Recent Malicious Email Attack / Trend Micro Updates
SIRT IT Security Roundtable
Harvard Townsend, Chief Information Security Officer
harv@ksu.edu
August 14, 2009
Agenda
Recent malicious email attachments
  What happened?
  Why was it so effective?
  How can we defend against these attacks?
Trend Micro OfficeScan 10
Trend Micro Security for Macs
Q&A
What happened?
Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
Many more reports soon followed from around the world implicating many K-State IP addresses
Many K-Staters started reporting receipt of the malicious emails too
4:22pm - started blocking infected computers; continued detecting/blocking infected computers for three more days
113 infected computers blocked, others detected by sysadmins and rebuilt w/o getting blocked
5:45pm – posted info/warning to IT security threats blog
What happened?
Four different emails with the following subjects:
  Shipping update for your Amazon.com order 254-78546325-658742
  You have received A Hallmark E-Card!
  Jessica would like to be your friend on hi5!
  Your friend invited you to twitter!
Three (somewhat) different attachments:
  Shipping documents.zip
  Postcard.zip
  Invitation card.zip
At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
  “attachment.pdf                    .exe”
  “attachment.htm                    .exe”
  “attachment.chm                    .exe”
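The padded-extension trick in those attachment names is easy to check for mechanically, at the mail gateway or on the desktop. The block below is an added example, not code from this talk or from Trend Micro: it builds a constructed zip in memory whose member names mirror the pattern above and flags any member that has an executable extension, whitespace padding in front of the extension, or a "document" extension sitting in front of the real one. The extension list is an assumption, a reasonable starter set rather than anything the talk specifies.

```python
import io
import re
import zipfile

# Extensions that Windows runs directly on double-click (assumption: a starter list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Whitespace immediately before the final extension, e.g. "attachment.pdf          .exe".
PADDED_EXTENSION = re.compile(r"\s+\.[A-Za-z0-9]{1,5}$")


def classify_member_name(name):
    """Return the reasons a zip member name looks deceptive (empty list if it looks benign)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any folder component inside the archive
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if PADDED_EXTENSION.search(base):
        reasons.append("whitespace padding hides the real extension")
    # A "document" extension sitting in front of the real one ("attachment.pdf .exe").
    stem = base[: -len(ext)].rstrip() if ext else base
    if ext and "." in stem:
        reasons.append("double extension (claims to be ." + stem.rsplit(".", 1)[-1].lower() + ")")
    return reasons


def scan_zip_attachment(zip_bytes):
    """Inspect every member name of a zip attachment (given as bytes) without extracting anything.
    Returns {member_name: [reasons]} for the members that look deceptive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive whose member names mirror the padded names described in the talk.
    The member contents are inert placeholder text, not the original attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"inert placeholder bytes")
        zf.writestr("Postcard.jpg", b"inert placeholder bytes")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

Because the check runs on the archive's central directory only, it never extracts or executes anything; a gateway can apply it to every zip attachment and quarantine on any hit, and the three independent reasons make it robust to a sender dropping just one of the tricks.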
What happened?
New variant of malware so Trend Micro OfficeScan did not detect it.
10:45pm - I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t.
11:52pm – warning email sent to profacstaff and classified mailing lists
July 14, 8:00am – virustotal.com reports 29 of 41 AV products identify the malware (not Trend Micro)
www.virustotal.com/analisis/...
What happened?
July 14, 9:00am – finally get samples uploaded to Trend Micro
11:40am – Trend reports malware identified as WORM_AGENTO.BY, “bandage” pattern file available
2:00pm – bandage pattern file pushed out to OfficeScan clients
Production pattern file released later that evening which detects the malware
397 instances detected/deleted by TMOS since July 13
IT Tuesday article posted about it: itnews.itac.k-state.edu/2009/07/malicious...
July 29 and August 7 – similar attacks with new variants of the malware; submitted samples to Trend faster, with about a 2 hour turnaround for a pattern file that detects the malware
Malware Characteristics
Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
Modified registry to run every time the computer boots
Copied itself to mounted file systems, including USB flash drives
Copied itself to common P2P file sharing folders, masquerading as enticing software downloads
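Persistence through a "run at every boot" registry entry is something a sysadmin can audit from a plain registry export, which is how a rebuilt-or-not decision was often made on infected machines. The block below is an added example, not code from this talk or from Trend Micro: it parses a constructed .reg export of the Run keys and flags entries whose program lives in a scratch or download folder, or that borrows a Windows system process name while sitting outside the Windows directory. The talk does not say which key the worm used; the Run/RunOnce keys are the usual ones, and the path fragments, the impersonated-name list and the sample entries are assumptions constructed for the example.

```python
import re

# Well-known auto-start keys under HKLM and HKCU; the exact key this worm used is not given in the talk.
RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)
# Scratch locations where a legitimately installed auto-start program would not normally live (assumption).
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\downloads\\", "\\recycler\\")
# Names malware commonly borrows from Windows system processes (assumption: short starter list).
IMPERSONATED_SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}

# One value line of a .reg export: "name"="data"  or  @="data" for the default value.
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the string values of a .reg export into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            # .reg files escape backslashes and double quotes with a backslash.
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys


def extract_program_path(data):
    """Pull the executable path out of a Run value, which may be quoted and carry arguments."""
    m = re.match(r'^"([^"]+)"', data)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def find_suspicious_autoruns(reg_text):
    """Return the Run/RunOnce entries whose program path looks like malware persistence."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            path = extract_program_path(data)
            lowered = path.lower()
            reasons = []
            if any(frag in lowered for frag in SUSPICIOUS_PATH_FRAGMENTS):
                reasons.append("auto-start program lives in a scratch/download location")
            if lowered.rsplit("\\", 1)[-1] in IMPERSONATED_SYSTEM_NAMES and "\\windows\\" not in lowered:
                reasons.append("system process name outside the Windows directory")
            if reasons:
                hits.append({"key": key, "value_name": name, "path": path, "reasons": reasons})
    return hits


# Constructed sample export (not from a real K-State machine): two benign entries and one that
# mimics the "run at every boot" persistence described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntivirusMonitor"="\"C:\\Program Files\\ExampleAV\\monitor.exe\" -HideWindow"
"updater"="C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_REG):
        print(hit["key"], hit["value_name"], hit["path"], "; ".join(hit["reasons"]))
```

On a real machine the input would come from `reg export` of the two Run keys; running the same check across a fleet's exports is a cheap way to find the boxes that were infected but never got blocked at the network edge.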
Malware Characteristics
Sample P2P folders used:
  %ProgramFiles%\ICQ\Shared Folder
  %ProgramFiles%\Grokster\My Grokster
  %ProgramFiles%\EMule\Incoming
  %ProgramFiles%\Morpheus\My Shared Folder
  %ProgramFiles%\LimeWire\Shared
Sample enticing software downloads:
  Ad-aware 2009.exe
  Adobe Photoshop CS4 crack.exe
  Avast 4.8 Professional.exe
  Kaspersky Internet Security 2009 keygen.exe
  LimeWire Pro v4.18.3.exe
  Microsoft Office 2007 Home and Student keygen.exe
  Norton Anti-Virus 2009 Enterprise Crack.exe
  Total Commander7 license+keygen.exe
  Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  Perfect keylogger family edition with crack.exe
  … and about 25 more
Why was it so effective?
Used familiar services: Amazon.com, Hallmark eCard greeting, Twitter
Sensual enticement (“Jessica would like to be your friend on hi5!”)
Somewhat believable replicas of legitimate emails
Sent it to lots of people (bound to hit someone who just ordered something from amazon.com, or is having a birthday)
Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
New variant that spread quickly, so initial infections were missed by antivirus protection
I was too slow submitting samples to Trend (better the second and third time around)
Malware/attachment filtering in Zimbra did not stop it
It had been a long time since an attack came by email attachment, so people were caught off-guard
What can we do?
Users need to learn to recognize scams
  Hallmark, amazon.com, etc. do not send info in attachments
  Don’t open an attachment unless you are expecting it and have verified with the sender
  Think before you click
  Be paranoid!
[Screenshot: Malicious Hallmark E-Card]
[Screenshot: Legitimate Hallmark E-Card]
[Screenshot: Malicious Amazon Shipping Notice]
[Screenshot: Legitimate Amazon Shipping Notice]
[Screenshot: Malicious Twitter Invitation]
What can we do?
Better malware filtering in e-mail
  Need to work more closely with Zimbra/Yahoo
Submit malware samples sooner (we’re doing that now)
Trend Micro OfficeScan 10…
Trend Micro OfficeScan 10
Major upgrade from current version 8 (where did version 9 go?!)
Ripe with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)
But it appears to provide real value:
  Faster deployment of pattern file updates
  Smaller client footprint
  Windows 7 support (not officially supported in OfficeScan 8)
  More options for re-scheduling missed scheduled scans
  Better Active Directory integration
  Better control of removable devices like USB drives
  Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)
Trend Micro OfficeScan 10
“In-the-cloud” scanning (“SmartScan”) vs. conventional scanning
  Client uses pattern info stored on local or global servers rather than having to store everything on every client computer
  Updates pattern files hourly instead of daily
  Smaller pattern files on the client, less network bandwidth used to deploy pattern files
  Some heuristic-based detection
  Can still do conventional scanning for systems with limited Internet access
Trend Micro OfficeScan 10
Better options for dealing with missed scheduled scans
  Postpone a scheduled scan before it begins
  Stop and resume a currently active scheduled scan
  Resume a missed scheduled scan
  Automatically skip a scheduled scan when the laptop battery is below a certain %
  Automatically stop a scheduled scan when it runs longer than a certain amount of time
Trend Micro OfficeScan 10
Device Access Control
  Sysadmins can control use of removable drives
  Examples: removable thumb drives, Firewire hard drives, PC-Cards, media players
Trend Micro OfficeScan 10
The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
  Prevents OSCE applications from being injected with malware and impacting business operations
  Provides the ability to protect OfficeScan files / file types within folders from being modified
  Protects OfficeScan system processes to prevent unauthorized shut-down
  Protects OfficeScan system registry entries from unauthorized modification
Trend Micro OfficeScan 10
TMOS 10 concerns
  Is a major upgrade, so needs thorough testing
  Uncertainty about use of SmartScan vs. conventional scan
  Significant CPU utilization every hour on the Local Scan Server when it downloads and processes new pattern files
  Standalone Scan Server requires VMware™ ESXi Server 3.5 Update 2, VMware ESX™ Server 3.5 or 3.0, or VMware Server 2.0
  1,000 client limit if the Local Scan Server and OfficeScan server run on the same server – called “Integrated Scan Server” (compared to 5,000-8,000 clients for the latter)
  No tool yet to export/import config from a TMOS 8 server to a TMOS 10 environment, but they’re working on it
Trend Micro OfficeScan 10
TMOS 10 plans
  Is available now, has been out for a while (service pack 1 in beta)
  Needs more testing – campus sysadmins encouraged to test
  Central TMOS 10 server for testing sometime...
  SIRT will plan coordinated rollout for campus (can be pushed from the server)
  No timeline at this point, but advantages warrant a somewhat aggressive schedule, as does the release of Windows 7 in late October
Trend Micro Security for Macs
K-State’s license for Symantec AV for Macs expires October 27, 2009
No budget for renewal or replacement
TM Security for Macs (TMSM) is a new product from Trend Micro, included in our campus site license
Barring a show-stopper problem, we will switch to TMSM this fall
Trend Micro Security for Macs
Features/Advantages:
  No additional cost
  Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
  Managed as a plug-in to current Windows OfficeScan servers, so we have a common management platform
  Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors
  Includes Web Reputation Services to help prevent users from visiting known malicious web sites
  Covered by current Silver Premium Support contract
  Single vendor for all AV products
Trend Micro Security for Macs
Timeline:
  Version 1.5 in beta test now
  Being tested pretty extensively at K-State
  Fixed known issues we had with v1.0
  Production release available to K-State after August 25
  Switch by October 27, or semester break for imaged labs (SAV will continue to work)
  New Macs should install Symantec now but plan to switch
What’s on your mind?