Deck 3: Malicious Code

A) Remote Authentication Terminal
B) Someone that reports the activities of a coworker to management
C) Remote Access Tool
D) The Reveal - Access - Target, model of malicious activity

A) Tayzia will have to work overtime (unpaid, this is IT after all) trying to figure out where all the MP3s are being hid on the network.
B) Clearly someone is using BitTorrent to download the first season of "Star Trek: Deep Space Nine"
C) Something on her network is trying to access IRC, and it might be an infected host.
D) These are common administrative ports for Citrix or Oracle or something. She doesn't remember because during that discussion in her training class she was answering an email instead of listening. Either way, there is no need to investigate; it is probably just a false positive.

A) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
B) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunStart
C) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Startup
D) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\StartOnBoot

A) UPF scans are common license tracking mechanisms and should always be ignored. The port belongs to an old tool no one uses anymore and therefore poses no threat.
B) Larry should download the 27001 spec and pour through it word for word until it tells him what to do
C) Larry should run "Zombie P0wn3r" a tool he got from the last Defcon security conference he attended that was guaranteed to wipe out all malicious servers.
D) The traffic is being sent from a tool, and based on port 31337, the assumption could be this is this is a Back Orifice scan.

A) netstat -an
B) nbtstat -an
C) netports -all
D) Ipconfig --open-ports

A) Assume it is a virus again and go buy a new computer
B) Call Microsoft and demand they fix their stinking operating system because he is tired of this garbage
C) Check to see if his laptop has a keyboard shortcut for rotating the display, he may have accidently hit
It)
D) Download every freeware scanner he can find and spend the next three days looking for the malicious code.

A) Monkey shell
B) STunnel
C) HTTrack
D) Loki

A) Wrapper
B) Masher
C) Squisher
D) Flux Capacitor

A) HKEY_LOCAL_MACHINE\SOFTWARE\Services\Microsoft\Updates
B) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServicePacks
C) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Patches
D) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates

A) RPC-SMTP Trojan
B) VNC remote desktop
C) Hardware keylogger
D) Screenshot spytool

A) Regmon
B) Rootkit Revealer
C) Registry Revealer
D) Registry Baseliner

A) Rootkit
B) Trojan horse
C) Shrink-wrap code
D) Illicit Server

A) Multipartite
B) Metamorphic
C) Polymorphic
D) Stealth Virus

A) Release, Detection, Removal
B) Invention, release, detection
C) Infection, Spreading, Attack
D) Spreading, Attack, Infection

A) Cavity Virus
B) Polymorphic Virus
C) Metamorphic Virus
D) File descriptor Virus

A) Heuristic
B) Anomaly
C) Host based
D) PUP Analysis

A) Rootkit Revealers
B) Firewalls and Virtual Private Networks
C) Anti-Phishing, Anti-Malware etc
D) File Integrity Verification tools

A) Metamorphic Virus
B) Polymorphic Virus
C) XOR Virus
D) Stealth Virus

A) Viruses such as Polymorphic and Metamorphic are too sophisticated to be stopped.
B) Nuisances such as Spam will never go away and the attackers are always one step ahead.
C) "Zero-day" exploits are constantly being discovered and cannot be defended against.
D) People are always the weakest link. Untrained users, careless users, and inside attackers are always a risk.

A) Boot Sector
B) System level viruses
C) Multi-partite viruses
D) Macro viruses

A) Elk Cloner
B) Morris
C) Strange Brew
D) FU

A) Blaster
B) Slammer
C) Code Red
D) Nimda

A) Code Red got to her web server
B) An attacker used a fuzzer to overflow the query string
C) Class case of Michelangelo
D) The Nachi worm found her site and successfully exploited it.

A) Pretty Park
B) Storm
C) Nachi / Welchia
D) I Love You

A) Design, Replication, Infection, Detection, Incorporation, Elimination
B) Design, Replication, Monitoring, Detection, Incorporation, Elimination
C) Design, Replication, Launch, Detection, Elimination, Incorporation
D) Design, Replication, Launch, Detection, Incorporation, Elimination

A) Kelly is being helpful. Coworkers watching out for events like this and helping one another is critical to any working security program.
B) This looks like a hoax. If Kelly is even a real person she should be fired on the spot, since hoaxes are considered as dangerous as actual viruses.
C) Hoaxes are considered as dangerous as actual viruses and this could be an indication that training is in order for more people than just Kelly
D) An investigation should be conducted to find out if Kelly was attempting a hoax or was herself social engineered.

A) She will open the attachment and it will be from a long lost partner she has been hoping to get back in touch with for years.
B) The file is really named "iloveyou.txt.vbs" and is a well known classic trick to spread a macro virus
C) Her boss sent her this as a practical joke to see if she would open it, but its harmless
D) A Windows will pop open to a command shell and a lot of noise will come from her speakers. The shell will say "Will you marry me?" the email was from her finacee.

A) Stack
B) Page
C) Heap
D) Pile

A) Load / Unload
B) Push / Pop
C) Get / Put
D) Retrieve / Return

A) strcpy
B) strcat
C) wcscpy
D) fgets
E) malloc

A) An overflow has been attempted
B) A overflow was succesful
C) The stack has crashed
D) The host based IDS caught the event

A) If we have written 300 characters to the buffer variable, the function should stop because it cannot hold any more data
B) If we have written more than 300 characters to the buffer variable, the function should stop because it cannot hold any more data
C) If we have written less than 300 characters to the buffer variable, the function should stop because it cannot hold any more data
D) If we have written less than or equal to 300 characters to the buffer variable, the function should stop because it cannot hold any more data

A) 0xA4\0x23\0xFE\0x65\0xA5\0x65\0xAE\0x5B
B) 0xFF\0xFF\0xFF\0xFF\0xFF\0xFF\0xFF\0xFF\
C) 0x00\0x0D\0x0A\0xFF\0x00\0x0D\0x0A\0xFF\
D) 0x90\0x90\0x90\0x90\0x90\0x90\0x90\0x90\

A) EIP
B) ESP
C) ERP
D) EXP

A) Bytecode
B) Shellcode
C) NOP Sled
D) Canary bytes

A) ActiveX
B) Assembly
C) Java
D) C++

A) Whatever the user was when they visited the page
B) IUSR_[computer name]
C) System or Administrator
D) Internet_Explorer

A) Jill.c
B) iishack2000.c
C) iis5hack.zip
D) john the printer

A)POST /iisstart.asp HTTP/1.1
B)Accept: */*
C)Host: acme.com
D)Content

A) void foo()
B) myMethod
C) strcpy
D) fgets

A) Buffer overflows always have system
B) Buffer overflows always have root, or admin
C) The same context of the service or application that was running
D) Its indetermined, depends on the exploit

A) Distributed Denial of Service that relies on accidental traffic
B) Denial of Service based on a well known LSASS vulnerability
C) Distributed Denial of Service that overloads resources
D) Denial of Service that requires human interaction to restore service

A) Land
B) Fraggle
C) Smurf
D) Ping of Death

A) A 0-day attack that researchers have not yet identified
B) An attack that have not been identified by the IDS
C) Reducing offset values to cause a short packet on reassembly
D) Increasing offset values to cause a long packet on reassembly

A) Her internet filter is metering her usage and throttling her down
B) Her ISP sucks
C) The website she is visiting is down
D) Her host is vulnerable to slammer.

A) He is referring to a character in his video game, but the boss doesn't realize this
B) He just gave the boss a simple explanation for a real attack knowing he wouldn't understand the right
One
C) The high order bit in the fragment offset field is set, but it is supposed to be reserved with a value 0, and most IP stacks have not been updated to understand it. It crashes the system
D) This is an IT inside Joke

A) Tribe Flood Network
B) Trinoo
C) C2myazz
D) Stacheldraht

A) SYN Flood
B) Smurf
C) Ping of Death
D) Stachledraught

A) Zertifizierte
B) Stacheldraht
C) Barbenkwier
D) Zschwiedlfenken

A) UDP Flood
B) Jolt2
C) Blast
D) MStream

A) SPI Firewall
B) SYN Cookies
C) Block all flags with the SYN flag set, in or out
D) Disable outgoing SYN traffic

A) TFN2K
B) Targa
C) Kismet
D) Wikto

A) Ping of Death
B) Invite of Death
C) Generate false positives on the IDS that Lee will have to explain
D) Nothing, packets can be up to 2^32 in size because the Datagram length field is 15 bits and the 16th bit is a multiplier.

A) Smurf attack
B) Fraggle attack
C) FrickaFrack Attack
D) SmallService Attack

A) Defining private IPs
B) Defining internal networks
C) Anti-NAT attacks
D) Anti-spoofing

A) A packet that causes a kernel panic
B) A packet that causes a broadcast storm
C) A packet than contains a virus
D) A packet that causes a BSOD