nerdexam
EC-Council

312-50V13 · Question #616

A multinational corporation's computer system was infiltrated by an advanced persistent threat (APT). During forensic analysis, it was discovered that the malware was utilizing a blend of two highly s

The correct answer is D. Metamorphic and Rootkit malware. The malware described, which embeds harmful code into genuine system files and changes its code as it propagates, aligns with the characteristics of metamorphic malware and a rootkit.

Submitted by parkjh· Mar 6, 2026Malware Threats

Question

A multinational corporation's computer system was infiltrated by an advanced persistent threat (APT). During forensic analysis, it was discovered that the malware was utilizing a blend of two highly sophisticated techniques to stay undetected and continue its operations. Firstly, the malware was embedding its harmful code into the actual binary or executable part of genuine system files rather than appending or prepending itself to the files. This made it exceptionally difficult to detect and eradicate, as doing so risked damaging the system files themselves. Secondly, the malware exhibited characteristics of a type of malware that changes its code as it propagates, making signature-based detection approaches nearly impossible. On top of these, the malware maintained a persistent presence by installing itself in the registry, making it able to survive system reboots. Given these distinctive characteristics, which two types of malware techniques does this malware most closely embody?

Options

  • APolymorphic and Metamorphic malware
  • BPolymorphic and Macro malware
  • CMacro and Rootkit malware
  • DMetamorphic and Rootkit malware

How the community answered

(26 responses)
  • A
    12% (3)
  • B
    4% (1)
  • C
    19% (5)
  • D
    65% (17)

Why each option

The malware described, which embeds harmful code into genuine system files and changes its code as it propagates, aligns with the characteristics of metamorphic malware and a rootkit.

APolymorphic and Metamorphic malware

Polymorphic malware changes its code while retaining the original algorithm, often by encrypting parts of itself with different keys, but it doesn't typically rewrite its entire code or use a mutation engine like metamorphic malware.

BPolymorphic and Macro malware

Macro malware relies on macros within documents (e.g., Office files) to execute, which does not match the description of embedding into system binaries or changing code propagation.

CMacro and Rootkit malware

Macro malware is incorrect as it does not typically embed into system files in the manner described, nor does it inherently change its code as it propagates in a metamorphic fashion.

DMetamorphic and Rootkit malwareCorrect

The description of "embedding its harmful code into the actual binary or executable part of genuine system files" strongly indicates a rootkit, which aims to gain persistent and stealthy control by hiding its presence within the operating system. The characteristic of "changes its code as it propagates, making signature-based detection approaches nearly impossible" directly defines metamorphic malware, which rewrites its own code for each infection, often using a "mutation engine," to create functionally identical but syntactically different variants.

Concept tested: Metamorphic malware and Rootkit characteristics

Source: https://www.microsoft.com/en-us/security/business/security-101/what-is-polymorphic-malware

Topics

#malware types#metamorphic malware#rootkit#evasion techniques

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice