1
00:00:00,160 --> 00:00:06,319
this hard drive contains 25 million

2
00:00:03,320 --> 00:00:12,400
pieces of malware and this computer is about to become very very sick what do

3
00:00:10,120 --> 00:00:17,160
you mean threat service has stopped Windows Defender is completely

4
00:00:14,879 --> 00:00:22,600
disabled but I guess that's what happens when you send $500 to a faceless person

5
00:00:20,080 --> 00:00:28,920
named smelly who runs a shady network that collects develops studies and

6
00:00:25,160 --> 00:00:30,480
reverse engineers nefarious code so why

7
00:00:28,920 --> 00:00:34,520
did I do that because if you're trying to learn about

8
00:00:32,040 --> 00:00:39,520
computer security this is probably the most valuable textbook you could find it

9
00:00:37,079 --> 00:00:44,039
contains their entire repository of malware samples research papers blog

10
00:00:41,879 --> 00:00:48,399
posts from security researchers and source code now of course it's all

11
00:00:46,440 --> 00:00:53,960
freely available on the VX underground website but the $500 isn't really for

12
00:00:51,480 --> 00:00:59,640
the content it's a donation to ensure they can keep building this repository

13
00:00:56,719 --> 00:01:04,360
which wait is that actually a good thing well let's talk about that the single

14
00:01:02,039 --> 00:01:09,759
biggest hole in most Security Systems computer or otherwise is trust new

15
00:01:07,360 --> 00:01:15,479
malware pops up every day and defending against it is a never-ending game

16
00:01:12,040 --> 00:01:17,840
of whack-a-mole that is such a constant

17
00:01:15,479 --> 00:01:22,479
churn of zero day exploits and unpatched vulnerabilities that it's better to just

18
00:01:19,840 --> 00:01:27,320
assume the worst that is why today's episode sponsor ThreatLocker uses a

19
00:01:25,079 --> 00:01:31,520
zero trust approach to security their endpoint protection platform works by

20
00:01:29,159 --> 00:01:34,799
assuming that applications are guilty until they're proven innocent meaning that

21
00:01:33,040 --> 00:01:38,960
users within your organization can't just accidentally open the wrong email

22
00:01:36,759 --> 00:01:42,680
attachment or program installer and take down the entire company from the inside

23
00:01:40,720 --> 00:01:45,159
lead to a whole bunch of really bad like oh I don't know

24
00:01:51,640 --> 00:01:57,560
maybe the very first thing I asked when this video got pitched to me was isn't

25
00:01:56,119 --> 00:02:03,840
this thing kind of dangerous to have lying around and the answer is yes yes

26
00:02:00,280 --> 00:02:07,039
but also no these mostly aren't ready to

27
00:02:03,840 --> 00:02:08,840
go viruses mostly and while they

28
00:02:07,039 --> 00:02:12,920
absolutely can wreak havoc on your system if you're not careful you don't

29
00:02:10,879 --> 00:02:17,120
really need to worry about doing a LockBit on yourself and encrypting your

30
00:02:14,519 --> 00:02:21,440
whole drive part of the reason for that is how things are stored most

31
00:02:19,239 --> 00:02:25,560
executables are missing the .exe file extension so the system is far less

32
00:02:23,480 --> 00:02:29,239
likely to automatically run them and everything else is in a password

33
00:02:27,080 --> 00:02:33,680
protected 7-Zip archive to prevent it from being automatically unpacked

34
00:02:31,599 --> 00:02:38,200
furthermore many of these malwares are older and the only real damage they can

35
00:02:35,800 --> 00:02:42,120
do to a fully updated system is by overloading Windows Defender threat

36
00:02:39,959 --> 00:02:46,879
detection engine that's what caused the weird behavior that you saw before of

37
00:02:44,360 --> 00:02:51,120
course many of them are still dangerous and once you've got them decompressed

38
00:02:48,440 --> 00:02:57,280
and armed all safety is completely out the Windows and also macOS and Linux

39
00:02:54,720 --> 00:03:02,319
Borat RAT popped up in 2022 and was referred to as a triple threat because

40
00:02:59,640 --> 00:03:08,159
on top of granting remote access it also includes DDoS and ransomware tools

41
00:03:06,200 --> 00:03:13,760
this seems like exactly the kind of thing I would want to just run launch

42
00:03:10,519 --> 00:03:16,760
Borat 7z archive in ANY.RUN Windows 10

43
00:03:13,760 --> 00:03:18,760
or 11 this is Linux yes would you like

44
00:03:16,760 --> 00:03:24,519
me to show you ANY.RUN they do sandboxing there's so much resetting and

45
00:03:21,400 --> 00:03:27,040
reimaging and everything in this project

46
00:03:24,519 --> 00:03:30,080
a fun one right oh it's just the best well interesting at least right it's

47
00:03:28,879 --> 00:03:33,680
interesting it's absolutely interesting it's also uh extremely scary

48
00:03:32,640 --> 00:03:38,760
I mean it's not like you could single-handedly take down the whole company if you do anything irresponsible

49
00:03:37,239 --> 00:03:43,720
or careless Windows 10 or 11 so we'll do

50
00:03:40,959 --> 00:03:48,599
Windows 11 here we'll run a public analysis it's going to start uploading

51
00:03:45,560 --> 00:03:51,000
the file we have 660 seconds to do this

52
00:03:48,599 --> 00:03:55,360
before it implodes implodes oh this instance just goes away in 10 11 minutes

53
00:03:53,879 --> 00:04:00,760
no matter what that's correct we're going to launch Borat.exe so if

54
00:03:57,680 --> 00:04:03,280
someone managed to execute this on your

55
00:04:00,760 --> 00:04:07,480
system this is what would happen this right here is actually the control panel

56
00:04:04,760 --> 00:04:11,879
for it so this is what the hacker sees got it and what I want to do right now

57
00:04:09,959 --> 00:04:17,600
is I'm going to go build a client for this so I'm going to go just quickly

58
00:04:14,840 --> 00:04:22,320
here build all yep yeah we'll choose an icon here let's give it the Borat RAT

59
00:04:19,799 --> 00:04:27,919
icon okay so we are going to go build exe here client.exe is going to save

60
00:04:25,240 --> 00:04:31,960
into the Borat folder and then what we should be able to do and this works 50%

61
00:04:30,400 --> 00:04:36,120
of the time for me is when we open up client.exe so this will infect this

62
00:04:34,000 --> 00:04:40,080
instance this is what we would try to remotely execute on the target system

63
00:04:38,560 --> 00:04:45,160
yeah so we would try and remotely execute that and you can see that we've done that we've successfully infected

64
00:04:43,240 --> 00:04:50,639
ourselves it's going to run a couple it's going to run systeminfo.exe

65
00:04:47,479 --> 00:04:52,400
conhost hostname.exe just spit out

66
00:04:50,639 --> 00:04:57,240
absolutely everything that we want to know about this system here is

67
00:04:54,360 --> 00:05:00,560
everything about it all in just this uh this text file here and this will get

68
00:04:58,560 --> 00:05:05,120
sent to the attacker probably as fun as it gets as in the utilities so we can

69
00:05:03,320 --> 00:05:10,080
hide and show our taskbar hide and show our desktop just to mess with people

70
00:05:07,360 --> 00:05:16,440
yeah oh Mouse is the best swap will swap around the left and right click dude we

71
00:05:12,880 --> 00:05:20,199
can turn off the webcam light yep most

72
00:05:16,440 --> 00:05:22,160
webcams do work with the webcam light

73
00:05:20,199 --> 00:05:25,840
just kind of hardwired into the camera circuitry but some of them don't and

74
00:05:24,440 --> 00:05:30,840
that's where this is going to really exploit it the other thing this is going to do is allow you to turn on their

75
00:05:28,520 --> 00:05:34,280
webcam light basically activating their camera but not actually have to do any

76
00:05:32,800 --> 00:05:38,039
it's just a quick way of freaking them out if they're trying to make threats at

77
00:05:35,960 --> 00:05:41,759
you over the phone while you uh try and extort them for money fodhelper watch

78
00:05:40,160 --> 00:05:44,880
how easy it is to get admin you can see permission right here it says permission

79
00:05:43,199 --> 00:05:49,360
user over on the right side we're going to hit

80
00:05:46,360 --> 00:05:52,479
fodhelper it's going to restart the

81
00:05:49,360 --> 00:05:54,440
client and oh look admin that's it and

82
00:05:52,479 --> 00:06:00,160
they haven't patched that yet okay what are we running on yeah 2021 second half

83
00:05:58,039 --> 00:06:04,319
so this is pretty old Windows that's good that's really good

84
00:06:02,280 --> 00:06:07,080
that that's still unpatched on this version but it's probably patched

85
00:06:05,680 --> 00:06:12,479
somewhere else I I've not run this for real I'm very afraid of it obviously

86
00:06:09,960 --> 00:06:17,199
this dashboard here right there's a lot of lines yep I mean you could have a lot

87
00:06:15,360 --> 00:06:21,240
of clients and you could just poke around in one anytime you want what's

88
00:06:18,599 --> 00:06:25,199
surveillance do oh surveillance just uh just lets you watch a little bit you can

89
00:06:22,759 --> 00:06:30,240
remote shell remote screen remote camera go into their file manager you can

90
00:06:27,919 --> 00:06:34,960
record you can get their uh their Network information see what's what

91
00:06:32,319 --> 00:06:40,440
processes are running else we got here uh control so you can send files to them

92
00:06:37,240 --> 00:06:42,199
you can run yep key logger is built into

93
00:06:40,440 --> 00:06:46,120
every malware these days malware is where it gets real interesting oh I just

94
00:06:43,840 --> 00:06:48,759
pick what malware I want yeah you want to DoS somebody you can do that

95
00:06:47,440 --> 00:06:52,880
especially if you've got a lot of bots there uh you can ransomware them so if

96
00:06:51,160 --> 00:06:58,000
you wanted to just do a LockBit on someone you can just ransomware them

97
00:06:55,400 --> 00:07:03,720
like that there is a way in here to steal credentials for

98
00:07:00,240 --> 00:07:05,520
Discord it steals the the session token

99
00:07:03,720 --> 00:07:09,120
for Discord so that you can gain access to somebody's Discord and then start

100
00:07:07,879 --> 00:07:13,879
messaging all their friends start messaging their friends with your client.exe which you've just made look

101
00:07:12,199 --> 00:07:18,160
like whatever program you want because that's part of the whole uh builder and

102
00:07:16,120 --> 00:07:23,199
this is old but it's not that old it's still active in some

103
00:07:20,560 --> 00:07:26,800
regards maybe not this exact version but clearly there's still people using it

104
00:07:25,440 --> 00:07:31,680
and this kind of thing is only going to get scarier and scarier when Windows 10

105
00:07:29,000 --> 00:07:35,400
reaches end of life dude M cuz so many people are going to stay on Windows 10

106
00:07:34,039 --> 00:07:38,960
and it's not going to be getting security patches guys patch your

107
00:07:37,080 --> 00:07:42,840
software the stuff that gets patched isn't what really worries me it's the

108
00:07:40,360 --> 00:07:45,680
zero days there's so many zero days and there's so much money in this now

109
00:07:44,280 --> 00:07:48,199
especially with all of those hospitals getting

110
00:07:48,720 --> 00:07:54,720
ransomwared anyway good

111
00:07:52,080 --> 00:07:58,720
luck practically speaking there is no limit to what a creative attacker could

112
00:07:56,800 --> 00:08:01,879
do with something like Borat RAT we haven't even touched on some of the

113
00:07:59,879 --> 00:08:05,919
basic functionality like exfiltrating data popping up text messages so the

114
00:08:03,759 --> 00:08:11,039
attacker can communicate with the victim but how does it do so much well a big

115
00:08:09,080 --> 00:08:15,520
part of it is thanks to the DLL files that are included these DLLs are mostly

116
00:08:13,800 --> 00:08:20,560
feature plugins that are taken from a fork of DcRAT called Santa RAT when you

117
00:08:19,000 --> 00:08:25,000
really think about it Borat does look a bit like a dirty wizard or a homeless

118
00:08:22,639 --> 00:08:30,520
Santa but that's besides the point the point is if we run the rat in a malware

119
00:08:27,759 --> 00:08:36,440
sandbox like ANY.RUN which we're using here we can get some idea of how it's executing

120
00:08:33,279 --> 00:08:39,440
individual exploits take the fodhelper

121
00:08:36,440 --> 00:08:42,200
exploit for example how is it giving the

122
00:08:39,440 --> 00:08:46,959
rat administrator privileges with almost no effort whatsoever well we can see

123
00:08:45,160 --> 00:08:52,000
that it makes some registry changes before launching fodhelper but what

124
00:08:49,560 --> 00:08:56,120
registry changes is it making exactly searching through the VX drive we can

125
00:08:54,120 --> 00:09:01,279
find the source code for it and see that it uses UAC bypass method 3 from

126
00:08:58,839 --> 00:09:05,720
options.dll the source code for options.dll might be missing but as we

127
00:09:03,720 --> 00:09:10,480
know it came from Santa RAT so we can check the source code for that and see

128
00:09:07,720 --> 00:09:14,399
that it's modifying this key in the registry even if we don't have any

129
00:09:12,480 --> 00:09:18,120
programming knowledge just searching our virus drive for Borat reveals several

130
00:09:16,440 --> 00:09:22,480
articles that summarize the threat in slightly more legible terms how can we

131
00:09:20,279 --> 00:09:26,079
use this though well if we're a bad actor now we know a way to get to a

132
00:09:24,720 --> 00:09:30,640
command prompt window with admin privileges and we can explain that but

133
00:09:28,079 --> 00:09:35,360
if we're a good actor we know to set up something to watch that section of the

134
00:09:32,320 --> 00:09:37,600
registry in order to avoid this issue

135
00:09:35,360 --> 00:09:42,399
that is where today's episode sponsor ThreatLocker comes in if we try to run

136
00:09:40,480 --> 00:09:46,440
this on a protected machine ThreatLocker will block the executable not

137
00:09:44,519 --> 00:09:51,519
because it's a known virus but because it's trying to execute at all our

138
00:05:49,519 --> 00:05:55,399
ThreatLocker administrator account can now see it within Response Center open it up in

139
00:09:53,720 --> 00:09:59,760
a virtualized testing environment to ensure that it's safe and either keep it

140
00:09:57,680 --> 00:10:03,839
on the block list add it to the allow list outright or allow it with ring

141
00:10:01,959 --> 00:10:08,279
fencing just in case you're not sure about the application ring fencing is

142
00:10:06,320 --> 00:10:12,000
the act of limiting what a program can do like blocking it from connecting to

143
00:10:10,279 --> 00:10:15,839
the internet blocking it from writing to the registry accessing protected files

144
00:10:14,000 --> 00:10:19,920
or interacting with high-risk applications like PowerShell and Command

145
00:10:17,959 --> 00:10:23,360
prompt after all malware can't get access to an Administrator Command

146
00:10:21,360 --> 00:10:27,680
Prompt if it can't open a command prompt at all coming back to our VX underground

147
00:10:25,399 --> 00:10:31,959
drive though being able to pwn Windows is not exactly a big accomplishment Windows

148
00:10:29,519 --> 00:10:37,040
machines get hacked every day what about Linux here's the thing web servers

149
00:10:34,920 --> 00:10:40,880
usually run Linux and there's a lot of things that are trying to target that a

150
00:10:39,240 --> 00:10:46,639
WordPress server is especially susceptible to attacks like the c99

151
00:10:43,800 --> 00:10:50,240
backdoor ooh is it demo time WordPress is often used by would-be webmasters

152
00:10:48,440 --> 00:10:55,440
because it is relatively user friendly at least on the surface and free to use

153
00:10:52,560 --> 00:11:00,800
but not all of the plugins are free technically because of WordPress's GPL

154
00:10:58,079 --> 00:11:04,920
license all derivative works including plugins are required to use GPL as well that

155
00:11:02,920 --> 00:11:10,160
means that they can charge money but they also can't stop people from sharing

156
00:11:07,000 --> 00:11:12,480
their code so websites that host cracked

157
00:11:10,160 --> 00:11:17,160
plugins aren't usually able to be taken down by lawyers they do however often

158
00:11:15,279 --> 00:11:21,360
serve plugins with a little something extra that might make you want to pay

159
00:11:19,000 --> 00:11:25,079
for plugins from the official source they can be used to host sketchy files

160
00:11:23,720 --> 00:11:29,399
they can be used to ransomware your network and once a backdoor is

161
00:11:27,079 --> 00:11:33,200
installed other malware can be uploaded and potentially

162
00:11:31,040 --> 00:11:39,200
executed want to show us how it works what I've done is gone ahead and just

163
00:11:35,240 --> 00:11:41,519
added uh our backdoor into one of the

164
00:11:39,200 --> 00:11:45,519
most generic websites of all time yeah this is a default theme the way that

165
00:11:43,360 --> 00:11:52,480
this could be kind of replicated in real world other than just through infected

166
00:11:48,800 --> 00:11:56,880
uh themes or plugins is also through

167
00:11:52,480 --> 00:11:58,639
mismanaged upload uh credentials so okay

168
00:11:56,880 --> 00:12:01,920
if you've got user uploads they can potentially make this happen and uh this

169
00:12:00,240 --> 00:12:05,079
is what the backdoor actually looks like so you can see that here we're

170
00:12:03,240 --> 00:12:08,800
going to localhost into the themes folder and we're just running this

171
00:12:06,279 --> 00:12:14,279
simple PHP file and now we have access to everything wait what okay so hold on

172
00:12:11,800 --> 00:12:19,519
a second so my server is serving that website that's correct and you took

173
00:12:16,519 --> 00:12:22,279
advantage of a misconfigured upload

174
00:12:19,519 --> 00:12:27,199
permission setting yes I just uploaded this file

175
00:12:24,160 --> 00:12:29,600
and I have this

176
00:12:27,199 --> 00:12:34,120
yes so this could be used to do any number of things let's say that your

177
00:12:31,160 --> 00:12:39,720
website was hosting um you know a cool mod for something or or a cool useful

178
00:12:37,399 --> 00:12:43,199
little application I could go in and I could replace the file with something

179
00:12:41,399 --> 00:12:47,160
completely different and if they don't bother to actually check the checksum

180
00:12:45,040 --> 00:12:50,800
that I publish on my site although I could of course overwrite the checksum

181
00:12:49,160 --> 00:12:55,000
as well then they could download a completely different file execute that

182
00:12:52,920 --> 00:13:00,279
on their computer and boom they're infected and since everything is usually

183
00:12:57,279 --> 00:13:03,320
done with not the greatest encryption

184
00:13:00,279 --> 00:13:05,360
for PHP websites usually especially

185
00:13:03,320 --> 00:13:11,440
WordPress the encryption on passwords is not great you could just go in grab the

186
00:13:08,600 --> 00:13:16,279
database and then use I don't know your RTX 4090 at home to right crack the

187
00:13:14,480 --> 00:13:18,680
passwords kind of like in the uh Wi-Fi cracking video right you should check

188
00:13:17,519 --> 00:13:23,160
out that video If you haven't seen it already equally scary honestly that's a

189
00:13:21,440 --> 00:13:26,120
little bit less scary than uh than some of these things because people can steal

190
00:13:24,680 --> 00:13:29,760
your Wi-Fi credentials but this will allow them to do stuff to you from

191
00:13:28,120 --> 00:13:32,399
anywhere sure but if they're on your network then it's just so

192
00:13:31,320 --> 00:13:38,240
convenient at least you know they're nearby though that's nice that's true

193
00:13:34,959 --> 00:13:40,240
means I'm not alone now PHP is a

194
00:13:38,240 --> 00:13:44,600
just-in-time programming language so malware spreaders need to be a bit more creative

195
00:13:42,240 --> 00:13:49,680
than simply hiding it within a binary file that's where things like base64

196
00:13:47,120 --> 00:13:54,480
encoding and gzip come into play by converting everything into unreadable

197
00:13:52,040 --> 00:14:00,639
text that also fits into a single line in a code editor they can turn 5,000

198
00:13:57,920 --> 00:14:05,120
lines of backdoor code into only nine pretty lines of totally not suspicious

199
00:14:02,720 --> 00:14:08,120
at all gibberish if that gibberish code gets into a publicly accessible part of

200
00:14:06,720 --> 00:14:12,040
a web server either through misconfigured file upload permissions or

201
00:14:10,040 --> 00:14:17,560
nefarious WordPress plugins it can be executed by anyone who knows it's there

202
00:14:14,759 --> 00:14:22,560
with PHP's eval function nefarious code can break out of the PHP container and

203
00:14:20,040 --> 00:14:27,480
start executing commands directly on the operating system now whoa whoa hold on a

204
00:14:25,040 --> 00:14:31,800
second here Linus all this seems pretty irresponsible are you guys really

205
00:14:29,440 --> 00:14:39,199
just trusting VX underground and plugging this drive into a live system

206
00:14:34,160 --> 00:14:41,519
here the answer is no and of course not

207
00:14:39,199 --> 00:14:45,399
even though we're not using ANY.RUN here like we were with Windows our sponsor

208
00:14:43,600 --> 00:14:49,759
ThreatLocker would never forgive us if we just blindly gave out trust I mean

209
00:14:47,560 --> 00:14:54,639
that's the antithesis of the zero trust model trusting a stranger is the number

210
00:14:52,079 --> 00:14:58,800
one way to get pwned no worm or back door can ever match the effectiveness of

211
00:14:56,680 --> 00:15:02,360
a social engineering attack so if a guy named smelly tells you that the

212
00:15:00,720 --> 00:15:06,920
drive he gave you contains lots and lots of malware you should probably believe

213
00:15:04,680 --> 00:15:11,880
him and take the necessary precautions but what are they well to start with we

214
00:15:09,839 --> 00:15:16,360
set up our Linux machine to be air gapped okay to clarify no system is

215
00:15:14,600 --> 00:15:20,199
completely immune and it was only a few months ago that the popular compression

216
00:15:18,160 --> 00:15:25,320
library XZ was found to contain a backdoor but desktop Linux is less likely to

217
00:15:23,360 --> 00:15:30,440
be attacked with simple automated malware as for air gapping this refers

218
00:15:28,160 --> 00:15:35,360
to the practice of isolating a computer from the rest of your networked machines

219
00:15:32,639 --> 00:15:40,480
and it can be simulated with VLANs but if you want to be sure I'd recommend

220
00:15:37,199 --> 00:15:42,759
just unplugging it VLAN hopping isn't a

221
00:15:40,480 --> 00:15:46,920
huge risk these days but it isn't impossible of course if you want to step

222
00:15:44,959 --> 00:15:52,440
up your safety level further you need a malware sandbox a virtual machine on a

223
00:15:50,399 --> 00:15:57,079
virtual network that is completely isolated from any other machine and that

224
00:15:55,120 --> 00:16:01,040
will be destroyed the moment that you no longer need it ThreatLocker has their

225
00:15:59,519 --> 00:16:04,279
testing environment feature that allows you to pass executables that are

226
00:16:02,720 --> 00:16:09,959
quarantined from your protected computers into their sandbox without

227
00:16:07,399 --> 00:16:13,519
ANY.RUN's overly restrictive time limit or the requirement to make your sample

228
00:16:11,319 --> 00:16:17,639
public now we're using ANY.RUN for deeper dives right now simply because it

229
00:16:15,560 --> 00:16:22,959
allows us to upload our samples directly but ThreatLocker's Response Center is

230
00:16:19,680 --> 00:16:24,959
more than adequate for 99% of use cases

231
00:16:22,959 --> 00:16:28,480
the two products the sponsored one and the other one actually complement each

232
00:16:26,440 --> 00:16:33,079
other really nicely to fill different sandboxing needs ThreatLocker is great

233
00:16:31,279 --> 00:16:37,800
for production environment work while ANY.RUN is better suited for noodling

234
00:16:35,360 --> 00:16:42,360
around shall we noodle some more Hey look it's the chief noodler himself what

235
00:16:39,560 --> 00:16:46,959
are we looking at now ooh LockBit yeah we're going to take a quick look at

236
00:16:43,880 --> 00:16:49,639
LockBit so I'm told it's shocking how simple

237
00:16:46,959 --> 00:16:53,560
it actually is that's in the script this is super cool is this a paid

238
00:16:51,680 --> 00:16:57,519
version of ANY.RUN yes okay did they send that over to us they did hey shout

239
00:16:55,079 --> 00:17:01,319
out ANY.RUN thanks so we're doing the same thing we did with Borat RAT we're going

240
00:16:58,720 --> 00:17:07,520
to drag it out of here and I did not password protect this one

241
00:17:05,360 --> 00:17:11,439
Tanner hey if we get infected I don't own the

242
00:17:09,039 --> 00:17:17,480
company so here we've got just some configuration things uh local disks true

243
00:17:14,640 --> 00:17:17,480
network shares

244
00:17:18,480 --> 00:17:25,360
true yeah so I think it makes my skin crawl just thinking about something like

245
00:17:23,160 --> 00:17:29,080
this getting on our network oh have I clarified that it's a ransomware well

246
00:17:27,600 --> 00:17:35,799
it's a ransomware if I didn't say that already so now we've got our decrypter

247
00:17:32,200 --> 00:17:40,640
mhm we've got password.dll so that's

248
00:17:35,799 --> 00:17:43,000
the decryption password here if uh if it

249
00:17:40,640 --> 00:17:48,960
is executed through the DLL the exe version is a slightly different password but

250
00:17:45,480 --> 00:17:51,160
yeah it's essentially here's the

251
00:17:48,960 --> 00:17:56,280
here's the encrypter and then here's the key that you can provide to the victim

252
00:17:53,640 --> 00:18:00,640
in whatever form you like yeah what a lot of people have been doing lately is

253
00:17:57,840 --> 00:18:05,120
accepting the payment from their victims and then not decrypting so that is an

254
00:18:02,520 --> 00:18:11,080
option too that is a that is a whole other level of yeah so if you uh were to

255
00:18:08,159 --> 00:18:16,880
run LB3.exe and yeah you've now lost everything

256
00:18:14,159 --> 00:18:23,159
that was quick it actually looks you can set what kinds of files it looks for off

257
00:18:19,280 --> 00:18:25,320
the bat so you can aim for uh databases

258
00:18:23,159 --> 00:18:28,919
first if you want which is what a lot of places have going after more of a

259
00:18:26,640 --> 00:18:32,880
commercial entity yep see this is the kind of thing we cover on Wow and we

260
00:18:30,880 --> 00:18:37,080
talk about in the news and we discuss but there's a big difference

261
00:18:35,159 --> 00:18:41,440
between you know sort of talking about what's out there and and these

262
00:18:39,039 --> 00:18:47,400
high-profile attacks and just seeing how simple the tools are you

263
00:18:45,760 --> 00:18:50,559
want to know I could do this you want to know how simple some of these are you

264
00:18:48,760 --> 00:18:54,400
know the WannaCry virus that was the ransomware that

265
00:18:52,200 --> 00:18:58,360
was just all over the place for several years there it got defeated when

266
00:18:56,280 --> 00:19:04,400
somebody went into the source code for it did a whole decompilation found uh

267
00:19:02,120 --> 00:19:09,400
a line of code in there that kept calling one particular website address

268
00:19:07,520 --> 00:19:11,919
yeah so they decided to buy the domain because it hadn't been registered

269
00:19:10,640 --> 00:19:18,000
apparently that domain was just being used by WannaCry as a kill switch so

270
00:19:15,200 --> 00:19:22,320
they accidentally stopped WannaCry the guy ended up uh getting caught by the

271
00:19:20,200 --> 00:19:26,720
FBI for credit card fraud that he did earlier in his life and then the judge

272
00:19:24,440 --> 00:19:30,840
at judgment was like nah you know what the public good that you've done kind of

273
00:19:28,960 --> 00:19:34,840
outweighs whatever credit card fraud so if you're going to commit credit card

274
00:19:31,960 --> 00:19:39,039
fraud also stop the worst ransomware attacks in

275
00:19:36,799 --> 00:19:43,039
history of course the groups that are executing ransomware attacks be they

276
00:19:40,880 --> 00:19:46,919
WannaCry or LockBit or something else aren't just using ransomware they need

277
00:19:45,520 --> 00:19:51,720
to find a way to infiltrate their target's organization spread it around

278
00:19:49,600 --> 00:19:56,000
and remain undetected and many of these tasks require some level of social

279
00:19:53,400 --> 00:19:59,679
engineering so what might start as a phishing attack could then transition

280
00:19:57,840 --> 00:20:04,440
into a RAT being planted which can then be used to plant the ransomware Borat

281
00:20:02,240 --> 00:20:09,240
RAT isn't its own ransomware necessarily but rather it's a vessel for carrying

282
00:20:06,799 --> 00:20:14,080
many payloads one of which happens to be LockBit-style ransomware and all of

283
00:20:12,120 --> 00:20:18,840
this is being accomplished by several competing groups um some are simply

284
00:20:16,280 --> 00:20:22,760
trying to cash in but some clearly have other goals in mind as there's strong

285
00:20:21,200 --> 00:20:27,159
evidence that many malware groups operate as part of government entities

286
00:20:24,880 --> 00:20:32,080
North Korea's Lazarus Group uh Russia's Berserk Bear and America's NSA

287
00:20:29,520 --> 00:20:37,440
Equation Group are just a few suspected examples so is this hard drive only for

288
00:20:35,600 --> 00:20:42,520
researchers or could somebody conceivably use this repository to

289
00:20:39,960 --> 00:20:47,520
create and spread malware possibly in an act of state sponsored

290
00:20:44,240 --> 00:20:49,840
terrorism don't kid yourself this is on

291
00:20:47,520 --> 00:20:54,400
the blacker side of gray and the only moral justification for its existence is

292
00:20:52,000 --> 00:20:57,919
that realistically the bad guys have access to this information anyway and by

293
00:20:56,440 --> 00:21:03,480
shedding light on it we're at least giving the good guys a fighting chance to

294
00:21:01,000 --> 00:21:07,600
counter any upcoming threats security through obscurity is a pipe dream and

295
00:21:05,840 --> 00:21:11,120
just like we probably upset some gas station owners when we made our video on

296
00:21:09,039 --> 00:21:15,279
the Flipper Zero we're probably ruffling some feathers with this one but we feel

297
00:21:12,960 --> 00:21:19,440
it's a valuable conversation to start and one that we should keep on having

298
00:21:18,200 --> 00:21:24,840
the last question you guys might be asking is what are we planning to do

299
00:21:22,120 --> 00:21:28,720
with the VX underground hard drive well the first thing is to put a warning

300
00:21:26,159 --> 00:21:32,440
label on it maybe even a bigger one than this and then after that I don't know

301
00:21:30,840 --> 00:21:36,200
we've actually had some really cool ideas for videos in the past that have

302
00:21:34,159 --> 00:21:41,880
required us to intentionally infect a system but providing real malware to us

303
00:21:39,400 --> 00:21:45,120
is against the policy of every white hat organization and person that we have

304
00:21:43,320 --> 00:21:49,760
ever interacted with so we have struggled at times to create for example

305
00:21:47,640 --> 00:21:53,520
an infected system to bring to a shop for servicing if you have any other

306
00:21:51,640 --> 00:21:57,799
ideas we're open to them but for now we're going to fester on it for a little

307
00:21:55,159 --> 00:22:02,960
bit and seeing the kinds of threats that are not only out there but more numerous

308
00:22:00,440 --> 00:22:06,559
than I previously imagined I guess we'll look into hardening our security maybe

309
00:22:05,080 --> 00:22:10,279
with some help from our sponsor ThreatLocker if you guys liked this video why

310
00:22:08,880 --> 00:22:15,520
don't you check out the time we bought antivirus USB sticks from

311
00:22:12,720 --> 00:22:18,320
Facebook they were USB sticks all right
