Combating Stealth Malware and Botnets in Higher Education. Fred Archibald, Electrical Engineering and Computer Sciences, University of California Berkeley. Educause, Arlington, 2008. Slide transcript (33 slides).

  • Slide 1: Combating Stealth Malware and Botnets in Higher Education
    • Educause, Arlington, 2008
    • Fred Archibald, University of California Berkeley, Electrical Engineering and Computer Sciences
  • Slide 2: Overview
    • EECS Network Background
    • Security Concerns
    • Existing Protections
    • FireEye Deployment
    • Infection Examples
    • Futures and Challenges
  • Slide 3: EECS Network Background
    • EECS is a large department
    • Serves more than 4000 undergrads, 500 grad students, 100 faculty, 200 staff
    • Network largely separate from the rest of UCB
  • Slide 4: Security Concerns
    • Security is a constant issue
    • Berkeley is often a target
    • Security is now an arms race
    • Hackers have moved from notoriety to crime
    • More concern about compliance
  • Slide 5: Security Concerns
    • Mobile devices are a big concern
    • Boom in WiFi
    • Over-the-air traffic often insecure
    • Less enterprise control over user-owned devices
    • EECS uses internal and external WLANs
    • Zero-day concerns
  • Slide 6: Existing Protections
    • Enterprise firewall: less effective in an open academic net
    • A/V: a struggle to keep up to date
    • IDS: a lot of false positives
    • Host-based firewalls
    • Anti-spam appliances
  • Slide 7: FireEye Deployment
    • Targeted primarily at wireless traffic
    • Out-of-band solution, very important for EECS
    • Completely clientless, also very important
    • Wireless data mirrored to two appliances
  • Slide 8: FireEye Deployment
    • Appliances run traffic against virtual victim clients
    • Positive infection can result in alerts or blocks
    • Dynamic updates from Botwall network
  • Slide 9: (image only, no text captured)
  • Slide 10: Infection Examples
    • Spam Bots
  • Slide 11: Clients Receive Malware
    • Rustock
  • Slides 12 to 15: (images only, no text captured)
  • Slide 16: Rustock (source: Ken Chiang, Levi Lloyd, Sandia National Lab)
    • Spam mail bot
    • Installs a rootkit
    • Installs a SPAM module
    • Uses encryption
    • Can install any arbitrary code
    • Flexible & easy to update
  • Slide 17: Botted Clients Send Spam
  • Slides 18 and 19: (images only, no text captured)
  • Slide 20: Trojan.farfli
  • Slide 21: (image only, no text captured)
  • Slide 22: (Excerpt from Symantec)
    • Discovered: July 29, 2007
    • Updated: July 29, 2007 8:51:54 AM
    • Also Known As: TROJ_FARFLI.EY [Trend]
    • Type: Trojan
    • Infection Length: Varies
    • Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
    • "It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry. If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name:"
  • Slide 23: Botnet IRC Channel Join
    • Trojan-Downloader.QQHelper
  • Slide 24: (image only, no text captured)
  • Slide 25: User or Malware Connects to: http://www.yahoo550.com/image/logo.jpg?queryid=21 kXXXXj412
    • User connects to the site with a specific query id
    • The site sent the browser a file called logo.jpg
    • Really a UPX-packed malware executable
    • The browser installed the exe
    • Begin the bot communication on IRC
  • Slide 26: Botnet_W32/Small.HSG
  • Slides 27 and 28: (images only, no text captured)
  • Slide 29: Botnet_W32/Small.HSG
    • Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL.
    • Normally arrives as a dropped file by other malware or is downloaded unsuspectingly by the user from a malicious website.
    • Once running on the system, this trojan will download a file from the following website: http://ymq.a2000150.wrs.mcboo.com/[Removed]
    • The downloaded file will then be stored as: %Windows%\17PHolmes2000150.exe
  • Slide 30: Futures and Challenges
    • Move appliances to network edge
    • Capture both wireless and wired traffic
    • Mirroring or SPAN difficulties
    • Use Gigamon data access switch
    • Explore OSPF null routing to block traffic to botnets
    • More mobile platforms
  • Slide 31: Summary
    • Our existing protections are no longer adequate
    • Botnet traffic was previously difficult to detect
    • Botnet detection gives us a new weapon to battle stealth malware
  • Slide 32: Questions?
  • Slide 33: (no text captured)