In this lesson, we're going to discuss some different types of malware that you may come across while working as a cybersecurity or network technician. So what is malware? Well, malware is a shorthand term for malicious software. This is software that's designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent. Simply put, malware is some kind of bad software code that wants to do harm to our computers and our networks. Malware comes in many varieties, including viruses, worms, Trojan horses, ransomware, spyware, and rootkits.

The first type of malware we have is known as viruses. A computer virus is simply made up of malicious code that's run on a machine without the user's knowledge. This code allows it to infect the computer whenever that code is run. Now, what does this look like in the real world? Well, one of your users may have gone to a website to download a new game, and when they did that, they actually downloaded an installation file that contained a virus or malicious code inside of it. When they ran that program to install the game, they actually just installed the virus onto the client machine, and now that virus has taken hold. At this point, the virus is going to want to reproduce and spread, and it does this because you had a user action occur. This was namely the opening and running of the game's install file. Once this has been done, the virus can now begin to replicate and attempt to spread further across the network.

Our second type of malware is known as a worm. Now, a worm is a piece of malicious software much like a virus, but it can replicate itself without any user interaction. This is a key distinction between a virus and a worm. Remember I said the user had to install the program or open a file in order to have the virus take action and begin its replication, but with worms, this simply isn't the case. Worms are able to self-replicate, and they spread throughout your network without a user's consent or action. This occurs because worms take advantage of security vulnerabilities that exist within operating systems, network protocols, and other applications. If the worm determines that there's a computer on the network that doesn't have the latest security patch installed, it can then take advantage of that and exploit that vulnerability to spread from victim to victim across the entire network or even across the internet and the entire world. Because of this, worms can cause disruption to your normal network traffic and your computing activities, because as they're spreading and replicating from victim to victim, they're also using its processing power, its memory, and its network traffic. It's going to be using all these different resources and not for something that you want them to do. Eventually, this can start slowing down your systems, or in some cases it can cause your systems or your networks to crash.

Worms are known for spreading far and wide over the internet in a relatively short amount of time. Back in 2001, there was a worm named Nimda, which is admin spelled backwards. Now it was able to propagate across the entire internet in just 22 minutes. Then in 2009, we had another worm. This one was known as Conficker. This is probably one of the largest worms that we as cybersecurity professionals have seen to date. Conficker was able to infect between 9 and 15 million machines worldwide. This worm was infecting as many machines as it could by leveraging an exploit against a missing Microsoft Windows security patch. This was specifically the patch associated with the MS08-067 security bulletin. Now the vulnerability was a coding error with the way Microsoft Windows was performing file and printer sharing. Conficker sought out those machines that were missing the security patch, installed this piece of code on them, and then those machines became part of a botnet. Ultimately, this botnet was able to be shut down before it was used for negative or malicious purposes. But it does show the true power of these worms and how they can gather up lots and lots of zombies for a botnet really quickly for use later on.

The third type of malware we have is known as a Trojan horse. A Trojan horse gets its name from the legendary trick that was used during the Trojan War back in ancient Greece. Greece and Troy were at war for 10 years and there was no end in sight. After a long siege, the Greeks decided they were getting restless and they decided they wanted to try something a little different to get this war over with. So they decided to construct a large wooden horse, and they gave it to the city of Troy as a peace offering, or so the story goes. Now this seemingly harmless gift was actually filled with Greek soldiers, and once it was wheeled inside the city, day turned to night and the soldiers emerged from within the horse. These soldiers immediately opened the walled city gates and began letting in their fellow soldiers that were from the invading Greek army. They got into the city and they laid waste to it. This was the first example of a Trojan horse. Now in the world of cybersecurity and computer networking, Trojan horses work much the same way. Trojan horses are pieces of malicious code that are disguised as a piece of harmless or desirable software. Basically, a Trojan says, "I'm going to perform this function for you," and it may very well perform that desired function, but it can also perform a malicious function too.

Now when I was a kid, there was a new game out called Tetris that you probably have heard of at this point, and it was extremely popular and everybody wanted to get a copy of it. So a lot of times you might have a friend who put a copy of it on a disc and they handed it to you so you could install it at home, and you could play this great new game too. Well, one person was really smart and they used a copy of Tetris and embedded a Trojan horse inside that copy of Tetris. Now, if you took that disc and installed that game on your computer, that game would launch and play just like normal. You could play Tetris, no issue at all, but in the background, the Trojan horse part of this opened up something that allowed a connection between your system and the attacker's system, allowing them to have remote control and steal your information or destroy your data. This is one of the earliest examples of what we now refer to as a RAT or Remote Access Trojan. A RAT is a common type of Trojan that's still widely used today. It provides the attacker with remote control of a victim system. These techniques are still really used a lot today, but instead of somebody handing you a disc, they instead post the file on a website and they wait for you to download it. Remember, whenever you're downloading a program from the internet, always be careful because you don't know what other code is inside of that lurking there. Anytime you or your users are downloading a file, you have to make sure you check it for viruses, worms, and Trojans before you install it.

The fourth type of malware we have is known as ransomware. If you've watched the news or scrolled Facebook in the last year or two, you probably already know what ransomware is because it keeps showing up all over our news feeds. Ransomware is a type of malware that restricts access to a victim's computer system or their files until a ransom or payment is received. Essentially, someone's going to break into a network, a server or a computer, and then they're going to encrypt all the files or change the passwords or do something else to hold that system hostage until you pay up. One day you may reboot your computer and it says something like this: "Your computer has been locked. You have to pay a fine of $200 and be able to pay it through this link using Bitcoin and able to get access back. If you pay me, I'll give you a secret unlock code and you can put it in that white little box and you can hit okay and have access to all your stuff." This is what ransomware looks like when it targets end users. But even more recently, we're seeing large scale ransom attacks against large corporations and local governments, including oil pipelines, hospital systems, and even city governments. Back in 2018, the city of Atlanta got infected with the SamSam ransomware. This started spreading across a lot of their systems throughout the city, and it ended up costing them over $17 million to fix it. They ended up not paying the ransom, but instead they spent about $6 million in services and contracts and software upgrades and another $11 million in hardware upgrades to be able to deal with the SamSam ransomware. This made it the costliest cyber attack affecting the government in 2018, and this was despite them not paying the ransom demanded by the attackers. Usually, ransomware is going to get a foothold into your network somewhere because of a vulnerability in a piece of software on one of your servers or your clients. Once it gets into the network though, it's going to attempt to steal your data and hold it hostage. Once they do that, you have no way to decrypt that data unless you pay the ransom or restore from an offline backup.

The fifth type of malware we have is known as spyware. Spyware is a type of malicious software that's installed on your system and it gathers information about you without your consent. Normally, this will be installed either from a website or some third party software that you have installed on your system. That software is going to look through all your files. It's going to look through all your emails, all of your instant messages, all your calendar invites, and whatever other information you may have on your system. It's going to look through that to gather information and build a profile on you. This is the best case scenario. Now after all, spyware might just be trying to figure out things they can advertise to you, and in this case, we call this a thing called adware. Now, this allows it to display advertisements to you based on what they think you'd like best and what you're most likely to buy. Now in the worst case, spyware could include a keylogger. Now a keylogger can allow an attacker to capture any keystrokes you make on a victim machine, such as the website addresses you type in, the usernames, and even the passwords you enter. Spyware and keyloggers can collect those details and send it all back to the attacker complete with screenshots that they're taking on a regular interval of your computer screen.

Now, our sixth type of malware we have is known as a rootkit. A rootkit is a specific type of software that's designed to gain administrative level control over a computer system or network device without being detected. Now, this is really important because when we talk about root or administrator level permissions, this is the highest level of permissions that someone can have on a system. If you're using a Windows machine, for example, that would be your administrator account that allows somebody to install programs, delete programs, open ports and shut ports. Basically, they can do whatever they want on your system. This type of access is known as root access if you're using Unix, Linux or OS X, which is a Mac operating system. Either way, gaining administrative or root access is great for an attacker, but it is horrible for you and your security. Now in our networks, the most common place to find a rootkit would be if the attacker was able to compromise the firmware on our routers or switches. There have been documented cases of this for pretty much every brand of router and switch out there. So it's important to keep up to date with the latest threats based on the type of equipment that you're using inside your networks. Rootkits are extremely powerful and they're really difficult to detect because the operating system itself can be blinded to them, since they're loaded before the operating system itself is. To detect them, the best way is to boot from an external device and then scan the device to ensure that you can properly detect those rootkits.

As I said earlier in this lesson, there are lots of different types of malware. In this lesson, we discussed just a few of them. We talked about viruses and worms and Trojan horses and ransomware and spyware and rootkits, but there are many others out there that you're going to learn about as you continue to advance in your cybersecurity career.