TRANSCRIPT
Beyond Virus, Trojan and Worm - New Threats and Appropriate Responses
David Perry, Director of Virus Education, Trend Micro Inc.
RUNNING HEADER, 14 PT., ALL CAPS, Line Spacing=1 line
What is a computer virus…?
The original computer virus was not located on a PC.
It was not on an Apple.
It was not on a mini or mainframe.
It was not located on computer hardware or software of any kind.
What is a computer virus…?
It was in a work of fiction!
Fred Cohen, PhD, first theorized viruses.
Robert Morris wrote the Internet worm in 1988.
Trojan Horse programs come from the Odyssey!
What is a computer virus…?
Today, viruses are only one type of a whole menagerie of computer ills that are collectively known as malware.
From spam to spyware, Trend Micro detects, prevents and protects against all kinds of content security ills.
With notes on antivirus technology
(Timeline figure spanning the MS-DOS, Win 3.x, Win 9x and Win 2k eras. Antivirus technologies shown, in the order they appear on the slide: broadband and wireless/PDA detection; mail server and gateway/proxy scanning; advanced encryption and polymorphic scanning; heuristic detection and file-server-based scanning; emulation and decryption; simple string scanning and integrity checking.)
Virus du Jour
(Timeline figure, from virus prehistory (Elk Cloner, etc.) to today: boot sector virus, file infector, macro virus, email worm, blended threat.)
Zero day attack brought by network virus is coming?
(Figure: network viruses on the Internet: Nimda, CodeRed, SQLP, MSBlast, Nachi, Sasser.)
Days required for viruses to appear after the vulnerability was announced:

  Worm      Bulletin   Bulletin date   Worm date    Days
  NIMDA     MS00-078   10/17/2000      9/18/2001    336 D
  SQLP      MS02-039   7/24/2002       1/25/2003    185 D
  MSBLAST   MS03-026   7/16/2003       8/11/2003    26 D
  SASSER    MS04-011   4/13/2004       5/1/2004     17 D

Current solutions (VA, IDS, VPN, firewall, AV) cannot stop network viruses.
ADWARE, SPYWARE, UPWARE, DOWNWARE, MEWARE, YOUWARE
HOW MANY VIRUSES????
122,000? 2,000? 260?
HOW MANY VIRUSES????
122,000! — all viruses ever discovered, including zoo samples (never infected anyone).
2,000! — viruses discovered or reported in the wild (actually infecting computer systems).
260! — mean number of viruses in circulation in any given month.
5! — number of viruses active on any single day.
HOW MANY VIRUSES????
WHY AM I TELLING YOU THIS?
It has taken fifteen years for there to have ever been 1,100 in-the-wild (ITW) viruses.
In a little less than two years, there are more than TWENTY THOUSAND spyware programs.
That is the difference that profit motivation makes.
Can you spot the WildList founders in the photo?
WildList Data
Spyware-Adware Detection
What is Spyware? A software application that monitors a user's computing habits and personal information, and sends this information to third parties without the user's authorization or knowledge. It takes the form of key loggers, event loggers, cookies, screen captures, or a combination of these.
What is Adware? A software application that displays advertising banners while the program is running.
Gray area: some users view them as useful tools or utilities, while others view them as malicious applications that should be detected. Some companies that make adware have attempted to sue AV companies that categorize their software as spyware or a virus.
Malware vs. Adware = Gray Area

                                       Malware                     Grey area (some adware and spyware)
  Origin                               Virus writers and hackers   Legitimate software/application vendors
  Considered malicious?                Always                      Not always; user-dependent
  Potential legal issues detecting it? No                          Maybe in some cases
  Default detection                    Always on                   Turned off by default; the user must turn the feature on themselves
Anti-spyware Capability of Trend Micro IWSS
- Detects and blocks malicious/illicit spyware via the standard virus pattern file
- Can be set by the administrator to block legitimate but unwanted spyware, adware, remote access tools, hacking tools and more, via a separate spyware pattern file
- The anti-phishing feature can also block communication to spyware-related URLs
SPAM and Phishing
This Is Nigeria.
Sir,
First, I must solicit your strictest confidence in
this transaction, this is by virtue of its nature as
being utterly confidential and top secret as you were
introduced to us in confidence through the Nigerian
Chamber of Commerce, foreign trade division.
We are top officials from the Federal Ministry of
Works and Housing (FMW&H), Federal Ministry of Finance
and the Presidency, making up the Contract Review
Panel (CRP) set up by the Federal Government of
Nigeria to review contracts awarded by the past
military administrations.
Why Is It Called SPAM?
How Can We Eliminate SPAM 100%?
Switch to another medium of communications?
Trend Micro SPS (Spam Prevention Service)
(Architecture figure: sending mail servers → Trend Micro gateway product, with the Postini anti-spam engine (message parser and decoder, content analysis, header analysis) → internal mail server → end user machines. Rule weighting file and engine downloads feed the engine; admin tools and integration APIs sit alongside.)
- Anti-spam heuristic application acts on messages in real time as they flow through the system
- MIME parts, including message content, are exposed to spam detection routines
- Message Parser scores each message based on statistical analysis and filter configuration and writes the score into the message header
- MTA sorts messages based on spam score and routes them based on organizational policy
Phishing is more than just SPAM
PHISHING is a CRIME!
Phishing combines an ordinary spam confidence job with a technological 'back end' that can harvest passwords, credit card numbers, account numbers and more!
By using the actual logos, typefaces and 'spoofed' return addresses of the actual agencies, users are misled into divulging important information.
- Phishing is SPAM: it arrives as mass email.
- Phishing is a Trojan Horse: it defrauds the victim.
- Phishing is spoofed, like spam and viruses.
- Phishing is not a virus; it is a bona fide crime!
How can we guard against phishing, in the enterprise network and at home…
Anti-phishing Capability
- Blocks outbound transmission to malicious URLs: phishing-related sites, malicious code distribution sites, spyware sites
- Helps protect against identity theft and theft of confidential company data
- Complements the more traditional inbound detection of phishing-related spam in Trend's Spam Prevention Solution: lenient sensitivity settings, or tag/deliver and quarantine rules, may still allow suspected phishing messages to reach the end user
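As an added illustration (not Trend Micro's code), here is a miniature version of the scoring pipeline the SPS slides describe together with the caveat just above: header and content analysis fire weighted rules, the score is written into a message header, and a routing policy decides deliver, tag or quarantine; a lenient policy lets the same phishing mail through to the user tagged rather than quarantined. The rule names, weights, thresholds and the sample message are all constructed for this example.

```python
import email
import re
from email import policy

# Constructed rule weights, standing in for the deck's "rule weighting file".
RULE_WEIGHTS = {
    "no_message_id": 2.0,       # header analysis: real MTAs add a Message-ID
    "html_only": 1.0,           # content analysis: no text/plain part at all
    "credential_request": 3.0,  # content analysis: asks to verify account/password
    "lookalike_link": 4.0,      # content analysis: visible domain != href host
}
# Constructed organizational policies: the MTA routes by score thresholds.
STRICT_POLICY, LENIENT_POLICY = {"quarantine": 6.0, "tag": 3.0}, {"quarantine": 12.0, "tag": 8.0}
LINK_RE = re.compile(r'href="https?://([^/"]+)[^"]*"[^>]*>\s*(?:https?://)?([\w.-]+)', re.I)

def analyse(msg):
    # Header and content analysis: return the names of the rules that fire.
    hits = []
    if not msg.get("Message-ID"):
        hits.append("no_message_id")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        hits.append("html_only")
    if re.search(r"(verify|confirm)\b.{0,40}\b(account|password)", text, re.I | re.S):
        hits.append("credential_request")
    for host, shown in LINK_RE.findall(text):  # visible domain vs. real destination
        bare = shown.lower()[4:] if shown.lower().startswith("www.") else shown.lower()
        if "." in bare and not host.lower().endswith(bare):
            hits.append("lookalike_link")
    return hits

def score_message(raw):
    # Parse the MIME message, score it, and write the score into a header.
    msg = email.message_from_string(raw, policy=policy.default)
    hits = analyse(msg)
    score = sum(RULE_WEIGHTS[h] for h in hits)
    msg["X-Spam-Score"] = f"{score:.1f} ({','.join(hits) or 'none'})"
    return msg, score

def route(score, pol=STRICT_POLICY):
    # MTA decision: quarantine, tag-and-deliver, or deliver untouched.
    if score >= pol["quarantine"]:
        return "quarantine"
    return "tag" if score >= pol["tag"] else "deliver"

# Constructed sample: HTML-only, no Message-ID, asks for a password, and the
# link text shows a bank domain that the href does not actually go to.
PHISH = """From: "Example Bank" <security@examplebank.com>
To: victim@corp.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please verify your account password now: <a href="http://secure-login.example-bank.invalid/login">www.examplebank.com</a></p>
"""
```

With the strict policy the sample scores 10.0 and is quarantined; with the lenient one it is only tagged and delivered.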
New Threats
New threats coming...
- Cell phone viruses
- Threats against Windows embedded devices like POS terminals, ATMs and more…
Any network-enabled device is facing threats of malware.
Windows ATMs raise security issues in XPe platform
Antivirus for Windows embedded devices
◆ MVP Appliance will protect Windows embedded devices from network viruses. It will reside outside of these devices as a separate box.
◆ MVP Appliance will monitor packets and detect/eliminate network viruses before they get to these devices. Once it detects network-virus-infected packets, it will block them to avoid a virus outbreak.
(Figure: MVP Appliance passes clean packets on to POS, ATM, kiosk terminal and MFP devices.)
Trend Micro EPS
SERVICE BASED AV
Our Approach
Enterprise Protection Strategy: Proactive Outbreak Lifecycle Management
(Lifecycle figure, read left to right:)
- Vulnerability Prevention: vulnerability discovered → vulnerability isolation, security policy enforcement (Trend Micro Vulnerability Assessment)
- Outbreak Prevention: malicious code attack → network outbreak monitoring and prevention
- Virus Response: network virus detection
- Assessment and Restoration: malicious code eliminated → infection locator, automated cleanup
(Layers in the figure:)
- Network layer and application layer: Trend Micro antivirus and content security products
- Outbreak management: Outbreak Prevention Services, Virus Response Services, Damage Cleanup Services, Centralized Outbreak Management
Centralized Management = LIFECYCLE management, deployment, and reporting
Business Unit
TrendLabs - 400 researchers and growing!