CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [53]
A. Scanning
B. Integrity checking
C. Virus signature comparison
D. Firewall rules
E. IDS anomaly detection
F. Sniffing
17. What components of a system do viruses infect?
A. Files
B. System sectors
C. Memory
D. CPU
E. DLL files
18. All anomalous behavior can be attributed to a virus.
A. True
B. False
19. A virus that can cause multiple infections is known as what type of virus?
A. Multipartite
B. Stealth
C. Camouflage
D. Multi-infection
20. A way to evade an antivirus program is to do what?
A. Write a custom virus script.
B. Write a custom virus signature.
C. Write a custom virus evasion program.
D. Write a custom virus detection program.
Answers to Review Questions
1. B. A wrapper is software used to combine a Trojan and legitimate software into a single executable so that the Trojan is installed during the installation of the other software.
2. A. A Trojan infects a system first and usually includes a backdoor for later access.
3. C. Tini uses port 7777 by default.
4. A. The best prevention is to scan the hard drive for known Trojans on network connection and backdoors and to educate users not to install any unknown software.
5. B. To remove a Trojan, you should use commercial tools. Many freeware tools contain Trojans.
6. B. ICMP tunneling involves sending what appear to be ICMP commands but really are Trojan communications.
7. B. Reverse WWW shell is a connection from a Trojan server component on the compromised system to the Trojan client on the hacker's system.
8. A. A covert channel is the use of a protocol or communications channel in a nontraditional way.
9. B. System-file verification tracks changes made to system files and ensures that a Trojan has not overwritten a critical system file.
10. A. Reverse WWW shell is an example of a covert channel.
11. C. A worm can replicate itself automatically but a virus must attach to another program.
12. B. A polymorphic virus modifies itself to evade detection.
13. A. Melissa is a virus that spreads via Word Macros.
14. C. SQL Slammer is a worm that attacks SQL servers.
15. C. Armored viruses are encrypted.
16. A, B, C. Scanning, integrity checking, and virus signature comparison are three ways to detect a virus infection.
17. A, B, E. A virus can affect files, system sectors, and DLL files.
18. False. Not all anomalous behavior can be attributed to a virus.
19. A. A multipartite virus can cause multiple infections.
20. A. A custom virus script can be used to evade detection because the script will not match a virus signature.
Sniffers
CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:
✓ Understand the Protocols Susceptible to Sniffing
✓ Understand Active and Passive Sniffing
✓ Understand ARP Poisoning
✓ Understand Ethereal Capture and Display Filters
✓ Understand MAC Flooding
✓ Understand DNS Spoofing Techniques
✓ Describe Sniffing Countermeasures
A sniffer can be a packet-capturing or frame-capturing tool. It intercepts traffic on the network and displays it in either a command-line or GUI format for a hacker to view. Some sophisticated sniffers interpret the packets and can reassemble the packet stream into the original data, such as an e-mail or a document.
Sniffers are used to capture traffic sent between two systems. Depending on how the sniffer is used and the security measures in place, a hacker can use a sniffer to discover usernames, passwords, and other confidential information transmitted on the network. Several hacking attacks and various hacking tools require the use of a sniffer to obtain important information sent from the target system. This chapter will describe how sniffers work and identify the most common sniffer hacking tools.
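The chapter goes on to explain that a NIC normally passes up only frames addressed to its own MAC and that a sniffer relies on promiscuous mode to see the rest. The Python below is an added example, not code from the guide: it parses Ethernet II headers, models the receive filter for unicast and broadcast frames only (multicast group handling is left out), and shows what a capture tool on the same shared segment sees in each mode; all MAC addresses and frames are constructed for illustration.

```python
"""Added example (not from the CEH guide): model of the NIC receive filter and
what promiscuous mode changes. MAC addresses and frames are constructed."""
import struct

ETHERNET_HEADER = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (without FCS) from its header fields."""
    return ETHERNET_HEADER.pack(dst, src, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a raw frame into its header fields and payload."""
    if len(frame) < ETHERNET_HEADER.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETHERNET_HEADER.unpack_from(frame)
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "payload": frame[ETHERNET_HEADER.size:]}


def nic_accepts(dst: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Receive filter: in normal mode only frames to our own MAC or to the
    broadcast address are passed up (multicast subscriptions are omitted
    here); in promiscuous mode every frame on the segment is passed up."""
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST


def visible_frames(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Return the parsed frames a capture tool running on own_mac would see."""
    return [f for f in map(parse_frame, frames)
            if nic_accepts(f["dst"], own_mac, promiscuous)]


# Constructed traffic on one shared segment (hub or mirrored port), not real captures.
SNIFFER = bytes.fromhex("020000000001")   # host running the capture tool
ALICE = bytes.fromhex("020000000002")
BOB = bytes.fromhex("020000000003")
SEGMENT = [
    build_frame(SNIFFER, ALICE, ETHERTYPE_IPV4, b"reply addressed to the sniffer host"),
    build_frame(BOB, ALICE, ETHERTYPE_IPV4, b"USER alice\r\nPASS constructed-example\r\n"),
    build_frame(BROADCAST, BOB, ETHERTYPE_ARP, b"who-has 10.0.0.2? (constructed)"),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = visible_frames(SEGMENT, SNIFFER, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} of {len(SEGMENT)} frames visible")
```

In normal mode the frame carrying Alice's credentials to Bob never reaches the capture tool; in promiscuous mode all three frames do, which is why the countermeasures later in the chapter focus on switched networks and encryption rather than on the host's own address filter.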
Understand the Protocols Susceptible to Sniffing
Sniffer software works by capturing packets not destined for the system's MAC address but rather for a target's destination MAC address. This is known as promiscuous mode. Normally, a system on the network reads and responds only to traffic sent directly to its MAC address. In promiscuous