- (Topic 23)
Lyle is a systems security analyst for Gusteffson & Sons, a large law firm in Beverly Hills. Lyle's responsibilities include network vulnerability scans, Antivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a user in the Accounting department. This user reports that his computer is running very slow all day long and it sometimes gives him an error message that the hard drive is almost full. Lyle runs a scan on the computer with the company antivirus software and finds nothing. Lyle downloads another free antivirus application and scans the computer again. This time a virus is found on the computer. The infected files appear to be Microsoft Office files since they are in the same directory as that software. Lyle does some research and finds that this virus disguises itself as a genuine application on a computer to hide from antivirus software. What type of virus has Lyle found on this computer?

1. A. This type of virus that Lyle has found is called a cavity virus.
2. B. Lyle has discovered a camouflage virus on the computer.
3. C. By using the free antivirus software, Lyle has found a tunneling virus on the computer.
4. D. Lyle has found a polymorphic virus on this computer

Correct Answer: C

- (Topic 23)
File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

1. A. Use disable-eXchange
2. B. Use mod_negotiation
3. C. Use Stop_Files
4. D. Use Lib_exchanges

Correct Answer: B

- (Topic 23)
BankerFox is a Trojan that is designed to steal users' banking data related to certain banking entities.
When they access any website of the affected banks through the vulnerable Firefox 3.5 browser, the Trojan is activated and logs the information entered by the user. All the information entered in that website will be logged by the Trojan and transmitted to the attacker's machine using covert channel.
BankerFox does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer.

What is the most efficient way an attacker located in remote location to infect this banking Trojan on a victim's machine?

1. A. Physical access - the attacker can simply copy a Trojan horse to a victim's hard disk infecting the machine via Firefox add-on extensions
2. B. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer
3. C. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer
4. D. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer
5. E. Downloading software from a website? An attacker can offer free software, such as shareware programs and pirated mp3 files

Correct Answer: E

- (Topic 7)
Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

1. A. Snort
2. B. argus
3. C. TCPflow
4. D. Tcpdump

Correct Answer: C
Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

- (Topic 23)
You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.
Here is the captured data in tcpdump.

What are the next sequence and acknowledgement numbers that the router will send to the victim machine?

1. A. Sequence number: 82980070 Acknowledgement number: 17768885A.
2. B. Sequence number: 17768729 Acknowledgement number: 82980070B.
3. C. Sequence number: 87000070 Acknowledgement number: 85320085C.
4. D. Sequence number: 82980010 Acknowledgement number: 17768885D.

Correct Answer: A