Monday, 5 December 2016

Digital Immunity: The Myths and Reality

Topics for Discussion
 • Malware
     • Threats and Techniques
     • Impact and Effects
 • Incident Management 
     • Preparation
     • Detection and Containment 
     • Eradication and Recovery 
     • Reporting and Analysis
 • Demonstration
 • Summary

What is Malware?
• Any piece of hardware, software or firmware that is intentionally included or introduced into a computer system for unauthorized purposes, usually without the knowledge or consent of the user

• Includes
  – Viruses 
  – Trojan horse programs
  – Worms 
  – Hoaxes 
  – Logic bombs 
  – Joke programs 

Virus – Defined
 “…a program which makes a copy of itself in such a way as to ‘infect’ parts of the operating system and/or application programs.” - Survivor’s Guide to Computer Viruses, Virus Bulletin, 1993.
• Replicates
  – file to file
  – system to system
  – disk to disk
• Typically requires a “host”
• Must be executed
• May cause a symptom or damage (payload)

Virus Infection Process
Ensures virus executes before original executable

Types of Viruses
• Boot sector
  – Infects boot record on diskette or hard drive
  – Only spreads if booted from infected diskette
• File infector 
  – Infects program files or portable executables
• Macro
  – Infects operating environment
• Scripts 
  – Similar to batch files
• Multi-partite 
  – Combinations of any of the types above

Virus - Example
• W97M.Marker
  – Infects Word documents
  – Records a log of the infection including user name, mailing address, and date/time of the infection
  – Attempts to send the log file to an outside organization via the Internet

Worm - Defined
• Self-contained
• Does not require a host
• Replicates from system to system
• Infects systems, not files
• Typically “network-aware”

Worm - Example
• ExploreZip
  – Sends email with infected attachment
  – Infects local system
  – Sets file size to 0
  – Attempts to infect mapped systems
  – Attempts to set file size to 0 on mapped systems
  – Attempts to infect remote systems with shared resources

Trojan horse – Defined
• Deliberately do something unexpected
  – Steal passwords
  – Delete files
  – Open backdoors
  – Connect to external sites
• Do not replicate

Trojan horse - Examples
• NetBus and BackOrifice
  – Remote Administration Tools (RAT)
  – Usually sent inside a game, such as “checkers” or “whack a mole”
  – Allows a remote user to have control
• Subseven
  – Arrives as masqueraded file (with double extension)
  – Uses IRC to notify others of infection
  – Grants access to system and can be used to launch DDoS

Joke Program – Defined 
• A type of Trojan horse 
• Does not replicate 
• Not intended to be malicious

Joke Program – Example
• Wobbler
  – Causes victim’s screen display to “shake” as if experiencing an earthquake
  – Only stopped by hitting <ESC> key
  – No data loss as direct result

Hoax – Defined
• Does not self-replicate
• Messages only
  – false warnings
• Spread rapidly
• Cause no direct damage

Hoax - Example
VIRUS WARNING !!!!!!

 If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It will erase everything on your hard drive.  Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in our address book so that this may be stopped.
And so it goes on...


Logic Bomb – Defined
• Does not replicate
• Portion of code that only activates based upon a pre-determined or programmed trigger
• Typically causes some form of damage

Logic Bomb – Example
• Software programmer creates a module that only executes when she no longer appears in payroll
• Module is set to modify pay rates for management employees

Internet Threats
• Java
  – Interpreted executable content
  – Interpreted at client computer
  – Sandbox model
  – Behavior can be restricted
• ActiveX
  – Native executable content
  – No special restrictions
  – Can do anything that users can do
• Hostile applets
  – Limited by accountability
  – System must be both a web server and browser for these to replicate

Exposures
• Diskettes and other storage media
• Shared files on servers
• Web sites
• Bulletin boards and downloaded files
• Electronic mail messages and attachments
• Newsgroups
• Internet/network connections

Propagation Requirements
“Three basic things allow viruses to spread: sharing, programming, and changes. All we have to do is eliminate those three things and we will be perfectly free of viruses.” 

• Ability to receive information or programs 
• Ability to store and process at minimal levels 
• Ability to communicate with other  computers 
• Ability to accept information communicated from others as programming commands with access to a minimum level of resources

Propagation
• Malware can infect
  – Program files
  – Files that contain executable portions, such as macros
  – Diskettes and other storage media
  – Email message attachments
  – HTML based email messages
• Malware cannot infect
  – Hardware (though it can be malicious)
  – Text based files or messages
  – Write-protected storage media

How Fast Do They Spread?
 

Concealment Techniques
• Spoofing/Stealth
  – Trapping calls to the system and providing false replies
• Encryption
  – Using some key to encrypt the code
• Polymorphism – Causes the virus to look different each time it is executed
  – Encryption is one form of polymorphism if the encryption key is different each time
  – Mutation engine

Impact and Effects
• Nuisance
• Spoofing
• Denial of Service
• Overwriting and Data diddling
• Destruction
• Psychological
• “Netspionage”
  – Siphoning data
  – Exposing vulnerabilities
• Social Engineering

Impact and Effects (concluded)
• Compromise or Loss of Data
• Loss of Productivity
• Denial of Service
• Data Manipulation
• Loss of Credibility
• Loss of Revenue
• Embarrassment

Incident Management Model
• Preparation
  – Know threats, vulnerabilities, risks
  – Implement controls
  – Document written incident response procedures
  – Identify Response Team
  – Test procedures

Response Team Members
• System and Network Admins
  – Email
  – Network
  – Firewalls
  – IDS
• Security Staff
• Management
• Legal Counsel
• Public Relations

Incident Management Model (continued)
• Detection
  – Detect and identify incident (diagnosis)
  – Products and tools can be beneficial
  – Determine source and scope
• Containment
  – Limit spread of incident
  – Downstream liability

Tools
• Scanners
• Integrity checkers
• Heuristics
• Sandboxes
• Content Filters
• Firewalls
• Intrusion Detection
• Routers
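To make the "integrity checker" entry concrete, here is an added example (not from the slides or any product they mention): it records a size and SHA-256 baseline for a directory and later reports modified, added and removed files. The directory contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example, not from the slides: a minimal file-integrity checker of the
# kind listed under "Tools". It records a size + SHA-256 baseline for every
# file under a directory and later reports what was modified, added or removed.

def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), sha256_file(full))
    return snap

def compare(old, new):
    """Diff two snapshots; a file infector or a size-to-0 truncation both land
    in 'modified' because size and hash no longer match the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }

def demo():
    """Constructed scenario: baseline a temp directory, then reproduce the
    effects the slides describe (a file truncated to 0 bytes, a new dropped
    file) and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.exe", b"MZ\x90\x00program"), ("notes.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = baseline(root)
        open(os.path.join(root, "notes.txt"), "wb").close()   # size set to 0
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ\x90\x00unexpected")
        return compare(before, baseline(root))
```

A real deployment would store the baseline on write-protected media, since the slides note malware cannot alter such media.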

Techniques
• Block addresses
• Inbox/Outbox
• Message Headers
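Added example (not from the slides) tying together the sender blocking and header checks listed here with the double-extension masquerade from the Subseven slide: it parses one raw message, blocks a listed sender and flags attachments whose name ends in an executable extension. The block-list, the extension sets and SAMPLE are constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example, not from the slides: sender block-list and attachment checks
# of the kind listed under "Techniques". Block-list, extension sets and the
# sample message are constructed for illustration.
BLOCKED_SENDERS = {"spammer@example.invalid"}
DOC_EXTS = {"txt", "doc", "jpg", "pdf", "zip"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "pif", "vbs"}

def is_masqueraded(filename):
    """True for names such as 'photo.jpg.exe': a document extension hiding an
    executable one. Whitespace padding between the parts is stripped too."""
    parts = [p.strip().lower() for p in filename.split(".")]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS

def screen_message(raw):
    """Return (kind, detail) findings for one raw RFC 822 message; empty = pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in BLOCKED_SENDERS:
        findings.append(("blocked-sender", addr))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_masqueraded(name):
            findings.append(("masqueraded-attachment", name))
        elif name.rsplit(".", 1)[-1].lower() in EXEC_EXTS:
            findings.append(("executable-attachment", name))
    return findings

# Constructed sample: a "game" sent from a blocked address with a
# double-extension attachment, as on the Trojan horse slides.
SAMPLE = """\
From: "Friendly Game" <spammer@example.invalid>
Subject: play checkers
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Try this game!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="checkers.txt.exe"

MZ
--b1--
"""
```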
