The first type of malware that we're going to discuss is a virus. A computer virus is simply made up of malicious code that's run on a machine without the user's knowledge, and this code allows it to infect the computer whenever it's being run. Now, what does this look like in the real world? Well, maybe you've gone to download a new game from a website, and when you download that installation file, inside of it there may have been some malicious code. When you run the program to install it, you're allowing the code to be installed on your machine, and that virus now can take hold. At this point, the virus is going to want to reproduce and spread, and it does this because you have taken a user action. In this example, you installed the program, and that allowed the code to be run and the virus to start doing its nefarious things. This allows it to begin to replicate and spread across your network.

Now, the Security+ exam is going to separate viruses into 10 different types. We have boot sector, macro, program, multipartite, encrypted, polymorphic, metamorphic, stealth, armored, and hoax.
The first one we're going to talk about is a boot sector virus. A boot sector virus is one that's stored in the first sector of a hard drive and is loaded into memory whenever the computer boots up. These are actually very difficult to detect because they're installed before the operating system boots up. And so the antivirus that you have inside your Windows or your Mac machine is not going to be able to find these boot sector viruses very easily. Instead, you have to use an antivirus that specifically looks for boot sector viruses.

Next we have macros. Macros are a form of code that allows a virus to be embedded inside another document, and when that document is opened by the user, that virus is then executed. The most common examples of macros are ones that are found inside Word documents, Excel spreadsheets, or PowerPoint presentations. By default, macros aren't malicious. Actually, macros are used out there as a way for you to do a lot of good functions in a very short period of time. For example, I have a macro that I use within Microsoft Excel that allows me to do quicker calculations.
That is a piece of code that works properly, but because we have the ability to add code to these Office documents, bad guys can also add malicious code to those documents. And that's exactly what a macro virus does.

The next type of virus is a program virus. Program viruses seek out executables or application files to infect. For example, if you went and loaded a virus and it was able to install itself into your Microsoft Word program, every time you opened up Word you'd be loading that virus again and again. And that's why a program virus targets programs.

The next type of virus we have is a multipartite. A multipartite virus is a combination of a boot sector type virus and a program virus. By using this combination, the virus is able to place itself in the boot sector and be loaded every time the computer boots. And by doing so, it can then install itself in a program where it can be run each and every time the computer starts up. This allows it to have persistence and be able to be there over and over again.
So even if you're able to find the program part of the virus and clean it out from within Windows, you may not be able to see the boot sector part. And the next time you reboot, it reinstalls into Windows, infecting you again.

Another way that viruses try to hide themselves is by using encryption. When you have an encrypted virus, this virus is going to use a cipher to encrypt the contents of itself to avoid detection by any antivirus software. Because our antivirus providers are getting better and better all the time at understanding viruses, how they work, and how to stop them, encrypted viruses are making it harder for antivirus makers to find these types of viruses. And so again, this is one of those things where the good guys get better, so the bad guys get better, and then the good guys get better, and then the bad guys get better. And this brings us to our next one: a polymorphic virus. A polymorphic virus is an advanced version of an encrypted virus.
But instead of just encrypting the contents, it's actually going to change its code each time it's executed by altering the decryption module in order for it to evade detection. Now, I know this sounds really complicated, but what it's doing is trying to morph the way its code looks so that a signature-based antivirus can't detect it anymore. Like I said, it's basically a more complicated version of an encrypted virus that allows it to stay in your system longer and remain undetected.

Metamorphic viruses are able to rewrite themselves entirely before they attempt to infect a file. Essentially, this is an advanced version of a polymorphic virus. And so we went from encrypted to polymorphic to now metamorphic.

Next we have stealth viruses. These aren't necessarily a specific type of virus as much as a category of a virus protecting itself. When we talked about encrypted, polymorphic, and metamorphic viruses, these are all examples of stealth viruses. They're viruses that are using various different techniques to avoid detection by antivirus software.

Next we have armored viruses.
Armored viruses have a layer of protection to confuse a program or a person who's trying to analyze them. Again, this is another way that the virus is trying to protect itself and increase its odds of being able to spread to other users without being detected.

The final category of virus that we have is what's known as a hoax. Now, a hoax is actually not a virus in the traditional sense. Instead, when we get a virus hoax, someone is trying to trick a user into infecting their own machine. This might come in the form of a message or a website that pops up. It may be that they call you on the phone and pretend that they're from Microsoft tech support, tell you that your machine has been infected, and say that if you just follow their steps, they'll help you get rid of it. Usually this is somebody's game, somebody thinks it's a joke, or someone's trying to trick them out of money.
Regardless, when you get a virus hoax, you really don't have a virus unless you follow through with doing the things that the virus hoax tells you to do, like installing a particular program to remove the virus, or allowing remote access to your machine so somebody from tech support can clean it up for you. Either way, this is a form of social engineering where they're just trying to trick you. And when you actually try to help by giving them access or installing the program, instead you're actually putting the malicious code on your machine yourself. So beware of hoax viruses.