VNSA220 Cyber Self Defense: Malware and Vulnerabilities
Daryl Johnson & Erik Golen, NSSA
© Daryl G Johnson 2006

What is Malware
• Umbrella title for several classes of malevolent software that can damage your PC
  – Trojans
  – Viruses
  – Worms
  – Spyware
  – Adware

Trojans
• Program that has one advertised use and another hidden ability used by an attacker
• User must download and install
• Does not replicate
• Ex.
  – BackOrifice
  – NetBus
  – PrettyPark

Viruses
• Program that attaches to another program or file
• Needs user to start an infected program
• Can spread to other programs
• Can spread to another computer
• Can do “something”
• Often consumes resources
• Ex.
  – Brain virus (1986)
  – Melissa virus (1999)
  – CIH (Chernobyl) (1999) – overwrites the flash BIOS

Worms
• Subclass of virus
• Does not need user interaction
• Spreads from computer to computer
• Can replicate and spread to many computers
• Ex.
  – Morris worm (1988)
  – CodeRed (2001)

Hoaxes
• Common occurrence
• Verify by
  – http://hoaxbusters.ciac.org/ (DOE)
  – http://www.symantec.com/enterprise/security_resp
  – http://www.sophos.com/security/hoaxes/
  – http://www.snopes.com/

Spyware
• A program that collects information about a user, their computer and their habits and communicates that to another party without the user's informed consent or knowledge
• Growing threat – potentially larger than SPAM
• Software that spies on you and your computer and tells someone else
• Ex.
  – Gator (Claria)

Adware
• Similar to Spyware but with the goal of getting targeted advertisements in your face
• Banners, popups, cover-over windows and redirected URLs
• May come by virus, worm, trojan or shareware

Common examples of Spy/Adware
• Bundled Spy/Adware
  – Eudora – Email client
  – Opera – Web browser
  – DivX – Video codec
  – Kazaa – Filesharing program
  – iMesh – Filesharing program

Top 10 Spy/Adware – Aug '04
1. Gain
2. Claria (formerly Gator)
3. Game Spy Arcade
4. Hotbar
5. Ezula
6. BonziBuddy
7. WeatherCast
8. LinkGrabber 99
9. TopPicks
10. Cydoor

Top 10 Spyware in 2006
1. Adware/Gator
2. Adware/WUpd
3. Adware/nCase
4. Adware/CWS
5. Adware/emediacodec
6. Adware/Lop
7. Application/Winantivirus2006
8. Adware/CWS.Searchmeup
9. Application/Winfixer2005
10. Spyware/New.net
• By Panda Labs (http://www.pandasoftware.com/)
• All of these processes are malware!

Top Vulnerabilities 2007
• Client-side Vulnerabilities
• Server-side Vulnerabilities
• Security Policy and Personnel
• Application Abuse
• Network Devices
• Zero Day Attacks
• http://www.sans.org/top20/

Attack Scenario 1
• The Chief Information Security Officer of a medium-sized, but sensitive, federal agency learned that his computer was sending data to computers in China.
• He had been the victim of a new type of spear phishing attack highlighted in this year's Top 20.
• Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agency's systems.

Attack Scenario 2
• Hundreds of senior federal officials and business executives visited a political think-tank Web site that had been infected and caused their computers to become zombies.
• Keystroke loggers, placed on their computers by the criminals (or nation-state), captured their user names and passwords when they signed on to their personal bank accounts, their stock trading accounts and their employers' computers, and sent the data to computers in different countries.
• Bank balances were depleted; stock accounts lost money; servers inside their organizations were compromised and sensitive data was copied and sent to outsiders.
• Back doors were placed on some of those computers and are still there.

Attack Scenario 3
• A hospital's Web site was compromised because a Web developer made a programming error.
• Sensitive patient records were taken.
• When the criminals proved they had the data, the hospital had to choose between paying extortion or allowing their patients' health records to be spread all over the Internet.

Attack Scenario 4
• A teenager visits a Web site that exploits the old version of her media player that she never updated.
• She didn't do anything but visit the site; the video started up automatically when the page opened.
• The attacker put a keystroke logger on her computer.
• Her father used the same computer to access the family bank account.
• The attackers got his user name and password and emptied his bank account (the bank reimbursed him).
• US law enforcement officials followed the money and found that it ended up in an account being used by a terrorist group that recruits suicide bombers.

New Risks are the Big Issue
• For most large and sensitive organizations, the newest risks are the ones causing the most trouble…
• The new risks are MUCH harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organizations have, so far, been willing to implement
  – Alan Paller, director of research at SANS

Result
• When systems are compromised through any of the new attack targets, spyware infections (including keystroke loggers) are among the most common result.

Impact
• Since January 2007: 183 percent increase in Web sites harboring spyware.
• Infection rates for Spyware and Trojans that steal keystrokes are currently at 31 percent and rapidly growing.
• Based on a small and medium size enterprise survey we conducted in September 2007, 77 percent said their success depends on the Internet, and 47.2 percent reported lost sales due to spyware.
  – Gerhard Eschelbeck, chief technology officer of Webroot

Top New Risks That Are Particularly Difficult To Defend
• Risk 1: Critical vulnerabilities in Web applications enabling the Web site to be poisoned, the data behind the Web site to be stolen, and other computers connected to the Web site to be compromised.

Top New Risks
• Risk 2: Gullible, busy, accommodating computer users, including executives, IT staff, and others with privileged access, who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage and much more.

Other Priorities That Have Grown In Importance
Priority 1
• Critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations.
  – Web Browsers
  – Office Software
  – Email Clients
  – Media Players

Vulnerabilities in Office products

Priority 2
• Critical vulnerabilities in the software and systems that provide the operating environment and primary services to computer users (server-side software)
  – Windows Services
  – Unix and Mac OS Services
  – Backup Software
  – Antivirus Software
  – Management Servers
  – Database Software
  – VOIP servers

Web Applications
• Web application insecurity is particularly troublesome because so many developers are writing and deploying Web applications without ever demonstrating that they can write secure applications.
• Most of their Web applications provide access to backend databases that hold sensitive information.

Priority 3
• Policy and Enforcement Problems that allow malware to do extra harm and that lead to loss of large amounts of data
• Excessive User Rights and Unauthorized Devices
• Unencrypted Laptops and Removable Media

Priority 4
• Application abuse of tools that are user favorites leading to client and server compromise, loss of sensitive information, and use of enterprise systems for illegal activity such as serving child pornography
  – Instant Messaging
  – Peer-to-Peer Programs

Priority 5
• Zero-day attacks
• A zero-day vulnerability occurs when a flaw in software code has been discovered and exploits of the flaw appear before a fix or patch is available. Once a working exploit of the vulnerability is released into the wild, users of the affected software will be compromised until a software patch is available or some form of mitigation is taken by the user. Several zero-day attacks were recorded in 2007, although that number has dropped from the previous year.

Best Practices 1
• Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software
• Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest version of the software (including keeping antivirus software up to date)
• Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies to get to the Internet
• Protect sensitive data through encryption, data classification mapped against access control, and through automated data leakage protection
• Use automated inoculation for awareness and provide penalties for those who do not follow acceptable use policy
• Remove the security flaws in Web applications by testing programmers' security knowledge and testing the software for flaws
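Added example, not from the VNSA220 slides and not SANS code: it illustrates the Risk 1 / Web Applications point (a Web application that hands request input straight to the backend database that holds the sensitive records) together with the last Best Practice (test the software for flaws). The slides do not name the "programming error"; SQL injection is assumed here as one representative instance. The patient table, its rows, the function names and the attacker inputs are all constructed for the example, and sqlite3 stands in for whatever backend a real site would use.

```python
# Added example (not from the VNSA220 slides). Constructed data; sqlite3 stands in
# for whatever backend database a real Web site would use.
import sqlite3

# Constructed sample records: no real patients, MRNs or diagnoses.
SAMPLE_PATIENTS = [
    ("Alice Example", "MRN-1001", "sample diagnosis A"),
    ("Bob Example", "MRN-1002", "sample diagnosis B"),
    ("Carol Example", "MRN-1003", "sample diagnosis C"),
]

# Constructed attacker inputs: each is what a Web form field would carry.
PROBES = [
    "' OR '1'='1",
    "x' OR 1=1 --",
    "' UNION SELECT name, mrn, diagnosis FROM patients --",
]


def make_db():
    """Build the in-memory 'backend database that holds sensitive information'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, mrn, diagnosis) VALUES (?, ?, ?)", SAMPLE_PATIENTS
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """The programming error: the request parameter is pasted into the SQL text,
    so whatever the user typed is parsed as SQL instead of being treated as a value."""
    sql = "SELECT name, mrn, diagnosis FROM patients WHERE mrn = '%s'" % mrn
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, mrn):
    """The fix: a parameterised query. The driver binds the input as a value,
    so nothing the user types can change the statement's structure."""
    sql = "SELECT name, mrn, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def injection_probe(lookup, conn):
    """Minimal 'test the software for flaws' step. Every probe names a record
    that does not exist, so a correct lookup returns no rows for all of them.
    Returns the probes that leaked rows or crashed the query; either means the
    input reached the SQL parser."""
    leaks = []
    for probe in PROBES:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            rows = None  # a SQL error on odd input is itself a finding
        if rows is None or rows:
            leaks.append(probe)
    return leaks


def demo():
    """Row counts for: an honest lookup, the first probe against the vulnerable
    code, and the same probe against the fixed code."""
    conn = make_db()
    honest = lookup_vulnerable(conn, "MRN-1002")
    leaked = lookup_vulnerable(conn, PROBES[0])
    blocked = lookup_fixed(conn, PROBES[0])
    return len(honest), len(leaked), len(blocked)


if __name__ == "__main__":
    print("honest, leaked, blocked:", demo())
    db = make_db()
    print("vulnerable code leaks on:", injection_probe(lookup_vulnerable, db))
    print("fixed code leaks on:", injection_probe(lookup_fixed, db))
```

`demo()` returns (1, 3, 0): the honest lookup finds one record, the same query built from the attacker's input returns every record in the table, and the parameterised version returns nothing. `injection_probe` is the smallest useful form of "testing the software for flaws": a lookup for a record that does not exist must come back empty for every probe, and any probe that returns rows or makes the database raise an error is reported, because both mean the input was interpreted as SQL.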
NY State Spyware Law
• New York S.07141. Status: Passed Senate, June 17, 2004. According to the bill's summary, the bill creates a crime of unlawful dissemination of spyware, ordinarily a class A misdemeanor and a class E felony for repeat offenders. Unlawful dissemination of spyware takes place when a person "having no right to do so" installs software ("including but not limited to a keylogg[er]") to gather and transmit personal information or data without a user's knowledge or explicit authorization.
• Criminal penalties
• Check RIT Policies as well

What can I do?
• Keep your OS and applications patched!
• Install a personal firewall
• Use a firewall appliance
• Use and keep patched antivirus
• Use and keep patched antispy/adware
• Common sense – caution & skepticism
  – Or use a Mac!

Get help!
• RIT provides McAfee for free for faculty, staff and students
• Both Windows and Mac versions available
  – http://www.rit.edu/its/services/security/
• For other users:
  – http://free.grisoft.com/doc/1
• For Spyware/Adware:
  – http://www.lavasoft.de/
  – Spybot Search & Destroy: http://www.safernetworking.org/en/index.html

Client-side Vulnerabilities
• C1. Web Browsers
• C2. Office Software
• C3. Email Clients
• C4. Media Players

Server-side Vulnerabilities
• S1. Web Applications
• S2. Windows Services
• S3. Unix and Mac OS Services
• S4. Backup Software
• S5. Antivirus Software
• S6. Management Servers
• S7. Database Software

Security Policy and Personnel
• H1. Excessive User Rights and Unauthorized Devices
• H2. Phishing/Spear Phishing
• H3. Unencrypted Laptops and Removable Media

Application Abuse
• A1. Instant Messaging
• A2. Peer-to-Peer Programs

Network Devices
• N1. VoIP Servers and Phones

Zero Day Attacks
• Z1. Zero Day Attacks
Fall '08