- Slide 1
  - Electrical Engineering and Computer Sciences, University of California, Berkeley
  - Combating Stealth Malware and Botnets in Higher Education
  - Educause, Arlington, 2008
  - Fred Archibald, University of California Berkeley, Electrical Engineering and Computer Sciences
- Slide 2
  - Overview
  - EECS network background
  - Security concerns
  - Existing protections
  - FireEye deployment
  - Infection examples
  - Futures and challenges
- Slide 3
  - EECS Network Background
  - EECS is a large department: it serves more than 4000 undergrads, 500 grad students, 100 faculty and 200 staff
  - Network largely separate from the rest of UCB
- Slide 4
  - Security Concerns
  - Security is a constant issue; Berkeley is often a target
  - Security is now an arms race
  - Hackers have moved from notoriety to crime
  - More concern about compliance
- Slide 5
  - Security Concerns (continued)
  - Mobile devices are a big concern: boom in WiFi, over-the-air traffic often insecure
  - Less enterprise control over user-owned devices
  - EECS uses internal and external WLANs
  - Zero-day concerns
- Slide 6
  - Existing Protections
  - Enterprise firewall: less effective in an open academic net
  - A/V: a struggle to keep up to date
  - IDS: a lot of false positives
  - Host-based firewalls
  - Anti-spam appliances
- Slide 7
  - FireEye Deployment
  - Targeted primarily at wireless traffic
  - Out-of-band solution: very important for EECS
  - Completely clientless: also very important
  - Wireless data mirrored to two appliances
- Slide 8
  - FireEye Deployment (continued)
  - Appliances run mirrored traffic against virtual victim clients
  - A positive infection can result in alerts or blocks
  - Dynamic updates from the Botwall network
- Slide 9
- Slide 10
  - Infection Examples: Spam Bots
- Slide 11
  - Clients receive malware (Rustock)
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
  - Rustock: spam mail bot
  - Installs a rootkit
  - Installs a spam module
  - Uses encryption
  - Can install any arbitrary code: flexible and easy to update
  - (Analysis credit: Ken Chiang, Levi Lloyd, Sandia National Lab)
- Slide 17
  - Botted clients send spam
- Slide 18
- Slide 19
- Slide 20
  - Trojan.farfli
- Slide 21
- Slide 22
  - (Excerpt from Symantec)
  - Discovered: July 29, 2007; Updated: July 29, 2007 8:51:54 AM
  - Also Known As: TROJ_FARFLI.EY [Trend]
  - Type: Trojan; Infection Length: Varies
  - Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
  - "It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry. If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name:"
- Slide 23
  - Botnet IRC Channel Join
  - Trojan-Downloader.QQHelper
- Slide 24
- Slide 25
  - User or malware connects to: http://www.yahoo550.com/image/logo.jpg?queryid=21kXXXXj412
  - The user connects to the site with a specific query id
  - The site sends the browser a file called logo.jpg, which is really a UPX-packed malware executable
  - The browser installs the exe
  - Bot communication begins on IRC
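The chain on this slide (an "image" that is really a packed executable, followed by an IRC channel join from the same client) is exactly what an out-of-band sensor on mirrored wireless traffic can catch. The following is an added example, not code from the presentation or from FireEye: it walks the DOS/PE headers of a fetched body to detect a PE disguised as an image (using UPX section names as a packing hint) and correlates that with a later IRC JOIN from the same source. The PE bytes, the JPEG bytes, the client addresses, the timestamps and the channel name are all constructed for the demo; only the dropper URL comes from the slide.

```python
"""Added example: network-side detection of a disguised PE download followed by an IRC JOIN."""
import struct
from datetime import datetime, timedelta


def parse_pe(data):
    """Minimal DOS/PE header walk: return (is_pe, [section names])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, []
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return True, names


def build_fake_pe(section_names):
    """Constructed PE headers only (no code, not executable) to stand in for the dropper body."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.ljust(8, "\0").encode() + b"\0" * 32 for n in section_names)
    return dos + coff + secs


def classify_download(url, content_type, body):
    """Does the declared type match the bytes? Flags PE bodies and UPX packing."""
    path = url.split("?", 1)[0].lower()
    declared_image = content_type.startswith("image/") or path.endswith((".jpg", ".jpeg", ".png", ".gif"))
    is_pe, sections = parse_pe(body)
    upx = any(s.upper().startswith("UPX") for s in sections)
    if is_pe and declared_image:
        verdict = "pe_disguised_as_image"
    elif is_pe:
        verdict = "pe"
    else:
        verdict = "ok"
    return {"declared_image": declared_image, "is_pe": is_pe, "upx_packed": upx, "verdict": verdict}


def irc_join(line):
    """Channel named by a client JOIN command (RFC 1459 syntax), else None."""
    parts = line.strip().split()
    if len(parts) >= 2 and parts[0].upper() == "JOIN" and parts[1].startswith(("#", "&")):
        return parts[1]
    return None


def correlate(events, window_minutes=30):
    """Alert when a client fetched a disguised PE and then JOINed an IRC channel within the window."""
    suspects, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "http":
            r = classify_download(ev["url"], ev["content_type"], ev["body"])
            if r["verdict"] == "pe_disguised_as_image":
                suspects[ev["src"]] = (ts, ev["url"], r["upx_packed"])
        elif ev["kind"] == "irc":
            chan = irc_join(ev["line"])
            if chan and ev["src"] in suspects:
                t0, url, upx = suspects[ev["src"]]
                if ts - t0 <= timedelta(minutes=window_minutes):
                    alerts.append({"src": ev["src"], "dropper_url": url,
                                   "upx_packed": upx, "channel": chan})
    return alerts


FAKE_PE = build_fake_pe(["UPX0", "UPX1", ".rsrc"])       # constructed
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\0" * 60               # constructed JFIF start
EVENTS = [                                                 # constructed capture
    {"ts": "2008-03-05T10:00:01", "src": "10.1.1.23", "kind": "http",
     "url": "http://www.yahoo550.com/image/logo.jpg?queryid=21kXXXXj412",
     "content_type": "image/jpeg", "body": FAKE_PE},
    {"ts": "2008-03-05T10:00:09", "src": "10.1.1.23", "kind": "irc", "line": "JOIN #bots secret"},
    {"ts": "2008-03-05T10:01:00", "src": "10.1.1.40", "kind": "http",
     "url": "http://www.example.test/real.jpg", "content_type": "image/jpeg", "body": REAL_JPG},
    {"ts": "2008-03-05T10:01:30", "src": "10.1.1.40", "kind": "irc", "line": "PRIVMSG #eecs :hi"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['src']} fetched {a['dropper_url']} (upx={a['upx_packed']}) then joined {a['channel']}")
```

The type-mismatch check alone is noisy on its own (CDNs mislabel content all the time), which is why the alert only fires once the same client also joins an IRC channel; the window and the "disguised PE" precondition are the knobs to tune against local false-positive rates. A real sensor would reassemble the HTTP body from the mirror rather than receive it pre-assembled as here.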
- Slide 26
  - Botnet_W32/Small.HSG
- Slide 27
- Slide 28
- Slide 29
  - Botnet_W32/Small.HSG
  - Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL. Normally arrives as a dropped file by other malware or is downloaded unsuspectingly by the user from a malicious website. Once running on the system, this trojan will download a file from the following website: http://ymq.a2000150.wrs.mcboo.com/[Removed]
  - The downloaded file will then be stored as: %Windows%\17PHolmes2000150.exe
- Slide 30
  - Futures and Challenges
  - Move appliances to the network edge to capture both wireless and wired traffic
  - Mirroring or SPAN difficulties: use a Gigamon data access switch
  - Explore OSPF null routing to block traffic to botnets
  - More mobile platforms
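The "OSPF null routing" item above refers to the usual remotely triggered black hole: a border router carries static routes to Null0 for known botnet C2 addresses and redistributes them into OSPF, so every interior router drops traffic destined to those hosts. The following is an added example, not from the presentation: it parses the Null0 statics already on a router, sorts a C2 list into covered / to-add / refused, finds stale routes that no current indicator needs, and renders the IOS lines. It refuses to blackhole protected space, because a fat-fingered campus prefix here is an outage for the whole department. The prefix 192.0.2.0/24 stands in for the real campus range; the C2 addresses, the router config text, the tag 666 and the route-map name BLACKHOLE are constructed.

```python
"""Added example: bookkeeping for Null0 blackhole routes redistributed into OSPF."""
import ipaddress

# Constructed stand-ins: 192.0.2.0/24 for campus space, plus RFC 1918. Never blackhole these.
PROTECTED = [ipaddress.ip_network(p) for p in
             ("192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_null_routes(config_text):
    """Prefixes already pointed at Null0, from IOS-style 'ip route A.B.C.D MASK Null0 ...' lines."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "route"] and parts[4] == "Null0":
            routes.append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return routes


def plan_blackholes(c2_hosts, existing, protected=PROTECTED):
    """Sort C2 hosts into covered / add / refused, and list installed routes no indicator needs."""
    plan = {"covered": [], "add": [], "refused": [], "stale": []}
    wanted = []
    for host in c2_hosts:
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in protected):
            plan["refused"].append(host)     # never blackhole our own address space
            continue
        wanted.append(ip)
        if any(ip in net for net in existing):
            plan["covered"].append(host)     # an existing Null0 route already drops it
        else:
            plan["add"].append(host)
    plan["stale"] = [str(net) for net in existing if not any(ip in net for ip in wanted)]
    return plan


def render_ios(plan, tag=666, ospf_process=1):
    """IOS lines: /32 Null0 statics for new hosts, removal of stale ones, tag-filtered redistribution."""
    lines = [f"ip route {h} 255.255.255.255 Null0 tag {tag}" for h in plan["add"]]
    for cidr in plan["stale"]:
        net = ipaddress.ip_network(cidr)
        lines.append(f"no ip route {net.network_address} {net.netmask} Null0 tag {tag}")
    # Only statics carrying the blackhole tag leak into OSPF; other statics stay local.
    lines += ["route-map BLACKHOLE permit 10", f" match tag {tag}",
              f"router ospf {ospf_process}", " redistribute static subnets route-map BLACKHOLE"]
    return lines


SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
ip route 198.51.100.0 255.255.255.0 Null0 tag 666
ip route 203.0.113.200 255.255.255.255 Null0 tag 666
"""   # constructed router snippet
SAMPLE_C2 = ["203.0.113.7", "198.51.100.44", "203.0.113.99", "192.0.2.50", "10.9.8.7"]   # constructed

if __name__ == "__main__":
    p = plan_blackholes(SAMPLE_C2, parse_null_routes(SAMPLE_CONFIG))
    print(p)
    print("\n".join(render_ios(p)))
```

Two caveats worth keeping in mind when doing this for real: a Null0 route only drops traffic *to* the C2, so inbound traffic from it still needs an ACL or uRPF on the edge, and the refused list should be reviewed by a person rather than silently dropped, since a C2 living inside protected space is itself a finding.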
- Slide 31
  - Summary
  - Our existing protections are no longer adequate
  - Botnet traffic was previously difficult to detect
  - Botnet detection gives us a new weapon to battle stealth malware
- Slide 32
  - Questions?
- Slide 33