Question

Conduct some research and find a recent computer virus that has attacked either a company or individuals. Explain how the virus effects computers or networks and how to stop the virus.

Answer 1

WannaCry is a ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The worm is also known as WannaCrypt,Wana Decrypt0r 2.0,WanaCrypt0r 2.0, and Wanna Decryptor. It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.WannaCry versions 0, 1, and 2 were created using Microsoft Visual C++ 6.0.

EternalBlue is an exploit of Windows' Server Message Block (SMB) protocol .

Microsoft eventually discovered the vulnerability, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.

When executed, the WannaCry malware first checks the "kill switch" domain name; if it is not found, then the ransomware encrypts the computer's data,then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,and "laterally" to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment .

The day after the initial attack in May, Microsoft released out-of-band security updates for end of life products Windows XP, Windows Server 2003 and Windows 8; these patches had been created in February of that year following a tip off about the vulnerability in January of that year.

Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.

Prevention :

• Keep your Windows Operating System and antivirus up-to-date.
• Regularly back-up your files in an external hard-drive.
• Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history.
• Use OneDrive for Consumer or for Business.
• Beware of phishing emails, spams, and clicking malicious attachment.
• Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
• Disable the loading of macros in your Office programs.
• Disable your Remote Desktop feature whenever possible.
• Use two step authentication.
• Use a safe and password-protected internet connection.

working in technical aspect with appropriate abstraction:

The overflow happens in NON-PAGED Pool memory—and specifically in Large NON-PAGED Pool. Large non-page pool do not have a POOL Header. Because of this, after the large POOL buffer, another POOL Buffer can be allocated—one that is owned by a driver with specific DRIVER data. Therefore, the attack has to manipulate the POOL buffer coming after the overflowed buffer. EternalBlue’s technique is to control the SRVNET driver buffer structures. To achieve this, both buffers should be aligned in memory. To create the NON-PAGED POOL alignment, the kernel pool should sprayed.