This is a ramdisk-based containerizing rootkit that resides inside initrd and uses a mount and PID namespace before the actual init starts.

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which of the following is a ramdisk-based containerizing rootkit that resides inside the initrd and uses a mount namespace and a PID namespace before the actual init starts?

Explanation:
The rootkit described is not a firmware or boot-sector bootkit but an initrd-resident one: it lives in the initramfs/initrd, so it runs in the early-userspace stage after the kernel has started but before the real init (PID 1) takes over. From that position it carves out an isolated environment with Linux kernel namespaces. It creates a new mount namespace, which gives the processes inside it their own view of what is mounted where, and a new PID namespace, which gives them their own process tree with its own PID 1. The real init is then started inside those child namespaces, while the rootkit's own processes stay in the original ones. Because PID namespaces are hierarchical, a process inside the child namespace cannot see, signal, or enumerate processes in the parent, and its /proc shows only its own tree; the rootkit therefore runs outside the cloaked system and is invisible from within it, while the rest of the OS boots as if nothing were there.

This matches Horse Pill (presented by Michael Leibowitz at Black Hat USA 2016), a ramdisk-based containerizing rootkit that resides inside the initrd and leverages both a mount namespace and a PID namespace to run before the actual init starts. LoJax is a different threat: a UEFI rootkit that persists in the system firmware rather than in an initrd-based boot path, so it survives OS reinstalls and disk replacement but does not use this namespace trick. The other two options refer to detection approaches rather than a rootkit family, so they do not describe the malware in question.

Two practical consequences follow from how Horse Pill works. First, tooling run from inside the contained system inherits its blinded view, so detection has to either query something the kernel reports truthfully regardless of namespace (such as the namespace inode numbers under /proc) or compare the on-disk initrd against a known-good copy from trusted boot media. Second, Secure Boot on its own does not cover a conventional separate initrd, which is typically unsigned; only a signed unified kernel image or a measured boot that includes the initrd closes that gap.
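As an added example (not part of the exam page), the following Python script implements the in-system check described above: it reads the PID-namespace symlink of PID 1 and compares its inode with the kernel's fixed inode number for the initial PID namespace (PROC_PID_INIT_INO, 0xEFFFFFFC, defined in include/linux/proc_ns.h). If the real init is running inside a child PID namespace, as Horse Pill arranges, the inode will differ. The sample symlink targets near the top are constructed for illustration; the live check at the bottom reads the real /proc on the host it runs on.

```python
"""Check whether PID 1 runs in the kernel's initial PID namespace.

Horse Pill-style initrd rootkits start the real init inside a child PID
namespace (and mount namespace) so that the rootkit's own processes, which
remain in the initial namespaces, are invisible from inside. The initial
PID namespace has a fixed inode number, PROC_PID_INIT_INO = 0xEFFFFFFC,
so /proc/1/ns/pid pointing at any other inode means PID 1 is not the
system's true first process. This is an added example, not Horse Pill's
code or a published detector; it assumes an untampered kernel and /proc.
"""
import os
import re

# From include/linux/proc_ns.h in the Linux kernel: 0xEFFFFFFC == 4026531836.
PROC_PID_INIT_INO = 0xEFFFFFFC

# Constructed sample symlink targets in the format /proc/<pid>/ns/pid uses.
SAMPLE_INITIAL_NS = "pid:[4026531836]"  # what a clean host shows for PID 1
SAMPLE_CHILD_NS = "pid:[4026532211]"    # a child namespace (inode chosen arbitrarily)

_NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<ino>\d+)\]$")


def ns_inode(link_target: str) -> int:
    """Parse the inode out of a namespace symlink target such as 'pid:[4026531836]'."""
    m = _NS_LINK.match(link_target.strip())
    if not m:
        raise ValueError(f"not a namespace link target: {link_target!r}")
    return int(m.group("ino"))


def pid1_in_initial_pid_ns(pid1_link_target: str) -> bool:
    """True when the given /proc/1/ns/pid target is the initial PID namespace."""
    return ns_inode(pid1_link_target) == PROC_PID_INIT_INO


def verdict(pid1_link_target: str, self_link_target: str) -> str:
    """Classify the namespace layout seen from the checking process.

    'initial'  : PID 1 is the real init in the initial namespace.
    'child'    : PID 1 is in a child namespace and so is this checker
                 (a container, or an initrd rootkit such as Horse Pill).
    'nested'   : PID 1 is in a child namespace and the checker is in a
                 different one again; the view is at least two levels deep.
    """
    pid1_ino = ns_inode(pid1_link_target)
    self_ino = ns_inode(self_link_target)
    if pid1_ino == PROC_PID_INIT_INO:
        return "initial"
    if self_ino != pid1_ino:
        return "nested"
    return "child"


def read_ns_link(pid, kind: str = "pid") -> str:
    """Read /proc/<pid>/ns/<kind>; pid may be an int or the string 'self'."""
    return os.readlink(f"/proc/{pid}/ns/{kind}")


def live_check() -> str:
    """Run the check against the real /proc of the current host."""
    return verdict(read_ns_link(1), read_ns_link("self"))


if __name__ == "__main__":
    result = live_check()
    print(f"PID 1 namespace: {read_ns_link(1)}  self: {read_ns_link('self')}")
    if result == "initial":
        print("PID 1 is in the initial PID namespace; no Horse Pill-style containment seen.")
    else:
        print(f"PID 1 is NOT in the initial PID namespace ({result}).")
        print("Expected inside a container; on a bare host, verify the initrd from trusted media.")
```

A hit is an indicator, not proof: any ordinary container (Docker, LXC, systemd-nspawn) also places its PID 1 in a child namespace, so the check is only meaningful when you know the machine is supposed to be a bare host or VM. The inode comparison is reliable against a rootkit that lives purely in userspace like Horse Pill, because /proc is populated by the kernel; it says nothing about a rootkit that has also patched the kernel.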
