8/9/2019 Malware Workshop
1/62
Malware Workshop
AL [email protected] 2006
"Security is a journey, not a destination"
Malware Agenda
Policy
Categories
Prevention through education
Malware host software
Virus outbreak scenario
Management
Spyware/Adware
Hacker method scenario
Links
SPICE Policy on Malware
Robust Policy
Main idea:
ISM's responsibility to
Ensure ALL hosts have the ability to protect autonomously.
Enforce the integrity of protection.
Users' responsibility to
Use reasonable precautions when importing data
Recognize malicious protection on devices in their custody
Report any malicious event on a host to the ISM
Fully compliant with the policy?
Visit http://security.health.edu HSC Policies and Standards
Categories
NIST defines malware generally, as the attributes of malware are ever changing.
Subjectively inclusive but not limited to:
Viruses
Worms
Trojan Horses
Backdoors
Keystroke loggers
Rootkits
Tracking Cookies
The list could go on and on
What is and what isn't malware is debatable
Phishing, virus hoaxes
Awareness / History: Should we be concerned?
Incidents per year (recovered from the chart):
1999: 5,627
2000: 15,825
2001: 156,904
2002: 1,510,619
2003: 6,877,036
2004: 29,890,376
Prevention
Educate users to:
know the Spice policy and your unit policy
be aware of suspicious events
not attempt to bypass security controls
not execute or download apps from untrusted sources
know what social engineering is
Review host security workshop (January 2006):
Patching/Updates
Limit user privileges
Host firewalls
Disabling unneeded services
MBSA
CISecurity Baseline
Review general awareness training (February 2006)
Review the eduguides.
Malware Software
Malicious software detection is a must on every host.
Protect all hosts that you are responsible for
Network connected or not
Malware Software Options
Block specific ports or make rules to apply to a specific file or location on a virus outbreak
Stop the payload of the exploit from affecting the targeted computer and prevent it from spreading
Report to a Management Server
Which malware vendor do you use?
There are many vendors of malware protection that may fit your needs
Can your unit's selected malware product buy you the time needed between a virus outbreak and a new signature release?
Avoid unnecessary additional expenses to the University
Malware Software at UF
Symantec AntiVirus (HSC IT Center)
Available malware software licensed to UF (software.ufl.edu):
Linux: McAfee LinuxShield
Macintosh: Virex
Windows: VirusScan Enterprise
NetWare: NetShield
There is no extra charge for the use of McAfee software to a Unit
McAfee VirusScan 8.0i
McAfee was the chosen enterprise product at UF
Features comply with the HSC policy
Available to faculty, students, and staff
Has extra features, but use with caution:
Access Protection: adds some firewall protection to your computer (enabled by default)
Buffer Overflow Protection: prevents buffer overflows from executing code on your computer (enabled by default)
Unwanted Programs Policy: this will remove some spyware and adware (not enabled by default)
McAfee VirusScan 8.0i
Wouldn't it be a headache to manage the console for each host individually to comply with policy?
Are all of your hosts' signatures up to date? How do you know?
Do your users know how to check?
Response to a Virus: Example Using VirusScan
Suppose a new threat is announced by
SANS
Avert
Symantec Security Response
HSC Security Group
A rule might be used during the brief time between when a virus goes wild and when a new signature update is available and tested.
We know the virus: typically when run, it copies itself to the following locations:
%windir%\system32\drvdll.exe
%windir%\system32\drvddll.exeopen
%windir%\system32\drvddll.exeopenopen
%windir%\CPLSTUB.exe
McAfee V8.0i example rule creation (screenshot captions: Rule 1, Rule 2, Combined with)
Suppose you're already hit with Bagle
Prevent the spread
Identify machines affected
Rule will trigger not only when a virus tries to infect (create) but also when it tries to run (write, read, execute)
Bagle example continued (port blocking rules)
Bagle spread through email
The first default rule combats the email spread: the default rule (Rule 0) blocks outgoing traffic on port 25
Prevent the virus from obtaining instructions from the virus author: create a port blocking rule that prevents incoming traffic on port 2535
Prevent the virus from downloading scripts: McAfee already includes a rule (Rule 3) that prevents outgoing traffic on port 80 unless the traffic is from one of the web browsers listed
Prevent Mass mailers and share-hoppers
Restrict write access to incoming network connections with Share Blocking Rules
Prevent remote creation/modification/deletion of
A common virus action: copying into the Windows directory and setting a registry value so that they are started at either logon or when another application starts.
Use rules to satisfy this
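A host-side check for the indicators on the outbreak slides above (the Bagle drop paths under %windir% and the registry autostart value a virus sets), as an added example that is not part of the workshop or McAfee's rule set; the drop-file list comes from the slide, while the Run-key locations, helper names and sample Run entries are assumptions.

```python
import os
import ntpath

# Drop locations quoted in the workshop slide, relative to %windir%
DROP_FILES = [
    r"system32\drvdll.exe",
    r"system32\drvddll.exeopen",
    r"system32\drvddll.exeopenopen",
    r"CPLSTUB.exe",
]
DROP_NAMES = {ntpath.basename(p).lower() for p in DROP_FILES}

def check_drop_files(windir, exists=os.path.exists):
    """Drop paths present under windir; `exists` is injectable for testing."""
    return [p for p in DROP_FILES if exists(ntpath.join(windir, p))]

def _executable(command):
    """First token of a Run-key command: a quoted path or up to first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_run_entries(entries, windir):
    """Flag (value_name, command) pairs whose executable is a known drop name,
    or sits under windir with a mangled extension such as .exeopen."""
    flagged = []
    wd = ntpath.normcase(windir).rstrip("\\") + "\\"
    for name, command in entries:
        exe = ntpath.normcase(_executable(command))
        base = ntpath.basename(exe)
        ext = ntpath.splitext(base)[1]
        mangled = ext.startswith(".exe") and ext != ".exe"
        if base in DROP_NAMES or (exe.startswith(wd) and mangled):
            flagged.append(name)
    return flagged

def read_run_keys():
    """Windows only: HKLM/HKCU ...\\Run values (assumed autostart locations)."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                entries.append((name, str(value)))
    return entries
```

On a Windows host, `check_drop_files(os.environ["WINDIR"])` and `suspicious_run_entries(read_run_keys(), os.environ["WINDIR"])` give the two lists an ISM would want before writing the blocking rule.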
Other uses for port blocking and file, share, and folder protection
Preventing the spread: to prevent the receipt of instructions, use port blocking rules
Viruses targeting specific applications, e.g. Internet Explorer: create specific rules that name iexplore.exe as the process, which prevent the creation or the writing of files to the %windir%\** directory and the program files\** directory
A Potential Headache
Don't break functionality: existing applications, network connectivity
Plan well
Use rules in warning mode first: report access attempts without blocking access, and monitor the impact
Use discretion when entering wildcards
Autonomous Protection
Ensure ALL hosts have the ability to protect autonomously. How can you ensure this?
Use centralized management software the University offers at no cost to the unit:
ePO
ProtectionPilot
Autonomous Protection: Why?
Signatures not kept up to date equals malware software essentially useless.
Gain control of your anti-virus infrastructure
Centralize your policy enforcement and management: make sure virus scanning policies are set to keep your systems secure and virus-free
Deploy needed updates and software remotely: keep anti-virus software on your systems up-to-date
Deploy new rules during a virus outbreak
Software
ePolicy Orchestrator (ePO) or ProtectionPilot: software available to all Unit admins under the current license
http://software.ufl.edu/mcafee/index3.html
Symantec System Center Console (HSC IT Center)
Avoid unnecessary additional expenses to the University
ePO
Easy enough to install (guided with install wizard)
Straightforward
A bit complex to start with: terminology and the functionality
distributed repositories
rogue system detection sensors
notification rules
etc.
ePO Documentation
Heap of high-quality product documentation
ePO quick reference card
Walkthrough Guide
Enforce Protection: Compliance Policy and Updates
The ePO agent manages policies for McAfee AntiVirus
Policies can be set globally or on individual clients (servers); ePO also generates reports on compliance, virus detections, etc.
The Agent manages the 'Policy' for you automatically based on what ePolicy Orchestrator has stored in its database for each client
Daily updates of:
DATs
Engines
Service packs
Hotfixes
Patches
On Demand Scan & The 4715-DAT
On Demand Scans
Usually a weekly/monthly on-demand scan with full options (all files, archives, etc.)
Scan the quarantine folder to remove any found viruses
Monthly/weekly depends on how often your backups are done
ePO Rogue System Detection
ePO can detect rogue, non-compliant systems by identifying when any of these systems are connected to the LAN
Identify: might be one of yours if the name matches
Likely to be more useful if:
HSC global AV team
All units used ePO
ePO Rogue System Detection
ePO Considerations
Consider revising the default ports during install
Ensure that the server is not already using these ports for communicating with 3rd party software (for example, the World Wide Web Publishing service)
Secure the ePolicy Orchestrator database (SQL/MSDE)
Change default passwords
SQL Server 2000 security checklist:
http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
Distributing the ePO Client
Installed on department image: remove the agent GUID registry value from the agent registry key
Push from ePO server
Manually installed
See login script: use the same login script to check if ePO is installed and, if not, then install it
Distribution of Software using ePO
Policy Again
What about Anti-Spyware and Anti-Adware?
Anti-spyware and Anti-Adware
No such thing as the best Anti-Spyware yet
In toddler stage, but growing
Overlapping anti-spyware products needed. Why?
Anti-Spyware/Adware
All anti-spyware vendors rely on their user communities to submit samples of suspected potentially unwanted programs in order to grow their databases
Anti-spyware Challenge
No such thing as the best Anti-Spyware yet
Infant stages
Over 100 anti-spyware/adware scanners available for download
Each major vendor refers to spyware differently:
McAfee uses the term Potentially Unwanted Programs, or PUPs
Symantec refers to security risks
Trend Micro uses the classification of spyware/grayware
What about McAfee's and Symantec's virus scanners?
Symantec Antivirus v 9.0.0.338
Symantec
Scan for expanded threats: adware, spyware, joke programs, and other risks
The adware/spyware detection system is not done in real-time; you need to run a scan to check for adware/spyware
Detected Hotbar and Gator but was unable to remove anything
Seems like a really great feature idea, but a useless implementation
VirusScan Enterprise 8.0i
McAfee V8.0i Potentially Unwanted Programs
Has a definition of 200 adware and spyware
OK, but there are tens of thousands of types of adware and spyware currently defined; the list of 200 items checked by this feature is not sufficient
Has the same shortcomings as Symantec's expanded threats
Other Spyware and Adware
Hijack This: legitimate tool for removing BHOs. Extremely non-user-friendly, but it will allow you to remove things that nothing else will.
Ad-Aware (www.lavasoftusa.com): not centrally manageable, not free for edu
SpyBot (http://security.kolla.de): not centrally manageable, but you can run command line Windows Tasks with autoupdate
SpywareGuard and SpyWareBlaster (http://www.wilderssecurity.net)
Need Enterprise Anti-spyware
What's needed for an Enterprise?
Integrated anti-virus and anti-spyware solution
Simplified management and reporting
Single agent and policy to deploy to client workstations, and integrated delivery of signature updates
All of this would be nice if it existed and worked well
McAfee Anti-Spyware Module
Works on ePO and ProtectionPilot servers
McAfee Anti-Spyware Module
Integrated module with VirusScan 8.0i
Average proactive protection
On access stopped some spyware/adware before install
On demand scan removed most spyware/adware left over
Centralized management with ePolicy Orchestrator
Same exceptional type of reporting as VirusScan
Updates are in the DAT
McAfee Anti-Spyware Module Reviews
Network World, Barry Nance, 09/05: detected 76% of spyware/adware tested
http://www.networkworld.com/reviews/2005/091205-spyware-nr2.html
InfoWorld, Keith Schultz, 09/05: received a very good rating, 8.2 / 10
http://www.infoworld.com/McAfee_Anti-Spyware_Enterprise_Edition_Module/product_52904.html?view=1&curNodeId=0&index=4
eWeek, Andrew Garcia, 07/05: "McAfee's anti-virus/anti-spyware solution is the only package we reviewed that's worth considering as a primary anti-spyware solution."
http://www.eweek.com/article2/0,1895,1839202,00.asp
Anti-Spyware Conclusion
No doubt the major vendors will improve their anti-spyware capabilities: research, development and acquisitions
McAfee's anti-spyware module makes sense to use as an Enterprise solution
Software Licensing Services
Method used by a hacker
Launches command shell from exploit/vulnerability (buffer overflow, etc.)
Looks for running services (net start)
If has escalated privileges (shouldn't, but if they do; remember Host Security Workshop?)
Stops anti-virus services
Installs all tools needed
A hacker method cont.
ePO will restart the McShield service at the next policy check
Nothing is checking the Framework service
Malware services completely stopped
VirusScan now ineffective
A hacker method cont.
Restarts services that are stopped and set to start automatically
Or just look for the service name with DisplayName
Maybe make an exe out of it
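A service watchdog for the scenario in this and the two preceding hacker-method slides, as an added example that is not the workshop's script or McAfee's code: it lists services, selects any McAfee service that is set to start automatically but is not running (which covers the Framework service that ePO does not watch) and restarts it. The wmic query, the `sc start` call, the McAfee display and service names and the sample listing are assumptions/constructed.

```python
import csv
import io
import os
import subprocess

# Windows query for service state (assumption: wmic is available, as on 2006-era hosts)
WMIC_CMD = ["wmic", "service", "get", "DisplayName,Name,StartMode,State", "/format:csv"]

# Constructed sample of that query's output, used when not running on Windows
SAMPLE_CSV = """Node,DisplayName,Name,StartMode,State
HOST1,McAfee McShield,McShield,Auto,Stopped
HOST1,McAfee Framework Service,McAfeeFramework,Auto,Stopped
HOST1,Print Spooler,Spooler,Auto,Running
HOST1,Telnet,TlntSvr,Disabled,Stopped
"""

def parse_services(text):
    """Parse the CSV listing into dicts; skips the blank leading line wmic emits."""
    lines = [l for l in text.splitlines() if l.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def services_to_restart(services, prefix="McAfee"):
    """Services set to start automatically but not running, selected by
    DisplayName prefix (the slide's 'look for the service name with DisplayName').
    Matches both McShield and the Framework service, which ePO does not watch."""
    return [
        s["Name"] for s in services
        if s["DisplayName"].startswith(prefix)
        and s["StartMode"] == "Auto" and s["State"] != "Running"
    ]

def restart(names):
    """Run `sc start <name>` for each service (Windows only); returns the commands."""
    cmds = [["sc", "start", n] for n in names]
    if os.name == "nt":
        for c in cmds:
            subprocess.run(c, check=False)
    return cmds

if __name__ == "__main__":
    if os.name == "nt":
        text = subprocess.run(WMIC_CMD, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_CSV
    names = services_to_restart(parse_services(text))
    print("restarting:", names)
    restart(names)
```

Scheduled as a task (or packaged as an exe, as the slide suggests) it closes the gap the slides describe; an attacker with administrator rights can still stop this watchdog, so it is a detection and recovery aid, not a replacement for keeping privileges limited.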
Links
Spice Policy: http://security.health.ufl.edu/policies/index.shtml
McAfee Knowledge base: http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcentral.do?id=m1&language=en_US
Unofficial McAfee forums: http://forums.mcafeehelp.com
VirusScan Enterprise 8.0i - Best Practices Guide: http://download.software.ufl.edu
Previous Workshops including Host Security: http://security.health.ufl.edu/training/isaism.shtml
Links
ePO walkthrough: http://www.mcafee.com/us/local_content/white_papers/wp_epo_walkthrough_guide.pdf
Anti-spyware testing: http://spywarewarrior.com/asw-test-guide.htm
Anti-Spyware Enterprise Module 8.0 Guide: http://www.networkassociates.com/common/media/mcafeeb2b%5Csupport%5CVSE%5CMAS800_Guide_EN.pdf