Chapter 50 Β· Advisories

Malicious Code

Three formal security advisories from the Threat Intelligence Unit β€” covering malware taxonomy and classification, the WannaCry ransomware worm incident analysis, and web-based malicious code including the British Airways XSS attack and Estonian SQL injection breach.

REFERENCE β€” GENERAL SECURITY DISTRIBUTION
ADVISORY ID:MALCODE-2024-001 CATEGORY:Threat Intelligence β€” Malicious Code Taxonomy and Classification SEVERITY:Reference document β€” severity varies by specific malware type and deployment context SCOPE:All endpoint and server platforms; any system capable of executing code is susceptible to some class of malicious code

Reference Advisory: Malicious Code Taxonomy β€” Classification, Propagation, and Defining Characteristics

Executive Summary

Malicious code is the technical toolkit for gaining unauthorized access to, or exerting unauthorized control over, computing systems. Where social engineering and misconfiguration attacks exploit human error and configuration mistakes, malicious code exploits vulnerabilities in software β€” bugs, design flaws, and unpatched weaknesses β€” that allow code to execute with authorization the attacker does not legitimately possess. This reference document classifies the malware types commonly tested on the Security+ examination by their defining characteristics, propagation method, and primary purpose. Correct classification is required for recommending appropriate defenses, as different malware classes are addressed by different control layers.

Malware Classification Reference

Malware TypeDefining CharacteristicPropagationUser Action Required?Primary Defense
VirusAttaches to a host file; runs when infected file is executed; replicates into other filesShared files, USB drives, email attachments, infected downloadsYes β€” user must execute the infected fileAnti-malware; user training; application allowlisting
WormSelf-contained; no host file needed; exploits network vulnerabilities to spread autonomouslyNetwork exploitation of vulnerable services; no user interactionNo β€” spreads without any user actionPatching the exploited vulnerability; firewall rules blocking attack vector; network segmentation
Trojan HorseDisguised as legitimate/useful software; malicious payload hidden inside apparent functionalityUser installation; does not self-replicateYes β€” user voluntarily installs itUser training; application allowlisting; software source verification
RansomwareEncrypts victim files; demands payment for decryption key; extortion payloadVaries: Trojan delivery, worm propagation, phishing link, drive-byDepends on delivery methodOffline backups; patching; endpoint protection
SpywareCollects user information without knowledge; transmits to attacker; operates silentlyBundled with software; drive-by download; Trojan deliveryOften yes, deceptivelyAnti-malware; user training; EDR behavioral monitoring
RootkitModifies the OS to hide its own presence; intercepts system calls to conceal files, processes, and network connectionsRequires initial compromise; not self-propagatingDepends on delivery methodBoot from trusted external media for detection; OS reinstall; firmware-level scanning
KeyloggerRecords every keystroke; captures passwords, credentials, card numbersSoftware: Trojan delivery; Hardware: physical installation between keyboard and systemFor software variants, yesAnti-malware; physical security (hardware keyloggers); EDR
Logic BombDormant until trigger condition; activates on date, event, or condition; often planted by insidersManual installation by insider; no self-propagationNo β€” activates automatically on triggerCode review; change control monitoring; separation of duties
RAT / BackdoorCreates persistent remote access channel; full remote control; operates silently for extended periodsTrojan delivery; phishing; vulnerability exploitationDepends on delivery methodNetwork monitoring for C2 traffic; EDR; firewall egress filtering
Fileless MalwareOperates entirely in memory; no executable files written to disk; abuses legitimate system tools (PowerShell, WMI)Document macros; malicious scripts; Living-off-the-Land techniquesOften yes (macro execution, script click)Behavioral EDR; script execution policy; memory scanning

Critical Distinction: Virus vs. Worm

The exam consistently tests this distinction. The critical difference is not the payload but the propagation method: a virus requires a host file and requires user execution to spread β€” it cannot move on its own. A worm requires neither: it exploits network vulnerabilities to install itself on reachable systems with no user involvement. A worm can infect a fully up-to-date, well-trained user's machine if that machine has a vulnerable network service exposed β€” because the user does nothing to trigger the infection. This is why WannaCry infected 230,000 machines without a single user clicking anything, and why patching β€” not user training β€” is the primary defense against worm propagation.

CONTROLLED β€” INCIDENT ANALYSIS DISTRIBUTION
ADVISORY ID:MALCODE-2024-002 CATEGORY:Incident Analysis β€” WannaCry Ransomware Worm, May 2017 SEVERITY:CRITICAL INCIDENT DATE:May 12, 2017 β€” May 15, 2017 (initial variant; subsequent variants continued)

Incident Analysis: WannaCry β€” Ransomware Worm Exploiting MS17-010 (EternalBlue) SMBv1 Vulnerability

Incident Overview

On May 12, 2017, the WannaCry ransomware worm began propagating across the internet and corporate networks, infecting approximately 230,000 machines in 150 countries within 24 hours. WannaCry was notable for combining two distinct capabilities: a worm propagation engine based on a critical Windows SMBv1 vulnerability, and a ransomware payload that encrypted victim files and demanded Bitcoin payment. No user interaction was required at any stage. Vulnerable machines were infected solely by virtue of having port 445 (SMB) accessible to the propagating worm.

Technical Analysis β€” Vulnerability and Propagation

WannaCry's propagation engine exploited MS17-010, a critical vulnerability in Windows Server Message Block version 1 (SMBv1) β€” the legacy Windows file-sharing protocol enabled by default on all Windows versions. The vulnerability, internally code-named EternalBlue, allowed an attacker to send a specially crafted SMBv1 packet to a target machine and achieve arbitrary code execution β€” the ability to run any software on the target system β€” without any user interaction and without credentials.

Arbitrary code execution is the highest-impact single vulnerability class. It means the attacker's code runs on the target with whatever privileges the vulnerable service operates under. In WannaCry's case, this enabled installation of the ransomware payload and the worm's scanning engine in seconds, with no prompt, no notification, and no log entry the victim would recognize as hostile until the ransom note appeared.

Propagation sequence: each infected machine immediately began scanning IP address ranges for other machines with port 445 open. On contact with a vulnerable machine, EternalBlue was used to install WannaCry on the new target. The new target began scanning immediately. Exponential propagation: tens of thousands of new infections per hour at peak.

Key Facts and Timeline

ItemDetail
Vulnerability exploitedMS17-010 / EternalBlue β€” SMBv1 arbitrary code execution
Microsoft patch releaseMarch 14, 2017 β€” two months before the attack
Attack launch dateMay 12, 2017
Peak infection rateTens of thousands of machines per hour
Total confirmed infections~230,000 machines in 150 countries
User interaction requiredNone β€” worm propagated entirely autonomously via network exploitation
Notable victimsUK NHS (hospitals diverted ambulances, cancelled surgeries); TelefΓ³nica; FedEx; Deutsche Bahn; LATAM Airlines
Kill switchHardcoded domain check in the worm; registering the domain (cost: $10.69) caused infected instances to halt propagation; discovered by researcher Marcus Hutchins
Ransom demanded$300–$600 USD in Bitcoin per machine; relatively few victims paid; payment did not guarantee decryption

Preventability Assessment

Every WannaCry infection was preventable. Microsoft had released the MS17-010 patch on March 14, 2017 β€” 59 days before the attack. Systems that had applied the patch were completely immune to the EternalBlue exploit. Every infected system had failed to apply a publicly available patch during that 59-day window. This is the defining lesson of WannaCry for security practitioners: the "window of vulnerability" between patch release and patch application is the window in which exploitation succeeds. The WannaCry timeline makes the cost of delayed patching inescapably concrete.

Additionally, organizations that had disabled SMBv1 (deprecated and unnecessary in modern Windows environments) were immune regardless of patch status β€” removing the attack surface entirely eliminated the vulnerability.

Recommended Mitigations

  • Continuous patching with defined SLAs: Critical patches must be applied within 48–72 hours of release. An 18-month or even 2-month patching lag is operationally indefensible for a Critical severity vulnerability with active exploitation. Automated patch deployment with emergency patch procedures for critical vulnerabilities is required.
  • Disable SMBv1: SMBv1 is a legacy protocol deprecated by Microsoft. It has no legitimate use in modern Windows environments. Disable via Group Policy or PowerShell on all systems. This removes the EternalBlue attack surface entirely on otherwise unpatched systems.
  • Firewall rules blocking SMB from untrusted networks: Block TCP port 445 (and 139) inbound from external networks and untrusted network segments. WannaCry's initial external infection vector required port 445 to be reachable from the internet. Perimeter firewalls that blocked SMB prevented external infection; internal segmentation would have limited intra-network spread.
  • Offline backup strategy: Ransomware encrypts all accessible data including network shares. Offline (air-gapped) backups not reachable from infected systems enable recovery without paying ransom. 3-2-1 backup rule: 3 copies, 2 media types, 1 offsite/offline.
CONTROLLED β€” WEB SECURITY DISTRIBUTION
ADVISORY ID:MALCODE-2024-003 CATEGORY:Web-Based Malicious Code β€” Cross-Site Scripting and SQL Injection SEVERITY:HIGH INCIDENT REFERENCES:British Airways Magecart Attack (June–September 2018); Estonian Central Health Database SQL Injection

Advisory: Web-Based Malicious Code β€” XSS Formjacking and SQL Injection Against Web Applications

Executive Summary

Web applications present a distinct malicious code attack surface from the endpoint and OS-level threats covered in MALCODE-2024-001 and -002. Two web-specific malicious code techniques are covered in this advisory: cross-site scripting (XSS), which injects malicious JavaScript into legitimate web pages to execute in other users' browsers, and SQL injection, which injects malicious SQL commands into database queries through unsanitized input fields. Both techniques were used in significant real-world breaches: the 2018 British Airways payment data theft (XSS formjacking) and the Estonian Central Health Database breach (SQL injection). Each requires defenses at the application code layer that differ from the OS-level and network-level controls used for traditional malware.

Incident Analysis β€” British Airways XSS Formjacking, 2018

Between June and September 2018, attackers attributed to the Magecart threat group compromised the British Airways website and inserted 22 lines of malicious JavaScript into the payment processing pages used by customers booking flights. The injected script monitored the payment form in real time: as customers typed their payment card details (card number, expiration date, CVV, cardholder name, billing address), the script captured the input values and transmitted them to an attacker-controlled server at the moment of form submission.

The attack ran undetected for more than two weeks. Approximately 380,000 customers had payment card data compromised. British Airways was subsequently fined Β£20 million under the UK GDPR (reduced from an initial Β£183 million proposed fine).

The attack's efficiency is notable: a single website compromise automatically became an attack against 380,000 users. The attacker never accessed those users' devices. The attack succeeded because the injected script ran with the same browser trust level as the legitimate site's own JavaScript β€” the browser could not distinguish malicious injected code from authorized site code. Detection required monitoring the site's loaded scripts for unexpected additions, which was not in place during the initial breach window.

Incident Analysis β€” Estonian Health Database SQL Injection

In a separate incident, attackers exploited a SQL injection vulnerability in Estonia's national healthcare database application. The vulnerability existed in an input field that accepted user-supplied data and incorporated it directly into a database query without sanitization. By supplying SQL syntax rather than the expected data value, the attackers were able to manipulate the database query to return unauthorized records β€” ultimately gaining access to the patient record database for the entire country.

A parameterized query would have prevented the breach: by separating query structure from data values, the database engine would have treated the attacker's SQL input as a literal string to search for rather than executable query syntax. The absence of this basic control β€” standard practice for decades β€” allowed a single input field to become the entry point for a national health data breach.

Web Malicious Code Comparison

TechniqueAttack LayerMechanismPrimary Defense
XSS (stored/persistent)Browser (client-side)Malicious JavaScript stored on server; executes in victim browsers when page is loaded; can read cookies, form data, and perform actions as the victimOutput encoding; Content Security Policy (CSP) headers; input sanitization
XSS formjacking (Magecart style)Browser (client-side)JavaScript injected into checkout/payment page captures form field data as typed; transmits to attacker serverSubresource Integrity (SRI) for third-party scripts; CSP; website script integrity monitoring
SQL InjectionServer (database layer)Malicious SQL syntax in input fields manipulates database queries; enables unauthorized read/write/delete of database contentsParameterized queries (prepared statements); least-privilege database accounts; input validation

Recommended Mitigations

  • Content Security Policy (CSP) headers: A CSP header instructs the browser to execute only scripts loaded from explicitly approved sources. An injected inline script or a script loaded from an unexpected domain is blocked by the browser before execution. Had British Airways implemented a restrictive CSP, the injected Magecart script loading from an external attacker domain would have been blocked in all visiting browsers. CSP is configured at the web server or application layer and costs nothing beyond implementation effort.
  • Parameterized queries for all database interactions: User-supplied values must be passed to the database as bound parameters, never concatenated into query strings. This is the architectural prevention for SQL injection. Input validation and WAF rules are secondary layers β€” parameterized queries are the required primary control.
  • Website integrity monitoring: Automated comparison of loaded JavaScript against a known-good baseline enables detection of injected scripts. The British Airways breach ran for two weeks because no such monitoring was in place. Continuous integrity checks against deployed page content, with alerting on unexpected changes, would have enabled rapid detection and response.
  • Third-party script governance: Any JavaScript loaded from a third party (analytics, advertising, payment processing, chat widgets) has the same execution authority in the browser as the site's own scripts. Each third-party script is a potential injection vector if that vendor is compromised. Audit all third-party script dependencies; use Subresource Integrity (SRI) to verify script hash before execution; minimize third-party script surface area.