Miscellaneous Quiz / DefenseMid2

Can you name the DefenseMid2?

Grammar: what's delta stand for?
Grammar: what's sigma stand for?
in our CS 4630 class, we focus on the phoenix capabilities that relate to:
when a virus can only execute at certain times of the day:
The phoenix provided binary capabilities: (3)
Virus generator kits could be designed to inject different types of ____ into different virus variants
EIR, or ______ IR, is ____
T/F: without single-step debug state changes, a location on the stack will remain unchanged until an instruction changes it, but will be changed by the debugger after every instruc
What does AST stand for?
Grammar: what's F stand for?
in Lex, repeated expressions are marked with (2):
in lex, arbitrary characters are signified by
The Resure Virus is an example of what kind of armored virus technique where the virus writer added some of their own data sections after the code section so the entry point was no
Hooking the two interrupts (INT 1 and INT 3) is an example of what armored virus technique?
T/F scanning a PE file for virus code patterns is not always as simple as using reg expressions, especially when detecting new viruses or new variants. And exploitation of this fact
This virus computes a _____ over the ASCII bytes of the two strings, stores one as a constant and compares the ____ for equality.
This is maintained by many AV programs and is full of checksums and files sizes for various system files; it is often attacked by retroviruses
in x86 debugging, INT 1:
A _______ can attack analysis tools used by AV researchers and can remain dormant until it detects AV SW, then start damaging the system
Grammar: what's Q stand for?
moral of trusting trust piece:
This armored virus anti-disassembly technique makes it so code no longer reveals the API name to a reader and makes the AV researcher step through the ___ computation to figure out
interrupt war (def):
The five categories of armored viruses, corresponding to the five tools they are designed to combat:
A non-deterministic finite automaton is
The encrypted virus consists of two parts:
The EPO techniques we've studied are examples of a ______ technique, as they make it hard for a scanner to detect that control passes to a virus
3 ways virus writers can vary their code patterns:
______ is a background process, from the OS or from an AV package, that prevents certain suspicious behaviors, such as changing the interrupt chain or doing a disk write to an exis
What is a goat?
A tunneling virus defeats the anti-virus monitor by
Grammar: what's P stand for?
EPO stands for:
Many emulators used to only keep track of the integer CPU registers and memory because viruses were not ____ ____ code
an interrupt hooking virus has a ________ in addition to the _____; the latter calls the former
HIR, or ______ IR, are architecture and runtime _____
T/F must make sure the binary compiler knows about this new character sequence; tell it once then you can use this self-referencing definition
This type of virus avoids detection by mutating itself each time it infects a new program; each mutated infection is capable of performing the same tasks as its parents, yet may lo
a _____ eases working with disassembled code (easier to read than hex)
MIR, or ______ IR, are architecture ____ and runtime ______
retroviruses have ________ ______, meaning that they can kill anti-virus processes, remove anti-virus files, etc., just as you could
On PE files, this worm exploited the fact that simpler non-cryptographic checksums, such as CRC, can be defeated by appending a few bytes to an infected file that cause its new CRC
Grammar: what's N stand for?
when a virus can only execute under random conditions that might be controlled by random number generation
T/F Anti-virus software often uses a.k.a sacrificial goats, which are dummy files whose infection will signal the presence of a virus
using a checksum to defeat INT 3 breakpoints is an example of what armored virus technique?
an element (a,b) is generally written as ______ and is called a _____
The Tequila virus is an example of a :
IVT stands for:
instead of trying to find a single sequence of bytes unique to a virus, a scanner can have a collection of _____ specifying patterns at relative distances in the virus body
What is IR (intermediate representation)?
AST (abstract syntax trees) are:
When every code region that is constant across the whole family of viruses is part of the examination, this is called
a file with lots of no-ops and do-nothing instructions as well as clusters of files with sequential numbers in their names are examples of
The process of following the interrupt call chain is called ______, because the virus is trying to locate itself in the system in a place that is beneath the vision of the anti-vir
lex executes the action for the ________ match for the current input
T/F trusting trust talks about the breaking and entering analogy
Grammar: what's S stand for?
This may be used to a) defeat pattern based scanners b) make it difficult to determine what the virus code does and c) hide the virus code
How can a virus follow the call chain? (3)
Lex source code has three sections:
T/F: in terms of evolving scanners, binary scanners were enhanced to allow wildcard specifiers
The IDEA.6155 virus is an example of what type of virus that alters integrity database entries
When you deliberately miscompile source code whenever a particular pattern is matched it's called a ______, whereas if it was unintentionally, it's called a compiler bug
T/F the emulation environment is always able to predict whether the next instruction will cause an exception
EPO techniques are an example of which armored-virus technique
what does HIR stand for?
the ____ _____ looks only in such areas of the virus body, and skips over no-ops and do-nothings
A retrovirus is a computer virus that:
in x86 debugging, INT 3:
T/F a regular expression package or scripting language will permit us to define named patterns so we don't keep typing the no-op pattern over and over
many debuggers set _______ _____ when they are active
An anti-goat virus tries to:
Detecting changes in the state of the stack during single-step mode is an example of what armored virus technique?
T/F: A code emulator, as opposed to a debugger, does not insert breakpoints and is not defeated by the checksum anti-debugging technique
In terms of Language specification, a Grammar is
LIR, or ______ IR, are architecture and runtime _______
T/F polymorphic viruses have specific mutation engines that simulate the process of mutation
This technique is used to detect polymorphic viruses quickly and cost effectively
In terms of obfuscation, _____ ____ _____ tools provide a partial solution to detecting obfuscated viruses
T/F: Phoenix has no virus code analysis but it can be extended by users
T/F phoenix is one of the few compiler tools that can read, change, then write a binary, all using compiler transformations that usually require source code
disabling the keyboard interrupt during virus execution prevents the AV researcher from using a
The _______ worm is an example of the encrypted data anti-disassembly technique
Non-deterministic Finite State Automata (strat)
This armored virus anti-disassembly technique uses a compression alg and decompresses during execution by a decompression code at the beginning of the virus; slows down examination
The 5 forms/states of IR are:
who developed phoenix, the compiler system?
When time and logic bombs (this type of armored virus technique) are executed in an emulator, the virus will probably be dormant and cannot be analyzed by the emulator
Main topic of trusting trust:
T/F entry point scanning led to the virus writers' use of the encrypted virus
compiling in phoenix produces and needs both a .____ and a .____ file
phoenix was written in
What does IR stand for
When dealing with hooking viruses, you want to find and remove the _______ code immediately before removing the handler
dynamic code length is an example of what armored virus technique
this is a technique based on the observation that certain sections of the virus body made no references to data constants that might change, had no jump or call offsets that would
What does GD stand for
Detecting the interrupt hooking virus: if a virus has hooked the interrupt, the anti-virus monitor code
regex stands for
viruses can scan _____ for debugger code
T/F computer retroviruses directly attack anti-virus software in an effort to make themselves immune
A GD scanner is comprised of a:
2 important properties of self-replicating programs:
disassemblers, debuggers, emulators, heuristic analyzers, goat files: this type of virus tries to make these tools ineffective or difficult to use
the mutation engine of a polymorphic virus generates a new ____ ____ each time it infects a new program
Grammar: what's q_0 stand for?
if two rules in lex match the same input, you should prefer the rule that
When a virus exploits the fact that the emulation environment is not always able to predict an exception by putting part of their code in exception handlers and then causing very s
5 techniques that make disassembly difficult:
Linux/Unix: end of line for ASCII is
Time and logic bombs are examples of what armored virus technique
Phoenix is heavily dependent on ______ symbols in order to produce readable LIR
A finite state automaton (FSA) is deterministic if: (2)
what does .pdb stand for
this is when you have very few false positives or false negatives
T/F: Scanning executable files to detect virus code became necessary early in the ongoing battle between virus and AV SW designers
The anti-disassembly technique of encrypted data ____ ____ the AV SW engineer because they will need to emulate code, write a decryption utility program and paste data into it
Grammar: what's Sigma stand for (Ndfa)?
windows: end of line for ASCII is
Appending virus code by placing the beginning of the virus in the stack area at the end of the host program code section, with a jump to the appended virus code at the end is an ex
instead of hex code patterns, some of the bookmarks could specify checksums or hash function over certain regions of the virus body, which leads to very few false positives or fals
T/F the first antivirus programs were glorified string searching programs
Code with roundabout computations, computed jump addresses as opposed to direct jumps, etc are examples of the ______ anti-disassembler technique of armored viruses
This type of virus is designed to thwart attempts by analysts to examine its code by using various methods to make tracing, disassembling and reverse engineering more difficult; c
What does ECM stand for
Anti-disassembly armored viruses make up the _____ category of techniques that make disassembly difficult
The fix2001 worm:
