should move on.

Hint: what is one of the primary functions of a rootkit?

15

rootkit

What malware avoids detection?

16

3, because a logic bomb is code that executes once certain conditions are met; in this case, the employee's termination.

A recently terminated developer from Jaya's organization has contacted the organization claiming that they left code in an application that they wrote that will delete files and bring the application down if they are not employed by the company. What type of malware is this and why?

  1. Ransomware

  2. Extortionware

  3. A logic bomb

  4. A Trojan

17

2, because malware can still remain even if you delete the malicious files.

Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?

  1. Run multiple antimalware tools and use them to remove all detections.

  2. Wipe the drive and reinstall from known good media.

  3. Use the delete setting in her antimalware software rather than the quarantine setting.

  4. There is no way to ensure the system is safe and it should be destroyed.

18

2, because worms spread without user interaction, while viruses require user interaction to spread.

What is the key difference between a worm and a virus and why?

  1. What operating system they run on

  2. How they spread

  3. What their potential impact is

  4. The number of infections

19

Submitting the code to a testing site is useless: because it was created by an employee, it won't match an existing malware package.

Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious? Why is the answer to open the file in a text editor for code review, and not to submit the code to a malware testing site?

  1. Run a decompiler against it to allow him to read the code

  2. Open the file using a text editor to review the code

  3. Test the code using an antivirus tool

  4. Submit the Python code to a malware testing website

Hint: if an employee gives you a handwritten note, would you send it to a foreign language translator or read it yourself?

20
New cards

3, because Trojans are malware disguised as legitimate software or apps

Which of the following defenses is most likely to prevent Trojan installation and why?

  1. Installing patches for known vulnerabilities

  2. Preventing downloads from application stores

  3. Preventing the use of USB drives

  4. Disabling autorun from USB drives

21
New cards

3, because worms install themselves by exploiting a network’s vulnerabilities, a logicbomb is code, a trojan requires that user downlad it, and a rootkits are used to hide malware.

Jason's security team reports that a recent WordPress vulnerability seems to have been exploited by malware and that their organization's entire WordPress service cluster has been infected. What type of malware is most likely involved if a vulnerability in the software was exploited over the network and why is it worm and not the others?

  1. A logic bomb

  2. A Trojan

  3. A worm

  4. A rootkit

process of elimination: was the malware code, disguised as a legit app, or stealthy? What’s the only malware with lateral movement processes capabilities

22

worm

What malware spreads through a network via lateral movement?

23

4

Hui's organization recently purchased new Windows computers from an office supply store. The systems have a number of unwanted programs on them that load at startup that were installed by the manufacturer. What type of software is this?

  1. Viruses

  2. Trojans

  3. Spyware

  4. Bloatware

24

Bots connect to a command and control system to form a botnet, while worms spread through vulnerabilities.

What type of malware connects to a command and control system, allowing attackers to manage, control, and update it remotely? Why is it a bot and not a worm?

  1. A bot

  2. A drone

  3. A vampire

  4. A worm

hint: zombie

25

1, because a virus requires user interaction to execute; in this case, the user opened a file on the USB drive.

Randy believes that a system that he is responsible for was infected after a user picked up a USB drive and plugged it in. The user claims that they only opened one file on the drive to see who might own it. What type of malware is most likely involved and why?

  1. A virus

  2. A worm

  3. A Trojan

  4. A spyware tool