WEBVTT

00:00:00.160 --> 00:00:06.319
this hard drive contains 25 million

00:00:03.320 --> 00:00:12.400
pieces of malware and this computer is about to become very very sick what do

00:00:10.120 --> 00:00:17.160
you mean threat service has stopped Windows Defender is completely

00:00:14.879 --> 00:00:22.600
disabled but I guess that's what happens when you send $500 to a faceless person

00:00:20.080 --> 00:00:28.920
named smelly who runs a shady network that collects develops studies and

00:00:25.160 --> 00:00:30.480
reverse engineers nefarious code so why

00:00:28.920 --> 00:00:34.520
did I do that because if you're trying to learn about

00:00:32.040 --> 00:00:39.520
computer security this is probably the most valuable textbook you could find it

00:00:37.079 --> 00:00:44.039
contains their entire repository of malware samples research papers blog

00:00:41.879 --> 00:00:48.399
posts from security researchers and source code now of course it's all

00:00:46.440 --> 00:00:53.960
freely available on the VX underground website but the $500 isn't really for

00:00:51.480 --> 00:00:59.640
the content it's a donation to ensure they can keep building this repository

00:00:56.719 --> 00:01:04.360
which wait is that actually a good thing well let's talk about that the single

00:01:02.039 --> 00:01:09.759
biggest hole in most security systems computer or otherwise is trust new

00:01:07.360 --> 00:01:15.479
malware pops up every day and defending against it is a never-ending game

00:01:12.040 --> 00:01:17.840
of whack-a-mole that is such a constant

00:01:15.479 --> 00:01:22.479
churn of zero day exploits and unpatched vulnerabilities that it's better to just

00:01:19.840 --> 00:01:27.320
assume the worst that is why today's episode sponsor ThreatLocker uses a

00:01:25.079 --> 00:01:31.520
zero trust approach to security their endpoint protection platform works by

00:01:29.159 --> 00:01:34.799
assuming that applications are guilty until they're proven innocent meaning that

00:01:33.040 --> 00:01:38.960
users within your organization can't just accidentally open the wrong email

00:01:36.759 --> 00:01:42.680
attachment or program installer and take down the entire company from the inside

00:01:40.720 --> 00:01:45.159
lead to a whole bunch of really bad like oh I don't know

00:01:51.640 --> 00:01:57.560
maybe the very first thing I asked when this video got pitched to me was isn't

00:01:56.119 --> 00:02:03.840
this thing kind of dangerous to have lying around and the answer is yes yes

00:02:00.280 --> 00:02:07.039
but also no these mostly aren't ready to

00:02:03.840 --> 00:02:08.840
go viruses mostly and while they

00:02:07.039 --> 00:02:12.920
absolutely can wreak havoc on your system if you're not careful you don't

00:02:10.879 --> 00:02:17.120
really need to worry about doing a LockBit on yourself and encrypting your

00:02:14.519 --> 00:02:21.440
whole drive part of the reason for that is how things are stored most

00:02:19.239 --> 00:02:25.560
executables are missing the .exe file extension so the system is far less

00:02:23.480 --> 00:02:29.239
likely to automatically run them and everything else is in a password

00:02:27.080 --> 00:02:33.680
protected 7-Zip archive to prevent it from being automatically unpacked

00:02:31.599 --> 00:02:38.200
furthermore many of these malwares are older and the only real damage they can

00:02:35.800 --> 00:02:42.120
do to a fully updated system is by overloading Windows Defender threat

00:02:39.959 --> 00:02:46.879
detection engine that's what caused the weird behavior that you saw before of

00:02:44.360 --> 00:02:51.120
course many of them are still dangerous and once you've got them decompressed

00:02:48.440 --> 00:02:57.280
and armed all safety is completely out the Windows and also macOS and Linux

00:02:54.720 --> 00:03:02.319
Borat RAT popped up in 2022 and was referred to as a triple threat because

00:02:59.640 --> 00:03:08.159
on top of granting remote access it also includes DDoS and ransomware tools

00:03:06.200 --> 00:03:13.760
this seems like exactly the kind of thing I would want to just run launch

00:03:10.519 --> 00:03:16.760
Borat 7z archive in ANY.RUN Windows 10

00:03:13.760 --> 00:03:18.760
or 11 this is Linux yes would you like

00:03:16.760 --> 00:03:24.519
me to show you ANY.RUN they do sandboxing there's so much resetting and

00:03:21.400 --> 00:03:27.040
reimaging and everything in this project

00:03:24.519 --> 00:03:30.080
a fun one right oh it's just the best well interesting at least right it's

00:03:28.879 --> 00:03:33.680
interesting it's absolutely interesting it's also uh extremely scary

00:03:32.640 --> 00:03:38.760
I mean it's not like you could single-handedly take down the whole company if you do anything irresponsible

00:03:37.239 --> 00:03:43.720
or careless Windows 10 or 11 so we'll do

00:03:40.959 --> 00:03:48.599
Windows 11 here we'll run a public analysis it's going to start uploading

00:03:45.560 --> 00:03:51.000
the file we have 660 seconds to do this

00:03:48.599 --> 00:03:55.360
before it implodes implodes oh this instance just goes away in 10 11 minutes

00:03:53.879 --> 00:04:00.760
no matter what that's correct we're going to launch Borat.exe so if

00:03:57.680 --> 00:04:03.280
someone managed to execute this on your

00:04:00.760 --> 00:04:07.480
system this is what would happen this right here is actually the control panel

00:04:04.760 --> 00:04:11.879
for it so this is what the hacker sees got it and what I want to do right now

00:04:09.959 --> 00:04:17.600
is I'm going to go build a client for this so I'm going to go just quickly

00:04:14.840 --> 00:04:22.320
here build alls yep yeah we'll choose an icon here let's give it the Borat RAT

00:04:19.799 --> 00:04:27.919
icon okay so we are going to go build exe here client.exe is going to save

00:04:25.240 --> 00:04:31.960
into the Borat folder and then what we should be able to do and this works 50%

00:04:30.400 --> 00:04:36.120
of the time for me is when we open up client.exe so this will infect this

00:04:34.000 --> 00:04:40.080
instance this is what we would try to remotely execute on the target system

00:04:38.560 --> 00:04:45.160
yeah so we would try and remotely execute that and you can see that we've done that we've successfully infected

00:04:43.240 --> 00:04:50.639
ourselves it's going to run a couple it's going to run systeminfo.exe

00:04:47.479 --> 00:04:52.400
conhost hostname.exe just spit out

00:04:50.639 --> 00:04:57.240
absolutely everything that we want to know about this system here is

00:04:54.360 --> 00:05:00.560
everything about it all in just this uh this text file here and this will get

00:04:58.560 --> 00:05:05.120
sent to the attacker probably as fun as it gets as in the utilities so we can

00:05:03.320 --> 00:05:10.080
hide and show our taskbar hide and show our desktop just to mess with people

00:05:07.360 --> 00:05:16.440
yeah oh Mouse is the best swap will swap around the left and right click dude we

00:05:12.880 --> 00:05:20.199
can turn off the webcam light yep most

00:05:16.440 --> 00:05:22.160
webcams do work with the webcam light

00:05:20.199 --> 00:05:25.840
just kind of hardwired into the camera circuitry but some of them don't and

00:05:24.440 --> 00:05:30.840
that's where this is going to really exploit it the other thing this is going to do is allow you to turn on their

00:05:28.520 --> 00:05:34.280
webcam light basically activating their camera but not actually have to do any

00:05:32.800 --> 00:05:38.039
it's just a quick way of freaking them out if they're trying to make threats at

00:05:35.960 --> 00:05:41.759
you over the phone while you uh try and extort them for money FodHelper watch

00:05:40.160 --> 00:05:44.880
how easy it is to get admin you can see permission right here it says permission

00:05:43.199 --> 00:05:49.360
user over on the right side we're going to hit

00:05:46.360 --> 00:05:52.479
FodHelper it's going to restart the

00:05:49.360 --> 00:05:54.440
client and oh look admin that's it and

00:05:52.479 --> 00:06:00.160
they haven't patched that yet okay what are we running on yeah 2021 second half

00:05:58.039 --> 00:06:04.319
so this is pretty old Windows that's good that's really good

00:06:02.280 --> 00:06:07.080
that that's still unpatched on this version but it's probably patched

00:06:05.680 --> 00:06:12.479
somewhere else I I've not run this for real I'm very afraid of it obviously

00:06:09.960 --> 00:06:17.199
this dashboard here right there's a lot of lines yep I mean you could have a lot

00:06:15.360 --> 00:06:21.240
of clients and you could just poke around in one anytime you want what's

00:06:18.599 --> 00:06:25.199
surveillance do oh surveillance just uh just lets you watch a little bit you can

00:06:22.759 --> 00:06:30.240
remote shell remote screen remote camera go into their file manager you can

00:06:27.919 --> 00:06:34.960
record you can get their uh their Network information see what's what

00:06:32.319 --> 00:06:40.440
processes are running else we got here uh control so you can send files to them

00:06:37.240 --> 00:06:42.199
you can run yep key logger is built into

00:06:40.440 --> 00:06:46.120
every malware these days malware is where it gets real interesting oh I just

00:06:43.840 --> 00:06:48.759
pick what malware I want yeah you want to Dos somebody you can do that

00:06:47.440 --> 00:06:52.880
especially if you've got a lot of bots there uh you can ransomware them so if

00:06:51.160 --> 00:06:58.000
you wanted to just do a LockBit on someone you can just ransomware them

00:06:55.400 --> 00:07:03.720
like that there is a way in here to steal credentials for

00:07:00.240 --> 00:07:05.520
Discord it steals the the session token

00:07:03.720 --> 00:07:09.120
for Discord so that you can gain access to somebody's Discord and then start

00:07:07.879 --> 00:07:13.879
messaging all their friends start messaging their friends with your client.exe which you've just made look

00:07:12.199 --> 00:07:18.160
like whatever program you want because that's part of the whole uh Builder and

00:07:16.120 --> 00:07:23.199
this is this is old but it's it's not that old it's still active in some

00:07:20.560 --> 00:07:26.800
regards maybe not this exact version but clearly there's still people using it

00:07:25.440 --> 00:07:31.680
and this kind of thing is only going to get scarier and scarier when Windows 10

00:07:29.000 --> 00:07:35.400
reaches end of life dude mhm because so many people are going to stay on Windows 10

00:07:34.039 --> 00:07:38.960
and it's not going to be getting security patches guys patch your

00:07:37.080 --> 00:07:42.840
software the stuff that gets patched isn't what really worries me it's the

00:07:40.360 --> 00:07:45.680
zero days there's so many zero days and there's so much money in this now

00:07:44.280 --> 00:07:48.199
especially with all of those hospitals getting ransomwared

00:07:48.720 --> 00:07:54.720
anyway good

00:07:52.080 --> 00:07:58.720
luck practically speaking there is no limit to what a creative attacker could

00:07:56.800 --> 00:08:01.879
do with something like Borat RAT we haven't even touched on some of the

00:07:59.879 --> 00:08:05.919
basic functionality like exfiltrating data popping up text messages so the

00:08:03.759 --> 00:08:11.039
attacker can communicate with the victim but how does it do so much well a big

00:08:09.080 --> 00:08:15.520
part of it is thanks to the DLL files that are included these DLLs are mostly

00:08:13.800 --> 00:08:20.560
feature plugins that are taken from a fork of DcRat called SantaRAT when you

00:08:19.000 --> 00:08:25.000
really think about it Borat does look a bit like a dirty Wizard or a homeless

00:08:22.639 --> 00:08:30.520
Santa but that's besides the point the point is if we run the rat in a malware

00:08:27.759 --> 00:08:36.440
sandbox like ANY.RUN which we're using here we can get some idea of how it's executing

00:08:33.279 --> 00:08:39.440
individual exploits take the FodHelper

00:08:36.440 --> 00:08:42.200
exploit for example how is it giving the

00:08:39.440 --> 00:08:46.959
rat administrator privileges with almost no effort whatsoever well we can see

00:08:45.160 --> 00:08:52.000
that it makes some registry changes before launching FodHelper but what

00:08:49.560 --> 00:08:56.120
registry changes is it making exactly searching through the VX drive we can

00:08:54.120 --> 00:09:01.279
find the source code for it and see that it uses UAC bypass method 3 from

00:08:58.839 --> 00:09:05.720
options.dll the source code for options.dll might be missing but as we

00:09:03.720 --> 00:09:10.480
know it came from SantaRAT so we can check the source code for that and see

00:09:07.720 --> 00:09:14.399
that it's modifying this key in the registry even if we don't have any

00:09:12.480 --> 00:09:18.120
programming knowledge just searching our virus drive for Borat reveals several

00:09:16.440 --> 00:09:22.480
articles that summarize the threat in slightly more legible terms how can we

00:09:20.279 --> 00:09:26.079
use this though well if we're a bad actor now we know a way to get to a

00:09:24.720 --> 00:09:30.640
command prompt window with admin privileges and we can explain that but

00:09:28.079 --> 00:09:35.360
if we're a good actor we know to set up something to watch that section of the

00:09:32.320 --> 00:09:37.600
registry in order to avoid this issue

00:09:35.360 --> 00:09:42.399
that is where today's episode sponsor ThreatLocker comes in if we try to run

00:09:40.480 --> 00:09:46.440
this on a protected machine ThreatLocker will block the executable not

00:09:44.519 --> 00:09:51.519
because it's a known virus but because it's trying to execute at all our

00:09:49.519 --> 00:09:55.399
ThreatLocker administrator account can now see it within Response Center open it up in

00:09:53.720 --> 00:09:59.760
a virtualized testing environment to ensure that it's safe and either keep it

00:09:57.680 --> 00:10:03.839
on the block list add it to the allow list outright or allow it with ring

00:10:01.959 --> 00:10:08.279
fencing just in case you're not sure about the application ring fencing is

00:10:06.320 --> 00:10:12.000
the act of limiting what a program can do like blocking it from connecting to

00:10:10.279 --> 00:10:15.839
the internet blocking it from writing to the registry accessing protected files

00:10:14.000 --> 00:10:19.920
or interacting with high-risk applications like PowerShell and command

00:10:17.959 --> 00:10:23.360
prompt after all malware can't get access to an Administrator Command

00:10:21.360 --> 00:10:27.680
Prompt if it can't open a command prompt at all coming back to our VX underground

00:10:25.399 --> 00:10:31.959
drive though being able to pwn Windows not exactly a big accomplishment Windows

00:10:29.519 --> 00:10:37.040
machines get hacked every day what about Linux here's the thing web servers

00:10:34.920 --> 00:10:40.880
usually run Linux and there's a lot of things that are trying to Target that a

00:10:39.240 --> 00:10:46.639
WordPress server is especially susceptible to attacks like the c99

00:10:43.800 --> 00:10:50.240
backdoor ooh is it demo time WordPress is often used by would-be webmasters

00:10:48.440 --> 00:10:55.440
because it is relatively user friendly at least on the surface and free to use

00:10:52.560 --> 00:11:00.800
but not all of the plugins are free technically because of wordpress's GPL

00:10:58.079 --> 00:11:04.920
license all derivative works including plugins are required to use GPL as well that

00:11:02.920 --> 00:11:10.160
means that they can charge money but they also can't stop people from sharing

00:11:07.000 --> 00:11:12.480
their code so websites that host cracked

00:11:10.160 --> 00:11:17.160
plugins aren't usually able to be taken down by lawyers they do however often

00:11:15.279 --> 00:11:21.360
serve plugins with a little something extra that might make you want to pay

00:11:19.000 --> 00:11:25.079
for plugins from the official Source they can be used to host sketchy files

00:11:23.720 --> 00:11:29.399
they can be used to ransomware your network and once a back door is

00:11:27.079 --> 00:11:33.200
installed other malware can be uploaded and potentially

00:11:31.040 --> 00:11:39.200
executed want to show us how it works what I've done is gone ahead and just

00:11:35.240 --> 00:11:41.519
added uh our backdoor into one of the

00:11:39.200 --> 00:11:45.519
most generic websites of all time yeah this is a default theme the way that

00:11:43.360 --> 00:11:52.480
this could be kind of replicated in real world other than just through infected

00:11:48.800 --> 00:11:56.880
uh themes or plugins is also through

00:11:52.480 --> 00:11:58.639
mismanaged upload uh credentials so okay

00:11:56.880 --> 00:12:01.920
if you've got user uploads they can potentially make this happen and uh this

00:12:00.240 --> 00:12:05.079
is what the backdoor actually looks like so you can see that here we're

00:12:03.240 --> 00:12:08.800
going to localhost into the themes folder and we're just running this

00:12:06.279 --> 00:12:14.279
simple PHP file and now we have access to everything wait what okay so hold on

00:12:11.800 --> 00:12:19.519
a second so my server is serving that website that's correct and you took

00:12:16.519 --> 00:12:22.279
advantage of a misconfigured upload

00:12:19.519 --> 00:12:27.199
permission setting yes I just uploaded this file

00:12:24.160 --> 00:12:29.600
and I have this

00:12:27.199 --> 00:12:34.120
yes so this could be used to do any number of things let's say that your

00:12:31.160 --> 00:12:39.720
website was hosting um you know a cool mod for something or or a cool useful

00:12:37.399 --> 00:12:43.199
little application I could go in and I could replace the file with something

00:12:41.399 --> 00:12:47.160
completely different and if they don't bother to actually check the checksum

00:12:45.040 --> 00:12:50.800
that I publish on my site although I could of course overwrite the checksum

00:12:49.160 --> 00:12:55.000
as well then they could download a completely different file execute that

00:12:52.920 --> 00:13:00.279
on their computer and boom they're infected and since everything is usually

00:12:57.279 --> 00:13:03.320
done with not the greatest encryption

00:13:00.279 --> 00:13:05.360
for PHP websites usually especially

00:13:03.320 --> 00:13:11.440
WordPress the encryption on passwords Is Not Great you could just go in grab the

00:13:08.600 --> 00:13:16.279
database and then use I don't know your RTX 4090 at home to right crack the

00:13:14.480 --> 00:13:18.680
passwords kind of like in the uh Wi-Fi cracking video right you should check

00:13:17.519 --> 00:13:23.160
out that video If you haven't seen it already equally scary honestly that's a

00:13:21.440 --> 00:13:26.120
little bit less scary than uh than some of these things because people can steal

00:13:24.680 --> 00:13:29.760
your Wi-Fi credentials but this will allow them to do stuff to you from

00:13:28.120 --> 00:13:32.399
anywhere sure but if they're on your network then it's it's just so

00:13:31.320 --> 00:13:38.240
convenient at least you know they're nearby though that's nice that's true

00:13:34.959 --> 00:13:40.240
means I'm not alone now PHP is a just-in-time

00:13:38.240 --> 00:13:44.600
programming language so malware spreaders need to be a bit more creative

00:13:42.240 --> 00:13:49.680
than simply hiding it within a binary file that's where things like base 64

00:13:47.120 --> 00:13:54.480
encoding and gzip come into play by converting everything into unreadable

00:13:52.040 --> 00:14:00.639
text that also fits into a single line in a code editor they can turn 5,000

00:13:57.920 --> 00:14:05.120
lines of backdoor code into only nine pretty lines of totally not suspicious

00:14:02.720 --> 00:14:08.120
at all gibberish if that gibberish code gets into a publicly accessible part of

00:14:06.720 --> 00:14:12.040
a web server either through misconfigured file upload permissions or

00:14:10.040 --> 00:14:17.560
nefarious WordPress plugins it can be executed by anyone who knows it's there

00:14:14.759 --> 00:14:22.560
with PHP's eval function nefarious code can break out of the PHP container and

00:14:20.040 --> 00:14:27.480
start executing commands directly on the operating system now whoa whoa hold on a

00:14:25.040 --> 00:14:31.800
second here Linus all this seems pretty irresponsible are you guys really really

00:14:29.440 --> 00:14:39.199
just trusting VX underground and plugging this drive into a live system

00:14:34.160 --> 00:14:41.519
here the answer is no and of course not

00:14:39.199 --> 00:14:45.399
even though we're not using ANY.RUN here like we were with Windows our sponsor

00:14:43.600 --> 00:14:49.759
ThreatLocker would never forgive us if we just blindly gave out trust I mean

00:14:47.560 --> 00:14:54.639
that's the antithesis of the zero trust model trusting a stranger is the number

00:14:52.079 --> 00:14:58.800
one way to get pwned no worm or back door can ever match the effectiveness of

00:14:56.680 --> 00:15:02.360
a social engineering attack so if a guy named smelly tells you that the

00:15:00.720 --> 00:15:06.920
drive he gave you contains lots and lots of malware you should probably believe

00:15:04.680 --> 00:15:11.880
him and take the necessary precautions but what are they well to start with we

00:15:09.839 --> 00:15:16.360
set up our Linux machine to be air gapped okay to clarify no system is

00:15:14.600 --> 00:15:20.199
completely immune and it was only a few months ago that the popular compression

00:15:18.160 --> 00:15:25.320
library XZ was found to contain a backdoor but desktop Linux is less likely to

00:15:23.360 --> 00:15:30.440
be attacked with simple automated malware as for air gapping this refers

00:15:28.160 --> 00:15:35.360
to the practice of isolating a computer from the rest of your networked machines

00:15:32.639 --> 00:15:40.480
and it can be simulated with VLANs but if you want to be sure I'd recommend

00:15:37.199 --> 00:15:42.759
just unplugging it VLAN hopping isn't a

00:15:40.480 --> 00:15:46.920
huge risk these days but it isn't impossible of course if you want to step

00:15:44.959 --> 00:15:52.440
up your safety level further you need a malware sandbox a virtual machine on a

00:15:50.399 --> 00:15:57.079
virtual Network that is completely isolated from any other machine and that

00:15:55.120 --> 00:16:01.040
will be destroyed the moment that you no longer need it ThreatLocker has their

00:15:59.519 --> 00:16:04.279
testing environment feature that allows you to pass executables that are

00:16:02.720 --> 00:16:09.959
quarantined from your protected computers into their sandbox without

00:16:07.399 --> 00:16:13.519
ANY.RUN's overly restrictive time limit or the requirement to make your sample

00:16:11.319 --> 00:16:17.639
public now we're using ANY.RUN for deeper dives right now simply because it

00:16:15.560 --> 00:16:22.959
allows us to upload our samples directly but ThreatLocker's Response Center is

00:16:19.680 --> 00:16:24.959
more than adequate for 99% of use cases

00:16:22.959 --> 00:16:28.480
the two products the sponsored one and the other one actually complement each

00:16:26.440 --> 00:16:33.079
other really nicely to fill different sandboxing needs ThreatLocker is great

00:16:31.279 --> 00:16:37.800
for production environment work while ANY.RUN is better suited for noodling

00:16:35.360 --> 00:16:42.360
around shall we noodle some more Hey look it's the chief noodler himself what

00:16:39.560 --> 00:16:46.959
are we looking at now ooh LockBit yeah we're going to take a quick look at

00:16:43.880 --> 00:16:49.639
LockBit so I'm told it's shocking how simple

00:16:46.959 --> 00:16:53.560
it actually is that's in the script this is super cool is this a paid

00:16:51.680 --> 00:16:57.519
version of ANY.RUN yes okay did they send that over to us they did hey shout

00:16:55.079 --> 00:17:01.319
out ANY.RUN thanks so we're doing the same thing we did with Borat RAT we're going

00:16:58.720 --> 00:17:07.520
to drag it out of here and I did not password protect this one

00:17:05.360 --> 00:17:11.439
Tanner hey if we get infected I don't own the

00:17:09.039 --> 00:17:17.480
company so here we've got just some configuration things uh local discs true

00:17:14.640 --> 00:17:17.480
Network shares

00:17:18.480 --> 00:17:25.360
true yeah so I think it makes my skin crawl just thinking about something like

00:17:23.160 --> 00:17:29.080
this getting on our Network oh have I clarified that it's a ransomware well

00:17:27.600 --> 00:17:35.799
it's a ransomware if I didn't say that already so now we've got our decrypter

00:17:32.200 --> 00:17:40.640
mhm we've got password.dll so that's

00:17:35.799 --> 00:17:43.000
the decryption password here if uh if it

00:17:40.640 --> 00:17:48.960
is executed through DLL the exe version is a slightly different password but

00:17:45.480 --> 00:17:51.160
yeah it's it's essentially here's the

00:17:48.960 --> 00:17:56.280
here's the encrypter and then here's the key that you can provide to the victim

00:17:53.640 --> 00:18:00.640
in whatever form you like yeah what a lot of people have been doing lately is

00:17:57.840 --> 00:18:05.120
accepting the payment from their victims and then not decrypting so that is an

00:18:02.520 --> 00:18:11.080
option too that is a that is a whole other level of yeah so if you uh were to

00:18:08.159 --> 00:18:16.880
run LB3.exe and yeah you've now lost everything

00:18:14.159 --> 00:18:23.159
that was quick it actually looks you can set what kinds of files it looks for off

00:18:19.280 --> 00:18:25.320
the bat so you can aim for uh databases

00:18:23.159 --> 00:18:28.919
first if you want which is what a lot of places have going after more of a

00:18:26.640 --> 00:18:32.880
commercial entity yep see this is the kind of thing we cover on WAN and we

00:18:30.880 --> 00:18:37.080
talk about in the news and and we discuss but there's a big difference

00:18:35.159 --> 00:18:41.440
between you know sort of talking about what's out there and and these

00:18:39.039 --> 00:18:47.400
high-profile attacks and just seeing how simple the tools are you

00:18:45.760 --> 00:18:50.559
want to know I could do this you want to know how simple some of these are you

00:18:48.760 --> 00:18:54.400
know the WannaCry virus that was the one that was that was the ransomware that

00:18:52.200 --> 00:18:58.360
was just all over the place for several years there it got defeated when

00:18:56.280 --> 00:19:04.400
somebody went into the source code for it did a whole decompilation found uh found

00:19:02.120 --> 00:19:09.400
a line of code in there that kept calling one particular website address

00:19:07.520 --> 00:19:11.919
yeah so they decided to buy the domain because it hadn't been registered

00:19:10.640 --> 00:19:18.000
apparently that domain was just being used by WannaCry as a kill switch so

00:19:15.200 --> 00:19:22.320
they accidentally stopped WannaCry the guy ended up uh getting caught by the

00:19:20.200 --> 00:19:26.720
FBI for credit card fraud that he did earlier in his life and then the judge

00:19:24.440 --> 00:19:30.840
at judgment was like nah you know what the public good that you've done kind of

00:19:28.960 --> 00:19:34.840
outweighs whatever credit card fraud so if you're going to commit credit card

00:19:31.960 --> 00:19:39.039
fraud also stop the worst ransomware attacks in

00:19:36.799 --> 00:19:43.039
history of course the groups that are executing ransomware attacks be they

00:19:40.880 --> 00:19:46.919
WannaCry or LockBit or something else aren't just using ransomware they need

00:19:45.520 --> 00:19:51.720
to find a way to infiltrate their targets organization spread it around

00:19:49.600 --> 00:19:56.000
and remain undetected and many of these tasks require some level of social

00:19:53.400 --> 00:19:59.679
engineering so what might start as a phishing attack could then transition

00:19:57.840 --> 00:20:04.440
into a rat being planted which can then be used to plant the ransomware Borat

00:20:02.240 --> 00:20:09.240
RAT isn't its own ransomware necessarily but rather it's a vessel for carrying

00:20:06.799 --> 00:20:14.080
many payloads one of which happens to be LockBit style ransomwares and all of

00:20:12.120 --> 00:20:18.840
this is being accomplished by several competing groups um some are simply

00:20:16.280 --> 00:20:22.760
trying to cash in but some clearly have other goals in mind as there's strong

00:20:21.200 --> 00:20:27.159
evidence that many malware groups operate as part of government entities

00:20:24.880 --> 00:20:32.080
North Korea's Lazarus Group uh Russia's Berserk Bear and America's NSA

00:20:29.520 --> 00:20:37.440
Equation Group are just a few suspected examples so is this hard drive only for

00:20:35.600 --> 00:20:42.520
researchers or could somebody conceivably use this repository to

00:20:39.960 --> 00:20:47.520
create and spread malware possibly in an act of state sponsored

00:20:44.240 --> 00:20:49.840
terrorism don't kid yourself this is on

00:20:47.520 --> 00:20:54.400
the blacker side of gray and the only moral justification for its existence is

00:20:52.000 --> 00:20:57.919
that realistically the bad guys have access to this information anyway and by

00:20:56.440 --> 00:21:03.480
shedding light on it we're at least giving the good guys a fighting chance to

00:21:01.000 --> 00:21:07.600
counter any upcoming threats security through obscurity is a pipe dream and

00:21:05.840 --> 00:21:11.120
just like we probably upset some gas station owners when we made our video on

00:21:09.039 --> 00:21:15.279
the Flipper Zero we're probably ruffling some feathers with this one but we feel

00:21:12.960 --> 00:21:19.440
it's a valuable conversation to start and one that we should keep on having

00:21:18.200 --> 00:21:24.840
the last question you guys might be asking is what are we planning to do

00:21:22.120 --> 00:21:28.720
with the VX underground hard drive well the first thing is to put a warning

00:21:26.159 --> 00:21:32.440
label on it maybe even a bigger one than this and then after that I don't know

00:21:30.840 --> 00:21:36.200
we've actually had some really cool ideas for videos in the past that have

00:21:34.159 --> 00:21:41.880
required us to intentionally infect a system but providing real malware to us

00:21:39.400 --> 00:21:45.120
is against the policy of every white hat organization and person that we have

00:21:43.320 --> 00:21:49.760
ever interacted with so we have struggled at times to create for example

00:21:47.640 --> 00:21:53.520
an infected system to bring to a shop for servicing if you have any other

00:21:51.640 --> 00:21:57.799
ideas we're open to them but for now we're going to Fester on it for a little

00:21:55.159 --> 00:22:02.960
bit and seeing the kinds of threats that are not only out there but more numerous

00:22:00.440 --> 00:22:06.559
than I previously imagined I guess we'll look into hardening our security maybe

00:22:05.080 --> 00:22:10.279
with some help from our sponsor threat Locker if you guys liked this video why

00:22:08.880 --> 00:22:15.520
don't you check out the time we bought antivirus USB sticks from

00:22:12.720 --> 00:22:18.320
Facebook they were USB sticks all right
