T F 1. Malicious software aims to trick users into revealing sensitive personal data.
T F 2. Keyware captures keystrokes on a compromised system.
T F 3. Metamorphic code is software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
T F 4. A virus that attaches to an executable program can do anything that the program is permitted to do.
T F 5. It is not possible to spread a virus via a USB stick.
T F 6. A logic bomb is the event or condition that determines when the payload is activated or delivered.
T F 7. Many forms of infection can be blocked by denying normal users the right to modify programs on the system.
T F 8. A macro virus infects executable portions of code.
T F 9. E-mail is a common method for spreading macro viruses.
T F 10. In addition to propagating, a worm usually carries some form of payload.
T F 11. A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.
T F 12. Packet sniffers are mostly used to retrieve sensitive information like usernames and passwords.
T F 13. A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.
T F 14. Every bot has a distinct IP address.
T F 15. Programmers use backdoors to debug and test programs.
MULTIPLE CHOICE QUESTIONS:
1. A program that is covertly inserted into a system with the intent of compromising the integrity or confidentiality of the victim’s data is __________.
A. Adobe B. Animoto
C. malware D. Prezi
2. __________ are used to send large volumes of unwanted e-mail.
A. Rootkits B. Spammer programs
C. Downloaders D. Auto-rooter
3. A __________ is code inserted into malware that lies dormant until a predefined condition, which triggers an unauthorized act, is met.
A. logic bomb B. trapdoor
C. worm D. Trojan horse
4. The term “computer virus” is attributed to __________.
A. Herman Hollerith B. Fred Cohen
C. Charles Babbage D. Albert Einstein
5. Computer viruses first appeared in the early __________.
A. 1960s B. 1970s
C. 1980s D. 1990s
6. The __________ is what the virus “does”.
A. infection mechanism B. trigger
C. logic bomb D. payload
7. The __________ is when the virus function is performed.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
8. During the __________ the virus is idle.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
9. A __________ uses macro or scripting code, typically embedded in a document and triggered when the document is viewed or edited, to run and replicate itself into other such documents.
A. boot sector infector B. file infector
C. macro virus D. multipartite virus
10. __________ is the first function in the propagation phase for a network worm.
A. Propagating B. Fingerprinting
C. Keylogging D. Spear phishing
11. Unsolicited bulk e-mail is referred to as __________.
A. spam B. propagating
C. phishing D. crimeware
12. __________ is malware that encrypts the user’s data and demands payment in order to access the key needed to recover the information.
A. Trojan horse B. Ransomware
C. Crimeware D. Polymorphic
13. A __________ attack is a bot attack on a computer system or network that causes a loss of service to users.
A. spam B. phishing
C. DDoS D. sniff
14. The ideal solution to the threat of malware is __________.
A. identification B. removal
C. detection D. prevention
15. __________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious actions.
A. Fingerprint-based scanners B. Behavior-blocking software
C. Generic decryption technology D. Heuristic scanners
SHORT ANSWER QUESTIONS:
1. A _________ is a set of programs installed on a system to maintain covert access to that system with administrator (root) privileges while hiding evidence of its presence.
2. A __________ uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack.
3. A computer __________ is a piece of software that can “infect” other programs or any type of executable content and tries to replicate itself.
4. Sometimes referred to as the “infection vector”, the __________ is the means by which a virus spreads or propagates.
5. Sometimes known as a “logic bomb”, the __________ is the event or condition that determines when the payload is activated or delivered.
6. The four phases of a typical virus are: dormant phase, triggering phase, execution phase and __________ phase.
7. During the __________ phase the virus is activated to perform the function for which it was intended.
8. A __________ virus is explicitly designed to hide itself from detection by anti-virus software.
9. __________ code refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
10. A __________ is when a user views a Web page controlled by the attacker that contains code that exploits a browser bug and downloads and installs malware on the system without the user’s knowledge or consent.
11. A __________ is a collection of bots capable of acting in a coordinated manner.
12. A bot can use a __________ to capture keystrokes on the infected machine to retrieve sensitive information.
13. Countermeasures for malware are generally known as _________ mechanisms because they were first developed to specifically target virus infections.
14. Developed by IBM and refined by Symantec, the __________ provides a malware detection system that will automatically capture, analyze, add detection and shielding, or remove new malware and pass information about it to client systems so the malware can be detected before it is allowed to run elsewhere.
15. __________ technology is an anti-virus approach that enables the anti-virus program to easily detect even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds.
Chapter 6 – Malicious Software
Answer Key
TRUE/FALSE QUESTIONS:
1. T
2. F
3. F
4. T
5. F
6. T
7. T
8. F
9. T
10. T
11. T
12. T
13. F
14. T
15. T
MULTIPLE CHOICE QUESTIONS:
1. C
2. B
3. A
4. B
5. C
6. D
7. D
8. A
9. C
10. B
11. A
12. B
13. C
14. D
15. B
SHORT ANSWER QUESTIONS:
1. rootkit
2. blended attack
3. virus
4. infection mechanism
5. trigger
6. propagation
7. triggering
8. stealth
9. Mobile
10. drive-by-download
11. botnet
12. keylogger
13. anti-virus
14. digital immune system
15. Generic decryption (GD)
Chapter 7 – Denial-of-Service Attacks
TRUE/FALSE QUESTIONS:
T F 1. A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.
T F 2. DoS attacks cause damage or destruction of IT infrastructures.
T F 3. A DoS attack targeting application resources typically aims to overload or crash its network handling software.
T F 4. The SYN spoofing attack targets the table of TCP connections on the server.
T F 5. A cyberslam is an application attack that consumes significant resources, limiting the server’s ability to respond to valid requests from other users.
T F 6. The source of the attack is explicitly identified in the classic ping flood attack.
T F 7. Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
T F 8. SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.
T F 9. The attacker needs access to a high-volume network connection for a SYN spoof attack.
T F 10. Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
T F 11. The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
T F 12. A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
T F 13. Slowloris is a form of ICMP flooding.
T F 14. Reflector and amplifier attacks use compromised systems running the attacker’s programs.
T F 15. There is very little that can be done to prevent a flash crowd.
MULTIPLE CHOICE QUESTIONS:
1. ______ relates to the capacity of the network links connecting a server to the wider Internet.
A. Application resource B. Network bandwidth
C. System payload D. Directed broadcast
2. A ______ triggers a bug in the system’s network handling software, causing it to crash so that the system can no longer communicate over the network until this software is reloaded.
A. echo B. reflection
C. poison packet D. flash flood
3. Using forged source addresses is known as _________.
A. source address spoofing B. a three-way address
C. random dropping D. directed broadcast
4. The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
A. DNS amplification attack B. SYN spoofing attack
C. basic flooding attack D. poison packet attack
5. TCP uses the _______ to establish a connection.
A. zombie B. SYN cookie
C. directed broadcast D. three-way handshake
6. _______ bandwidth attacks attempt to take advantage of the disproportionally large resource consumption at a server.
A. Application-based B. System-based
C. Random D. Amplification
7. _______ is a text-based protocol with a syntax similar to that of HTTP.
A. RIP B. DIP
C. SIP D. HIP
8. Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______.
A. trailing B. spidering
C. spoofing D. crowding
9. ______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete.
A. HTTP B. Reflection attacks
C. SYN flooding D. Slowloris
10. A characteristic of reflection attacks is the lack of _______ traffic.
A. backscatter B. network
C. three-way D. botnet
11. In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable.
A. SYN spoofing attacks B. indirect flooding attacks
C. ICMP attacks D. system address spoofing
12. In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
A. SYN flood B. DNS amplification
C. poison packet D. UDP flood
13. It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code.
A. three-way handshake B. UDP flood
C. SYN spoofing attack D. flash crowd
14. Modifying the system’s TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed, is _______.
A. poison packet B. slashdot
C. backscatter traffic D. random drop
15. When a DoS attack is detected, the first step is to _______.
A. identify the attack B. analyze the response
C. design blocking filters D. shut down the network
SHORT ANSWER QUESTIONS:
1. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are known as _______ traffic.
2. _____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.
3. The standard protocol used for call setup in VoIP is the ________ Protocol.
4. Requests and _______ are the two different types of SIP messages.
5. A _______ flood refers to an attack that bombards Web servers with HTTP requests.
6. During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system, and when the intermediary responds, the response is sent to the target.
7. In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.
8. ______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.
9. The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.
10. The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification, and _______.
11. Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, an _______ is best placed to ensure that valid source addresses are used in all packets from its customers.
12. A ______ is a graphical puzzle used to attempt to identify legitimate human-initiated interactions.
13. To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel for your ISP(s).
14. If an organization is dependent on network services it should consider mirroring and ________ these servers over multiple sites with multiple network connections.
15. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
Chapter 7 – Denial-of-Service Attacks
Answer Key
TRUE/FALSE QUESTIONS:
1. T
2. F
3. F
4. T
5. T
6. T
7. F
8. T
9. F
10. T
11. T
12. T
13. F
14. F
15. T
MULTIPLE CHOICE QUESTIONS:
1. B
2. C
3. A
4. B
5. D
6. A
7. C
8. B
9. D
10. A
11. A
12. B
13. C
14. D
15. A
SHORT ANSWER QUESTIONS:
1. backscatter
2. Flooding
3. Session Initiation
4. responses
5. HTTP
6. reflection
7. spoofed source
8. Amplification
9. IP-directed
10. attack reaction
11. ISP
12. captcha
13. incident response
14. replicating
15. denial-of-service (DoS)