Miscellaneous Quiz / DefenseMid2

Random Miscellaneous Quiz

Can you name the DefenseMid2?

 Plays Quiz not verified by Sporcle

Forced Order
Score 0/128 Timer 10:00
interrupt war (def):
When a virus exploits the fact that the emulation environment is not always able to predict an exception by putting part of their code in exception handlers and then causing very s
Grammar: what's N stand for?
windows: end of line for ASCII is
This type of virus avoids detection by mutating itself each time it infects a new program; each mutated infection is capable of performing the same tasks as its parents, yet may lo
This armored virus anti-disassembly technique makes it so code no longer reveals the API name to a reader and makes the AV researcher step through the ___ computation to figure out
The _______ worm is an example of the encrypted data anti-disassembly technique
Grammar: what's delta stand for?
if two rules in lex match the same input, you should prefer the rul that
what does HIR stand for?
When every code region that is constant acress the whole family of viruses is part of the examination, this is called
disabling the keyboard interrupt during virus execution prevents the AV researcher from using a
Appending virus code by placing the beginning of the virus in the stack area at the end of the host program code section, with a jump to the appended virus code at the end is an ex
Many emulators used to only keep track of the integer CPU registers and memory because viruses were not ____ ____ code
a _____ eases working with disassembled code (easier to read than hex)
T/F computer retroviruses directly attack anti-virus software in an effort to make themselves immune
Lex source code has three sections:
The encrypted virus consists of two parts:
who developed phoenix, the compiler system?
T/F trusting trust talks about the breaking and entering analogy
Detecting changes in the state of the stack during single-step mode is an example of what armored virus technique?
an element (a,b) is generally written as ______ and is called a _____
T/F entry point scanning led to the virus writers' use of the encrypted virus
the ____ _____ looks only in such areas of the virus body, and skips over no-ops and do-nothings
in x86 debugging, INT 3:
Grammar: what's S stand for?
What does ASTs stand for?
HIR, or ______ IR, are architecture and runtime _____
T/F polymorphic viruses have specific mutation engines that simulate the process of mutation
Grammar: what's P stand for?
The process of following the interrupt call chain is called ______, because the virus is trying to locate itself in the system in a place that is beneath the vision of the anti-vir
when a virus can only execute at certain times of the day:
in our CS 4630 class, we focus on the phoenix capabilities that relate to:
Grammar: what's Q stand for?
When time and logic bombs (this type of armored virus technique) are executed in an emulator, the virus will probably be dormant and cannot be analyzed by the emulator
The fix2001 worm:
Main topic of trusting trust:
A finite state automaton (FSA) is deterministic if: (2)
T/F: Scanning executable files to detect virus code became necessary early in the ongoing battle between virus and AV SW designers
AST (abstract syntax trees) are:
T/F Anti-virus software often uses a.k.a sacrificial goats, which are dummy files whose infection will signal the presence of a virus
Detecting the interrupt hooking virus: if a virus has hooked the interrupt, the anti-virus monitor code
many debuggers set _______ _____ when they are active
MIR, or ______ IR, are architecture ____ and runtime ______
Grammar: what's q_0 stand for?
What does ECM stand for
what does .pdb stand for
The EPO techniques we've studied are examples of a ______ technique, as they make it hard for a scanner to detect that control passes to a virus
LIR, or ______ IR, are architecture and runtime _______
On PE files, This worm exploited the fact that simpler non-cryptographic checksums, such as CRC, can be defeated by appending a few byes to an infected file that cause its new CRC
An anti-goat virus tries to:
when a virus can only execute under random conditions that might be controlled by random number generation
Linux/Unix: end of line for ASCII is
IVT stands for:
dynamic code length is an example of what armored virus technique
A retrovirus is a computer virus that:
compiling in phoenix produces and needs both a .____ and a .____ file
When dealing with hooking viruses, you want to find and remove the _______ code immediately before removing the handler
Non-deterministic Finite State Automata (strat)
the mutation engine of a polymorphic virus generates a new ____ ____ each time it infects a new program
What does IR stand for
instead of hex code patterns, some of the bookmarks could specify checksums or hash function over certain regions of the virus body, which leads to very few false positives or fals
lex executes the action for the ________ match for the current input
retroviruses have ________ ______, meaning that it can kill anti-virus processes, remove anti-virus files, etc., just as you could
How can a virus follow the call chain? (3)
this is a technique based on the observation that certain sections of the virus body made no references to data constants that might change, had no jump or call offsets that would
In terms of Language specification, a Grammar is
This armored virus anti-disassembly technique uses a compression alg and decompresses during execution by a decompression code at the beginning of the virus; slows down examination
T/F must make sure the binary compiler knows about this new character sequence; tell it once tehn you can use this self-referencing definition
3 ways virus writers can vary their code patterns:
The five categories of armored viruses, corresponding to the five tools they are designed to combat:
viruses can scan _____ for debugger code
5 techniques that make disassembly difficult:
Virus generator kits could be designed to inject different types of ____ into different virus variants
Time and logic bombs are examples of what armored virus technique
The phoenix provided binary capabilities: (3)
The Tequila virus is an example of a :
T/F the emulation environment is always able to predict whether the next instruction will cause an exception
This technique is used to detect polymorphic viruses quickly and cost effectively
regex stands for
The 5 forms/states of IR are:
T/F phoenix is one of the few compiler tools that can read, change, then write a binary, all using compiler transformations that usually require source code
this is when you have very few false positives or false negatives
instead of trying to find a single sequence of bytes unique to a virus, a scanner can have a collection of _____ specifying patterns at relative distances in the virus body
Grammar: what's Sigma stand for (Ndfa)?
This may be used to a) defeat pattern based scanners b) make it difficult to determine what the virus code does and c) hide the virus code
A GD scanner is comprised of a:
What is IR (intermediate representation)?
EIR, or ______ IR, is ____
an interrupt hooking virus has a ________ in addition to the _____; the latter calls the former
Grammar: what's sigma stand for?
What is a goat?
What does GD stand for
T/F: without single-step debug state changes, a location on the stack will remain unchanged until an instruction changes it, but will be changed by the debugger after every instruc
diassemblers, debuggers, emulators, heuristic analyzers, goat files: this type of virus tries to make these tools ineffective or difficult to use
The Resure Virus is an example of what kind of armored virus technique where the virus writer added some of their own data sections after the code section so the entry point was no
a file with lots of no-ops and do-nothing instructions as well as clusters of files with sequential numbers in their names are examples of
T/F scanning a PE file for virus code patterns is not always as simple as using reg expressions, especially when detecting new virus or new variants. And exploitation of this fact
in lex, arbitrary characters are signified by
EPO techniques are an example of which armored-virus technique
Code with roundabout computations, computed jump addresses as opposed to direct jumps, etc are examples of the ______ anti-disassembler technique of armored viruses
T/F the first antivirus programs were glorified string searching programs
moral of trusting trust piece:
T/F: Phoenix has no virus code analysis but it can be extended by users
phoenix was written in
A non deterministic finite automaton is
In terms of obfuscation, _____ ____ _____ tools provide a partial solution to detecting obfuscated viruses
______ is a background process, from the OS or from an AV package, that prevents certain suspicious behaviors, such as changing the interrupt chain or doing a disk write to an exis
Hooking the two interrupts (INT 1 and INT 3) is an example of what armored virus technique?
in Lex, repeated expressions are marked with (2):
in x86 debugging, INT 1:
This type of virus designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and reverse engineering more difficult; c
2 important properties of self-replicating programs:
A _______ can attack analysis tools used by AV researches and can remain dormant until it detects AV SW, then start damaging the system
using a checksum to defeat INT 3 breakpoints is an example of what armored virus technique?
The IDEA.6155 virus is an example of what type of virus that alters integrity database entries
T/F: A code emulator, as opposed to a debugger, does not insert breakpoints and is not defeated by the checksum anti-debugging technique
T/F a regular expression package or scripting language will permit us to define named patterns so we don't keep typing the no-op pattern over and over
When you deliberately miscompile source code whenever a particular pattern is matched it's called a ______, whereas if it was unintentionally, it's called a compiler bug
This virus computes a _____ over the ASCII bytes of the two strings, stores one as a constant and compares the ____ for equality.
The anti-disassembly technique of encrypted data ____ ____ the AV SW engineer because they will need to emulate code, write a decryption utility program and paste data into it
A tunneling virus defeats the anti-virus monitor by
Anti-disassembly armored viruses make up the _____ category of techniques that make disassembly difficult
Phoenix is heavily dependent on ______ symbols in order to produce readable LIR
T/F: in terms of evolving scanners, binary scanners were enhance to allow wildcard specifiers
This is maintained by many AV programs and is full of checksums and files sizes for various system files; it is often attacked by retroviruses
EPO stands for:
Grammar: what's F stand for?

You're not logged in!

Compare scores with friends on all Sporcle quizzes.
Join for Free
Log In

You Might Also Like...

Show Comments


Created Apr 5, 2011ReportFavoriteNominate

Top Quizzes Today

Score Distribution

Your Account Isn't Verified!

In order to create a playlist on Sporcle, you need to verify the email address you used during registration. Go to your Sporcle Settings to finish the process.

Report this User

Report this user for behavior that violates our Community Guidelines.