Miscellaneous Quiz / DefenseMid2

Random Miscellaneous Quiz

Can you name the DefenseMid2?

Quiz not verified by Sporcle

Forced Order
Challenge
Share
Tweet
Embed
Score 0/128 Timer 10:00
Hints
in x86 debugging, INT 3:
Time and logic bombs are examples of what armored virus technique
instead of trying to find a single sequence of bytes unique to a virus, a scanner can have a collection of _____ specifying patterns at relative distances in the virus body
This technique is used to detect polymorphic viruses quickly and cost effectively
What does ASTs stand for?
When a virus exploits the fact that the emulation environment is not always able to predict an exception by putting part of their code in exception handlers and then causing very s
What is a goat?
______ is a background process, from the OS or from an AV package, that prevents certain suspicious behaviors, such as changing the interrupt chain or doing a disk write to an exis
Non-deterministic Finite State Automata (strat)
What does GD stand for
lex executes the action for the ________ match for the current input
This is maintained by many AV programs and is full of checksums and files sizes for various system files; it is often attacked by retroviruses
T/F entry point scanning led to the virus writers' use of the encrypted virus
This armored virus anti-disassembly technique uses a compression alg and decompresses during execution by a decompression code at the beginning of the virus; slows down examination
retroviruses have ________ ______, meaning that it can kill anti-virus processes, remove anti-virus files, etc., just as you could
disabling the keyboard interrupt during virus execution prevents the AV researcher from using a
Grammar: what's P stand for?
when a virus can only execute at certain times of the day:
T/F scanning a PE file for virus code patterns is not always as simple as using reg expressions, especially when detecting new virus or new variants. And exploitation of this fact
in lex, arbitrary characters are signified by
The Tequila virus is an example of a :
T/F: A code emulator, as opposed to a debugger, does not insert breakpoints and is not defeated by the checksum anti-debugging technique
A tunneling virus defeats the anti-virus monitor by
The phoenix provided binary capabilities: (3)
The IDEA.6155 virus is an example of what type of virus that alters integrity database entries
A GD scanner is comprised of a:
Main topic of trusting trust:
What is IR (intermediate representation)?
A _______ can attack analysis tools used by AV researches and can remain dormant until it detects AV SW, then start damaging the system
an element (a,b) is generally written as ______ and is called a _____
T/F the first antivirus programs were glorified string searching programs
EIR, or ______ IR, is ____
Linux/Unix: end of line for ASCII is
Grammar: what's Sigma stand for (Ndfa)?
This armored virus anti-disassembly technique makes it so code no longer reveals the API name to a reader and makes the AV researcher step through the ___ computation to figure out
EPO techniques are an example of which armored-virus technique
3 ways virus writers can vary their code patterns:
This may be used to a) defeat pattern based scanners b) make it difficult to determine what the virus code does and c) hide the virus code
T/F a regular expression package or scripting language will permit us to define named patterns so we don't keep typing the no-op pattern over and over
HIR, or ______ IR, are architecture and runtime _____
What does ECM stand for
When dealing with hooking viruses, you want to find and remove the _______ code immediately before removing the handler
windows: end of line for ASCII is
Hints
AST (abstract syntax trees) are:
using a checksum to defeat INT 3 breakpoints is an example of what armored virus technique?
On PE files, This worm exploited the fact that simpler non-cryptographic checksums, such as CRC, can be defeated by appending a few byes to an infected file that cause its new CRC
phoenix was written in
if two rules in lex match the same input, you should prefer the rul that
a _____ eases working with disassembled code (easier to read than hex)
In terms of Language specification, a Grammar is
an interrupt hooking virus has a ________ in addition to the _____; the latter calls the former
The EPO techniques we've studied are examples of a ______ technique, as they make it hard for a scanner to detect that control passes to a virus
In terms of obfuscation, _____ ____ _____ tools provide a partial solution to detecting obfuscated viruses
How can a virus follow the call chain? (3)
the ____ _____ looks only in such areas of the virus body, and skips over no-ops and do-nothings
Virus generator kits could be designed to inject different types of ____ into different virus variants
Grammar: what's delta stand for?
Lex source code has three sections:
The five categories of armored viruses, corresponding to the five tools they are designed to combat:
T/F: in terms of evolving scanners, binary scanners were enhance to allow wildcard specifiers
T/F must make sure the binary compiler knows about this new character sequence; tell it once tehn you can use this self-referencing definition
Code with roundabout computations, computed jump addresses as opposed to direct jumps, etc are examples of the ______ anti-disassembler technique of armored viruses
dynamic code length is an example of what armored virus technique
diassemblers, debuggers, emulators, heuristic analyzers, goat files: this type of virus tries to make these tools ineffective or difficult to use
Grammar: what's N stand for?
A finite state automaton (FSA) is deterministic if: (2)
T/F computer retroviruses directly attack anti-virus software in an effort to make themselves immune
T/F polymorphic viruses have specific mutation engines that simulate the process of mutation
instead of hex code patterns, some of the bookmarks could specify checksums or hash function over certain regions of the virus body, which leads to very few false positives or fals
Grammar: what's sigma stand for?
This type of virus designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and reverse engineering more difficult; c
Detecting changes in the state of the stack during single-step mode is an example of what armored virus technique?
the mutation engine of a polymorphic virus generates a new ____ ____ each time it infects a new program
When you deliberately miscompile source code whenever a particular pattern is matched it's called a ______, whereas if it was unintentionally, it's called a compiler bug
in Lex, repeated expressions are marked with (2):
The Resure Virus is an example of what kind of armored virus technique where the virus writer added some of their own data sections after the code section so the entry point was no
5 techniques that make disassembly difficult:
Phoenix is heavily dependent on ______ symbols in order to produce readable LIR
2 important properties of self-replicating programs:
T/F the emulation environment is always able to predict whether the next instruction will cause an exception
The anti-disassembly technique of encrypted data ____ ____ the AV SW engineer because they will need to emulate code, write a decryption utility program and paste data into it
Grammar: what's Q stand for?
Detecting the interrupt hooking virus: if a virus has hooked the interrupt, the anti-virus monitor code
The 5 forms/states of IR are:
The _______ worm is an example of the encrypted data anti-disassembly technique
T/F phoenix is one of the few compiler tools that can read, change, then write a binary, all using compiler transformations that usually require source code
Hints
who developed phoenix, the compiler system?
this is when you have very few false positives or false negatives
When time and logic bombs (this type of armored virus technique) are executed in an emulator, the virus will probably be dormant and cannot be analyzed by the emulator
An anti-goat virus tries to:
in x86 debugging, INT 1:
Hooking the two interrupts (INT 1 and INT 3) is an example of what armored virus technique?
Appending virus code by placing the beginning of the virus in the stack area at the end of the host program code section, with a jump to the appended virus code at the end is an ex
MIR, or ______ IR, are architecture ____ and runtime ______
When every code region that is constant acress the whole family of viruses is part of the examination, this is called
This virus computes a _____ over the ASCII bytes of the two strings, stores one as a constant and compares the ____ for equality.
many debuggers set _______ _____ when they are active
What does IR stand for
regex stands for
T/F: without single-step debug state changes, a location on the stack will remain unchanged until an instruction changes it, but will be changed by the debugger after every instruc
The encrypted virus consists of two parts:
in our CS 4630 class, we focus on the phoenix capabilities that relate to:
Many emulators used to only keep track of the integer CPU registers and memory because viruses were not ____ ____ code
Anti-disassembly armored viruses make up the _____ category of techniques that make disassembly difficult
moral of trusting trust piece:
T/F Anti-virus software often uses a.k.a sacrificial goats, which are dummy files whose infection will signal the presence of a virus
this is a technique based on the observation that certain sections of the virus body made no references to data constants that might change, had no jump or call offsets that would
a file with lots of no-ops and do-nothing instructions as well as clusters of files with sequential numbers in their names are examples of
A retrovirus is a computer virus that:
This type of virus avoids detection by mutating itself each time it infects a new program; each mutated infection is capable of performing the same tasks as its parents, yet may lo
interrupt war (def):
compiling in phoenix produces and needs both a .____ and a .____ file
The fix2001 worm:
A non deterministic finite automaton is
Grammar: what's q_0 stand for?
when a virus can only execute under random conditions that might be controlled by random number generation
viruses can scan _____ for debugger code
what does .pdb stand for
The process of following the interrupt call chain is called ______, because the virus is trying to locate itself in the system in a place that is beneath the vision of the anti-vir
T/F: Phoenix has no virus code analysis but it can be extended by users
Grammar: what's F stand for?
IVT stands for:
T/F trusting trust talks about the breaking and entering analogy
LIR, or ______ IR, are architecture and runtime _______
EPO stands for:
what does HIR stand for?
T/F: Scanning executable files to detect virus code became necessary early in the ongoing battle between virus and AV SW designers
Grammar: what's S stand for?

You're not logged in!

Compare scores with friends on all Sporcle quizzes.
Sign Up with Email
OR
Log In

You Might Also Like...

Show Comments

Extras

Top Quizzes Today


Score Distribution

Your Account Isn't Verified!

In order to create a playlist on Sporcle, you need to verify the email address you used during registration. Go to your Sporcle Settings to finish the process.