Security Threat Review
TRANSCRIPT
Page 2
Agenda
Main topics
• Central threats
• Terminology
• Malware in Action
• Brief history, case examples, functionality
• F-Secure Anti-Virus Research
Page 4
Threats: Viruses, Worms and Other Malware
Malware
• Different kinds of viruses and worms spread extremely rapidly
• First viruses for mobile phones and handheld computers found
Adware and spam are crossing from an annoyance to a threat
Hacking
• Client devices outside the firewall are prone to hacking which may grant access to corporate networks
• Stolen data
• Web is full of tools that enable hacking, spying and eavesdropping
Page 5
Threats: Underground Economy Using the Internet
Cybercrime is on the rise
• Often uses spyware and spam when targeting users
• Credit card fraud, stolen identities, access to confidential information, taking over somebody's computer, using somebody's computer to launch attacks or send spam, etc.
• Also other issues such as distributed denial of service attacks (DDoS) and web page defacements
Page 6
Threats: Everything Is Connected
Reality is heavily connected to the data networks
• Physical networks (electricity, water, transportation) depend on data networks
Many people using computers do not fully understand the technology behind them
• Home users connected to the internet without a personal firewall
• Easy targets for attacks
Page 8
Virus
VIRUS is a computer program that replicates by attaching itself to another object
• Boot sector virus
• Attaches itself to the boot sector of a diskette
• Almost extinct today
• File virus
• Attaches itself to programs
• For example executables
• Macro virus
• Attaches itself to documents
• Spreads effectively through e-mail
Examples: Excel macro virus "Button", file virus "Funlove"
Page 9
Worm
WORM is a computer program that replicates independently by sending itself to other systems
• E-mail worms
• Spreading via e-mail (stealth SMTP relays: the worm typically carries its own SMTP engine rather than using the victim's mail client)
• Network worms
• Very fast spreading
• Network worms connect directly over the network (using the whole TCP/IP protocol suite)
• Bluetooth worms
Page 10
Terminology
REPLICATION MECHANISM is a mandatory part of every virus and worm
• If it doesn't have a replication mechanism, it's by definition not a virus or worm
PAYLOAD is an optional part of the virus/worm. It may do something funny or destructive
Page 11
Other Malware
MALWARE is a common name for all kinds of unwanted software such as viruses, worms, spyware and trojans
TROJAN HORSE (or trojan) is a program with hidden functionality, generally either destructive or manipulative
Page 12
Spyware
SPYWARE is software that aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party
Spyware can get onto a computer the way a virus does or as a side effect of installing a new program
• Technically not viruses, but they pose a threat to Internet users' privacy: some programs come with "spyware attached", others just "call home" without asking.
Page 13
Spyware Types
COOKIE is a mechanism for storing a user’s information on a local drive that websites may access
• PERSONALIZATION COOKIE allows users to customize pages, personalize web experience and remember passwords
• TRACKING COOKIE allows multiple web sites to store and access records that may contain personal information
DRIVE-BY DOWNLOAD is a program which is automatically downloaded to a host without user consent or knowledge
BROWSER HELPER OBJECT (BHO) is a program that runs automatically every time the browser is launched. BHOs can track usage data and collect any information displayed in the browser.
WEB BUG (or web beacon) is a file, usually a transparent picture, placed on a web page or in an e-mail to monitor user behaviour without consent
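The following is an added example, not part of the original slides, showing how two of the indicators above can be spotted programmatically: a cookie is classified as third-party (and a tracking suspect when it is also persistent) by comparing the site that set it with the site being visited, and a web bug is an image fetched from another site that is 1x1 or hidden. The page, URLs and Set-Cookie headers are constructed sample data, and the site_of() helper is a simplification noted in its comment.

```python
"""Added example, not from the original slides: flags two spyware indicators,
third-party tracking cookies and web bugs (tiny or hidden images fetched from
another site). Standard library only; the page and the Set-Cookie headers
below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def site_of(host: str) -> str:
    """Crude registrable-domain: last two labels. Production code should use the
    Public Suffix List, otherwise 'co.uk'-style hosts are grouped wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(page_url: str, response_url: str, set_cookie: str) -> dict:
    """A cookie is third-party when it is set by (or scoped to) a site other than
    the page the user is visiting; third-party plus persistent is the tracking pattern."""
    page_site = site_of(urlparse(page_url).hostname)
    fields = [f.strip() for f in set_cookie.split(";")]
    name = fields[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v
             for k, _, v in (f.partition("=") for f in fields[1:])}
    scope = attrs.get("domain", "").lstrip(".") or urlparse(response_url).hostname
    third_party = site_of(scope) != page_site
    persistent = "expires" in attrs or "max-age" in attrs
    return {"name": name, "scope": scope, "third_party": third_party,
            "persistent": persistent, "tracking_suspect": third_party and persistent}


class BeaconFinder(HTMLParser):
    """Collects <img> tags that are 1x1 / zero-sized or hidden AND come from another site."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_site = site_of(urlparse(page_url).hostname)
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or site_of(host) == self.page_site:
            return  # first-party images (logos, spacers) are not beacons
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.beacons.append(a["src"])


def find_beacons(page_url: str, html: str) -> list:
    finder = BeaconFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.beacons


# --- constructed sample data (not real sites) --------------------------------
PAGE_URL = "https://news.example.com/story"
PAGE_HTML = """<html><body>
<img src="https://news.example.com/logo.png" width="200" height="60">
<img src="https://track.adnet.example/pixel.gif?uid=1234" width="1" height="1">
<img src="https://stats.example.org/b.gif" style="display: none">
<img src="https://news.example.com/spacer.gif" width="1" height="1">
</body></html>"""
RESPONSES = [  # (URL that answered, Set-Cookie header it sent)
    (PAGE_URL, "session=abc; Path=/; HttpOnly"),
    ("https://track.adnet.example/pixel.gif?uid=1234",
     "uid=1234; Domain=.adnet.example; Expires=Wed, 09 Jun 2027 10:18:14 GMT"),
]


def audit(page_url=PAGE_URL, html=PAGE_HTML, responses=RESPONSES) -> dict:
    """Run both checks over one page load and report what a privacy tool would flag."""
    cookies = [classify_cookie(page_url, u, c) for u, c in responses]
    return {"beacons": find_beacons(page_url, html),
            "tracking_cookies": [c["name"] for c in cookies if c["tracking_suspect"]]}


if __name__ == "__main__":
    print(audit())
```

The same-site 1x1 spacer is deliberately left unflagged: size alone is not the signal, a tiny image that reports to a different site is.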
Page 14
Spyware Types
BROWSER HIJACKER is an application that attempts to take control of a user's start page or desktop icons, resetting them to conform with the attacker's wishes
SYSTEM HIJACKER is software that uses the host computer's resources to proliferate itself or uses the system as a resource for other activities
• Acting as a spamming zombie
• Contributing to DDoS attacks
• Trojan payload
KEYLOGGER (or system monitor) is designed to monitor computer activity by capturing virtually everything a user does on the computer, including recording all keystrokes
PREMIUM DIALER (or expensive dialer) creates a dial-up connection (without asking the user) to a high-cost number
Page 16
Brief History of Malware: 1980’s
Personal Computers introduced
• Information exchange on diskettes
• 16 bit operating systems
Internet emerged
• Arpanet (Advanced Research Projects Agency Network) changed its name to Internet in 1987
• Grew out of the first network of computers, which in the beginning connected US military bases and later also universities
• “Security was not an issue in Arpanet, which was a fully classified network” (Vint Cerf, father of TCP/IP)
Central threats
• Illegal physical access to the machines
• Boot sector viruses
• Traditional file viruses
• Direct hacker attacks
Page 17
Brief History of Malware: 1990’s
PC a common tool in all business
areas and Internet use becomes part
of everyday activities
• Faster internet connections and LANs allows file sharing and downloading
• E-mail and Microsoft Office heavily used
• Workforce becomes mobile as fast connections available outside office
New threats
• New malware
• 32-bit file viruses, macro viruses (1995) and email worms (1999)
• 32-bit operating systems and applications bring more security holes
• Internet use enables eavesdropping
• Mobile units vulnerable to attacks
• Laptop thefts
Page 18
Brief History of Malware: Early 00’s
Handheld computers introduced and
mobile phones evolve towards
handheld computers
• Workforce becomes even more mobile
For-profit virus-writing emerges as
spammers start employing malware
New threats:
• Network worms (2001)
• Spam
• Viruses for PDA and mobile phones (2004)
• Spyware
• D-DoS
• Phishing
Page 19
Future Threats
More mobile phone and Bluetooth malware
• Spreading by sending SIS files as MMS messages, text message spamming worms (e.g. Commwarrior)
• Over 40 different types since June 2004
Rootkits (stealth techniques, the modern counterpart of stealth viruses)
Flash worms
• Very fast spreading worm (the whole vulnerable population in less than 30 seconds), implemented by carrying a precomputed list of all likely vulnerable hosts instead of scanning for them
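As an added illustration (not from the slides) of why a flash worm needs no time to find its victims, the toy simulation below compares a random-scanning network worm, as described on the Worm slide, with a hit-list worm over a small assumed address space. All sizes and rates are assumed values, and the model stands for no real worm; it only shows the difference between wasting probes on empty addresses and handing each new victim a slice of a ready-made list.

```python
"""Added example, not from the original slides: a toy simulation contrasting a
random-scanning network worm with a hit-list ("flash") worm that carries a
precomputed list of vulnerable hosts. Address-space size, population and probe
rate are assumed values chosen so the model runs in seconds."""
import random

ADDRESS_SPACE = 1 << 17   # assumed: 131072 addresses stand in for "the network"
VULNERABLE = 1000         # assumed: hosts running the vulnerable service
PROBES_PER_ROUND = 16     # assumed: addresses each infected host scans per round


def make_population(seed: int = 1):
    """Pick the vulnerable hosts; the scanning worm does not know where they are."""
    rng = random.Random(seed)
    return rng.sample(range(ADDRESS_SPACE), VULNERABLE), rng


def simulate_random_scan(vulnerable, rng, probes=PROBES_PER_ROUND, max_rounds=10_000):
    """Classic network worm: every infected host probes random addresses.
    Returns (rounds until the whole vulnerable population is infected, infected)."""
    vulnerable = set(vulnerable)
    infected = {next(iter(vulnerable))}          # patient zero
    rounds = 0
    while len(infected) < len(vulnerable) and rounds < max_rounds:
        rounds += 1
        # Most probes hit nothing: that wasted scanning is what makes the worm
        # slow to take off and noisy enough for network sensors to see.
        hits = vulnerable.intersection(
            rng.randrange(ADDRESS_SPACE) for _ in range(len(infected) * probes))
        infected |= hits
    return rounds, len(infected)


def simulate_hit_list(hit_list, fanout=10):
    """Flash worm: no scanning at all. Each newly infected host infects the first
    `fanout` entries of the list slice it was handed and splits the rest among them,
    so the population is covered in about log_fanout(N) rounds."""
    infected = {hit_list[0]}
    pending = [list(hit_list[1:])]   # slices carried by hosts infected last round
    rounds = 0
    while pending:
        rounds += 1
        next_pending = []
        for sub in pending:
            children, rest = sub[:fanout], sub[fanout:]
            infected.update(children)
            for i in range(len(children)):
                share = rest[i::len(children)]   # deal the remainder out evenly
                if share:
                    next_pending.append(share)
        pending = next_pending
    return rounds, len(infected)


def compare(seed: int = 1) -> dict:
    vulnerable, rng = make_population(seed)
    scan_rounds, scan_infected = simulate_random_scan(vulnerable, rng)
    flash_rounds, flash_infected = simulate_hit_list(vulnerable)
    return {"random_scan_rounds": scan_rounds, "random_scan_infected": scan_infected,
            "hit_list_rounds": flash_rounds, "hit_list_infected": flash_infected}


if __name__ == "__main__":
    print(compare())
```

With these parameters the scanning worm needs well over a hundred rounds, most of them spent before it reaches a handful of hosts, while the hit-list worm finishes in three; the real-world consequence is that signature updates and reactive blocking are too slow for the second kind, which is why the slide lists it as a future threat.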
Page 20
Virus vs. Spyware
Similarities
• Delivered via web sites, downloads and e-mail attachments
• Ability to capture and destroy information
• Ruin the system performance
Differences
• A virus has a replication mechanism and spreads by itself, so it spreads faster; spyware is usually installed by the user
• Virus writers are unknown (and criminal), spyware vendors are known
• Typically the user is made aware of spyware installations (EULA)
• It is not illegal to write and distribute spyware
Page 21
Typical Ways to Get Infected
Virus
• Every time data is transmitted a virus may spread as well
• E-mail attachments account for approx. 80% of cases, but infection may also spread through the web, chat channels, peer-to-peer networks, CD-ROMs, floppies, infrared beaming, Bluetooth, etc.
Worm
• Spread through email or find their way through security holes (vulnerabilities), without user intervention
Spyware
• Normal web browsing and program installations
• Badly configured browser (allowing ActiveX, accepting cookies from 3rd parties)
• Free software (freeware, pirated software, adware)
• Some commonly trusted software comes bundled with spyware
Page 22
Identification
Viruses & worms
• Must have a replication mechanism
Trojans and other malware
• If a payload (the part that does something annoying or destructive) is present, the trojan is removed
Spyware
• Criteria for adding software to the spyware database are based on a point system (TAC)
• The list is public, and complying with these strict rules is important because most spyware is legal software
• Five criteria: Removal, Integration, Distribution, Behaviour, Privacy
• A TAC score of three or higher (out of ten) is required for inclusion in the database
Page 23
Example: Mydoom.A
Malware type: Email worm
First variant: 2004 (in the wild)
Family: Mydoom
Replication mechanism:
• Spreads over email and Kazaa
Payload:
• Installs a backdoor and launches a DDoS attack
Effect:
• The largest email incident in history
• At its worst, close to 10% of all email traffic globally was caused by Mydoom.A
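An added example (not the slides' own material) of the kind of mail-gateway check that addresses the attachment vector above, both Mydoom.A's route and the "approx. 80%" e-mail route from the infection slide: it parses a message, then flags executable attachment types, double extensions and archives that hide an executable. The sample message is constructed and inert, and the extension lists are an assumed policy, not taken from the page.

```python
"""Added example, not from the original slides: a mail-gateway style check for
worm-like attachments. Standard library only; the sample message is
constructed for illustration and carries no real malware."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Assumed policy: types Windows runs directly on double-click. A worm's
# "document" is almost always one of these, often hidden behind a second,
# harmless-looking extension ("document.txt.pif").
EXECUTABLE_EXT = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "lnk"}
DECOY_EXT = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "zip"}


def check_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons an attachment looks worm-like (empty list = nothing found)."""
    reasons = []
    labels = filename.lower().split(".")
    ext = labels[-1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment type .{ext}")
        if len(labels) > 2 and labels[-2] in DECOY_EXT:
            reasons.append(f"double extension, posing as .{labels[-2]}")
    if ext == "zip":
        # Worms also ship the executable inside an archive to slip past filters
        # that only look at the outer file name, so look inside.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                inner = [n for n in zf.namelist()
                         if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT]
            if inner:
                reasons.append(f"archive contains executable(s): {inner}")
        except zipfile.BadZipFile:
            reasons.append("named .zip but not a valid archive")
    return reasons


def scan_raw_message(raw: bytes) -> dict:
    """Gateway entry point: parse an RFC 5322 message and judge its attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue                      # message body, not an attachment
        reasons = check_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_sample_message() -> bytes:
    """Constructed sample shaped like a mass-mailer: fake bounce text plus a
    double-extension executable, an archive hiding a .scr, and one benign file."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    msg.add_attachment(b"inert placeholder, not a program",
                       maintype="application", subtype="octet-stream",
                       filename="document.txt.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.scr", "inert placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    msg.add_attachment("quarterly numbers", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_raw_message(build_sample_message()))
```

A check like this is policy, not detection: it needs no signature for the specific worm, which is why gateways that blocked executable attachment types outright were largely unaffected by this class of outbreak, at the cost of also blocking legitimate programs sent by mail.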
Page 24
Example: CoolWebSearch
Category: Malware
Family: CoolWebSearch
First variant: 2003 (in the wild)
TAC level: 10
Behavior:
• Operates hidden
• Hijacks browser
• Redirects browsing search results
• Installs its own Winsock LSP (Layered Service Provider), which sits in the network stack and sees the browser's traffic
• Tracks users' surfing habits
• JavaScript that guesses at adult pages
Page 25
Other Threats
ROOT KIT is a set of tools used by an intruder to maintain and hide
access to the system and use it for malicious purposes
PHISHING means luring sensitive information (like passwords) from a
victim by masquerading as someone trustworthy with a real need for
such information
SPAM means unsolicited bulk email: something the recipient did not ask for, sent in large volumes
Page 26
Other Threats
CRACKING (also HACKING) is gaining direct access to a target system
• Wide range of methods available (stolen access information, finding open ports, known security holes, etc.)
• Attacks can be divided to external attacks and internal attacks
• The majority of attacks have external sources, but the most successful attacks come from inside the network
D-DOS (aka DISTRIBUTED DENIAL OF SERVICE) means
overloading a service and thus denying legitimate users’ service
Page 28
Fast Reaction Times
Anti-virus and anti-spyware software is only as good as the vendor's capability to provide a cure for new outbreaks
• Spyware updates are not as urgent as anti-virus updates
F-Secure Virus Research Team is on call 24 hours a day responding to new and emerging threats (approx. 10 new viruses found every day)
• Two labs: Helsinki (Finland) and San Jose (USA)
• Virus definitions updated on average 2 times a day
• Automated update methods
Page 29
How Does the Anti-Virus Lab Work?
Incoming samples
• Most come in via e-mail from customers
• 30% come via sample exchange with competitors
• A very small part through honeypots and directly from virus writers
Send samples to
Page 30
Average Response Times for Major Outbreaks During Q1/2004
[Bar chart: response time in hours (0 to 14) per vendor: F-Secure, Trend, McAfee, Symantec. Data source: AV-Test.org]
Page 31
Radar Security News
Anti-Virus Research issues Radar
security news when new threats
emerge
• Protection status for every reported malware
Three alert levels
• Level 1: Worldwide virus epidemic
• Level 2: New virus causing large, localised infections
• Level 3: New virus technique or platform found