PrepAway - Latest Free Exam Questions & Answers

Which of the following has MOST likely been installed on the server?

During a server audit, a security administrator does not notice abnormal activity. However, a network
security analyst notices connections to unauthorized ports from outside the corporate network. Using
specialized tools, the network security analyst also notices hidden processes running. Which of the
following has MOST likely been installed on the server?

A. SPIM
B. Backdoor
C. Logic bomb
D. Rootkit

Explanation:
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or
computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level
access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it
allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly,
other machines on the network.
A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a
“backdoor” into the system for the hacker’s use; alter log files; attack other machines on the network;
and alter existing system tools to escape detection.
The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and
Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits
are available for a number of operating systems, including Windows, and are increasingly difficult to
detect on any network.
Incorrect Answers:
A: SPIM is a term sometimes used to refer to spam over IM (Instant Messaging). It’s also called just spam,
instant spam, or IM marketing. No matter what the name, it consists of unwanted messages transmitted
through some form of instant messaging service, which can include Short Message Service (SMS). SPIM is
not what is described in this question.
B: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal
authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so
on, while attempting to remain undetected. The backdoor may take the form of an installed program
(e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor is not what is described in
this question.
C: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious
function when specified conditions are met. For example, a programmer may hide a piece of code that
starts deleting files should they ever be terminated from the company.
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute
a certain payload at a pre-defined time or when some other condition is met. This technique can be used
by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host
systems on specific dates, such as Friday the 13th or April Fool’s Day. Trojans that activate on certain
dates are often called “time bombs”.
To be considered a logic bomb, the payload should be unwanted and unknown to the user of the
software. As an example, trial programs with code that disables certain functionality after a set time are
not normally regarded as logic bombs. A logic bomb is not what is described in this question.

http://searchmidmarketsecurity.techtarget.com/definition/rootkit
http://en.wikipedia.org/wiki/Logic_bomb

