Rizzi, Clifford Chazz L.

BSIT 511

PART I
ADWARE

 180solutions assistant - In 1999, company “ePIPO” was founded by Keith and Ken Smith. It was
a kind of pay-to-surf company that displays banner ads. And later, they changed their name into
180 Solutions that also goes with the changes in their technology like using pop-up ads instead
of banner ads. Then in about June 2006, 180 solutions collaborated with Hotbar and they
established "zango". 180 solutions assistant is a product of 180 solutions. It displays pop-up ads
that came from the user's web-searches and surfing habits. Once it is in the system, continues
pop-up ads will flood your computer and may slow down your system.

https://www.f-secure.com/sw-desc/adware_w32_180solutions.shtml
https://en.m.wikipedia.org/wiki/Zango_(company)

 Coolwebsearch (CoolWWWSearch/CWS) - In May 2003, a browser hijacker called

coolwebsearch was created. It was thought to work on internet explorer, mozilla firepox, and
google chrome. And it will automatically download itself to a microsoft windows kind of
computers. Once a computer is infected with this, it will automatically change the settings. The
web homepage will then be changed to coolwebsearch without warning, it will modify settings,
it will collect the user's private information, and will show never ending pop-up ads which
redirects to malicious sites like pornsites and others. CWS has over 100 versions and it infected
about 8% of PCs worldwide. Moreover, Coolwebsearch makes one's computer slow down,
possibly crash operating system, and largely affect the internet speed.

https://www.2-spyware.com/remove-coolwebsearch.html#:~:text=CoolWebSearch%20is%20a
%20notorious%20potentially,modify%20their%20settings%20without%20warning.
https://en.m.wikipedia.org/wiki/CoolWebSearch

ROOTKIT

 Vanquish - It is a type of user-mode rootkit. When we say User-mode rootkit, it means that it
will be able to modify the processes, network connections, security, and others without the risk
of being detected. Another, it can impede the system calls and be able to process the output.
And because of this processes, the files, system drivers, network ports, registry keys and paths,
and system services were able to hid by the hacker. Vanquish was created by XShadow on 2003-
2004. This works on windows 2000, XP, and 2003. Vanquish rootkit can hide files, folders,
registry entries, and log passwords following what was described to user-mode rootkit.

https://www.esecurityplanet.com/networks/rootkit-threats/
https://greatis.com/unhackme/vanquishrootkitremoval.htm#:~:text=Vanquish%20is%20a%20DLL-
Injection,registry%20entries%20and%20logs%20passwords.

 FU - it is an example of rootkit in kernel-mode. Kernel-mode rootkit changes some components

in the OS' core which is what we call 'kernel'. Because of this, similar device drivers and
computer modules which gives unrestricted access to the cybercriminal. FU is a kernel-mode
Rizzi, Clifford Chazz L.
BSIT 511

rootkit that also make adjustments to the data structures of a computer which in return hide
some processes.

https://www.aldeid.com/wiki/FU-Rootkit#:~:text=5%20Comments-,Description,fu.exe%20and
%20msdirectx.
https://www.esecurityplanet.com/networks/rootkit-threats/

RANSOMWARE

 WannaCry - In 2017, a ransomware attack called "wannacry" were created which caused havoc.
This particular attack used email scams and phishing. About 150 countries, 230,000 computers
around the globe, and 200,000 people specifying companies like FedEx, Telefonica, Nissan and
Renault were greatly affected. It was suspiciously created by United States National Security
Agency and leaked by the Shadow Brokers group. The 'ransom' for release was priced around
USD 300. Global financial losses was said to be an estimated total of $4 billion dollars.

 Cryptolocker - it is one of the famous ransomware attack that was first seen in 2007 and was
actually launched in 2013. This type of malware if it infects your computer, will encrypt
important files or data and will hold it against you for ransom. This was spread by using email
attachment carrying infected or malicious files. An estimation of 200,000 - 500,000 computers
(windows-based) were infected and a financial loss of more than USD 3 million.

https://gatefy.com/blog/real-and-famous-cases-ransomware-attacks/
https://www.kaspersky.com/resource-center/threats/ransomware-examples

WORM

 The morris worm - this is among the well-known computer worm in the early times. It is
launched by a student named Robert Morris on 1988, hence it was called morris worm. He just
wanted to test out the vastness of the internet and not intending to be destructive. However,
when he released the program to the internet he had not anticipated the fast spreading of what
he created. It’s self-replicating, infecting, and reinfecting computers 1-7 times went out of
control. Which is why 10% of the 60,000 internet-connected computers were affected in the
united states and cost about $200 - $53,000 to remove the worm and prevent reinfection. It was
also said that around $100 million were lost due to Morris worm.

https://www.exabeam.com/information-security/cybersecurity-calendar-morris-worm/
https://searchsecurity.techtarget.com/definition/Robert-Morris-worm

 ILOVEYOU – this is a type of computer virus or worm that spreads through a chain email,
specifically in Outlook. The outbreak started on May 4, 2000 created by a college student at that
time Onel De Guzman. He just intended to make use of computer worm to steal passwords so
he could access the internet for free. But this creation of him, had a flaw in the code which
happened to get uncontrollable in spreading. And with its title “ILOVEYOU” and an attachment
of LOVE-LETTER-FOR-YOU, surely lots of people are intrigued to open it and later fell into the
virus trap causing it to spread even more. This infected over 45 million of computers in just two
days and estimatedly cost over $15 billion damages.
Rizzi, Clifford Chazz L.
BSIT 511

https://searchsecurity.techtarget.com/definition/ILOVEYOU-virus
https://www.computerweekly.com/news/252481937/Revealed-The-man-behind-the-first-major-
computer-virus-pandemic
BACKDOOR

 CoinTicker – this is a MAC application which is used to show the updated prices of Bitcoins and
other cryptocurrencies in the menu bar. It was found out that this application is installing two
backdoors, specifically, EvilOSX and EggShell. Although the purpose are not yet clear, it is
suspiciously not legit. According to Thomas Reed of Malwarebytes, it appears that this malware
is trying to gain access to the users’ cryptocurrency wallets so they can steal coins. There are
also no authentication to root, which is why the user wouldn’t think something’s wrong. He also
conveyed that this app is “never legitimate to begin with”. Because it was suspiciously
“registered just months ago on July 13”, Thomas Reed on his post.

https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-
backdoors/
https://9to5mac.com/2018/10/30/cointicker/

 Wordpress – In 2017, an SEO scam or search engine optimization scam were revealed by
security researchers. This certain scam were said to affect more than 300,000 WordPress
websites. In a blogpost of Yash Mehta on August 2020, he said that a wordpress backdoor allows
an attacker to access persistently a server and note that this is unauthorized. Oftenly, he said
that this is through a malicious files that are hidden somewhere or through an infected plug-ins.

https://www.malwarebytes.com/backdoor/
https://www.getastra.com/blog/911/wordpress-backdoor-hack/

PART II
Rizzi, Clifford Chazz L.
BSIT 511

a. What is the title of the article?

 The Untold Story of NotPetya, the Most Devastating Cyberattack in History
b. Who wrote the article?
 Andy Greenberg – a senior writer for WIRED, covering security, privacy, and information
freedom.
c. When was the article published?
 Published on August 22, 2018 at 5:00 am.
d. Give the link where you found the article.
 https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-
world/
e. Is it possible to prevent this kind of attack? How?
 I believe that this kind of attack is preventable. As it has been mentioned in the article,
the cyberattack that happened to Maersk was possibly due to the company’s state of
being “behind” in terms of security and operating system. There was a need for being
updated and yet it didn’t deemed important until NotPetya cyberattack happened. That
is why I think that such attack is preventable, by allotting budget for the company’s
security, updating OS, purchasing a strong anti-virus for protection (updated and
patched), knowing how to detect it and how to mitigate risk, regular monitoring,
backing up important of the data in external and in cloud, as well as training employees
about these instances and make them ready in case another cyberattack happen in the
future. It is very important for the employees to know this kind of malware and how to
deal with it so next time they won’t fell into the trap like paying the ransom even if it
doesn’t do anything.
f. How extensive was the impact of the attack to the environment where it happened?
 According to the article, when NotPetya was set in motion it ran through and out of
Ukraine, infecting also numerous computers around the world, it infected hospitals in
Pennsylvania, a certain factory in Tasmania, and it totally damaged or ‘crippled’
multinational companies such as Maersk ($300,000,000), pharmaceutical giant Merck
($870,000,000), FedEx European subsidiary TNT Express ($400,000,000), French
construction company Saint-Gobain ($384,000,000), food producer Mondelēz
($188,000,000), manufacturer Reckitt Benckiser ($129,000,000), and spreading back to
Russia infecting the state oil company Rosneft. In totality, the White House said that the
damages are around $10 Billion.
g. How did the person/company who was attacked, cope with the consequences and effects of the
incident?
 When the attack first happened and still unknown to the employees and staffs of
Maersk, they act by trying to figure out what’s happening. Running to the IT offices,
calling the significant people who could possibly help, and making everything halt just to
be certain that no further infections might happen. In several days, the operations and
the company was in chaos having mostly everything stop. They addressed the issue by
forming a team that’s called to work 24/7 for emergency operations. It’s like getting the
best people to work on the attack, give immediate solution, and save the company. They
literally work their ‘asses’ off. Which later on produced a valuable outcome. In the
article, the Maersk chair Jim Hagemann Snabe stated that “we overcame the problem
Rizzi, Clifford Chazz L.
BSIT 511

with human resilience” he also recognized the heroic deeds of the IT rescue team as
well as the other people who went extramiles to aid the business. And because of what
happened, the company not just work on how to improve their cybersecurity but also to
make it a “competitive advantage”. After that, most of the security features that the IT
department asked was immediately approved. The company took a great importance to
the cybersecurity to not let such cyberattack from happening again.