Malicious Code and Activity

An employee configured malicious code to execute at midnight on February 2. What does this describe? A. Logic bomb B. Groundhog Day virus C. Worm D. Ransomware

A. A logic bomb is malware that executes in response to an event such as a specific date and time. While February 2 is Groundhog Day, the scenario doesn't describe a Groundhog Day virus. Worms infect computers over a network, not on a specific day. Ransomware takes control of a user's computer or data and demands a ransom from the user.

What type of virus attempts to protect itself from reverse engineering and prevent antivirus researchers from analyzing the malware? A. Armored virus B. Polymorphic virus C. Metamorphic virus D. Multipartite virus

A. An armored virus attempts to prevent an AV researcher from reverse engineering it to determine what it is doing and how it is doing it. Although polymorphism and metamorphism can make it harder to reverse engineer a virus, they aren't the best answer, because these techniques primarily make it harder for AV software to detect the virus. A multipartite virus uses multiple methods of attack.

What should users do to ensure that antivirus software can detect recently released viruses? A. Update signatures B. Update the operating system C. Update the AV software D. Regularly purchase new AV software

A. Antivirus software detects known viruses by matching files against signature definition files, so keeping those signatures current (most products pull updates automatically) is what lets it detect recently released viruses. Updating the operating system, updating the AV engine, or buying a new product does not by itself add detection for new viruses; only fresh signature data does that, although vendors do ship engine updates separately when detection methods change.

A virus is detected on a system based on the virus's behavior. What detected the virus? A. Heuristics B. A virus fingerprint C. A virus filter D. A signature

A. Heuristics detect malware from its behavior (what the code does when run or emulated) rather than from a fixed byte pattern, so they can flag previously unknown viruses. There is no standard detection method called a virus filter or a virus fingerprint; a signature, which uniquely identifies known malware much as a fingerprint identifies a person, only detects samples that have already been analyzed.

Of the following choices, how is malware most often delivered today? A. Over the Internet B. Via an intranet C. Via USB drives D. Through company policies

A. The most common way attackers deliver malware today is over the Internet (malicious e-mail, drive-by downloads, compromised websites). Some attacks originate inside an intranet, but not in volumes that compete with Internet delivery. Unsuspecting users do carry viruses between systems on USB drives, but this is less common than delivery over the Internet. Company policies would not deliver viruses.

What type of malware can spread without any user intervention? A. Virus B. Trojan horse C. Worm D. Spyware

C. Worms spread through a network without any user intervention. Viruses, Trojan horses, and spyware all require some level of interaction.

What does antivirus software use to detect previously unknown viruses? A. Signatures B. Polymorphism C. Heuristics D. Armor

C. Antivirus software uses heuristics to detect previously unknown viruses by examining what a sample does rather than what it looks like. Signatures detect known viruses only. Polymorphism and armor are techniques used by virus authors to evade detection and analysis, not detection methods.
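The two detection approaches above, as an added Python example that is not part of the original study set: a toy scanner matches constructed byte signatures and separately scores constructed behaviour events. The signatures, event names, weights and threshold are all assumptions made for illustration. A known sample is caught by its signature, a never-seen sample only by its behaviour, and a legitimate backup tool that encrypts documents is flagged too, which is the false-positive cost heuristics carry.

```python
"""Signature matching versus behavioural heuristics on constructed samples.

Added example, not part of the original study set. The byte signatures, the
behaviour event names and the weights are invented for illustration only.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed "known bad" byte patterns, as a signature database would hold
# them after analysts have examined a sample.
SIGNATURES: Dict[bytes, str] = {
    b"EVIL_PAYLOAD_v1\x00\xde\xad\xbe\xef": "Trojan.Example.A",
    b"cmd.exe /c del /q /s C:\\": "Wiper.Example.B",
}

# Constructed heuristic rules: behaviours a sandbox or on-access monitor might
# report while a sample runs. Each alone can be legitimate; the score adds up.
HEURISTIC_WEIGHTS: Dict[str, int] = {
    "writes_to_startup_folder": 3,
    "disables_antivirus_service": 5,
    "mass_file_encryption": 5,
    "injects_into_other_process": 4,
    "opens_network_listener": 2,
    "reads_documents_folder": 1,
}
HEURISTIC_THRESHOLD = 6  # assumed cut-off; tuning it trades misses against false positives


def scan_signatures(sample: bytes) -> Optional[str]:
    """Return the family name if any known byte signature appears in the sample."""
    for sig, name in SIGNATURES.items():
        if sig in sample:
            return name
    return None


def score_behaviour(events: List[str]) -> int:
    """Sum the weights of the distinct behaviours observed (unknown names score 0)."""
    return sum(HEURISTIC_WEIGHTS.get(event, 0) for event in set(events))


def classify(sample: bytes, events: List[str]) -> dict:
    """Combine both methods: a signature hit is conclusive, heuristics need the threshold."""
    signature = scan_signatures(sample)
    score = score_behaviour(events)
    malicious = signature is not None or score >= HEURISTIC_THRESHOLD
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),
        "signature": signature,
        "heuristic_score": score,
        "verdict": "malicious" if malicious else "clean",
        "detected_by": "signature" if signature else ("heuristics" if malicious else None),
    }


# Constructed samples and the behaviours "observed" for each.
KNOWN_SAMPLE = b"MZ\x90\x00" + bytes(16) + b"EVIL_PAYLOAD_v1\x00\xde\xad\xbe\xef"
KNOWN_EVENTS = ["opens_network_listener"]

# A never-seen-before sample: no signature can match it, only its behaviour gives it away.
UNKNOWN_SAMPLE = b"MZ\x90\x00" + bytes(range(32, 127))
UNKNOWN_EVENTS = ["disables_antivirus_service", "mass_file_encryption", "reads_documents_folder"]

# A benign installer: a couple of mildly suspicious behaviours, below the threshold.
BENIGN_SAMPLE = b"MZ\x90\x00 Setup.exe - Example Installer"
BENIGN_EVENTS = ["writes_to_startup_folder", "reads_documents_folder"]

# A legitimate backup tool that encrypts the user's documents: heuristics flag it
# anyway, which is the false-positive cost of behaviour-based detection.
BACKUP_SAMPLE = b"MZ\x90\x00 backup-agent"
BACKUP_EVENTS = ["reads_documents_folder", "mass_file_encryption"]

if __name__ == "__main__":
    for label, sample, events in [
        ("known trojan", KNOWN_SAMPLE, KNOWN_EVENTS),
        ("unknown sample", UNKNOWN_SAMPLE, UNKNOWN_EVENTS),
        ("benign installer", BENIGN_SAMPLE, BENIGN_EVENTS),
        ("backup tool", BACKUP_SAMPLE, BACKUP_EVENTS),
    ]:
        result = classify(sample, events)
        print(f"{label:16} {result['verdict']:9} via {result['detected_by']} "
              f"(score {result['heuristic_score']}, sig {result['signature']})")
```

Signature matching is precise but blind to anything not yet in the database; behaviour scoring catches the unknown sample but also trips on the backup tool, so real products combine both and let the vendor tune weights against a large corpus of clean software.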

Of the following choices, which one is NOT a valid method to reduce malware infections? A. Don't open attachments from unsolicited e-mails. B. Don't click links in unsolicited e-mails. C. Don't send encrypted personal information via e-mail. D. Don't follow shortened links from unknown sources.

C. If you need to send personal information via e-mail, the best choice is to send it in an encrypted format. All of the other choices are valid methods to reduce malware infections.

A company authorizes users to transport data from work to home using USB drives. What's the best method of protecting systems from malware without affecting the user? A. Install AV software on the network firewall B. Install AV software on the e-mail server C. Install AV software on each user's work computer D. Prevent users from using USB drives

C. Installing AV software on each user's work computer provides the best protection against a user inadvertently transporting malware from home to work. Installing software on the network firewall and on an e-mail server is a good practice, but it won't help if the virus is transported via a USB drive. Preventing the users from using USB drives will affect the users.

Your organization mandates security training for users within its security policy to educate users about malware and methods to prevent malware infections. What is the best description of this effort? A. A detective control B. A corrective control C. A preventive control D. A technical control

C. Training is a preventive control because it attempts to prevent incidents from occurring. Detective controls attempt to detect incidents, and corrective controls attempt to reverse the effects of an incident. Technical controls use technology to implement the control, but training doesn't require technology.

Which of the following malware types alters its own code to avoid detection by antivirus software? A. Armored virus B. Metamorphic virus C. Polymorphic virus D. Ransomware

B. A metamorphic virus rewrites its own code as it replicates (reordering instructions, substituting equivalent instruction sequences, inserting junk), so each copy has different code with the same function and no fixed body exists for a signature to match. An armored virus uses techniques such as encryption and anti-debugging tricks to make it harder for AV researchers to decompile and analyze it. A polymorphic virus changes its outward appearance, typically by encrypting its body under a new key for each copy and varying the small decryption routine, but the code that runs after decryption is the same every time. Ransomware takes over a user's computer or data and demands a monetary ransom to return control to the user.
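The polymorphic case in practice, as an added Python example that is not part of the original study set: five generations of a toy "polymorphic" sample share one decryptor stub and one underlying payload, yet every file has different bytes and a different hash. The payload is an inert text string, the stub is a constant marker standing in for a real decryption routine, and the XOR "cipher" and file layout are assumptions for illustration; nothing here executes anything.

```python
"""Why a byte signature on the payload fails against a polymorphic virus.

Added example, not part of the original study set. The "payload" is an inert
text string, the decryptor "stub" is a constant marker standing in for the
real decryption routine, and every function is a pure transformation of
bytes; nothing is executed.
"""
import hashlib
import random
from typing import List

PAYLOAD = b"INERT_DEMO_PAYLOAD: the malicious logic would live here"  # constructed, inert
STUB_MARKER = b"\xeb\x10DECRYPT_STUB"  # constructed stand-in for the decryptor code


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest "encryption" a polymorphic engine might use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes, key: bytes) -> bytes:
    """One polymorphic generation: fixed stub, fresh key, payload encrypted under it.

    Layout (assumed for this demo): STUB_MARKER | key length (1 byte) | key | XOR(payload, key)
    """
    if len(key) == 0 or len(key) > 255 or key == bytes(len(key)):
        raise ValueError("key must be 1..255 bytes and not all zero")
    return STUB_MARKER + bytes([len(key)]) + key + xor_bytes(payload, key)


def decode_variant(variant: bytes) -> bytes:
    """What the stub does at run time: recover the identical payload from any variant."""
    body = variant[len(STUB_MARKER):]
    key_len = body[0]
    key = body[1:1 + key_len]
    return xor_bytes(body[1 + key_len:], key)


def generate_variants(count: int, key_len: int = 8, seed: int = 1) -> List[bytes]:
    """Produce `count` variants with distinct random keys (seeded so runs are reproducible)."""
    rng = random.Random(seed)
    variants = []
    for _ in range(count):
        key = bytes(rng.randrange(1, 256) for _ in range(key_len))  # no zero bytes
        variants.append(make_variant(PAYLOAD, key))
    return variants


def count_matches(signature: bytes, samples: List[bytes]) -> int:
    """How many samples a naive substring signature would catch."""
    return sum(1 for s in samples if signature in s)


def distinct_hashes(samples: List[bytes]) -> int:
    """Number of distinct SHA-256 values: one per variant means hash blocklists fail too."""
    return len({hashlib.sha256(s).hexdigest() for s in samples})


if __name__ == "__main__":
    variants = generate_variants(5)
    print("distinct file hashes:", distinct_hashes(variants))
    print("payload signature hits:", count_matches(PAYLOAD, variants), "of", len(variants))
    print("stub signature hits:", count_matches(STUB_MARKER, variants), "of", len(variants))
    print("all decode to the same payload:", all(decode_variant(v) == PAYLOAD for v in variants))
```

A signature taken from the decrypted payload matches none of the variants, while one taken from the unchanging stub matches all of them, which is why AV products target decryptor routines and also emulate a sample long enough for it to decrypt itself before scanning the recovered body. Real polymorphic engines also vary the stub (register renaming, junk instructions), and a metamorphic virus rewrites the whole body with no fixed decrypted form at all, so there is no stable bytes to match and behaviour-based detection carries more of the load.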

A website developer wants to provide assurances to users that ActiveX controls used on the site are not malicious. What can provide this assurance? A. Input validation B. Code signing C. Code review D. Enabling cross-site scripting

B. Code signing digitally signs ActiveX controls and assures users of who published the control and that it has not been modified since it was signed. Strictly, a valid signature proves origin and integrity, not that the code is benign; the user is trusting the signer's identity and reputation, and a stolen signing key signs malware just as well. Input validation helps prevent injection attacks, but it protects the website itself rather than providing assurance to users. Code review is a valuable tool to detect problems with applications before an organization releases them. Cross-site scripting is an attack and would not be enabled.

When Sally turns her computer on, she sees a screen indicating software has encrypted all of her data files. A message indicates she must pay $300 within 48 hours to access the decryption key. What does this describe? A. Logic bomb B. Ransomware C. Worm D. Spyware

B. Ransomware takes control of a user's computer or data, here by encrypting the data files, and demands payment to return control. The scenario matches crypto-ransomware such as CryptoLocker. A logic bomb is malware that executes in response to an event such as a specific date and time. Worms infect computers over a network; a worm can carry ransomware as its payload, but not all worms do. Spyware is software installed on a user's system without the user's knowledge with the goal of spying on the user, not extorting money from the user.

Of the following choices, what is the best technique you can implement on an e-mail server to reduce infection through e-mail? A. Block all e-mail B. Add a spam filter C. Add a polymorphic filter D. Remove all attachments

B. A large share of e-mail-borne malware arrives as spam, as malicious attachments or links in unsolicited messages, so a spam filter on the server reduces infections through e-mail while letting legitimate mail through. An e-mail server that blocks all e-mail or strips all attachments defeats its own purpose. E-mail servers don't have polymorphic filters; polymorphism is an evasion technique used by malware authors, not a category of filter.

Of the following choices, which one is a principle that prevents users from accidentally installing malicious software on their systems? A. Nonrepudiation B. Least privilege C. Separation of duties D. Accountability

B. The principle of least privilege specifies that users are given rights and privileges to do their job but no more. If a user doesn't need to install applications, the user is not given permission to do so, which reduces the possibility of the user accidentally installing malware. Nonrepudiation prevents a person from denying an action. Separation of duties divides tasks so that no single person or entity controls an entire process. Accountability ensures that user actions can be tracked and monitored.

A software application appears to have a useful purpose, but it includes malicious code. What does this describe? A. A virus B. A backdoor C. A worm D. A Trojan horse

D. A Trojan horse appears to be something useful to the user but includes malicious code or malware. While Trojans often include viruses and backdoors, not all viruses and backdoors come from Trojans. Worms travel over the network and are not embedded in software applications.

What type of malware takes control of the operating system at the kernel level? A. Trojan horse B. Worm C. Keylogger D. Rootkit

D. A rootkit is a set of programs that runs on a system, largely undetected, because it runs at the kernel level or root level of the operating system. A Trojan horse is malware that looks like one thing but is something else. A worm is a type of malware that spreads through a network without any user intervention. A keylogger captures keystrokes from users.

Of the following choices, what network device can filter e-mail, spam, and malware? A. Packet-filtering firewall B. Proxy server C. An intrusion detection system D. Content-filtering appliance

D. A content-filtering appliance inspects message and web content, so it can filter e-mail to remove spam and malicious attachments; many such appliances also act as a proxy server or include intrusion detection (IDS) functions. A packet-filtering firewall examines packet headers (addresses, ports, protocol) and makes no decision based on message content. A proxy server can filter web traffic but not e-mail. An IDS detects attacks but does not filter e-mail or spam.

After visiting a website, a user sees a pop-up indicating a virus has infected his system and offering free antivirus software. He downloads the free antivirus software, but finds that it won't clean the virus unless he purchases the full version. What does this describe? A. Shareware B. Rootkit C. Freeware D. Scareware

D. Scareware is malware that scares users into thinking a virus has infected their system and encourages them to install a free download. The free download appears as antivirus software that doesn't remove viruses unless users pay, but it often includes malware itself. Shareware is software that users are free to try and pay for if they like it and continue to use it. A rootkit takes over the system with root-level privileges. Freeware is free software.

What provides a standardized method of describing malware? A. The Consortium of Antivirus Vendors (CAV) B. The Consortium of Virus Authors (CVA) C. The National Institute of Standards and Technology (NIST) D. The Common Vulnerabilities and Exposures (CVE) list

D. Of the choices, only the CVE list exists and is a standardized enumeration, maintained by the MITRE Corporation. Strictly, CVE assigns standardized identifiers (CVE-YYYY-NNNN, four or more digits) to publicly disclosed vulnerabilities and exposures; it does not catalog malware samples or exploits as such, so the question's wording is loose, but none of the other choices fits. There is no such thing as the Consortium of Antivirus Vendors (CAV) or the Consortium of Virus Authors (CVA). NIST is a U.S. government agency that publishes standards and practice guides related to IT security (and operates the National Vulnerability Database, which builds on CVE identifiers), but it does not maintain the CVE list itself.

