Chapter 50 Β· Tricks & Performance

Trick Questions & Performance Tasks

The malicious code misconceptions most likely to cost exam points β€” and the incident response performance task that tests whether you can identify the malware type and prescribe the right defense under pressure.

Trick 1: "WannaCry infected 230,000 machines in 150 countries because users clicked phishing links that delivered the ransomware executable β€” demonstrating that user awareness training is the primary defense against ransomware worms." True or False?
FALSE β€” WannaCry required no user interaction whatsoever. It spread autonomously as a worm, exploiting the SMBv1 vulnerability (MS17-010) to infect any reachable unpatched machine without anyone clicking anything.

This is one of the most critical facts the exam tests about WannaCry. Attributing its spread to user clicks misrepresents the entire attack and leads to the wrong remediation.

How WannaCry actually spread:
WannaCry was a worm. It scanned IP address ranges for machines with port 445 open. For each machine it found, it sent a specially crafted SMBv1 packet that triggered arbitrary code execution. The infected machine then installed WannaCry's ransomware payload and immediately started scanning for more victims. Users on those machines did nothing wrong β€” they didn't click a link, open an attachment, or install software. Their machines were infected simply because SMBv1 was running and the MS17-010 patch had not been applied.

Why this matters for the exam:
If WannaCry spread via phishing, user training would be the primary defense. But since it spread via a network vulnerability, the primary defense is patching β€” specifically, applying MS17-010. Secondary defenses include firewall rules blocking SMB port 445 from untrusted sources and network segmentation to limit worm propagation between segments. User training provides zero protection against a worm that doesn't need users to do anything.

Exam tip: When a question describes WannaCry and lists "user awareness training" as a defense, that's always a wrong answer choice. When a question asks what would have prevented WannaCry infections, "apply the MS17-010 patch" is always the correct primary answer.
Trick 2: "A Trojan horse is a type of worm because both spread from system to system by disguising themselves as legitimate software β€” the Trojan disguises its payload, and the worm disguises its propagation as legitimate network traffic." True or False?
FALSE β€” Trojans and worms are fundamentally different malware categories. The defining characteristic of a Trojan is disguise + no self-replication. The defining characteristic of a worm is autonomous self-propagation + no host file required.

The claim that worms "disguise their propagation as legitimate traffic" is not what defines them, and conflating the two types creates confusion about both defenses and identification.

Trojan horse β€” key properties:
A Trojan horse presents itself as a legitimate, useful application. The user installs it voluntarily. The malicious payload is hidden inside the apparently legitimate software. Trojans do not self-replicate β€” they cannot spread on their own. Every instance of a Trojan is installed by a user who was deceived. Remove the deception and the delivery fails. Defense: user training, application allowlisting, software source verification.

Worm β€” key properties:
A worm is self-propagating. It doesn't disguise itself as useful software β€” it exploits a vulnerability directly to install itself without being invited. No user action required. Worms spread at network speed, independent of any human behavior. Defense: patching the exploited vulnerability, firewall rules, network segmentation.

Why Trojans can deliver worms (and other payloads):
A Trojan can install a worm as its payload β€” the user installs what appears to be a game, and the hidden payload is a worm component that then starts spreading. But the Trojan and the worm are still distinct: the Trojan was the delivery vehicle, the worm is the payload. They're classified separately even when combined.

Exam tip: Know these three malware types by their single distinguishing property: Virus = needs host file to spread + needs user execution. Worm = no host file, no user action, autonomous network propagation. Trojan = no self-replication, depends on user installation, disguised as legitimate software.
Trick 3: "A rootkit is classified as a type of ransomware because both operate secretly inside an infected system without the user's knowledge." True or False?
FALSE β€” rootkits and ransomware are entirely different malware categories defined by what they do, not by whether they operate secretly.

Many malware types operate without the user's knowledge β€” spyware, keyloggers, RATs, rootkits, some ransomware during the initial encryption phase. "Operating secretly" is a characteristic shared by many malware types and doesn't define any single category.

Rootkit β€” defined by:
Concealment and persistence. A rootkit modifies the operating system to hide itself and other malicious software. It intercepts system calls that would reveal malicious processes, files, or network connections. The goal is to remain on the system undetected while providing persistent access for the attacker. A rootkit's primary purpose is to survive and stay hidden β€” it's an enabler for other malicious activities rather than a destructive payload itself.

Ransomware β€” defined by:
Extortion through encryption. Ransomware encrypts the victim's files and demands payment for the decryption key. It is almost always immediately visible β€” the ransom note and inaccessible files make the infection obvious. Ransomware's business model depends on the victim knowing they've been infected and believing payment is their only option. A ransomware attack that was completely hidden wouldn't generate any ransom payments.

The relationship between them:
A sophisticated ransomware attack might use a rootkit during the initial reconnaissance and lateral movement phase β€” staying hidden while gathering information and spreading before triggering the encryption. But the rootkit and the ransomware are still distinct tools with distinct purposes, often used in sequence during a multi-stage attack.

Exam tip: Classify malware by its primary defining behavior: Rootkit = hides malicious presence in the OS. Ransomware = encrypts files, demands payment. Keylogger = records keystrokes. Logic bomb = dormant until trigger condition. RAT = remote control channel. Don't conflate them based on secondary shared characteristics like "operates secretly."
Trick 4: "Installing and running updated anti-malware software is sufficient to protect a system against all forms of malicious code β€” as long as the signatures are current, no malware can succeed." True or False?
FALSE β€” anti-malware is one important layer in the defense stack, but it is not sufficient against all malicious code types, and several attack scenarios defeat even updated anti-malware.

This trick targets the "silver bullet" fallacy β€” the idea that one security tool can be a complete defense. The exam consistently tests defense-in-depth, which means understanding what each control does and doesn't protect against.

What anti-malware does well:
Detects known malware via signatures, catches suspicious behavioral patterns via heuristics, and can identify malware-like behavior of running processes via behavioral monitoring. Updated signatures address the most common threat landscape. For well-known malware families delivered as executable files, anti-malware is highly effective.

What anti-malware misses or struggles with:
(1) Zero-day exploits β€” malware exploiting a newly discovered vulnerability has no signature yet; signature databases are reactive, not predictive. (2) Fileless malware β€” no file on disk means no file-based signature to match; behavioral detection helps but may not catch all variants. (3) Network-level attacks (WannaCry's worm propagation) β€” anti-malware on an endpoint doesn't prevent the SMBv1 exploit packet from arriving and executing before anti-malware can intercept it; the patch closes the vulnerability before the exploit runs. (4) Logic bombs from insiders β€” the code may pass anti-malware scans because it's embedded in a legitimate script by someone with system access. (5) Web injection attacks (XSS, SQL injection) β€” these are attacks on web applications and databases, not on endpoints; anti-malware installed on a workstation provides no protection against a SQL injection attack on a remote database server.

The required stack:
Anti-malware + firewall + continuous patching + input validation (for injection attacks) + user training + secure configuration + backup strategy. WannaCry was stopped by patching, not by anti-malware. British Airways XSS required web application security controls. Estonian SQL injection required parameterized queries. Each attack type has its specific defense β€” anti-malware alone covers only a subset.

Exam tip: When an answer choice says "anti-malware is sufficient" or "with updated anti-malware, this attack would have been prevented," apply skepticism. Check whether the attack in question operates at a layer where anti-malware is effective. Worms exploiting OS vulnerabilities, injection attacks, and fileless malware are all categories where anti-malware alone is insufficient.
Performance Task: A regional hospital network has experienced an incident. At 7:15 AM on a Tuesday, patient record systems across three hospital sites simultaneously became inaccessible, displaying a ransom note demanding payment in Bitcoin. Investigation reveals: all affected systems are running Windows Server 2008 R2; none had been patched in the past 18 months; SMB port 445 is open between all hospital segments; no user has reported clicking a suspicious link or receiving an unusual email. Wired workstations in a fourth hospital site (on a separate subnet separated by a firewall) are unaffected. Describe the attack type, explain why no user error triggered it, identify the critical missed defense, and provide a prioritized remediation plan covering both the immediate incident and long-term hardening.
Model Answer:

Attack Classification:
This is a ransomware worm attack β€” consistent with WannaCry or a similar worm-delivered ransomware. The key indicators: (1) simultaneous infection across multiple sites β€” worm propagation across networks, not a single endpoint event; (2) no user error reported β€” worms require no user interaction; (3) Windows Server 2008 R2 without patches β€” legacy OS, likely missing SMBv1 patches; (4) SMB port 445 open between all segments β€” the worm propagation pathway; (5) fourth site on separate subnet behind firewall unaffected β€” firewall blocked worm traffic from crossing the network boundary, confirming the attack vector is SMB propagation.

Why No User Error Was Required:
Ransomware worms exploit OS-level vulnerabilities in network services (specifically SMBv1 in WannaCry). The infection vector is a packet sent directly to port 445 β€” the worm scanned the network, found Windows servers with the port open, exploited the vulnerability, installed the ransomware, and immediately began scanning for more targets. No phishing link, no email attachment, no user action was involved. Every affected system was compromised simply by running an unpatched Windows version with SMB accessible. This is why user training provides zero protection against this specific attack vector.

The Critical Missed Defense:
Patching. Microsoft had released patches for the SMBv1 vulnerability before WannaCry's 2017 launch. An 18-month patching gap means these systems were missing not just the SMBv1 fix but potentially hundreds of other security patches. Every single infection was preventable by a single patch deployment. The fourth hospital being on a segmented subnet with a firewall shows that network architecture also provided a meaningful defense β€” but even that didn't require patching; it just blocked the propagation vector at the network layer.

Immediate Incident Response:
(1) Isolate immediately β€” disconnect affected systems from the network to stop further propagation; do not shut down (memory forensics may reveal attacker infrastructure). (2) Preserve evidence β€” capture RAM images, network logs, and filesystem snapshots before any remediation. (3) Assess scope β€” identify all infected systems using network flow data and endpoint inventory; determine which patient data systems were encrypted and what was accessible. (4) Restore from backup β€” if offline backups exist and are clean, restore encrypted systems from pre-infection backups rather than paying the ransom; ransom payment does not guarantee key delivery and funds future attacks. (5) Notify β€” legal obligation to notify patients if health data was exposed; report to relevant authorities (FBI, HHS for HIPAA-covered entities).

Prioritized Long-Term Hardening:

Priority 1 β€” Patch immediately:
Apply all available Windows security patches to all systems before reconnecting to the network. For legacy Windows Server 2008 R2 (end of support), either apply the ESU (Extended Security Updates) patches or begin emergency migration to supported OS versions. An 18-month patching gap is a critical organizational failure requiring process-level remediation, not just a one-time catch-up.

Priority 2 β€” Disable SMBv1:
SMBv1 has been deprecated and has no legitimate use in modern environments. Disable it via Group Policy or PowerShell on all systems (Set-SmbServerConfiguration -EnableSMB1Protocol $false). Even if patched, removing the attack surface entirely is more durable than relying on patches alone.

Priority 3 β€” Network segmentation:
The fact that one site on a separate subnet was unaffected proves that network segmentation works. Segment all hospital sites into separate VLANs with firewall rules blocking SMB between segments. Clinical systems, administrative systems, and guest/IoT networks should all be isolated. Worm propagation requires network reachability β€” segmentation contains the blast radius to one segment even if infection occurs.

Priority 4 β€” Offline backup strategy:
Implement the 3-2-1 backup rule: 3 copies of data, 2 different media types, 1 offsite/offline. Backups must be air-gapped or offline (not connected to the network) β€” ransomware will encrypt backup shares if it can reach them. Test restore procedures regularly; a backup that hasn't been tested is an unknown.

Priority 5 β€” Patch management program:
Implement automated patch management with defined SLAs: critical patches applied within 48 hours, high-severity within 7 days, moderate within 30 days. No system should go 18 months without patches. Include vulnerability scanning to identify unpatched systems before attackers do.