WEBVTT

00:01.340 --> 00:02.600
Types of malware.

00:03.020 --> 00:04.370
Common Types.

00:04.550 --> 00:07.250
Droppers or Downloaders.

00:07.520 --> 00:08.810
Keyloggers.

00:08.810 --> 00:09.560
Or info.

00:09.560 --> 00:10.490
Stealers.

00:10.940 --> 00:13.730
Bots or spam Bots.

00:13.880 --> 00:14.690
Banker.

00:15.140 --> 00:16.040
Worm.

00:16.070 --> 00:18.320
Ransomware Miner.

00:18.530 --> 00:19.250
Backdoor.

00:21.060 --> 00:21.780
First.

00:22.140 --> 00:25.320
What are droppers and downloaders?

00:25.770 --> 00:33.000
Droppers use embedded scripts to extract an embedded executable from themselves and then execute it.

00:33.000 --> 00:40.350
It typically spreads through malware spam using Office Word or Excel documents.

00:41.370 --> 00:50.100
Downloaders are the same as droppers, except that the second stage is downloaded remotely from a C2

00:50.130 --> 00:52.770
server, a command and control server.

00:53.490 --> 01:00.510
So the file is not embedded, but instead the malware will reach out to the internet to download the

01:00.510 --> 01:01.500
second stage.

01:03.150 --> 01:05.700
Info stealers and keyloggers.

01:06.060 --> 01:11.730
Info stealers and keyloggers typically come in one and the same executable.

01:12.540 --> 01:15.120
Their purpose is to log keystrokes.

01:15.910 --> 01:19.990
It exfiltrates data by emailing the logs,

01:20.530 --> 01:26.170
the keylogs that it has captured, or it could use FTP as well.

01:27.230 --> 01:30.220
Data may also be stored locally.

01:31.130 --> 01:34.670
Communication with the server could be encrypted.

01:36.310 --> 01:40.150
It may be able to steal browser or application passwords.

01:40.660 --> 01:47.140
For example, Chrome, Firefox, IMVU, Outlook, or file passwords.

01:49.020 --> 01:51.120
Things to look out for in keyloggers.

01:51.150 --> 01:51.810
Keyloggers.

01:51.810 --> 01:54.990
Typically use the following APIs:

01:55.500 --> 01:57.210
GetAsyncKeyState.

01:57.810 --> 02:06.420
SetWindowsHookEx and GetForegroundWindow. Features used in stealers:

02:06.570 --> 02:15.480
Examples are sqlite3 used for Chrome, Firefox DLL, and also the API called CryptUnprotectData

02:15.510 --> 02:22.290
in order to decrypt the credentials that are stored in Chrome.

02:24.110 --> 02:31.520
Then we also have spam bots, or just bots in short, a type of malware.

02:31.910 --> 02:35.360
So an infected machine becomes part of a botnet.

02:36.260 --> 02:40.730
The botnet is controlled by the bot master or masters.

02:41.090 --> 02:50.090
It may be used in mining cryptocurrencies or in distributed denial of service attacks, also known

02:50.090 --> 02:52.100
as DDoS.

02:52.340 --> 02:56.090
Or it can also be used for sending malicious spam.

02:56.960 --> 03:02.120
Examples are Mirai, Satori, cartwheel and ZeroAccess.

03:02.360 --> 03:07.300
So on the right is a diagram of a hierarchy of a typical botnet.

03:07.310 --> 03:11.540
At the top we could have a bot master, and below it

03:11.570 --> 03:18.860
we have the command and control servers, C2 servers for short, and below that we have all the infected

03:18.860 --> 03:19.700
machines.

03:20.690 --> 03:23.880
Then we also have banker malware.

03:24.480 --> 03:29.460
These are very common and exist alongside info stealers.

03:29.760 --> 03:33.870
Their main purpose is to steal banking information.

03:34.260 --> 03:39.410
It does that through web injection or API hooking.

03:39.420 --> 03:51.240
For example, Zeus, DanaBot, Ramnit. As a sample of API hooking, it can intercept APIs and redirect them to

03:51.240 --> 03:55.050
its own fake API in order to steal information.

03:55.170 --> 03:59.580
For example, hooking of the HttpSendRequest API.

04:00.940 --> 04:02.650
Then you also have worms.

04:02.830 --> 04:06.310
Worms self-propagate across the network.

04:06.490 --> 04:08.950
Usually no interaction is required.

04:09.490 --> 04:14.880
This is because it can exploit vulnerabilities in operating systems.

04:14.890 --> 04:18.880
For example, the EternalBlue exploit or vulnerability.

04:18.910 --> 04:23.500
A worm can contain a malicious payload, for example WannaCry.

04:24.520 --> 04:31.150
It uses the EternalBlue and DoublePulsar exploits, and it contains a ransomware payload.

04:31.510 --> 04:34.270
Then we also have the ransomware malware.

04:34.930 --> 04:43.300
Ransomware encrypts files and displays a message asking for payment in order to release those files, and it typically

04:43.300 --> 04:47.710
uses Bitcoin as payment, for example WannaCry.

04:48.490 --> 04:56.140
It is gaining popularity because of cryptocurrency. Attacks are becoming larger, involving hundreds

04:56.140 --> 05:04.700
of thousands of machines becoming encrypted. And there are also miners, also known as crypto miners.

05:05.240 --> 05:12.890
They are usually created from open source cryptocurrency mining software, and miners use the victim

05:12.890 --> 05:18.740
machines to mine for cryptocurrency and send it to the attacker's wallet.

05:19.460 --> 05:22.730
It can spread through botnets or malware spamming.

05:23.770 --> 05:25.750
Then we also have the backdoors.

05:26.050 --> 05:33.670
Backdoors are also known as RATs, which stands for Remote Access Tool or Remote Access Trojan.

05:34.120 --> 05:38.290
This gives the attacker hidden remote access to the system.

05:38.980 --> 05:43.630
It may include info stealing and keylogging functionality.

05:43.930 --> 05:52.330
It also could use a reverse TCP connection if the victim machine is behind a firewall, so it can do

05:52.330 --> 05:56.290
a reverse connection to a command and control server on the internet.

05:56.380 --> 06:02.290
Sophisticated backdoors or RATs utilize a modular framework, for example

06:02.290 --> 06:03.460
Remcos RAT.

06:03.790 --> 06:05.110
Thank you for watching.
