Security + (SY0-501) 1.1
Once a boot sector virus infection is discovered, how will an administrator remove it from the computer?
Boot from a clean source and rewrite the master boot record (MBR) (The correct approach is to boot from a clean source, such as a DVD, and rewrite (overwrite) the infected MBR.)
A network administrator suspects that several computers on the network have been compromised by malware because of the large numbers of TCP connections to a single IP address. Upon checking the IP address' origin, the administrator finds that it belongs to a major political action committee. Which type of malware has infected this network?
Botnet (A botnet infects multiple computers on a network in order to attack a target to halt its operation through a Distributed Denial of Service (DDoS) attack.)
Anti-malware software has evolved to combat various types of malware. For example, pure signature-based anti-malware is no longer used. Which type of virus has been eradicated from the attack surface due to these more sophisticated detection and removal techniques?
Camouflage
Although malware programmers are blamed for the increase of widespread malware infections, which of the following is perhaps the number one factor contributing to malware infections?
Careless computer users (Careless computer users download unverified programs, visit malicious websites, and open email attachments that carry malware.)
Viruses and worms both self-replicate (self-propagate) but worms distinguish themselves from viruses in that a worm's purpose is to do what to an infected network?
Disrupt by crippling network bandwidth (Worms are designed to spread by disrupting networks with connections to other networked devices, so it can self-replicate. Self-replication without user interaction is a characteristic of worms.)
Which action should a system administrator take to prevent further infection of computers on a network from being infected with keylogger software or hardware?
Distribute keystroke-encrypting keyboards to all users (Encrypting keyboards prevents any type of keylogger from capturing keystrokes as the user enters them.)
A user found that their personal data had been exfiltrated from their computer by a malicious program that they clicked on several weeks ago. Which type of malware infected the user's system?
Spyware (The user was infected by spyware; whose purpose is to exfiltrate user data to an external location.)
What is the initial goal for an attacker who wants to access a network via backdoor attack?
To gain command and control of the target network (The attacker wants to initially gain command and control of a network.)
A malicious actor has contacted multiple individuals at a company over multiple months in order to convince unsuspecting users to execute a malicious file on their systems. By doing so, the actor could covertly gain control of those systems and establish a presence inside the network. Which type of malware was the actor attempting to have the users execute?
Trojan horse (The malicious actor (caller) is using social engineering tactics to have the victims execute a Trojan horse so that he or she can gain control of at least one computer inside the target network. This could be by sending the victims a file and requesting they open it.)
A user has contracted a virus that an anti-virus program detects but cannot remove or quarantine. After investigating further, a system administrator notes that the virus is very large but impossible to remove. With which type of virus is the administrator likely dealing?
Armored (An armored virus is extremely difficult to remove because of the many methods it uses to avoid removal. Detection is also not always easy but armored viruses tend to be large because of the extra code required to become armored.)
The Mydoom worm is considered to be the worst worm incident of its type in virus history. Which method do worms, such as Mydoom, commonly use to rapidly spread themselves to millions of computers?
Email (Email is the most common method used by worms, such as Mydoom, to spread themselves across several computers.)
In addition to a lockout screen, ransomware can deny a user access to files by using which of the following methods?
Encryption (Ransomware often uses a password locking screen or, in more damaging scenarios, encryption to deny the victim access to files. Encrypting a victim's data ensures those files are unusable unless the victim can decrypt them. This is often referred to as crypto-malware.)
Which of the following is a type of a classic virus that infects executable files, and upon execution of an infected file, infects other files?
File-infecting (File-infecting or classic viruses infect executable files, and upon execution of an infected file, the viruses spread to other executables.)
Keyloggers appear in two different forms or types. Identify the two types of keyloggers.
Hardware and software (Keyloggers can be hardware- or software-based. There are keylogger devices that a malicious actor can attach to a computer, or keylogger software can be installed on a system.
How is a remote access Trojan (RAT) different from a regular Trojan horse?
It is a specialized, stealthy Trojan horse designed to mimic functionality of legitimate remote-control programs. (A remote access Trojan (RAT) is a specialized Trojan horse that mimics the functionality of legitimate remote-control program and is designed specifically for stealth installation and operation.)
A rootkit is a particularly dangerous type of malware. What makes it so dangerous?
It takes control of a system at the lowest levels while attempting to hide from detection. (A rootkit is so dangerous because it is designed to hide from normal detection methods. Rootkits attempt to integrate at the "root" or lowest level of a computer system, providing access to an attacker. Once an attacker has administrative privileges, they can further mask their activities, making detection nearly impossible.)
Most malware infections occur when computer users accidentally download, click, or open a malicious program via the web or email. Malware being sent to users is often a result of a malware attack or campaign. Which of the following malware types is NOT typically part of a malware campaign or attack?
Logic bomb (A logic bomb is a piece of code (often as part of a legitimate piece of software) that sits dormant on a target computer until an event triggers it, such as a specific date and time. The user was not phished, emailed, or tricked into installing this type of malware and is not typically part of a malware attack or campaign.)
Which feature makes logic bomb malware very difficult to detect and to prevent?
Logic bomb code is inserted during program development and is part of the standard program code. (Logic bomb code is inserted during program development and is part of the standard program code. Programmers often add logic bombs to execute if a user does not pay for a software license.)
Which action will determine whether a system has a malware infection?
Positive results from a malware scan (Positive results from a malware scan is the action that alerts the user or the administrator that a system is infected.)
If a rootkit is discovered or suspected on a system, what is the general recommendation for cleaning the infected computer?
Reinstall the operating system and applications from scratch (The recommendation is to reinstall the operating system and applications from scratch because rootkits are extremely hard to fully detect and remove can leave corruption and remnants behind even after cleaning.)
A user experiences an unusual and noticeable slowness when connecting to the Internet and other network resources, such as file shares and printers. What course of action does an administrator take in order to investigate further?
Scan with an anti-malware program (Scanning the computer with an anti-malware program is a better option than the rest of the options because it removes all doubts about malware infection.)
A system administrator has just spent three full days fighting a significant virus infestation on the network. One computer after another became infected during this time. Which virus feature caused multiple computers to become infected?
Self-replicating (Self-replication is the virus feature that causes multiple infections on a network and results in rapid virus spread.)
What is the major benefit to an attacker using a so-called backdoor attack?
The backdoor can help the attacker break into a target's infrastructure without being discovered. (Backdoors, which can exist for legitimate remote access, can also allow attackers into a network without discovery.)
A network administrator had their entire network converted into a botnet. Which type of malware infection did the network administrator find during an investigation?
Worm (A worm infection is the most likely the cause for an entire network to be turned to botnets. A worm's primary function is usually to spread. Worms that do carry payloads often turn computers into remote zombies that an attacker can use to launch other attacks from.)
