WEBVTT - TechStuff Checks the Flame 0:00:00.280 --> 0:00:02.960 Brought to you by the reinvented two thousand twelve Camray. 0:00:03.160 --> 0:00:08.880 It's ready. Are you get in touch with technology? With 0:00:08.960 --> 0:00:17.520 tech Stuff from how stuff works dot com. Hello everyone, 0:00:17.560 --> 0:00:20.360 and welcome to tech Stuff. My name is Chris Poulette, 0:00:20.360 --> 0:00:22.680 and I'm an editor at how stuff works dot com. 0:00:22.680 --> 0:00:25.840 Sitting across from me as usual as senior writer Jonathan Strickland. 0:00:25.920 --> 0:00:29.480 Hey there, all right, then, so we're going to talk 0:00:29.480 --> 0:00:35.840 about the latest except it's not malware to make headlines 0:00:35.920 --> 0:00:39.080 all over the world and and and cause international incidents 0:00:39.080 --> 0:00:41.440 and all of that. As of the recording of this podcast. Anyway, 0:00:41.720 --> 0:00:43.479 by the time this podcast goes live, there may be 0:00:43.680 --> 0:00:48.040 even worse news. It's it's funny because we were talking 0:00:48.080 --> 0:00:50.720 about what we wanted to call this and and uh 0:00:51.120 --> 0:00:53.880 we we thought of all of our flame metaphors and 0:00:54.000 --> 0:00:57.200 jokes and puns and puns um and I was going 0:00:57.240 --> 0:00:59.920 to make the joke about it being our old flame 0:01:00.000 --> 0:01:02.760 even like except it's new. Except it, as it turns out, 0:01:02.800 --> 0:01:06.440 it's not this. This malware has been making headlines over 0:01:06.440 --> 0:01:09.360 the past few weeks as of the date of recording 0:01:09.400 --> 0:01:13.160 on June one and two thousand twelve. But as it 0:01:13.160 --> 0:01:19.400 turns out um this brand new, latest um Um malware. 0:01:19.440 --> 0:01:21.000 I was going to call it a virus, but let's 0:01:21.000 --> 0:01:25.080 just call it malware. UM isn't new at all, and 0:01:25.120 --> 0:01:26.959 that's one of the fascinating things about it. But there 0:01:27.000 --> 0:01:31.679 are many fascinating things. Yeah. The the component file name, 0:01:31.760 --> 0:01:36.240 the main part the foundation of this malware made date 0:01:36.280 --> 0:01:39.800 back as early as two thousand seven, possibly even earlier. 0:01:40.200 --> 0:01:43.279 And one of the reasons why this is a really 0:01:43.319 --> 0:01:46.920 fascinating uh, well, there's so many reasons why this is 0:01:46.959 --> 0:01:50.080 fascinating malware. One is that it was able to escape 0:01:50.200 --> 0:01:54.680 attention for so long. Yes, because you're talking about a 0:01:54.760 --> 0:01:57.760 file that is capable of doing lots and lots of 0:01:57.760 --> 0:02:00.880 stuff depending upon what you add to it, which is 0:02:00.960 --> 0:02:04.040 brings us to fascinating thing number two. It's a modular 0:02:04.200 --> 0:02:08.720 kind of malware. Now, in general, when someone creates some malware, 0:02:09.200 --> 0:02:13.440 there is there tends to be a specific goal in 0:02:13.560 --> 0:02:16.680 mind of the person who's designing it. Right, They're thinking, 0:02:17.080 --> 0:02:19.640 I want to design this malware because what it'll do 0:02:19.680 --> 0:02:23.360 is it allow me to get backdoor access to another 0:02:23.400 --> 0:02:26.640 person's computer, and I'll be able to get administrative control 0:02:26.639 --> 0:02:28.640 over that machine, and then I can create a button 0:02:28.639 --> 0:02:31.400 net that that would be one example. Or I want 0:02:31.480 --> 0:02:33.919 to record key strokes so that I can get user 0:02:34.000 --> 0:02:37.639 names and passwords for people's accounts and maybe commit identity 0:02:37.680 --> 0:02:39.720 theft right, Or I want to create a piece of 0:02:39.760 --> 0:02:43.640 code that will propagate itself across a network, which you know, 0:02:43.720 --> 0:02:46.359 on its own is just one thing like so you 0:02:46.440 --> 0:02:49.600 might want to add more to it. And and historically 0:02:49.800 --> 0:02:53.519 hackers and malware programmers have been doing that. They've been 0:02:53.639 --> 0:02:58.200 creating malware that either complements some other piece of code 0:02:58.680 --> 0:03:01.520 or it acts as the first step to another piece 0:03:01.560 --> 0:03:07.440 of code that can, in combination create whatever the effect 0:03:07.560 --> 0:03:10.079 is that the hacker wants. So there might be one 0:03:10.120 --> 0:03:12.720 part of the code that is designed to help get 0:03:12.880 --> 0:03:16.920 access to a network, or perhaps it's designed to UH 0:03:17.000 --> 0:03:19.120 to copy itself once it gets on a network. It 0:03:19.200 --> 0:03:22.920 might even be to copy itself multiple times on the 0:03:22.960 --> 0:03:25.800 same machine in order to fill up that machine's memory 0:03:25.919 --> 0:03:29.560 and and hard drive space so that you brick the machine. 0:03:30.200 --> 0:03:33.120 It all depends on what the goal is for the hacker, UH, 0:03:33.160 --> 0:03:35.160 and then there might be some other component that does 0:03:35.200 --> 0:03:37.480 something else on top of it. Well. What makes flames 0:03:37.480 --> 0:03:40.280 so interesting is that it takes this concept to a 0:03:40.320 --> 0:03:45.640 new level. It's a modular kind of malware, meaning that 0:03:46.320 --> 0:03:49.560 the basis of Flame is so that you can infect 0:03:49.560 --> 0:03:54.160 a machine and then you can send a modular tweak 0:03:54.320 --> 0:03:58.040 to that malware that's now living on the victims machine 0:03:58.640 --> 0:04:02.600 and give its specific abilities. So think of it in 0:04:02.640 --> 0:04:06.200 a way as kind of a very very much scaled 0:04:06.480 --> 0:04:11.960 down operating system. Kind of it's a platform. Yeah, So 0:04:12.000 --> 0:04:14.360 it's not not a full operating system in the traditional sense. 0:04:14.400 --> 0:04:17.960 It's not like it's uh, taking over your operating system 0:04:18.040 --> 0:04:21.720 and and interacting with your computer's hardware. It's just sort 0:04:21.720 --> 0:04:25.360 of on a on a high level, the same basic concept. 0:04:25.440 --> 0:04:29.599 It's acting as a platform that other applications can operate 0:04:29.760 --> 0:04:33.440 on top of and affect how your computer behaves. And 0:04:33.440 --> 0:04:36.720 it all depends on which modules you send to the 0:04:36.800 --> 0:04:40.479 Flame foundation that will allow it to do whatever it 0:04:40.520 --> 0:04:44.200 is he wanted to do. Right right. Um. When we 0:04:44.279 --> 0:04:47.720 talked about hackers before on the show, we've we've discussed 0:04:48.640 --> 0:04:52.320 people who are known as script kitties, and that that's 0:04:52.760 --> 0:04:56.839 what they sort of, uh that it's sort of a 0:04:56.880 --> 0:05:02.280 derogatory term for people who are very very basic, um 0:05:02.279 --> 0:05:06.159 hackers who you are intent on causing mischief and the 0:05:06.160 --> 0:05:09.520 reason they're called that is not UM. Well, the reason 0:05:09.520 --> 0:05:11.120 I want to talk about why they're called that is 0:05:11.120 --> 0:05:14.520 because in order to create malware, it doesn't take a 0:05:14.560 --> 0:05:17.400 whole lot of code. To do this. UM you could 0:05:17.400 --> 0:05:20.200 basically say write a script that says, look, I want 0:05:20.240 --> 0:05:22.520 you to erase you know, I want you to copy 0:05:22.560 --> 0:05:26.039 all the the addresses in the address book, email a 0:05:26.120 --> 0:05:29.400 copy of this script to everybody in the address book, 0:05:29.440 --> 0:05:32.400 and then wipe the hard drive clean. Ha ha. It 0:05:32.480 --> 0:05:35.840 really doesn't have to be that complex. And and one 0:05:35.920 --> 0:05:39.520 of the things that uh uh is also interesting about 0:05:39.600 --> 0:05:43.279 flame is that, as Jonathan said, it's modular, but it 0:05:43.360 --> 0:05:47.200 takes up twenty megabytes of space now and and our 0:05:47.360 --> 0:05:49.960 terms today, that's not a particularly large file. A lot 0:05:50.000 --> 0:05:52.440 of people have broadband, it's not an an issue to 0:05:52.480 --> 0:05:54.880 download a twenty megabyte file. But you really don't need 0:05:55.160 --> 0:05:59.599 that much code to have a basic virus or trojan. UM. 0:05:59.720 --> 0:06:03.479 This is extensively written code. It's very sophisticated code to 0:06:03.520 --> 0:06:07.559 allow additional modules to operate on the main system. And 0:06:07.760 --> 0:06:13.120 that's why organizations that have been affected by it believe 0:06:13.240 --> 0:06:16.840 that it might be state sponsored. We we should point 0:06:16.880 --> 0:06:19.000 out to that this is not something that you're likely 0:06:19.040 --> 0:06:22.479 to get on your PC. This is aimed at very 0:06:22.640 --> 0:06:27.320 high level government run systems. Apparently, Yeah, if you're a 0:06:27.400 --> 0:06:32.000 high level government official, then maybe your PC would be 0:06:32.120 --> 0:06:35.480 at risk if you're and to be more specific, if 0:06:35.480 --> 0:06:38.839 you're a high level government official in a country in 0:06:38.920 --> 0:06:42.920 the Middle East, because that tends to be the possibly Hungary, 0:06:43.320 --> 0:06:45.839 because those that those tend to be the countries that 0:06:45.960 --> 0:06:50.960 have been targeted. Specifically, Iran and Israel have had the 0:06:51.040 --> 0:06:55.359 largest number of infected computers, but there are other countries 0:06:55.400 --> 0:06:57.800 that also seem to have it, or at least those 0:06:57.839 --> 0:07:02.000 are the the countries that have computers running this software. 0:07:03.440 --> 0:07:05.120 I'm sorry, go ahead, go ahead, I was gonna say. 0:07:05.120 --> 0:07:09.640 Also the West Bank, Palestinian West Bank and uh Lebanon 0:07:10.120 --> 0:07:13.720 are are known to be places, and then oddly enough 0:07:13.760 --> 0:07:17.400 in Hungary, although I you know that's I was about 0:07:17.440 --> 0:07:20.840 to go into a Renaissance festival speak. I've managed to 0:07:20.840 --> 0:07:23.120 avoid it this entire season, and I almost said, I 0:07:23.160 --> 0:07:30.840 know not why that is so? Austria, Russia, Hong Kong. Yeah, Now, 0:07:30.920 --> 0:07:36.080 some of these may be unintentional targets, right, they may 0:07:36.080 --> 0:07:39.880 not be the targeted computers because you would The conclusion 0:07:39.920 --> 0:07:42.960 we draw is whichever countries seem to have the highest 0:07:43.040 --> 0:07:47.000 rates of infection are more likely to be the targeted countries. 0:07:47.040 --> 0:07:49.520 Of course, we can't know that for sure. It may 0:07:49.560 --> 0:07:51.920 be based upon just the behaviors of the people who 0:07:51.960 --> 0:07:55.800 work within that that that country, but it's a it's 0:07:55.840 --> 0:07:57.920 a fair indicator. Now, let's talk a little bit about 0:07:58.640 --> 0:08:02.040 what this malware can actually do and then why someone 0:08:02.160 --> 0:08:05.680 might use it to target those particular countries. Well, some 0:08:05.720 --> 0:08:10.000 people feel that it's a relative of stocks net or 0:08:10.160 --> 0:08:13.920 or Dooku, both of which have been known to circulate 0:08:13.960 --> 0:08:16.960 in the same part of the world. Um stucks net 0:08:17.040 --> 0:08:24.200 was aimed apparently at power plants and other structure stuff. 0:08:24.240 --> 0:08:27.120 I think it's safe to say stocks net was specifically 0:08:27.120 --> 0:08:33.000 engineered to target Iranian nuclear power facilities. That that's the way. 0:08:33.120 --> 0:08:36.040 That's that's the way it's presented. Yet because I didn't 0:08:36.040 --> 0:08:37.920 write it, so I don't know. One of the functions 0:08:37.960 --> 0:08:42.000 of stocks net was to change the the rate of 0:08:43.080 --> 0:08:47.679 revolutions per per minute for centrifuges, and the whole idea 0:08:47.800 --> 0:08:50.480 was that by changing that, that speed at which the 0:08:50.480 --> 0:08:54.800 centrifugure turns within a nuclear power facility you could cause 0:08:54.960 --> 0:08:58.920 a failure of that part of the facility, thus effectively 0:08:59.320 --> 0:09:02.719 shutting it down out um. Presumably if you could get 0:09:02.760 --> 0:09:07.600 it to spin uh erratically enough, you could cause more 0:09:07.679 --> 0:09:11.160 of a catastrophic failure than just you know, slowing down 0:09:11.160 --> 0:09:15.080 the program. But that appears to be what stucks net 0:09:15.160 --> 0:09:17.839 was all about. Now now we still don't have official 0:09:18.040 --> 0:09:20.720 news of who was behind it, although of course there 0:09:20.720 --> 0:09:23.000 are a lot of um, there are a lot of 0:09:23.080 --> 0:09:27.280 likely candidates. But but along those lines, Flame is a 0:09:27.320 --> 0:09:30.559 little different. Stucks Now, of course, was was looking at, 0:09:31.320 --> 0:09:36.960 at least from what we understand, physically, sabotaging a power facility. 0:09:37.400 --> 0:09:43.760 Flame looks like it's more about spying upon various targets. 0:09:43.960 --> 0:09:47.760 That's that's true. Um it is uh. It is also written, 0:09:48.400 --> 0:09:52.400 like those other two pieces of malware, using a h 0:09:52.480 --> 0:09:56.160 scripting language called Lua. I haven't ever heard that pronounced 0:09:56.280 --> 0:09:58.560 l u a, which is often used actually for in 0:09:58.600 --> 0:10:02.640 the gaming industry. Yeah, and Lua is an obscure enough 0:10:02.800 --> 0:10:07.360 language that it might actually be. One of the reasons 0:10:07.440 --> 0:10:11.000 why the hackers may have chosen Lua as one of 0:10:11.040 --> 0:10:14.400 the languages they worked in is because it was obscure 0:10:14.520 --> 0:10:19.319 enough to not raise red flags immediately. It wouldn't look 0:10:19.480 --> 0:10:23.079 like other kinds of malware just at first glance, and 0:10:23.160 --> 0:10:26.760 so that might be a reason why the hackers chose it, 0:10:26.840 --> 0:10:28.600 or may just be that the hackers were really really 0:10:28.600 --> 0:10:30.760 familiar with that particular language and it could do what 0:10:30.800 --> 0:10:33.960 they needed it to do. But Uh, a lot of 0:10:33.960 --> 0:10:37.320 the analysis I've read suggests that perhaps the reason for 0:10:37.360 --> 0:10:43.600 picking it was because it was less recognizable. But it does. 0:10:43.760 --> 0:10:48.080 Flame does record system information about the systems that it's on. 0:10:48.280 --> 0:10:51.480 Boy howdy does it. It's it's kind of an uh 0:10:51.760 --> 0:10:54.480 catch all when and again a lot of this depends 0:10:54.480 --> 0:10:58.080 on what modules are installed on top of Flame. You know, 0:10:58.160 --> 0:11:00.760 think about think about Flame in a way like uh, 0:11:01.320 --> 0:11:04.960 you would and operating system like iOS, and that you know, 0:11:05.000 --> 0:11:07.840 iOS can do lots of stuff, but it can do 0:11:07.920 --> 0:11:10.400 more stuff when you add apps to it. The apps 0:11:10.440 --> 0:11:14.720 give you very specific features. It's the basically the way 0:11:14.760 --> 0:11:18.880 that computers work exactly. So so, uh, Chris and I 0:11:18.960 --> 0:11:21.840 both happen to have an Android phone, different Android phones, 0:11:22.200 --> 0:11:25.320 and that I would wager that many of the apps 0:11:25.360 --> 0:11:27.520 that Chris has I do not have, and vice versa, 0:11:27.559 --> 0:11:29.160 and there are a few that we might have in common. 0:11:29.600 --> 0:11:32.079 And that that's because Chris wants this phone to do 0:11:32.600 --> 0:11:35.160 a certain set of things, and I want my phone 0:11:35.160 --> 0:11:37.000 to do a certain set of things. Hackers are the 0:11:37.040 --> 0:11:40.760 same way. They may want their their malware to do 0:11:41.040 --> 0:11:44.760 certain things in certain situations, and they don't necessarily need everything. 0:11:44.840 --> 0:11:47.079 It doesn't have to be a kitchen sink approach. So 0:11:47.120 --> 0:11:49.320 that's kind of the idea behind Flame. So some of 0:11:49.320 --> 0:11:53.360 the things that can do as far as cyber espionage go. Uh. 0:11:53.400 --> 0:11:58.160 It can do keyboard activities, So a key logger function, 0:11:58.240 --> 0:12:00.880 like Chris was talking about earlier, This is what tracks 0:12:01.240 --> 0:12:04.120 what keys are being pressed. Usually you use this so 0:12:04.160 --> 0:12:07.240 that you can find out things like passwords and that 0:12:07.320 --> 0:12:11.800 sort of stuff. It can monitor network traffic, so we 0:12:11.840 --> 0:12:15.280 can actually see what computers the infect the computer is 0:12:15.600 --> 0:12:19.080 communicating with and possibly even sniff out those that data. 0:12:19.640 --> 0:12:22.960 It can take screenshots, so the person on the other 0:12:23.080 --> 0:12:26.520 end of this uh, this connection can get a look 0:12:26.559 --> 0:12:30.280 at what the user is is looking at whenever they're 0:12:30.520 --> 0:12:34.240 using the computer. Also very important if that particular computer 0:12:34.360 --> 0:12:39.600 is used in a high security environment. It can even 0:12:39.679 --> 0:12:44.800 record audio. It can use a computer's microphone and record audio. 0:12:44.880 --> 0:12:48.040 So just imagine it's like bugging a a an office, 0:12:48.080 --> 0:12:49.720 except you don't have to put a bug in there, 0:12:50.360 --> 0:12:52.480 which is amazing how you think about it. There are 0:12:52.920 --> 0:12:55.080 you know, there are offices that are in such high 0:12:55.080 --> 0:13:00.199 security areas that there are frequent bug sweeps where the 0:13:00.720 --> 0:13:04.080 company or government agency will have someone come through and 0:13:04.200 --> 0:13:07.560 search for any electronic bugs that might have been planted 0:13:07.559 --> 0:13:10.480 there in order to record conversations. Well, this gets around 0:13:10.520 --> 0:13:14.880 that it turns the person's own computer into that recording instrument. 0:13:15.600 --> 0:13:20.000 It can even do things like a record Skype conversations. 0:13:20.559 --> 0:13:24.120 And the one I saw that I thought was particularly 0:13:24.200 --> 0:13:29.000 clever was there's apparently a module that will allow if 0:13:29.360 --> 0:13:36.160 the computer has Bluetooth capability, it will become a beacon, 0:13:36.320 --> 0:13:39.520 a Bluetooth beacon, and we'll try to connect with Bluetooth 0:13:39.559 --> 0:13:43.960 devices that are within range and download information from them. Interesting, 0:13:44.000 --> 0:13:46.880 So if you have a smartphone, you're a government official, 0:13:46.880 --> 0:13:49.280 and you've got a smartphone, you've got Bluetooth enabled so 0:13:49.320 --> 0:13:52.920 that you can use your cyborg earpiece that everyone tends 0:13:52.960 --> 0:13:56.520 to use, then that your computer might try to do 0:13:56.559 --> 0:14:00.760 a Bluetooth handshake with your device and pull information from 0:14:00.760 --> 0:14:04.079 your device into the computer so it can send it 0:14:04.120 --> 0:14:08.920 off to the hacker so it's all about gathering information. 0:14:09.200 --> 0:14:16.400 There's also been some some uh suggestions that perhaps this 0:14:16.480 --> 0:14:20.040 is related as well to another kind of malware. In fact, 0:14:20.080 --> 0:14:22.000 that malware may just be a module on top of 0:14:22.040 --> 0:14:26.480 Flame called Wiper, which does exactly what you would think 0:14:26.480 --> 0:14:29.600 it does. It wipes data from a device. So it 0:14:29.640 --> 0:14:32.800 may also not just be about data collection, but also 0:14:33.760 --> 0:14:36.960 destroying data. And in fact, it does look like there's 0:14:37.000 --> 0:14:41.320 been some some data loss, uh, particularly in Iran that 0:14:41.520 --> 0:14:46.000 may be due to this particular malware. UM. It is 0:14:46.040 --> 0:14:48.080 important to note too that this is not the only 0:14:48.120 --> 0:14:52.640 piece of modular mountainware out there. UM. It is just 0:14:53.400 --> 0:14:57.600 it is especially unusual in the size of this malware 0:14:57.640 --> 0:15:04.120 sophification and sophistication. UM. But yeah, it uh this is 0:15:04.360 --> 0:15:08.520 sort of an indication that, uh, the game might be 0:15:08.600 --> 0:15:14.920 afoot if you will, basically exactly what what what what's 0:15:14.920 --> 0:15:17.400 going on is And I think this is part of 0:15:17.400 --> 0:15:20.360 the reason that people are so if you if you 0:15:20.400 --> 0:15:24.880 follow the tech press or the tech media, let's say, um, 0:15:25.000 --> 0:15:27.240 you've probably seen a lot about this in the past 0:15:27.240 --> 0:15:30.920 few weeks. And I think the reason for that is 0:15:31.000 --> 0:15:33.640 because it's captured our imagination and it's it's made us 0:15:33.680 --> 0:15:40.040 all realize that, uh, electronic espionage is here. People are 0:15:40.120 --> 0:15:42.760 using it, and it's and it's not uh, it's not 0:15:42.840 --> 0:15:46.560 the exception anymore. I have the feeling that uh, and 0:15:46.880 --> 0:15:50.000 basically I am certainly not the only one from my 0:15:50.000 --> 0:15:54.840 my reading that uh, people seem to feel that this 0:15:54.920 --> 0:15:58.520 is state sponsored espionage and that this kind of thing 0:15:58.560 --> 0:16:01.560 is going to become more and more more common as 0:16:02.080 --> 0:16:04.440 the years go on, because this is the way the 0:16:04.480 --> 0:16:09.720 world does business um, and I mean all kinds of business. Um. Personally, 0:16:09.760 --> 0:16:13.600 I think the reason that it's designed to capture webcam 0:16:13.800 --> 0:16:17.480 stuff is so that they can postum videos on YouTube 0:16:17.640 --> 0:16:22.040 of high level officials dancing to Lady Gaga, videos in 0:16:22.080 --> 0:16:24.360 their closed offices that they've had swept for bugs so 0:16:24.360 --> 0:16:28.920 that they won't get caught doing it. That's ridiculous. That's 0:16:28.960 --> 0:16:34.320 Taylor Swift videos. But now the the the other thing 0:16:34.360 --> 0:16:36.800 about this is that I think it's interesting if you 0:16:36.840 --> 0:16:39.320 think that this this malware may have been around since 0:16:39.800 --> 0:16:44.120 two thousand seven, it shows that hackers were of the 0:16:44.200 --> 0:16:49.160 same mindset as Steve Jobs because they saw that apps 0:16:49.200 --> 0:16:52.800 were the next big thing. No really, seriously, when you 0:16:52.840 --> 0:16:54.520 think about it, it it is kind of amazing because they 0:16:54.520 --> 0:16:58.400 were thinking, well, let's make this a very flexible, adaptable 0:16:58.480 --> 0:17:01.560 malware system so that we can use it in multiple 0:17:02.000 --> 0:17:05.480 uh use cases and we don't have to again, we 0:17:05.520 --> 0:17:09.359 don't have to send the whole thing to everyone. Um 0:17:09.400 --> 0:17:12.440 it did you know? Just like other malware, it attempts 0:17:12.440 --> 0:17:14.679 to cover its tracks as much as possible, so that 0:17:14.720 --> 0:17:17.920 way you know that it can stay on an infected 0:17:17.960 --> 0:17:20.439 computer as long as possible. And it's very good at 0:17:20.440 --> 0:17:23.359 it if it's been around for years um and just 0:17:23.480 --> 0:17:27.639 now we're talking about it. Uh. And also it's it 0:17:27.800 --> 0:17:32.280 spreads kind of in a way similar to other types 0:17:32.320 --> 0:17:34.159 of malware. You might think, well, how does how do 0:17:34.240 --> 0:17:38.399 they get How is that initial entry into a system? 0:17:38.440 --> 0:17:40.600 How is that accomplished? Well, there are a couple of 0:17:40.640 --> 0:17:44.480 different ways you could do it. Um. There's some suggestion 0:17:44.520 --> 0:17:48.720 that perhaps it was a spear fishing attempt, which is 0:17:48.760 --> 0:17:52.240 where you have a specific target in mind and you know, 0:17:53.080 --> 0:17:55.199 you know, you have enough information about that target to 0:17:55.200 --> 0:17:57.639 be able to create an email that could tempt that 0:17:57.720 --> 0:18:03.600 target into executing a file that they probably shouldn't have done. Right. 0:18:03.680 --> 0:18:08.760 Phishing is uh with a pH is a social engineering 0:18:09.080 --> 0:18:12.960 tool to gather information you've probably just about everybody I'm 0:18:13.000 --> 0:18:16.040 sure who is listening to this has had a phishing 0:18:16.040 --> 0:18:19.240 email show up in their spam box where it says, hey, 0:18:19.480 --> 0:18:24.080 you've uh, your bank account has been compromised and we 0:18:24.160 --> 0:18:28.159 need you to send us your information. Um, and you go, 0:18:28.880 --> 0:18:30.720 you know, I haven't. I don't have an account at 0:18:30.720 --> 0:18:32.560 this bank and I've never had an account at this bank. 0:18:32.560 --> 0:18:36.680 I always chuckle at those because I think, nice try, um, 0:18:36.720 --> 0:18:38.840 but that that but that isn't what what fishing is 0:18:38.880 --> 0:18:40.959 known for. If you if you were to click on 0:18:41.000 --> 0:18:45.280 that link and go further and um enter your private 0:18:45.320 --> 0:18:47.399 information in there, they would be able to use that 0:18:47.440 --> 0:18:53.400 in identity theft um operation. But spear fishing is specifically 0:18:53.440 --> 0:18:57.479 targeted um as Jonathan said to a certain person. So 0:18:57.520 --> 0:19:00.560 it is especially effective because it says, hey, Jonathan in Strickland, 0:19:00.640 --> 0:19:03.720 we know that you have an account here. Uh and uh, 0:19:03.840 --> 0:19:05.800 this is a problem with your account. You need to 0:19:05.880 --> 0:19:09.960 enter your information stuff. There's been some unusual activity on 0:19:09.960 --> 0:19:14.520 your account. Which is even better because the unusual activity 0:19:15.080 --> 0:19:18.280 comes true. Yeah, because you go and you check your 0:19:18.320 --> 0:19:20.280 account and the next thing you know, you have actually 0:19:20.320 --> 0:19:22.680 given over the information to the people who will generate 0:19:22.720 --> 0:19:27.119 the unusual activity on your account. Don't ever follow those links. Yeah, no, no, 0:19:27.200 --> 0:19:30.240 it's better to it's better to go to those those 0:19:30.280 --> 0:19:34.680 sites directly through your your browser. Uh, as long as 0:19:34.720 --> 0:19:39.639 you don't have um the DNS changer now where on 0:19:39.800 --> 0:19:42.919 your computer, which leads you to the wrong browser anyway 0:19:42.920 --> 0:19:46.600 around wrong site rather anyway. So anyway, getting back to this, 0:19:47.680 --> 0:19:52.400 spear fishing is a very very possible way that this 0:19:52.560 --> 0:19:55.160 initially got out into the wild. However, it can also 0:19:55.200 --> 0:19:59.000 be spread through USB thumbsticks, which means getting physical access 0:19:59.040 --> 0:20:02.159 to someone's computer. Not always the easiest method, no, but 0:20:02.280 --> 0:20:04.840 that's that's exactly what they did with stucks Neat apparently, 0:20:05.480 --> 0:20:09.800 was they snuck it into nuclear power facilities on a 0:20:09.960 --> 0:20:13.639 USB flash drive, which you know it's not necessarily the 0:20:13.680 --> 0:20:15.639 easiest way, but it is. I mean, I guess it 0:20:15.680 --> 0:20:19.080 all depends on your target, because you could either do 0:20:19.119 --> 0:20:22.840 it yourself where you are. You know, you pose as 0:20:22.880 --> 0:20:26.160 say a technician saying I have to install this new 0:20:26.200 --> 0:20:30.200 software onto your computer so that we can maintain security, 0:20:30.520 --> 0:20:34.320 perhaps your Klaus Hergersheimer checking radiation shields, or you could 0:20:34.520 --> 0:20:38.600 uh actually mail thumbstick to a person and say here 0:20:38.680 --> 0:20:42.400 is the file you wanted and have them install it themselves. 0:20:42.480 --> 0:20:45.600 Sometimes it's that easy. Yeah, sometimes it sometimes that that works. 0:20:45.640 --> 0:20:48.360 I mean, because you know, people don't necessarily think, oh, 0:20:48.400 --> 0:20:51.920 there could be something bad on this thumb drive. By 0:20:51.920 --> 0:20:54.760 the way, there could be something bad on that thumb drive. Um, 0:20:54.920 --> 0:20:57.720 so you know that's another possibility. And also once it 0:20:57.760 --> 0:21:00.920 gets in the network, there were other ways of leveraging 0:21:00.960 --> 0:21:03.640 the network to help infect other computers. One of which 0:21:03.640 --> 0:21:10.399 I saw was using a printer spooling UH protocol where 0:21:10.440 --> 0:21:13.920 certain printers, you know, you could send the malware through 0:21:13.960 --> 0:21:16.840 the printer queue, and other computers as they connect to 0:21:16.840 --> 0:21:19.520 the printer queue could be infected that way, which is 0:21:19.600 --> 0:21:21.520 kind of interesting. But that means that you already have 0:21:21.600 --> 0:21:25.040 to get into the network initially in order to take 0:21:25.080 --> 0:21:28.000 advantage of something like that. So in other words, you 0:21:28.040 --> 0:21:31.359 can't just necessarily attack straight through the printer, although I 0:21:31.359 --> 0:21:33.680 suppose you could if it was a printer that had 0:21:34.080 --> 0:21:37.880 Internet connectivity and you had the password to get into that. 0:21:38.440 --> 0:21:42.679 But at any rate, it propagates through those ways, and 0:21:42.760 --> 0:21:47.399 apparently it will only do so under the direction of 0:21:47.440 --> 0:21:50.760 the hackers, So this is not the kind of malware 0:21:50.800 --> 0:21:54.520 that will just copy itself an infinite number of times 0:21:54.520 --> 0:21:57.440 and just send it to every single contact within a 0:21:57.560 --> 0:22:02.960 computers database. Instead, it's a very controlled attack, which is 0:22:03.119 --> 0:22:08.960 again another another reason why UH the analysts think this 0:22:09.080 --> 0:22:13.240 could be state sponsored, because typically if you have someone 0:22:13.280 --> 0:22:16.239 who's just interested in either creating as much trouble as 0:22:16.280 --> 0:22:19.600 possible or just trying to make a profit off whatever 0:22:19.640 --> 0:22:23.119 that is they're doing, they're probably less likely to have 0:22:23.320 --> 0:22:26.800 this sort of controlled approach where they're targeting specific computers, 0:22:27.240 --> 0:22:29.720 because why do that when you could go with a 0:22:29.760 --> 0:22:35.280 blanket bomb approach and just infect everyone you possibly can. UH. 0:22:35.320 --> 0:22:39.000 This appears to be much more of a precision attack, 0:22:39.119 --> 0:22:44.040 so that tends to suggest a state sponsored approach. Now 0:22:44.160 --> 0:22:47.760 by that we mean that some government has gone out 0:22:48.680 --> 0:22:53.840 and hired programmers to create this malware with the intent 0:22:54.000 --> 0:22:59.320 of using it on some other nations computers, possibly possibly 0:22:59.320 --> 0:23:01.679 computers within the own their own nation. I mean, it 0:23:01.680 --> 0:23:06.119 all depends on what the government's UH motives are, and 0:23:06.160 --> 0:23:10.600 then they're going to gather information and analyze it and 0:23:11.240 --> 0:23:13.639 make their own plans based upon what they see. So 0:23:13.960 --> 0:23:18.800 typical spy stuff as opposed to say a group of 0:23:18.800 --> 0:23:22.240 of you know, just just a group of hackers that 0:23:22.359 --> 0:23:24.159 just want to get as much information as possible in 0:23:24.240 --> 0:23:26.679 order to make as much money or as much trouble 0:23:26.760 --> 0:23:34.240 as they can. Yeah. The the country that has asserted 0:23:34.640 --> 0:23:37.359 the state sponsored claim more than any that I've seen 0:23:37.680 --> 0:23:42.960 is Iran, who blames Israel and the United States for 0:23:43.040 --> 0:23:46.160 the attack. And there was a statement from an Israeli 0:23:46.240 --> 0:23:51.960 government official that I think inadvertently kind of gave the 0:23:51.960 --> 0:23:57.040 the implication that Israel was directly involved. But I don't 0:23:57.080 --> 0:24:00.840 think that was the intention of the statement. Well, one 0:24:00.880 --> 0:24:03.280 way or the other. I'm sure it wasn't right, but 0:24:03.400 --> 0:24:06.359 the but the government official essentially said, we would you know, 0:24:06.760 --> 0:24:09.120 this is this is sort of that I'm paraphrasing here, 0:24:09.359 --> 0:24:12.560 this is the world we're in, and if if we 0:24:12.640 --> 0:24:14.639 think these tactics are going to work, we're going to 0:24:14.760 --> 0:24:21.040 use them, which essentially sounded like an admission. But the 0:24:21.119 --> 0:24:26.000 Israeli government very quickly said, no, no, no, we deny 0:24:26.080 --> 0:24:28.760 that we have anything to do with this. However, we 0:24:28.800 --> 0:24:31.440 could write a much more sophisticated program than that. Now 0:24:31.480 --> 0:24:34.720 I'm I'm kidding um, but yeah, I mean he they're 0:24:34.720 --> 0:24:39.360 saying that they they wouldn't uh, just because they did 0:24:39.480 --> 0:24:42.119 or did not launch this. This is the kind of 0:24:42.119 --> 0:24:43.600