nerdexam
GIAC

GCIH · Question #522

A user opened a PDF he downloaded from the web, that contained a URL to an executable called FreeCoupons.exe. The user downloaded and ran FreeCoupons.exe, and now that file is on the C:\ partition of

The correct answer is D. A worm that spreads through RDP. The most likely classification of this malware is a worm spreading through RDP. The failed logons in Event Viewer indicate attempts by the malware to spread through RDP. Since there was no human interaction to advance the malware beyond the initial execution of the file, this qua

Malware Analysis & Advanced Persistent Threats

Question

A user opened a PDF he downloaded from the web, that contained a URL to an executable called FreeCoupons.exe. The user downloaded and ran FreeCoupons.exe, and now that file is on the C:\ partition of 20% of the company's Windows servers. Additionally, there are a large number of failed logon attempts on the Event Viewer of each server, with little time between each failed logon, and common user IDs associated with each attempt. Based on this behavior, what is the most likely classification of the malware?

Options

  • AA virus that spreads through SQL injection
  • BA macro virus that spreads through infected PDFs
  • CA social engineering attempt that spreads through email
  • DA worm that spreads through RDP

How the community answered

(46 responses)
  • A
    22% (10)
  • B
    4% (2)
  • C
    9% (4)
  • D
    65% (30)

Explanation

The most likely classification of this malware is a worm spreading through RDP. The failed logons in Event Viewer indicate attempts by the malware to spread through RDP. Since there was no human interaction to advance the malware beyond the initial execution of the file, this qualifies as a worm. Since failed logons occur on each server, this is not a multi-exploit worm. Additionally, the PDF and social engineering are both vectors to download the initial malware, but is not how it spreads. Based on the behavior, this malware is not a virus, and has nothing to do with SQL

Topics

#malware classification#worm propagation#RDP brute force#social engineering

Community Discussion

No community discussion yet for this question.

Full GCIH Practice