WEBVTT - 7 Types of Malware 0:00:04.400 --> 0:00:07.800 Welcome to tech Stuff, a production from I Heart Radio. 0:00:11.920 --> 0:00:14.520 He there, and welcome to tech Stuff. I'm your host, 0:00:14.680 --> 0:00:17.760 Jonathan Strickland. I'm an executive producer with I Heart Radio 0:00:17.840 --> 0:00:21.040 and how the tech are you So? On the tech 0:00:21.079 --> 0:00:25.079 Stuff news episodes, I often end up talking about stories 0:00:25.320 --> 0:00:30.480 involving malware, and I'm guessing you're all aware of malware 0:00:30.520 --> 0:00:33.080 at least to some degree. If you work for a 0:00:33.120 --> 0:00:37.200 company like mine, you'll hear about malware several times a month, 0:00:37.520 --> 0:00:40.760 as we have an extremely proactive I T security team 0:00:40.840 --> 0:00:43.400 that works hard to keep employees up to speed on 0:00:43.440 --> 0:00:47.000 the dangers of malware and the various tactics used to 0:00:47.040 --> 0:00:51.200 deliver payloads to targets. But I figure it's always good 0:00:51.360 --> 0:00:55.440 to do a quick rundown on different variations of malware 0:00:56.120 --> 0:00:59.760 and what they do. Now, keep in mind, well I'll 0:00:59.800 --> 0:01:04.200 be talking about broad categories. You can sometimes find examples 0:01:04.319 --> 0:01:07.319 of specific malware that kind of belonged to more than 0:01:07.400 --> 0:01:12.360 one type or category. And I'm really I'm using categories 0:01:12.360 --> 0:01:16.720 that are identified by Cisco because you have to take 0:01:16.760 --> 0:01:20.080 definitions from somewhere. But as it turns out, because of 0:01:20.120 --> 0:01:23.880 these similarities between different types, you can sometimes find other 0:01:23.920 --> 0:01:26.720 companies that will define them in a slightly different way, 0:01:27.280 --> 0:01:31.280 but I figure your Cisco is a pretty good authority 0:01:31.319 --> 0:01:35.320 to build this episode off of. Just keep in mind, 0:01:35.319 --> 0:01:38.800 if you do your own research, you might find variations 0:01:38.959 --> 0:01:41.880 on what we'll be talking about here. So starting off, 0:01:41.920 --> 0:01:45.600 before we even get into the different kinds, let's define malware, 0:01:45.760 --> 0:01:52.600 so that term is short for malicious software malware. Back 0:01:52.640 --> 0:01:55.720 in the early days of computing, I always just heard 0:01:55.720 --> 0:02:00.200 of viruses, and you know, viruses are a subcategory. There 0:02:00.240 --> 0:02:05.120 are a type of malware, and I actually to this 0:02:05.240 --> 0:02:09.960 day still have to focus to refer to malicious software 0:02:10.000 --> 0:02:12.400 as malware instead of just doing the lazy thing and 0:02:12.440 --> 0:02:16.040 calling them all viruses. Because when I was a kid 0:02:16.440 --> 0:02:20.160 and personal computers were first becoming a thing, that's what 0:02:20.240 --> 0:02:23.240 we referred to all malicious software. It was all of virus, 0:02:23.680 --> 0:02:26.520 partly because networking was not really a thing with personal 0:02:26.520 --> 0:02:30.520 computers in the early days. So anyway, old habits die hard. 0:02:30.560 --> 0:02:34.000 That's why I sometimes will still do it. But uh, 0:02:34.240 --> 0:02:36.880 as I said, we'll see that virus is one subset 0:02:36.880 --> 0:02:41.360 of malware. And because we're talking malicious software and not 0:02:41.520 --> 0:02:45.480 just cheeky programs that are meant to cause mischief. We 0:02:45.560 --> 0:02:49.040 typically will say that cyber criminals are the ones responsible 0:02:49.080 --> 0:02:51.799 for developing the software in the first place, and they 0:02:51.800 --> 0:02:54.000 may or may not be the same cyber criminals who 0:02:54.040 --> 0:02:58.240 actually distribute the malware. Now, many folks will use the 0:02:58.280 --> 0:03:03.080 word hacker to stand in for cyber criminal, but I 0:03:03.160 --> 0:03:07.960 object to that because it implies that hackers collectively are 0:03:08.560 --> 0:03:12.880 bad people. But if you'll forgive me a short tangent, 0:03:13.120 --> 0:03:16.160 I'd like to explain why that's not really the case. 0:03:16.800 --> 0:03:19.960 So the word hacker in the context of someone who 0:03:20.000 --> 0:03:23.440 works with code dates back to the late nineteen fifties 0:03:23.480 --> 0:03:27.800 and early nineteen sixties at m i T the Massachusetts 0:03:27.880 --> 0:03:33.359 Institute of Technology in other words, and it an originated 0:03:33.400 --> 0:03:37.800 of the college's Tech Model Railroad Club or t m 0:03:37.960 --> 0:03:41.760 r C. In fact, there's this humorous definition that Peter R. 0:03:41.960 --> 0:03:46.280 Sampson created for the term hack, which then could be 0:03:46.320 --> 0:03:51.040 extended to hacker. And the definition for hack, according to Sampson, 0:03:51.320 --> 0:03:57.440 is this hack something done without constructive end, a project 0:03:57.520 --> 0:04:02.720 undertaken on bad self advice, an intrope booster, or to 0:04:02.800 --> 0:04:07.040 produce or attempt to produce a hack. So noun and 0:04:07.160 --> 0:04:10.040 a verb, and I do not wish to put words 0:04:10.080 --> 0:04:13.080 into Mr Sampson's mouth, but I believe he may be 0:04:13.360 --> 0:04:17.040 using the word entropy here to specifically refer to a 0:04:17.080 --> 0:04:22.599 decline into general disorder. Anyway, the blossoming field of computer 0:04:22.680 --> 0:04:25.640 science took on hacker to mean people who were putting 0:04:25.640 --> 0:04:30.559 together code, sometimes fruitlessly, as they were trying to get 0:04:30.600 --> 0:04:34.359 a system to do something specific, Like they had a 0:04:34.400 --> 0:04:38.359 specific goal they were working toward, and they were hacking 0:04:38.440 --> 0:04:42.599 their way to getting that goal to come true. And 0:04:42.760 --> 0:04:46.360 you know, the early days of computer science there was 0:04:46.400 --> 0:04:49.200 a lot of trial and error when it came to 0:04:49.320 --> 0:04:52.520 writing code that could achieve a specific purpose. There are 0:04:52.560 --> 0:04:56.760 a lot of early programs that essentially did what they 0:04:56.760 --> 0:05:00.360 set out to do, but on careful review of the code, 0:05:01.240 --> 0:05:06.800 as as Jonathan Colton might say, it is not elegant, uh, 0:05:06.839 --> 0:05:10.920 and it does not really do the goal efficiently, and 0:05:10.920 --> 0:05:14.839 that you know, it's it's really a poorly programmed piece 0:05:14.839 --> 0:05:16.720 of code, except for the fact that it actually does 0:05:16.760 --> 0:05:19.840 achieve what it set out to do. Now, later on, 0:05:20.120 --> 0:05:23.119 the word hacker would be used to describe curious folks 0:05:23.160 --> 0:05:27.600 who just wanted to know how different technological stuff works, like, 0:05:27.920 --> 0:05:32.240 for example, how does a telephone network route calls. These 0:05:32.279 --> 0:05:37.200 hackers would explore technology and technological systems. They would learn 0:05:37.279 --> 0:05:40.760 all about the quirks of those pieces of tech, you know, 0:05:40.839 --> 0:05:44.599 what made them tick, and perhaps most importantly, how to 0:05:44.720 --> 0:05:49.600 make the tech do stuff it wasn't necessarily intended to do, 0:05:50.839 --> 0:05:54.360 Because there's something really satisfying about figuring out a way 0:05:54.360 --> 0:05:57.760 to achieve a result using tech that wasn't you know, 0:05:58.760 --> 0:06:02.800 built to do that thing. It I think it kind 0:06:02.800 --> 0:06:06.159 of taps into the same part of our brains for 0:06:06.240 --> 0:06:08.960 the people who really enjoy doing things like designing Rube 0:06:08.960 --> 0:06:14.240 Goldberg devices. Those are those needlessly complex devices that are 0:06:14.920 --> 0:06:20.719 designed to carry out some uh trivially simple task. Well, 0:06:21.600 --> 0:06:24.200 I think the same thing that that pleases folks who 0:06:24.240 --> 0:06:27.800 really love Rube Goldberg devices is what pleases people to 0:06:28.440 --> 0:06:30.599 learn how the system works and then find ways to 0:06:30.720 --> 0:06:35.240 exploit it to do something different, not necessarily something bad, 0:06:36.080 --> 0:06:40.760 but different anyway. The word hacker really is more general 0:06:41.320 --> 0:06:44.480 than the specific use case of, you know, people who 0:06:44.520 --> 0:06:49.200 make malicious software, or even person who wants to infiltrate 0:06:49.279 --> 0:06:53.760 a secure system. There are hackers who fall into those subcategories, 0:06:54.279 --> 0:06:58.719 but I wouldn't use hacker as a broad stroke brush 0:06:59.120 --> 0:07:03.880 to say person with malicious intent. Um, but frequently that's 0:07:03.880 --> 0:07:07.240 how we encounter the word in the media. And you know, 0:07:07.560 --> 0:07:12.200 language is fluid, Language does evolve, so it could very 0:07:12.200 --> 0:07:14.560 well be that I'm trying to hold back a flood 0:07:15.000 --> 0:07:18.080 and I should just accept that. Hacker effectively now means 0:07:18.320 --> 0:07:21.600 jerk face who wants to ruin your day, or maybe 0:07:21.720 --> 0:07:25.280 ruin your computer, or maybe the company you work for, 0:07:25.840 --> 0:07:29.040 or maybe the country you live in. It can get 0:07:29.080 --> 0:07:32.000 pretty scary. Now, one other thing before we start to 0:07:32.000 --> 0:07:36.480 dive into the categories. The folks who distribute malware are 0:07:36.560 --> 0:07:41.600 not necessarily the same folks who built the malware. They 0:07:41.640 --> 0:07:45.120 can be, but they don't have to be. There are 0:07:45.320 --> 0:07:49.720 malware programmers for higher out there. We could actually call 0:07:49.800 --> 0:07:53.600 them hacks, because one of the definitions of hack is 0:07:53.640 --> 0:07:57.080 a person who does you know, work for higher It's 0:07:57.160 --> 0:08:01.960 kind of like the gig economy, and often we associate 0:08:02.000 --> 0:08:05.120 it with someone who does, you know, like bare minimum 0:08:05.200 --> 0:08:08.680 quality work and does a lot of it in order 0:08:08.720 --> 0:08:11.280 to make a living. So like a hack, writer is 0:08:11.320 --> 0:08:15.640 someone who generates an awful lot of writing but isn't 0:08:15.680 --> 0:08:21.119 necessarily deeply concerned about the quality of their work. So 0:08:21.720 --> 0:08:26.240 we could refer to these malicious coders for higher as 0:08:26.360 --> 0:08:30.640 hackers in that sense, slightly different context from what we 0:08:30.640 --> 0:08:34.600 were talking about earlier. Now, these programmers go on to 0:08:34.679 --> 0:08:39.000 create malicious software and then frequently they will sell it 0:08:39.280 --> 0:08:43.480 on a dark market, like on the dark Web, where 0:08:43.480 --> 0:08:46.760 people are are looking for pieces of malware that they 0:08:46.800 --> 0:08:51.959 specifically want to use to target either a specific target 0:08:52.120 --> 0:08:56.200 or general target, and they have a specific goal that 0:08:56.240 --> 0:09:00.040 they want to achieve. Uh. Sometimes they'll even make a 0:09:00.480 --> 0:09:04.199 software available for free for distribution, but more often than 0:09:04.240 --> 0:09:08.320 not you'll find it as like a pay for tool, 0:09:08.480 --> 0:09:11.320 a weapon you can use in your arsenal. Now, often 0:09:11.720 --> 0:09:16.040 cyber criminals who purchase these pieces of malware will then 0:09:16.080 --> 0:09:20.040 go on to tweak that malware put their own spin 0:09:20.120 --> 0:09:24.040 on it. So very frequently we will find lots of 0:09:24.120 --> 0:09:28.320 variations of certain types of malware, and if you do 0:09:28.360 --> 0:09:32.720 a forensics investigation into the malware, you will discover that 0:09:32.760 --> 0:09:38.360 there are some common threads of DNA among different types 0:09:38.400 --> 0:09:41.560 of malware. That can also be useful because if there 0:09:41.600 --> 0:09:47.160 are common elements between different distributions of malware, it can 0:09:47.200 --> 0:09:50.520 be easier to scan for that malware and detect it 0:09:50.559 --> 0:09:55.240 before it does too much damage. Um, the more different 0:09:56.040 --> 0:09:59.760 a version is from its origin point, the more likely 0:10:00.000 --> 0:10:03.520 it is going to escape immediate detection. This is one 0:10:03.520 --> 0:10:06.560 of the reasons why anti virus software, which we will 0:10:06.559 --> 0:10:09.880 talk about towards the end of this episode, is really 0:10:10.000 --> 0:10:13.840 important because we get new variations on old malware all 0:10:13.880 --> 0:10:16.080 the time, and if it's if it's a dramatic enough 0:10:16.080 --> 0:10:19.720 departure from the original piece of malware, your anti virus 0:10:19.760 --> 0:10:23.160 program may not pick up on it. So these things 0:10:23.160 --> 0:10:30.440 have to be you know, investigated and then updated frequently. Okay, 0:10:30.520 --> 0:10:33.520 I think we have laid all the groundwork we need 0:10:33.559 --> 0:10:36.240 to lay. When we come back, we're gonna start with 0:10:36.480 --> 0:10:41.080 the various types of malware and we'll we'll get it 0:10:41.200 --> 0:10:45.960 going with a good old computer virus. But first let's 0:10:45.960 --> 0:10:57.720 take this quick break, all right. As I said, we're 0:10:57.720 --> 0:11:00.640 going to start with the computer virus. So the heck 0:11:00.880 --> 0:11:04.439 is a virus within the context of malware. So a 0:11:04.559 --> 0:11:08.880 virus is a piece of malicious software that gloams onto 0:11:08.960 --> 0:11:12.720 a file that supports some form of macros like you know, 0:11:12.800 --> 0:11:17.000 most document files do this, and so this this malicious 0:11:17.040 --> 0:11:21.200 code is piggybacking on top of a file and it 0:11:21.240 --> 0:11:24.360 is like a virus inside of a host. The host 0:11:24.400 --> 0:11:27.400 in this case is the file that contains the malicious code, 0:11:27.720 --> 0:11:31.160 and when someone opens up that file that has the 0:11:31.240 --> 0:11:35.720 virus attached, it can activate the virus. So the file 0:11:35.880 --> 0:11:40.040 that you're opening appears to be legit or safe, but 0:11:40.160 --> 0:11:44.320 the malicious code that's within the the file then gets 0:11:44.360 --> 0:11:47.120 to run rampant on your machine. Now, the goal of 0:11:47.120 --> 0:11:51.160 your typical virus is to disrupt a computer system in 0:11:51.240 --> 0:11:54.160 some way. Now may do this by placing a very 0:11:54.280 --> 0:11:58.200 large demands on computer memory. So now your computer can't 0:11:58.200 --> 0:12:01.559 really run anything properly because it's memory is completely taken 0:12:01.600 --> 0:12:05.280 up by dealing with this virus. Or it might replicate 0:12:05.320 --> 0:12:09.880 itself and or otherwise replicate nonsense information and fill up 0:12:10.200 --> 0:12:14.120 your computer storage with garbage data. And it may even 0:12:14.160 --> 0:12:17.200 overwrite files so that you can no longer access key 0:12:17.280 --> 0:12:19.760 data or programs. That kind of thing. By the way, 0:12:19.800 --> 0:12:24.560 overwriting files, that's like scorched Earth policy, because if you 0:12:24.640 --> 0:12:28.240 delete a file, it doesn't actually leave your machine. The 0:12:28.400 --> 0:12:33.000 deleted file is essentially marked by your computer as this 0:12:33.160 --> 0:12:36.360 area of storage is now available, so we can write 0:12:36.400 --> 0:12:39.160 over it if we want to. But if you haven't 0:12:39.240 --> 0:12:44.560 overwritten anything. You can still retrieve deleted files. Overwriting files 0:12:44.880 --> 0:12:50.959 makes retrieval way more difficult. There are entire forensics companies 0:12:50.960 --> 0:12:55.600 out there that will take great strides to try and 0:12:55.600 --> 0:12:59.959 retrieve information from overwritten files, but it's very hard to do. Uh. 0:13:00.520 --> 0:13:03.200 A common feature of computer viruses is that they do 0:13:03.360 --> 0:13:08.960 self replicate. That is a pretty standard uh component of 0:13:08.960 --> 0:13:12.400 of computer viruses, and again they typically do that to 0:13:12.480 --> 0:13:16.040 kind of gum up with a computer with copies of itself. Okay, 0:13:16.080 --> 0:13:21.040 next up, let's talk about trojan's sometimes also called trojan viruses. 0:13:21.120 --> 0:13:25.280 They do share some similarities with your bog standard viruses 0:13:25.280 --> 0:13:29.440 that we just talked about. A trojan is malware disguised 0:13:29.480 --> 0:13:34.400 as a legitimate file or program. So maybe you are 0:13:34.480 --> 0:13:38.840 prompted to download a video player because you're trying to 0:13:39.000 --> 0:13:43.319 play some sort of online content online media, but you're 0:13:43.360 --> 0:13:46.520 getting a message saying, hey, you need to download this 0:13:46.600 --> 0:13:50.120 media player if you want to watch this. Well, in 0:13:50.320 --> 0:13:52.640 some cases, not in all of them. Sometimes this is 0:13:52.640 --> 0:13:56.079 a legitimate message, but frequently this is a tactic that 0:13:56.400 --> 0:13:59.680 criminals use to convince you to download a file that's 0:13:59.720 --> 0:14:04.080 acte a trojan that's housing malicious software. Back in the 0:14:04.080 --> 0:14:08.199 heyday of media piracy, there were lots of trojans disguised 0:14:08.240 --> 0:14:13.559 as useful programs, so everything from pirated video games, to 0:14:14.200 --> 0:14:19.000 productivity software suites, to even anti virus packages. Clever go 0:14:19.680 --> 0:14:21.280 you would go and say, Hey, I don't want to 0:14:21.320 --> 0:14:24.280 pay for this expensive piece of software, I'm gonna find 0:14:24.280 --> 0:14:28.680 it online for free. There was a chance that the 0:14:28.840 --> 0:14:32.440 free version you found was actually a trojan that was 0:14:32.800 --> 0:14:36.960 housing malicious software. Now, typically once a person downloads the 0:14:37.000 --> 0:14:40.360 trojan and then activates it, the trojan jumps in to 0:14:40.480 --> 0:14:46.080 get access to sensitive data on the computer or computer device. 0:14:46.760 --> 0:14:50.000 It might have some code that sends that data back 0:14:50.040 --> 0:14:52.720 to the jerks who distributed the malware in the first place. 0:14:52.760 --> 0:14:55.160 That kind of falls into another category we'll talk about 0:14:55.160 --> 0:14:59.840 a bit later. So in those cases, the militia software 0:14:59.880 --> 0:15:04.920 is collecting information that someone else should absolutely not have 0:15:05.000 --> 0:15:08.400 access to. Could be your personal information, could be stuff 0:15:08.440 --> 0:15:11.840 like your bank account, could be your medical records, could 0:15:11.840 --> 0:15:14.440 be any combination of these, could be everything on your computer. 0:15:14.520 --> 0:15:19.240 Really Now, something else that a trojan virus might have 0:15:19.640 --> 0:15:23.400 within it is what's called a root kit attack. So 0:15:23.600 --> 0:15:27.600 root kit it's attacking the root of your operating system 0:15:27.720 --> 0:15:30.920 and the purpose of this is to give a cyber 0:15:31.000 --> 0:15:34.680 criminal access to your machine, almost as if the cyber 0:15:34.680 --> 0:15:38.320 criminal was sitting down at your keyboard directly. And when 0:15:38.320 --> 0:15:42.720 a criminal gets administrative access to a computer, that's super 0:15:42.800 --> 0:15:45.240 bad news. It can also lead to the criminal not 0:15:45.280 --> 0:15:49.760 only just compromising one machine, but potentially launching attacks on 0:15:50.200 --> 0:15:54.840 connected systems, so networked devices that that machine can is 0:15:54.880 --> 0:15:57.640 connected to that could be the next vector of attack. 0:15:58.200 --> 0:16:02.920 Trojan malware is often the delivery system for other specific 0:16:02.920 --> 0:16:07.240 subcategories of malware, such as ransomware. So let's go ahead 0:16:07.280 --> 0:16:10.040 and do that one now because it is so closely connected. 0:16:10.040 --> 0:16:12.840 So this is category number three. We've had virus, we 0:16:12.880 --> 0:16:16.280 have trojan virus. Now we have ransomware. And it's been 0:16:16.320 --> 0:16:18.880 in the news a lot over the last couple of years. 0:16:18.920 --> 0:16:22.720 There's been some high profile ransomware attacks over the last 0:16:22.760 --> 0:16:26.360 few years. And it's similar in many ways to viruses, 0:16:26.400 --> 0:16:28.640 and that the goal is to cut off access to 0:16:28.840 --> 0:16:34.240 important programs, files, folders, entire directories, that kind of thing. 0:16:34.760 --> 0:16:37.320 But the way it goes about this is slightly different 0:16:37.360 --> 0:16:40.960 from viruses. So once ransomware has been injected into a 0:16:41.000 --> 0:16:44.840 computer system, it will run an encryption program and it 0:16:44.920 --> 0:16:49.720 will encrypt data on part or all of the computer system. 0:16:50.000 --> 0:16:52.800 Often it will encrypt data on any part of the 0:16:52.800 --> 0:16:56.080 computer system it can get access to, so the computer's 0:16:56.160 --> 0:17:00.360 user will be unable to access those encrypted files because 0:17:00.560 --> 0:17:02.600 to the computer all that data will just appear to 0:17:02.640 --> 0:17:06.480 be gibberish. It won't look like useful files or programs, 0:17:06.480 --> 0:17:10.240 it will just look like random data. And the companying 0:17:10.320 --> 0:17:14.200 message will alert the user that some criminal has locked 0:17:14.200 --> 0:17:18.040 away important stuff on this computer and that only by 0:17:18.080 --> 0:17:22.120 paying a ransom, typically in some form of cryptocurrency, will 0:17:22.160 --> 0:17:25.639 the user regain access to their programs and files. This 0:17:25.720 --> 0:17:28.400 can also end up being a type of blackmail as 0:17:28.400 --> 0:17:32.159 well for personal stuff. Like let's say that you have 0:17:32.400 --> 0:17:35.240 your computer. You're not necessarily part of some big company, 0:17:35.280 --> 0:17:39.080 but you get by ransomware, and the people who have 0:17:39.600 --> 0:17:41.960 locked away your data are saying, hey, if you don't 0:17:42.000 --> 0:17:46.120 want sensitive stuff on here leaked to the public, you've 0:17:46.119 --> 0:17:48.439 gotta pay me. So that this can also come in 0:17:48.480 --> 0:17:52.399 the form of blackmail. Well, what they're saying is if 0:17:52.400 --> 0:17:55.160 you pay us, then we will give you the key 0:17:55.200 --> 0:17:59.320 that will allow you to access your programs and files. Again. Uh, 0:17:59.400 --> 0:18:03.160 so the criminal can grant access by sharing this mathematical key, 0:18:03.240 --> 0:18:06.440 and that does allow for decryption, you can reverse the 0:18:06.560 --> 0:18:11.720 encryption process and regain your files and programs and turn 0:18:11.760 --> 0:18:14.840 it back into useful stuff. So the criminal is essentially 0:18:14.840 --> 0:18:18.679 holding a user's programs and files or directories or whatever 0:18:18.800 --> 0:18:22.560 hostage until they get paid a ransom. Now I've said 0:18:22.600 --> 0:18:25.440 this many times on tech news episodes, but it bears repeating. 0:18:25.840 --> 0:18:28.880 It is pretty much always a bad idea to pay 0:18:29.240 --> 0:18:33.280 the ransom. It can be very hard to resist the 0:18:33.520 --> 0:18:37.280 urge to pay to get to regain control of your systems, 0:18:37.520 --> 0:18:41.600 but it's bad to do because paying reinforces that method 0:18:41.640 --> 0:18:46.120 of attack. If criminals see that ransomware can make them money, 0:18:46.200 --> 0:18:49.600 even if it only works one time out of five 0:18:49.640 --> 0:18:52.520 times or anything like that, well that could be enough 0:18:52.560 --> 0:18:55.400 to keep these attacks going. It's it's proven to work, 0:18:55.480 --> 0:18:58.119 so they're going to keep doing it. So paying ransoms 0:18:58.160 --> 0:19:00.760 really just ensures that more attack X will follow in 0:19:00.800 --> 0:19:07.080 the future, maybe not directly against you, but definitely against others. Also, 0:19:07.160 --> 0:19:08.520 another thing you need to keep in mind is the 0:19:08.600 --> 0:19:11.280 victim can never be really sure that the criminal is 0:19:11.320 --> 0:19:14.800 actually going to hand over the key needed to decrypt 0:19:14.800 --> 0:19:17.359 the data. They could just take the money and run 0:19:17.800 --> 0:19:21.119 and leave you with an encrypted system and then you 0:19:21.160 --> 0:19:24.240 don't really have any options. You can try and decrypt it, 0:19:24.359 --> 0:19:29.280 but like decryption programs can take a lot of computational 0:19:29.359 --> 0:19:31.879 processing and a ton of time. This is one of 0:19:31.920 --> 0:19:36.640 the things that quantum computers will completely transform in the future, 0:19:36.680 --> 0:19:40.719 but we're not there yet. Well, criminals could do that. 0:19:40.840 --> 0:19:43.320 It is risky for a criminal to just take the 0:19:43.359 --> 0:19:45.639 money and run because if folks figure out who carried 0:19:45.680 --> 0:19:48.960 out the attack, even if it's just like in general terms, 0:19:49.000 --> 0:19:52.160 like you kind of know what hacker network was likely 0:19:52.240 --> 0:19:55.119 responsible for the attack, well, that sends a message to 0:19:55.160 --> 0:19:58.320 future victims that even if they pay the ransom, they'll 0:19:58.320 --> 0:20:00.479 still get stuck. So there's no point in hang. So 0:20:01.480 --> 0:20:04.480 criminals are not likely to hold back on it, but 0:20:04.560 --> 0:20:07.919 it is a possibility still. It's always a bad idea 0:20:08.119 --> 0:20:11.600 to really pay the ransom, but it can be difficult 0:20:11.600 --> 0:20:15.600 to hold off. Criminals like to target companies and organizations 0:20:15.640 --> 0:20:20.320 that have critical sensitive data on them, which obviously ups 0:20:20.359 --> 0:20:24.240 the stakes considerably. So hospitals and other healthcare facilities are 0:20:24.280 --> 0:20:29.000 frequent targets because there are literal life and death situations 0:20:29.000 --> 0:20:32.679 connected to that data. It is not easy to deny 0:20:32.720 --> 0:20:36.600 a ransom. When you think that people's lives literally hold 0:20:36.800 --> 0:20:41.320 in the balance, that's a difficult thing to do. Um 0:20:41.359 --> 0:20:43.160 The same can be said of a lot of government 0:20:43.160 --> 0:20:47.159 agencies that have really sensitive information that they need access to. 0:20:47.720 --> 0:20:52.280 It is difficult to resist paying that ransom. There are 0:20:52.280 --> 0:20:54.560 a lot of potential ways that ransomware can find its 0:20:54.560 --> 0:20:58.360 way onto a system, from targeted attacks to more kind 0:20:58.359 --> 0:21:02.399 of broad approaches, like a phishing scam can be a 0:21:02.480 --> 0:21:06.080 very broadway to get ransomware onto machines. If you don't 0:21:06.080 --> 0:21:09.200 know what fishing is, then you are a sweet summer child, 0:21:09.480 --> 0:21:11.680 and I really hate to chip away at your innocence. 0:21:11.760 --> 0:21:15.480 But a phishing attack is when criminals create what seems 0:21:15.520 --> 0:21:20.280 to be a legitimate message, or legitimate website or email, 0:21:20.480 --> 0:21:23.280 that kind of thing, but it actually directs people to 0:21:23.359 --> 0:21:26.840 either voluntarily give up information that they should not give up, 0:21:27.280 --> 0:21:31.119 such as like a bank account number and log in information, 0:21:32.080 --> 0:21:35.160 or it will direct people to a link that will 0:21:35.760 --> 0:21:40.040 have them download the malware. Okay, we've got a couple 0:21:40.119 --> 0:21:42.639 more types to talk about, but before we get to that, 0:21:42.720 --> 0:21:54.840 let's take another quick break. Okay, next up, we're gonna 0:21:54.880 --> 0:21:58.040 talk about worms so not the squiggly little guys who 0:21:58.080 --> 0:22:00.600 live in apples and that kind of thing. We're talking 0:22:00.640 --> 0:22:04.040 computer worms. And a computer worm is malware designed to 0:22:04.119 --> 0:22:07.640 replicate itself very quickly and then to spread across numerous 0:22:07.680 --> 0:22:10.440 connected devices on a network. So it's only job really 0:22:11.040 --> 0:22:14.440 is to replicate and infect, and to do that as 0:22:15.000 --> 0:22:17.840 as widely and quickly as possible. So if one machine 0:22:17.840 --> 0:22:20.800 on a network gets hit, others on that same network 0:22:20.800 --> 0:22:24.399 are in immediate danger. But how does the initial attack happen? 0:22:24.480 --> 0:22:27.560 How does the worm get on you know, patient zero 0:22:27.760 --> 0:22:30.760 in the computer network. Well, unlike a virus, a worm 0:22:30.840 --> 0:22:34.400 doesn't rely on a host file in order to execute 0:22:34.400 --> 0:22:37.119 its attack, So this isn't a case where a file 0:22:37.280 --> 0:22:39.639 like a PDF or something happens to be carrying a 0:22:39.680 --> 0:22:44.000 worm as well. The worm can infect through a direct download, 0:22:44.560 --> 0:22:46.840 or it can be injected through some other means, such 0:22:46.880 --> 0:22:49.480 as on a USB drive. By the way, just in 0:22:49.520 --> 0:22:53.760 case you haven't heard this for a while, never connect 0:22:54.160 --> 0:22:58.280 some found USB drive to your computer. You never know 0:22:58.760 --> 0:23:02.240 if the drive on that USB drive has some executable 0:23:02.240 --> 0:23:07.280 code on it that's just waiting to infect a network. Anyway, 0:23:07.520 --> 0:23:10.919 once the worm is on an infected system, it copies 0:23:10.960 --> 0:23:13.920 itself and sends those copies to other machines on the network, 0:23:14.200 --> 0:23:17.600 all with the goal of disrupting operations and or destroying 0:23:17.680 --> 0:23:22.280 data in the process. So those are also bad news. 0:23:23.440 --> 0:23:26.199 The next two types of malware are very similar, so 0:23:26.240 --> 0:23:29.919 we're just gonna put them together. We're talking spyware and 0:23:30.080 --> 0:23:34.000 add ware. So spyware, as the name suggests, is this 0:23:34.080 --> 0:23:36.800 malicious software that runs in the background on a machine, 0:23:37.200 --> 0:23:40.879 real secret like, and then it sends information back to 0:23:40.920 --> 0:23:43.720 a remote user. You heard me talk about this kind 0:23:43.720 --> 0:23:47.800 of with the trojan viruses. Spyware can be delivered via 0:23:47.880 --> 0:23:53.879 trojan and the whole purpose is to send sensitive information 0:23:53.960 --> 0:23:57.800 back to the criminal. So spyware can also include specific 0:23:57.840 --> 0:24:01.080 stuff like key loggers. These are programs that, as the 0:24:01.119 --> 0:24:05.640 name suggests, record or log every single key stroke made 0:24:05.720 --> 0:24:09.320 on a computer, so the criminal back home can use 0:24:09.320 --> 0:24:12.120 that information to figure out stuff like log in credentials, 0:24:12.760 --> 0:24:17.200 you know, banking information, all sorts of stuff. Well made 0:24:17.240 --> 0:24:20.719 spyware will not alert the target that something is wrong. 0:24:21.960 --> 0:24:26.200 It doesn't necessarily impact computer performance that much, at least 0:24:26.240 --> 0:24:29.040 not to a noticeable degree. So the goal is to 0:24:29.080 --> 0:24:32.520 stay under the radar for as long as possible to 0:24:32.600 --> 0:24:35.120 get as much information as possible. This, by the way, 0:24:35.200 --> 0:24:38.000 is why I say that James Bond is a terrible, 0:24:38.119 --> 0:24:41.200 terrible spy. I mean the guy goes around and introduces 0:24:41.240 --> 0:24:45.200 himself everywhere he goes. He violates like rule number one 0:24:45.280 --> 0:24:49.600 of spy ishness, so that spyware. But then what is 0:24:49.640 --> 0:24:54.080 adwere well, similar to spyware, adware monitors your computer use, 0:24:54.160 --> 0:24:58.120 but instead of using the information to steal your personal 0:24:58.280 --> 0:25:02.480 details or gain access to your accounts, adware is spying 0:25:02.520 --> 0:25:07.359 on you in order to serve up more applicable ads 0:25:07.480 --> 0:25:11.800 to you. This can include stuff like even hijacking your 0:25:11.800 --> 0:25:15.240 web browser so that when you open up your web browser, 0:25:15.280 --> 0:25:18.840 your homepage is no longer whatever it was before, but 0:25:18.920 --> 0:25:22.000 now it goes to some other site that's connected to 0:25:22.040 --> 0:25:26.040 the adware creators or their distributors. This can also lead 0:25:26.119 --> 0:25:29.760 down pathways to other types of malware, so adware, while 0:25:29.880 --> 0:25:33.399 it is not necessarily malicious on its own, can lead 0:25:33.920 --> 0:25:38.600 you to downloading stuff that is malicious. Um and as 0:25:38.680 --> 0:25:42.440 much nastier machines can also get bogged down with adware. 0:25:42.800 --> 0:25:46.080 So even if it's not outright malicious, if a lot 0:25:46.119 --> 0:25:49.000 of different adware gets on your computer, it can start 0:25:49.040 --> 0:25:54.359 to affect your computer's performance over time. So because it 0:25:54.440 --> 0:25:58.680 has been used for malicious purposes, because it's often part 0:25:58.680 --> 0:26:03.560 of the the entire strategy of attack that that criminals 0:26:03.560 --> 0:26:08.560 are using, it gets lumped in as a version of malware, 0:26:08.960 --> 0:26:14.680 so it's it's not necessarily malicious, but it's used frequently 0:26:14.760 --> 0:26:18.400