Mid test
IAM302
Student name: Lê Đức Khiêm
Student ID: DE170044
Explain in your words
Q1. What are differences between worm and virus?
Ans:
A virus is malware that attaches itself to another program; when that program is executed, the
virus replicates itself by modifying other computer programs and infecting them with its own
bits of code.
A worm is like a virus, but the difference is that worms can spread across a network on their
own, whereas viruses need some sort of action from a user in order to initiate the
infection.
Q2. Why are rootkits dangerous?
Ans:
A rootkit is dangerous because it hides the existence of itself and of additional malware from
the user, which makes it extremely hard to locate. A rootkit can manipulate processes,
for example hiding its IP in an IP scan, so that a user may never know that they have a direct
socket to a botnet or another remote computer. Therefore, detecting a rootkit on the machine
is very difficult. Besides, a rootkit provides the attacker with administrator privileges on the
infected system, also known as “root” access.
Q3. How to explore Process Memory and resources?
Ans:
On Windows, to explore process memory and resources on a computer, we can use Task
Manager to view the processes and the memory and power use of each process. If we
want a more advanced tool to explore processes, we can use Process Monitor, a tool
from Windows Sysinternals. This tool gives a detailed look at the events triggered by specific
processes.
On a Linux machine, we can use the ‘ps’ command to view the processes on the computer. The ‘ps’
command also comes with various options to select and view specific results.
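As an added example (not part of this answer sheet), the script below parses the columns that ‘ps -eo pid,ppid,rss,vsz,comm’ prints on Linux (procps), ranks processes by resident memory and walks the parent/child relationship, which is what an analyst typically does first when looking for a process that is using more memory than it should. The sample output is constructed, and the live call to ps is only used when the command exists.

```python
"""Summarise per-process memory from `ps` output (added example, not from the test sheet).

Assumes GNU/Linux procps `ps -eo pid,ppid,rss,vsz,comm`; RSS and VSZ are reported in KiB.
"""
import shutil
import subprocess

# Constructed sample of `ps -eo pid,ppid,rss,vsz,comm` output (not a real capture).
SAMPLE_PS_OUTPUT = """\
    PID    PPID   RSS    VSZ COMMAND
      1       0  9876 167632 systemd
    812       1 41220 280512 sshd
   2031     812  5120  18944 bash
   2777    2031 212416 1048576 python3
   3102       1  1024   8192 cron
"""


def parse_ps(text):
    """Turn ps column output into a list of dicts; COMMAND may contain spaces, so split at most 4 times."""
    lines = text.strip().splitlines()
    records = []
    for line in lines[1:]:  # skip the header row
        pid, ppid, rss, vsz, comm = line.split(None, 4)
        records.append({"pid": int(pid), "ppid": int(ppid),
                        "rss_kib": int(rss), "vsz_kib": int(vsz), "comm": comm})
    return records


def top_by_rss(records, n=3):
    """Largest resident-memory consumers, as (comm, pid, rss_kib) tuples."""
    ranked = sorted(records, key=lambda r: r["rss_kib"], reverse=True)
    return [(r["comm"], r["pid"], r["rss_kib"]) for r in ranked[:n]]


def children_of(records, pid):
    """Process-tree lookup: the pids whose parent is the given pid."""
    return [r["pid"] for r in records if r["ppid"] == pid]


def live_ps():
    """Run the real ps when it is available; otherwise fall back to the constructed sample."""
    if shutil.which("ps"):
        try:
            return subprocess.run(["ps", "-eo", "pid,ppid,rss,vsz,comm"],
                                  capture_output=True, text=True, check=True).stdout
        except (subprocess.CalledProcessError, OSError):
            pass
    return SAMPLE_PS_OUTPUT


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS_OUTPUT)
    for comm, pid, rss in top_by_rss(procs):
        print(f"{comm:<10} pid={pid:<6} rss={rss / 1024:.1f} MiB")
    print("children of pid 1:", children_of(procs, 1))
```

Replace SAMPLE_PS_OUTPUT with live_ps() in the main block to run it against the current machine; the parent/child view is the quick way to spot a process whose parent does not make sense for it.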
Q4. How to isolate Encrypted Data in Packet Captures?
Ans:
To isolate encrypted data while capturing packets, we can use filters in the capture tool.
Depending on the protocols in use, we can isolate the encrypted packets. For example, when
using Wireshark, all ‘https’ packets are encrypted and there is no way we can read them
unless we have the cert key, but we can use a filter to capture only the ‘http’ packets,
which are not encrypted, and isolate all ‘https’ packets.
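The following is an added example, not code from the answer sheet, showing what a protocol filter actually does underneath a tool like Wireshark. It builds a small libpcap file from constructed packets (HTTP on port 80, TLS on port 443 and TLS on a non-standard port 8443), decodes the Ethernet/IPv4/TCP headers with the standard library only, and splits the packets into encrypted and plaintext sets. It goes one step beyond the port-based ‘https’ filter: it also looks at the TLS record header, so TLS on an unusual port is still isolated. The IP addresses and payloads are constructed samples.

```python
"""Separate encrypted (TLS) from plaintext TCP traffic in a pcap (added example).

Not code from the test sheet. Reads the classic libpcap format with a minimal
Ethernet/IPv4/TCP decoder and applies two checks: the port heuristic that a
Wireshark `http`/`tls` filter relies on, and a port-independent look at the
TLS record header (content type 20-23, version 0x03 0x0x).
"""
import struct


def _ipv4_tcp_frame(src_port, dst_port, payload):
    """Build one Ethernet+IPv4+TCP frame around payload (constructed; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))  # documentation addresses
    return eth + ip + tcp + payload


def build_pcap(flows):
    """libpcap bytes (magic 0xa1b2c3d4, link type 1 = Ethernet) from (sport, dport, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (sport, dport, payload) in enumerate(flows):
        frame = _ipv4_tcp_frame(sport, dport, payload)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_packets(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP packet; skip anything else."""
    offset = 24                                         # skip the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def is_tls_record(payload):
    """True if the payload starts with a TLS record header, whatever port it travels on."""
    return (len(payload) >= 5 and payload[0] in (20, 21, 22, 23)
            and payload[1] == 3 and payload[2] <= 4)


def split_encrypted(pcap):
    """Return (encrypted, plaintext) lists of (sport, dport, payload_len)."""
    encrypted, plaintext = [], []
    for sport, dport, payload in iter_tcp_packets(pcap):
        looks_tls = is_tls_record(payload) or 443 in (sport, dport)
        (encrypted if looks_tls else plaintext).append((sport, dport, len(payload)))
    return encrypted, plaintext


# Constructed capture: HTTP on 80, TLS on 443, and TLS on the non-standard port 8443.
SAMPLE_PCAP = build_pcap([
    (51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (51001, 443, b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
    (51002, 8443, b"\x16\x03\x01\x00\x10" + b"\x00" * 16),
])

if __name__ == "__main__":
    enc, plain = split_encrypted(SAMPLE_PCAP)
    print("encrypted:", enc)
    print("plaintext:", plain)
```

Pass the bytes of a real capture file to split_encrypted to apply the same separation; only the plaintext set is worth reading without the server's private key or a session key log.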
Q5. How to execute DLLs with rundll32.exe?
Ans:
Running a DLL file with rundll32.exe is very simple using the command prompt. To
run a DLL file we just type “rundll32.exe <dllname>”. For example, if I have a DLL file named
khiem.dll and I want to run it, I just type “rundll32.exe khiem.dll” in the terminal.
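As an added example from the defender's side (not part of the answer sheet), the script below parses rundll32 command lines as they appear in process-creation logs. rundll32 loads the named DLL and calls the exported function given after the comma, so the full form is rundll32.exe <dll>,<entrypoint> [arguments], and a relative DLL name is resolved through the loader's search order. The risk rules and the directory list are an assumed, minimal policy for a host-monitoring script, and the sample command lines are constructed.

```python
"""Parse rundll32 command lines and flag risky ones (added example, not from the test sheet).

Syntax handled: rundll32.exe <dll>[,<entrypoint> [args...]]. The USER_WRITABLE list and
the two rules in assess() are an assumed policy, not a Windows or Sysinternals feature.
"""
import ntpath

# Assumed policy: directory fragments that an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")

RELATIVE_PATH = "relative DLL path (resolved via the loader search order)"
WRITABLE_DIR = "DLL under a user-writable directory"


def _tokenize(cmdline):
    """Split on whitespace while keeping double-quoted spans (Windows style) together."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_rundll32(cmdline):
    """Return {'dll', 'entry', 'args'} for a rundll32 command line, or None if it is not one."""
    parts = _tokenize(cmdline)
    if not parts or ntpath.basename(parts[0]).lower() != "rundll32.exe":
        return None
    if len(parts) < 2:
        return {"dll": None, "entry": None, "args": []}
    dll, _, entry = parts[1].partition(",")   # "<dll>,<entrypoint>" is one token
    return {"dll": dll, "entry": entry or None, "args": parts[2:]}


def assess(cmdline):
    """List of reasons a rundll32 invocation deserves a look; [] if clean; None if not rundll32."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    reasons = []
    dll = parsed["dll"]
    if dll is None:
        return ["no DLL argument"]
    normalised = dll.lower().replace("/", "\\")
    if not ntpath.isabs(normalised):
        reasons.append(RELATIVE_PATH)
    if any(fragment in normalised for fragment in USER_WRITABLE):
        reasons.append(WRITABLE_DIR)
    return reasons


# Constructed process-creation command lines (sample data, not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe khiem.dll",
    r'rundll32.exe "C:\Program Files\Vendor\tool.dll",Configure /quiet',
    r"rundll32.exe C:\Users\student\AppData\Local\Temp\loader.dll,Start",
    r"C:\Windows\System32\notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(f"{line}\n  parsed={parse_rundll32(line)}\n  reasons={assess(line)}")
```

Feeding a day's worth of process-creation events through assess and reviewing the non-empty results is a cheap first pass; the parsed entry point and arguments are what tell you whether the call is a known installer or maintenance task.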