The exercise files do not contain malware. They only contain the malware data we collect in the course so you can follow along with the course and analyze the same trace file. There is a baseline collection and a malware collection in order for comparisons to be made. If you don't have access to the exercise files that is okay; you can still follow along to see the inside of malware.
- [Voiceover] The purpose of this demo is to show you how malware can be lurking on your computer undetected. With that said, I want to bring your attention to this SvcHost desktop shortcut that I have. This is the malware, and it's disguised itself as the trusted Windows process SvcHost. SvcHost handles background services, and in your Task Manager, you can see many instances of it. The malware pretends to be SvcHost in order to blend in. If I right-click on the malware, and I open the file location, and then go to the file properties, we can see that it looks to come from Microsoft, and that the original name also says SvcHost.
Even the file description matches that of the normal SvcHost process. The final details can easily be spoofed by adding a version resource to your Visual Studio project. In that resource, you can change the file properties to whatever you want. So, if I wanted to change the file details to say it came from Google, I could do that right here. And if I want the name to be the same as the Command Prompt process, I can change it to cmd.exe. For now, I'm going to switch it back.
Now coming back to the desktop, I have anti-virus, anti-malware, and a VPN installed on this machine. I'm first going to scan it with my anti-virus. Okay, no threats detected. I'm now going to scan it with my anti-malware. Once again, threats detected: 0. I'm now going to go to "http://virustotal.com", which is a site where you can upload files you suspect are malware. I'm going to upload the malware and scan it. While "http://virustotal.com" scans it, it computes the hash signature of the uploaded file, and cross-checks the databases for every anti-virus and anti-malware program.
The databases for all the anti-virus and anti-malware programs listed on this page are constantly being updated. Once the scan completes, we can see it can evade most of the computer protection programs listed on this page, with a detection ratio of 8/60. So, only eight anti-virus programs were able to pick this up out of a total of 60. If I scroll down, here are the anti-viruses that were able to pick it up, and all the ones that couldn't. The fact that eight anti-virus programs were able to detect it means that the malware is popular enough to have its own anti-virus database signature. This means professional hackers are using this malware.
We revisit "http://virustotal.com" later on in the course. But for now, I'm going to exit out of here, and go back to the desktop. Now that I'm back on my desktop, I'm going to connect to my VPN. Once connected, I'm going to launch the malware. First our anti-virus shows a pop-up, saying that a host process for Windows Services is attempting to access the audio stream. Pay attention to these pop-ups, don't just blindly click the "allow" button. Make sure you know what process is trying to access your Windows audio stream.
We can see that even the anti-virus pop-up description for the malware is wrong, since it says it's a Host Process for Windows Services. This is because the malware spoofed its file details. Now, for the purposes of this demo, I'm going to click on the "allow" button, but make sure you keep an eye out for pop-ups like this, even if they are from your anti-virus. After that, we get another pop-up, only this one is for gaining access to the webcam. What this pop-up means is that even with webcam protection enabled on your anti-virus, if your anti-virus is misconfigured, malware can still gain access due to human error. Once again, for the purposes of this demo, I'm going to click on the "allow" button, but remember, always pay attention to your anti-virus pop-up notifications. Always look at the process trying to gain access to your Windows audio stream, or to your webcam. Now, notice how after I click on the "allow" button for the webcam, we get a notification from our anti-virus at the top, saying "Host Process for Windows Services is using the webcam". This is the malware recording us.
Now, when it comes to the key-logging and screen-recording, there are no pop-ups or indicators of any kind. This is where the Windows Performance Toolkit comes in. We use it to catch malware when anti-viruses miss it. At this time, everything I say, type, and do on the screen is being recorded. Also, the booth I'm in is being recorded by this malware. These recordings are being automatically emailed, by this machine, to a dummy Gmail account, where a hacker can easily view my daily activities. We can now see what the hacker would see, a bunch of emails with recording files attached.
Each email is labeled with the type of recording task, the files associated with it, and the timestamp the recording started. We can see the emails are labeled "WEBCAM", "SCREENCAP", "MICROPHONE", and "KEYSTROKES". The "WEBCAM" one shows me in-booth, with my recording headset on. The "SCREENCAP" recording shows me browsing the web. A time lapse video of all the screenshots is emailed, instead of individual images. This way, the hacker doesn't need to open up an image one at a time.
They can just watch a video of what you did on your computer screen. The "MICROPHONE" email has the recording for my microphone. Even with the third party audio application I'm using to record this video, it still picked it up. And lastly, the "KEYSTROKES" one contains the keys I was pressing. It picked up caps lock, and even left shift.
Even with a VPN, this will still provide the hacker with your passwords, and the answers to your secret security questions. This malware not only gathers a lot of private personal information about its victims, but it makes it easy for the hacker to check up on a victim's daily activities. As we just saw, the anti-viruses and anti-malware programs give a false sense of security. Just because you did a virus scan and you are 100% clean, doesn't mean there's no one watching you. The Windows Performance Toolkit gives you the power to play detective, and you can use it to catch your own malware, when other security programs fail you.
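As an added example, not part of the course or its exercise files, the PowerShell script below turns the demo's observations into a check a defender can run: for every running process named svchost.exe it asks whether the image lives in the genuine System32 or SysWOW64 location, whether it carries a valid Authenticode signature from Microsoft, and what the version resource claims about company and original filename (the field the demo shows being spoofed, so it is reported for context but never trusted). It also prints the SHA-256 hash so the file can be looked up on VirusTotal by hash, the same value the site computes on upload, without sending the file anywhere. The function name Test-SvcHostImpostor and the report fields are assumptions of this example; the cmdlets used (Get-CimInstance, Get-AuthenticodeSignature, Get-FileHash, Get-Item) are standard Windows PowerShell. Run it from an elevated prompt so the image paths of SYSTEM-owned processes are readable.

```powershell
# Added example (not from the course): flag processes named svchost.exe whose image
# is not the genuine Windows binary. Per process:
#   1. image path must be %SystemRoot%\System32\svchost.exe or SysWOW64\svchost.exe
#   2. file must carry a valid Authenticode signature whose signer is Microsoft
#   3. version-resource fields are reported only; a resource can say anything
# Run from an elevated PowerShell prompt so every process's ExecutablePath is visible.

$genuinePaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Test-SvcHostImpostor {
    # Hypothetical helper name (this example's own). Returns one report object;
    # Suspicious is $true when the path check or the signature check fails.
    param([Parameter(Mandatory)] [string] $Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # -contains compares case-insensitively, so C:\WINDOWS\system32 still matches.
    $pathOk = $genuinePaths -contains $Path
    $sigOk  = ($sig.Status -eq 'Valid') -and
              ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path            = $Path
        InGenuinePath   = $pathOk
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ClaimedCompany  = $info.CompanyName       # from the version resource: spoofable
        ClaimedName     = $info.OriginalFilename  # from the version resource: spoofable
        Sha256          = $hash                   # look this up on VirusTotal instead of uploading
        Suspicious      = -not ($pathOk -and $sigOk)
    }
}

# WQL string comparison is case-insensitive, so 'SvcHost.exe' is matched as well.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath } |
    Select-Object -ExpandProperty ExecutablePath -Unique |
    ForEach-Object { Test-SvcHostImpostor -Path $_ } |
    Where-Object Suspicious |
    Format-List
```

On a clean machine the pipeline prints nothing; the sample in the demo would show up with InGenuinePath false and a signature status other than Valid, while ClaimedCompany and ClaimedName still read as Microsoft and svchost, which is exactly why the report keeps the version-resource fields separate from the two checks that decide Suspicious.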
- Analyzing malware
- Reviewing the overall structure of the malware
- Collecting malware data
- Finding and analyzing keylogger patterns
- Analyzing screen recordings
- Analyzing webcam recordings
- Analyzing microphone recordings
- Recording prevention tips