The category we would use for a website displaying a homeowner's association.
A) Travel
B) Government
C) Real-estate
C) Real-estate
Keep in mind some HOA sites look like government websites, but if they say "homeowners association" or "HOA", this is not government-owned and should be classified as real-estate.
Which of the following categories does NOT require malware team's approval before classifying?
A) malware
B) command-and-control
C) hacking
C) hacking
If you receive a URL that displays a parked page with click-through ads related to gambling, what category would be most appropriate?
Parked!
Remember we always choose parked UNLESS there is adult CONTENT - not words - displayed (adult), or if the domain name is typosquatting a legitimate page (grayware).
Name as many of the 10 grayware tags as you can
(10 points each).
TRIPLE if you can name them all!
2. Rogueware-adware
3. Typosquatting
4. Scam
5. Random-redirections
6. Hacked-site
7. Youtube-download
8. Infected-drive-by-download
9. Chrome-red-page-except-deceptive-site
10. http-and-https-different-content
TRUE/FALSE: If our remote machine isn't working, we can open CRs on our local machine.
FALSE!!!
We never ever open CRs on our local machine, even if the suggested category is benign. You never know whether a URL is infected or not, and we have to abide by Palo Alto Networks policies to keep our machines safe. The purpose of the remote machine is to research securely.
The category we would use for a website offering mortgage loans.
A) Stock-advice-and-tools
B) Financial-services
C) Real-estate
B) Financial-services
You receive a URL that the customer suggests as "malware". You take it to your remote machine and plug it into VirusTotal to be scanned.
Name 1 of the 2 criteria that tell us we need to submit this to the malware team.
DOUBLE if you can name both!
1. 3 or more VirusTotal hits from ANY vendor
2. AT LEAST 1 VirusTotal hit from a TRUSTED Vendor
You receive a URL suggested shopping. When you launch the page, you see an online store selling armor and bullet-proof vests. You don't see any firearms nor ammo for sale.
What is the correct category/categories?
A) Shopping
B) Hunting-and-fishing + shopping
C) Weapons
D) Weapons + shopping
D) Weapons + shopping
According to our definitions, we include bulletproof vests in the weapons category; weapons is also a shopping category!
A) The site ahead contains harmful programs
B) Deceptive site ahead
C) The site ahead contains malware
DOUBLE the points if you can name the category it's actually associated with!
B) Deceptive Site Ahead!
DOUBLE: Phishing!
What is the difference between EMC and MCT? (Name any difference)
- EMC is on our local machine, MCT is on our remote machine
- EMC is our editor portal to receive and submit CRs, MCT is our research portal
The category we would use if we launch a URL and we see the following, and no other evidence can be found in our research.
A) Content-delivery-network
B) Dynamic-DNS
C) Web-hosting
A) CDN!
Remember, if we can find other evidence (e.g. sibling/parent/child domains with content, registrant info, etc.) then we classify based on that evidence; otherwise, we go with CDN.
TRUE/FALSE: All malicious categories are severe, but not all severe categories are malicious.
TRUE!
The 5 malicious categories are a sub-section of the total 11 severe categories.
You receive a URL suggested gambling that is a casino's website, but does not offer any online gambling.
What is the correct category?
A) Travel
B) Real-estate
C) Gambling
D) Entertainment-and-arts
B) Real-estate!
You receive the URL homdepot.com from the customer jerryseinfeld@homedepot.com, with the customer's suggested category "malware". You launch the page and it displays the home page for Home Depot; however, you see in WHOIS that the registrant is "Privacy Domains" and the domain was registered yesterday.
What is the correct category and tag (if applicable)?
A) Grayware -> illegal activity
B) Grayware -> scam
C) Grayware -> typosquatting
D) Home-and-garden
C) Grayware -> typosquatting!
In this case, the customer is from Home Depot (as we can see from the contact email) claiming this domain is malicious. We confirm that, even though it's showing Home Depot, it is not owned by Home Depot. Many times you will see "Privacy" listed as the registrant - this means that the real registrant is hidden behind a privacy service and is unknown to us.
TRUE/FALSE: sports.yahoo.com is a parent of yahoo.com
FALSE!
yahoo.com is the parent of sports.yahoo.com
The category we would use for a website that allows the user to bypass URL filtering and anonymously browse the internet.
A) internet-communications-and-telephony
B) proxy-avoidance-and-anonymizers
C) dynamic-DNS
B) proxy-avoidance-and-anonymizers
TRUE OR FALSE: We can make IP addresses (without a path) a malicious category.
FALSE!
An IP without a path (e.g. 192.168.255.255, as opposed to 192.168.255.255/path/example.html) cannot be a malicious category. If we block an IP address as malicious, we're potentially blocking all domains hosted on this IP as well!
You receive a URL with the customer comment "This website belongs to my favorite bar, please unblock." The cloud category is alcohol-and-tobacco, and the customer suggests shopping. When you launch the page, you indeed see a website for a bar with a menu and takeout options.
TRUE/FALSE: You should keep the cloud category as alcohol-and-tobacco even though they serve food, because they also serve alcohol.
FALSE!
We do NOT include restaurants in the severe category of alcohol-and-tobacco. Because they also serve food, we would go with society.
You receive the URL omnuator.com suggested computer-and-internet-info, currently categorized in the cloud as grayware. You launch the URL and see a soft404 page. You do not find any registrant info, nor any content on child domains, nor content on any archived pages. However, you see in the Google search results several articles entitled "How to Remove this Virus omnuator.com".
Do you honor the customer's request to make it benign, or do you keep this as grayware?
A) Keep as grayware with the tag rogueware-adware
B) Keep as grayware with the tag typosquatting
C) There's no evidence! Insufficient-content with the attribute soft404
D) The customer is always right! Change it to computer-and-internet-info
A) Keep as grayware with the tag rogueware-adware!
The customer is suggesting this is benign, but you have exhausted all of your research outlets and found no evidence of what this domain does, other than reputable reports that this domain is malicious. These Google reports are good evidence for rogueware-adware.
You receive the URL subdomain2.subdomain1.maindomain.com/subdirectory1/subdirectory2.php
This URL is not in our database, but a few children of maindomain.com are.
Assuming the following are all in our database, which is the closest best-match parent that you would find in the Preserved URL for this CR?
D) subdomain2.subdomain1.maindomain.com/subdirectory1
This is the closest parent to the Original URL in our database (in this scenario).
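Added example (not part of the original card set, and not Palo Alto Networks tooling): a small Python helper that walks the parent chain the two cards above rely on. Path segments are peeled off first, then host labels, so that for the CR above the closest known parent is subdomain2.subdomain1.maindomain.com/subdirectory1, and sports.yahoo.com resolves up to yahoo.com. It also covers the IP-without-a-path card: an IP host has no parent hosts, so a CR for an IP plus path falls back to the bare IP, which is exactly the entry that can never take a malicious category. Assumptions: the database is keyed by lower-cased host plus path with no scheme, port, query or trailing slash; no public-suffix list is used, so the walk stops at two labels (maindomain.com) and would wrongly treat co.uk as a parent in a real deployment; SAMPLE_DB is a constructed database for the scenario.

```python
import ipaddress
from typing import Iterable, Iterator, Optional
from urllib.parse import urlsplit

MIN_LABELS = 2  # assumption: no public-suffix list, so we never climb above e.g. maindomain.com


def normalize(url: str) -> str:
    """Canonical 'host/path' form: scheme, port, query and fragment dropped,
    host lower-cased, trailing slash removed (assumption: the URL database is keyed this way)."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare 'host/path' as a network location
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host + parts.path.rstrip("/")


def is_ip_host(host: str) -> bool:
    """True for a literal IPv4/IPv6 host (urlsplit already strips the [] around IPv6)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_bare_ip(url: str) -> bool:
    """An IP address with no path: the card above says this can never get a malicious category."""
    host, _, path = normalize(url).partition("/")
    return is_ip_host(host) and path == ""


def parent_chain(url: str) -> Iterator[str]:
    """Yield the URL and its parents, closest first: path segments are peeled off
    right to left, then host labels left to right. An IP host has no parent hosts."""
    host, _, path = normalize(url).partition("/")
    segments = [s for s in path.split("/") if s]
    for n in range(len(segments), -1, -1):  # .../sub1/sub2.php, .../sub1, host
        yield host + "".join("/" + s for s in segments[:n])
    if is_ip_host(host):
        return
    labels = host.split(".")
    for i in range(1, len(labels) - MIN_LABELS + 1):  # subdomain1.maindomain.com, maindomain.com
        yield ".".join(labels[i:])


def closest_match(url: str, database: Iterable[str]) -> Optional[str]:
    """Closest database entry on the parent chain of `url` (the Preserved URL), or None."""
    known = {normalize(u) for u in database}
    return next((c for c in parent_chain(url) if c in known), None)


# Constructed database for the card above: maindomain.com and a few of its children are known.
SAMPLE_DB = [
    "maindomain.com",
    "subdomain1.maindomain.com",
    "subdomain2.subdomain1.maindomain.com/subdirectory1",
    "other.maindomain.com/subdirectory1/subdirectory2.php",
]

if __name__ == "__main__":
    cr = "subdomain2.subdomain1.maindomain.com/subdirectory1/subdirectory2.php"
    print(closest_match(cr, SAMPLE_DB))  # subdomain2.subdomain1.maindomain.com/subdirectory1
    print(is_bare_ip("192.168.255.255"), is_bare_ip("192.168.255.255/path/example.html"))  # True False
```

Note that other.maindomain.com/subdirectory1/subdirectory2.php is deliberately in the sample database and is never matched: a sibling host with the same path is not a parent, so it must not become the Preserved URL.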
Name 5 of the 9 categories that can have "shopping" added as a secondary category.
DOUBLE if you can name all 9!
1. Adult
2. Health-and-medicine
3. Home-and-garden
4. Hunting-and-fishing
5. Motor-vehicles
6. Music
7. Religion
8. Swimsuits-and-intimate-apparel
9. Weapons
Name 3 of the 5 malicious categories.
DOUBLE if you can name all 5!
1. Phishing
2. Malware
3. Grayware
4. Command-and-Control
5. Hacking
Name 6 of the 11 severe categories (HINT: Severe categories include the 5 MALICIOUS categories!)
TRIPLE if you can name all 11!
1. Phishing
2. Malware
3. Grayware
4. Command-and-control
5. Hacking
6. Adult
7. Abused-drugs
8. Alcohol-and-tobacco
9. Extremism
10. Gambling
11. Weapons
In this imaginary scenario, you receive the following CR in EMC:
Original URL: offic3.com
Customer Suggests The Category: malware
Cloud (Current) Category: unknown
There is no content shown on the domain, nor on any of its child domains. You check WhoIs.com and under registrant info, you see the owner is Microsoft.
Name the correct category you should choose.
A) Computer-and-internet-info, based on the registrant
B) No-access
C) Insufficient-content
D) Grayware -> typosquatting
A) Computer-and-internet-info, same as office.com
This is a case of defense squatting! Since Microsoft owns this domain, we know it's not being used maliciously.