Time
3 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:00
Hello and welcome to PC Security Intermediate Course.
00:04
And in this video I will be talking about UEFI malware,
00:09
in particular about details and the way the first known UEFI virus or malware is operating.
00:21
So what we're talking about is, uh,
00:25
malware that is known as LoJax.
00:28
And it's made by Fancy Bear, a Russian hacking group, which may or may not have some deep connections with some kind of government agencies in Russia.
00:42
As I said, this is the first UEFI virus or malware that has been detected in the wild,
00:50
and it exploits a vulnerability in what is called Computrace LoJack, which is kind of like an application within the UEFI, made by Computrace, which is there to enhance the possibility of finding a lost or stolen PC.
01:10
So what is LoJack doing
01:12
is basically acting below the operating system and pinging, if it's activated, that they were devices to a certain server, revealing its location. The important thing for this virus is that LoJack
01:34
is working even before the operating system is loaded, or if there is no operating system whatsoever in the PC, even if there is no hard drive in the PC or SSD.
01:47
So, uh, Fancy Bear has exploited this functionality of most UEFI BIOSes, which have Computrace LoJack,
01:57
and created their LoJax, which is a two-component malware. One component is in the BIOS, and the other is, um, on the hard drive of the PC.
02:12
So how the attack works.
02:15
Well, first of all, you catch your bug somehow,
02:20
and you have something called a persistent agent dropper, which essentially is dropped in the UEFI BIOS, a small module.
02:30
It's a, let's say, add-on to your BIOS, or changes something in your BIOS.
02:38
And then what it does is, ah, replaces the legit autochk.exe with the infected one,
02:46
and in the next step autochk.exe drops an agent called rpcnetp.exe
02:54
and installs the same agent as a service in the operating system.
03:00
And, uh,
03:02
then this agent injects a DLL in svchost and Internet Explorer, and then it goes online
03:14
and installs a recovery agent on your hard drive. So this recovery agent is a much bigger package than the original
03:21
dropper that has, uh,
03:24
done damage to UEFI,
03:29
and this is why it has to go online for it.
03:31
And in the operational phase of LoJax,
03:36
you have the module in the UEFI.
03:39
And you have, ah, a recovery agent running on a PC.
03:44
So if you,
03:46
ah, reflash the BIOS of the device itself,
03:51
um, the recovery agent that is running on a PC will reflash the BIOS once the machine has started.
03:59
So this is a problem.
04:00
You cannot just reflash the BIOS and say, okay, I got rid of
04:04
malware in my UEFI.
04:06
So how do you remove it?
04:10
Um,
04:12
first, you have to power off your machine.
04:15
Then you take your hard drive and essentially reimage it outside your PC.
04:20
And then you reinstall the BIOS from USB during boot, if it's possible. If you don't have that option on your PC
04:30
for whatever reason,
04:31
then you have to physically replace the motherboard. And this is the ugly part, because it can cost you a lot of money, regardless of the man-hours spent to do this thing.
04:45
And then the fourth step: you switch the power off again, you put the hard drive back in the PC and you switch the power on. And now you have the BIOS, which has no LoJax,
04:58
and you have the hard drive, which has no agent there.
05:04
And, um,
05:06
this is okay if you have one PC infected. Okay, this is maybe half an hour, maybe 45 minutes, maybe one hour of work, really, really depending on how big your
05:16
image is, and how big your BIOS is, and how long it takes for your PC to be
05:24
reflashed to the older version of BIOS.
05:27
And you can do these things in parallel, so you can put the hard drive to be reimaged,
05:32
and while that is happening, you can do the reflashing of the BIOS. You can do these things in parallel, so maybe you can be finished in 15, 20 minutes.
05:43
Imagine now that LoJax has infected one PC and spread through the network and infected like 2000.
05:49
Then you have a problem because then you have to have the army of people doing that.
05:56
And essentially you have to do that
05:59
because it can spread through a network. You have to do that by
06:02
essentially switching all the PCs off, putting them in one room. You have your little army of people going in, doing all these things and then putting it back in operation. And you have to do it, for example, during a weekend or something like that.
06:20
Or you can set the non-infected PCs and protect them from LoJax being spread on them and spreading to them, because you can prevent these things happening. So LoJax is not spreading on all the known UEFI versions of BIOSes, and it can spread on just a few.
06:41
So LoJax is,
06:44
I should say, it's a proof of concept of having a BIOS virus in the world. So this is something that
06:53
it does create a certain backdoor on your PC, but it doesn't erase your data. It doesn't send it somewhere, so the damage is relatively small,
07:05
Let's say,
07:06
however, if you would have,
07:11
And the reason why it has part of the malware on the hard drive, so this persistent dropper,
07:17
you can detect it by antivirus. Now imagine that we would have some other kind of BIOS virus that wouldn't do this hard drive part.
07:32
It would be easier to remove it,
07:35
meaning that you would simply have to reflash your BIOS, and you can do it remotely, so very low man-hours involved. But you will first have to know that it's actually there,
07:49
and this is a problem
07:50
because then you wouldn't be able to detect it.
07:56
So this is the whole thing about why these, ah, UEFI or BIOS viruses are so dangerous, or BIOS malware:
08:03
they can just run in the background of your OS, and you don't know they're there.
08:11
And if you know they're there, then they are really difficult to remove,
08:16
especially costly to remove.
08:20
Okay, so we have finished everything about
08:24
UEFI malware, and let's do a short learning check. So the question for you is: what is the only way to remove LoJax? So you have three options. You can do: reimage hard drive, restart the PC and the hard drive, flash BIOS from OS.
08:39
You can replace the motherboard, boot Windows from the hard drive and then reinstall Windows.
08:46
Or you can reimage the hard drive outside the PC, flash the BIOS during boot, return the HDD in the PC. So the correct answer is the last one.
08:56
The other two will not remove, ah,
09:01
LoJax from the PC.
09:05
So in this video you have learned about UEFI malware and why it's so dangerous, and especially, you have learned about details of LoJax, and in the next lesson I will be talking about protecting the hardware of your PC,
09:22
meaning I will be talking about protection of the
09:26
firmware of your PC.

Up Next

Intermediate PC Security

The Intermediate PC Security course will teach students about endpoint protection. Students will learn fundamental information about PC Security and common attack vectors.

Instructed By

Milan Cetic
IT Security Consultant
Instructor