In this section of the course, we're going to talk about malware infections, because malware doesn't just appear on your computer. It doesn't just show up out of thin air. Somebody has to deliver it somehow and install it on your machine. Malware can be delivered in lots of different ways, including through software, messaging and media, from a botnet or zombies. It can have active interception that's going to put malware into your network, or it can have a privilege escalation where somebody goes from being a regular user to a super user and infects your computer. Also, there's back doors and logic bombs. There are a lot of different ways to get malicious software onto your machine. In fact, one of the simplest delivery methods is when somebody has physical access to your machine and plugs in something like a thumb drive that's already infected.

So, when we think about malware, there are really two pieces of how malware gets onto your machine. The first is what we call a threat vector. A threat vector is the method used by an attacker to access a victim's machine. Some examples of threat vectors are unpatched software, installation from a USB thumb drive, a phishing campaign where one of your users clicks on a link to install a program, and many other different methods that are out there. After we figure out what the threat vector is, the next piece is what we call the attack vector. An attack vector is the means by which the attacker is going to gain access to that computer in order to infect you with malware. Now, I know these two terms sound very similar, but there is a key difference. A threat vector is how we get to the machine itself, but the attack vector includes both the way we got to the machine and how we're going to infect it.

Let me provide you an example to hopefully simplify this just a little bit. Let's pretend that your house is a computer, and I have a cupcake that's going to represent malware. My job as the attacker is to get the cupcake from my house to your house and put it on your kitchen table. Now, that's my goal as the attacker. You are going to try and defend against it. The threat vector I use might be that I can drive right up to your house, because your house isn't inside a gated community and there are no security guards looking for me. This would be a threat vector: your unguarded neighborhood. Now, if I walk up to your door, and I start picking your lock, and I enter your house, and I place the cupcake on your kitchen table, this represents the attack vector. It's all the things I did, from driving to your house, to picking your lock, and delivering that poison cupcake onto your kitchen table. That's the difference between the threat vector and the attack vector.

Now, let's go back to the world of computers for a moment. Let's pretend that you have an old computer that's running Windows 7, and you haven't bothered installing or downloading the latest security patches, because you've just been busy and haven't had time. Well, maybe you haven't installed these patches in quite a long while. So you have a computer that's missing a critical patch, like the Microsoft 17-010 patch, which came out in 2017. This was an essential security patch for the EternalBlue vulnerability. This is a threat vector. This is your unpatched computer, but I don't yet have an attack vector, not yet. Now, as an attacker, I'm sitting there and I'm scanning the internet. I'm trying to find unpatched computers, and lo and behold, I find your computer and I determine that it's missing this critical patch, and therefore you're vulnerable to an exploit against your file and printer services, which are known as SMB. Once I run this exploit, I'm going to be able to gain access to your machine and install some kind of malware on it. This series of events now becomes my attack vector. In fact, this is the exact same attack vector that was used by the WannaCry ransomware. What they ended up doing was they searched the internet for unpatched Windows machines, and when they found them that were missing the patch 17-010, they ran an exploit against them to gain administrative rights and encrypt the user's files, and then post a message saying, "Your computer's locked, and if you want to get the access to it, you're going to pay me some money."

In this section, we're going to look at various infection vectors that malware uses, as well as how to prevent malware from being installed on your system. Also, we'll cover how to remove malware if it does find its way in. So, let's get started.