Securing Against Malware
Nick Hall and Fred Baumhardt, Security Technology Architects, Microsoft EMEA
Transcript of a 28-page slide deck; posted 29-Jan-2016

Page 1: Securing Against Malware Nick Hall and Fred Baumhardt Security Technology Architects Microsoft EMEA

Securing Against Malware

Nick Hall and Fred Baumhardt

Security Technology Architects

Microsoft EMEA

Page 2: Agenda

History of Viruses
Current Threats
Future…?
What is Microsoft Doing?

Page 3: The Attackers

[Chart: attacker types positioned by motive and skill level]

Attacker types: Thief, Spy, Author, Trespasser, Vandal
Motives: National Interest, Personal Gain, Personal Fame, Curiosity
Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist
Chart annotations: Largest Area By $$ Lost; Fastest Growing Segment; Largest Segment By $$ Spent On Defense; Largest Area By Volume

Page 4: (screenshot, no text)

Page 5: Phishing

Page 6: (screenshot, no text)

Page 7: (screenshot, no text)

Page 8: …this is actually the legitimate site you are returned to.

Page 9: Virus Information

Viruses: speed is dependent on the vector

File viruses took months to years to spread widely
Macro viruses took weeks to months
Mass mailers took days
Code Red took about 12 hours
Klez went around the world in 2.5 hours
SQL Slammer affected the world in about 10 minutes

Source: ICSA Virus Prevalence Survey 2003

"Just how fast is instant messaging?"

Page 10: Viruses Over IM

"We advise customers to contact their anti-virus software provider and obtain the latest signatures for the virus, which should now be available."

W32/Kelvir – slowed down a network by putting additional traffic on it; it did not create backdoors, install keyloggers, or steal money from brokerage accounts. BUT THE NEXT ONE MIGHT !!!!

"You're 10 times more likely to click on a URL that comes from someone on your buddy list than something that comes in over email"

Page 11: Spyware

www.ISpyNow.com
www.keykatcher.com

Page 12: Spies per Consumer PC (Oct to Dec 2005)

Country     Spies per PC
UK          21.6
Norway      20.3
Sweden      19.1
Lithuania   17.2
Slovenia    15.7

Source: BBC website

Page 13: Worm Malware Theory

Worms are anonymous – they don't carry your password database…
Pathogens break protocol rules – you wrote a buffer for 72 characters; the attacker sent you 182
Worms send clients something they didn't ask for

Authenticate traffic – stops foreign infection
Enforce protocol rules at the network device – things that break are dropped
Don't process traffic that you didn't ask for; understand protocols and know what to expect
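The three defensive rules on this slide, worked through as an added example that is not from the presentation or from any Microsoft product: a small filter for a hypothetical line-based request protocol that drops requests whose fields exceed their declared size (the slide's 72-character buffer receiving 182), refuses responses that no request solicited, and checks an authentication tag on responses before trusting them. The protocol format, the 256-byte line limit, the shared key and every message are constructed for the example; only the 72/182 figures come from the slide.

```python
"""Protocol-rule enforcement at a filtering point (constructed example).

Rule 1: fields that break the declared limits are dropped.
Rule 2: responses nobody asked for are not processed.
Rule 3: traffic is authenticated before it is trusted.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

MAX_LINE = 256                         # assumed bound for one request line
MAX_NAME = 72                          # the slide's "buffer for 72 characters"
ALLOWED_VERBS = {"GET", "PUT"}         # hypothetical protocol verbs
SHARED_KEY = b"example-pre-shared-key"  # constructed for the example only


@dataclass
class Verdict:
    accepted: bool
    reason: str


@dataclass
class FilterState:
    pending: set = field(default_factory=set)    # names of requests we sent
    dropped: list = field(default_factory=list)  # audit trail of rejections


def inspect_request(line: bytes) -> Verdict:
    """Rule 1: a request that violates the declared format is dropped."""
    if len(line) > MAX_LINE:
        return Verdict(False, f"line too long ({len(line)} > {MAX_LINE})")
    if not line.endswith(b"\n"):
        return Verdict(False, "missing terminator")
    try:
        text = line[:-1].decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes")
    if any(ord(c) < 0x20 for c in text):
        return Verdict(False, "control characters")
    parts = text.split(" ", 2)            # VERB <name> [payload]
    if len(parts) < 2 or not parts[1]:
        return Verdict(False, "malformed request")
    verb, name = parts[0], parts[1]
    if verb not in ALLOWED_VERBS:
        return Verdict(False, f"unknown verb {verb!r}")
    if len(name) > MAX_NAME:
        return Verdict(False, f"name field {len(name)} > {MAX_NAME}")
    return Verdict(True, "ok")


def tag_for(name: str, body: bytes) -> str:
    """HMAC over a response, proving the sender holds the shared key."""
    msg = name.encode("ascii") + b"\0" + body
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def send_request(state: FilterState, name: str) -> None:
    """Record an outbound request so that its response is expected."""
    state.pending.add(name)


def inspect_response(state: FilterState, name: str, body: bytes, tag: str) -> Verdict:
    """Rules 2 and 3: only authenticated responses to our own requests pass."""
    if name not in state.pending:
        return Verdict(False, f"unsolicited response for {name!r}")
    if not hmac.compare_digest(tag, tag_for(name, body)):
        return Verdict(False, f"bad authentication tag for {name!r}")
    state.pending.discard(name)
    return Verdict(True, "ok")


def run_filter(state: FilterState, events: list) -> list:
    """Apply the rules to a sequence of events, recording every drop."""
    verdicts = []
    for kind, *args in events:
        if kind == "send":
            send_request(state, *args)
            continue
        v = inspect_request(*args) if kind == "request" else inspect_response(state, *args)
        if not v.accepted:
            state.dropped.append((kind, v.reason))
        verdicts.append(v)
    return verdicts


# Constructed traffic: a clean request, a 182-byte name squeezed into a
# 72-character field, an unknown verb, a legitimate response, an unsolicited
# response with a valid tag, and a solicited response with a forged tag.
SAMPLE_EVENTS = [
    ("request", b"GET index.html hello\n"),
    ("request", b"GET " + b"A" * 182 + b" payload\n"),
    ("request", b"EXEC cmd.exe\n"),
    ("send", "report.txt"),
    ("response", "report.txt", b"quarterly figures", tag_for("report.txt", b"quarterly figures")),
    ("response", "update.bin", b"binary blob", tag_for("update.bin", b"binary blob")),
    ("send", "policy.cfg"),
    ("response", "policy.cfg", b"allow all", "0" * 64),
]


def demo() -> FilterState:
    state = FilterState()
    run_filter(state, SAMPLE_EVENTS)
    return state


if __name__ == "__main__":
    for kind, reason in demo().dropped:
        print(f"dropped {kind}: {reason}")
```

The ordering inside inspect_response matters: the correlation check runs before the tag check, so even a correctly tagged message is dropped when nothing asked for it, and a failed tag leaves the request pending rather than silently consuming it. The dropped list is the detection output a network device would forward to monitoring.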

Page 14: Future…?

Creation of a superbug (usually worm-propagating)?
Vector is changing, e.g. music, video
The attackers themselves are changing
"New World" virus writers
New threats like "Spear Phishing"

Page 15: SPAM

Is it malware?
Nuisance or pain?
Same mindset as AV?
4 million mails generate 4 responses, with 1 person buying (well, in the US anyway!)
Going away…? You decide

Page 16: (no text)

Page 17: What is Microsoft Doing?

Individual users | Businesses

Page 18:

Windows Services Hardening
Windows Firewall with advanced security
Reduced administrative privileges
User Account Protection
Internet Explorer 7 with Protected Mode
Secure Start-up
Integrated Anti-Malware
Control over removable device installation
Restart Manager to reduce reboots
Security Center enhancements
ActiveX Opt-in puts users in control
Phishing Filter

Page 19: Windows OneCare

Design Principles    Product Features
Simple and Easy      Protection Plus
Comprehensive        Performance Plus
Automated            Backup & Restore
Evolving             Help and Support

"Windows OneCare is the comprehensive PC health service for consumers that continuously and automatically manages vital computer tasks to help protect and maintain your PC"

Page 20: (no text)

Page 21: Provides businesses the control they need to protect against current and emerging malware threats

Prioritizes data to help focus resources on the right issues
Maximizes the value of existing investments
Guards against current and emerging malware threats

Page 22: Antigen

[Diagram: Antigen deployed in front of each server role]

Servers: Live Communications Server, SharePoint Server, Exchange Servers, ISA Server, Windows SMTP Server
Threats: Viruses, Worms
Channels: IM and Documents, E-mail

Page 23: ISA Server

[Diagram: two ISA Server feature stacks]

Stack 1: caching; content filtering; application publishing; advanced application layer firewall
Stack 2: caching; content filtering; application publishing; advanced application layer firewall / VPN

Page 24: Exchange (E12)

Transport and CAS/UM are rewritten in managed code
Encryption of all links among E12 servers by default if encryption can be supported
E-mails between two E12 organizations can be encrypted over the Internet without end-user S/MIME
SMTP gateway throttling
Much enhanced anti-spam protection in addition to Exchange 2003 IMF

Page 25: Microsoft Exchange Hosted Services

Real-time threat prevention features
  Multi-layer anti-spam and anti-virus
  Customized content and policy enforcement

E-mail retention for help with compliance and e-discovery
  Customized report generation for help demonstrating compliance
  Fully indexed, searchable archive

Full e-mail encryption
  No public and private key management
  Gateway, policy-based e-mail encryption

Uninterrupted e-mail accessibility
  Rapid recovery from unplanned disasters and network outages
  Thirty-day rolling historical e-mail store

Page 26: Microsoft Client Protection

[Diagram: anti-malware capabilities by product]

For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live
For businesses: Microsoft Client Protection
Capabilities shown: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT infrastructure integration

Page 27: Important Dates

Q2 06
  Exchange Hosted Services
  Antigen V 9.0 for Exchange, SMTP & AEM
  Microsoft Client Protection – Beta
  Antigen for E12 – Beta
  Windows OneCare

Q3 06
  Antigen V 9.0 for IM, SharePoint
  ISA 2006 – RTM

Q4 06
  Microsoft Client Protection
  Antigen for E12
  ISA 2006 – RTM

Q1 07
  Windows Vista
  Antigen for ISA

Page 28:

© 2005-06 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.