If you want to look at some malware, there are plenty of websites where you can get it. Many sites, like Contagio malware dump, share samples and will also provide analysis. They will say, "Hey, I saw this virus do this interesting thing involving blah blah blah," and you can download them yourself and try to find that stuff. I like VirusShare.
If you really don't like getting your stuff from other people, you can always catch your own: make a honeypot. There is plenty of software out there, which we will cover later, or you can just next-next-next deploy and it will just catch malware. And of course, you can always make your own malware. There are plenty of builders out there, and there's source code out there.
A few notes for the paranoid people among you, and I will have this slide at the end of every lecture.
Some malware can execute upon being scanned by antivirus products. I've seen vulnerabilities in antivirus scanners. They're not infallible.
I've seen malware that will execute as soon as the icon is viewed, like a Word icon or a PDF icon or even a system icon. In fact, that's how one of those zero-days that Stuxnet had worked: as soon as the file system handled the file, it would automatically execute code, which is pretty dangerous, especially for an analyst who was just looking at it. Now, we didn't have an extension on it, but we were still looking at it. Extracting the file from the archive, like we did, can execute code.
That was a major zero-day. But know that this stuff is out there. It's not very common, but it's out there, and you should be careful, and we'll learn how to deal with malware in a safer manner in the next video.
Another note for those people who are paranoid: MD5 is the industry standard right now, but it can be manipulated. There are MD5 hashes out there for benign files, like from NIST, the National Institute of Standards and Technology. I love them. They keep a database of hashes of known good software.
But someone could just look at the MD5 of those hashes. They could make their malware produce that hash, where it is not the exact replica of those bits; it is a file of their own creation, and that's what we call a hash collision. And that's bad. We should never have that, but it is more common with MD5. I don't think anyone has ever successfully done it for SHA-256, and the industry is moving toward SHA-256 identification. But it's not there yet.
For those people who are paranoid about viewing icons, we can work in a command-line-only environment. And just to show you that, I'll show you here that I have Cygwin open. So everything we did, we can do from the command line.
I change drive, and we can go to Users. To just auto-complete, I hit Tab. So now I'm in the Desktop, and here the first thing we did was we looked at it in a hex editor. So I do xxd on the file, and then I will pipe it to less, so I can see just the top of the file.
And here we see it: there's the MZ header, there is the DOS stub string, there is the PE header. You'll learn about that in the future. We now know it's an executable and not a legitimate file of some other type.
We can even run strings to see if we see the same sort of strings. Go down to the bottom and we see some, so we know that it can create a file, we know that it is looking for another file by name, and we know it imports kernel32.dll, which is pretty common. We see the same sort of strings we've seen before: padding, padding, padding. Press q to exit from less.
We also got the MD5 sum of the malware, so we can go ahead and do that. So here is the MD5 hash that we had before. We can search VirusTotal for this. This is all without looking at the icon.
And if we just want to verify that it was executable, we use the file command. It will tell us that it is a PE executable using the GUI subsystem, the graphics subsystem.
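The same command-line triage done in a short Python script, as an added example that is not from the lecture: it checks the MZ and PE headers and reads the subsystem the way the file command reports it, pulls printable strings, and hashes the bytes with MD5 and SHA-256. The input is a constructed fake PE built inline, not the lecture's sample, and the offsets used are the standard PE header layout.

```python
"""Command-line triage in code: MZ/PE header check, subsystem, strings and hashes.
The sample bytes are constructed below; they are not real malware."""
import hashlib
import re
import struct

# Subsystem values from the PE optional header (Windows GUI = 2, console = 3).
SUBSYSTEMS = {2: "GUI", 3: "console"}

def pe_info(data: bytes) -> dict:
    """Return MZ/PE findings for data, like the checks done by hand with xxd."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "subsystem": None}
    if not info["mz"] or len(data) < 0x40:
        return info
    # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return info
    info["pe"] = True
    # COFF header is 20 bytes; the optional header follows, subsystem at its offset 68.
    opt = pe_off + 4 + 20
    if len(data) >= opt + 70:
        sub = struct.unpack_from("<H", data, opt + 68)[0]
        info["subsystem"] = SUBSYSTEMS.get(sub, f"other({sub})")
    return info

def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def hashes(data: bytes) -> dict:
    """MD5 for matching existing reports, plus SHA-256 as the lecture recommends."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_sample() -> bytes:
    """Constructed stand-in for the sample: a tiny fake PE with the GUI subsystem."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<H", opt, 68, 2)      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    body = b"This program cannot be run in DOS mode.\0kernel32.dll\0CreateFileA\0"
    return dos + b"PE\0\0" + coff + bytes(opt) + body

if __name__ == "__main__":
    sample = build_sample()
    print(pe_info(sample), strings(sample), hashes(sample)["sha256"])
```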
So just to recap what we've learned today: we learned what the vernacular and terminology are for malware. We learned about different malware types and functionality and how they easily overlap, and when the overlap happens, we call it a blended threat. We did a one-minute triage with freely available tools, and I also showed how to do that from the command line.
We covered where you can get samples if you need them. And at the end of every lecture I will also suggest good resources if you want to get more into various topics.
This is very broad, but I highly suggest Practical Malware Analysis. It's a big, thick book, and it is very, very good. They have malware that they give you, and based on whatever you learned in that chapter, at the back of the book they show you their analysis: what you should have seen and the conclusion you should have come to. That has been an extremely effective learning tool for me and many other people. The Art of Computer Virus Research and Defense is a classic book that's been around for a while. It's a little dry to read straight through. It's also big, but it's really more meant to be a reference. I know most people in my career field, and in your real career in your field as well, pretty much all of them have Practical Malware Analysis right there on the desk.
So thank you for watching the Introduction to Malware Analysis on Cybrary. We hope you have learned a lot, and that you'll continue to watch our videos here. How about Thursday?