Sirt roundtable malicious-emailtrendmicro


Published on

MaliciousEmailTrendMicr & concept explained easily

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Sirt roundtable malicious-emailtrendmicro

  1. 1. Recent Malicious Email Attack Trend Micro Updates SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer August 14, 2009
  2. 2. Agenda  Recent malicious email attachments  What happened?  Why was it so effective?  How can we defend against these attacks?  Trend Micro OfficeScan 10  Trend Micro Security for Macs  Q&A 2
  3. 3. What happened?  Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment  Many more reports soon followed from around the world implicating many K-State IP addresses  Many K-Staters started reporting receipt of the malicious emails too  4:22pm - started blocking infected computers; continued detecting/blocking infected computers for three more days  113 infected computers blocked, others detected by sysadmins and rebuilt w/o getting blocked  5:45pm – posted info/warning to IT security threats blog3
  4. 4. What happened?  Four different emails with the following subjects:  Shipping update for your order 254-78546325-658742  You have received A Hallmark E-Card!  Jessica would like to be your friend on hi5!  Your friend invited you to twitter!  Three (somewhat) different attachments:  Shipping   Invitation  At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):  “attachment.pdf .exe”  “attachment.htm .exe”  “attachment.chm .exe” 4
  5. 5. What happened?  New variant of malware so Trend Micro OfficeScan did not detect it.  10:45pm - I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t.  11:52pm – warning email sent to profacstaff and classified mailing lists  July 14, 8:00am – reports 29 of 41 AV products identify the malware (not Trend Micro) 5
  6. 6. What happened?  July 14, 9:00am – finally get samples uploaded to Trend Micro  11:40am – Trend reports malware identified as WORM_AGENTO.BY, “bandage” pattern file available  2:00pm – bandage pattern file pushed out to OfficeScan clients  Production pattern file released later that evening which detects the malware  397 instances detected/deleted by TMOS since July 13  IT Tuesday article posted about it  July 29 and August 7 - similar attacks with new variants of the malware; submitted samples to Trend faster with about a 2 hour turnaround for pattern file that detects the malware 6
  7. 7. Malware Characteristics  Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies  Modified registry to run every time the computer boots  Copied itself to mounted file systems, including USB flash drives  Copied itself to common P2P file sharing folders, masquerading as enticing software downloads 7
  8. 8. Malware Characteristics  Sample P2P folders used:  %ProgramFiles%ICQShared Folder  %ProgramFiles%GroksterMy Grokster  %ProgramFiles%EMuleIncoming  %ProgramFiles%MorpheusMy Shared Folder  %ProgramFiles%LimeWireShared  Sample enticing software downloads:  Ad-aware 2009.exe  Adobe Photoshop CS4 crack.exe  Avast 4.8 Professional.exe  Kaspersky Internet Security 2009 keygen.exe  LimeWire Pro v4.18.3.exe  Microsoft Office 2007 Home and Student keygen.exe  Norton Anti-Virus 2009 Enterprise Crack.exe  Total Commander7 license+keygen.exe  Windows 2008 Enterprise Server VMWare Virtual Machine.exe  Perfect keylogger family edition with crack.exe  … and about 25 more 8
  9. 9. Why was it so effective?  Used familiar services   Hallmark eCard greeting  Twitter  Sensual enticement (“Jessica would like to be your friend on hi5!”)  Somewhat believable replicas of legitimate emails  Sent it to lots of people (bound to hit someone who just ordered something from, or is having a birthday)  Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces  New variant that spread quickly so initial infections missed by antivirus protection  I was too slow submitting samples to Trend (better the second and third time around)  Malware/attachment filtering in Zimbra did not stop it  Been a long time since attack came by email attachment so people caught off-guard 9
  10. 10. What can we do? 10  Users need to learn to recognize scams  Hallmark,, etc. do not send info in attachments  Don’t open attachment unless you are expecting it and have verified with sender  Think before you click  Be paranoid!
  11. 11. 11 Malicious Hallmark E-Card
  12. 12. 12 Legitimate Hallmark E-Card
  13. 13. 13 Malicious Amazon Shipping Notice
  14. 14. 14 Legitimate Amazon Shipping Notice
  15. 15. 15 Malicious Twitter Invitation
  16. 16. What can we do? 16  Better malware filtering in e-mail  Need to work more closely with Zimbra/Yahoo  Submit malware samples sooner (we’re doing that now)  Trend Micro OfficeScan 10…
  17. 17. Trend Micro OfficeScan 10  Major upgrade from current version 8 (where did version 9 go?!)  Ripe with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)  But it appears to provide real value:  Faster deployment of pattern file updates  Smaller client footprint  Windows 7 support (not officially supported in OfficeScan 8)  More options for re-scheduling missed scheduled scans  Better Active Directory integration  Better control of removable devices like USB drives  Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries) 17
  18. 18. Trend Micro OfficeScan 10  “In-the-cloud” scanning (“SmartScan”) vs. conventional scanning  Client uses pattern info stored on local or global servers rather than having to store everything on every client computer  Updates pattern files hourly instead of daily  Smaller pattern files on the client, less network bandwidth used to deploy pattern files  Some heuristic-based detection  Can still do conventional scanning for systems with limited Internet access 18
  19. 19. Trend Micro OfficeScan 10  Better options for dealing with missed scheduled scan  Postpone a schedule scan before it begins  Stop and Resume a current active schedule scan  Resume a missed schedule scan  Automatically skip schedule scan when Laptop Battery is below certain %  Automatically stop schedule scan when it lasts over a certain amount of period. 19
  20. 20. Trend Micro OfficeScan 10  Device Access Control  Sysadmins can control use of removable drives  Examples: Removable Thumb Drives, Firewire Hard Drives, PC-Cards, Media Players. 20
  21. 21. Trend Micro OfficeScan 10  The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped, and settings from being changed  To prevent OSCE applications being injected with malware and impact business operation  Feature provides the ability to protect OfficeScan files / file types within folders from being modified  Protect OfficeScan system processes to prevent unauthorized shut-down  Protect OfficeScan system registries from unauthorized modification 21
  22. 22. Trend Micro OfficeScan 10  TMOS 10 concerns  Is a major upgrade so needs to thorough testing  Uncertainty about use of SmartScan vs. conventional scan  Significant CPU utilization every hour on Local Scan Server when it downloads and processes new pattern files  Standalone Scan Server requires VMware™ ESXi Server 3.5 Update 2. VMware ESX™ Server 3.5 or 3.0, or VMware Server 2.0  1,000 client limit if run Local Scan Server and OfficeScan server on same server (compared to 5,000- 8,000 clients for latter) – called “Integrated Scan Server”  No tool yet to export/import config form TMOS 8 server to TMOS 10 environment, but they’re working on it. 22
  23. 23. Trend Micro OfficeScan 10  TMOS 10 plans  Is available now, been out for a while (service pack 1 in beta)  Needs more testing – campus sysadmins encouraged to test  Central TMOS 10 server for testing sometime...  SIRT will plan coordinated rollout for campus (can be pushed from the server)  No timeline at this point, but advantages warrant a somewhat aggressive schedule, as does release of Windows 7 in late October 23
  24. 24. Trend Micro Security for Macs  K-State’s license for Symantec AV for Macs expires October 27, 2009  No budget for renewal or replacement  TM Security for Macs (TMSM) new product from Trend Micro, included in our campus site license  Barring a show-stopper problem, we will switch to TMSM this fall 24
  25. 25. Trend Micro Security for Macs  Features/Advantages:  No additional cost  Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)  Managed as plug-in to current Windows OfficeScan servers, so have common mgmt platform  Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors  Includes Web Reputation Services to help prevent users from visiting known malicious web sites  Covered by current Silver Premium Support contract  Single vendor for all AV product  No additional cost 25
  26. 26. Trend Micro Security for Macs  Timeline:  Version 1.5 in beta test now  Being tested pretty extensively at K-State  Fixed known issues we had with v1.0  Production release available to K-State after August 25  Switch by October 27, or semester break for imaged labs (SAV will continue to work)  New Macs should install Symantec now but plan to switch 26
  27. 27. What’s on your mind? 27