  1. Trojans, Worms, Virri – Dave Wade G4UGM
  2. Malware?
     - What is Malware?
       - Any hostile, intrusive, or annoying software or program code.
       - Includes the following:
         - Virus – infects other programs
         - Trojan – does not work as advertised
         - Worm – spreads by security flaws or bugs
         - Spyware – reports on your actions in an unwanted way
         - Adware – makes pop-ups or alters web pages
       - I would also include “phishing” and “pharming”…
  3. History
     - 1987 – Christmas Exec Trojan
       - Infiltrates the Bitnet and VNET IBM networks
     - 1988 – Student Robert Morris unleashes a worm on the Internet
       - that crashes 6,000 computers.
       - Morris becomes the first person convicted under the US Computer Fraud and Abuse Act.
  4. Viruses
     - Whilst the press often describe any piece of malware as a “virus”, a virus really has very specific attributes:
       - Spreads by changing existing programs
       - When run, it usually infects more programs
     - Despite popular myth:
       - Not the oldest type of malware
         - Trojans and Worms are older
       - Probably not the most common
         - Adware etc.
       - May cause damage later when “triggered”, or not at all.
         - Otherwise they would not spread
         - The “trigger” may be a date, time or event
     - Some viruses also have “worm” characteristics
       - spread via e-mail (e.g. Melissa).
  5. Viruses (cont.)
     - Note that as many files/documents can contain code, they can also be used by viruses.
     - Typical examples include:
       - Word documents
       - Spreadsheets
       - Mail messages
     - Traditional virus scanners detect viruses by scanning files and looking for tell-tale sequences of code
  6. Trojan
     - Is a program that does not work as advertised
       - Screen saver, “time sync”, peer-to-peer file share
     - The program may actually
       - Log keystrokes and passwords
       - Use the PC to send SPAM
       - Launch DoS attacks on web sites
     - Normally installed by the user unwittingly
  7. Worms
     - Programs that use computer networks to spread.
       - Normally spread by exploiting security holes
       - Free-standing, so don’t need to infect other programs
  8. Other Malware
     - AdWare
       - Programs that generally work as advertised but which cause advertisements or “pop-ups” to appear on your screen.
       - May also tamper with the content of web pages or re-direct links to sponsoring sites.
     - SpyWare
       - Programs that report on what your computer is doing
       - Especially web sites visited, but may also record login data
       - May re-direct you to other web sites.
       - Often coupled with Adware.
     - Phishing
       - Forged e-mail designed to get you to disclose security credentials.
     - Pharming
       - Forged web site. May be used as part of a phish.
  9. Protection – Scanners
     - Virus scanners
       - Obviously protect against viruses
       - Usually also Trojans and Worms
       - But not other nasties…
     - How do they work:
       - Look for unique patterns in the virus
       - Alert when the pattern is detected
     - In either:
       - scheduled scan
         - all files are checked on a schedule
       - “on access” scan
         - files are checked as they are used
  10. Limitations – I
     - Patterns need to be updated frequently
       - Not a problem with broadband.
       - Unless you are the first to spot the virus.
     - The pattern may be disguised by
       - compression
         - ZIP files
       - encryption:
         - passwords on Word files.
       - the virus itself
         - Polymorphic viruses encrypt or encode themselves.
     - False positives
       - The pattern exists, by chance, in another file that does not have the virus.
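The pattern-scanning and "disguised by compression" points above, as an added example that is not part of the deck: a plain byte-pattern scanner next to one that also opens ZIP archives, run over a constructed sample file. The signature bytes are a hypothetical stand-in, not a real detection signature.

```python
import io
import zipfile

# Constructed stand-in for a scanner signature (hypothetical byte pattern,
# not a real malware signature).
SIGNATURE = b"EVIL-MARKER-42"


def scan_bytes(data):
    """Traditional pattern scan: does the tell-tale sequence appear verbatim?"""
    return SIGNATURE in data


def scan_with_unpacking(data, depth=0, max_depth=3):
    """Pattern scan that also opens ZIP archives (to a bounded depth) so
    compression cannot hide the sequence. Encrypted members cannot be read
    without the password, so those are reported as unscannable (None)."""
    if scan_bytes(data):
        return True
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # encrypted member: can't look inside
                return None
            hit = scan_with_unpacking(zf.read(info), depth + 1, max_depth)
            if hit is not False:
                return hit
    return False


def make_zip(payload, name="sample.bin"):
    """Build an in-memory ZIP with one deflated member (helper for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample "infected" file: padding around the marker so deflate
# really compresses it instead of storing the bytes verbatim.
INFECTED = b"A" * 200 + SIGNATURE + b"B" * 200
ZIPPED = make_zip(INFECTED)
NESTED = make_zip(ZIPPED, "inner.zip")

# A benign file that happens to contain the same bytes is a false positive.
FALSE_POSITIVE = b"test fixture containing the string EVIL-MARKER-42 on purpose"
```

The plain scan misses the marker once the file is zipped, while the unpacking scan finds it even one archive deep; the benign fixture shows why a bare pattern match can fire on innocent files.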
  11. Example Virus Scanners
     - Not an exhaustive list:
     - Free
       - http://free.grisoft.com/doc/2/lng/us/tpl/v5
       - http://www.free-av.com/
     - Paid for
       - http://uk.mcafee.com/
       - http://www.symantecstore.com/
       - http://www.sophos.com/
  12. Detecting Spyware & AdWare
     - Spyware and Adware scanners.
       - These tend to be less reliable, as often these programs are installed by the user, and the licence agreement allows them to be installed.
       - Some makers of adware removal programs have been sued by adware providers.
       - Also the programs use a variety of techniques to install
         - May be hard to un-install without damaging the system or stopping some other item working
         - Newnames.net => spyware => removal can stop the network running
  13. Real Time Protection
     - Spyware/Adware/Trojan protection:
       - Monitor key parts of the OS and warn of changes
         - Internet Explorer home pages
         - Browser plug-ins and helpers
         - Registry start-up keys
         - System.ini file
         - Services database
         - Hosts file
  14. Spyware Tools
     - Need to be careful here.
       - Many things advertised as spyware tools contain spyware!
       - Also, as spyware is “ill defined”, it may be harder to spot.
     - In short:
       - May need to run multiple tools
       - May need a separate scanner and checker
  15. Spyware Tools (continued)
     - I run two tools that provide real time protection:
       - Windows Defender (www.microsoft.com/spyware)
       - WinPatrol
         - www.winpatrol.com
     - I also use other tools
       - Ad-Aware SE – a scanner
         - http://www.lavasoftusa.com/products/ad-aware_se_personal.php
       - HijackThis
         - http://www.majorgeeks.com/download3155.html
       - SpywareBlaster
         - http://www.javacoolsoftware.com/spywareblaster.html
  16. What is a firewall?
     - A firewall is a tool that monitors network connections
     - Simple firewall
       - Monitors which protocols are in use
       - So can allow HTTP for web, but stop SMTP
     - Advanced firewall
       - Monitors ports/programs
         - Allow Outlook Express to send and receive e-mail
         - Prevent any worms or spyware doing the same.
  17. Where should we run it?
     - Can run on the local PC
       - Means it can monitor programs
     - Can run on a router or router/modem
       - Provides “perimeter” defence
       - Keeps out unwanted protocols such as MS file sharing
       - Can’t tell if an unwanted program is connecting to a “normal” port
  18. What are the problems?
     - Many programs connect to the internet:
       - Anti-virus, for updates for new viruses
       - Windows, Office and other programs
         - Check for updates against worms etc.
       - Some programs check for data
         - Language translation programs
       - Some check for unwanted info
         - Update pop-up adverts
         - Accept back door instructions
     - Many firewalls will prompt the user:
       - E.g.
       - “Should I allow MSIMN.EXE to connect on POP3?”
  19. Well, should we?
     - YES!
     - (MSIMN.EXE is Outlook Express!)
     - There is currently only one free firewall
       - ZoneAlarm – http://www.zonelabs.com/
     - Sygate may still be available
       - http://www.tucows.com/preview/213160
  20. Spam Filters
     - Try to detect spam
     - Much harder than any of the other nasties
       - Only needs to get information to the user, who then acts.
       - No programs need to run
     - This means the e-mail can be
       - Changed frequently
       - Not even have to contain any text.
  21. A latest generation SPAM
  22. Message Header
       Microsoft Mail Internet Headers Version 2.0
       Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC(6.0.3790.1830);
        Wed, 13 Dec 2006 16:28:50 +0000
       Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by scnmailsweeper.stockport.gov.uk
        (Clearswift SMTPRS 5.2.5) with ESMTP id <T7c890fbcc0ac106a09930@scnmailsweeper.stockport.gov.uk> for <dave.wade@offertonparkparishcouncil.gov.uk>;
        Wed, 13 Dec 2006 16:30:54 +0000
       Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
        (Content Technologies SMTPRS 4.3.17) with SMTP id <T7c890dfadcac106a084c4@mailsweeper5.stockport.gov.uk> for <dave.wade@stockport.gov.uk>;
        Wed, 13 Dec 2006 16:28:59 +0000
       Received: from sck ([71.248.60.110])
        by pool-71-248-80-55.bltmmd.east.verizon.net (8.13.5/8.13.5) with SMTP id kBDGX1dU037473;
        Wed, 13 Dec 2006 11:33:01 -0500
       Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
       From: "Fontenot" <btmw@lethlee.dk>
       To: <dave.wade@stockport.gov.uk>
       Subject: gasoline
       Date: Wed, 13 Dec 2006 11:22:19 -0500
  23. www.dnsstuff.com
  24. Anatomy of an E-Mail
     - Note the From field:
       - “@lethlee.dk”
     - www.dnsstuff.com
       - Did an NSLOOKUP:
         - Name: lethlee.dk
         - Address: 195.47.247.81
     - Where did it really start?
       - Log shows “71.248.60.110”
       - pool-71-248-60-110.bltmmd.east.verizon.net
     - These don’t match
  25. Why did we accept the record?
     - It’s common for the addresses not to match
     - Allows users to roam and have multiple e-mail addresses.
     - This does make it hard to stop spam.
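The header analysis in slides 22 to 25, as an added example that is not part of the deck: walk the Received chain from the bottom (the earliest relay we can see), pull out the originating IP, and compare it with what the From: domain resolves to. The sample is trimmed from the deck's own header; the DNS lookup is replaced by an offline table holding the answer the slides report, which is an assumption for the demo.

```python
import re

# Constructed sample, trimmed from the Received chain shown in the deck:
# each relay prepends its own line, so the bottom one is the earliest hop.
SAMPLE_HEADERS = """\
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9])
 by SCNEXCHANGE.stockport.gov.uk; Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5)
 by scnmailsweeper.stockport.gov.uk; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
Received: from sck ([71.248.60.110])
 by pool-71-248-80-55.bltmmd.east.verizon.net; Wed, 13 Dec 2006 11:33:01 -0500
From: "Fontenot" <btmw@lethlee.dk>
"""

# Hypothetical offline stand-in for the NSLOOKUP step (answer from the deck).
DNS_TABLE = {"lethlee.dk": {"195.47.247.81"}}

def unfold(headers):
    """Join folded continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\n[ \t]+", " ", headers).splitlines()

def received_hops(headers):
    """Return [(claimed_host, ip_or_None), ...] with the earliest hop first."""
    hops = []
    for line in reversed(unfold(headers)):
        if line.startswith("Received:"):
            host = re.search(r"\bfrom\s+(\S+)", line)
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops

def sender_domain(headers):
    """Domain part of the From: header, lower-cased, or None."""
    for line in unfold(headers):
        if line.startswith("From:"):
            m = re.search(r"@([\w.-]+)", line)
            return m.group(1).lower() if m else None
    return None

def origin_matches_sender(headers, dns=DNS_TABLE):
    """True if the earliest hop's IP is an address of the From: domain.
    A mismatch is only a weak signal: roaming users produce it too (slide 25)."""
    hops = received_hops(headers)
    domain = sender_domain(headers)
    if not hops or hops[0][1] is None or domain is None:
        return None
    return hops[0][1] in dns.get(domain, set())
```

Only the Received line added by your own mail server is trustworthy; anything below it was written by earlier relays and can be forged, which is another reason to treat the result as one signal among several.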
  26. What can we do about this?
     - Choose an ISP with reasonable SPAM filters
       - They have a big sample of SPAM, so the maths works better.
       - SPAM is filtered at source, so you don’t download it
       - Do need to check from time to time, as there will be false positives.
       - May help to use a local spam filter as well
  27. Setting up a local SPAM filter
     - Many available, all less than perfect.
       - They flag mail that is not spam
         - “False positive” => need to check spam folders
       - They miss some spam
         - Spammers get clever
           - Use random From addresses
           - Myss-sp€ll words.
           - Put words in pictures
           - Add random text from the web.
       - Result is as above.
  28. Some personal spam filters.
     - SpamAssassin: http://spamassassin.apache.org/
       - Not easy to use in Windows
     - SpamPal: http://www.spampal.org/
       - Uses black lists of sites
         - Not all spam sites are on the black list
         - Some useful sites (Yahoo) end up on the spam list.
     - Usual suspects also have tools:
       - Norton, Free-AV (not free), GriSoft etc.
  29. Phish
  30. Phish II
     - Look at the URL:
       - The site it points to will be displayed in the bar below (this one was “sanitized”)
         - http://today.slac.stanford.edu/
     - This can be prevented at two places
       - Most spam filters can block the phish from arriving
       - A firewall can block access to the dangerous site.
  31. Summary
     - The problem is no longer simple:
       - May need to use multiple tools from multiple suppliers for best results.
       - Tools may not be effective
       - Prevention is better than cure.
  32. Do Not
     - Install programs from unknown sources
     - Click on humour links indiscriminately
     - Open files from unknown sources
  33. Do
     - Keep software up to date
       - Security updates protect against worms
     - Run a selection of security fixes
       - Virus scanner (ONLY ONE)
       - Spyware monitor
       - Firewall
  34. Any Questions?