Trojans, Worms, Virri

Dave Wade G4UGM

12/15/2006 Dave Wade G4UGM

Malware?

What is Malware? Any hostile, intrusive, or annoying software or program code. Includes the following:
• Virus - Infects other programs
• Trojan - Does not work as advertised
• Worm - Spreads by security flaws or bugs
• Spyware - Reports on your actions in an unwanted way
• Adware - Makes pop-ups or alters web pages

I would also include "phishing" and "pharming"....

History

• 1987 – Christmas Exec Trojan infiltrates Bitnet and VNET IBM networks
• 1988 – Student Robert Morris unleashes a worm on the Internet that crashes 6,000 computers. Morris becomes the first person convicted under the US Computer Fraud and Abuse Act.

Viruses

Whilst the press often describe any piece of malware as a "virus", a virus really has very specific attributes:
• Spread by changing existing programs
• When run, they usually infect more programs

Despite popular myth:
• Not the oldest type of malware
  • Trojans and Worms are older
• Probably not the most common
  • Adware etc.
• May cause damage later when "triggered", or not at all.
  • Otherwise they would not spread
  • "Trigger" may be date, time or event

Some viruses also have "worm" characteristics: spread via e-mail (e.g. Melissa).

Viruses (cont.)

Note that as many files/documents can contain code, they can also be used by viruses. Typical examples include:
• Word Documents
• Spreadsheets
• Mail Messages

Traditional virus scanners detect viruses by scanning files and looking for tell-tale sequences of code.

Trojan

Is a program that does not work as advertised
• Screen Saver, "Time Sync", Peer-to-Peer file share

The program may actually:
• Log keystrokes and passwords
• Use the PC to send SPAM
• Launch DOS attacks on web sites

Normally installed by the user unwittingly

Worms

• Programs that use computer networks to spread.
• Normally spread by exploiting security holes
• Free-standing so don't need to infect other programs

Other Malware

AdWare
• Programs that generally work as advertised but which cause advertisements or "popups" to appear on your screen.
• May also tamper with content of web pages or re-direct links to sponsoring sites.

SpyWare
• Programs that report on what your computer is doing
• Especially web sites, but also record login data
• May re-direct you to other web sites.
• Often coupled with Adware.

Phishing
• Forged e-mail designed to get you to disclose security credentials.

Pharming
• Forged web site. May be used as part of a phish.

Protection - Scanners

Virus Scanners
• Obviously protect against viruses
• Usually Trojans and Worms
• But not other nasties..

How do they work:
• Look for unique patterns in the virus
• Alert when the pattern is detected

In either:
• scheduled scan
  • all files are checked on a schedule
• "on access" scan
  • Files are checked as they are used

Limitations - I

Patterns need to be updated frequently
• Not a problem with broadband.
• Unless you are the first to spot the virus.

Pattern may be disguised by
• Compression
  • ZIP files
• Encryption:
  • Passwords on Word files.
• The virus itself
  • Polymorphic viruses: encrypt or encode themselves.

False positives
• Pattern exists, by chance, in another file that does not have the virus.
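The compression case above, as an added example that is not part of the original slides: a pattern scanner that looks only at raw bytes misses a signature inside a ZIP, while one that opens the archive finds it and reports any password-protected member it cannot inspect. The signature bytes and the sample archive are constructed for the demonstration.

```python
import io
import zipfile

# Constructed "signature": a byte sequence standing in for the tell-tale code a
# scanner's pattern file would carry. It is not a real detection pattern.
SIGNATURES = {
    "Demo.Test.Pattern": b"DEMO-SIGNATURE-7f3a9c-DO-NOT-RUN",
}


def scan_bytes(data):
    """Plain pattern scan: return the names of signatures found in raw bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_archive_aware(data, depth=0, max_depth=3):
    """Scan raw bytes and, if they are a ZIP, each member too (recursing into
    nested archives). Returns (hits, uninspectable); uninspectable lists members
    that could not be examined, e.g. password-protected entries."""
    hits = list(scan_bytes(data))
    uninspectable = []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted entry
                    uninspectable.append(info.filename)
                    continue
                sub_hits, sub_uninsp = scan_archive_aware(zf.read(info), depth + 1, max_depth)
                hits.extend(f"{info.filename}: {h}" for h in sub_hits)
                uninspectable.extend(f"{info.filename}/{u}" for u in sub_uninsp)
    return hits, uninspectable


def build_sample_zip(payload):
    """Constructed test input: a deflated archive holding the payload plus enough
    repetitive padding that the compressor genuinely re-encodes the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"benign padding text " * 200)
        zf.writestr("sample.bin", b"benign header " * 50 + payload + b"benign trailer " * 50)
    return buf.getvalue()


def demo():
    """Run both scanners over the same archive and report what each found."""
    archive = build_sample_zip(SIGNATURES["Demo.Test.Pattern"])
    plain = scan_bytes(archive)  # the pattern is hidden by compression
    deep, uninspectable = scan_archive_aware(archive)
    return {"plain_scan": plain, "archive_scan": deep, "uninspectable": uninspectable}
```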

Example Virus Scanners

Not an exclusive list:

Free
• http://free.grisoft.com/doc/2/lng/us/tpl/v5
• http://www.free-av.com/

Paid For
• http://uk.mcafee.com/
• http://www.symantecstore.com/
• http://www.sophos.com/

Detecting Spyware & AdWare

Spyware and Adware scanners.
• These tend to be less reliable as often these programs are installed by the user, and the agreement allows them to be installed.
• Some makers of adware removal programs have been sued by adware providers.
• Also the programs use a variety of techniques to install
  • May be hard to un-install without damaging the system or stopping some other item working
  • Newnames.net => spyware => Removal can stop the network running

Real Time Protection

Spyware/Adware/Trojan protection:
• Monitor key parts of the OS and warn of changes
  • Internet Explorer Home Pages
  • Browser plug-ins and Helpers
  • Registry start-up keys
  • System.ini file
  • Services database
  • Hosts file

Spyware Tools

Need to be careful here.
• Many things advertised as spyware tools contain spyware!
• Also, as spyware is "ill defined", it may be harder to spot.

In short:
• May need to run multiple tools
• May need separate scanner and checker

Spyware Tools (continued)

I run two tools that provide real time protection:
• Windows Defender (www.microsoft.com/spyware)
• Winpatrol
  • www.winpatrol.com

I also use other tools
• AdAware SE – a scanner
  • http://www.lavasoftusa.com/products/ad-aware_se_personal.php
• HiJackThis
  • http://www.majorgeeks.com/download3155.html
• Spyware Blaster
  • http://www.javacoolsoftware.com/spywareblaster.html

What is a firewall?

A firewall is a tool that monitors network connections

Simple Firewall
• Monitors which protocols are in use
• So can allow http for web, but stop SMTP

Advanced Firewall
• Monitors ports/programs
  • Allow Outlook Express to send and receive e-mail
  • Prevents any worms or spyware doing the same.

Where should we run it..

Can run on local PC
• Means it can monitor programs

Can run on a router or router modem
• Provides "perimeter" defence
• Keeps out unwanted protocols such as MS file sharing
• Can't tell if an unwanted program is connecting to a "normal port"

What are the problems?

Many programs connect to the internet:
• Anti Virus for updates for new viruses
• Windows, Office and other programs
  • Check for updates against worms etc.
• Some programs check for data
  • Language translation programs
• Some check for unwanted info
  • Update pop-up adverts
  • Accept back door instructions

Many firewalls will prompt the user, e.g. "Should I allow MSIMN.EXE to connect on POP3?"

Well Should we?

YES!

(MSIMN.EXE is Outlook Express!)

There is currently only one free firewall
• ZoneAlarm - http://www.zonelabs.com/

Sygate may still be available
• http://www.tucows.com/preview/213160

Spam Filters

Try and detect spam
• Much harder than any of the other nasties
• Only need to get information to the user, who then acts.
• No programs need to run
• This means the e-mail can be
  • Changed frequently
  • Not even have to contain any text.

A latest generation SPAM

Message Header

Microsoft Mail Internet Headers Version 2.0
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by
    SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC(6.0.3790.1830);
    Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by scnmailsweeper.stockport.gov.uk
    (Clearswift SMTPRS 5.2.5) with ESMTP id <[email protected]> for <[email protected]>;
    Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
    (Content Technologies SMTPRS 4.3.17) with SMTP id <[email protected]> for <[email protected]>;
    Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110])
    by pool-71-248-80-55.bltmmd.east.verizon.net (8.13.5/8.13.5) with SMTP id kBDGX1dU037473;
    Wed, 13 Dec 2006 11:33:01 -0500
Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
From: "Fontenot" <[email protected]>
To: <[email protected]>
Subject: gasoline
Date: Wed, 13 Dec 2006 11:22:19 -0500

www.dnsstuff.com

Anatomy of an E-Mail

Note the From field: "@lethlee.dk"

www.dnsstuff.com: did an NSLOOKUP?
    Name: lethlee.dk
    Address: 195.47.247.81

Where did it really start:
• Log shows "71.248.60.110"
• pool-71-248-60-110.bltmmd.east.verizon.net

These don't match

Why did we accept the record.

• It's common for the addresses not to match
• Allows users to roam and have multiple e-mail addresses.
• This does make it hard to stop spam.
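The trace described under "Anatomy of an E-Mail" and the caveat just above, as an added example that is not part of the original talk: it walks the Received chain from the oldest hop, skips internal RFC 1918 relays, and compares the first public address with where the From domain resolves. The headers are a condensed, constructed version of the sample shown earlier with placeholder mailbox addresses, and the DNS lookup is a table standing in for the NSLOOKUP done through dnsstuff.com.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample, condensed from the header shown on the slides; the
# mailbox local parts and the recipient are placeholders (the original was redacted).
SAMPLE_HEADERS = """\
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by
    SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC; Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by
    scnmailsweeper.stockport.gov.uk with ESMTP; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
    with SMTP; Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110]) by pool-71-248-80-55.bltmmd.east.verizon.net
    (8.13.5/8.13.5) with SMTP id kBDGX1dU037473; Wed, 13 Dec 2006 11:33:01 -0500
From: "Fontenot" <someone@lethlee.dk>
To: <recipient@example.org>
Subject: gasoline
"""

# Offline stand-in for the NSLOOKUP the slides did through dnsstuff.com;
# the address is the one the slide reports for lethlee.dk.
FAKE_DNS = {"lethlee.dk": "195.47.247.81"}

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw_headers):
    """Received hops oldest-first as (claimed_host, ip_or_None, unverified)."""
    msg = email.message_from_string(raw_headers)  # unfolds continuation lines
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # last header = first hop
        m = HOP_RE.search(value)
        if m:
            claimed, paren = m.group(1), m.group(2) or ""
            ip = IP_RE.search(paren)
            hops.append((claimed, ip.group(1) if ip else None, "unverified" in paren.lower()))
    return hops


def analyse(raw_headers, resolver=FAKE_DNS):
    """Locate the first public IP in the chain and compare it with the From domain."""
    msg = email.message_from_string(raw_headers)
    hops = parse_hops(raw_headers)
    origin_ip = None
    for _, ip, _ in hops:
        # Internal relays (RFC 1918 addresses such as 172.16.106.9) are skipped;
        # the earliest routable address is the best estimate of the true origin.
        if ip and not ipaddress.ip_address(ip).is_private:
            origin_ip = ip
            break
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    from_ip = resolver.get(from_domain)
    return {
        "hops": len(hops),
        "unverified_hops": sum(1 for _, _, u in hops if u),
        "origin_ip": origin_ip,
        "from_domain": from_domain,
        "from_domain_ip": from_ip,
        # A mismatch is a spam signal, not proof: roaming users legitimately
        # send from addresses that do not match their domain.
        "origin_matches_from_domain": origin_ip is not None and origin_ip == from_ip,
    }
```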

What can we do about this

Choose an ISP with reasonable SPAM filters
• They have a big sample of SPAM so the maths work better.
• SPAM is filtered at source so you don't download it
• Do need to check from time to time as there will be false positives.

May help to use a local spam filter

Setting up a local SPAM filter

Many available, all less than perfect.
• They don't catch all spam
  • "False Positive" => Need to check spam folders
• They miss some spam
  • Spammers get clever
    • Use random from addresses
    • Myss-sp€ll words.
    • Put words in pictures
    • Add random text from web.

Result is as above.

Some personal spam filters.

SpamAssassin: http://spamassassin.apache.org/
• Not easy to use in Windows

SpamPal: http://www.spampal.org/
• Uses black lists of sites
  • Not all spam sites are on the black list
  • Some useful sites (Yahoo) end up on the spam list.

Usual suspects also have tools:
• Norton, Free-Av (Not Free), GriSoft etc.

Phish

Phish II

Look at the url:
• The site it points to will be displayed in the bar below (this one was "sanitized")
  • http://today.slac.stanford.edu/

This can be prevented at two places
• Most Spam Filters can block the Phish from arriving
• Firewall can block access to the dangerous site.
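Added example, not part of the original slides: the URL check the slide describes, automated over a constructed HTML message in which one link's visible text names a host different from the host its href actually points to. All hostnames are placeholders except the sanitized slac.stanford.edu link the slide itself shows.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML in the style of the phish on the slide: the visible text of
# the first link names one site while its href leads somewhere else.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://login.example-bank.com.verify-now.invalid/">
visit http://www.example-bank.com/secure</a> to confirm your account.</p>
<p>Our site: <a href="http://www.example-bank.com/">www.example-bank.com</a></p>
<p><a href="http://today.slac.stanford.edu/">Read the newsletter</a></p>
"""

# A hostname (optionally with a scheme) that a reader would pick out of link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html):
    """Return (href, host shown in the text, host actually linked) for every anchor
    whose visible text names a hostname that differs from the href's hostname.
    Links whose text is plain words are not judged, since there is nothing to compare."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = HOST_IN_TEXT.search(text)
        actual = urlparse(href).hostname
        if shown and actual and shown.group(1).lower() != actual.lower():
            flagged.append((href, shown.group(1).lower(), actual.lower()))
    return flagged
```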

Summary

Problem is no longer simple:
• May need to use multiple tools from multiple suppliers for best results.
• Tools may not be effective
• Prevention is better than cure.

Do Not

• Install programs from unknown sources
• Click on humour links indiscriminately
• Open files from un-known sources

Do

Keep software up to date
• Security updates protect against worms

Run a selection of security fixes
• Virus Scanner (ONLY ONE)
• Spyware Monitor
• Firewall

Any Questions?