Example 1 Β· WannaCry β Anatomy of a Ransomware Worm
WannaCry (May 2017) is the canonical example of malicious code for Security+. It combined two distinct malicious code types into one attack: a worm for propagation and ransomware for the payload.
The vulnerability β SMBv1 and EternalBlue:
Windows Server Message Block version 1 (SMBv1) is a legacy file-sharing protocol built into Windows. Security researchers (and, earlier, the NSA) had identified a critical flaw: a specially crafted packet sent to port 445 could trigger a buffer overflow that gave the attacker arbitrary code execution on the target system β with no authentication required and no user action needed. Microsoft issued patch MS17-010 in March 2017. Organizations that had applied it were immune. Those that hadn't were fully exposed.
Arbitrary code execution β why it matters:
Arbitrary code execution means the attacker can run any software on the target system. Not just crash it β actually install and execute whatever they choose. WannaCry used this to install its ransomware payload. But the same vulnerability could have been used to install a RAT, a keylogger, a backdoor, or anything else. The vulnerability provided the entry; the ransomware was a choice of payload.
The ransomware payload:
Once installed, WannaCry encrypted files on the victim's system using AES-128 encryption and replaced them with encrypted versions. A ransom note appeared demanding $300β$600 worth of Bitcoin for the decryption key. Files affected included documents, photos, spreadsheets, databases β anything of value. Systems without offline backups faced permanent data loss if they didn't pay (and paying didn't guarantee the key would work).
The worm component:
Immediately after infecting a host, WannaCry began scanning random IP addresses and local network ranges for other systems with port 445 open. For each vulnerable system found, the exploit was executed and the infection replicated. Each new infected host immediately started scanning too. The result was exponential spread: one infected machine becomes ten, which become a hundred, which become thousands β within hours.
The kill switch:
A security researcher discovered that WannaCry made a DNS query to a specific long, nonsensical domain before activating. If that domain resolved (i.e., someone had registered it), WannaCry would exit without infecting the system. The researcher registered the domain for $10.69, effectively activating a kill switch that stopped new infections of that WannaCry variant. New variants without the kill switch continued spreading.
Scale of impact:
230,000+ infections across 150 countries. UK National Health Service hospitals diverted ambulances and canceled surgeries. TelefΓ³nica (Spain), FedEx, Deutsche Bahn, Renault, universities, and government agencies worldwide were affected. The total cost was estimated in the billions of dollars. Every single infection was preventable with the MS17-010 patch that had been available for two months.
Example 2 Β· British Airways β 22 Lines That Stole 380,000 Cards
The British Airways breach (JuneβSeptember 2018) demonstrates how minimal malicious code β 22 lines of JavaScript β can have catastrophic impact when placed at exactly the right location.
The attacker group β Magecart:
Magecart is a collective of cybercriminal groups that specialize in injecting payment-skimming scripts into e-commerce websites. Their technique β sometimes called "formjacking" β targets checkout pages specifically because that's where customers enter payment card data.
How the injection occurred:
The attackers first gained access to British Airways' web infrastructure through a separate vulnerability. Once inside, they modified the JavaScript on the BA booking site's payment pages. The injected script was designed to blend in with the legitimate JavaScript already on the page β 22 lines that collected form field values as customers typed them.
What the script captured:
As a customer filled in the payment form β card number, expiration date, CVV, cardholder name, billing address β the injected script read each field value in real time. When the customer clicked "Submit," the legitimate form data went to BA's payment processor, and the stolen data was simultaneously transmitted to an attacker-controlled domain (ba.com.bestprices.pw, designed to mimic a BA domain).
The timeline:
The injected script ran from August 21 to September 5, 2018 β more than two weeks undetected. During that window, approximately 380,000 customers' payment details were captured. BA was fined Β£20 million by the UK Information Commissioner's Office under GDPR (reduced from an initial Β£183 million intent).
Why XSS is particularly effective at scale:
The attacker didn't need to breach 380,000 customers' individual devices. They breached one target β the BA website β and that single breach automatically captured data from every customer who visited the checkout page during the active period. The leverage of a website compromise is enormous: one attack, hundreds of thousands of victims.
Example 3 Β· Estonian Central Health Database β SQL Injection at National Scale
The Estonian health database breach illustrates how SQL injection can give an attacker access to the entirety of a backend database through a single exploited vulnerability.
What SQL injection exploits:
Web applications that query databases often construct SQL queries by incorporating user input. If this input is not sanitized (escaped and validated), an attacker can inject SQL commands that alter the query's behavior. A search field that builds SELECT * FROM patients WHERE name = '[input]' is vulnerable if the application doesn't validate that [input] is only text.
The attack:
By injecting carefully crafted SQL into a vulnerable input field of the healthcare database application, attackers were able to execute arbitrary database queries β not just the query the application intended. This gave them the ability to read any table in the database, including all patient records.
The scope:
Estonia has a centralized national health database for the entire country β every citizen's medical records stored in one system. A single SQL injection vulnerability in one database application gave attackers access to health records for the entire Estonian population. The centralized architecture that makes healthcare administration efficient also concentrates the blast radius of a single vulnerability.
The defense β parameterized queries:
Parameterized queries (prepared statements) prevent SQL injection by separating the query structure from the data values. Instead of building the query as a string with user input embedded, the query is defined with placeholder parameters, and user data is supplied separately. The database engine treats user input purely as a data value β never as executable SQL code. No matter what the user types, it cannot modify the query's structure.
Example comparison:
Vulnerable: query = "SELECT * FROM patients WHERE name = '" + userInput + "'"
Safe: query = "SELECT * FROM patients WHERE name = ?" with userInput bound separately
In the safe version, even if userInput contains SQL commands, the database treats it as a literal string value, not executable code.
Exam Scenario 1 Β· Classifying Malware by Behavior
Scenario: An IT administrator investigates a compromised workstation. She finds: (A) a process running in memory with no associated file on disk; (B) a scheduled task that was set to run on a specific date and permanently delete all files in the user's home directory; (C) a program installed last week disguised as a free video editing tool, which opened a listening port on 4444 allowing remote keyboard and mouse control; (D) malware that spreads across the network to every other unpatched machine within 20 minutes of infecting one host, requiring no user action.
Question: Classify each finding.
Answer:
(A) Process with no file on disk: Fileless malware. Operates entirely in memory. Traditional anti-malware filesystem scanning finds nothing because there's no malicious file to detect. Behavioral monitoring or memory forensics is required.
(B) Scheduled task to delete files on a date: Logic bomb. Dormant until the trigger condition (specific date) is met. Designed to execute destructive payload at a defined future time. Frequently planted by insiders with legitimate system access.
(C) Fake video editor with remote control port: Trojan horse delivering a Remote Access Trojan (RAT). The visible application (video editor) was the disguise. The hidden payload (RAT on port 4444) is the real purpose. No self-replication β user installed it voluntarily believing it was legitimate software.
(D) Spreads to all unpatched machines with no user action: Worm. Self-replicating, autonomous network propagation, no user interaction required. Classic worm behavior β scan, exploit, infect, repeat.
Exam Scenario 2 Β· WannaCry Defense Analysis
Scenario: A hospital's IT department receives a briefing about WannaCry. The hospital runs a mix of Windows 10 (fully patched) and Windows 7 (patch deployment delayed due to application compatibility testing). All systems are on the same flat network with port 445 accessible between all hosts. Which systems are at risk, and which controls would have been most effective?
Answer:
At risk: All unpatched Windows 7 systems. WannaCry's EternalBlue exploit targets the SMBv1 vulnerability fixed by MS17-010. Systems without this patch, with port 445 accessible, are fully vulnerable β no user action required for infection.
Not at risk (from WannaCry): Patched Windows 10 systems are immune to this specific exploit.
Most effective controls, in order:
(1) Apply MS17-010 patch to Windows 7 systems β directly closes the exploited vulnerability. A patched system is fully immune regardless of network architecture.
(2) Firewall rule blocking SMB port 445 from external sources and between internal segments β prevents the worm from reaching internal systems even if some remain unpatched.
(3) Network segmentation β a flat network where all hosts can reach each other's port 445 means one infected machine can reach all others. Segmenting the network limits worm propagation to the compromised segment.
(4) Anti-malware β may detect the WannaCry executable after arrival but only after the exploit has already executed; patching is more reliable than detection after compromise.
(5) Offline backups β mitigates ransomware impact; files can be restored without paying the ransom; doesn't prevent infection but limits business impact.
Exam Scenario 3 Β· Choosing the Right Defense
Scenario: A security team is reviewing three incidents: (A) a web application was breached and customer data was stolen via injected JavaScript; (B) a developer workstation was infected with ransomware delivered inside a file masquerading as a legitimate software update; (C) a database application allowed an attacker to read all records by entering SQL commands into a search field. Match each incident to its most targeted defense.
Answer:
Incident A (injected JavaScript / XSS): Content Security Policy (CSP) headers β restricts which scripts can execute on the page, limiting the impact of injected scripts. Also: regular integrity monitoring of web application files to detect unauthorized changes; web application firewall (WAF) rules for XSS patterns.
Incident B (fake software update / Trojan): Secure computing habits and application allowlisting β users should only install software from trusted, verified sources; application allowlisting prevents execution of unauthorized software regardless of how it was delivered. Anti-malware should also be updated to detect known Trojan payloads.
Incident C (SQL injection / database): Parameterized queries (prepared statements) β the architectural fix that prevents user input from being interpreted as SQL. Also: principle of least privilege for database accounts (the web application's database user should not have access to tables it doesn't need); input validation as secondary defense.