Recent Malicious Email Attack Trend Micro Updates SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer [email protected] August 14, 2009
Download ReportTranscript Recent Malicious Email Attack Trend Micro Updates SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer [email protected] August 14, 2009
Recent Malicious Email Attack Trend Micro Updates SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer [email protected] August 14, 2009 Agenda Recent malicious email attachments What happened? Why was it so effective? How can we defend against these attacks? Trend Micro OfficeScan 10 Trend Micro Security for Macs Q&A 2 What happened? Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment Many more reports soon followed from around the world implicating many K-State IP addresses Many K-Staters started reporting receipt of the malicious emails too 4:22pm - started blocking infected computers; continued detecting/blocking infected computers for three more days 113 infected computers blocked, others detected by sysadmins and rebuilt w/o getting blocked 5:45pm – posted info/warning to IT security threats blog 3 What happened? Four different emails with the following subjects: Three (somewhat) different attachments: Shipping update for your Amazon.com order 254-78546325-658742 You have received A Hallmark E-Card! Jessica would like to be your friend on hi5! Your friend invited you to twitter! Shipping documents.zip Postcard.zip Invitation card.zip At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension): “attachment.pdf “attachment.htm “attachment.chm .exe” .exe” .exe” 4 What happened? New variant of malware so Trend Micro OfficeScan did not detect it. 10:45pm - I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t. 11:52pm – warning email sent to profacstaff and classified mailing lists July 14, 8:00am – virustotal.com reports 29 of 41 AV products identify the malware (not Trend Micro) www.virustotal.com/analisis/... 5 What happened? July 14, 9:00am – finally get samples uploaded to Trend Micro 11:40am – Trend reports malware identified as WORM_AGENTO.BY, “bandage” pattern file available 2:00pm – bandage pattern file pushed out to OfficeScan clients Production pattern file released later that evening which detects the malware 397 instances detected/deleted by TMOS since July 13 IT Tuesday article posted about it itnews.itac.k-state.edu/2009/07/malicious... July 29 and August 7 - similar attacks with new variants of the malware; submitted samples to Trend faster with about a 2 hour turnaround for pattern file that detects the malware 6 Malware Characteristics Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies Modified registry to run every time the computer boots Copied itself to mounted file systems, including USB flash drives Copied itself to common P2P file sharing folders, masquerading as enticing software downloads 7 Malware Characteristics Sample P2P folders used: %ProgramFiles%\ICQ\Shared Folder %ProgramFiles%\Grokster\My Grokster %ProgramFiles%\EMule\Incoming %ProgramFiles%\Morpheus\My Shared Folder %ProgramFiles%\LimeWire\Shared Sample enticing software downloads: Ad-aware 2009.exe Adobe Photoshop CS4 crack.exe Avast 4.8 Professional.exe Kaspersky Internet Security 2009 keygen.exe LimeWire Pro v4.18.3.exe Microsoft Office 2007 Home and Student keygen.exe Norton Anti-Virus 2009 Enterprise Crack.exe Total Commander7 license+keygen.exe Windows 2008 Enterprise Server VMWare Virtual Machine.exe Perfect keylogger family edition with crack.exe … and about 25 more 8 Why was it so effective? Used familiar services Amazon.com Hallmark eCard greeting Twitter Sensual enticement (“Jessica would like to be your friend on hi5!”) Somewhat believable replicas of legitimate emails Sent it to lots of people (bound to hit someone who just ordered something from amazon.com, or is having a birthday) Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces New variant that spread quickly so initial infections missed by antivirus protection I was too slow submitting samples to Trend (better the second and third time around) Malware/attachment filtering in Zimbra did not stop it Been a long time since attack came by email attachment so people caught off-guard 9 What can we do? Users need to learn to recognize scams Hallmark, amazon.com, etc. do not send info in attachments Don’t open attachment unless you are expecting it and have verified with sender Think before you click Be paranoid! 10 Malicious Hallmark E-Card 11 Legitimate Hallmark E-Card 12 Malicious Amazon Shipping Notice 13 Legitimate Amazon Shipping Notice 14 Malicious Twitter Invitation 15 What can we do? Better malware filtering in e-mail Need to work more closely with Zimbra/Yahoo Submit malware samples sooner (we’re doing that now) Trend Micro OfficeScan 10… 16 Trend Micro OfficeScan 10 Major upgrade from current version 8 (where did version 9 go?!) Ripe with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”) But it appears to provide real value: Faster deployment of pattern file updates Smaller client footprint Windows 7 support (not officially supported in OfficeScan 8) More options for re-scheduling missed scheduled scans Better Active Directory integration Better control of removable devices like USB drives Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries) 17 Trend Micro OfficeScan 10 “In-the-cloud” scanning (“SmartScan”) vs. conventional scanning Client uses pattern info stored on local or global servers rather than having to store everything on every client computer Updates pattern files hourly instead of daily Smaller pattern files on the client, less network bandwidth used to deploy pattern files Some heuristic-based detection Can still do conventional scanning for systems with limited Internet access 18 Trend Micro OfficeScan 10 Better options for dealing with missed scheduled scan Postpone a schedule scan before it begins Stop and Resume a current active schedule scan Resume a missed schedule scan Automatically skip schedule scan when Laptop Battery is below certain % Automatically stop schedule scan when it lasts over a certain amount of period. 19 Trend Micro OfficeScan 10 Device Access Control Sysadmins can control use of removable drives Examples: Removable Thumb Drives, Firewire Hard Drives, PC-Cards, Media Players. 20 Trend Micro OfficeScan 10 The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped, and settings from being changed To prevent OSCE applications being injected with malware and impact business operation Feature provides the ability to protect OfficeScan files / file types within folders from being modified Protect OfficeScan system processes to prevent unauthorized shut-down Protect OfficeScan system registries from unauthorized modification 21 Trend Micro OfficeScan 10 TMOS 10 concerns Is a major upgrade so needs to thorough testing Uncertainty about use of SmartScan vs. conventional scan Significant CPU utilization every hour on Local Scan Server when it downloads and processes new pattern files Standalone Scan Server requires VMware™ ESXi Server 3.5 Update 2. VMware ESX™ Server 3.5 or 3.0, or VMware Server 2.0 1,000 client limit if run Local Scan Server and OfficeScan server on same server (compared to 5,0008,000 clients for latter) – called “Integrated Scan Server” No tool yet to export/import config form TMOS 8 server to TMOS 10 environment, but they’re working on it. 22 Trend Micro OfficeScan 10 TMOS 10 plans Is available now, been out for a while (service pack 1 in beta) Needs more testing – campus sysadmins encouraged to test Central TMOS 10 server for testing sometime... SIRT will plan coordinated rollout for campus (can be pushed from the server) No timeline at this point, but advantages warrant a somewhat aggressive schedule, as does release of Windows 7 in late October 23 Trend Micro Security for Macs K-State’s license for Symantec AV for Macs expires October 27, 2009 No budget for renewal or replacement TM Security for Macs (TMSM) new product from Trend Micro, included in our campus site license Barring a show-stopper problem, we will switch to TMSM this fall 24 Trend Micro Security for Macs Features/Advantages: No additional cost Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.) Managed as plug-in to current Windows OfficeScan servers, so have common mgmt platform Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors Includes Web Reputation Services to help prevent users from visiting known malicious web sites Covered by current Silver Premium Support contract Single vendor for all AV product 25 No additional cost Trend Micro Security for Macs Timeline: Version 1.5 in beta test now Being tested pretty extensively at K-State Fixed known issues we had with v1.0 Production release available to K-State after August 25 Switch by October 27, or semester break for imaged labs (SAV will continue to work) New Macs should install Symantec now but plan to switch 26 What’s on your mind? 27