Trojans, Worms, Virri
Dave Wade, G4UGM
12/15/2006
Malware?

What is Malware? Any hostile, intrusive, or annoying software or program code. Includes the following:-
• Virus - Infects other programs
• Trojan - Does not work as advertised
• Worm - Spreads by security flaws or bugs
• Spyware - Reports on your actions in an unwanted way
• Adware - Makes pop-ups or alters web pages
I would also include “phishing” and “pharming”….
History

• 1987 – Christmas Exec Trojan
  • Infiltrates Bitnet and VNET IBM networks
• 1988 – Student Robert Morris unleashes a worm on the Internet that crashes 6,000 computers.
  • Morris becomes the first person convicted under the US Computer Fraud and Abuse Act.
Viruses

• Whilst the press often describe any piece of malware as a “virus”, a virus really has very specific attributes:-
  • Spread by changing existing programs
  • When run they usually infect more programs
• Despite popular myth:-
  • Not the oldest type of malware
    • Trojans and Worms are older
  • Probably not the most common
    • Adware etc.
  • May cause damage later when “triggered” or not at all.
    • Otherwise they would not spread
    • “Trigger” may be date, time or event
• Some Viruses also have “worm” characteristics: spread via e-mail (e.g. Melissa).
Viruses (cont.)

• Note that as many files/documents can contain code, they can also be used by viruses. Typical examples include:-
  • Word Documents
  • Spreadsheets
  • Mail Messages
• Traditional Virus scanners detect viruses by scanning files and looking for tell-tale sequences of code
Trojan

• Is a program that does not work as advertised
  • Screen Saver, “Time Sync”, Peer-to-Peer file share
• The program may actually
  • Log keystrokes and passwords
  • Use the PC to send SPAM
  • Launch DOS attacks on web sites
• Normally installed by the user unwittingly
Worms

• Programs that use computer networks to spread.
  • Normally spread by exploiting security holes
  • Free-standing so don’t need to infect other programs
Other Malware

• AdWare
  • Programs that generally work as advertised but which cause advertisements or “popups” to appear on your screen.
  • May also tamper with content of web pages or re-direct links to sponsoring sites.
• SpyWare
  • Programs that report on what your computer is doing
  • Especially web sites but also record login data
  • May re-direct you to other web sites.
  • Often coupled with Adware.
• Phishing
  • Forged e-mail designed to get you to disclose security credentials.
• Pharming
  • Forged web site. May be used as part of a phish.
Protection - Scanners

• Virus Scanners
  • Obviously protect against viruses
  • Usually Trojans and Worms
  • But not other nasties..
• How do they work:-
  • Look for unique patterns in the virus
  • Alert when the pattern is detected
• In either:-
  • scheduled scan
    • all files are checked on a schedule
  • “on access” scan
    • Files are checked as they are used
Limitations - I

• Patterns need to be updated frequently
  • Not a problem with broadband.
  • Unless you are the first to spot the virus.
• Pattern may be disguised by
  • compression
    • ZIP files
  • Encryption :-
    • Passwords on word files.
  • The virus itself
    • Polymorphic viruses :- encrypt or encode themselves.
• False positives
  • Pattern exists in another file, by chance, that does not have the virus.
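To make the compression limitation concrete, here is an added example (not from the talk) of the pattern scan the slides describe: a raw byte-pattern check, then the same check applied to each decompressed ZIP member. The signature, the sample files and the ZIP contents are all constructed for the demonstration; nothing here is a real virus signature.

```python
import io
import zipfile

# Constructed stand-in for a scanner's "tell-tale sequence of code"; not a real signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_NESTING = 3  # stop recursing into archives-in-archives at this depth


def has_signature(data: bytes) -> bool:
    """The basic check a traditional scanner makes: is the pattern in the raw bytes?"""
    return SIGNATURE in data


def scan_image(data: bytes, depth: int = 0) -> str:
    """Scan one file image and return 'infected', 'clean' or 'unscannable'.

    DEFLATE rewrites the byte stream, so a signature inside a ZIP is invisible
    to the raw check; each member is therefore decompressed and scanned in turn
    (recursively for archives in archives). Password-protected members cannot
    be decompressed, so they are reported as unscannable, never as clean.
    """
    if has_signature(data):
        return "infected"
    if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"
    unscannable = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: member is encrypted
                unscannable = True
                continue
            verdict = scan_image(zf.read(info), depth + 1)
            if verdict == "infected":
                return "infected"
            if verdict == "unscannable":
                unscannable = True
    return "unscannable" if unscannable else "clean"


def make_zip(members: dict) -> bytes:
    """Build an in-memory DEFLATE ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample "files": the long zero runs guarantee the ZIP really compresses them.
INFECTED = b"MZ" + b"\x00" * 300 + SIGNATURE + b"\x00" * 300
CLEAN = b"MZ" + b"\x00" * 300 + b"ordinary program code" + b"\x00" * 300
ZIPPED = make_zip({"invoice.exe": INFECTED})
NESTED = make_zip({"inner.zip": ZIPPED})

if __name__ == "__main__":
    print("raw infected file :", scan_image(INFECTED))   # infected
    print("raw clean file    :", scan_image(CLEAN))      # clean
    print("zipped, raw check :", has_signature(ZIPPED))  # False: compression hides it
    print("zipped, full scan :", scan_image(ZIPPED))     # infected
    print("zip inside a zip  :", scan_image(NESTED))     # infected
```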
Example Virus Scanners

• Not an exclusive list:-
• Free
  • http://free.grisoft.com/doc/2/lng/us/tpl/v5
  • http://www.free-av.com/
• Paid For
  • http://uk.mcafee.com/
  • http://www.symantecstore.com/
  • http://www.sophos.com/
Detecting Spyware & AdWare

• Spyware and Adware scanners.
  • These tend to be less reliable as often these programs are installed by the user, and the agreement allows them to be installed.
  • Some makers of adware removal programs have been sued by adware providers.
• Also the programs use a variety of techniques to install
  • May be hard to un-install without damaging the system or stopping some other item working
  • Newnames.net => spyware => Removal can stop the network running
Real Time Protection

• Spyware/Adware/Trojan protection:-
  • Monitor key parts of the OS and warn of changes
    • Internet Explorer Home Pages
    • Browser plug-ins and Helpers
    • Registry start-up keys
    • System.ini file
    • Services Database
    • Hosts file
Spyware Tools

• Need to be careful here.
  • Many things advertised as spyware tools contain spyware!
  • Also as spyware is “ill defined” it may be harder to spot.
• In short:-
  • May need to run multiple tools
  • May need separate scanner and checker
Spyware Tools (continued)

• I run two tools that provide real time protection:-
  • Windows Defender (www.microsoft.com/spyware)
  • Winpatrol
    • www.winpatrol.com
• I also use other tools
  • AdAware SE – a scanner
    • http://www.lavasoftusa.com/products/ad-aware_se_personal.php
  • HiJackThis
    • http://www.majorgeeks.com/download3155.html
  • Spyware Blaster
    • http://www.javacoolsoftware.com/spywareblaster.html
What is a firewall?

• A firewall is a tool that monitors network connections
• Simple Firewall
  • Monitors which protocols are in use
  • So can allow http for web, but stop SMTP
• Advanced Firewall
  • Monitors ports/programs
    • Allow Outlook Express to send and receive e-mail
    • Prevents any worms or spyware doing the same.
Where should we run it..

• Can run on local PC
  • Means it can monitor programs
• Can run on a router or router modem
  • Provides “perimeter” defence
  • Keeps out unwanted protocols such as MS file sharing
  • Can’t tell if an unwanted program is connecting to a “normal port”
What are the problems?

• Many programs connect to the internet:-
  • Anti Virus for updates for new viruses
  • Windows, Office and other programs
    • Check for updates against worms etc.
  • Some programs check for data
    • Language translation programs
  • Some check for unwanted info
    • Update pop-up adverts
    • Accept back door instructions
• Many firewalls will prompt the user:- E.G. “Should I allow MSIMN.EXE to connect on POP3?”
Well Should we?

• YES!
• (MSIMN.EXE is Outlook Express!)
• There is currently only one free firewall
  • ZoneAlarm - http://www.zonelabs.com/
• Sygate may still be available
  • http://www.tucows.com/preview/213160
Spam Filters

• Try and detect spam
  • Much harder than any of the other nasties
• Only need to get information to the user who then acts.
  • No programs need to run
• This means the e-mail can be
  • Changed frequently
  • Not even have to contain any text.
A latest generation SPAM

(image slide: screenshot of the spam message)
Message Header

Microsoft Mail Internet Headers Version 2.0
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by scnmailsweeper.stockport.gov.uk (Clearswift SMTPRS 5.2.5) with ESMTP id <[email protected]> for <[email protected]>; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk (Content Technologies SMTPRS 4.3.17) with SMTP id <[email protected]> for <[email protected]>; Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110]) by pool-71-248-80-55.bltmmd.east.verizon.net (8.13.5/8.13.5) with SMTP id kBDGX1dU037473; Wed, 13 Dec 2006 11:33:01 -0500
Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
From: "Fontenot" <[email protected]>
To: <[email protected]>
Subject: gasoline
Date: Wed, 13 Dec 2006 11:22:19 -0500
www.dnsstuff.com

(image slide: screenshot of the DNS lookup)
Anatomy of an E-Mail

• Note from field:- “@lethlee.dk”
• www.dnsstuff.com
  • Did an NSLOOKUP ?
    Name: lethlee.dk
    Address: 195.47.247.81
• Where did it really start:-
  • Log shows “71.248.60.110”
  • pool-71-248-60-110.bltmmd.east.verizon.net
• These don’t match
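The check the last two slides do by hand (walk the Received: chain to the earliest public hop, then compare it with what the From: domain resolves to) as an added Python example, not part of the talk. The header is an abbreviated reconstruction of the one on the slide with the redacted mailboxes replaced by placeholders, and the two DNS tables stand in for the NSLOOKUP answers quoted above so that nothing is resolved live.

```python
import email
import email.utils
import ipaddress
import re

# Constructed, abbreviated copy of the slide's header; redacted names are placeholders.
RAW_MESSAGE = """\
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by
 SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC; Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by
 scnmailsweeper.stockport.gov.uk (Clearswift SMTPRS 5.2.5) with ESMTP; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
 (Content Technologies SMTPRS 4.3.17) with SMTP; Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110]) by pool-71-248-80-55.bltmmd.east.verizon.net
 (8.13.5/8.13.5) with SMTP id kBDGX1dU037473; Wed, 13 Dec 2006 11:33:01 -0500
Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
From: "Fontenot" <placeholder@lethlee.dk>
Date: Wed, 13 Dec 2006 11:22:19 -0500
"""

# Constructed stand-ins for the NSLOOKUP results on the slides (no live DNS here).
FORWARD_DNS = {"lethlee.dk": "195.47.247.81"}
REVERSE_DNS = {"71.248.60.110": "pool-71-248-60-110.bltmmd.east.verizon.net"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg) -> list:
    """One dict per Received: header, top (latest relay) to bottom (earliest)."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold continuation lines
        name = re.match(r"from\s+(\S+)", text)
        ip = IP_IN_BRACKETS.search(text)
        hops.append({"helo": name.group(1) if name else "", "ip": ip.group(1) if ip else None})
    return hops


def find_origin(hops: list):
    """Earliest hop carrying a public IP: the bottom Received: line was written first."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def analyse(raw: str) -> dict:
    """Compare where the mail really entered with what the From: line claims."""
    msg = email.message_from_string(raw)
    origin = find_origin(parse_hops(msg))
    domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    findings = []
    if origin:
        ptr = REVERSE_DNS.get(origin["ip"])
        if ptr and origin["helo"].lower() != ptr:
            findings.append(f"HELO name {origin['helo']!r} differs from reverse DNS {ptr!r}")
        claimed = FORWARD_DNS.get(domain)
        if claimed and claimed != origin["ip"]:
            findings.append(f"From: domain {domain} resolves to {claimed}, mail came from {origin['ip']}")
    return {"origin_ip": origin["ip"] if origin else None, "sender_domain": domain, "findings": findings}
```

Both mismatches the slides point out (HELO name versus reverse DNS, and From: domain versus the originating address) come back as findings; as the next slide says, a mismatch is common for legitimate roaming users too, so it is evidence, not proof.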
Why did we accept the record?

• It’s common for the addresses not to match
  • Allows users to roam and have multiple e-mail addresses.
• This does make it hard to stop spam.
What can we do about this

• Choose an ISP with reasonable SPAM filters
  • They have a big sample of SPAM so the maths work better.
  • SPAM is filtered at source so you don’t download
  • Do need to check from time to time as there will be false positives.
• May help to use a local spam filter
Setting up a local SPAM filter

• Many available, all less than perfect.
  • They don’t catch all spam
    • “False Positive” => Need to check spam folders
  • They miss some spam
    • Spammers get clever
      • Use random from addresses
      • Myss-sp€ll words.
      • Put words in pictures
      • Add random text from web.
• Result is as above.
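An added Python example (not from the talk) showing why "the maths work better" with a big sample and why the spammer tricks listed above work: a word-count (naive Bayes) scorer trained on a constructed, deliberately tiny corpus. Misspelt words are simply unknown to it, so the score falls back towards the prior; a look-alike normaliser (the substitution table is an assumption) recovers the words, and padding with ham-looking text pulls the score down. The corpus, messages and substitutions are all constructed.

```python
import math
import re
from collections import Counter

# Constructed, deliberately tiny training corpus (real filters learn from many thousands).
SPAM = ["cheap gasoline stocks buy now", "buy cheap pills now", "hot stocks alert buy"]
HAM = ["meeting moved to tuesday", "please review the attached report", "lunch on tuesday"]

# Assumed look-alike substitutions a normaliser might undo before tokenising.
LOOKALIKES = str.maketrans({"€": "e", "µ": "u", "0": "o", "@": "a", "$": "s"})


def tokens(text: str, normalise: bool = False) -> list:
    """Lower-case alphabetic words; optionally undo look-alike characters first."""
    if normalise:
        text = text.translate(LOOKALIKES)
    return re.findall(r"[a-z]+", text.lower())


class WordFilter:
    """Naive Bayes spam scorer over word counts with add-one smoothing."""

    def __init__(self, spam: list, ham: list):
        self.spam = Counter(t for m in spam for t in tokens(m))
        self.ham = Counter(t for m in ham for t in tokens(m))
        self.vocab = len(set(self.spam) | set(self.ham))
        self.prior = math.log(len(spam) / len(ham))

    def _log_odds(self, word: str) -> float:
        p_spam = (self.spam[word] + 1) / (sum(self.spam.values()) + self.vocab)
        p_ham = (self.ham[word] + 1) / (sum(self.ham.values()) + self.vocab)
        return math.log(p_spam / p_ham)

    def spam_probability(self, text: str, normalise: bool = False) -> float:
        """P(spam | words); a word never seen in training barely moves the score."""
        log_odds = self.prior + sum(self._log_odds(w) for w in tokens(text, normalise))
        return 1 / (1 + math.exp(-log_odds))


FILTER = WordFilter(SPAM, HAM)
PLAIN = "buy cheap gasoline now"
OBFUSCATED = "bµy ch€ap gas0line n0w"                        # the slide's "Myss-sp€ll words"
POISONED = PLAIN + " meeting tuesday report attached review"  # "random text from web"

if __name__ == "__main__":
    print("plain      :", round(FILTER.spam_probability(PLAIN), 3))
    print("obfuscated :", round(FILTER.spam_probability(OBFUSCATED), 3))
    print("normalised :", round(FILTER.spam_probability(OBFUSCATED, normalise=True), 3))
    print("poisoned   :", round(FILTER.spam_probability(POISONED), 3))
```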
Some personal spam filters.

• SpamAssassin:- http://spamassassin.apache.org/
  • Not easy to use in Windows
• SpamPal http://www.spampal.org/
  • Uses black lists of sites
    • Not all spam sites are on the black list
    • Some useful sites (Yahoo) end up on the spam list.
• Usual suspects also have tools:-
  • Norton, Free-Av (Not Free), GriSoft etc.
Phish

(image slide: screenshot of the phishing e-mail)
Phish II

• Look at the url:-
  • The site it points to will be displayed in the bar below (this one was “sanitized”)
    • http://today.slac.stanford.edu/
• This can be prevented at two places
  • Most Spam Filters can block the Phish from arriving
  • Firewall can block access to the dangerous site.
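The "look at the url" check automated, as an added example that is not from the talk: it pulls every link out of an HTML mail body and flags the ones whose real target disagrees with the address the reader is shown, or whose target is a bare IP or hides the real host behind a user@ prefix. The sample body is constructed; the sanitized SLAC link from the slide is included as the non-phish case.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str):
    """Lower-cased hostname of a URL or bare domain; None if there is none."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def check_links(html: str) -> list:
    """Return one finding per link whose real target disagrees with what is shown."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue
        reasons = []
        if IP_HOST.match(target):
            reasons.append("target is a bare IP address")
        if "@" in urlsplit(href if "://" in href else "http://" + href).netloc:
            reasons.append("URL contains user@ before the real host")
        if URL_LIKE.match(text):  # the visible text itself looks like an address
            shown = host_of(text)
            if shown and shown != target and not target.endswith("." + shown):
                reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing-style body (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_MAIL = """
<p>Your account is locked. Verify at
<a href="http://203.0.113.7/verify">https://www.bank-placeholder.example/verify</a></p>
<p>Status page: <a href="https://today.slac.stanford.edu/">https://today.slac.stanford.edu/</a></p>
<p><a href="http://www.bank-placeholder.example@203.0.113.7/">Click here</a> to confirm.</p>
"""
```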
Summary

• Problem is no longer simple:-
  • May need to use multiple tools from multiple suppliers for best results.
  • Tools may not be effective
• Prevention is better than cure.
Do Not

• Install programs from unknown sources
• Click on humour links indiscriminately
• Open files from unknown sources
Do

• Keep software up to date
  • Security updates protect against worms
• Run a selection of security fixes
  • Virus Scanner (ONLY ONE)
  • Spyware Monitor
  • Firewall
Any Questions?Any Questions?