Sample Attack

https://www.youtube.com/watch?
v=XrE-RfAYrzs integer overflow
https://www.youtube.com/watch?v=SaMr4EdU3GQ
An integer, in the context of computing, is a variable capable of

representing a real number with no fractional part. Integers are typically
the same size as a pointer on the system they are compiled on (i.e. on a 32
bit system, such as i386, an integer is 32 bits long, on a 64 bit system,
such as SPARC, an integer is 64 bits long).
Integers, like all variables are just regions of memory. When we talk
about integers, we usually represent them in decimal, as that is the
numbering system humans are most used to. Computers, being digital, cannot
deal with decimal, so internally to the computer integers are stored in
binary. Binary is another system of representing numbers which uses only
two numerals, 1 and 0, as opposed to the ten numerals used in decimal. As
well as binary and decimal, hexadecimal (base sixteen) is often used in
computing as it is very easy to convert between binary and hexadecimal.
Since it is often necessary to store negative numbers, there needs to be a

mechanism to represent negative numbers using only binary. The way this is
accomplished is by using the most significant bit (MSB) of a variable to
determine the sign: if the MSB is set to 1, the variable is interpreted as
negative; if it is set to 0, the variable is positive. This can cause some
confusion, as will be explained in the section on signedness bugs, because
not all variables are signed, meaning they do not all use the MSB to
determine whether they are positive or negative. These variable are known
as unsigned and can only be assigned positive values, whereas variables
which can be either positive or negative are called unsigned.
----[ 1.2 What is an integer overflow?
Since an integer is a fixed size (32 bits for the purposes of this paper),
there is a fixed maximum value it can store. When an attempt is made to
store a value greater than this maximum value it is known as an integer
overflow. The ISO C99 standard says that an integer overflow causes
"undefined behaviour", meaning that compilers conforming to the standard
may do anything they like from completely ignoring the overflow to aborting
the program. Most compilers seem to ignore the overflow, resulting in an
unexpected or erroneous result being stored.
----[ 1.3 Why can they be dangerous?
Integer overflows cannot be detected after they have happened, so there is

not way for an application to tell if a result it has calculated previously
is in fact correct. This can get dangerous if the calculation has to do
with the size of a buffer or how far into an array to index. Of course
most integer overflows are not exploitable because memory is not being
directly overwritten, but sometimes they can lead to other classes of bugs,
frequently buffer overflows. As well as this, integer overflows can be
difficult to spot, so even well audited code can spring surprises.
Integer overflows are not like most common bug classes. They do not allow
direct overwriting of memory or direct execution flow control, but are much
more subtle. The root of the problem lies in the fact that there is no way
for a process to check the result of a computation after it has happened,
so there may be a discrepancy between the stored result and the correct
result. Because of this, most integer overflows are not actually
exploitable. Even so, in certain cases it is possible to force a crucial
variable to contain an erroneous value, and this can lead to problems later
in the code.
The main reason for this is that these vulnerabilities can invalidate checks made to protect against other
classes of vulnerabilities.
For example, a buffer overflow vulnerability is created when a developer fails to check the length of user-
controlled input before placing it in a preallocated memory buffer. The solution to this vulnerability is to
ensure that the length of the user input is shorter than the size of the available buffer. However, if an attacker
can cause this check to fail due to an integer overflow vulnerability, the vulnerability becomes exploitable
again.
Another application of integer overflow and underflows is defeating checks to determine if a value meets
certain criteria, like ensuring that an account has a certain minimum balance before initiating a withdrawal.
If this check is implemented using unsigned variables and checks to see if the difference between the account
balance and withdrawal amount is greater than zero, the check will never return false, making it possible to
perform unauthorized withdrawals.
There is a huge number of situations

in which they can be exploited, so, I will provide examples of some
situations which are exploitable.
--[ 2.0 Integer overflows
So what happens when an integer overflow does happen? ISO C99 has this to
say:
"A computation involving unsigned operands can never overflow,

because a result that cannot be represented by the resulting unsigned
integer type is reduced modulo the number that is one greater than
the largest value that can be represented by the resulting type."
NB: modulo arithmetic involves dividing two numbers and taking the
remainder,
e.g.
10 modulo 5 = 0
11 modulo 5 = 1
so reducing a large value modulo (MAXINT + 1) can be seen as discarding the
portion of the value which cannot fit into an integer and keeping the rest.
In C, the modulo operator is a % sign.
</NB>
This is a bit wordy, so maybe an example will better demonstrate the

typical "undefined behaviour":
We have two unsigned integers, a and b, both of which are 32 bits long. We
assign to a the maximum value a 32 bit integer can hold, and to b we assign
1. We add a and b together and store the result in a third unsigned 32 bit
integer called r:
a = 0xffffffff
b = 0x1
r = a + b
Now, since the result of the addition cannot be represented using 32 bits,
the result, in accordance with the ISO standard, is reduced modulo
0x100000000.
r = (0xffffffff + 0x1) % 0x100000000

r = (0x100000000) % 0x100000000 = 0
Reducing the result using modulo arithmetic basically ensures that only the
lowest 32 bits of the result are used, so integer overflows cause the
result to be truncated to a size that can be represented by the variable.
This is often called a "wrap around", as the result appears to wrap around
to 0.
----[ 2.1 Widthness overflows
So an integer overflow is the result of attempting to store a value in a

variable which is too small to hold it. The simplest example of this can
be demonstrated by simply assigning the contents of large variable to a
smaller one:
/* ex1.c - loss of precision */

#include <stdio.h>
int main(void){
int l;
short s;
char c;
l = 0xdeadbeef;
s = l;
c = l;
printf("l = 0x%x (%d bits)\n", l, sizeof(l) * 8);

printf("s = 0x%x (%d bits)\n", s, sizeof(s) * 8);
printf("c = 0x%x (%d bits)\n", c, sizeof(c) * 8);
return 0;
}
/* EOF */
The output of which looks like this:
nova:signed {48} ./ex1

l = 0xdeadbeef (32 bits)
s = 0xffffbeef (16 bits)
c = 0xffffffef (8 bits)
Since each assignment causes the bounds of the values that can be stored in
each type to be exceeded, the value is truncated so that it can fit in the
variable it is assigned to.
It is worth mentioning integer promotion here. When a calculation
involving operands of different sizes is performed, the smaller operand is
"promoted" to the size of the larger one. The calculation is then
performed with these promoted sizes and, if the result is to be stored in
the smaller variable, the result is truncated to the smaller size again.
For example:
int i;
short s;
s = i;
A calculation is being performed with different sized operands here. What

happens is that the variable s is promoted to an int (32 bits long), then
the contents of i is copied into the new promoted s. After this, the
contents of the promoted variable are "demoted" back to 16 bits in order to
be saved in s. This demotion can cause the result to be truncated if it is
greater than the maximum value s can hold.
2.1.1 Exploiting
Integer overflows are not like most common bug classes. They do not allow
direct overwriting of memory or direct execution flow control, but are much
more subtle. The root of the problem lies in the fact that there is no way
for a process to check the result of a computation after it has happened,
so there may be a discrepancy between the stored result and the correct
result. Because of this, most integer overflows are not actually
exploitable. Even so, in certain cases it is possible to force a crucial
variable to contain an erroneous value, and this can lead to problems later
in the code.
Because of the subtlety of these bugs, there is a huge number of situations

in which they can be exploited, so I will not attempt to cover all
exploitable conditions. Instead, I will provide examples of some
situations which are exploitable, in the hope of inspiring the reader in
their own research :)
Example 1:
/* width1.c - exploiting a trivial widthness bug */

#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){

unsigned short s;
int i;
char buf[80];
if(argc < 3){

return -1;
}
i = atoi(argv[1]);
s = i;
if(s >= 80){ /* [w1] */

printf("Oh no you don't!\n");
return -1;
}
printf("s = %d\n", s);
memcpy(buf, argv[2], i);

buf[i] = '\0';
printf("%s\n", buf);
return 0;
}
While a construct like this would probably never show up in real life code,
it serves well as an example. Take a look at the following inputs:
nova:signed {100} ./width1 5 hello

s = 5
hello
Oh no you don't!
s = 0
Segmentation fault (core dumped)
The length argument is taken from the command line and held in the integer
i. When this value is transferred into the short integer s, it is
truncated if the value is too great to fit into s (i.e. if the value is
greater than 65535). Because of this, it is possible to bypass the bounds
check at [w1] and overflow the buffer. After this, standard stack smashing
techniques can be used to exploit the process.
----[ 2.2 Arithmetic overflows
As shown in section 2.0, if an attempt is made to store a value in an

integer which is greater than the maximum value the integer can hold, the
value will be truncated. If the stored value is the result of an
arithmetic operation, any part of the program which later uses the result
will run incorrectly as the result of the arithmetic being incorrect.
Consider this example demonstrating the wrap around shown earlier:
/* ex2.c - an integer overflow */

#include <stdio.h>
int main(void){
unsigned int num = 0xffffffff;
printf("num is %d bits long\n", sizeof(num) * 8);

printf("num = 0x%x\n", num);
printf("num + 1 = 0x%x\n", num + 1);
return 0;
}
/* EOF */
The output of this program looks like this:

num is 32 bits long
num = 0xffffffff
num + 1 = 0x0
Note:
The astute reader will have noticed that 0xffffffff is decimal -1, so it
appears that we're just doing
1 + (-1) = 0
Whilst this is one way at looking at what's going on, it may cause some
confusion since the variable num is unsigned and therefore all arithmetic
done on it will be unsigned. As it happens, a lot of signed arithmetic
depends on integer overflows, as the following demonstrates (assume both
operands are 32 bit variables):
-700 + 800 = 100

0xfffffd44 + 0x320 = 0x100000064
Since the result of the addition exceeds the range of the variable, the
lowest 32 bits are used as the result. These low 32 bits are 0x64, which
is equal to decimal 100.
</note>
Since an integer is signed by default, an integer overflow can cause a

change in signedness which can often have interesting effects on subsequent
code. Consider the following example:
/* ex3.c - change of signedness */

#include <stdio.h>
int main(void){
int l;
l = 0x7fffffff;
printf("l = %d (0x%x)\n", l, l);

printf("l + 1 = %d (0x%x)\n", l + 1 , l + 1);
return 0;
}
/* EOF */
The output of which is:

l = 2147483647 (0x7fffffff)
l + 1 = -2147483648 (0x80000000)
Here the integer is initialised with the highest positive value a signed
long integer can hold. When it is incremented, the most significant bit
(indicating signedness) is set and the integer is interpreted as being
negative.
Addition is not the only arithmetic operation which can cause an integer to
overflow. Almost any operation which changes the value of a variable can
cause an overflow, as demonstrated in the following example:
/* ex4.c - various arithmetic overflows */
#include <stdio.h>
int main(void){
int l, x;
l = 0x40000000;
printf("l = %d (0x%x)\n", l, l);
x = l + 0xc0000000;
printf("l + 0xc0000000 = %d (0x%x)\n", x, x);
x = l * 0x4;
printf("l * 0x4 = %d (0x%x)\n", x, x);
x = l - 0xffffffff;
printf("l - 0xffffffff = %d (0x%x)\n", x, x);
return 0;
}
/* EOF */
Output:

l = 1073741824 (0x40000000)
l + 0xc0000000 = 0 (0x0)
l * 0x4 = 0 (0x0)
l - 0xffffffff = 1073741825 (0x40000001)
The addition is causing an overflow in exactly the same way as the first
example, and so is the multiplication, although it may seem different. In
both cases the result of the arithmetic is too great to fit in an integer,
so it is reduced as described above. The subtraction is slightly
different, as it is causing an underflow rather than an overflow: an
attempt is made to store a value lower than the minimum value the integer
can hold, causing a wrap around. In this way we are able to force an
addition to subtract, a multiplication to divide or a subtraction to add.
What is a man-in-the-middle attack?
A man-in-the-middle attack requires three players. There’s the victim, the entity with which the
victim is trying to communicate, and the “man in the middle,” who’s intercepting the victim’s
communications. Critical to the scenario is that the victim isn’t aware of the man in the middle.
How does a man-in-the-middle attack work?
How does this play out? Let’s say you received an email that appeared to be from your bank,
asking you to log in to your account to confirm your contact information. You click on a link in
the email and are taken to what appears to be your bank’s website, where you log in and perform
the requested task.
In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be
legitimate. (This attack also involves phishing, getting you to click on the email appearing to
come from your bank.) He also created a website that looks just like your bank’s website, so you
wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when
you do that, you’re not logging into your bank account, you’re handing over your credentials to
the attacker.
MITM attacks: Close to you or with malware
Man-in-the-middle attacks come in two forms, one that involves physical proximity to the
intended target, and another that involves malicious software, or malware. This second form, like
our fake bank example above, is also called a man-in-the-browser attack.
Cybercriminals typically execute a man-in-the-middle attack in two phases — interception and
decryption.
With a traditional MITM attack, the cybercriminal needs to gain access to an unsecured or poorly
secured Wi-Fi router. These types of connections are generally found in public areas with free
Wi-Fi hotspots, and even in some people’s homes, if they haven’t protected their network.
Attackers can scan the router looking for specific vulnerabilities such as a weak password.
Once attackers find a vulnerable router, they can deploy tools to intercept and read the victim’s
transmitted data. The attacker can then also insert their tools between the victim’s computer and
the websites the user visits to capture log in credentials, banking information, and other personal
information.
A successful man-in-the-middle attack does not stop at interception. The victim’s encrypted data
must then be unencrypted, so that the attacker can read and act upon it.
What is a man-in-the-browser attack?
With a man-in-the-browser attack (MITB), an attacker needs a way to inject malicious software,
or malware, into the victim’s computer or mobile device. One of the ways this can be achieved is
by phishing.
Phishing is when a fraudster sends an email or text message to a user that appears to originate
from trusted source, such as a bank, as in our original example. By clicking on a link or opening
an attachment in the phishing message, the user can unwittingly load malware onto their device.
The malware then installs itself on the browser without the user’s knowledge. The malware
records the data sent between the victim and specific targeted websites, such as financial
institutions, and transmits it to the attacker.
7 types of man-in-the-middle attacks
The word "spoof" means to hoax, trick, or deceive. Therefore, in the IT world, spoofing refers
tricking or deceiving computer systems or other computer users. This is typically done by hiding
one's identity or faking the identity of another user on the Internet.
Spoofing can take place on the Internet in several different ways. One common method is
through e-mail. E-mail spoofing involves sending messages from a bogus e-mail address or
faking the e-mail address of another user. Fortunately, most e-mail servers have security features
that prevent unauthorized users from sending messages. However, spammers often
send spam messages from their own SMTP, which allows them to use fake e-mail addresses.
Therefore, it is possible to receive e-mail from an address that is not the actual address of the
person sending the message.
Another way spoofing takes place on the Internet is via IP spoofing. This involves masking
the IP address of a certain computer system. By hiding or faking a computer's IP address, it is
difficult for other systems to determine where the computer is transmitting data from. Because IP
spoofing makes it difficult to track the source of a transmission, it is often used in denial-of-
service attacks that overload a server. This may cause the server to either crash or become
unresponsive to legitimate requests. Fortunately, software security systems have been developed
that can identify denial-of-service attacks and block their transmissions.
Finally, spoofing can be done by simply faking an identity, such as an online username. For
example, when posting on an Web discussion board, a user may pretend he is the representative
for a certain company, when he actually has no association with the organization. In online chat
rooms, users may fake their age, gender, and location.
While the Internet is a great place to communicate with others, it can also be an easy place to
fake an identity. Therefore, always make sure you know who you are communicating with before
giving out private information.
Cybercriminals can use MITM attacks to gain control of devices in a variety of ways.
1. IP spoofing
Every device capable of connecting to the internet has an internet protocol (IP) address, which is
similar to the street address for your home. By spoofing an IP address, an attacker can trick you
into thinking you’re interacting with a website or someone you’re not, perhaps giving the
attacker access to information you’d otherwise not share.
Replay
A replay attack occurs when an attacker intercepts and saves old messages and then tries to send
them later, impersonating one of the participants. This type can be easily countered with session
timestamps or nonce (a random number or a string that changes with time).
Currently, there is no single technology or configuration to prevent all MitM attacks. Generally,
encryption and digital certificates provide an effective safeguard against MitM attacks, assuring
both the confidentiality and integrity of communications. But a man-in-the-middle attack can be
injected into the middle of communications in such a way that encryption will not help — for
example, attacker “A” intercepts public key of person “P” and substitute it with his own public
key. Then, anyone wanting to send an encrypted message to P using P’s public key is
unknowingly using A’s public key. Therefore, A can read the message intended for P and then
send the message to P, encrypted in P’s real public key, and P will never notice that the message
was compromised. In addition, A could also modify the message before resending it to P. As you
can see, P is using encryption and thinks that his information is protected but it is not, because of
the MitM attack.
3) Phishing and spear phishing attacks
Phishing attack is the practice of sending emails that appear to be from trusted sources with the
goal of gaining personal information or influencing users to do something. It combines social
engineering and technical trickery. It could involve an attachment to an email that loads malware
onto your computer. It could also be a link to an illegitimate website that can trick you into
downloading malware or handing over your personal information.
Spear phishing is a much targeted type of phishing activity. Attackers take the time to conduct
research into targets and create messages that are personal and relevant. Because of this, spear
phishing can be very hard to identify and even harder to defend against. One of the simplest
ways that a hacker can conduct a spear phishing attack is email spoofing, which is when the
information in the “From” section of the email is falsified, making it appear as if it is coming
from someone you know, such as your management or your partner company. Another technique
that scammers use to add credibility to their story is website cloning — they copy legitimate
websites to fool you into entering personally identifiable information (PII) or login credentials.
To reduce the risk of being phished, you can use these techniques:
 Critical thinking — Do not accept that an email is the real deal just because you’re busy
or stressed or you have 150 other unread messages in your inbox. Stop for a minute and
analyze the email.
 Hovering over the links — Move your mouse over the link, but do not click it! Just let
your mouse cursor h over over the link and see where would actually take you. Apply
critical thinking to decipher the URL.
 Analyzing email headers — Email headers define how an email got to your address.
The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated
in the email.
 Sandboxing — You can test email content in a sandbox environment, logging activity
from opening the attachment or clicking the links inside the email.
4) Drive-by attack
 Drive-by download attacks are a common method of spreading malware. Hackers look
for insecure websites and plant a malicious script into HTTP or PHP code on one of the
pages. This script might install malware directly onto the computer of someone who
visits the site, or it might re-direct the victim to a site controlled by the hackers. Drive-by
downloads can happen when visiting a website or viewing an email message or a pop-up
window. Unlike many other types of cyber security attacks, a drive-by doesn’t rely on a
user to do anything to actively enable the attack — you don’t have to click a download
button or open a malicious email attachment to become infected. A drive-by download
can take advantage of an app, operating system or web browser that contains security
flaws due to unsuccessful updates or lack of updates.
 To protect yourself from drive-by attacks, you need to keep your browsers and operating
systems up to date and avoid websites that might contain malicious code. Stick to the
sites you normally use — although keep in mind that even these sites can be hacked.
Don’t keep too many unnecessary programs and apps on your device. The more plug-ins
you have, the more vulnerability there are that can be exploited by drive-by attacks.
Drive by downloads are designed to breach your device for one or more of the following:
 Hijack your device — to build a botnet, infect other devices, or breach yours further.
 Spy on your activity — to steal your online credentials, financial info, or identity.
 Ruin data or disable your device — to simply cause trouble or personally harm you.
4. SSL hijacking
When your device connects to an unsecure server — indicated by “HTTP” — the server can
often automatically redirect you to the secure version of the server, indicated by “HTTPS.” A
connection to a secure server means standard security protocols are in place, protecting the data
you share with that server. SSL stands for Secure Sockets Layer, a protocol that establishes
encrypted links between your browser and the web server.
In an SSL hijacking, the attacker uses another computer and secure server and intercepts all the
information passing between the server and the user’s computer.
5. Email hijacking
Cybercriminals sometimes target email accounts of banks and other financial institutions. Once
they gain access, they can monitor transactions between the institution and its customers. The
attackers can then spoof the bank’s email address and send their own instructions to customers.
This convinces the customer to follow the attackers’ instructions rather than the bank’s. As a
result, an unwitting customer may end up putting money in the attackers’ hands.
6. Wi-Fi eavesdropping
Cybercriminals can set up Wi-Fi connections with very legitimate sounding names, similar to a
nearby business. Once a user connects to the fraudster’s Wi-Fi, the attacker will be able to
monitor the user’s online activity and be able to intercept login credentials, payment card
information, and more. This is just one of several risks associated with using public Wi-Fi. You
can learn more about such risks here.
7. Stealing browser cookies
To understand the risk of stolen browser cookies, you need to understand what one is. A browser
cookie is a small piece of information a website stores on your computer.
For example, an online retailer might store the personal information you enter and shopping cart
items you’ve selected on a cookie so you don’t have to re-enter that information when you
return.
A cybercriminal can hijack these browser cookies. Since cookies store information from your
browsing session, attackers can gain access to your passwords, address, and other sensitive
information.
How to help protect against a man-in-the-middle attack
With the amount of tools readily available to cybercriminals for carrying out man-in-the-middle
attacks, it makes sense to take steps to help protect your devices, your data, and your
connections. Here are just a few.
 Make sure “HTTPS” — with the S — is always in the URL bar of the websites you visit.
 Be wary of potential phishing emails from attackers asking you to update your password
or any other login credentials. Instead of clicking on the link provided in the email,
manually type the website address into your browser.
 Never connect to public Wi-Fi routers directly, if possible. A VPN encrypts your internet
connection on public hotspots to protect the private data you send and receive while using
public Wi-Fi, like passwords or credit card information.
 Since MITB attacks primarily use malware for execution, you should install a
comprehensive internet security solution, such as Norton Security, on your computer.
Always keep the security software up to date.
 Be sure that your home Wi-Fi network is secure. Update all of the default usernames and
passwords on your home router and all connected devices to strong, unique passwords.
What is a malware attack?
A malware attack is when cybercriminals create malicious software that’s installed on someone
else’s device without their knowledge to gain access to personal information or to damage the
device, usually for financial gain. Different types of malware include viruses, spyware,
ransomware, and Trojan horses.
Malware attacks can occur on all sorts of devices and operating systems, including Microsoft
Windows, macOS, Android, and iOS.
At least one type of malware attack is growing that is Mobile ransomware attck.
Types of malware attack
Malware attacks seem to get more sophisticated every year. Because malware is often difficult to
detect, and devices are typically infected without the user even noticing, it can be one of the
primary threats to your personal information and identity that you must be on guard for.
A wide variety of types of malware exist, including computer viruses, worms, Trojan
horses, ransomware, spyware, adware, rogue software, and scareware.
Computer Worms:
A computer worm is a type of malware that spreads copies of itself from computer to computer.
A worm can replicate itself without any human interaction, and it does not need to attach itself to
a software program in order to cause damage.
It replicates itself in order to spread to other computers.[1] It often uses a computer network to
spread itself, relying on security failures on the target computer to access it. It will use this
machine as a host to scan and infect other computers. When these new worm-invaded computers
are controlled, the worm will continue to scan and infect other computers using these computers
as hosts, and this behavior will continue.[2] Computer worms use recursive method to copy
themselves without host program and distribute themselves based on the law of exponential
growth, and then controlling and infecting more and more computers in a short time.Worms
almost always cause at least some harm to the network, even if only by consuming bandwidth,
whereas viruses almost always corrupt or modify files on a targeted computer.
Many worms are designed only to spread, and do not attempt to change the systems they pass
through. However they can cause major disruption by increasing network traffic and other
unintended effects
How do computer worms work?

worms don't require the activation of their host file. Once a worm has entered your system,
usually via a network connection or as a downloaded file, it can then run, self-replicate and
propagate without a triggering event. A worm makes multiple copies of itself which then spread
across the network or through an internet connection. These copies will infect any inadequately
protected computers and servers that connect—via the network or internet—to the originally
infected device. Because each subsequent copy of a worm repeats this process of self-
replication, execution and propagation, worm-based infections spread rapidly across computer
networks and the internet at large.
computer worm’s purpose is only to make copies of itself over and over — depleting system
resources, such as hard drive space or bandwidth, by overloading a shared network.
The Morris worm or Internet worm of November 9, 1988, was one of the first computer
worms distributed via the Internet, and the first to gain significant mainstream media attention.
It is a maliciously clever program was unleashed on the Internet from a computer at the
Massachusetts Institute of Technology (MIT).
This cyber worm soon propagated at remarkable speed and grinding computers to a halt. “We are
currently under attack,” wrote a concerned student at the University of California, Berkeley in an
email later that night. Within 24 hours, an estimated 6,000 of the approximately 60,000
computers that were then connected to the Internet had been hit. Computer worms, unlike
viruses, do not need a software host but can exist and propagate on their own.
Berkeley was far from the only victim. The rogue program had infected systems at a number of
the prestigious colleges and public and private research centers that made up the early national
electronic network. This was a year before the invention of the World Wide Web.
The worm only targeted computers running a specific version of the Unix operating system, but
it spread widely because it featured multiple vectors of attack. For example, it exploited a
backdoor in the Internet’s electronic mail system and a bug in the “finger” program that
identified network users. It was also designed to stay hidden.
The worm did not damage or destroy files, Vital military and university functions slowed to a
crawl. Emails were delayed for days. The network community labored to figure out how the
worm worked and how to remove it. Some institutions wiped their systems; others disconnected
their computers from the network for as long as a week. The exact damages were difficult to
quantify, but estimates started at $100,000 and soared into the millions.
As computer experts worked feverishly on a fix, the question of who was responsible became
more urgent. Shortly after the attack, a dismayed programmer contacted two friends, admitting
he’d launched the worm and despairing that it had spiraled dangerously out of control. He asked
one friend to relay an anonymous message across the Internet on his behalf, with a brief apology
and guidance for removing the program. Ironically, few received the message in time because the
network had been so damaged by the worm.
Independently, the other friend made an anonymous call to The New York Times, which would
soon splash news of the attack across its front pages. The friend told a reporter that he knew who
built the program, saying it was meant as a harmless experiment and that its spread was the result
of a programming error. In follow-up conversations with the reporter, the friend inadvertently
referred to the worm’s author by his initials, RTM. Using that information, The Times soon
confirmed and publicly reported that the culprit was a 23-year-old Cornell University graduate
student named Robert Tappan Morris.
Morris was a talented computer scientist who had graduated from Harvard in June 1988. He had
grown up immersed in computers thanks to his father, who was an early innovator at Bell Labs.
At Harvard, Morris was known for his technological prowess, especially in Unix; he was also
known as a prankster. After being accepted into Cornell that August, he began developing a
program that could spread slowly and secretly across the Internet. To cover his tracks, he
released it by hacking into an MIT computer from his Cornell terminal in Ithaca, New York.
After the incident became public, the FBI launched an investigation. Agents quickly confirmed
that Morris was behind the attack and began interviewing him and his associates and decrypting
his computer files, which yielded plenty of incriminating evidence.
But had Morris broken federal law? Turns out, he had. In 1986, Congress had passed the
Computer Fraud and Abuse Act, outlawing unauthorized access to protected computers.
Prosecutors indicted Morris in 1989. The following year, a jury found him guilty, making him
the first person convicted under the 1986 law. Morris, however, was spared jail time, instead
receiving a fine, probation, and an order to complete 400 hours of community service.
The episode had a huge impact on a nation just coming to grips with how important—and
vulnerable—computers had become. The idea of cybersecurity became something computer
users began to take more seriously. Just days after the attack, for example, the country’s first
computer emergency response team was created in Pittsburgh at the direction of the Department
of Defense. Developers also began creating much-needed computer intrusion detection software.
At the same time, the Morris Worm inspired a new generation of hackers and a wave of Internet-
driven assaults that continue to plague our digital systems to this day. Whether accidental or not,
the first Internet attack 30 years ago was a wake-up call for the country and the cyber age to
come.
Stuxnet: the most famous computer worm
In July 2010, the first computer worm used as a cyber weapon was discovered by two security
researchers after a long string of incidents in Iran. Dubbed “Stuxnet,” this worm appeared to be
much more complex than the worms researchers were used to seeing. This attracted the interest
of high-profile security specialists around the world, including Liam O’Murchu and Eric Chien
of the Security Technology and Response (STAR) team at Symantec. Their extensive research
led them to conclude that the worm was being used to attack an Iranian power plant, with the
ultimate goal of sabotaging nuclear weapon production. Although the attack ultimately failed,
this computer worm is still active on the threat landscape today.
How to tell if your computer has a worm
If you suspect your devices are infected with a computer worm, run a virus scan immediately.
Even if the scan comes up negative, continue to be proactive by following these steps.
1. Keep an eye on your hard drive space. When worms repeatedly replicate themselves,
they start to use up the free space on your computer.
2. Monitor speed and performance. Has your computer seemed a little sluggish lately?
Are some of your programs crashing or not running properly? That could be a red flag
that a worm is eating up your processing power.
3. Be on the lookout for missing or new files. One function of a computer worm is to
delete and replace files on a computer.
How to help protect against computer worms
Computer worms are just one example of malicious software. To help protect your computer
from worms and other online threats, take these steps.
1. Since software vulnerabilities are major infection vectors for computer worms, be sure
your computer’s operating system and applications are up to date with the latest versions.
Install these updates as soon as they’re available because updates often include patches
for security flaws.
2. Phishing is another popular way for hackers to spread worms (and other types of
malware). Always be extra cautious when opening unsolicited emails, especially those
from unknown senders that contain attachments or dubious links.
3. Be sure to invest in a strong internet security software solution that can help block these
threats. A good product should have anti-phishing technology as well as defenses against
viruses, spyware, ransomware, and other online threats.
According to the recent report titled “The State of Ransomware 2020”, by the Indian express
reveals the extent of ransomware attacks in India and the world. As per the report, 82 per cent of
Indian organisations were hit by ransomware in the last six months, which is a 15 per cent
increase from 2017.
The key findings of the report regarding India reveal that 85 per cent of organisations in Delhi
were hit by ransomware followed by Bangalore at 83 per cent, Kolkata and Mumbai at 81 per
cent, Chennai at 79 per cent, and Hyderabad at 74 per cent. The Sophos report also highlights
that the Indian organisation incurred costs of around Rs 8.02 crores to rectify the impact of each
ransomware.
The cybersecurity firm said to keep regular backups of most important and current data on an
offline storage device to avoid paying money to cybercriminals in case of a ransomware attack. It
also asked to never give yourself more login power than you need and administrators should
enable multi-factor authentication on all management systems that support it.
Here are some of the most common types of malware attacks and the cybersecurity threats they
present.
Computer virus
Viruses are often attached or concealed in shared or downloaded files, both executable files—a
program that runs script—and non-executable files such as a Word document or an image file.
When the host file is accepted or loaded by a target system, the virus remains dormant until the
infected host file is activated. Only after the host file is activated, can the virus run, executing
malicious code and replicating to infect other files on your system.
A computer virus is a type of computer program that, when executed, replicates itself by
modifying other computer programs and inserting its own code.[1] When this replication
succeeds, the affected areas are then said to be "infected" with a computer virus.
Motives for creating viruses can include seeking profit (e.g., with ransomware), desire to send a
political message, personal amusement, to demonstrate that a vulnerability exists in software, or
simply because they wish to explore cybersecurity issues.
Computer viruses currently cause billions of dollars' worth of economic damage each year,
[13]
due to causing system failure, wasting computer resources, corrupting data, increasing
maintenance costs or stealing personal information.
What is a Computer Virus?

A computer virus is a malicious code designed to spread from host to host by itself without the
user’s knowledge to perform malicious actions. It imposes harm to a computer by corrupting
system files, destroying data or otherwise by being a nuisance. The reason for designing a
computer virus is to attack vulnerable systems to gain admin control and steal confidential
information — Cybercriminals prey on online users by tricking them.
Theory of Self-Replicating Automata
What is a computer virus? This idea was first discussed in a series of lectures by mathematician
John von Neumann in the late 1940s and a paper published in 1966, Theory of Self-Reproducing
Automata. The paper was effectively a thought experiment that speculated that it would be
possible for a "mechanical" organism—such as a piece of computer code—to damage machines,
copy itself and infect new hosts, just like a biological virus.
How does a Computer Virus Spread

A computer virus spreads through removable media, internet downloads, and e-mail attachments.
In other words, a virus spreads while the user is viewing an infected advertisement, visiting an
infected website, opening the attachment in the email, or clicking on an executable file. Besides
that, connecting with an already infected removable storage device such as a USB drive also
spreads the infection.
There are two ways by which a virus operates; the first type starts replicating itself as soon as it
lands on the computer; the second type remains dormant until it is triggered.
Computer Virus Symptoms

The list of computer virus symptoms include:
 A slow performing computer
 Pop-ups automatically showing up on the screen
 Programs running on their own
 Automatic multiplying/duplicating files
 Presence of unknown files and applications on the computer
 Files getting deleted or corrupted
When a user comes across any of these symptoms, then there are chances that the computer is
virus infected. There are two approaches to erase computer infection. The first approach is do-it-
yourself and the second approach is to ask for some help to get rid of the virus.
The antivirus is designed to protect computers from sophisticated threats too. Here’s a list of
things that a user needs to do:
Step 1- Disconnect your computer from the internet
Step 2- Enter Safe Mode – this helps running only the required programs and applications.
Step 3- Delete all temporary files to free up the disk space
Step 4- Run a virus scan
The Creeper Program
As noted by Discovery, the Creeper program, often regarded as the first virus, was created in
1971 by Bob Thomas of BBN. Creeper was actually designed as a security test to see if a self-
replicating program was possible. It was—sort of. With each new hard drive infected, Creeper
would try to remove itself from the previous host. Creeper had no malicious intent and only
displayed a simple message: "I'M THE CREEPER. CATCH ME IF YOU CAN!"
creeper corrupted DEC PDP-10 computers operating on the TENEX operating system by
messing around the installed printers, displaying the message “I’m the creeper, catch me if you
can!”
The Creeper virus located a computer on the network, transferred itself to the computer, started
to print a file (and stopped), displayed a message on the screen and then started over again. One
significant difference between Creeper and other major viruses was that the Creeper erased its
older versions as it duplicated itself.
The primary difference between a virus and a worm is that viruses must be triggered by the
activation of their host; whereas worms are stand-alone malicious programs that can self-
replicate and propagate independently as soon as they have breached the system. Worms do
not require activation—or any human intervention—to execute or spread their code.
Viruses
Viruses can be classified according to the method that they use to infect a computer
 File viruses
 Boot sector viruses
 Macro viruses
 Script viruses
Worms
Worms often exploit network configuration errors or security loopholes in the operating system
(OS) or applications
Many worms use multiple methods to spread across networks, including the following:
 Email: Carried inside files sent as email attachments

 Internet: Via links to infected websites; generally hidden in the website’s HTML, so the infection
is triggered when the page loads
 Downloads & FTP Servers: May initially start in downloaded files or individual FTP files, but if
not detected, can spread to the server and thus all outbound FTP transmissions
 Instant Messages (IM): Transmitted through mobile and desktop messaging apps, generally as
external links, including native SMS apps, WhatsApp, Facebook messenger, or any other type
of ICQ or IRC message
 P2P/Filesharing: Spread via P2P file sharing networks, as well as any other shared drive or
files, such as a USB stick or network server
 Networks: Often hidden in network packets; though they can spread and self-propagate through
shared access to any device, drive or file across the network
A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can
take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general inflict
some other harmful action on your data or network.
A Trojan acts like a bona fide application or file to trick you. It seeks to deceive you into loading
and executing the malware on your device. Once installed, a Trojan can perform the action it
was designed for.
A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that’s a misnomer.
Viruses can execute and replicate themselves. A Trojan cannot. A user has to execute Trojans.
Even so, Trojan malware and Trojan virus are often used interchangeably.
Whether you prefer calling it Trojan malware or a Trojan virus, it’s smart to know how this
infiltrator works and what you can do to keep your devices safe.
How do Trojans work?

Here’s a Trojan malware example to show how it works.
You might think you’ve received an email from someone you know and click on what looks like a
legitimate attachment. But you’ve been fooled. The email is from a cybercriminal, and the file
you clicked on — and downloaded and opened — has gone on to install malware on your
device.
When you execute the program, the malware can spread to other files and damage your
computer.
Users are typically tricked by some form of social engineering into loading and executing
Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you,
steal your sensitive data, and gain backdoor access to your system. These actions can include:
 Deleting data
 Blocking data
 Modifying data
 Copying data
 Disrupting the performance of computers or computer networks
Unlike computer viruses and worms, Trojans are not able to self-replicate
Common types of Trojan malware

Here’s a look at some of the most common types of Trojan malware, including their names and
what they do on your computer:
Backdoor Trojan
A backdoor Trojan gives malicious users remote control over the infected computer. They
enable the author to do anything they wish on the infected computer – including sending,
receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor
Trojans are often used to unite a group of victim computers to form a botnet or zombie network
that can be used for criminal purposes.
Distributed Denial of Service (DDoS) attack Trojan
These programs conduct DoS (Denial of Service) attacks against a targeted web address. By
sending multiple requests – from your computer and several other infected computers – the
attack can overwhelm the target address… leading to a denial of service.
Downloader Trojan
This Trojan targets your already-infected computer. It downloads and installs new versions of
malicious programs. These can include Trojans and adware.
Fake AV Trojan
This Trojan behaves like antivirus software, but demands money from you to detect and remove
threats, whether they’re real or fake.
Trojan-FakeAV programs simulate the activity of antivirus software. They are designed to extort
money from you – in return for the detection and removal of threats… even though the threats
that they report are actually non-existent.
Game-thief Trojan
The users here may be online gamers. This Trojan seeks to steal their account information.
Infostealer Trojan
As it sounds, this Trojan is after data on your infected computer.
Mailfinder Trojan
This Trojan seeks to steal the email addresses you’ve accumulated on your device.
Ransom Trojan
This type of Trojan can modify data on your computer – so that your computer doesn’t run
correctly or you can no longer use specific data. The criminal will only restore your computer’s
performance or unblock your data, after you have paid them the ransom money that they
demand.
Remote Access Trojan
This Trojan can give an attacker full control over your computer via a remote network
connection. Its uses include stealing your information or spying on you.
Rootkit Trojan
A rootkit aims to hide or obscure an object on your infected computer. The idea? To extend the
time a malicious program runs on your device.
SMS Trojan
This type of Trojan infects your mobile device and can send and intercept text messages. Texts
to premium-rate numbers can drive up your phone costs.
Trojan banker
This Trojan takes aim at your financial accounts. It’s designed to steal your account information
for all the things you do online. That includes banking, credit card, and bill pay data.
Trojan IM
This Trojan targets instant messaging. It steals your logins and passwords on IM platforms.
such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many more.
Examples of Trojan malware attacks

Trojan malware attacks can inflict a lot of damage. At the same time, Trojans continue to evolve.
Here are three examples.
1. Emotet banking Trojan. After a long hiatus, Emotet’s activity increased in the last few
months of 2017, according to the Symantec 2018 Internet Security Threat Report.
Detections increased by 2,000 percent in that period. Emotet steals financial information,
among other things.
2. Rakhni Trojan.This malware has been around since 2013. More recently, it can deliver
ransomware or a cryptojacker (allowing criminals to use your device to mine for
cryptocurrency) to infected computers. “The growth in coin mining in the final months of
2017 was immense,” the 2018 Internet Security Threat Report notes. “Overall coin-
mining activity increased by 34,000 percent over the course of the year.”
3. ZeuS/Zbot.This banking Trojan is another oldie but baddie. ZeuS/Zbot source code was
first released in 2011. It uses keystroke logging — recording your keystrokes as you log
into your bank account, for instance — to steal your credentials and perhaps your
account balance as well.
How Trojans impact mobile devices

Trojans aren’t problems for only laptop and desktop computers. They can also impact your
mobile devices, including cell phones and tablets.
In general, a Trojan comes attached to what looks like a legitimate program. In reality, it is a
fake version of the app, loaded up with malware. Cybercriminals will usually place them
on unofficial and pirate app markets for unsuspecting users to download.
In addition, these apps can also steal information from your device, and generate revenue by
sending premium SMS texts.
One form of Trojan malware has targeted Android devices specifically. Called Switcher Trojan, it
infects users’ devices to attack the routers on their wireless networks. The result?
Cybercriminals could redirect traffic on the Wi-Fi-connected devices and use it to commit
various crimes.
How to help protect against Trojans

Here are some dos and don’ts to help protect against Trojan malware. First, the dos:
 Computer security begins with installing and running an internet security suite. Run
periodic diagnostic scans with your software. You can set it up so the program runs
scans automatically during regular intervals.
 Update your operating system’s software as soon as updates are made available from
the software company. Cybercriminals tend to exploit security holes in outdated software
programs. In addition to operating system updates, you should also check for updates
on other software that you use on your computer.
 Protect your accounts with complex, unique passwords. Create a unique password for
each account using a complex combination of letters, numbers, and symbols.
 Keep your personal information safe with firewalls.
 Back up your files regularly. If a Trojan infects your computer, this will help you to restore
your data.
 Be careful with email attachments. To help stay safe, scan an email attachment first.
A lot of things you should do come with a corresponding thing not to do — like, do be careful
with email attachments and don’t click on suspicious email attachments. Here are some more
don’ts.
 Don’t visit unsafe websites. Some internet security software will alert you that you’re
about to visit an unsafe site, such as Norton Safe Web.
 Don’t open a link in an email unless you’re confident it comes from a legitimate source.
In general, avoid opening unsolicited emails from senders you don’t know.
 Don’t download or install programs if you don’t have complete trust in the publisher.
 Don’t click on pop-up windows that promise free programs that perform useful tasks.
 Don’t ever open a link in an email unless you know exactly what it is.
RANSOMWARE
The idea behind ransomware, a form of malicious software, is simple: Lock and encrypt a
victim’s computer or device data, then demand a ransom to restore access.
In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing
access forever. And since malware attacks are often deployed by cyberthieves, paying the
ransom doesn’t ensure access will be restored.
Ransomware holds your personal files hostage, keeping you from your documents, photos, and
financial information. Those files are still on your computer, but the malware has encrypted your
device, making the data stored on your computer or mobile device inaccessible.
While the idea behind ransomware may be simple, fighting back when you’re the victim of a
malicious ransomware attack can be more complex. And if the attackers don’t give you the
decryption key, you may be unable to regain access to your data or device.
Types of ransomware
Ransomware attacks can be deployed in different forms. Some variants may be more harmful
than others, but they all have one thing in common: a ransom. Here are seven common types of
ransomware.
 Crypto malware. This form of ransomware can cause a lot of damage because it
encrypts things like your files, folders, and hard-drives. One of the most familiar
examples is the destructive 2017 WannaCry ransomware attack. It targeted thousands
of computer systems around the world that were running Windows OS and spread itself
within corporate networks globally. Victims were asked to pay ransom in Bitcoin to
retrieve their data.
 Lockers. Locker-ransomware is known for infecting your operating system to completely

lock you out of your computer or devices, making it impossible to access any of your
files or applications. This type of ransomware is most often Android-based.
 Scareware. Scareware is fake software that acts like an antivirus or a cleaning tool.
Scareware often claims to have found issues on your computer, demanding money to
resolve the problems. Some types of scareware lock your computer. Others flood your
screen with annoying alerts and pop-up messages.
 Doxware. Commonly referred to as leakware or extortionware, doxware threatens to

publish your stolen information online if you don’t pay the ransom. As more people store
sensitive files and personal photos on their computers, it’s understandable that some
people panic and pay the ransom when their files have been hijacked.
 RaaS. Otherwise known as “Ransomware as a service,” RaaS is a type of malware
hosted anonymously by a hacker. These cybercriminals handle everything from
distributing the ransomware and collecting payments to managing decryptors —
software that restores data access — in exchange for their cut of the ransom.
 Mac ransomware. Mac operating systems were infiltrated by their first ransomware in
2016. Known as KeRanger, this malicious software infected Apple user systems through
an app called Transmission, which was able to encrypt its victims’ files after being
launched.
 Ransomware on mobile devices. Ransomware began infiltrating mobile devices on a

larger scale in 2014. What happens? Mobile ransomware often is delivered via a
malicious app, which leaves a message on your device that says it has been locked due
to illegal activity.
The origins of ransomware

How did ransomware get started? While initially targeting individuals, later ransomware attacks
have been tailored toward larger groups like businesses with the intent of yielding bigger
payouts. Here are some notable dates on the ransomware timeline that show how it got its start,
how it progressed, and where ransomware is now.
 PC Cyborg, also known as the AIDS Trojan, in the late 1980s. This was the first
ransomware, released by AIDS researcher Joseph Popp. Popp carried out his attack by
distributing 20,000 floppy disks to other AIDS researchers. Little did the researchers
know, these disks contained malware that would encrypt their C: directory files after 90
reboots and demand payment.
 GpCode in 2004. This threat implemented a weak form of RSA encryption on victims’
personal files until they paid the ransom.
 WinLock in 2007. Rather than encrypting files, this form of ransomware locked its
victims out of their desktops and then displayed pornographic images on their screens.
In order to remove the images, victims had to pay a ransom with a paid SMS.
 Reveton in 2012. This so-called law enforcement ransomware locked its victims out of
their desktops while showing what appeared to be a page from an enforcement agency
such as the FBI. This fake page accused victims of committing crimes and told them to
pay a fine with a prepaid card.
 CryptoLocker in 2013. Ransomware tactics continued to progress, especially by 2013

with this military-grade encryption that used key storage on a remote server. These
attacks infiltrated over 250,000 systems and reaped $3 million before being taken offline.
Locky
Locky is a type of ransomware that was first released in a 2016 attack by an organized group of hackers.
With the ability to encrypt over 160 file types, Locky spreads by tricking victims to install it via fake
emails with infected attachments. This method of transmission is called phishing, a form of social
engineering.
Locky targets a range of file types that are often used by designers, developers, engineers, and testers.
WannaCry
WannaCry is ransomware attack that spread across 150 countries in 2017.
Designed to exploit a vulnerability in Windows, it was allegedly created by the United States National
Security Agency and leaked by the Shadow Brokers group. WannaCry affected 230,000 computers
globally.
The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92 million. Users were
locked out and a ransom was demanded in the form of Bitcoin. The attack highlighted the problematic use
of outdated systems, leaving the vital health service vulnerable to attack.
The global financial impact of WannaCry was substantial -the cybercrime caused an estimated $4 billion
in financial losses worldwide.
Bad Rabbit
Bad Rabbit is a 2017 ransomware attack that spread using a method called a ‘drive-by’ attack, where
insecure websites are targeted and used to carry out an attack.
During a drive-by ransomware attack, a user visits a legitimate website, not knowing that they have been
compromised by a hacker.
Drive-by attacks often require no action from the victim, beyond browsing to the compromised page.
However, in this case, they are infected when they click to install something that is actually malware in
disguise. This element is known as a malware dropper.
Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection.
Ryuk
Ryuk ransomware, which spread in August 2018, disabled the Windows System Restore option, making it
impossible to restore encrypted files without a backup.
Ryuk also encrypted network drives.
The effects were crippling, and many organizations targeted in the US paid the demanded ransoms.
August 2018 reports estimated funds raised from the attack were over $640,000.
Troldesh
The Troldesh ransomware attack happened in 2015 and was spread via spam emails with infected links or
attachments.
Interestingly, the Troldesh attackers communicated with victims directly over email to demand ransoms.
The cybercriminals even negotiated discounts for victims who they built a rapport with — a rare
occurrence indeed.
This tale is definitely the exception, not the rule. It is never a good idea to negotiate with cybercriminals.
Avoid paying the demanded ransom at all costs as doing so only encourages this form of cybercrime.
Jigsaw
Jigsaw is a ransomware attack that started in 2016. This attack got its name as it featured an image of the
puppet from the Saw film franchise.
Jigsaw gradually deleted more of the victim’s files each hour that the ransom demand was left unpaid.
The use of horror movie imagery in this attack caused victims additional distress.
CryptoLocker
CryptoLocker is ransomware that was first seen in 2007 and spread through infected email attachments.
Once on your computer, it searched for valuable files to encrypt and hold to ransom.
Thought to have affected around 500,000 computers, law enforcement and security companies eventually
managed to seize a worldwide network of hijacked home computers that were being used to spread
Cryptolocker.
This allowed them to control part of the criminal network and grab the data as it was being sent, without
the criminals knowing. This action later led to the development of an online portal where victims could
get a key to unlock and release their data for free without paying the criminals.
Petya
Petya (not to be confused with ExPetr) is a ransomware attack that first hit in 2016 and resurged in 2017
as GoldenEye.
Rather than encrypting specific files, this vicious ransomware encrypts the victim’s entire hard drive. It
does this by encrypting the Master File Table (MFT) making it impossible to access files on the disk.
Petya spread through HR departments via a fake job application email with an infected Dropbox link.
GoldenEye
The resurgence of Petya, known as GoldenEye, led to a global ransomware attack that happened in 2017.
Dubbed WannaCry’s ‘deadly sibling’, GoldenEye hit over 2,000 targets, including prominent oil
producers in Russia and several banks.
Frighteningly, GoldenEye even forced workers at the Chernobyl nuclear plant to check radiation levels
manually as they had been locked out of their Windows PCs.
GandCrab
GandCrab is a rather unsavory ransomware attack that threatened to reveal victim’s porn watching habits.
Claiming to have highjacked users webcam, GandCrab cybercriminals demanded a ransom or otherwise
they would make the embarrassing footage public.
After having first hit in January 2018, GandCrab evolved into multiple versions. As part of the No More
Ransom Initiative, internet security providers and the police collaborated to develop a ransomware
decryptor to rescue victim’s sensitive data from GandCrab.
Ways to spot a ransomware email
Now you understand the different examples of ransomware attacks that individuals and companies have
fallen prey to in recent years.
Many of those targeted in the ransomware attacks we have discussed became victims because they
clicked on links in spam emails, or they may have opened infected attachments.
So, if you are sent a ransomware email, how can you avoid becoming the victim of an attack?
The best way to spot a ransomware email is to check the sender. Is it from a trusted contact? If you
receive an email from a person or company you do not know, always exercise caution.
Avoid clicking on links in emails from untrusted sources, and never open email attachments in emails
from senders you do not trust.
Be particularly cautious if the attachment asks you to enable macros. This is a common way ransomware
is spread.
Using a ransomware decryptor
If you become the victim of a ransomware attack, do not pay the ransom.
Paying the ransom that the cybercriminals are demanding does not guarantee that they will return your
data. These are thieves, after all. It also reinforces the ransomware business, making future attacks more
likely.
 WannaCry in 2017. These more recent attacks are examples of encrypting

ransomware, which was able to spread anonymously between computers and disrupt
businesses worldwide.
 Sodinokibi in 2019. The cybercriminals who created this ransomware used managed
service providers (MSPs) like dental offices to infiltrate victims on a larger scale.
Ransomware remains a popular means of attack, and continues to evolve as new ransomware
families are discovered.
Who are the targets of ransomware attacks?

Ransomware can spread across the Internet without specific targets. But the nature of this file-
encrypting malware means that cybercriminals also are able to choose their targets. This
targeting ability enables cybercriminals to go after those who can — and are more likely to —
pay larger ransoms.
Here are four target groups and how each may be impacted.
 Groups that are perceived as having smaller security teams. Universities fall into
this category because they often have less security along with a high level of file-
sharing.
 Organizations that can and will pay quickly. Government agencies, banks, medical
facilities, and similar groups constitute this group, because they need immediate access
to their files — and may be willing to pay quickly to get them.
 Firms that hold sensitive data. Law firms and similar organizations may be targeted,
because cybercriminals bank on the legal controversies that could ensue if the data
being held for ransom is leaked.
 Businesses in the Western markets. Cybercriminals go for the bigger payouts, which
means targeting corporate entities. Part of this involves focusing on the United Kingdom,
the United States, and Canada due to greater wealth and personal-computer use.
Dos and don’ts of ransomware

Ransomware is a profitable market for cybercriminals and can be difficult to stop. Prevention is
the most important aspect of protecting your personal data. To deter cybercriminals and help
protect yourself from a ransomware attack, keep in mind these eight dos and don’ts.
1. Do use security software. To help protect your data, install and use a trusted security suite
that offers more than just antivirus features. For instance, Norton 360 With LifeLock Select can
help detect and protect against threats to your identity and your devices, including your mobile
phones.
2. Do keep your security software up to date. New ransomware variants continue to appear,
so having up-to-date internet security software will help protect you against cyberattacks.
3. Do update your operating system and other software. Software updates frequently
include patches for newly discovered security vulnerabilities that could be exploited by
ransomware attackers.
4. Don’t automatically open email attachments. Email is one of the main methods for
delivering ransomware. Avoid opening emails and attachments from unfamiliar or untrusted
sources. Phishing spam in particular can fool you into clicking on a legitimate-looking link in an
email that actually contains malicious code. The malware then prevents you from accessing
your data, holds that data hostage, and demands ransom.
5. Do be wary of any email attachment that advises you to enable macros to view its
content. Once enabled, macro malware can infect multiple files. Unless you are absolutely sure
the email is genuine and from a trusted source, delete the email.
6. Do back up important data to an external hard drive. Attackers can gain leverage over
their victims by encrypting valuable files and making them inaccessible. If the victim has backup
copies, the cybercriminal loses some advantage. Backup files allow victims to restore their files
once the infection has been cleaned up. Ensure that backups are protected or stored offline so
that attackers can’t access them.
7. Do use cloud services. This can help mitigate a ransomware infection, since many cloud
services retain previous versions of files, allowing you to “roll back” to the unencrypted form.
8. Don’t pay the ransom. Keep in mind, you may not get your files back even if you pay a
ransom. A cybercriminal could ask you to pay again and again, extorting money from you but
never releasing your data.
With new ransomware variants appearing, it’s a good idea to do what you can to minimize your
exposure. By knowing what ransomware is and following these dos and don’ts, you can help
protect your computer data and personal information from being ransomware’s next target.
This school year, bock hackers from spying on you and
Exploit kit
Exploit kits are malicious toolkits that attackers use to search for software vulnerabilities on a
target’s computer or mobile device. The kits come with prewritten code that will search for
vulnerabilities. When a vulnerability is found, the kit can inject malware into the computer
through that security hole. This is a highly effective malware attack variety, and one of the
reasons why it is so important to run software updates as soon as they become available in order
to patch security flaws.
Malicious websites and drive-by-downloads
A drive-by-download is a download that occurs when a user visits a malicious website that is
hosting an exploit kit for malware attacks. There is no interaction needed on the user’s part other
than visiting the infected webpage. The exploit kit will look for a vulnerability in the software of
the browser, and inject malware via the security hole.
Malvertising
Malicious advertising — malvertising, for short — is a threat that’s popular among

cybercriminals. The cybercriminal will purchase legitimate advertising space on legitimate
websites, but malicious code will be embedded within the ad. Similar to a drive-by-download,
there is no interaction needed on the user’s part to download the malware and be impacted by
this kind of malware attack.
Malvertising is different from adware — another type of malware — that can display unwanted
advertisements or content on your screen when you browse the web.
Social engineering and malware attacks
Social engineering is a popular malware delivery method that involves the manipulation of
human emotions. Social engineering uses spam phishing via email, instant messages, social
media, and more. The goal is to trick the user into downloading malware or clicking a link to a
compromised website that hosts the malware.
Often, the messages come in the form of a scare tactic, stating that there is something wrong with
an account, and that the user should immediately click on the link to log into their account or
download an attachment that conceals malware.
The link will lead the user to a copy of the legitimate website, in the hope that the user will enter
their credentials for the site so they can be taken by the cybercriminal.
What was the WannaCry ransomware attack?
The WannaCry ransomware attack was a global epidemic that took place in May 2017.
This ransomware attack spread through computers operating Microsoft Windows. User’s files
were held hostage, and a Bitcoin ransom was demanded for their return.
Were it not for the continued use of outdated computer systems and poor education around the
need to update software, the damage caused by this attack could have been avoided.
How does a WannaCry attack work?
The cybercriminals responsible for the attack took advantage of a weakness in the Microsoft
Windows operating system using a hack that was allegedly developed by the United States
National Security Agency.
Known as EternalBlue, this hack was made public by a group of hackers called the Shadow
Brokers before the WannaCry attack.
Microsoft released a security patch which protected user’s systems against this exploit almost
two months before the WannaCry ransomware attack began. Unfortunately, many individuals
and organizations do not regularly update their operating systems and so were left exposed to the
attack.
Those that had not run a Microsoft Windows update before the attack did not benefit from the
patch and the vulnerability exploited by EternalBlue left them open to attack.
What happened if the WannaCry ransom was not paid?
The attackers demanded $300 worth of bitcoins and then later increased the ransom demand to
$600 worth of bitcoins. If victims did not pay the ransom within three days, victims of the
WannaCry ransomware attack were told that their files would be permanently deleted.
The advice when it comes to ransom payments is not to cave into the pressure. Always avoid
paying a ransom, as there is no guarantee that your data will be returned and every payment
validates the criminals’ business model, making future attacks more likely.
WannaCry ransomware attack hit around 230,000 computers globally.
One of the first companies affected was the Spanish mobile company, Telefónica. By May 12 th,
thousands of NHS hospitals and surgeries across the UK were affected.
Here are our top tips:
Update your software and operating system regularly
Computer users became victims of the WannaCry attack because they had not updated their
Microsoft Windows operating system.
Had they updated their operating systems regularly, they would have benefited from the security
patch that Microsoft released before the attack.
This patch removed the vulnerability that was exploited by EternalBlue to infect computers with
WannaCry ransomware.
Be sure to keep your software and operating system updated. This is an essential ransomware
protection step.
Do not click on suspicious links
If you open an unfamiliar email or visit a website, you do not trust, do not click on any links.
Clicking on unverified links could trigger a ransomware download.
Never open untrusted email attachments
Avoid opening any email attachments unless you are sure they are safe. Do you know and trust
the sender? Is it clear what the attachment is? Were you expecting to receive the attached file?
If the attachment asked you to enable macros to view it, stay well clear. Do not enable macros or
open the attachment as this is a common way ransomware and other types of malware are spread.
Do not download from untrusted websites
Downloading files from unknown sites increases the risk of downloading ransomware. Only
download files from websites you trust.
Avoid unknown USBs
Do not insert USBs or other removal storage devices into your computer, if you do not know
where they came from. They could be infected with ransomware.
Hijacking
Hijacking is a type of network security attack in which the attacker takes control of a
communication- just as an airplane hijacker takes control of an airplane.
In one type of hijacking (man in the middle attack) the attacker take controls of an established
connection while it is in progress.
The attacker intercepts message in a public key exchange and then retransmits it substituting
their own public key.
• The order in which individual statements, instructions or function calls of an imperative

program are executed or evaluated.
Control Hijacking Attacks (Runtime exploit)
• A control hijacking attack exploits a program error, particularly a memory corruption

vulnerability, at application runtime to subvert the intended controlflow of a program.
• Control-hijacking attacks = Control-flow hijacking attacks
• Change of control flow Alter a code pointer (i.e., value that influences program counter)
or, Gain control of the instruction pointer %eip
• Change memory region that should not be accessed
E.g.) Code injection attacks, Code reuse attacks
What is Buffer Overflow
Buffers are memory storage regions that temporarily hold data while it is being transferred from
one location to another. A buffer overflow (or buffer overrun) occurs when the volume of data
exceeds the storage capacity of the memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations.
For example, a buffer for log-in credentials may be designed to expect username and password
inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than
expected), the program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically result from malformed inputs or
failure to allocate enough space for the buffer. If the transaction overwrites executable code, it
can cause the program to behave unpredictably and generate incorrect results, memory access
errors, or crashes.
Buffer overflow example
What is a Buffer Overflow Attack
Attackers exploit buffer overflow issues by overwriting the memory of an application. This
changes the execution path of the program, triggering a response that damages files or exposes
private information. For example, an attacker may introduce extra code, sending new instructions
to the application to gain access to IT systems.
If attackers know the memory layout of a program, they can intentionally feed input that the buffer
cannot store, and overwrite areas that hold executable code, replacing it with their own code. For
example, an attacker can overwrite a pointer (an object that points to another area in memory)
and point it to an exploit payload, to gain control over the program.
Types of Buffer Overflow Attacks
Stack-based buffer overflows are more common, and leverage stack memory that only exists
during the execution time of a function.
Heap-based attacks are harder to carry out and involve flooding the memory space allocated
for a program beyond memory used for current runtime operations.
https://www.youtube.com/watch?v=1S0aBV-Waeo
What Programming Languages are More Vulnerable?
C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they don’t
have built-in safeguards against overwriting or accessing data in their memory. Mac OSX,
Windows, and Linux all use code written in C and C++.
Languages such as PERL, Java, JavaScript, and C# use built-in safety mechanisms that
minimize the likelihood of buffer overflow.
How to Prevent Buffer Overflows
Developers can protect against buffer overflow vulnerabilities via security measures in their code,
or by using languages that offer built-in protection.
In addition, modern operating systems have runtime protection. Three common protections are:
 Address space randomization (ASLR)—randomly moves around the address space locations of data
regions. Typically, buffer overflow attacks need to know the locality of executable code, and randomizing
address spaces makes this virtually impossible.
 Data execution prevention—flags certain areas of memory as non-executable or executable, which

stops an attack from running code in a non-executable region.
 Structured exception handler overwrite protection (SEHOP)—helps stop malicious code from
attacking Structured Exception Handling (SEH), a built-in system for managing hardware and software
exceptions. It thus prevents an attacker from being able to make use of the SEH overwrite exploitation
technique. At a functional level, an SEH overwrite is achieved using a stack-based buffer overflow to
overwrite an exception registration record, stored on a thread’s stack.
Security measures in code and operating system protection are not enough. When an
organization discovers a buffer overflow vulnerability, it must react quickly to patch the affected
software and make sure that users of the software can access the patch.

Sample Attack

Uploaded by

Copyright:

Available Formats

Sample Attack

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sample Attack

Uploaded by

Copyright:

Available Formats

https://www.youtube.com/watch?

v=XrE-RfAYrzs integer overflow

An integer, in the context of computing, is a variable capable of

Since it is often necessary to store negative numbers, there needs to be a

----[ 1.2 What is an integer overflow?

----[ 1.3 Why can they be dangerous?

Integer overflows cannot be detected after they have happened, so there is

There is a huge number of situations

--[ 2.0 Integer overflows

"A computation involving unsigned operands can never overflow,

This is a bit wordy, so maybe an example will better demonstrate the

r = (0xffffffff + 0x1) % 0x100000000

----[ 2.1 Widthness overflows

So an integer overflow is the result of attempting to store a value in a

/* ex1.c - loss of precision */

printf("l = 0x%x (%d bits)\n", l, sizeof(l) * 8);

The output of which looks like this:

nova:signed {48} ./ex1

A calculation is being performed with different sized operands here. What

Because of the subtlety of these bugs, there is a huge number of situations

/* width1.c - exploiting a trivial widthness bug */

int main(int argc, char *argv[]){

if(argc < 3){

if(s >= 80){ /* [w1] */

printf("s = %d\n", s);

memcpy(buf, argv[2], i);

nova:signed {100} ./width1 5 hello

----[ 2.2 Arithmetic overflows

As shown in section 2.0, if an attempt is made to store a value in an

/* ex2.c - an integer overflow */

printf("num is %d bits long\n", sizeof(num) * 8);

The output of this program looks like this:

-700 + 800 = 100

Since an integer is signed by default, an integer overflow can cause a

/* ex3.c - change of signedness */

printf("l = %d (0x%x)\n", l, l);

The output of which is:

nova:signed {38} ./ex3

printf("l = %d (0x%x)\n", l, l);

nova:signed {55} ./ex4

What is a man-in-the-middle attack?

MITM attacks: Close to you or with malware

What is a man-in-the-browser attack?

7 types of man-in-the-middle attacks

3) Phishing and spear phishing attacks

How to help protect against a man-in-the-middle attack

Types of malware attack

How do computer worms work?

Stuxnet: the most famous computer worm

How to help protect against computer worms

What is a Computer Virus?

Theory of Self-Replicating Automata

How does a Computer Virus Spread

Computer Virus Symptoms

The Creeper Program

 Email: Carried inside files sent as email attachments

How do Trojans work?

Common types of Trojan malware

Examples of Trojan malware attacks