When infected with a malicious Kernel-Level Rootkit, why can it be difficult to remove it (short of reinstalling the OS)?


A kernel-level rootkit can sneak in through a device driver, which means that it will have OS-level privileges. This means that it can do literally anything possible to avoid detection. It can modify the programs that would be used to find and remove it, and it can cover its tracks with the same efficiency that the OS covers its own inner workings.

  1. What if an exploit is not discovered for a while and all of a system’s backup images are contaminated too?
  2. I find it difficult to sift through packets coming through my computer in a few seconds, let alone an entire network in real time. How does this help anything?
  3. When analyzing a suspect system, how exactly do you draw the line between doing a partial HDD analysis and a full-blown HDD analysis? I guess it would make sense that if a partial analysis didn't discover the problem you would go on to a full analysis, but when would you begin with a full analysis?
  4. The section on Ethics says that "some vendors purchase vulnerabilities to augment their research capacity." How exactly do they purchase vulnerabilities and how could they help with research?
  5. There is a section on detecting system intrusion from the network. If a device scans the network traffic, how can it distinguish what may be malicious?
  6. What is the difference between Detecting System Intrusions and an Intrusion Detection System/Intrusion Prevention System (IDS/IPS)?
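The point made above, that a rootkit with kernel privileges can tamper with the very tools used to look for it, is why defenders compare two independent views of the same fact rather than trusting one listing. The following cross-view check is an added example written for this page (not code from the original post); it assumes a Linux host with `/proc` mounted and compares the PIDs the `/proc` directory listing admits to against the PIDs a `kill(pid, 0)` probe of the process table finds.

```python
"""Cross-view process check: a hidden process shows up as a discrepancy
between two independent views of 'which PIDs exist'.

Caveat consistent with the text above: a kernel-level rootkit can hook the
probe path as well as the listing path, so an offline view of the disk (the
'full HDD analysis' from the questions) remains the only view it cannot
tamper with from inside the running OS.
"""
import os


def pids_from_proc():
    """View 1: PIDs the /proc directory listing reports (what `ps` uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_signal_probe(max_pid):
    """View 2: brute-force probe of the process table with signal 0.
    ProcessLookupError (ESRCH) means the PID does not exist; a
    PermissionError (EPERM) means it exists but belongs to another user,
    so it still counts as alive."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """PIDs the probe finds but the listing omits, sorted for reporting.
    A short-lived process that exits between the two views can also appear
    here, so a hit should be re-checked before it is treated as hiding."""
    return sorted(probed - listed)


def read_max_pid():
    """Upper bound for the probe; pid_max can be large, so the live run below
    is the slow part of this script."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


if __name__ == "__main__":
    suspicious = hidden_pids(pids_from_proc(), pids_from_signal_probe(read_max_pid()))
    print("PIDs present in the process table but missing from /proc:", suspicious or "none")
```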
