PrepAway - Latest Free Exam Questions & Answers

Which of the following has MOST likely been installed o…

During a server audit, a security administrator does not notice abnormal activity. However, a network security analyst notices connections to unauthorized ports from outside the corporate network. Using specialized tools, the network security analyst also notices hidden processes running. Which of the following has MOST likely been installed on the server?


A. SPIM

B. Backdoor

C. Logic bomb

D. Rootkit

Explanation:
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a “backdoor” into the system for the hacker’s use; alter log files; attack other machines on the network; and alter existing system tools to escape detection. The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.
Incorrect Answers:
A: SPIM is a term sometimes used to refer to spam over IM (Instant Messaging). It’s also called just spam, instant spam, or IM marketing. No matter what the name, it consists of unwanted messages transmitted through some form of instant messaging service, which can include Short Message Service (SMS). SPIM is not what is described in this question. Therefore, this answer is incorrect.
B: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor is not what is described in this question. Therefore, this answer is incorrect.
C: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fool’s Day. Trojans that activate on certain dates are often called “time bombs”. To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs. A logic bomb is not what is described in this question. Therefore, this answer is incorrect.

http://searchmidmarketsecurity.techtarget.com/definition/rootkit
http://en.wikipedia.org/wiki/Logic_bomb

