ECCouncil Updated 312-50v13 Exam Questions and Answers by rafi

The CEH Malware and Rootkit Analysis module emphasizes that kernel-level rootkits compromise the most trusted components of the operating system. Once a kernel is compromised, no tool running on that system can be fully trusted.

CEH explicitly states that the only reliable remediation for kernel-mode rootkits is:

Full system wipe

Reinstallation from a known, trusted source

Restoration of verified clean data

Option C is correct and represents CEH best practice.

Option A may work for user-mode rootkits but is unreliable for kernel-level infections.

Option B is a research tactic, not remediation.

Option D is containment, not eradication.

The File Transfer Protocol (FTP) is a standard organization convention utilized for the exchange of PC records from a worker to a customer on a PC organization. FTP is based on a customer worker model engineering utilizing separate control and information associations between the customer and the server.[1] FTP clients may validate themselves with an unmistakable book sign-in convention, ordinarily as a username and secret key, however can interface namelessly if the worker is designed to permit it. For secure transmission that ensures the username and secret phrase, and scrambles the substance, FTP is frequently made sure about with SSL/TLS (FTPS) or supplanted with SSH File Transfer Protocol (SFTP).

The primary FTP customer applications were order line programs created prior to working frameworks had graphical UIs, are as yet dispatched with most Windows, Unix, and Linux working systems.[2][3] Many FTP customers and mechanization utilities have since been created for working areas, workers, cell phones, and equipment, and FTP has been fused into profitability applications, for example, HTML editors.

A pharming attacker tries to send a web site’s traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

Though they share similar goals, pharming uses a special technique from phishing. “Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site,” explains David Emm, principal security man of science at Kaspersky. “When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different.”

CEH v13 highlights HTML smuggling as a modern technique used to bypass perimeter defenses by leveraging browser-side execution. Instead of downloading a malware file directly—which firewalls and IDS can detect—an attacker embeds obfuscated JavaScript or HTML within an attachment. When the victim opens the file, the browser reconstructs the payload locally using APIs like Blob or URL.createObjectURL. This method avoids external network transfers during the payload creation stage, allowing it to bypass content filters, sandboxing, and inline inspection tools. CEH emphasizes that HTML smuggling is especially dangerous because it operates within the browser environment, which security appliances implicitly trust. Port forwarding (Option B) relates to tunneling traffic, not file reconstruction. XSS (Option C) requires injecting scripts into web pages, not delivering malware. HTTP header spoofing (Option D) manipulates request metadata, not payload construction. Therefore, HTML smuggling precisely matches the described behavior.