SECURITY THREAT REVIEW

Agenda
Main topics
• Central threats
• Terminology
• Malware in Action
• Brief history, case examples, functionality
• F-Secure Anti-Virus Research
Page 2
CENTRAL THREATS
Threats:
Viruses, Worms and Other Malware
Malware
• Different kinds of viruses and worms spread extremely rapidly
• First viruses for mobile phones and handheld computers found
Adware and spam are crossing from an annoyance to a threat
Hacking
• Client devices outside the firewall are prone to hacking which may grant
access to corporate networks
• Stolen data
• Web is full of tools that enable hacking, spying and eavesdropping
Page 4
Threats:
Underground Economy Using Internet
Cybercrime is on the rise
• Often uses spyware and spam when
targeting users
• Credit card frauds, stolen identities,
access to confidential information,
taking over somebody’s computer,
using somebody’s computer to launch
attacks or send spam, etc...
• Also other issues such as distributed denial
of service attacks (DDoS) and web page
defacements
Page 5
Threats:
Everything Is Connected
Reality is heavily connected to the
data networks
• Physical networks (electricity,
water, transportation) depend on
data networks
Many people using computers do
not fully understand the technology
behind
• Home users connected to the
internet without personal firewall
• Easy targets for attacks
Page 6
TERMINOLOGY
Virus
VIRUS is a computer program that replicates
by attaching itself to another object
• Boot sector virus
• Attaches itself to the boot sector of a
diskette
• Almost extinct today
• File virus
• Attaches itself to programs
• For example executables
• Macro virus
• Attaches itself to documents
• Spreads effectively through e-mail
[Slide screenshots: Excel macro virus ”Button”; file virus ”Funlove”]
Page 8
Worm
WORM is a computer program that
replicates independently by
sending itself to other systems
• E-mail worms
• Spreading using e-mail
technology (stealth SMTP
relays)
• Network worms
• Very fast spreading
• Network worms connect
directly over the network (using
the whole TCP/IP protocol suite)
• Bluetooth worms
Page 9
Terminology
REPLICATION MECHANISM is a mandatory
part of every virus and worm
• If it doesn't have a replication mechanism, it’s
by definition not a virus or worm
PAYLOAD is an optional part of the
virus/worm. It may do something funny or
destructive
Page 10
Other Malware
MALWARE is a common name for all kinds of
unwanted software such as viruses, worms,
spyware and trojans
TROJAN HORSE (or trojan) is a program with
hidden functionality, generally either destructive
or manipulative
Page 11
Spyware
SPYWARE is software that aids in gathering information about a person
or organization without their knowledge, and can relay this information
back to an unauthorized third party
Spyware can get in a computer as a software virus or as the result of
installing a new program
• Technically not viruses, but pose a threat to Internet users' privacy – some
programs come with “spyware attached”, others just “call home” without
asking.
Page 12
Spyware Types
COOKIE is a mechanism for storing a user’s information on a local drive that
websites may access
• PERSONALIZATION COOKIE allows users to customize pages, personalize
web experience and remember passwords
• TRACKING COOKIE allows multiple web sites to store and access records
that may contain personal information
BROWSER HELPER OBJECT (BHO) is a program that runs automatically
every time a browser is launched. They can track usage data and collect
any information displayed on the Internet.
DRIVE-BY DOWNLOAD is a program which is automatically downloaded to
a host without user consent or knowledge
WEB BUG (or web beacon) is a file, usually a transparent picture, placed
on a web page or in an e-mail to monitor user behaviour without consent
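The web bug definition above, as an added example (not from the original deck): a heuristic detector that flags remote images in an HTML e-mail which are tiny, hidden by CSS, or carry a query string that can identify the recipient, so a mail client or gateway can block the fetch. The sample message and host names are constructed.

```python
"""Heuristic web-bug (web beacon) detector for HTML e-mail bodies (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True if a width/height attribute is 0 or 1 pixel ('1', '1px', '0')."""
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1

def find_web_bugs(html):
    """Return remote image URLs matching the web-bug pattern: fetched over
    http(s) from a server (the fetch itself reports the open) and either tiny,
    hidden via CSS, or carrying a query string that can encode a recipient id."""
    parser = _ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a tracking server
        tiny = _is_tiny(img.get("width", "")) or _is_tiny(img.get("height", ""))
        style = img.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden or parsed.query:
            bugs.append(src)
    return bugs

# Constructed sample message: one visible logo, two beacons, one inline image.
SAMPLE_EMAIL = """<html><body>
<img src="https://mail.example.test/logo.png" width="200" height="60">
<p>Your monthly statement is ready.</p>
<img src="https://track.example.test/open.gif?uid=ab12cd" width="1" height="1">
<img src="https://track.example.test/p.png" style="display: none">
<img src="cid:inline-chart" width="1" height="1">
</body></html>"""
```

Running `find_web_bugs(SAMPLE_EMAIL)` returns only the two tracking URLs; the logo and the inline `cid:` image pass.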
Page 13
Spyware Types
BROWSER HIJACKER is an application that attempts to take control over a
user's start page or desktop icons, resetting them to conform with the
attacker’s wishes
KEYLOGGER (or system monitor) is designed to monitor computer activity by
capturing virtually everything a user does on the computer, including
recording all keystrokes
SYSTEM HIJACKER is software that uses the host computer's resources to
proliferate itself or use the system as a resource for other activities
• Acting as a spamming zombie
• Contributing to DDoS attacks
• Trojan payload
PREMIUM DIALER (or expensive dialer) creates a dial-up connection
(without asking the user) to a high cost number
Page 14
MALWARE IN ACTION
Brief History of Malware:
1980’s
Personal Computers introduced
Central threats
• Information exchange on diskettes
• Illegal physical access to the machines
• 16 bit operating systems
• Boot sector viruses
• Traditional file viruses
Internet emerged
• Direct hacker attacks
• Arpanet (Advanced Research Projects
Agency Network) changed its name to
Internet in 1987
• Grew out of the first network of
computers, which in the beginning
connected US military bases and later
also universities
• “Security was not an issue in Arpanet,
which was a fully classified network”
(Vint Cerf, father of TCP/IP)
Page 16
Brief History of Malware:
1990’s
PC a common tool in all business
areas and Internet use becomes part
of everyday activities
• Faster internet connections and LANs
allows file sharing and downloading
• E-mail and Microsoft Office heavily
used
• Workforce becomes mobile as fast
connections available outside office
New threats
• New malware
• 32-bit file viruses, macro viruses
(1995) and email worms (1999)
• 32-bit operating systems and
applications bring more security holes
• Internet use enables eavesdropping
• Mobile units vulnerable to attacks
• Laptop thefts
Page 17
Brief History of Malware:
Early 00’s
Handheld computers introduced and
mobile phones evolve towards
handheld computers
• Workforce becomes even more mobile
For-profit virus-writing emerges as
spammers start employing malware
New threats:
• Network worms (2001)
• Spam
• Viruses for PDA and mobile phones
(2004)
• Spyware
• D-DoS
• Phishing
Page 18
Future Threats
More mobile phone and Bluetooth
malware
• Spreading by sending SIS files as MMS
messages, text message spamming
worms (e.g. Commwarrior)
• Over 40 different types since June 2004
Root kits (aka stealth viruses)
Flash worms
• Very fast spreading worm (less than 30
seconds), implemented by including a list
of all likely vulnerable hosts
Page 19
Virus vs. Spyware
Similarities
• Delivered via web sites, downloads and e-mail attachments
• Ability to capture and destroy information
• Ruin the system performance
Differences
• Virus has a replication mechanism and spreads faster, spyware is
usually installed by the user
• Virus writers are unknown (and criminal), spyware vendors are known
• Typically the user is made aware of spyware installations (EULA)
• It is not illegal to write and distribute spyware
Page 20
Typical Ways to Get Infected
Virus
• Every time data is transmitted a
virus may spread as well
• E-mail attachments account for
approx. 80% of the cases, but
infection may also spread through
web, chat channels, peer-to-peer
networks, CD-ROMs, floppies,
infrared beaming, Bluetooth, etc…
Spyware
• Normal web browsing and program
installations
• Badly configured browser
(allowing ActiveX, accepting
cookies from 3rd parties)
• Free software (freeware, pirated
software, adware)
• Some commonly trusted software
comes bundled with spyware
Worm
• Spread through email or find their
way through security holes
(vulnerabilities), without user
intervention
Page 21
Identification
Viruses & worms
• Must have a replication
mechanism
Trojans and other malware
• If a payload, the thing that does
something annoying or destructive,
is present the trojan will be
removed
Spyware
• Criteria to add software to
Spyware database is based on a
point system (TAC)
• This list is public and complying to
these strict rules is important as
most spyware is legal software
• 5 criteria: Removal, Integration,
Distribution, Behaviour, Privacy
• TAC number of three or higher
(out of ten) required to be included
in the database
Page 22
Example: Mydoom.A
Malware type: Email worm
First variant: 2004 (in the wild)
Family: Mydoom
Replication mechanism:
• Spreads over email and Kazaa
Payload:
• Installs a backdoor and launches a DDoS attack
Effect:
• The largest email incident in history
• At its worst, close to 10% of all email traffic globally was caused by
Mydoom.A
Page 23
Example: CoolWebSearch
Category: Malware
Family: CoolWebSearch
First variant: 2003 (in the wild)
TAC level: 10
Behavior:
• Operates hidden
• Hijacks browser
• Redirects browsing search results
• Own LSP implemented
• Tracks users surfing habits
• Javascript which guesses adult
pages
Page 24
Other Threats
ROOT KIT is a set of tools used by an intruder to maintain and hide
access to the system and use it for malicious purposes
PHISHING means luring sensitive information (like passwords) from a
victim by masquerading as someone trustworthy with a real need for
such information
SPAM means unsolicited bulk email, something the recipient did not
ask for and that is sent in large volumes
Page 25
Other Threats
CRACKING (also HACKING) is gaining direct access to a target system
• Wide range of methods available (stolen access information, finding open
ports, known security holes, etc.)
• Attacks can be divided into external attacks and internal attacks
• The majority of attacks have an external source, but the most successful attacks
come from inside the network
D-DOS (aka DISTRIBUTED DENIAL OF SERVICE) means
overloading a service and thus denying service to legitimate users
Page 26
F-SECURE
ANTI-VIRUS RESEARCH
Fast Reaction Times
Anti-virus and anti-spyware software is only as good as the antivirus
company's capability to provide a cure for new virus outbreaks
• Spyware updates are not as urgent as anti-virus updates
F-Secure Virus Research Team is on call 24 hours a day responding to
new and emerging threats (approx. 10 new viruses found every day)
• Two labs: Helsinki (Finland) and San Jose (USA)
• Virus definitions updated on average 2 times a day
• Automated update methods
Page 28
How Does the Anti-Virus Lab Work?
Incoming samples
• Most come in via e-mail from
customers
• 30% come via sample exchange
from competitors
• A very small part through
honeypots and directly from virus
writers
Send samples to
[email protected]
Page 29
Average Response Times for Major Outbreaks During Q1/2004
[Bar chart: response time in hours (0–14) for F-Secure, Trend, McAfee and Symantec]
Data source: AV-Test.org
Page 30
Radar Security News
Anti-Virus Research issues Radar
security news when new threats
emerge
• Protection status for every reported
malware
Three alert levels
• Level 1: Worldwide virus epidemic
• Level 2: New virus causing large,
localised infections
• Level 3: New virus technique or platform
found
Page 31
Summary
Main topics
• Central threats
• Terminology
• Malware in Action
• Brief history, case examples, functionality
• F-Secure Anti-Virus Research
Page 32