1
00:00:00,000 --> 00:00:05,366
Welcome to our last lesson of Introduction to Malware Analysis
2
00:00:08,200 --> 00:00:16,300
Step 1. We already talked about social engineering campaigns; we might add that the attackers use phishing, fake
3
00:00:16,300 --> 00:00:25,200
mails, free antivirus, books, and pirated software, all of them to trick users into downloading malware.
4
00:00:25,200 --> 00:00:34,866
Infected websites, those are especially scary because you are innocently surfing the internet and you don't know
5
00:00:34,866 --> 00:00:41,699
if the site was infected with malvertising or maybe cross-site scripting.
6
00:00:41,700 --> 00:00:49,733
Malvertising is malicious advertising, and uses legitimate online advertising services to spread malware.
7
00:00:49,733 --> 00:00:57,599
Cross-site scripting infects an online site; then, if you visit that site, you could get infected.
8
00:00:57,600 --> 00:01:07,433
As a general rule, be careful that the address is https if you are sending sensitive data, and keep your
9
00:01:07,433 --> 00:01:11,066
browser and antivirus updated. And of course, sharing infected files.
10
00:01:11,066 --> 00:01:21,199
Step 2. Dropper: delivers the payload to directly install malware. For example, if you open a Word document and execute a macro, this could
12
00:01:21,566 --> 00:01:27,932
contain a payload which will install malware directly in your system.
13
00:01:27,933 --> 00:01:35,699
Downloader: this malware establishes a connection to a C&C and tries to download more malware;
14
00:01:35,700 --> 00:01:45,700
a famous one is Upatre, which is a very nasty malware. Persistence: to achieve persistence, malware could install services,
15
00:01:45,700 --> 00:01:52,033
modify the registry, use the startup folder, install in the BIOS, and more.
16
00:01:52,033 --> 00:01:58,333
Step 3. Payload is the malware code, the bomb that will actually explode
17
00:01:58,333 --> 00:02:09,766
and infect your system, let's say with a keylogger or maybe ransomware; later we'll see those two in theory and practice.
18
00:02:09,766 --> 00:02:20,432
Spread: it means the malware tries to infect the equipment you are connected to. They use a technique called LATERAL MOVEMENT:
19
00:02:20,433 --> 00:02:31,266
It goes like this: first it scans Active Directory; this directory holds information about network resources, such as users,
20
00:02:31,266 --> 00:02:41,732
servers, printers, etc. It is the first step to identify the other network resources, find vulnerabilities, try to escalate privileges
21
00:02:41,733 --> 00:02:45,733
and try to infect them.
22
00:02:46,133 --> 00:02:50,133
and persistence again, which I just explained.
23
00:02:52,133 --> 00:03:03,133
Prevention methods. This is not a course about cybersecurity risks, so I will only mention some basic ones that are relevant for this course.
24
00:03:03,133 --> 00:03:11,866
A BASIC ONE: keep your antivirus and operating system updated. I am gonna stress the importance of a good antivirus
25
00:03:11,866 --> 00:03:17,232
because often people prefer the ones that are free.
26
00:03:17,233 --> 00:03:21,633
The cost of a good antivirus is around 60 dollars;
27
00:03:21,633 --> 00:03:25,066
they generally give you several licenses,
28
00:03:25,066 --> 00:03:31,032
you could share the costs with your relatives or friends, for example.
29
00:03:31,033 --> 00:03:34,233
Expensive? I don’t think so.
30
00:03:34,233 --> 00:03:43,166
REVEAL HIDDEN FILE EXTENSIONS IN WINDOWS. This is because attackers could try to masquerade executables as
31
00:03:43,166 --> 00:03:51,632
PDF, Word documents and more. To do so, go to File Explorer, View and Details.
32
00:03:51,633 --> 00:03:58,666
PRIVILEGE ADMINISTRATION: it means don't give Administrator privileges indiscriminately;
33
00:03:58,666 --> 00:04:03,499
instead grant only the privileges each user needs.
34
00:04:03,500 --> 00:04:08,366
This prevents lateral movements and privilege escalation.
35
00:04:08,366 --> 00:04:13,566
BACK UP YOUR DATA; you could try Data Loss Prevention Systems,
36
00:04:13,566 --> 00:04:18,066
especially useful in case of ransomware attacks.
37
00:04:18,066 --> 00:04:25,899
CHECK REMOVABLE MEDIA before opening it; set up your AV to do so.
38
00:04:25,900 --> 00:04:34,100
IT IS WELL KNOWN humans are the weakest cybersecurity link: keep your knowledge about cyber risks updated;
39
00:04:34,100 --> 00:04:40,766
if you are in charge of a team, encourage training to enforce safe behaviors.
40
00:04:40,766 --> 00:04:48,032
Some advice: check email links and attachments twice, ignore online deals,
41
00:04:48,033 --> 00:04:54,033
be aware of phishing, try to visit trusted pages.
42
00:04:54,033 --> 00:05:04,033
PROVE YOUR DEFENSES. Companies that take cybersecurity seriously hire red teaming exercises to prove their defenses;
43
00:05:04,033 --> 00:05:11,233
a red team is basically a group of pentesters trying to exploit vulnerabilities in your system.
44
00:05:11,233 --> 00:05:18,266
Also, you can prove your defenses in case of a ransomware attack on this website;
45
00:05:18,266 --> 00:05:22,966
you can find the address in the Ransomware help document.
46
00:05:23,366 --> 00:05:28,332
Types of analysis: static and dynamic analysis.
47
00:05:28,600 --> 00:05:38,566
Static: it means inspecting the file's binary without executing it. It is the first and basic step in your analysis. Its main purpose is to extract
48
00:05:38,566 --> 00:05:45,332
useful information from the malware, to make assumptions about the type of threat you are dealing with. Also, it should give us a clue on the
49
00:05:45,333 --> 00:05:54,799
path to take in later analysis. Knowing things like the type of file, text strings or APIs present in the binary will be useful to understand what
50
00:05:54,800 --> 00:06:00,800
could be its possible behavior and what tools we’ll need for further analysis.
51
00:06:05,400 --> 00:06:14,366
Dynamic analysis: dynamic means the malicious code is alive or running and executing all its functionalities; then we can
52
00:06:14,366 --> 00:06:22,232
search for suspicious activities in the file system, registry, network, processes, and services. Analyzing running malicious code could be
53
00:06:22,233 --> 00:06:29,366
dangerous, so we are taking all possible precautions. That's why we set up our lab in the section Setting up the Lab; this way we can
54
00:06:29,533 --> 00:06:31,366
run any malware safely.
55
00:06:31,366 --> 00:06:39,566
Please join me in the next section; we'll set up a safe lab to execute our malware samples.