Malware

• ransomware/crypto-malware
• virus
  • can be fileless - resides only in RAM
  • can be armored -> complex code, encryption, hiding
  • can be polymorphic -> changing
• worm - replicates itself w/o user intervention over a network
• trojan horse - disguise itself as smth legit
• [[rootkit]] - privesc

• logic bomb

  • time bomb, user event -> starts w predefied event -> often deletes itself

  • examples

    • 2013 South Korea bank logic bomb
    • 2016 Ukraine high voltage substation -> bringing down electrical networks
      • customized for SCADA networks

  • to prevent

    • formal change control
    • host-based intrusion detection
    • tripwire
    • constant auditing