1
00:00:02,820 --> 00:00:09,040
Ending this module, I'd like to show you a specific case study. This case study will indicate the methods

2
00:00:09,040 --> 00:00:16,630
for dealing with a disaster. Let's assume that this disaster is, for example, a virus outbreak.

3
00:00:16,830 --> 00:00:22,910
We'll talk about the Conficker virus.

4
00:00:22,960 --> 00:00:29,640
The picture below shows you the propagation speed of the virus. Conficker spread automatically and without

5
00:00:29,640 --> 00:00:31,550
the need of user interaction.

6
00:00:33,080 --> 00:00:37,670
To infect a computer, the virus did not require a user to behave in a certain manner.

7
00:00:39,500 --> 00:00:46,450
One of the propagating vectors for Conficker was the security bug found in the Windows system.

8
00:00:46,510 --> 00:00:52,980
It was detected, and an update fixing the bug was created a month before the outbreak.

9
00:00:53,170 --> 00:00:56,960
But this was just one method in which the virus spread.

10
00:00:57,100 --> 00:01:03,250
The software manufacturer, in this case Microsoft, had to find an effective procedure preventing the escalation

11
00:01:03,250 --> 00:01:05,950
of the virus after the problem was detected.

12
00:01:09,490 --> 00:01:12,910
It was documented in a knowledge base article.

13
00:01:12,990 --> 00:01:19,070
The company also set up a reward of $250,000 for helping to identify the authors of the virus.

14
00:01:25,270 --> 00:01:29,960
Conficker had five known versions.

15
00:01:29,990 --> 00:01:33,710
It's rather interesting that the versions would update quickly.

16
00:01:33,860 --> 00:01:38,870
For example, if you were infected with version A, it would almost immediately update itself to version

17
00:01:38,880 --> 00:01:47,880
C.

18
00:01:47,940 --> 00:01:52,050
Let's find out what should be done if Conficker attacked us.

19
00:01:52,120 --> 00:02:00,120
The first step is to detect it. Detection methods were covered in the previous part of the lecture. Conficker

20
00:02:00,120 --> 00:02:04,280
and other viruses are relatively simple to detect.

21
00:02:04,300 --> 00:02:11,020
It is enough to know the basic vectors and spreading techniques. Conficker made regular connections

22
00:02:11,020 --> 00:02:19,070
to five hundred randomly selected domains that were chosen from a pool of over 50,000 domains. After they

23
00:02:19,070 --> 00:02:23,090
were infected, the virus moved on to infect other machines.

24
00:02:25,940 --> 00:02:32,460
Web applications on affected machines would practically shut down. Conficker used 100 percent

25
00:02:32,460 --> 00:02:34,680
of the bandwidth for its own purposes.

26
00:02:36,200 --> 00:02:41,140
It's hard to miss this symptom.

27
00:02:41,140 --> 00:02:48,320
The virus also spread through cracking passwords. If you enable account lockouts after 50 incorrect

28
00:02:48,320 --> 00:02:54,760
attempts, a recognizable attack symptom was the message that users can't log into their accounts because

29
00:02:54,760 --> 00:02:57,920
a limit of unsuccessful login attempts has been reached.

30
00:03:04,070 --> 00:03:06,560
Assume that we've detected the attack already.

31
00:03:07,260 --> 00:03:12,090
Of course, in the end, a virus scanner should have helped with that.

32
00:03:12,120 --> 00:03:16,870
Now we need to determine the scope of the attack.

33
00:03:16,880 --> 00:03:21,890
You might remember that the most important question that we need to answer is what resources have been

34
00:03:21,950 --> 00:03:24,300
or could have been accessed by attackers.

35
00:03:25,540 --> 00:03:28,700
We also need to find a way to prevent the attack from spreading.

36
00:03:31,600 --> 00:03:35,380
In the case of Conficker, you could use dedicated tools for this purpose.

37
00:03:36,460 --> 00:03:41,810
Such countermeasures were developed because the problem was global in scope.

38
00:03:41,830 --> 00:03:45,790
You could also use the knowledge on the virus vectors and try to remove it manually.