security exercise?!

"It's like totally my birthday, but my family completely forgot!" Molly Ringworm typed frantically into her diary on her Windows-based laptop. “I thought turning 0x10 would be, like, sooo major,” she lamented. As with many kids heavily steeped in contemporary teenage computer culture, Molly referred to numbers almost exclusively in hexadecimal, citing her 16th birthday as the “Big 0x10”. Indeed, Molly was a computer aficionado to her core, getting the nickname “Ringworm” based on her compelling analysis of the Ring Zero worm a few years back.

Despite her family’s forgetting her Sweet 0x10, Molly Ringworm held out hope that this evening’s dance would be far better, possibly giving her a chance finally to speak with Jake Ryan, the object of her biggest crush ever.

Unfortunately, at the dance, she was just too shy to even approach Jake. Compounding the problem, the biggest nerd of all, known simply as “The Geek,” wouldn’t stop bothering her. She thought she’d escape him by moving to a secluded cubicle in a corner of the high school computer lab to update her diary. The Geek still stalked her even there.

Lonely and heartbroken, Molly decided to confide to The Geek, “This is the single worst day of my entire life… Jake doesn’t know I exist and everyone has forgotten my birthday!” The Geek, however, was interested in much more than discussing Molly’s hormonally induced pathos. He cut right to the chase, “Would it be totally off the wall if I asked if I could have an account on your box?” Molly chuckled at the complete absurdity of such a request, and responded, “As if! Like, totally gag me!”

The Geek, having anticipated such a reaction, decided to move to Plan B. “I'm getting input here that I'm reading as relatively hostile... But I made a bet with my buds that I could score an account on your system. I can’t go back empty handed, but there’s a way we could work this, even without you giving me an account. Can I borrow your motherboard for ten minutes?”

Knowing the dangers of hardware-based attacks, Molly shot back right away, “I don’t think so, creep! Get out of here.”

Right after The Geek left, Molly’s laptop started behaving erratically, with the mouse cursor moving around on the screen by itself! Completely shocked, she quickly fired up her favorite sniffer and noticed packets leaving her machine going to a web server on TCP port 443. She then ran Active Ports, a tool that lists programs that are utilizing TCP and UDP ports. She saw that a program named iexplore.exe was trying to connect to a remote system on TCP port 443, even though she couldn’t see a browser window on her screen. Sighing, Molly exclaimed, “Like, what a total bummer… hacked on my birthday!”

Despite her near overdose of self-pity, Molly needed to act. Given that the attack had likely just occurred, she conducted a search of her hard drive using the dir and find commands, looking for executable files created today. She found one! A new executable called note.exe created this morning at 9:04 AM.

Molly then ran the dir command again, this time with the /B flag, to determine the location of that strange file. It turns out that note.exe was located right in her c:\ directory.


1. Based on the output of the strings command, what capabilities might be built into the malicious code?
2. What simple and popular method could the attacker have used to thwart strings analysis (as well as making binary disassembly more difficult) on note.exe? What tools could the attacker use to accomplish this goal?
3. How could a malicious code researcher overcome the strings-obscuring and anti-disassembly technique(s) you described in your answer to question 2? What tools could a researcher use to accomplish this goal?
4. What should Molly do next to eradicate the malware and win Jake’s heart?
justinoleary556 Asked:
shahrial Commented:
1. Logic bomb... run arbitrary code.
2. Binary obfuscation is usually performed.
3. Procdump.
4. Install personal firewall, anti-spyware monitors. Win Jake's heart....errr...I don't know...talk to him?
0

justinoleary556 (Author) Commented:
NO, IT'S NOT HOMEWORK. HOW MANY RULES DO YOU HAVE ON THIS WEBSITE? EVERY SECURITY QUESTION I ASK, THERE'S SOME PROBLEM WITH IT. TAKE IT EASY.
0
justinoleary556 (Author) Commented:
OK, SO WHAT'S YOUR POINT? I DON'T SEE ANYTHING WRONG WITH MY QUESTION. ARE YOU GONNA LET PEOPLE ANSWER IT OR NOT?
0
Darrell Porter (Enterprise Business Process Architect) Commented:
For a complete reference to this specific issue, look at: http://www.bookpool.com/.x/RRRRRR/ct/49
and http://www.bookpool.com/.x/RRRRRR/ct/51

And don't ever waste my time again.

Walkabout

p.s. your track record for grading is atrocious.
0
justinoleary556 (Author) Commented:
Hey walkabouttigger, I don't think I wasted your time considering you didn't answer anything. The only reason most of my grades are so "atrocious" is because 90% of the answers given here are googled. So keep your comments to yourself.
0
Darrell Porter (Enterprise Business Process Architect) Commented:
You wasted my time.

Your responses are clearly immature and demonstrate your lack of respect for the members here.  In my opinion, you have no business posting in these forums if your attitude remains as demonstrated.

Walkabout
0