
Certified Ethical Hacker Exam 312-50 Assessment Test - Part 6


 

Review Questions


1. What is a wrapper?

A. A Trojaned system

B. A program used to combine a Trojan and legitimate software into a single executable

C. A program used to combine a Trojan and a backdoor into a single executable

D. A way of accessing a Trojaned system


2. What is the difference between a backdoor and a Trojan?

A. A Trojan usually provides a backdoor for a hacker.

B. A backdoor must be installed first.

C. A Trojan is not a way to access a system.

D. A backdoor is provided only through a virus, not through a Trojan.


3. What port does Tini use by default?

A. 12345

B. 71

C. 7777

D. 666


4. Which is the best Trojan and backdoor countermeasure?

A. Scan the hard drive on network connection, and educate users not to install unknown software.

B. Implement a network firewall.

C. Implement personal firewall software.

D. Educate systems administrators about the risks of using systems without firewalls.

E. Scan the hard drive on startup.


5. How do you remove a Trojan from a system?

A. Search the Internet for freeware removal tools.

B. Purchase commercially available tools to remove the Trojan.

C. Reboot the system.

D. Uninstall and reinstall all applications.


6. What is ICMP tunneling?

A. Tunneling ICMP messages through HTTP

B. Tunneling another protocol through ICMP

C. An overt channel

D. Sending ICMP commands using a different protocol


7. What is reverse WWW shell?

A. Connecting to a website using a tunnel

B. A Trojan that connects from the server to the client using HTTP

C. A Trojan that issues commands to the client using HTTP

D. Connecting through a firewall


8. What is a covert channel?

A. Using a communications channel in a way that was not intended

B. Tunneling software

C. A Trojan removal tool

D. Using a communications channel in the original, intended way


9. What is the purpose of system file verification?

A. To find system files

B. To determine whether system files have been changed or modified

C. To find out if a backdoor has been installed

D. To remove a Trojan


10. Which of the following is an example of a covert channel?

A. Reverse WWW shell

B. Firewalking

C. SNMP enumeration

D. Steganography


11. What is the difference between a virus and a worm?

A. A virus can infect the boot sector but a worm cannot.

B. A worm spreads by itself but a virus must attach to an email.

C. A worm spreads by itself but a virus must attach to another program.

D. A virus is written in C++ but a worm is written in shell code.


12. What type of virus modifies itself to avoid detection?

A. Stealth virus

B. Polymorphic virus

C. Multipartite virus

D. Armored virus


13. Which virus spreads through Word macros?

A. Melissa

B. Slammer

C. Sobig

D. Blaster


14. Which worm affects SQL servers?

A. Sobig

B. SQL Blaster

C. SQL Slammer

D. Melissa


15. Which of the following describes armored viruses?

A. Hidden

B. Tunneled

C. Encrypted

D. Stealth


16. What are the three methods used to detect a virus?

A. Scanning

B. Integrity checking

C. Virus signature comparison

D. Firewall rules

E. IDS anomaly detection

F. Sniffing


17. What components of a system do viruses infect? (Choose all that apply.)

A. Files

B. System sectors

C. Memory

D. CPU

E. DLL files


18. Which of the following are the best indications of a virus attack? (Choose all that apply.)

A. Any anomalous behavior

B. Unusual program opening or closing

C. Strange pop-up messages

D. Normal system operations as most viruses run in the background


19. A virus that can cause multiple infections is known as what type of virus?

A. Multipartite

B. Stealth

C. Camouflage

D. Multi-infection


20. Which of the following is a way to evade an antivirus program?

A. Write a custom virus script.

B. Write a custom virus signature.

C. Write a custom virus evasion program.

D. Write a custom virus detection program.


Answers to Review Questions


1. B. A wrapper is software used to combine a Trojan and legitimate software into a single executable so that the Trojan is installed during the installation of the other software. After a Trojan has been installed, a system is considered “Trojaned.” A backdoor is a way of accessing a Trojaned system and can be part of the behavior of a Trojan.

2. A. A Trojan infects a system first and usually includes a backdoor for later access. The backdoor is not installed independently but is part of the Trojan. A Trojan is one way a hacker can access a system.

3. C. Tini listens on TCP port 7777 by default. Doom uses port 666.

4. A. The best prevention is to scan the hard drive for known Trojans and backdoors whenever a network connection is made, and to educate users not to install any unknown software. Scanning the hard drive at startup is a good method for detecting a Trojan but will not prevent its installation. User education is an important component of security but will not, on its own, consistently prevent a Trojan attack.

5. B. To remove a Trojan, you should use commercial tools. Many freeware tools downloaded from the Internet contain Trojans or other malware themselves. Rebooting the system alone will not remove a Trojan. Uninstalling and reinstalling applications will not remove it either, because a Trojan embeds itself in the operating system (startup entries, services, system files) rather than in the applications being reinstalled.

6. B. ICMP tunneling carries another protocol's traffic, such as a Trojan's command channel, inside ICMP messages (typically the payload of echo requests and replies), so that it passes firewalls that allow ping. An overt channel sends data via a normal communication path, such as email. Sending or tunneling ICMP within another protocol such as HTTP is not considered ICMP tunneling.
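Added example (not from the original page): building and parsing ICMP echo packets that carry tunneled data, as in question 6, together with a simple check of whether an echo payload looks like the one the standard ping tools send, which is the kind of test a covert-channel detector (question 8) applies. The TUN1 marker, the 0xBEEF identifier and the sample message are assumptions made here; the packets are built as byte strings and never sent, so the code runs offline.

```python
"""Added example: ICMP echo packets as a tunnel for another protocol's data.

Packets are built as byte strings and parsed back; nothing is sent on the wire.
The TUN1 marker and the 0xBEEF identifier are assumptions made for this example.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
TUNNEL_MAGIC = b"TUN1"   # assumed marker so the receiver can tell tunnel packets from real pings


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int, seq: int, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Echo header (type, code, checksum, identifier, sequence) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, identifier, sequence, payload); reject short or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8 bytes")
    if icmp_checksum(packet) != 0:          # a valid packet sums to zero with its checksum in place
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def tunnel_send(message: bytes, chunk_size: int = 32, ident: int = 0xBEEF) -> list:
    """Split a message over echo requests; the sequence number orders the chunks."""
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)]
    return [build_echo(TUNNEL_MAGIC + chunk, ident, seq) for seq, chunk in enumerate(chunks, start=1)]


def tunnel_receive(packets, ident: int = 0xBEEF) -> bytes:
    """Reassemble tunneled data, ignoring echo packets that are not part of the tunnel."""
    parts = {}
    for pkt in packets:
        _type, pkt_ident, seq, payload = parse_echo(pkt)
        if pkt_ident != ident or not payload.startswith(TUNNEL_MAGIC):
            continue                          # an ordinary ping, not ours
        parts[seq] = payload[len(TUNNEL_MAGIC):]
    return b"".join(parts[s] for s in sorted(parts))


def looks_like_standard_ping(payload: bytes) -> bool:
    """Heuristic a detector can apply: does the payload match what common ping tools send?

    iputils ping on Linux sends an 8-byte timestamp followed by the bytes 0x10, 0x11, ...;
    Windows ping sends the 32-byte string 'abcdefghijklmnopqrstuvwabcdefghi'.
    Anything else deserves a closer look (tunnels, exfiltration, custom tools).
    """
    if payload == b"abcdefghijklmnopqrstuvwabcdefghi":
        return True
    if len(payload) < 8:
        return False
    return all(b == (0x10 + i) & 0xFF for i, b in enumerate(payload[8:]))


LINUX_PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x10 + 48))   # constructed 56-byte iputils-style payload


if __name__ == "__main__":
    pkts = tunnel_send(b"uname -a; id", chunk_size=8)
    print(len(pkts), "echo requests carry", tunnel_receive(pkts))
    print("standard ping payload?", looks_like_standard_ping(LINUX_PING_PAYLOAD),
          looks_like_standard_ping(parse_echo(pkts[0])[3]))
```

A firewall that permits ICMP sees only well-formed echo traffic here; the payload check is what separates a tunnel from routine pings, which is why inspecting ICMP payload content and volume (not just allowing or blocking the type) matters.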

7. B. Reverse WWW shell is a connection from a Trojan server component on the compromised system to the Trojan client on the hacker's system, made over HTTP so that it looks like ordinary outbound web browsing to the firewall. Connecting to a website using tunneling or through a firewall is not considered a reverse WWW shell.

8. A. A covert channel is the use of a protocol or communications channel in a nontraditional way. Tunneling software is one way of using a covert channel but does not necessarily define all covert channels. Using a communications channel in the original intended way is considered an overt channel.

9. B. System file verification tracks changes made to system files and ensures that a Trojan has not overwritten a critical system file. System files and backdoors are not located using system file verification. To remove a Trojan, you should use commercial removal tools.
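Added example (not from the original page) of the system file verification in question 9 and the integrity checking of question 16: hash every file under a directory, store the baseline, and later report what was modified, added or removed. The directory tree, file contents and the "Trojan" edits are constructed inside run_demo(); the HMAC key is a placeholder and is an assumption of this example, as is the idea of signing the baseline so that a Trojan which rewrites the baseline to match its changes is also caught.

```python
"""Added example: system file verification by hashing files against a signed baseline.

The directory layout and file contents are constructed inside run_demo(); the HMAC
key is a placeholder and in practice would be kept off the monitored host.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():   # hash contents, not link targets
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so a baseline edited to hide a change is detected."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report files whose contents changed, files that appeared, and files that disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def run_demo(key: bytes = b"placeholder-key-kept-off-host") -> dict:
    """Constructed scenario: take a baseline, let a 'Trojan' touch the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "bin/netstat", b"original netstat binary")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/issue", b"Welcome\n")

        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Simulated Trojan activity: replace netstat to hide its port, drop a backdoor, delete a file.
        _write(root, "bin/netstat", b"trojaned netstat that hides port 7777")
        _write(root, "tmp/backdoor", b"backdoor binary")
        (root / "etc/issue").unlink()
        os.utime(root / "bin/netstat", (0, 0))   # timestamps can be reset by the attacker; hashes cannot

        current = build_baseline(root)
        forged = dict(current)                    # attacker rewrites the baseline to match the new tree

        return {
            "report": compare_baseline(baseline, current),
            "baseline_intact": verify_baseline(baseline, key, tag),
            "forged_baseline_accepted": verify_baseline(forged, key, tag),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two points the exam answer leaves implicit: the comparison is on content hashes, not timestamps or sizes, because a Trojan can restore those; and the baseline must be trusted, which is why it is signed with a key (or stored on read-only or remote media) that the compromised host cannot reach.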

10. A. Reverse WWW shell is an example of a covert channel. Firewalking is enumerating a firewall for firewall rules, allowed traffic, and open ports. Steganography is hiding information in text or graphics. SNMP enumeration is used to identify SNMP MIB settings on networking devices.
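Added example (not from the original page) for questions 7 and 10: a reverse WWW shell polls the attacker's web server for commands on a timer, so from the network it looks like a client that keeps fetching the same page at nearly constant intervals. The code below scores client/server pairs in web proxy logs by the regularity of the gaps between requests. The log lines and their field layout (timestamp, client, server, method, path, status) are constructed for this example and do not correspond to any real proxy format; the thresholds are assumptions.

```python
"""Added example: spotting a reverse WWW shell by its beaconing pattern in web proxy logs.

The log lines below are constructed for this example; the field layout
(timestamp client server method path status) is an assumption, not a real proxy format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls one CGI page about once a minute (the implant);
# 10.0.0.7 browses a news site in the bursty way a person does.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:00:00 10.0.0.7 198.51.100.20 GET /index.html 200
2024-03-01T10:00:03 10.0.0.7 198.51.100.20 GET /style.css 200
2024-03-01T10:00:04 10.0.0.7 198.51.100.20 GET /logo.png 200
2024-03-01T10:01:01 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:01:59 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:03:00 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:04:02 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:04:58 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:05:30 10.0.0.7 198.51.100.20 GET /news/ 200
2024-03-01T10:05:31 10.0.0.7 198.51.100.20 GET /news/1.jpg 200
2024-03-01T10:06:00 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:07:01 10.0.0.5 203.0.113.10 GET /cgi-bin/orders.cgi 200
2024-03-01T10:12:10 10.0.0.7 198.51.100.20 GET /about.html 200
2024-03-01T10:12:12 10.0.0.7 198.51.100.20 GET /contact.html 200
"""


def parse_line(line: str):
    ts, client, server, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, server, method, path, int(status)


def find_beacons(lines, min_hits: int = 6, max_jitter: float = 0.2) -> dict:
    """Flag client/server pairs whose request gaps are nearly constant.

    Human browsing is bursty (many requests, then long pauses); a shell polling
    for commands on a timer produces gaps with a small relative spread.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, server, *_ = parse_line(line)
        stamps_by_pair[(client, server)].append(ts)

    findings = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period        # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings[pair] = {"hits": len(stamps), "period_s": round(period, 1), "jitter": round(jitter, 3)}
    return findings


if __name__ == "__main__":
    for (client, server), info in find_beacons(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"{client} -> {server}: {info['hits']} requests every ~{info['period_s']}s (jitter {info['jitter']})")
```

Implants that randomise their sleep interval push the jitter up, so in practice the threshold is loosened and the score is corroborated with other signs of a command channel: the same URI every time, small and uniform response sizes, and activity outside working hours.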


11. C. A worm can replicate itself automatically, but a virus must attach to another program. Viruses are not always spread via email but can also be attached to other programs or installed directly by tricking the user. Both viruses and worms can infect the boot sector. The programming language is not used to categorize malware as either a virus or a worm.

12. B. A polymorphic virus modifies itself to evade detection. Stealth viruses hide the normal virus characteristics to prevent detection. Multipartite viruses are viruses that create multiple infections or infect multiple files or programs. Armored viruses use encryption to evade detection.

13. A. Melissa is a virus that spreads via Word macros. Slammer and Blaster are worms, not viruses. Sobig spread as a mass-mailing worm rather than through Word macros.

14. C. SQL Slammer is a worm that attacks SQL servers. Melissa affects Word files through the use of macros. There is no such worm as SQL Blaster.

15. C. Armored viruses are encrypted. They are not by nature tunneled and do not change characteristics, as stealth viruses do. Also, armored viruses are not hidden in any other way.

16. A, B, C. Scanning, integrity checking, and virus signature comparison are three ways to detect a virus infection. Firewalls, IDS anomaly detection, and sniffing operate on network traffic rather than on the files and code where a virus lives, so they are not methods of detecting a virus.

17. A, B, E. A virus can infect files, system sectors, and DLL files. Memory and the CPU cannot be infected by viruses. (A memory-resident virus is loaded into RAM while it runs, but the exam treats files, system sectors, and DLLs as the components that are infected.)

18. B, C. Trojans, backdoors, spyware, and other malicious software can cause a system to not act normally. Any indication of programs opening or closing without user intervention, unresponsive programs, unusual error messages, or pop-ups could indicate that some type of malware has infected the system. But not all anomalous behavior can be attributed to a virus.

19. A. A multipartite virus can cause multiple infections. Stealth viruses hide the normal virus characteristics to prevent detection. Camouflage and multi-infection are not categories of viruses.

20. A. A custom virus script can be used to evade detection because a newly written script does not match any existing virus signature.
