1
00:00:01,830 --> 00:00:08,830
Let's examine another example. The steps for this example are universally applicable and are not limited

2
00:00:08,830 --> 00:00:17,210
to global outbreaks only. The above picture is a good overview of the virus propagation methods.

3
00:00:17,280 --> 00:00:21,540
The first vector is the security hole we've mentioned.

4
00:00:21,590 --> 00:00:25,220
The next method includes spreading using removable media.

5
00:00:25,490 --> 00:00:27,170
We'll focus on this in a minute.

6
00:00:30,190 --> 00:00:36,830
Local Area Network is the third vector. The creators of the virus attempted to save the malicious code

7
00:00:36,920 --> 00:00:40,840
in all badly protected network shares.

8
00:00:40,880 --> 00:00:45,200
The fourth technique used user password cracking to propagate the virus.

9
00:00:46,640 --> 00:00:48,580
The first vector was quite smart.

10
00:00:49,510 --> 00:00:57,380
It involved a degree of social engineering, a manipulation method we've discussed before.

11
00:00:57,490 --> 00:01:01,980
The windows above are well known and don't raise suspicions.

12
00:01:02,070 --> 00:01:07,940
We've gotten used to them being displayed as soon as a USB drive is plugged into the computer, but

13
00:01:07,940 --> 00:01:10,840
there's a piece of information in these windows that is duplicated.

14
00:01:16,910 --> 00:01:21,020
Conficker has modified the autorun file.

15
00:01:21,160 --> 00:01:25,350
You can see on the left-hand side a typical autorun file.

16
00:01:25,600 --> 00:01:29,650
The right side shows a file that's been altered by Conficker.

17
00:01:29,770 --> 00:01:36,250
The virus referred to a system library to display the window shown before. The language version and operating

18
00:01:36,250 --> 00:01:42,160
system version always match. Selecting the first, default option did not cause the USB directories to

19
00:01:42,160 --> 00:01:43,930
open.
20
00:01:44,080 --> 00:01:47,860
What it did was launch a virus file hidden on the USB stick.

21
00:01:52,400 --> 00:01:55,720
A portion of the virus code can be seen in the picture above.

22
00:01:57,640 --> 00:02:04,640
After it was launched, the virus created a new system service with a random name. System services are

23
00:02:04,640 --> 00:02:09,320
unique in that they run automatically even when the user who has launched them has logged out.

24
00:02:11,150 --> 00:02:15,640
As a result, after restarting the computer the virus was already running in the system.

25
00:02:22,150 --> 00:02:26,690
The virus propagated also in another way: through passwords.

26
00:02:26,820 --> 00:02:33,700
The virus code stored the most common passwords. Conficker used the list to determine the password of

27
00:02:33,700 --> 00:02:41,790
a targeted user. It tried to submit passwords like root, test or password, but also checked the name of the

28
00:02:41,790 --> 00:02:42,960
authenticated user.

29
00:02:46,300 --> 00:02:47,490
Using this value,

30
00:02:47,610 --> 00:02:53,580
it submitted a potentially matching password for the user name John.

31
00:02:53,610 --> 00:02:57,240
It tried passwords like John123 or 1John.

32
00:03:00,360 --> 00:03:07,880
This resulted in massive user account lockouts. A single copy of the virus was able to block as many

33
00:03:07,880 --> 00:03:10,960
as a thousand accounts.

34
00:03:10,960 --> 00:03:16,590
This is a hint that can help us gauge the scope of the infection.

35
00:03:16,620 --> 00:03:21,050
It would be enough to determine which computers are responsible for locking user accounts.

36
00:03:21,940 --> 00:03:25,380
If we locate them, we'll know which computers have been infected.

37
00:03:27,150 --> 00:03:33,590
A free optional tool for Windows administrators is a package called Account Lockout and Management Tools.
38
00:03:35,280 --> 00:03:43,340
EventCombMT is a component of this package. The MT abbreviation in the application's name indicates

39
00:03:43,340 --> 00:03:51,310
that it's a multi-threaded edition of the tool. EventCombMT enables users to read security logs from

40
00:03:51,310 --> 00:03:58,030
multiple computers and aggregate security logs from many computers from your network.

41
00:03:58,060 --> 00:04:02,610
When all this data is put into a single repository, you can run Log Parser,

42
00:04:02,890 --> 00:04:04,720
a tool we've shown before,

43
00:04:05,020 --> 00:04:12,880
to identify the IP addresses of hosts that came up in the user account lockout event record. Below you

44
00:04:12,880 --> 00:04:20,210
can see a Log Parser query that returns the IP addresses of these computers. Performing these actions results

45
00:04:20,210 --> 00:04:27,440
in documenting the territory of the attack. At the same time, you should take measures to reduce the risk

46
00:04:27,440 --> 00:04:30,620
of infecting other computers.

47
00:04:30,630 --> 00:04:34,910
The first thing to do is block TCP port 445.

48
00:04:34,920 --> 00:04:43,740
This port is used in Microsoft Windows networks to access remote network shares.

49
00:04:43,760 --> 00:04:49,430
The second step is to modify access privileges to the registry key according to the strategies outlined

50
00:04:49,430 --> 00:04:52,550
in a Knowledge Base article.

51
00:04:52,610 --> 00:04:57,110
It's necessary to do this in a way that prevents the virus from launching as a pseudo-randomly named

52
00:04:57,110 --> 00:05:00,590
Windows service.

53
00:05:00,590 --> 00:05:04,840
Thirdly, you need to block the automatic launch of autorun.

54
00:05:04,900 --> 00:05:08,380
The file is stored on removable disks.

55
00:05:08,500 --> 00:05:22,080
By doing this, we close all the known doors that would have let the virus in.

56
00:05:22,090 --> 00:05:25,150
Now it's time to remove the virus from the infected computers.
57
00:05:26,290 --> 00:05:34,330
To do this you can use specialist dedicated tools: Microsoft software or third-party software.

58
00:05:34,420 --> 00:05:38,500
You can also try to remove the virus manually.

59
00:05:38,610 --> 00:05:42,890
We can analyze and remove viruses using Sysinternals tools.

60
00:05:43,020 --> 00:05:53,040
We'll talk about doing this in one of the next modules.

61
00:05:53,050 --> 00:05:58,690
The last step is making sure that the results of the attack are removed from the system.

62
00:05:58,700 --> 00:06:06,500
The easiest case requires restarting infected computers. After a restart, check whether the unwanted service

63
00:06:06,500 --> 00:06:14,610
appears again. The case study we've presented aimed to show you how an administrator should properly react

64
00:06:14,700 --> 00:06:17,160
under unknown and stressful circumstances.

65
00:06:18,580 --> 00:06:25,030
These circumstances are a situation where an anomaly has been detected in the behavior of a system, especially

66
00:06:25,030 --> 00:06:27,420
if this is a security-related event.

67
00:06:29,100 --> 00:06:32,610
We've prepared a plan of action and need to stick to it step by step.

68
00:06:34,120 --> 00:06:38,130
First, identify the attack territory.

69
00:06:38,230 --> 00:06:43,470
Secondly, document the attack and take measures to keep the infection from spreading on to other computers.

70
00:06:45,420 --> 00:06:49,540
This doesn't always mean shutting down the computer or unplugging the power cord.

71
00:06:51,230 --> 00:06:54,860
Understanding the vectors of infection and the detected attack is vital.

72
00:06:56,550 --> 00:07:01,170
Next, we need to eliminate the consequences of the attack and make sure that all traces of the attack

73
00:07:01,170 --> 00:07:03,270
are completely removed from the system.

74
00:07:08,040 --> 00:07:09,600
Thank you for your attention.