WEBVTT

00:00.890 --> 00:05.750
The chances of you watching this video and never having to deal with malware is pretty small.

00:05.760 --> 00:09.400
And in this episode what I want to do is let's just talk about malware.

00:09.710 --> 00:10.940
Now to get things started.

00:10.940 --> 00:17.270
What I want to say is that malware is nothing more than software that is running on your system that

00:17.550 --> 00:21.500
you don't want it there and B it may or may not be doing something naughty.

00:21.500 --> 00:23.660
In most cases it's doing something naughty.

00:23.660 --> 00:28.550
So what I want to do in this episode is go through each of the different types of malware that are listed

00:28.550 --> 00:35.640
on the exam starting with a virus.

00:35.660 --> 00:41.260
Now it makes me laugh a little bit when I see the word virus on the exam because really viruses are

00:41.290 --> 00:49.550
a very old-fashioned term. Viruses go back to the mid 1980s arguably, and a virus is a piece of software

00:49.880 --> 00:51.380
that somehow gets on your computer.

00:51.410 --> 00:53.880
Keep in mind we're talking about before internet.

00:53.960 --> 00:58.300
So back in the old days a virus would get on your computer through a floppy disk.

00:58.310 --> 01:01.720
You ever heard of those? Or, more modern, maybe a thumb drive.

01:01.730 --> 01:05.640
So what would happen is a virus would get on your system.

01:05.750 --> 01:11.540
It would attach itself often to operating system files or something like that and it would go ahead

01:11.570 --> 01:12.620
and do two things.

01:12.620 --> 01:14.350
Number one it would propagate.

01:14.480 --> 01:20.240
So any time someone else threw in a floppy disk or punched in another thumb drive, well, the virus's job

01:20.240 --> 01:25.490
was to get itself onto that removable media so it could spread itself out to other different types of

01:25.490 --> 01:26.840
devices.

01:26.840 --> 01:30.060
The other thing that it does is that a virus will activate.

01:30.110 --> 01:35.390
Now when we talk about activation back in the old days they would do amusing cute things like the famous

01:35.390 --> 01:40.610
falling letters virus or maybe you would see something you would put a happy face up on your screen

01:40.910 --> 01:46.250
but it didn't take very long for viruses to start doing really terrible things like for example erasing

01:46.250 --> 01:47.750
the boot sector on your hard drive.

01:47.750 --> 01:54.700
So the term virus is a little bit dated in that really because we're so internet connected now we'd

01:54.710 --> 01:57.350
have to take some broader views so going with that.

01:57.380 --> 01:59.480
Let's go ahead and talk about adware

02:03.900 --> 02:04.300
now.

02:04.310 --> 02:10.580
When I say adware, all I'm talking about are programs that try to put ads up, so they're pretty much

02:10.580 --> 02:11.640
web centric.

02:11.750 --> 02:15.950
And what will happen is you'll be on some web page and suddenly something's going to pop up saying Oh

02:15.950 --> 02:22.040
buy this. Adware, when it first came out years ago, was in many people's opinion kind of a good thing.

02:22.040 --> 02:26.090
you know you'd be trying to buy flowers from one website and then all of a sudden this thing would pop

02:26.090 --> 02:29.590
up and go we will sell you the same flowers for half price.

02:29.750 --> 02:31.510
Over time it became noxious.

02:31.640 --> 02:40.050
And we decided that adware was also a very, very bad thing.

02:40.100 --> 02:43.950
The next type of malware you're going to see on the exam is spyware.

02:43.970 --> 02:50.390
Now spyware is kind of an interesting term but basically what it means is that spyware is some form

02:50.390 --> 02:55.880
of malware that is hiding itself from you so you don't see it up on the screen or anything but what

02:55.880 --> 02:58.680
it's doing is it's phoning home one way or another.

02:58.820 --> 03:04.730
It could be tracking what you're doing in terms of web browsing it could be stealing cookie information.

03:04.730 --> 03:10.130
The bottom line is that spyware is something that we really, really don't want on our systems.

03:15.020 --> 03:20.860
A Trojan horse or as I say a trojan is a piece of software that does something like this.

03:20.870 --> 03:22.960
No no no that's a real Trojan horse.

03:23.090 --> 03:28.940
What we're talking about when we say Trojan Horse we're talking about a piece of software that is running

03:28.970 --> 03:33.760
on your system and it may do something, it could be a game or a chat tool or whatever.

03:33.770 --> 03:38.150
So it's doing something nice but it's also doing something naughty in the background.

03:38.150 --> 03:42.290
So Trojan horses are not like viruses they don't propagate on their own.

03:42.320 --> 03:46.550
There has to be something compelling about that application that says oh I want to download this and

03:46.550 --> 03:48.340
run it type of thing.

03:48.360 --> 03:52.520
Now that type of Trojan is kind of old fashioned these days.

03:52.520 --> 03:57.410
What we tend to see more than anything else when we talk about Trojans are what we call remote access

03:57.410 --> 04:01.330
Trojans. A remote access Trojan is a Trojan.

04:01.340 --> 04:08.330
But the big difference is it doesn't do anything naughty until somebody in a remote location goes ahead

04:08.360 --> 04:12.680
and manually turns it on to do whatever naughtiness that it's going to do.

04:12.680 --> 04:17.810
So when we're talking about Trojan horse we've got the classic Trojans and then we have the remote access

04:17.810 --> 04:18.230
trojan.

04:18.230 --> 04:28.990
So when you're talking about a trojan remember it's a piece of software that something like that.

04:29.210 --> 04:31.940
Next is ransomware or crypto malware.

04:31.970 --> 04:33.200
Same term.

04:33.260 --> 04:38.450
What we're talking about here is a type of malware that, in fact, a lot of people think is one

04:38.450 --> 04:40.260
of the most evil malwares out there.

04:40.280 --> 04:46.880
And it simply does something to your system, locks it in some way that you can't get to it until you pay

04:46.880 --> 04:51.010
somebody some money to have them go ahead and unlock your system.

04:51.240 --> 04:56.330
Now ransomware has been out for a few years now, probably started originally with the infamous Crypto

04:56.340 --> 05:01.790
Locker, but there's a lot of derivations out there these days that can do all kinds of naughtiness and

05:01.790 --> 05:03.910
it is a big big problem.

05:03.970 --> 05:06.730
Now next I want to talk about one of my absolute favorites.

05:06.770 --> 05:07.610
The logic bomb

05:12.740 --> 05:19.850
A logic bomb has some similarities to a remote access Trojan. A logic bomb is a program that is sitting

05:19.850 --> 05:21.460
on a computer.

05:21.590 --> 05:22.990
It doesn't propagate.

05:23.000 --> 05:28.310
It has to activate but whereas a remote access trojan would be activated remotely.

05:28.410 --> 05:34.970
A logic bomb kicks off because some event has taken place. Probably one of the best examples of a logic

05:34.970 --> 05:41.750
bomb would be, say I'm a disgruntled employee and I can actually create a logic bomb that will

05:41.780 --> 05:46.960
only go off if an administrator disables my account for example if I was fired.

05:52.170 --> 05:57.450
Now there's a lot of malware out there that could be argued that it could be for goodness as much as

05:57.450 --> 05:58.550
for badness.

05:58.560 --> 06:06.120
So the two I'm talking about right now are rootkits and backdoors. Now a rootkit, and the name root

06:06.120 --> 06:15.120
is actually a clue, is a piece of software that grabs administrative or very, very big privileges so that

06:15.120 --> 06:18.560
it can do things to other stuff that's running on the computer.

06:18.630 --> 06:23.960
Probably the most famous rootkit of all was the famous Sony rootkit back a long time ago.

06:24.210 --> 06:29.280
And it's a great example of is it good or is it bad because that Sony rootkit was used for digital rights

06:29.280 --> 06:30.120
management.

06:30.150 --> 06:32.830
So in that case it was good for Sony.

06:32.880 --> 06:38.340
I don't know about the rest of us though. Rootkits are particularly notorious to detect because of the

06:38.340 --> 06:42.890
nature of their administrative or root level privileges.

06:42.900 --> 06:47.090
It can be a challenge to actually detect and get rid of them so it's always a big deal.

06:47.160 --> 06:55.800
Along with that is going to be a backdoor. Now a backdoor is a piece of software that has some intentionally

06:55.800 --> 06:59.820
derived way to get into it to do something.

06:59.840 --> 07:06.120
Now if I were a developer of software for example and I would write a backdoor that would allow me to

07:06.480 --> 07:10.820
access somebody in a remote situation so I could work on it that might be a good thing.

07:10.980 --> 07:16.400
It could be that, say, I could put a backdoor into my software application that erases

07:16.400 --> 07:17.910
it if you don't pay me on time.

07:18.030 --> 07:19.260
That might be a bad thing.

07:19.260 --> 07:25.740
So when we talk about backdoors, when we talk about rootkits, keep in mind that there is some argument

07:25.740 --> 07:26.340
for goodness.

07:26.340 --> 07:31.980
But generally when we'd call them malware they're doing something bad. Now the next thing I want to

07:31.980 --> 07:38.550
talk about isn't really so much malware itself as some aspects of what malware can do, and probably

07:38.550 --> 07:42.420
the best first example is going to be what we call polymorphic malware

07:46.910 --> 07:50.610
polymorphic malware is malware that changes itself.

07:50.750 --> 07:57.380
The reason it changes itself is because any anti-malware program is going to be using digital signatures

07:57.620 --> 08:00.850
to recognize these different types of bits of malware literally.

08:00.980 --> 08:05.360
Ones and zeroes that define these different pieces of naughty programs.

08:05.360 --> 08:11.870
So a polymorphic is simply going to change its own code just enough to confuse the digital signatures

08:11.930 --> 08:13.630
of your anti-malware program.

08:13.730 --> 08:15.750
And they are extremely common today.

08:16.080 --> 08:23.540
Now an armored virus is a little bit different. An armored virus is a virus that is designed to make

08:23.540 --> 08:27.750
it hard for the anti-malware people to figure out what's going on.

08:27.770 --> 08:34.490
The number one tool we use to get rid of malware is we get a piece of malware and then we reverse engineer

08:34.490 --> 08:35.950
it to see how it ticks.

08:36.200 --> 08:43.130
So an armored virus is going to, well first of all, it's going to have in its code little, like, memory

08:43.130 --> 08:47.440
locations and stuff that make it hard to actually find the malware itself.

08:47.660 --> 08:52.970
And then along with that it's going to have a lot of superfluous code that does absolutely nothing whose

08:53.030 --> 08:56.330
only job is to confuse the reverse engineers.

08:56.360 --> 09:02.610
So when we're talking about an armored virus or we're talking about polymorphic, that isn't just one

09:02.670 --> 09:05.970
piece of malware it's just aspects of what they might do.

09:05.970 --> 09:10.940
Now speaking of aspects we've talked about a lot of different pieces of malware in here.

09:10.950 --> 09:13.880
But one of the things we haven't talked about is what do they do.

09:13.890 --> 09:20.040
And probably one of the more common things that we see is what we call a keylogger. Keyloggers simply,

09:20.040 --> 09:27.210
as the name infers, will record keystrokes, letting people capture passwords or private information or

09:27.210 --> 09:28.310
whatever they might want.

09:28.410 --> 09:34.610
So a lot of different types of malware will use a keylogging function to get bad information.

09:34.770 --> 09:40.320
Now the other way we'll see keyloggers in a lot of situations is there'll be some type of little dongle, a

09:40.340 --> 09:46.170
PS/2 dongle that plugs into a keyboard, or a little USB device that you plug in, and that device

09:46.200 --> 09:48.510
is simply there to record keystrokes

09:51.480 --> 10:10.280
in.
