Security basics.ppt 10385KB Jun 23 2011 12:14:16 PM
Jim Crowley
C3 – Crowley Computer Consulting

Apologies
This is long haired, geeky stuff.
This is long and boring.
This is version 1.
The analogies between safe sex and safe computing cannot be ignored.
It is getting very difficult to protect older systems: too slow and not enough memory for security programs, and no new patches for anything older than Windows 2000.
This is meant to scare the *#$^ out of you.

Various services run over the Internet
World Wide Web
Email
Instant Messaging
Peer to Peer sharing
Voice over IP phones
Gaming
Gopher
Audio streaming
Video streaming
The Internet was designed to be enhanced one service at a time. It was not designed for this level of complexity.
E.g. the easiest way to prevent spam is to authenticate the sender, and email has no method to do this.

E.g. World Wide Web
HTML
XML
Java
JavaScript
Flash
Perl
ColdFusion
VBScript
.Net
ActiveX
SHTML
And more!!!

E.g. Instant Messaging
AOL
Google
ICQ
Microsoft
Yahoo
And more!!!

[Diagram of Internet services: Email, World Wide Web, Peer to Peer Sharing, Instant Messaging, Audio streaming, Gopher, Gaming, Voice over IP phones, Video streaming]

Then…
…it was hard and relatively expensive to “get online.”
…it was slow. Do you remember 300 bps and 1200 bps modems?
…the web didn’t exist! Do you remember CompuServe and Prodigy and AOL?
…it was geeky! Users were hobbyists and it was all very 60s.
Exploits were confined to bugging your buddy and showing off!

Now…
Everyone is online! Over 50% of users in the USA are on broadband.
Exploits are:
Dirty rotten @#*!!!
Money making schemes and ripping off grandma
Organized crime

Virus
Worms
Trojan horse
Spyware
Spam
Phishing

All of these types of attacks are man-made and intentional. There is no “natural” or “random” virus.
All of these ride the Internet services you invite in!
Different companies and organizations will group attacks differently and will name attacks differently.

Malware
Software designed to infiltrate or damage a computer system without the owner's informed consent.
Originally harmless pranks or political messages, malware has now evolved into a profit maker.
Includes viruses, worms and Trojan horses.

Virus
A program or piece of code that is loaded onto your computer (without your knowledge and against your wishes), that (generally) replicates itself and (generally) delivers a payload.
First appeared: 1972

Virus
In the days of yore…
Who: typical author is young, smart and male.
Why: looking to fight the status quo, promote anarchy, make noise or simply show off to their peers. There is no financial gain to writing viruses.
Now…
Who: professional coders or programmers using “kits”.
Why: financial gain by email delivery payments, renting of botnets, extortion…
Often supported by mafia and black marketers.

Virus structure
Replication: viruses must propagate themselves.
Payload: the malicious activity a virus performs when triggered.
Payload trigger: the date or counter or circumstances present when a virus payload goes off.

Payload examples
Nothing - just being annoying
Displaying messages
Launching DDoS attack
Erasing files randomly, by type or usage
Formatting hard drive
Overwriting mainboard BIOS
Sending email
Exposing private information

Trigger examples
Date
Internet access
Number of emails sent

Boot sector virus
Infects the first sector of a hard drive or disk. The first sector contains the MBR or master boot record.

File infector virus
Attaches itself to a file on the computer and is executed when that application is opened.

Multipartite
Combines properties of boot sector and file infector viruses.

Macro virus
Virus written using script or macro languages such as Microsoft Office’s VBA; executes when a document containing the virus is opened.

Memory resident
Virus that sits continuously in memory to do its work, often making it more difficult to clean. Most viruses now are memory resident.

Stealth virus
A virus that actively hides from anti-virus programs by altering its state, hiding copies of itself or replacing needed files.

Polymorphic virus
A virus that alters its signature or footprint to avoid detection.

Metamorphic virus
A virus that rewrites its code each time a new executable is created. Usually very large.

Malware: Worm
A self-replicating computer program that uses networks to copy itself to other computers without user intervention.
They often lack a payload of their own but drop in backdoor programs.
First appeared: 1978

Malware: Trojan
A destructive program that masquerades as a benign application; it requires a user to execute it.
A variety of payloads are possible, but often they are used to install backdoor programs.
Generally, trojans do not replicate.
First appeared: 1983

Spyware
Application installed, usually without the user’s knowledge, intercepting or taking partial control for the author’s personal gain.
Estimates as high as 90% of Internet connected computers are infected with spyware.
Unlike a virus, spyware does not self-replicate.

Spyware: symptoms
Sluggish PC performance
An increase in pop-up ads
Mysterious new toolbars you can’t delete
Unexplained changes to homepage settings
Puzzling search results
Frequent computer crashes

Spyware: a loaded system

Spyware: rogue help
Antivirus Gold Family
Adware Delete
SpyAxe
Antivirus Gold
SpywareStrike
PS Guard Family
Security Iguard
Winhound
PSGuard
SpywareNO!
SpyDemmolisher
SpySheriff
SpyTrooper
SpywareNO!
Raze Spyware
RegFreeze
WinAntiSpyware 2005
WorldAntiSpy

Spyware: rogue help
This morning…

Spyware: Adware
Any software package which automatically plays, displays or downloads advertising material to a computer.
Not necessarily “spyware,” depending on your definitions.
Many “free” applications install adware, creating a source of income.
Is it spyware? http://www.symantec.com/enterprise/security_response/threatexplorer/risks/index.jsp

Spyware: Backdoors
Backdoor = Remote Access
A method of bypassing normal authentication or securing remote access while remaining hidden from casual inspection.
May be an installed program (e.g. Back Orifice) or a modification to an existing application (e.g. Windows’ Remote Desktop).

Spyware: Browser hijacker
Alters your home page and may redirect other requested pages, often away from helpful sites.
Generally adds advertising, porn, bookmarks or pay-per-surf web sites.

Spyware: Dialers
Program that uses a computer’s modem to dial out to a toll number or Internet site.
900 numbers
Phone system flood attack
Can rack up huge phone bills! Often running to international numbers in the Caribbean.

Spyware: Downloaders
Application designed to download and possibly install another application.
Sometimes they may receive instructions from a web site or another trigger.
Also a typical form of Trojans.

Spyware: Rootkits
A type of Trojan that gives an attacker access to the lowest level of the computer, the root level.
Removing rootkits can be very difficult to impossible.
Microsoft’s recommendation to remove rootkits from Windows XP was to reformat the hard drive and start over! Sometimes this is the only option.
Have been used for “legitimate” purposes: Sony used one for digital rights management licensing on music CDs; the system was shown to have security holes, possibly giving up root access to an attacker.

Spyware: Scrapers
Extracting data from output to the screen or printer rather than from files or databases that may be secure.
Legitimate and illegitimate applications.
Temp files are often a great source of information!

Spyware: Tracking cookies
A small amount of data sent back to the requesting website by your browser. They may be temporary or persistent, first or third party.
Cookies are not bad and make browsing life better!
Third party cookies are used to track surfing habits and you may want to disable them.
Example cookie record as shown on the slide: weather.com, LocID, TRUE, 13669, /, FALSE, 1218399413
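The two distinctions the slide draws (temporary vs. persistent, first vs. third party) can be checked mechanically against a browser's cookie store. The following is an added example, not code from the presentation or from any product it names: it parses the tab-separated Netscape cookies.txt layout (domain, subdomain flag, path, secure flag, expiry, name, value) and classifies each record relative to the site being visited. The sample file is constructed; its weather.com line reuses the values shown on the slide, the other two lines are made up, and the "ads.example" domain is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Cookie:
    domain: str              # host(s) the browser will send the cookie to
    include_subdomains: bool
    path: str
    secure: bool             # only sent over HTTPS
    expires: int             # Unix time; 0 means a session cookie, discarded on browser exit
    name: str
    value: str

# Constructed sample in Netscape cookies.txt layout. The weather.com record reuses the
# values shown on the slide; the other two records (and the ads.example domain) are made up.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "weather.com\tTRUE\t/\tFALSE\t1218399413\tLocID\t13669",
    ".ads.example\tTRUE\t/\tFALSE\t1262304000\tuid\tabc123",
    "www.weather.com\tFALSE\t/\tTRUE\t0\tsession_id\txyz",
])

def parse_cookies_txt(text: str) -> list[Cookie]:
    """Parse cookies.txt lines; comments and malformed lines are skipped rather than fatal."""
    cookies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, subs, path, secure, expires, name, value = fields
        try:
            exp = int(expires)
        except ValueError:
            continue
        cookies.append(Cookie(domain.lstrip(".").lower(), subs == "TRUE", path,
                              secure == "TRUE", exp, name, value))
    return cookies

def is_persistent(cookie: Cookie) -> bool:
    """Persistent cookies survive closing the browser; session cookies (expiry 0) do not."""
    return cookie.expires != 0

def is_third_party(cookie: Cookie, visited_host: str) -> bool:
    """First-party if the cookie's domain is the visited host or one of its parents
    (weather.com is first-party on www.weather.com); anything else is third-party."""
    host = visited_host.lower()
    return not (host == cookie.domain or host.endswith("." + cookie.domain))

def expires_utc(cookie: Cookie):
    """Expiry as a UTC datetime, or None for a session cookie."""
    if not is_persistent(cookie):
        return None
    return datetime.fromtimestamp(cookie.expires, tz=timezone.utc)

def audit(text: str, visited_host: str) -> list[tuple[str, str, str, str]]:
    """One (domain, name, lifetime, party) row per cookie: the two properties the slide distinguishes."""
    rows = []
    for c in parse_cookies_txt(text):
        rows.append((c.domain, c.name,
                     "persistent" if is_persistent(c) else "session",
                     "third-party" if is_third_party(c, visited_host) else "first-party"))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_COOKIES_TXT, "www.weather.com"):
        print(*row)
```

Run against the sample while "visiting" www.weather.com, the LocID cookie comes out as a persistent first-party cookie (its slide expiry value decodes to August 2008), the ads.example cookie as persistent third-party, which is the kind the slide suggests disabling, and session_id as a session cookie that disappears when the browser closes.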

Keylogger
A software application or hardware device that captures a user’s keystrokes for legitimate or illegitimate use.
Bad keyloggers will store information for later retrieval or send the captured information to an email address or web page for later analysis.

Social Engineering
Tricking a user into giving up, or giving access to, sensitive information in order to bypass protection.

Social Engineering: pretexting
Creating a scenario to persuade a target to release information, done over the phone.
Often uses commonly available information like social security numbers or family names to gain access to further information.

Social engineering: phishing
Creating a scenario to persuade a target to release information, done via email.
Often uses commonly available information like social security numbers or family names to gain access to further information.

Social engineering: more
Road apple: leaving an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity.
Quid pro quo: approaching corporate employees as “tech support” until someone actually has a problem and “allows them to help.”

True or false? (four example slides)

Spam
Junk email.
An email message can contain any of the threats mentioned, not to mention the time wasted downloading and filtering through the messages.
You do not have to open an attachment to activate a threat.
Webmail eliminates few threats.

Spam
Threats that activate via merely opening the email are not disabled by using the email preview!

[Diagram: Email, World Wide Web, Instant Messaging, Gaming, Peer to Peer Sharing]

Don’t use the Internet
Are you really that isolationist?
Other user profiles on your computer?
Other computers connected to the Internet
Other devices…
Xbox, Playstation, Wii
Media Center Extenders
DVRs

Other connections
Wireless local networks
Bluetooth personal networks
Removable storage
Other connected devices: printers, digital cameras, video cameras
Floppy
CDs
DVDs
USB memory key
Flash memory

The first bug causing a computer error was found by Grace Hopper's team in 1945 using Harvard University's Mark II computer.

And the stakes get higher…
Imagine the home of the future: a broadband Internet connection shared by…
Computers
Television / DVR
Phone
Security / heating / cooling
Kitchen appliances
Cell phone
Imagine hacker exploits:
Defrost your freezer
Turn off the heat
Trip / disable security
Record “Boy Meets World” instead of “Desperate Housewives” and “24”!

What’s a guy or gal to do?

Firewall
Software or hardware which permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication.
Emerged in 1988.

Levels of protection
Network address translation: internal devices carry separate addresses from the Internet connection; the firewall translates, masking internal devices.
Packet filters: very basic inspection of individual packets of inbound traffic for correct ports for basic services.
Stateful filters: compare packets of traffic, and rules can change the criteria of what is allowed.
Application layer: deep packet inspection determines whether traffic is appropriate for a specific port.
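The difference between the packet-filter and stateful levels above is easiest to see on a few packets. The following simulation is an added example, not code from the presentation or from any firewall product it recommends: a stateless filter judges each inbound packet by its header alone (here, "does the remote side use a basic service port?"), while the stateful filter remembers which connections the LAN opened and only admits replies to them. The traffic sample is constructed with documentation addresses (192.168.1.10, 203.0.113.5, 198.51.100.7).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: judges every packet on its own header.
    Outbound traffic is allowed; inbound is allowed only when the remote side uses a
    well-known service port (80/443), because replies from web servers look like that."""
    if pkt.direction == "out":
        return True
    return pkt.src_port in (80, 443)

class StatefulFilter:
    """Stateful filter: remembers connections the LAN opened and only lets in packets
    that belong to one of them, so what is allowed changes as traffic flows."""
    def __init__(self):
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # inbound: allowed only if it is the reverse of a tracked outbound flow
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

# Constructed traffic sample: LAN host 192.168.1.10 browses web server 203.0.113.5;
# 198.51.100.7 is an Internet host nobody on the LAN ever talked to.
TRAFFIC = [
    Packet("out", "192.168.1.10", 51000, "203.0.113.5", 80),   # browser opens a web page
    Packet("in",  "203.0.113.5", 80, "192.168.1.10", 51000),   # the server's reply
    Packet("in",  "198.51.100.7", 80, "192.168.1.10", 445),    # unsolicited, but from port 80
    Packet("in",  "198.51.100.7", 4444, "192.168.1.10", 445),  # unsolicited, random port
]

def compare(traffic) -> list[tuple[bool, bool]]:
    """(packet-filter decision, stateful decision) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.decide(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, (plain, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  packet filter: {'allow' if plain else 'deny'}"
              f"  stateful: {'allow' if stateful else 'deny'}")
```

Both filters pass the web request and its reply. The third packet is where they part: the packet filter lets it through because its header looks like a web reply, while the stateful filter denies it because no LAN host opened a connection to 198.51.100.7. That gap is why the next slide recommends a router with stateful packet inspection.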

Protection: hardware firewall
Recommend a router with stateful packet inspection.
Jim’s picks: Linksys, Sonicwall

Protection: software firewall
A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly.
Software firewalls often disrupt internal networks.
Jim’s “sorta” pick: ZoneAlarm

Protection: virus
Most mature category of protection. Detection rate should be near perfect!
How do anti-virus programs work?
File fingerprinting
Active scanning
Heuristics
Unusual hard drive activities
Protection can be run at the:
Internet service provider
Router
Server (if applicable)
Workstation – recommended

Protection: virus
Must be updated!
Jim’s picks
Norton Antivirus (home)
Symantec Antivirus Corporate Edition or Small Business Edition (offices)
AVG for older systems

Protection: spyware
Fairly new application; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.”
Detection rates are not nearly as accurate as virus detection.
Anti-virus applications are now capable of replacing active scanning spyware applications.
Spyware and virus scanners can fight, causing system freeze ups and instability.

Protection: spyware
Jim’s picks
Webroot SpySweeper
Spyware Doctor
Spybot (not an active scanner)
Adaware (not an active scanner)

Protection: spam
Spam filtering works by recognizing common email addresses and domains used for sending spam and by recognizing keywords in email, and moves such mail automatically to a “junk” folder.
Can be done at the email server or workstation.
Success rates are very individual!

Protection: spam
Avoid spam – once your email address is a spam target, there is no eliminating it.
Avoid posting your address on web pages.
Use throw-away email addresses (e.g. Yahoo, Hotmail, Google) when working with unknown or very public sites (e.g. Ebay, MySpace…).
You have to look through your Junk email occasionally to find mis-labeled email!
The more “public” your email address, the less you can filter without false positives.
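The two mechanisms the spam slides describe, a list of known spam-sending domains and keyword recognition, can be combined into a small scoring filter. The following is an added example, not code from the presentation or from any of the products it names; the block list, keyword weights, threshold and the three messages are all constructed, and the sender domains are placeholders. It also shows why "you have to look through your Junk email occasionally": the keyword match is a plain substring search, so a legitimate message can pick up points.

```python
import re
from email.parser import Parser

# Constructed filter configuration: a block list of spam-sending domains and weighted keywords.
BLOCKED_DOMAINS = {"spam-sender.example"}
KEYWORDS = {"viagra": 3, "winner": 2, "click here": 2, "free": 1}
JUNK_THRESHOLD = 3

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header, lower-cased; empty if there is no address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons). A block-listed sender domain weighs heavily; keyword
    hits in subject and body add up. Matching is plain substring search, so 'free'
    inside 'free parking' counts too, which is where false positives come from."""
    msg = Parser().parsestr(raw)
    score, reasons = 0, []
    dom = sender_domain(msg.get("From", ""))
    if dom in BLOCKED_DOMAINS:
        score += 5
        reasons.append(f"sender domain {dom} is on the block list")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for kw, weight in KEYWORDS.items():
        hits = text.count(kw)
        if hits:
            score += weight * hits
            reasons.append(f"keyword '{kw}' x{hits}")
    return score, reasons

def classify(raw: str) -> str:
    """'junk' moves the message to the Junk folder, 'inbox' leaves it alone."""
    score, _ = score_message(raw)
    return "junk" if score >= JUNK_THRESHOLD else "inbox"

# Constructed messages (RFC 822 style text: headers, blank line, body).
MESSAGES = {
    "prize": "From: promo@spam-sender.example\n"
             "Subject: You are a WINNER - click here\n\n"
             "Claim your free prize today.\n",
    "parking": "From: boss@company.example\n"
               "Subject: Free parking this week\n\n"
               "The lot behind the office is free on Friday.\n",
    "pills": "From: deals@random.example\n"
             "Subject: Cheap viagra\n\n"
             "Click here now.\n",
}

def run_sample() -> dict[str, str]:
    """Classify every constructed message."""
    return {name: classify(raw) for name, raw in MESSAGES.items()}

if __name__ == "__main__":
    for name, raw in MESSAGES.items():
        score, reasons = score_message(raw)
        print(f"{name}: {classify(raw)} (score {score}; {'; '.join(reasons) or 'no hits'})")
```

The "prize" message is caught on its sender domain alone, and "pills" on keywords from a domain the filter has never seen. The "parking" message scores 2 from the word "free" appearing twice, just under the threshold; raise the weight of "free" to 2 and it lands in Junk, which is the trade-off the slide means by "the more public your address, the less you can filter without false positives."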

Protection: spam
Jim’s thoughts
Outlook 2007 not bad
Andrew likes new Thunderbird
Several clients like Inboxer
Several clients like Norton AntiSpam
Several clients like their ISP’s filtering, but the user must check junk on the web site
Dial up: ISP filtering

Protection: Operating System updates
Most updates are security patches, not functionality enhancements!
I do not recommend using driver updates through Windows Updates!
Get OS patches only through Windows Updates!

Protection: Application updates
Browsers, email applications, instant messaging applications, etc. all need security patches!

Protection: Application updates
Application            Source of updates
AOL IM                 www.aim.com
Internet Explorer      Windows Updates
Microsoft Messenger    Windows Updates
Mozilla Firefox        www.mozilla.com (Help)
Opera                  www.opera.com (?)
Outlook Express        Windows Updates
Thunderbird email      www.mozilla.com (Help)
Windows Mail (Vista)   Windows Updates
Yahoo IM               www.yahoo.com

Vulnerability: Internet
World Wide Web

Vulnerability: WWW

Vulnerability: Email

Vulnerability: Instant messaging

Vulnerability: Gaming

Vulnerability: Streaming

Vulnerability: P2P

Layers: onions, ogres & protection
                             Broadband     Dial up
Hardware firewall            Necessary     n/a
Software firewall            Maybe         Maybe
Virus protection             Necessary     Necessary
Spyware protection           Necessary     Necessary
Spam filtering               Recommended   Recommended
Operating system patches     Necessary     Necessary
Browser/email/IM/… patches   Necessary     Necessary

Protection purchasing
Best of breed applications: best possible protection, probably less bloat.
Security suite: probably play together better, better pricing, common interface.

Protection purchasing: suites
Jim’s picks: Norton Internet Security, Norton 360
PC Magazine Editor’s Choice: Norton 360, ZoneAlarm Internet Security Suite 7
PC World: Norton Internet Security, McAfee Internet Security Suite

Selecting protection
Do:
Read reviews from professional, neutral sources
Make sure you can understand your subscription’s status
Realize you generally get what you pay for
Realize that bundled apps are often 30 or 90 day trials and often not installed
Don’t:
Use advertising or blogs as your main source of information
Use reviews from nontechnical sources
Run two software firewalls, two anti-virus or two active antispyware apps

Protection: Educate your users
Do not open attachments from anyone you don’t know.
Suspicious attachments from any known email address may be threats that spoof senders.
Security measures are for their benefit; don’t subvert them.
Don’t run ActiveX or Java from untrusted or unknown websites.
Never click on suspicious ads or popups. Always click the Windows Close X when you can.
Any connection can bring in threats…
Home computers logging in for remote work.
Office laptops connected in public Wi-Fi hotspots.
Removable storage.

Protection: Educate your users
It is much easier to protect yourself than to get clean after an infection.
Internet Explorer is the only web browser that uses Microsoft’s ActiveX tools. ActiveX is a security nightmare. Avoid the problem: use a different browser.
Jim’s pick: Mozilla Firefox

Protection: Educate your users
Fake Windows Updates

Procedure at C3
Interview client. Possibly start system as is to see symptoms.
Remove hard drive and connect to C3 testing systems.
Prevents threats from going active.
Improves accuracy of scans for stealth, polymorphic and rootkits.
Virus scan (Symantec Antivirus Corporate Edition)
Spyware scan (Webroot Spysweeper)
Hard drive test (Scandisk or Norton Disk Doctor)

Procedure at C3
Clean temp files
Windows\Temp
Windows\Temporary Internet Files
User\Temp
User\Temporary Internet Files
Possibly other locations
Research infections
Return hard drive to client’s system

Procedure at C3
Probable: Safe mode startup and disable Windows System Restore
Manual cleaning as needed while “disconnected”
All Windows Updates
Probable: installation of appropriate security package
All updates
Full system scan

Procedure at C3
Total time: 2 to 8 hours
Total technician time: 1 to 4 hours

What can you do?
Know that Windows cannot diagnose most problems.
Know that repairing Windows requires a clean computer.
Know when to say “Uncle!” based on your skill level.
Know when to say “Uncle!” if a computer cannot be recovered and must be wiped.
Backup, Backup, Backup.

Non-operating Windows
Boot from the appropriate Windows CD and attempt a repair installation.
Must match system: version; Home vs. Professional; Upgrade vs. Retail vs. OEM.
Danger: infections may corrupt the system further. You may get “running” until the threat kicks in again and repeats its damage.
Pros: desperation – you’re doing something.

Non-starting Windows
Safe mode: press F8 (or hold Ctrl) prior to the Windows splash screen.
Scan: manual updates? Virus scanner, spyware scanner.
Document, research, follow necessary instructions.
Limit startups.
Most threats are inactive in safe mode.
You may be able to download scanner updates manually on another computer and install them.
Warning: more threats successfully hide themselves in safe mode.

Safe mode
F8 during startup
Most drivers and network not running
Often, you must log on as administrator

Manual virus definition update
Highly dependent on application manufacturer
Expired subscription may not allow use of manual update

Limit startups
Start
Run
Msconfig
Services and Startup tabs
Turn off anything that you don’t recognize, especially “random” names.
Google names.
Restart

Operating Windows
Backup
Document!
Virus scan: update installed app; online scanner; install new app
Spyware scan (or 2): update installed app; online scanner; install new app
Research infections
Manual attack and tools: follow instructions! Take your time!
All Windows Updates
Install appropriate security
All updates
Scan
Scan your backup

Update virus scanner
Particular to application
Many threats will attempt to subvert the connection
Subscription must be active.

Online scanners (virus & spyware)
Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp
Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
Trend Micro: housecall.trendmicro.com/

I want a real antivirus – now!
Many vendors have demo downloads. E.g. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package.
Delete – don’t quarantine. When macro viruses were the rage, quarantining was a method to recover infected documents.

My antivirus isn’t playing!
Try updating.
Attempt a repair installation.
If you bought your security online, via download, copy it to CD for semi-permanent archival!
Realize all security applications “get old.”
Uninstall and reinstall.
Need RAM?

Research infections
Symantec Threat Explorer: www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp
Google: www.google.com
Scumware: http://scumware.com/

Disable System Restore
Right-click My Computer
Properties
System Restore tab
Check “Turn off System Restore”
OK

Registry Editor
Start
Run
Regedit
OK
Procedure: Backup! Navigate. Nuking the bad guys.

Removal tools
CWShredder: www.cwshredder.net
Major Geeks: www.majorgeeks.com/downloads16.html

System cleaning
Eliminate temporary files
Start
All Programs
Accessories
System Tools
Disk Cleanup

System cleaning
Defragment your hard drive
Start
All Programs
Accessories
System Tools
Disk Defragmenter

System cleanup
Internet Explorer automatically clearing cache
Internet Explorer
Tools
Internet Options…
Advanced tab
Security section
Check “Empty Temporary Internet Files when browser is closed”

Know when…
You’re… over your head; wasting your time.
Your… last backup was made; system and application CDs are; Windows is toast.

Worthwhile freebies
Virus scanners
AVG – www.grisoft.com
Avast – www.avast.com
Spyware scanners
Spybot Search and Destroy – www.safer-networking.org/en/index.html
Discovery tools
Hijack This – www.merijn.org

Web privacy
Google is not the problem. Google is just one way to find this kind of data.
Blocking this data on Google will not block other search engines.
All of this is in the phone book, and then I can go to any mapping application.

Email Hijack
From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM
Good Morning Jim:
I wanted to report a SPAM issue to you. This morning xxxxx received an email to her xxxxxx account. The email was sent by her from an outside account. It was an email that she sent to someone 6 months ago. Also on the email were individuals CCd who should not have received that email. Basically what is occurring is someone is accessing her email account and is sending herself and others mail that should not be going out. Is it possible that some type of hacker is doing this? She is also receiving SPAM from xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and cannot block it because it’s from my account. The frequency of this is increasing. What can we be doing to prevent the SPAM, and can someone access confidential information that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx
Administrative Assistant
Xxxxxxxxx Coordinator
Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.

Email Hijack
Not hijacked – spoofed!
Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was:
Your computer or server
Your email server
The recipient’s email host
The recipient’s computer or server

Email Spoofing application
It peruses my email and randomly grabs xyz’s message
Makes a copy
Probably alters the message somewhat
Attaches the virus or whatever its “payload” is
Reuses all original email addresses in the To, CC and BCC
Maybe adds some more addresses
Maybe randomly generates more email addresses
And starts sending itself out
XYZ may get a copy of her message back…

Urban myths

www.av-test.org
www.icsalab.com
www.virusbtn.com

www.pcmag.com
http://www.pcmag.com/category2/0,1874,4829,00.asp
www.pcworld.com
http://www.pcworld.com/tc/spyware/

www.geeksonwheels.com
www.pcmag.com/encyclopedia/
www.snopes.com
www.sunbelt-software.com
http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
www.webroot.com
www.wikipedia.org
C3 – Crowley Computer Consulting
1
Apologies
This is long haired, geeky stuff.
This is long and boring.
This is version 1.
The analogies between safe sex and safe
computing cannot be ignored.
It is getting very difficult to protect older systems.
Too slow and not enough memory for security
programs.
No new patches older than Windows 2000.
This is meant to scare the *#$^ out of you.
2
3
Various services run over the
Internet
World Wide Web
Instant Messaging
Peer to Peer sharing
Voice over IP phones
Gaming
Gopher
Audio streaming
Video streaming
The Internet was
designed for
enhancement.
It was not designed
for this level of
complexity.
IE. The easiest way
to prevent spam is
to authenticate the
sender. Email has no
method to do this.
4
IE. World Wide Web
HTML
XML
Java
JavaScript
Flash
Perl
ColdFusion
VBScript`
.Net
ActiveX
SHTML
And more!!!
5
IE. Instant Messaging
AOL
ICQ
Microsoft
Yahoo
And more!!!
6
World
Wide
Web
Peer to
Peer
Sharing
Instant
Messagin Audio
g
streamin
g
Gopher
Gaming
Voice
over IP
phones
Video
streamin
g
7
…it was hard and relatively expensive to “get
online.”
…it was slow.
Do you remember 300Bps and 1200Bps modems?
…the web didn’t exist!
Do you remember CompuServe and Prodigy and
AOL?
…it was geeky!
Users were hobbyists and it was all very 60s.
Exploits were confined to bugging your buddy and
showing off!
8
Now..
Everyone is online!
Over 50% of users in
the USA are on
broadband.
Exploits are
Dirty rotten @#*!!!
Money making
schemes and
ripping off grandma
Organized crime
9
Virus
Worms
Trojan horse
Spyware
Spam
Phishing
10
All of these types of attacks are man-made
and intentional.
There is no “natural” or “random” virus.
All of these ride the Internet services you
invite in!
Different companies and organizations
Will group attacks differently.
Will name attacks differently.
11
Software designed to infiltrate or damage a
computer system without the owner's
informed consent.
Originally harmless pranks or political
messages, now have evolved into profit
makers.
Include viruses, worms and Trojan horses.
12
a program or piece of code that is loaded
onto your computer (without your knowledge
and against your wishes), that (generally)
replicates itself and (generally) delivers a
payload.
1972
13
Virus
In the days of yore…
Who: typical author is young, smart and male
Why: looking to fight the status quo, promote
anarchy, make noise or simply show off to their
peers. There is no financial gain to writing viruses.
Now…
Who: professional coders or programmers using
“kits”
Why: financial gain by email delivery payments,
renting of botnets, extortion…
Often supported by mafia and black marketers.
14
Virus structure
Replication: viruses must propagate
themselves
Payload: the malicious activity a virus
performs when triggered.
Payload trigger: the date or counter or
circumstances present when a virus payload
goes off.
15
Payload examples
Nothing - just being annoying
Displaying messages
Launching DDoS attack
Erasing files randomly, by type or usage
Formatting hard drive
Overwrite mainboard BIOS
Sending email
Expose private information
16
Trigger examples
Date
Internet access
# emails sent
17
Boot sector virus
infects the first sector of a hard drive or disk.
The first sector contains the MBR or master
boot record.
18
File infector virus
attaches itself to a file on the computer and is
executed when that application is opened.
19
Multipartite
combines properties of boot sector and file
infector viruses.
20
Macro virus
virus written using script or macro languages
such as Microsoft Office’s VBA, executes
when a document containing the virus is
opened.
21
Memory resident
• virus that sits continuously in memory to do
its work, often making it more difficult to
clean. Most viruses now are memory resident.
22
Stealth virus
• a virus that actively hides from anti-virus
programs by altering it’s state or hiding
copies of itself or replacing needed files.
23
Polymorphic virus
• a virus that alters its signature or footprint,
to avoid detection.
24
Metamorphic virus
A virus that rewrites its code each time a new
executable is created.
Usually very large.
25
Malware: Worm
A self-replicating computer program that
uses networks to copy itself to other
computers without user intervention.
They often lack a payload of their own but
drop in backdoor programs.
1978
26
Malware: Trojan
A destructive program that masquerades as a
benign application, it requires a user to
execute it.
• A variety of payloads are possible, but often
they are used to install backdoor programs.
• Generally, trojans do not replicate.
• 1983
27
Spyware
Application installed, usually without the
user’s knowledge, intercepting or taking
partial control for the author’s personal gain
Estimates as high as 90% of Internet
connected computers are infected with
spyware.
Unlike a virus does not self-replicate.
28
Spyware: symptoms
Sluggish PC performance
An increase in pop-up ads
Mysterious new toolbars you can’t delete
Unexplained changes to homepage settings
Puzzling search results
Frequent computer crashes
29
Spyware: a loaded system
30
Spyware: rogue help
Antivirus Gold Family
Adware Delete
SpyAxe
Antivirus Gold
SpywareStrike
PS Guard Family
Security Iguard
Winhound
PSGuard
SpywareNO!
SpyDemmolisher
SpySheriff
SpyTrooper
SpywareNO!
Raze Spyware
RegFreeze
WinAntiSpyware 2005
WorldAntiSpy
31
Spyware: rogue help
This morning…
32
Spyware: Adware
Any software package which automatically
plays, displays or downloads advertising
material to a computer
Not necessarily “spyware” depending on your
definitions
Many “free” applications install adware,
creating a source of income.
Is it spyware?
http://www.symantec.com/enterprise/security_respo
nse/threatexplorer/risks/index.jsp
33
Spyware: Adware
34
Spyware: Backdoors
Backdoor = Remote Access
A method of bypassing normal authentication
or securing remote access while remaining
hidden from casual inspection.
May be an installed program (IE. Back
Orifice) or a modification to an existing
application (IE. Windows’ Remote Desktop).
35
Spyware: Browser hijacker
Alters your home page and may redirect
other requested pages, often away from
helpful sites.
Generally add advertising, porn, bookmarks
or pay-per-surf web sites.
36
Spyware: Dialers
Program that uses a computer’s modem to
dial out to a toll number or Internet site
900 numbers
Phone system flood attack
Can rack up huge phone bills! Often running
to international numbers in the Caribbean.
37
Spyware: Downloaders
Application designed to download and
possibly install another application.
Sometimes, they may receive instructions
from a web site or another trigger.
Also a typical form of Trojans.
38
Spyware: Rootkits
A type of Trojan that gives an attacker access to
the lowest level of the computer, the root level.
Removing rootkits can be very difficult to
impossible.
Microsoft’s recommendation to remove rootkits
from Windows Xp was to reformat the hard drive
and start over! Sometimes this is the only option.
Have been used for “legitimate” purposes,
Sony used for digital rights management licensing
on music CDs, system was shown to have security
holes, possibly giving up root access to an attacker.
39
Spyware: Scrapers
Extracting data from
output to the screen
or printer rather than
from files or databases
that may be secure.
Legitimate and
illegitimate
applications.
Temp files are often a
great source of
information!
40
Spyware: Tracking cookies
A small amount of data
sent back to the
requesting website by
your browser. They may
be temporary or
persistent, first or third
party.
Cookies are not bad and
make browsing life
better!
Third party cookies are
used to track surfing
habits and you may want
to disable them.
weather.com
LocID
TRUE
13669
/
FALSE
1218399413
41
Keylogger
A software application or hardware device
that captures a user’s keystrokes for
legitimate or illegitimate use.
Bad keyloggers will store information for
later retrieval or spit the captured
information to an email address or web page
for later analysis.
42
Social Engineering
Tricking a user into giving or giving access to
sensitive information in order to bypass
protection.
43
Social Engineering: pretexting
Creating a scenario to persuade a target to
release information done over the phone.
Often use commonly available information
like social security numbers or family names
to gain access to further information.
44
Social engineering: phishing
Creating a scenario to persuade a target to
release information done via email.
Often use commonly available information
like social security numbers or family names
to gain access to further information.
45
Social engineering: more
Road apple: using an infected floppy, CD or USB memory key in a location where someone is bound to find and check it through simple curiosity.
Quid pro quo: targeting corporate employees as “tech support” until someone actually has a problem and “allows them to help.”
46
True or false?
47
True or false?
48
True or false?
49
True or false?
50
Spam
Junk email.
An email message can contain any of the
threats mentioned, not to mention the time
wasted downloading and filtering through the
messages.
You do not have to open an attachment to
activate a threat.
Webmail eliminates few threats.
51
Spam
Threats that activate via merely opening the email are not disabled by using the email preview!
52
Figure: Internet services diagram (World Wide Web, Instant Messaging, Gaming, Peer to Peer Sharing)
53
54
Don’t use the Internet
Are you really that isolationist?
Other user profiles on your computer?
Other computers connected to the Internet
Other devices…
Xbox, Playstation, Wii
Media Center Extenders
DVRs
55
Other connections
Wireless local
networks
Bluetooth personal
networks
Removable storage
Other connected
devices
Printers
Digital cameras
Video cameras
Floppy
CDs
DVDs
USB memory key
Flash memory
56
The first bug causing a computer error was found by Grace Hopper's team in 1945 using Harvard University's Mark II computer.
57
And the stakes get higher…
Imagine the home of the future: a broadband Internet connection shared by…
Computers
Television / DVR
Phone
Security / heating / cooling
Kitchen appliances
Cell phone
Imagine hacker exploits
Defrost your freezer
Turn off the heat
Trip / disable security
Record “Boy Meets World” instead of “Desperate Housewives” and “24”!
58
What’s a guy or gal to do?
59
Software or hardware that permits or denies data into, and possibly out of, a computer network depending on levels of trust and authentication.
Emerged in 1988.
60
Levels of protection
Network address translation: internal devices carry
separate addresses from Internet connection,
firewall translates, masking internal devices.
Packet filters: very basic inspection of individual
packets of inbound traffic for correct ports for basic
services.
Stateful filters: compare packets of traffic and rules
can change criteria of what is allowed.
Application layer: deep packet inspection
determines whether traffic is appropriate for a
specific port.
61
Protection: hardware firewall
Recommend a router with stateful packet inspection
Jim’s picks
Linksys
Sonicwall
62
Protection: software firewall
A good program will know how to configure major applications correctly, but it is easy to answer a firewall prompt incorrectly.
Software firewalls often disrupt internal networks.
Jim’s “sorta” pick
ZoneAlarm
63
Protection: virus
Most mature category of protection. Detection
rate should be near perfect!
How do anti-virus programs work?
File fingerprinting
Active scanning
Heuristics
Unusual hard drive activities
Protection can be run at the
Internet service provider
Router
Server (if applicable)
Workstation – recommended
64
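Two of the detection methods just listed, file fingerprinting and heuristics, shown side by side in an added example (not from the slides or any vendor's product); the signature, file names and file contents are all constructed.

```python
# Added example, not from the slides: file fingerprinting and a simple
# heuristic, two of the detection methods listed above, run over constructed
# sample files. The signature, file names and contents are all made up.
import hashlib

# Constructed "known bad" file and its fingerprint (a real product ships millions).
KNOWN_BAD = b"MZ" + b"\x90" * 14 + b"constructed demo malware body"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Trojan.A"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
DOC_EXTENSIONS = {"pdf", "doc", "jpg", "txt"}

def fingerprint_match(data):
    """Exact match only: one changed byte and the fingerprint no longer hits."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())

def heuristic_flags(name, data):
    """Rule based: looks for suspicious traits instead of a known hash."""
    flags = []
    lowered = name.lower()
    # a Windows executable header behind a document or image extension
    if data[:2] == b"MZ" and not lowered.endswith(EXEC_EXTENSIONS):
        flags.append("executable header with non-executable extension")
    # a double extension such as invoice.pdf.exe
    stem = lowered.rsplit(".", 1)[0]
    if "." in stem and stem.rsplit(".", 1)[1] in DOC_EXTENSIONS:
        flags.append("double extension")
    return flags

def scan(name, data):
    """Return ('known', sig), ('suspicious', reasons) or ('clean', '')."""
    sig = fingerprint_match(data)
    if sig:
        return ("known", sig)
    flags = heuristic_flags(name, data)
    if flags:
        return ("suspicious", "; ".join(flags))
    return ("clean", "")

SAMPLE_FILES = [  # constructed
    ("tool.exe", KNOWN_BAD),                  # exact signature hit
    ("tool.exe", KNOWN_BAD + b"\x00"),        # one byte appended: fingerprint misses
    ("photo.jpg.exe", b"MZ" + b"\x00" * 30),  # double extension
    ("report.pdf", b"MZ" + b"\x00" * 30),     # executable pretending to be a PDF
    ("notes.txt", b"just some text"),
]

def scan_all(files=SAMPLE_FILES):
    return [scan(n, d) for n, d in files]
```

The second sample is why the slide lists more than one method: a trivially altered copy of a known file sails past the fingerprint and is only caught if some heuristic happens to apply.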
Protection: virus
Must be updated!
Jim’s picks
Norton Antivirus
(home)
Symantec Antivirus
Corporate Edition or
Small Business
Edition (offices)
AVG for older
systems
65
Protection: spyware
Anti-spyware is a fairly new application category; running two anti-spyware applications is often recommended, but only one should be doing “active scanning.”
Detection rates are not nearly as accurate as virus detection.
Anti-virus applications are now capable of replacing active scanning spyware applications.
Spyware and virus scanners can fight, causing system freeze ups and instability.
66
Protection: spyware
Jim’s picks
Webroot SpySweeper
Spyware Doctor
Spybot *
Adaware *
* Not an active scanner
67
Protection: spam
Spam filtering works by recognizing email addresses and domains commonly used for sending spam and by recognizing keywords in email, then moving the message automatically to a “junk” folder.
Can be done at the email server or the workstation.
Success rates are very individual!
68
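The two filtering techniques named above, a sender block list and keyword matching, in an added example (not from the slides or any product); every address, domain and weight here is constructed, and the second message shows the false positive the slide warns you to check your Junk folder for.

```python
# Added example, not from the slides: a sender block list and keyword scoring
# applied to constructed messages (addresses, domains and weights are made up).
BLOCKED_DOMAINS = {"bulkmail.example", "promo-blast.example"}
KEYWORD_WEIGHTS = {"winner": 3, "free": 2, "act now": 2, "unsubscribe": 1}
JUNK_THRESHOLD = 3   # lower = catches more spam, but also more false positives

def sender_domain(from_addr):
    return from_addr.rsplit("@", 1)[-1].lower()

def keyword_score(msg):
    text = (msg["subject"] + " " + msg["body"]).lower()
    return sum(w for kw, w in KEYWORD_WEIGHTS.items() if kw in text)

def classify(msg):
    """Return ('junk', reason) or ('inbox', '')."""
    if sender_domain(msg["from"]) in BLOCKED_DOMAINS:
        return ("junk", "blocked sender domain")
    s = keyword_score(msg)
    if s >= JUNK_THRESHOLD:
        return ("junk", f"keyword score {s}")
    return ("inbox", "")

SAMPLE = [  # constructed messages
    {"from": "deals@bulkmail.example", "subject": "Your cruise awaits",
     "body": "Act now to claim it."},
    {"from": "pat@example.org", "subject": "Office pool winner",   # a colleague
     "body": "You are the winner, free pizza on Friday!"},
    {"from": "hr@example.org", "subject": "Meeting moved",
     "body": "The 10am meeting is now at 11."},
]

def run(messages=SAMPLE):
    return [classify(m) for m in messages]
```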
Protection: spam
Avoid spam – once your email address is a spam target, there is no eliminating it.
Avoid posting your address on web pages.
Use throw-away email addresses (IE. Yahoo, Hotmail, Google) when using unknown or very public sites (IE. Ebay, MySpace…).
You have to look through your Junk email occasionally to find mis-labeled email!
The more “public” your email address, the less you can filter without false positives.
69
Protection: spam
Jim’s thoughts
Outlook 2007 not bad
Andrew likes new
Thunderbird
Several clients like Inboxer
Several clients like Norton
AntiSpam
Several clients like their
ISP’s filtering but user must
check junk on web site
Dial up: ISP filtering
70
Protection: Operating System
updates
Most updates are security patches, not functionality enhancements!
I do not recommend using driver updates through Windows Updates!
Get operating system updates only through Windows Updates!
71
Protection: Application updates
Browsers, email applications, instant
messaging applications, etc. all need security
patches!
72
Protection: Application updates
Application             Source of updates
AOL IM                  www.aim.com
Internet Explorer       Windows Updates
Microsoft Messenger     Windows Updates
Mozilla Firefox         www.mozilla.com (Help)
Opera                   www.opera.com (?)
Outlook Express         Windows Updates
Thunderbird email       www.mozilla.com (Help)
Windows Mail (Vista)    Windows Updates
Yahoo IM                www.yahoo.com
73
Vulnerability: Internet
World
Wide Web
74
Vulnerability: WWW
75
Vulnerability: Email
76
Vulnerability: Instant messaging
77
Vulnerability: Gaming
78
Vulnerability: Streaming
79
Vulnerability: P2P
80
Layers: onions, ogres & protection
Layer                        Broadband      Dial up
Hardware firewall            Necessary      n/a
Software firewall            Maybe          Maybe
Virus protection             Necessary      Necessary
Spyware protection           Necessary      Necessary
Spam filtering               Recommended    Recommended
Operating system patches     Necessary      Necessary
Browser/email/IM/… patches   Necessary      Necessary
81
Protection purchasing
Best of breed applications
Best possible protection
Probably less bloat
Security suite
Probably play together better
Better pricing
Common interface
82
Protection purchasing: suites
Jim’s picks
Norton Internet Security
Norton 360
PC Magazine Editor’s
Choice
Norton 360
ZoneAlarm Internet
Security Suite 7
PC World
Norton Internet Security
McAfee Internet Security
Suite
83
Selecting protection
Do
Read reviews from professional, neutral sources
Make sure you can understand your subscription’s status
Realize you generally get what you pay for
Realize that bundled apps are often 30 or 90 day trials and often not installed
Don’t
Use advertising or blogs as your main source of information
Use reviews from nontechnical sources
Run two software firewalls, two anti-virus or two active antispyware apps
84
Protection: Educate your users
Do not open attachments from anyone you don’t know.
Suspicious attachments from any known email address
may be threats that spoof senders.
Security measures are for their benefit, don’t subvert
them.
Don’t run ActiveX or Java from untrusted or unknown
websites.
Never click on suspicious ads or popups. Always click
the Windows Close X when you can.
Any connection can bring in threats…
Home computers logging in for remote work.
Office laptops connected in public Wi-Fi hotspots.
Removable storage.
85
Protection: Educate your users
It is much easier to protect yourself than to
get clean after an infection.
Internet Explorer is the only web browser
that uses Microsoft’s ActiveX tools. ActiveX is
a security nightmare. Avoid the problem, use
a different browser.
Jim’s pick: Mozilla Firefox
86
Protection: Educate your users
Fake Windows Updates
87
88
Procedure at C3
Interview client. Possibly start system as is to see
symptoms.
Remove hard drive and connect to C3 testing
systems.
Prevents threats from going active
Improves accuracy of scans for stealth, polymorphic
and rootkits
Virus scan (Symantec Antivirus Corporate Edition)
Spyware scan (Webroot Spysweeper)
Hard drive test (Scandisk or Norton Disk Doctor)
89
Procedure at C3
Clean temp files
Windows\Temp
Windows\Temporary Internet Files
User\Temp
User\Temporary Internet Files
Possibly other locations
Research infections
Return hard drive to client’s system
90
Procedure at C3
Probable: Safe mode startup and disable
Windows System Restore
Manual cleaning as needed while
“disconnected”
All Windows Updates
Probable: installation of appropriate security
package
All Updates
Full system scan
91
Procedure at C3
Total time: 2 to 8 hours
Total technician time: 1 to 4 hours
92
What can you do?
Know that Windows cannot diagnose most
problems.
Know that repairing Windows requires a
clean computer.
Know when to say “Uncle!” based on your
skill level.
Know when to say “Uncle!” if a computer
cannot be recovered and must be wiped.
Backup, Backup, Backup.
93
94
Non-operating Windows
Boot from the appropriate Windows CD and attempt a repair installation
Must match system
Version
Home vs. Professional
Upgrade vs. Retail vs. OEM
Danger
Infections may corrupt system further.
You may get “running” until the threat kicks in again and repeats its damage.
Pros
Desperation – you’re doing something
95
Non-starting Windows
Safe mode
Press F8 (or hold Ctrl) prior to Windows splash screen
Scan
Manual updates?
Virus scanner
Spyware scanner
Document, research, follow necessary instructions
Limit startups
Most threats are inactive in safe mode.
You may be able to download scanner updates manually on another computer and install them.
Warning: more threats successfully hide themselves in safe mode.
96
Safe mode
F8 during startup
Most drivers and
network not running
Often, you must log
on as administrator
97
Manual virus definition update
Highly dependent on
application
manufacturer
Expired subscription
may not allow use of
manual update
98
Limit startups
Start
Run
Msconfig
Services and Startup
tabs
Turn off anything
that you don’t
recognize, especially
“random” names.
Google names.
Restart
99
Operating Windows
Backup
Document!
Virus scan
Update installed app
Online scanner
Install new app
Spyware scan or 2
Update installed app
Online scanner
Install new app
Research infections
Manual attack and
tools
Follow instructions!
Take your time!
All Windows Updates
Install appropriate
security
All updates
Scan
Scan your backup
100
Update virus scanner
Particular to
application
Many threats will
attempt to subvert
connection
Subscription must
be active.
101
Online scanners (virus & spyware)
Symantec: www.symantec.com/home_homeoffice/security_response/index.jsp
Webroot SpySweeper: www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A
Trend Micro: housecall.trendmicro.com/
102
I want a real antivirus – now!
Many vendors have demo downloads. IE. Symantec offers a 15 day Norton Antivirus trial that can be activated later by purchasing a license or package.
Delete – don’t quarantine. When macro viruses were the rage, quarantining was a method to recover infected documents.
103
My antivirus isn’t playing!
Try updating.
Attempt a repair installation.
If you bought your security online, via
download – copy it to CD for semi-permanent
archival!
Realize all security applications “get old.”
Uninstall and reinstall.
Need RAM?
104
Research infections
Symantec Threat Explorer: www.symantec.com/home_homeoffice/security_response/threatexplorer/index.jsp
www.google.com
Scumware: http://scumware.com/
105
Disable System Restore
Right+click My
Computer
Properties
System Restore tab
Check “Turn off
System Restore”
OK
106
Registry Editor
Start
Run
Regedit
OK
Procedure
Backup!
Navigate
Nuking the bad
guys
107
Removal tools
CWShredder www.cwshredder.net
Major Geeks
www.majorgeeks.com/downloads16.html
108
System cleaning
Eliminate temporary
files
Start
All Programs
Accessories
System Tools
Disk Cleanup
109
System cleaning
Defragment your
hard drive
Start
All Programs
Accessories
System Tools
Disk
Defragmenter
110
System cleanup
Internet Explorer
automatically clearing
cache
Internet Explorer
Tools
Internet Options…
Advanced tab
Security section
Check “Empty
Temporary Internet
Files when browser is
closed”
111
Know when…
You’re…
Over your head
Wasting your time
Your…
Last backup was made
System and application CDs are
Windows is toast
112
Worthwhile freebies
Virus scanners
AVG – www.grisoft.com
Avast - www.avast.com
Spyware scanners
Spybot Search and Destroy www.safer-networking.org/en/index.html
Discovery tools
Hijack This www.merijn.org
113
Web privacy
114
Web privacy
Google is not the problem. Google is just one
way to find this kind of data.
Blocking this data on Google will not block
other search engines.
All of this is in the phone book and then I can
go to any mapping application.
115
Email Hijack
From: xxxxx xxxxxxxxx xxxxxx@xxxxxxx.xxx
Sent: Monday, June 11, 2007 10:45 AM
To: James D. Crowley
Subject: SPAM
Good Morning Jim:
I wanted to report a SPAM issue to you. This morning xxxxx received an email to her
xxxxxx account. The email was sent by her from an outside account. It was an email that
she sent to someone 6 months ago. Also on the email were individuals CCd who should
not have received that email. Basically what is occurring is someone is accessing her
email account and is sending herself and others mail that should not be going out. Is
it possible that some type of hacker is doing this? She is also receiving SPAM from
xxxxxxx’s email account and xxxxxx’x account. I am receiving SPAM from myself, and
cannot block it because it’s from my account. The frequency of this is increasing. What
can we be doing to prevent the SPAM and can someone access confidential information
that is being sent via email and send it to people in our contact list?
Xxxxx xxxxx
Administrative Assistant
Xxxxxxxxx Coordinator
Xxxxxxxx xxxxxxx xxxxx xxxxxxxx, Inc.
116
Email Hijack
Not hijacked – spoofed!
Realize there are four primary locations where your email can be hijacked or spoofed like Anita’s was.
Your computer or server
Your email server
The recipient’s email host
The recipient’s computer or server
117
Email Spoofing application
It peruses my email and randomly grabs xyz’s
message
Makes a copy
Probably alters the message somewhat
Attaches the virus or whatever its “payload” is
Reuses all original email addresses in the To, CC
and BCC
Maybe adds some more addresses
Maybe randomly generates more email addresses
And starts sending itself out
XYZ may get a copy of her message back…
118
Urban myths
119
www.av-test.org
www.icsalab.com
www.virusbtn.com
120
www.pcmag.com
http://www.pcmag.com/category2/0,1874,4829,00.asp
www.pcworld.com
http://www.pcworld.com/tc/spyware/
121
www.geeksonwheels.com
www.pcmag.com/encyclopedia/
www.snopes.com
www.sunbelt-software.com
http://www.netvalley.com/archives/mirrors/robert_cailliau_speech.htm
www.webroot.com
www.wikipedia.org
122