Most computer viruses use software vulnerabilities to get installed. This is a brief look at the risk software vulnerabilities pose.

1. How malware
works:
Software
Vulnerabilities
30th October 2013 – 11am (UK)
Bunmi Sowande
bunmi.Sowande@f-secure.com
+44 (0) 7818 515 687

2. Agenda
• Introduction – F-Secure
• Security in the news
• Malware – how you get infected
• Software vulnerabilities
• Anatomy of a cyber crime
• Software publishers fight back
• We will protect you – F-Secure’s 8 layers of protection
• F-Secure Software Updater

4. Praised by Analysts
The Forrester Wave™: Endpoint Security, Q1 2013
Forrester Research Inc. gave us the
highest score among all vendors for
our product roadmap and strategy.
We received top ranking scores on
our performance and satisfaction, in
addition to our advanced antimalware technologies.

5. Awarded Protection
Prestigious Best Protection awards by AV-Test
“We are proud to
congratulate the
entire F-Secure team
for receiving the AVtest Best Protection
Award 2012”
“Out of all corporate
endpoint protection
products reviewed, FSecure Client Security
offered by far the best
protection.”
Andreas Marx, CEO
of AV-TEST
Andreas
Marx, CEO of AVTEST

6. Awarded Protection
Top Ranked Protection year after year!
Top Rated Protection
since 2006!

7. Awarded Protection
Certified and awarded by numerous 3rd parties!

8. Comprehensive Protection
Providing 360 protection from all threats
Protection Service for Business
Business Suite
In-House IT
Policy Manager
Management as a Service
Internet Gatekeeper Messaging Security
Gateway
PSB Portal
Out-sourced IT
Server Security
Client Security
Email and Server
Security
Mobile Security
Linux Security
AV for
Workstations
PSB Server
Security
PSB Email and
Server Security
PSB Workstation
Security
Protection
Service for Email
PSB Mobile Security

9. SECURITY IN THE NEWS

10. SECURITY IN THE NEWS

11. SECURITY IN THE NEWS

12. SECURITY IN THE NEWS

13. Malware Attack Vectors
INFECTED
CONTAMINATED CONTAMINATED MALICIOUS LINK
ADVERTISEMENT
WEBSITE
ATTACHMENT TO MALWARE
An otherwise legitimate website
A legitimate website is
An authentic looking email
An email from a seemingly
is infected though hostile
compromised by an attacker deceives the end-user to open trusted or legitimate source
advertisements originating from and consequently contaminated
a seemingly genuine
deceives the end-user to follow
non-website related
by inserting malicious content attachment, which contains an a link to an external website
independent 3rd party adinto it, which then infects every integrated malware. Which
which contains malicious
agencies, which then
visitor going to the site.
through software vulnerability software that infects every
contaminates visitors by
or exploit gains access to the
visitor going to the site.
exploiting software
system.
vulnerabilities.

14. Malware Attack – What Next?
VULNERABILITY
BACKDOOR
ACCESS
But due to a vulnerability from
outdated software, an
integrated malware payload is
installed.
Malware contacts remote
server and deploys additional
malware, ensuring multiple
backdoor and remote access.
With access secured, the
attacker aims to escalate
privileges in order to gain further
access in the network.

15. Malware Attack – What Next?
DATA
ESCAPE
With access to most confidential parts
and files of the network, the criminal
identifies most valuable data and
starts sending it to external staging
servers.
Valuable data is then extracted
and send forward. Attacker
destroys evidence and hides
tracks, but might leave a
backdoor for further access.

17. Karmina
Senior Analyst
WHAT IS A SOFTWARE
VULNERABILITY?
Software bug or defect that allows your
device to be compromised.
Security (an intersection of 3 elements):
• a system susceptibility or flaw
• attacker access to the flaw
• and attacker capability to exploit the flaw

18. Vulnerabilities by Numbers
Top 10 Vendors
Vendor
No. of vulnerabilities
2012
Oracle
Apple
Mozilla
Microsoft
IBM
Google
Adobe
Cisco
HP
Apache
2011
424 ↑
270 ↑
262
195 ↑
169 ↓
110
154 ↑
150 ↓
143
137 ↓
134 ↓
189
74 ↓
55 ↑
144
246
244
299
135
44
Source: National Vulnerability Database (http://nvd.nist.gov/)

19. Vulnerabilities by Numbers
Most Targeted Applications
Operating Systems
Operating System
No. of vulnerabilities
2012
2011
Apple iOS
Microsoft Windows Server 2003
Microsoft XP
Microsoft Windows 2008
Microsoft Windows Vista
Microsoft Windows 7
Cisco IOS
Linux Kernel
Oracle Solaris
VMware ESXi
VMware ESX
Cisco IOS XE
Citrix Xen
Apple Mac OS X
Apple Mac OS X Server
86
45
42
48
41
42
36
45
47
12
11
9
33
21
17
↑
↓
↓
↓
↓
↓
↑
↓
↑
↑
↑
↓
↑
↓
↓
35
105
96
101
91
98
36
45
47
7
7
13
3
69
66
Application
Mozilla FireFox
Mozilla Thunderbird
Mozilla SeaMonkey
Google Chrome
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Apple iTunes
Apple Safari
Adobe Flash Player
Oracle Java
Adobe Air
Adobe Flash Player for Android
Ffmpeg
Microsoft Internet Explorer
Adobe Shockwave Player
Adobe Reader
No. of
vulnerabil
ities
2012
159
144
143
125
115
109
102
85
66
58
54
53
42
41
27
25
2011
↑
↑
↑
↓
↑
↑
↑
↑
↑
↑
↓
↓
↓
97
63
63
275
78
45
63
37
27
10
45
38
65
Source: National Vulnerability Database (http://nvd.nist.gov/)

20. Is Windows Update based Patch Management
Enough?

21. Vulnerability Types
RCE
EOP
DOS
Leak

22. Vulnerability Types -RCE
• RCE – Remote Code
Execution
• Runs code without
authorisation or
authentication
• “Drive by installations”
• Code is designed as data
• Documents, emails and
websites can be used

23. Vulnerability Types - EOP
• EOP – Elevation of Privilege
• Allows attacker to either gain higher privileges or impersonate
another user with higher privileges
• Usually targets the “admin” or “root” account
• Combined with RCE, allows an attacker to install malware on
one or more systems

24. Vulnerability Types – DOS
• DOS – Denial of Service
• Makes a device or system unavailable to intended users
• Uses or creates software bottlenecks
• Excessive CPU usage, memory leaks, disk I/O, slow or long
LDAP searches, database calls or large join operations.
• Motives for DOS
• Protestors, hacktivists
• Industrial espionage
• Distraction from criminal activity

25. Vulnerability Types – Leaks
Leaks (or information disclosure)
• Enables an attacker to
gain valuable
information
• Memory dumps, log
files, network traffic
• Mobile Phone Apps –
unencrypted data
• Invisible to the user

26. Gregory
Senior Software Engineer
ZERO – DAY: An attack that exploits a previously
unknown vulnerability
APT – Advanced Persistent Threat – Targeted
attack aimed at specific organisations
• Governments
• Financial institutions
• Medical organisations

27. Veli-Jussi
Director, Security Products
ANATOMY OF A
CRIME - RSA
Source: RSA
http://blogs.rsa.com/anatomy-of-an-attack/

28. Anatomy of a crime – RSA – March 2011
Source: RSA
http://blogs.rsa.com/anatomy-of-an-attack/
201
RE
1
C
1
2
3
PHISHING
EMPLOYEE
VULNERABILITY
Attacker sent two „spear
phishing‟ emails during
the course of two-day
period.
The email, titled 2011
Recruitment Plan, related well
with the ongoing recruitment
process in the company.
Emails were sent to two
small groups of employees
without particularly high
profile or target value.
It was crafted well enough to
trick one employee to retrieve
it from their Junk mail
folder, and open the attached
excel file.
The attached excel file
contained a zero-day exploit
that installed a backdoor
through an Adobe Flash
vulnerability.
(CVE-2011-0609)

29. Anatomy of a crime - RSA
4
REMOTE
ACCESS
Having the backdoor
secured, the attacker
installed a remote
administration tool called
„Poison Ivy‟, which allowed
the attacker to remotely
control the computer.
5
SENSITIVE DATA
$66.3 Million
With remote access
Direct bottom-line
established, the attacker
cost of investigating
leveraged the original
and monitoring of
credentials in gaining entry to
corporate customer
more „strategic‟ systems and
transactions
employees with access to
sensitive data.
Data was then extracted and
aggregated to an internal
staging server.
6
EVASION & EXIT
From there, data was send to
an external staging server at a
compromised machine – and
subsequently pulled by the
attacker.
Traces and data was removed
from the compromised host
to remove any traces.

30. Rasomware – Targeting SMB’s and home users

31. Rasomware – Targeting SMB’s and home users

32. Rasomware – Targeting SMB’s and home users

33. Blackhole Exploit Kit
• Off the shelf malware tool – currently most prevalent web threat
• Targets web users through out of date browsers to install malware
• Once infected, the attacker can see what other vulnerabilities can
be exploited

34. 87%
of corporate
computers
miss critical
software
updates.
13
13
25
49
Missing updates
0 1-4 5-9 >10

35. Software Publishers fight back
•
•
•
•
Microsoft – Patch Tuesday
SAP + Adobe – Patch Tuesday
Oracle – Quarterly patches
Apple

36. Software publishers fight back
• Bug Bounty Programs

37. Software publishers fight back
• T-Shirt Gate - Yahoo !

38. How can you protect yourself?
•
Patch regularly, patch quickly
•
Reduce your attack surface
•
Less (software) is more
•
Avoid vulnerable software – Java, in
particular
•
Get an anti virus program – keep it up to
date!
•
Have a strong security policy and enforce it
•
“Educate Rob” – user education. You are
only as strong as your weakest link.

39. How can you protect yourself?
•
Patch regularly, patch quickly
•
Reduce your attack surface
•
Less (software) is more
•
Avoid vulnerable software – Java, in
particular
•
Get an anti virus program – keep it up to
date!
•
Have a strong security policy and enforce it
•
“Educate Rob” – user education. You are
only as strong as your weakest link.

40. How can you protect yourself?
• 95% of all attack attempts can be attributed to just 5 vulnerabilities
• 1 vulnerability in Windows, 4 in Java
• 3 of the top 5 were less than 6 months old, the most prevalent is 2
years old and was top vulnerability in 2012

41. Comprehensive Protection
Providing you with 8 layers of protection
1. URL/WEB ACCESS FILTERING
2. HTTP PROTOCOL SCANNING
3. EXPLOIT DETECTION
4. CLOUD REPUTATION QUERIES
5. SANDBOXING AND BEHAVIOURAL ANALYSIS
6. REAL-TIME SCANNING
7. MEMORY SCANNING
8. RUNTIME HEURISTICS
Corporate
Client Security
Server Security
Email and Server Security
PSB Workstation Security
PSB Email and Server Security
Consumer
Internet Security 2014
Mobile
F-Secure Mobile Security

42. Software
Updater
is unique
Unique
automatic
deployment of
security
updates
Patch
management
not just for
Windows but
also for 3rd
party products
Best
detection, automatic
updates and integrated
management for an
affordable package
price

43. Software Updater
Combining operational efficiency and security
Out-of-date 3rd party software is a significant security
risk, yet expensive to update without Software Updater!
…
= Significant Cost Savings!
Can be deployed in less than one hour.

44. Software updater supported applications
.NET Framework
7-Zip
Access
Access Database Engine
Access Runtime
Acrobat Distiller
Acrobat Elements
Acrobat Reader
Adobe Acrobat
Adobe AIR
Adobe Flash
Adobe Flash Player Plugin
Adobe Reader
Adobe Reader MUI
Adobe Shockwave Player
Apache
Apache Tomcat
Apple Application Support
Apple iTunes
Apple QuickTime
AT&T Global Network Client
Audacity
BizTalk Server
BlackBerry Desktop Manager
BlackBerry Server for Exchange
Business Contact Manager for Outlook
CCleaner
CDBurnerXP
Citrix Group Policy Management
Citrix MetaFrame XP
Citrix Online Plugin
Citrix Password Manager Console
Citrix Presentation Server
Citrix Single Sign-On Console
Citrix XenApp
Commerce Server
Content Management Server
CoreFTP
DirectX
Excel
Microsoft Office Excel Viewer
Exchange
Exchange System Manager
FileZilla
Firefox
Flash Player Plugin
Foxit Reader
Microsoft FrontPage Server Extensions
Gimp
Google Chrome
Google Picasa
Google Talk
Groove
Host Integration Server
HP System Management Homepage
Hyper-V
InfoPath
Internet Explorer
Internet Information Server
Internet Information Services
ISA Server
Java Development Kit
LibreOffice
MDAC
Microsoft Antigen for SMTP Gateways
Microsoft AntiXSS
Microsoft CAPICOM
Microsoft Digital Image
Microsoft Expression Blend
Microsoft Expression Design
Microsoft Expression Encoder
Microsoft Expression Media
Microsoft Expression Studio
Microsoft Expression Web
Microsoft FAST Search Server 2010 for
Sharepoint
Microsoft Forefront Client Security
Microsoft Forefront Endpoint Protection
Microsoft Forefront Security for Exchange
Server
Microsoft Forefront Security for SharePoint
Microsoft Forefront Threat Management
Gateway
Windows Journal Viewer
Microsoft Lync
Microsoft Lync Server
Microsoft Office
Microsoft Office Communications Server
Microsoft Office Communicator
Microsoft Office Converter Pack
Microsoft Office File Validation Add-In
Microsoft Office Groove Server
Microsoft Office InfoPath
Microsoft Office Outlook
Microsoft Office Pinyin IME
Microsoft Office Project Server
Microsoft Office Search Server
Microsoft Office SharePoint Server
Microsoft Office Small Business Accounting
Microsoft Office Visual Web Developer
Microsoft Office Web Apps Application
Server Components
Microsoft Outlook Express
Microsoft Project Web Front End Server
Microsoft Report Viewer Redistributable
Microsoft Search Server
Services For Unix
Microsoft SharePoint
Microsoft Silverlight
Microsoft Step By Step Interactive Training
Microsoft System Center Configuration
Manager
Microsoft Systems Management Server
MICROSOFT UNIFIED ACCESS GATEWAY
Microsoft Virtual Machine (VM)
Microsoft Virtual PC
Microsoft Virtual Server
Microsoft Visual C++ Redistributable
Microsoft Visual Studio
Microsoft Visual Studio Tools for Applications
Microsoft Windows Defender
Microsoft Windows Live OneCare
Microsoft Word Server
Microsoft Works 6-9 Converter
MozyHome
MozyPro
MSComctl Analysis Services
MSN Messenger
MSXML
NetChk Protect
Notepad++
Office
Microsoft Office
OneNote
Opera
Oracle OpenOffice.Org
Outlook
Outlook Express
Outlook TimeZoneMove
Pidgin
PowerPoint
PowerPoint Viewer
Producer for PowerPoint
Microsoft Project
Proofing Tools
Publisher
RealPlayer
RealVNC
Safari
Salesforce Chatter Desktop
SeaMonkey
Sharepoint Designer
Microsoft SharePoint Team Services
Sharepoint Workspace
Shavlik NetChk Protect
SkyDrive Pro
Skype
Skype Business
Small Business Server
SNA Server
Snapshot Viewer for Microsoft Access
SQL Server
SQL Server Desktop Engine (MSDE)
Sun Java Runtime Environment
Thunderbird
TortoiseSVN
http://www.f-secure.com/en/web/business_global/swup
UltraVNC
Virtual CloneDrive
Visio
Visio Viewer
Visual Basic
Visual Basic for Applications SDK
Visual C++ Redistributable
Visual FoxPro
Visual Studio .NET
VLC Media Player
VMware Player
VMware Workstation
Winamp
Windows Server
Windows
Windows Embedded Standard
Windows Home Server
Windows Storage Server
Windows Hyper-V Server
Windows Internal Database
Windows Live Messenger
Windows Mail
Windows Media Encoder
Windows Media Player
Windows Media Services
Windows Messenger
MSN MESSENGER
Windows Movie Maker
Windows Search
Windows SharePoint Services
Windows Small Business Server
Windows Storage Server
Windows Web Server
WinRAR
WinZip
SQL Server Desktop Engine (Windows)
Word
Word Viewer
WSUS
Zimbra Desktop

45. F-Secure DeepGuard 5 – EXPLOIT DETECTION
…
DG 5.0 monitors the most commonly
exploited software
Protects
against
threats such
as “Red
October"
If the software starts to behave
suspiciously, DeepGuard stops the
exploit
Special logic for handling document
exploits

46. F-Secure DeepGuard
Sandboxing and Behavioural Analysis
Proactive behaviour-based protection against emerging
threats
Unknown
Program
Executes
Behavior
Analysis
Reputation
Check
Event
Analysis
DeepGuard is our behaviour analysis feature, providing
you with a last line of defence against unknown malware

47. DeepGuard 5 vs IE Zero-Day Exploit CVE-2013-3893

48. CLOUD REPUTATION QUERIES
Real Time Protection Network
“
Quite a few protection
features gain their
bleeding edge with
cloud-based operations
and this requires
connection to the
F-Secure cloud.

49. URL/WEB ACCESS FILTERING
F-Secure Browsing Protection
While browsing the internet, it is nice to
see where you could safely go…
And when your user takes a wrong
turn, we are there to stop them.

50. HTTP PROTOCOL SCANNING
Network Interceptor Framework (NIF)
No more browser plugins
All HTTP, IMAP4, POP3 and SMTP traffic scanned
Firewall - Network Traffic Control
POP
F-Secure Firewall controls all network traffic to
and from your workstation
Unknown
HTTP
Email

51. F-Secure Reseller/Partner Technical Training day coming soon
6th December 2013
Slough Copthorne Hotel
Places limited - contact me for details
07818 515 687
bunmi.Sowande@f-secure.com