(Emotet, CovidLock, Mirai, Stuxnet & WannaCry) Describe each of these in 600 words and provide a case study for each of them.
Try to answer it as a document.
1) Emotet:
Emotet is a computer malware program that was originally developed as a banking Trojan. Its purpose was to gain access to other people's devices, computers, and systems and to spy on sensitive and confidential private data. It evades basic antivirus applications and hides from them. Once a machine is infected, Emotet spreads like any other computer worm and attempts to infiltrate other machines on the network.
The malware spreads primarily through spam emails. Such Emotet-infected emails contain a malicious link or an infected document. When a user downloads and opens the document, or even just follows the link, further malware is automatically downloaded onto his/her Personal Computer (PC). These emails are crafted by the attackers to appear very authentic, and many users have fallen victim to Emotet malware attacks.
2) CovidLock:
CovidLock is an Android ransomware application (app), so named because of its malware capabilities and the story it hides behind. The CovidLock malware app uses a technique that denies innocent victims access to their phone by forcing a change of the password they used to unlock it. This is called a screen-lock attack and has been seen before in Android ransomware.
The CovidLock ransomware charges victims about $100 in bitcoins to unlock their infected devices. Since Android version 7, the OS has provided protection against screen-lockout attacks, provided that users had set a password for locking their mobile device screen in the first place. The good news is that DomainTools researchers reverse-engineered the ransomware and have planned to release decryption keys to affected mobile device users so that they can unlock their phones for free.
3) Mirai:
Mirai is malware that turns networked Linux devices into remotely controlled bots so that they can be used as part of a botnet in large-scale network attacks. It mainly targets online consumer devices such as home routers and Internet Protocol (IP) cameras. The first Mirai botnet was found in 2016 by a white hat malware research group. Mirai has been used in some of the largest and most disruptive Distributed Denial of Service (DDoS) attacks.
Mirai-infected devices continuously scan the public Internet for the IP addresses of Internet of Things (IoT) devices. The malware locates vulnerable IoT devices using a table of more than 60 common factory-default credentials (usernames and passwords), logs into those devices with these credentials, and infects them with the Mirai malware. Infected IoT devices continue to function normally, apart from occasional sluggishness and increased bandwidth use. An IoT device stays infected until it is rebooted, which may require powering it off and, after a brief gap, powering it back on. After the reboot, unless its login password is changed immediately, the IoT device is reinfected within a few minutes. Once it has infected an IoT device, the malware identifies any competing malware and removes it from memory, and it also blocks the ports used for remote administration.
4) Stuxnet:
Stuxnet is an extremely sophisticated malicious computer worm that was discovered and reported in 2010. It targets supervisory control and data acquisition systems and is believed to have caused significant damage to Iran's nuclear program. It exploited multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread across networks. Its purpose was to cause real-world physical damage and loss. In particular, it targets the centrifuges used to produce the enriched uranium that powers nuclear reactors and weapons. It has an unparalleled ability to spread, with very high infection rates, yet it causes little or no harm to computers that are not involved in uranium enrichment.
5) WannaCry: a comprehensive case study of the WannaCry ransomware.
WannaCry is ransomware. It is one of the most high-profile ransomware families and is also called the "WannaCry worm" because it transmitted itself automatically between computers without user interaction. Once a system is infected, the only "fix" the malware itself offers its victims is the Wanna Decryptor program.
This attack, like other ransomware attacks, is carried out using a Trojan (a malicious file, program, or piece of code) disguised as a legitimate file, tricking users into loading or opening it when it arrives as an email attachment, mostly via spam and phishing emails.
Non-technical background information, such as where it came from, who is using it, whether there have been arrests, major victims, and consequences:
News reports:
In 2017, ransomware, including WannaCry, was one of the primary attacks at the network layer.
* The Kingdom of Saudi Arabia (KSA) had already experienced ransomware attacks prior to November 2014.
* In general, businesses and residents in KSA have been continuously targeted by many types and levels of cyber threats and attacks, such as the WannaCry ransomware, causing them information and monetary losses in the Information and Communication Technology (ICT) systems they use for their day-to-day personal, private, and professional tasks.
* Organisations confirmed to have been affected by the WannaCry malware include: Saudi Telecom Company, Lakeridge Health, Honda, Hitachi, and the Chinese public security bureau, among others.
* Attacks have hit both public and private sector organizations and businesses in KSA.
What the malware does and how victims typically get infected:
From a technical perspective, specifically from the computer networking perspective, the layers of the Open System Interconnection (OSI) model involved, attacked, and impacted in the 2017 WannaCry attack were mostly:
* Application layer.
* Transport layer.
* Network layer.
An application running at Layer 7 (the Application Layer) necessarily uses all the layers below it. Without a connection reaching Layer 7 of a machine through Layer 1, the machine could not be infected. Hence, in a sense, Layers 1 through 7 can all be considered attacked or breached.
WannaCry is a network worm because it also contains a "transport" mechanism to move and spread itself automatically. This transport code scans for vulnerable systems on the network, then uses the EternalBlue exploit to gain access to such systems, and installs and executes a copy of itself using the DoublePulsar tool.
The infection appears to have started through an exposed, poorly secured, and vulnerable Windows Server Message Block (SMB) network port. The SMB protocol works at Layer 7 of the OSI model, i.e., the application layer (the topmost layer). It is a network file-sharing protocol.
SMB can run over TCP/IP on port 445 for transport, so it requires open network ports on a computer or server in order to communicate with other systems. SMB is an application-layer protocol that provides network access to files, printers, other resources, and Inter-Process Communication (IPC). EternalBlue is an exploit of Windows' SMB application-layer network protocol. The ports it abused, which are commonly allowed through firewalls, were 137-139 and 445.
Both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) work at Layer 4 (the Transport Layer) of the OSI model; this layer provides the mechanisms for carrying data across a network.
How it involves the network layer specifically:
WannaCry spreads across computer networks, which in general operate at the network layer (Layer 3) of the OSI model, delivering packets of the unauthorized malicious code from source to destination across multiple networks or links.
The network layer is not directly involved in the attack but indirectly: it lets attackers transmit crafted packets to other systems that accept data from the public Internet on SMB port 445 using the Microsoft SMBv1 network resource-sharing protocol. The malware spread whenever it was unable to connect to the unregistered domain uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
However, the layer most involved in the attack was the Application layer.
How it can be detected and the measures that can be taken to prevent WannaCry:
There are steps, measures, precautions, and defenses that can be taken to prevent a WannaCry ransomware attack:
* Everyone should first install the Windows security patch MS17-010.
* All users, whether at home or at work, should enable automatic updates in the Windows OS, so that security updates, upgrades, and patches for the OS and for native or user application software, along with other important feature updates, are applied promptly.
* Everyone should create backups of their important files, data, resources, and systems, both online in the cloud and offline on an external hard disk kept safely and securely. Even if they are attacked, they would then not have much to lose.
* Everyone should install a good, strong, secure, and up-to-date antivirus or anti-malware product on their Windows systems.
* For additional security, everyone should install anti-ransomware software with a real-time scanner on their systems.
* In organizations, administrative access for users should be restricted.
* Least-privilege access should be implemented and followed.
* Security should be applied at every level of the systems.
* Everyone should turn off or disable Macros in Microsoft Excel, Word, or PowerPoint whenever possible and appropriate.
* Everyone should review, revise, and configure their web browser's security and privacy settings.
* Everyone should use adblocker software or browser plugins and extensions to block malicious ads, links, pop-ups, websites, and web applications.
* No one should open spam emails or emails from unknown senders, nor click suspicious, unwanted, illegitimate, too-good-to-be-true, or tempting hyperlinks, webpages, offers, discounts, products, services, images, audio, or video files in emails or on any website.
* No one should click, download, or run attachments of any file format from links, websites, or webpages in spam or suspicious emails on their systems.
* Install and use software and hardware firewalls on systems as an Internet traffic filtering solution.
* One version of WannaCry was detected because it lacked the kill switch altogether.
* Finding the kill switch was required to stop the spread of the ransomware.
* Other ways of unlocking WannaCry-encrypted files without paying the ransom still have to be found.
How we can fix the problem after it has happened:
* The Wanna Decryptor program itself.
Much of WannaCry's spread came from companies, businesses, and organizations that had not applied the released patches closing the exploited vulnerability.
The attack infected over 200,000 computers in 150 different countries, with total damages ranging from hundreds of millions to billions of dollars.
The attack originated from North Korea or from agencies working for North Korea.
There have been no arrests made.
Victims were Windows 7 users and employees.
Landelijk Aktie Komitee Scholieren (LAKS) was the second Dutch victim of the WannaCry ransomware.
As for consequences, the attack disrupted many organizations.
Russia, Ukraine, India, and Taiwan were the four most affected countries.
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of its systems.
Renault stopped production at several sites in an attempt to stop the ransomware from spreading.
The EternalBlue exploit for older Windows systems was stolen and leaked by a group called The Shadow Brokers.
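The worm-style spreading described above for WannaCry (SMB on TCP 445 and 137-139) and for Mirai (Internet-wide scanning for IoT devices) leaves a characteristic trace in firewall or flow logs: a single source reaching many distinct destinations on the same service port in a short time. The following Python script is an added example and is not part of the original answer. It parses a constructed, simplified connection-log format and flags sources that exceed a threshold of distinct destinations on a worm profile's ports. The WannaCry profile uses the ports named in the answer; the Mirai profile assumes the telnet ports 23 and 2323 that Mirai scanned, which the answer itself does not mention.

```python
"""Flag worm-like lateral scanning in connection logs (added example, not from the answer).

Log format is constructed for this example: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACTION>".
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<action>[A-Z]+)$"
)

# Service ports each worm family abuses. WannaCry: SMB over TCP 445 and NetBIOS 137-139
# (as stated in the answer). Mirai: telnet 23/2323 (assumption based on known Mirai
# behaviour; not stated in the answer).
WORM_PROFILES = {
    "wannacry_smb": {137, 138, 139, 445},
    "mirai_telnet": {23, 2323},
}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_scanners(lines, threshold=10):
    """Return {src_ip: {profile: distinct_destination_count}} for sources that reached at
    least `threshold` distinct destinations on a profile's ports.

    A normal client that talks repeatedly to one file server never crosses the threshold;
    a worm sweeping a subnet does, whether the firewall allowed or denied the attempts."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        for profile, ports in WORM_PROFILES.items():
            if rec["port"] in ports:
                seen[rec["src"]][profile].add(rec["dst"])
    hits = {}
    for src, profiles in seen.items():
        flagged = {p: len(d) for p, d in profiles.items() if len(d) >= threshold}
        if flagged:
            hits[src] = flagged
    return hits


def build_sample_log():
    """Constructed sample log: one SMB sweep, one telnet sweep, one benign client."""
    lines = []
    for i in range(20, 32):  # 10.0.0.5 probes 12 neighbours on 445 (WannaCry-style)
        lines.append(f"2017-05-12T10:00:{i:02d}Z 10.0.0.5 -> 10.0.0.{i}:445 DENY")
    for i in range(1, 12):   # 10.0.0.9 probes 11 public addresses on 23 (Mirai-style)
        lines.append(f"2017-05-12T10:01:{i:02d}Z 10.0.0.9 -> 192.0.2.{i}:23 DENY")
    for i in range(5):       # 10.0.0.7 repeatedly uses a single file server: benign
        lines.append(f"2017-05-12T10:02:{i:02d}Z 10.0.0.7 -> 10.0.0.50:445 ALLOW")
    lines.append("this line is deliberately malformed")
    lines.append("2017-05-12T10:03:00Z 10.0.0.7 -> 203.0.113.10:443 ALLOW")
    return lines


if __name__ == "__main__":
    for src, flagged in find_scanners(build_sample_log()).items():
        print(f"{src}: {flagged}")
```

The threshold is the tuning knob: set it above the number of distinct SMB or telnet peers a legitimate host contacts in the log window, so that file-server clients and management stations are not reported while a subnet sweep is. Counting distinct destinations rather than raw connection attempts is what separates the two cases.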
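The Emotet section and the WannaCry precautions above come down to the same user-facing risk: a spam email carrying a macro-enabled document, an executable attachment, or a tempting link. The following Python script is an added example and is not part of the original answer. It uses only the standard library `email` package to triage a constructed sample message, flag macro-enabled Office and executable attachments, and list the links in the body. The extension lists and the sample message are assumptions constructed for this example.

```python
"""Triage an inbound email for Emotet-style lures (added example, not from the answer).

Flags macro-enabled Office attachments and executable/script attachments, and lists the
links in the plain-text body so a reviewer sees what a user would be tempted to click.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions that can carry VBA macros (the answer recommends disabling macros in Excel,
# Word and PowerPoint) and extensions that execute directly when opened. Both lists are
# assumptions chosen for this example, not an exhaustive policy.
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".potm"}
EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta", ".bat", ".cmd", ".ps1", ".jar"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (findings, links).

    findings: list of (attachment filename, reason) for risky attachments
    links:    list of URLs found in the text/plain body
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in MACRO_ENABLED:
            findings.append((name, "macro-enabled Office document"))
        elif ext in EXECUTABLE:
            findings.append((name, "executable or script"))
    body = msg.get_body(preferencelist=("plain",))
    links = URL_RE.findall(body.get_content()) if body is not None else []
    return findings, links


def build_sample_message():
    """Constructed lure: an 'invoice' with a macro-enabled .docm, a harmless PDF, and a link.
    The attachment bytes are placeholders, not real documents."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please open the attached invoice or view it at http://example.org/invoice")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    findings, links = triage_message(build_sample_message())
    for name, reason in findings:
        print(f"RISKY ATTACHMENT: {name} ({reason})")
    for url in links:
        print(f"LINK: {url}")
```

Matching on the attachment's file extension is a first, cheap gate: a mail gateway would follow it with content inspection (for example checking whether the Office container actually holds a macro project), since a sender can rename a file. The link list is there for a human reviewer; the script does not fetch anything.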