Introduction trend micro malicious email



  1. Recent Malicious Email Attack / Trend Micro Updates
     SIRT IT Security Roundtable
  2. Agenda
     - Recent malicious email attachments
       - What happened?
       - Why was it so effective?
       - How can we defend against these attacks?
     - Trend Micro OfficeScan 10
     - Trend Micro Security for Macs
     - Q&A
  3. What happened?
     - Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
     - Many more reports soon followed from around the world implicating many K-State IP addresses
     - Many K-Staters started reporting receipt of the malicious emails too
     - 4:22pm – started blocking infected computers; continued detecting/blocking infected computers for three more days
     - 113 infected computers blocked; others detected by sysadmins and rebuilt without getting blocked
     - 5:45pm – posted info/warning to IT security threats blog
  4. What happened?
     - Four different emails with the following subjects:
       - Shipping update for your order 254-78546325-658742
       - You have received A Hallmark E-Card!
       - Jessica would like to be your friend on hi5!
       - Your friend invited you to twitter!
     - Three (somewhat) different attachments:
       - Shipping
       - Invitation
     - At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
       - “attachment.pdf .exe”
       - “attachment.htm .exe”
       - “attachment.chm .exe”
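The padded-name trick on slide 4 is easy to catch mechanically once you look at the member names inside the zip rather than at the archive listing a user sees. The following is an added example, not code from the presentation or from Trend Micro: it opens a zip attachment, reports any member whose final extension is executable, and separately reports the "document extension, run of whitespace, real extension" pattern. The sample archive, the list of executable extensions and the regular expression are all assumptions constructed for the example; the archive holds harmless stand-in bytes.

```python
"""Attachment-name check for the padded ".exe" trick described in slide 4.

Added example (not from the presentation): inspects every member name inside
a zip attachment and reports names that hide an executable extension behind a
document-looking one, e.g. "attachment.pdf<many spaces>.exe". The sample
archive below is constructed here; its contents are harmless stand-in bytes.
"""
import io
import os
import re
import zipfile

# Assumed policy list; extend to match the gateway's own blocked-type list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# "<name>.<shown ext><optional whitespace>.<real ext>" at the end of the name.
# The whitespace group is what the worm padded with dozens of spaces so the
# real extension scrolled out of view in the archive listing.
DISGUISED_NAME = re.compile(
    r"\.(?P<shown>[A-Za-z0-9]{2,5})(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{2,4})$"
)


def classify_member_name(member_name):
    """Return the reasons a member name looks deceptive (empty list = nothing found)."""
    base = member_name.rsplit("/", 1)[-1]          # zip paths use forward slashes
    reasons = []
    ext = os.path.splitext(base)[1].lower()        # splitext keys on the LAST dot
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % ext)
    match = DISGUISED_NAME.search(base)
    if match:
        shown = match.group("shown").lower()
        real = match.group("real").lower()
        pad = match.group("pad")
        if pad:
            reasons.append("%d whitespace chars hide .%s behind .%s" % (len(pad), real, shown))
        else:
            reasons.append("double extension .%s.%s" % (shown, real))
    return reasons


def inspect_zip_attachment(data):
    """Map each suspicious member name in the archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed zip shaped like the attachments from the slides (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("attachment.pdf" + " " * 40 + ".exe", b"MZ stand-in, not malware")
        archive.writestr("attachment.htm" + " " * 40 + ".exe", b"MZ stand-in, not malware")
        archive.writestr("invoice.pdf", b"%PDF-1.4 stand-in")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_zip_attachment(build_sample_attachment()).items():
        print(repr(name), "->", "; ".join(why))
```

The executable-extension check alone is what a gateway should block on; the whitespace and double-extension findings are there for alerting, because they mark the social-engineering pattern even when a new variant uses an extension not yet on the block list. Legitimate names such as archive.tar.gz trip the double-extension rule, so an allow list of known compound extensions belongs in front of it in production.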
  5. What happened?
     - New variant of malware, so Trend Micro OfficeScan did not detect it
     - 10:45pm – I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t.
     - 11:52pm – warning email sent to profacstaff and classified mailing lists
     - July 14, 8:00am – reports 29 of 41 AV products identify the malware (not Trend Micro)
  6. What happened?
     - July 14, 9:00am – finally got samples uploaded to Trend Micro
     - 11:40am – Trend reports malware identified as WORM_AGENTO.BY; “bandage” pattern file available
     - 2:00pm – bandage pattern file pushed out to OfficeScan clients
     - Production pattern file released later that evening which detects the malware
     - 397 instances detected/deleted by TMOS since July 13
     - IT Tuesday article posted about it
     - July 29 and August 7 – similar attacks with new variants of the malware; submitted samples to Trend faster, with about a 2-hour turnaround for a pattern file that detects the malware
  7. Malware Characteristics
     - Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
     - Modified registry to run every time the computer boots
     - Copied itself to mounted file systems, including USB flash drives
     - Copied itself to common P2P file sharing folders, masquerading as enticing software downloads
  8. Malware Characteristics
     - Sample P2P folders used:
       - %ProgramFiles%\ICQ\Shared Folder
       - %ProgramFiles%\Grokster\My Grokster
       - %ProgramFiles%\EMule\Incoming
       - %ProgramFiles%\Morpheus\My Shared Folder
       - %ProgramFiles%\LimeWire\Shared
     - Sample enticing software downloads:
       - Ad-aware 2009.exe
       - Adobe Photoshop CS4 crack.exe
       - Avast 4.8 Professional.exe
       - Kaspersky Internet Security 2009 keygen.exe
       - LimeWire Pro v4.18.3.exe
       - Microsoft Office 2007 Home and Student keygen.exe
       - Norton Anti-Virus 2009 Enterprise Crack.exe
       - Total Commander7 license+keygen.exe
       - Windows 2008 Enterprise Server VMWare Virtual Machine.exe
       - Perfect keylogger family edition with crack.exe
       - … and about 25 more
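Slides 7 and 8 describe a worm that copies one body into several P2P share folders under different decoy names. That behaviour gives a sysadmin a host-side check that does not depend on a pattern file: hash every executable in those share folders and look for one hash appearing under many names. The following is an added example, not code from the presentation or from Trend Micro. The share-folder list is the one on slide 8; the lure-word list, the executable-extension list and the constructed directory tree (harmless stand-in bytes in a temp folder) are assumptions for the example. On a real Windows host the root argument would be the value of the ProgramFiles environment variable.

```python
"""Host sweep for the P2P-share copies described in slides 7 and 8.

Added example (not from the presentation): walks the P2P share folders the
slides list, hashes every executable found there, flags lure-style names
(crack/keygen/serial/license) and groups files by content hash. A mass-mailing
worm that copies itself into several share folders under different decoy
names shows up as one hash appearing many times. The directory tree is
constructed in a temp folder with harmless stand-in bytes; on a real Windows
host you would pass os.environ["ProgramFiles"] as the root.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Share folders named on slide 8, relative to %ProgramFiles%.
P2P_SHARE_FOLDERS = [
    r"ICQ\Shared Folder",
    r"Grokster\My Grokster",
    r"EMule\Incoming",
    r"Morpheus\My Shared Folder",
    r"LimeWire\Shared",
]
# Assumed lists for the example; tune to local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
LURE_WORDS = re.compile(r"\b(crack|keygen|serial|patch|license|licence)\b", re.IGNORECASE)


def _folder_path(program_files, share_folder):
    # Split on the Windows separator so the sweep also runs on a POSIX test host.
    return os.path.join(program_files, *share_folder.split("\\"))


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_p2p_shares(program_files):
    """Return one record per executable found in a known P2P share folder."""
    records = []
    for share_folder in P2P_SHARE_FOLDERS:
        folder = _folder_path(program_files, share_folder)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            records.append({
                "path": path,
                "share_folder": share_folder,
                "sha256": sha256_of(path),
                "lure_name": bool(LURE_WORDS.search(name)),
            })
    return records


def replicated_executables(records):
    """Group sweep records by hash; return only hashes seen in more than one file."""
    by_hash = defaultdict(list)
    for record in records:
        by_hash[record["sha256"]].append(record["path"])
    return {digest: paths for digest, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree():
    """Constructed tree imitating the slide's drop locations and decoy names."""
    root = tempfile.mkdtemp(prefix="p2p-sweep-")
    worm_stand_in = b"MZ constructed stand-in, not real malware"
    drops = {
        r"LimeWire\Shared": ["Adobe Photoshop CS4 crack.exe", "Ad-aware 2009.exe"],
        r"EMule\Incoming": ["Kaspersky Internet Security 2009 keygen.exe"],
        r"ICQ\Shared Folder": ["Norton Anti-Virus 2009 Enterprise Crack.exe"],
    }
    for share_folder, names in drops.items():
        folder = _folder_path(root, share_folder)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(worm_stand_in)
    # Unrelated files that must not cluster with the drops.
    limewire = _folder_path(root, r"LimeWire\Shared")
    with open(os.path.join(limewire, "setup-tool.exe"), "wb") as handle:
        handle.write(b"MZ different, unrelated program")
    with open(os.path.join(limewire, "holiday.mp3"), "wb") as handle:
        handle.write(b"ID3 not an executable")
    return root


if __name__ == "__main__":
    records = sweep_p2p_shares(build_sample_tree())
    for digest, paths in replicated_executables(records).items():
        print(digest[:16], "seen %d times:" % len(paths))
        for path in paths:
            print("   ", path)
```

The hash clustering is the stronger signal: a decoy name like "Ad-aware 2009.exe" carries no lure word, but it still shares its hash with the crack and keygen copies, so it lands in the same cluster. Any hash that clusters this way is also the sample worth submitting to the vendor, which is the step slides 5 and 9 say was too slow the first time.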
  9. Why was it so effective?
     - Used familiar services
       - Hallmark eCard greeting
       - Twitter
     - Sensual enticement (“Jessica would like to be your friend on hi5!”)
     - Somewhat believable replicas of legitimate emails
     - Sent it to lots of people (bound to hit someone who just ordered something, or is having a birthday)
     - Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
     - New variant that spread quickly, so initial infections were missed by antivirus protection
     - I was too slow submitting samples to Trend (better the second and third time around)
     - Malware/attachment filtering in Zimbra did not stop it
     - It had been a long time since an attack came by email attachment, so people were caught off-guard
  10. What can we do?
     - Users need to learn to recognize scams
       - Hallmark, etc. do not send info in attachments
       - Don’t open an attachment unless you are expecting it and have verified with the sender
       - Think before you click
       - Be paranoid!
  11. Malicious Hallmark E-Card (image slide)
  12. Legitimate Hallmark E-Card (image slide)
  13. Malicious Amazon Shipping Notice (image slide)
  14. Legitimate Amazon Shipping Notice (image slide)
  15. Malicious Twitter Invitation (image slide)
  16. What can we do?
     - Better malware filtering in e-mail
       - Need to work more closely with Zimbra/Yahoo
     - Submit malware samples sooner (we’re doing that now)
     - Trend Micro OfficeScan 10…
  17. Trend Micro OfficeScan 10
     - Major upgrade from current version 8 (where did version 9 go?!)
     - Ripe with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)
     - But it appears to provide real value:
       - Faster deployment of pattern file updates
       - Smaller client footprint
       - Windows 7 support (not officially supported in OfficeScan 8)
       - More options for rescheduling missed scheduled scans
       - Better Active Directory integration
       - Better control of removable devices like USB drives
       - Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)
  18. Trend Micro OfficeScan 10
     - “In-the-cloud” scanning (“SmartScan”) vs. conventional scanning
       - Client uses pattern info stored on local or global servers rather than having to store everything on every client computer
       - Updates pattern files hourly instead of daily
       - Smaller pattern files on the client; less network bandwidth used to deploy pattern files
       - Some heuristic-based detection
       - Can still do conventional scanning for systems with limited Internet access
  19. Trend Micro OfficeScan 10
     - Better options for dealing with missed scheduled scans
       - Postpone a scheduled scan before it begins
       - Stop and resume a currently active scheduled scan
       - Resume a missed scheduled scan
       - Automatically skip a scheduled scan when the laptop battery is below a certain percentage
       - Automatically stop a scheduled scan when it runs longer than a set amount of time
  20. Trend Micro OfficeScan 10
     - Device Access Control
       - Sysadmins can control use of removable drives
       - Examples: removable thumb drives, FireWire hard drives, PC Cards, media players
  21. Trend Micro OfficeScan 10
     - The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
       - Prevents OSCE applications from being injected with malware and impacting business operations
       - Provides the ability to protect OfficeScan files / file types within folders from being modified
       - Protects OfficeScan system processes from unauthorized shutdown
       - Protects OfficeScan system registry entries from unauthorized modification
  22. Trend Micro OfficeScan 10
     - TMOS 10 concerns
       - It is a major upgrade, so it needs thorough testing
       - Uncertainty about use of SmartScan vs. conventional scan
       - Significant CPU utilization every hour on the Local Scan Server when it downloads and processes new pattern files
       - Standalone Scan Server requires VMware ESXi Server 3.5 Update 2, VMware ESX Server 3.5 or 3.0, or VMware Server 2.0
       - 1,000 client limit if the Local Scan Server and OfficeScan server run on the same server (compared to 5,000–8,000 clients for the latter) – called “Integrated Scan Server”
       - No tool yet to export/import config from a TMOS 8 server to a TMOS 10 environment, but they’re working on it
  23. Trend Micro OfficeScan 10
     - TMOS 10 plans
       - Is available now, has been out for a while (service pack 1 in beta)
       - Needs more testing – campus sysadmins encouraged to test
       - Central TMOS 10 server for testing sometime...
       - SIRT will plan coordinated rollout for campus (can be pushed from the server)
       - No timeline at this point, but the advantages warrant a somewhat aggressive schedule, as does the release of Windows 7 in late October
  24. Trend Micro Security for Macs
     - K-State’s license for Symantec AV for Macs expires October 27, 2009
     - No budget for renewal or replacement
     - TM Security for Macs (TMSM) is a new product from Trend Micro, included in our campus site license
     - Barring a show-stopper problem, we will switch to TMSM this fall
  25. Trend Micro Security for Macs
     - Features/Advantages:
       - No additional cost
       - Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
       - Managed as a plug-in to current Windows OfficeScan servers, so we have a common management platform
       - Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors
       - Includes Web Reputation Services to help prevent users from visiting known malicious web sites
       - Covered by current Silver Premium Support contract
       - Single vendor for all AV products
  26. Trend Micro Security for Macs
     - Timeline:
       - Version 1.5 in beta test now
       - Being tested pretty extensively at K-State
       - Fixed known issues we had with v1.0
       - Production release available to K-State after August 25
       - Switch by October 27, or semester break for imaged labs (SAV will continue to work)
     - New Macs should install Symantec now but plan to switch
  27. What’s on your mind?