Malware Workshop


  • 8/9/2019 Malware Workshop

    1/62

Malware Workshop

    AL [email protected] 2006

2/62

"Security is a journey, not a destination"

3/62

Malware Agenda

Policy
Categories
Prevention through education
Malware host software
Virus outbreak scenario
Management
Spyware/Adware
Hacker method scenario
Links

4/62

SPICE Policy on Malware

Robust Policy. Main idea:

ISM's responsibility to:
  Ensure ALL hosts have the ability to protect autonomously.
  Enforce the integrity of protection.

User's responsibility to:
  Use reasonable precautions when importing data.
  Recognize malicious protection on devices in their custody.
  Report any malicious event on a host to the ISM.

Fully compliant with the policy? Visit http://security.health.edu (HSC Policies and Standards).

5/62

Categories

NIST defines malware generally, as the attributes of malware are ever changing. Subjectively inclusive but not limited to:
  Viruses
  Worms
  Trojan Horses
  Backdoors
  Keystroke loggers
  Rootkits
  Tracking Cookies

The list could go on and on. What is and what isn't malware is debatable (phishing, virus hoaxes).

6/62

Awareness / History: Should we be concerned?

Incidents per year (values recovered from the chart on this slide):

Year   Incidents
1999        5,627
2000       15,825
2001      156,904
2002    1,510,619
2003    6,877,036
2004   29,890,376

7/62

Prevention

Educate users to:
  know the Spice policy and your unit policy.
  be aware of suspicious events.
  not attempt to bypass security controls.
  not execute or download apps from untrusted sources.
  know what social engineering is.

Review the host security workshop (January 2006):
  Patching/Updates
  Limit user privileges
  Host firewalls
  Disabling unneeded services
  MBSA
  CISecurity Baseline

Review general awareness training (February 2006).
Review the eduguides.

8/62

9/62

Malware Software

Malicious software detection is a must on every host.
Protect all hosts that you are responsible for, network connected or not.

10/62

11/62

Malware Software Options

Block specific ports, or make rules that apply to a specific file or location during a virus outbreak.
Stop the payload of the exploit from affecting the targeted computer and prevent it from spreading.
Report to a Management Server.

12/62

Which malware vendor do you use?

There are many vendors of malware protection that may fit your needs.
Can your selected unit's malware product buy you the time needed between a virus outbreak and a new signature release?
Avoid unnecessary additional expenses to the University.

13/62

Malware Software at UF

Symantec AntiVirus (HSC IT Center)

Available malware software licensed to UF (software.ufl.edu):
  Linux: McAfee LinuxShield
  Macintosh: Virex
  Windows: VirusScan Enterprise
  NetWare: NetShield

There is no extra charge to a Unit for the use of McAfee software.

14/62

McAfee VirusScan 8.0i

McAfee was the chosen enterprise product at UF.
Features comply with the HSC policy.
Available to faculty, students, and staff.
Has extra features, but use them with caution:
  Access Protection: adds some firewall protection to your computer. Enabled by default.
  Buffer Overflow Protection: prevents buffer overflows from executing code on your computer. Enabled by default.
  Unwanted Programs Policy: removes some spyware and adware. Not enabled by default.

15/62

McAfee VirusScan 8.0i

Wouldn't it be a headache to manage the console for each host individually to comply with policy?

16/62

Are all of your hosts' signatures up to date? How do you know?
Do your users know how to check?

17/62

Response to a Virus: Example Using VirusScan

Suppose a new threat is announced (SANS, AVERT, Symantec Security Response, HSC Security Group).

A rule might be used during the brief time between when a virus goes wild and when a new signature update is available and tested.

We know the virus: typically, when run, it copies itself to the following locations:
  %windir%\system32\drvdll.exe
  %windir%\system32\drvddll.exeopen
  %windir%\system32\drvddll.exeopenopen
  %windir%\CPLSTUB.exe

18/62

McAfee V8.0i example rule creation

Rule 1
Rule 2
Combined with

19/62

Suppose you're already hit with Bagle

Prevent the spread.
Identify machines affected.
The rule will trigger not only when a virus tries to infect (create) but also when it tries to run (write, read, execute).
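Identifying affected machines can be scripted from the file locations the slide lists. This is an added PowerShell example, not part of the workshop material; it checks only those paths plus the Run keys (slide 22 describes the registry persistence) and reports, without removing anything.

```powershell
# Added example, not from the workshop slides: report whether a host shows the
# file locations the Bagle slide lists, plus any Run-key entries referencing
# those names. Read-only: it reports and deletes nothing.
function Get-BagleIndicators {
    param(
        # Defaults to the local %windir%; point it at a mounted image if needed.
        [string]$WinDir = $env:windir
    )

    # File locations listed on the slide, relative to %windir%.
    $relativePaths = @(
        'system32\drvdll.exe',
        'system32\drvddll.exeopen',
        'system32\drvddll.exeopenopen',
        'CPLSTUB.exe'
    )
    $foundFiles = foreach ($rel in $relativePaths) {
        $full = Join-Path $WinDir $rel
        if (Test-Path -LiteralPath $full -PathType Leaf) {
            Get-Item -LiteralPath $full | Select-Object FullName, Length, LastWriteTime
        }
    }

    # Persistence check (slide 22): Run keys whose data names one of the files.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $namePattern = '(?i)drvd?dll\.exe|CPLSTUB\.exe'
    $runHits = foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $namePattern } |
            Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Files        = @($foundFiles)
        RunEntries   = @($runHits)
        Suspect      = (@($foundFiles).Count -gt 0) -or (@($runHits).Count -gt 0)
    }
}

Get-BagleIndicators | Format-List
```

Run it from the management host against each suspect machine (for example via a scheduled task that writes the object to a share) and the Suspect flag gives the list of machines to isolate.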

20/62

Bagle example continued (port blocking rules)

Bagle spread through email. The first default rule combats the email spread: Default (Rule 0) blocks outgoing traffic on port 25.
Prevent the virus from obtaining instructions from the virus author: create a port blocking rule that prevents incoming traffic on port 2535.
Prevent the virus from downloading scripts: McAfee already includes a rule (Rule 3) that prevents outgoing traffic on port 80 unless the traffic is from one of the web browsers listed.

21/62

22/62

Prevent Mass Mailers and Share-Hoppers

Restrict write access to incoming network connections with Share Blocking Rules.
Prevent remote creation/modification/deletion of
A common virus action: copying into the Windows directory and setting a registry value so that they are started at either logon or when another application starts.
Use rules to satisfy this.

23/62

Other uses for port blocking and file, share, and folder protection

Preventing the spread: to prevent the receipt of instructions, use port blocking rules.
Viruses targeting specific applications (Internet Explorer): create specific rules that name iexplore.exe as the process, which prevent the creation or writing of files to the %windir%** directory and the program files\** directory.

24/62

A Potential Headache

Don't break functionality: existing applications, network connectivity.
Plan well.
Use rules in warning mode first: report access attempts without blocking access, and monitor the impact.
Use discretion when entering wildcards.

25/62

Autonomous Protection

Ensure ALL hosts have the ability to protect autonomously. How can you ensure this?
Use the centralized management software the University offers at no cost to the unit: ePO, ProtectionPilot.

26/62

Autonomous Protection: Why?

Signatures not kept up to date equals malware software essentially useless.

27/62

Gain control of your anti-virus infrastructure

Centralize your policy enforcement and management: make sure virus scanning policies are set to keep your systems secure and virus-free.
Deploy needed updates and software remotely: keep anti-virus software on your systems up to date.
Deploy new rules during a virus outbreak.

28/62

Software

ePolicy Orchestrator (ePO) or ProtectionPilot: software available to all Unit admins under the current license.
http://software.ufl.edu/mcafee/index3.html
Symantec System Center Console (HSC IT Center)
Avoid unnecessary additional expenses to the University.

29/62

ePO

Easy enough to install (guided with an install wizard).
Straightforward, but a bit complex to start with: the terminology and the functionality (distributed repositories, rogue system detection sensors, notification rules, etc.).

30/62

31/62

ePO Documentation

Heap of high-quality product documentation: ePO quick reference card, Walkthrough Guide.

32/62

33/62

Enforce Protection: Compliance Policy and Updates

The ePO agent manages policies for McAfee AntiVirus. Policies can be set globally or on individual clients (servers); ePO also generates reports on compliance, virus detections, etc.
The Agent manages the 'Policy' for you automatically, based on what ePolicy Orchestrator has stored in its database for each client.
Daily updates of: DATs, Engines, Service packs, Hotfixes, Patches.

34/62

35/62

On Demand Scan & The 4715-DAT

36/62

On Demand Scans

Usually a weekly/monthly on-demand scan with full options (all files, archives, etc.).
Scan the quarantine folder to remove any found viruses.
Monthly/weekly depends on how often your backups are done.

37/62

ePO Rogue System Detection

ePO can detect rogue, non-compliant systems by identifying when any of these systems are connected to the LAN.
Identify: might be one of yours if the name matches.
Likely to be more useful if: HSC global AV team; all units used ePO.

38/62

ePO Rogue System Detection

39/62

ePO Considerations

Consider revising the default ports during install: ensure that the Server is not already using these ports for communicating with 3rd-party software (for example, the World Wide Web Publishing Service).
Secure the ePolicy Orchestrator database (SQL/MSDE): change default passwords.
SQL Server 2000 security checklist: http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx

40/62

Distributing the ePO Client

Installed on the department image: remove the agent GUID registry value from the agent registry key.
Push from the ePO server.
Manually installed.
See login script: use the same login script to check if ePO is installed and, if not, then install.
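The login-script check described above, written as an added PowerShell example rather than the workshop's own script. The agent service name (McAfeeFramework), the distribution share and the installer switches are assumptions to verify against your agent version.

```powershell
# Added example, not the workshop's own login script: check whether the McAfee
# agent is present (by its service) and run the installer if it is not. The
# service name, installer share and switches below are assumptions to verify.
param(
    [string]$AgentService  = 'McAfeeFramework',                    # assumed agent service name
    [string]$InstallerPath = '\\FILESERVER\Deploy\FramePkg.exe',   # placeholder distribution share
    [string]$LogPath       = "$env:windir\Temp\epo-agent-check.log"
)

function Write-Log([string]$Message) {
    # One line per run, tagged with host and time, so a central share can collect them.
    '{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message | Add-Content -Path $LogPath
}

function Test-AgentInstalled([string]$Name) {
    # The service, not just files on disk, is what checks in with ePO.
    return [bool](Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

if (Test-AgentInstalled $AgentService) {
    Write-Log "agent present ($AgentService); nothing to do"
    exit 0
}

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    # Say so rather than silently doing nothing; a quiet no-op hides unmanaged hosts.
    Write-Log "agent missing and installer not reachable at $InstallerPath"
    exit 1
}

Write-Log "agent missing; running installer $InstallerPath"
# Installing a service needs administrative rights, so run this as a computer
# startup script (or under a privileged task) rather than in the user's logon context.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/install=agent', '/silent' -Wait -PassThru
Write-Log "installer exit code $($proc.ExitCode)"

# Confirm rather than assume: the service must exist after the install.
if (Test-AgentInstalled $AgentService) {
    Write-Log 'agent installed'
    exit 0
}
Write-Log 'agent still missing after install attempt'
exit 2
```

The exit codes (0 present, 1 installer unreachable, 2 install failed) let the deployment tooling flag hosts that never reached a managed state.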

41/62

Distribution of Software using ePO

42/62

43/62

Policy Again

What about AntiSpyware and Anti-Adware?

44/62

Anti-Spyware and Anti-Adware

No such thing as the best AntiSpyware yet: in toddler stage, but growing.
Overlapping anti-spyware products needed. Why?

45/62

Anti-Spyware / Adware

All anti-spyware vendors rely on their user communities to submit samples of suspected potentially unwanted programs in order to grow their databases.

46/62

Anti-spyware Challenge

No such thing as the best Anti-Spyware yet: infant stages; over 100 anti-spyware/adware scanners available for download.
Each major vendor refers to spyware differently:
  McAfee uses the term Potentially Unwanted Programs, or PUPs.
  Symantec refers to security risks.
  Trend Micro uses the classification of spyware/grayware.
What about McAfee's and Symantec's virus scanners?

47/62

Symantec Antivirus v 9.0.0.338

48/62

Symantec

Scan for expanded threats: adware, spyware, joke programs, and other risks.
The Adware/Spyware detection system is not done in real time; you need to run a scan to check for adware/spyware.
Detected Hotbar and Gator but was unable to remove anything.
Seems like a really great feature idea, but a useless implementation.

49/62

VirusScan Enterprise 8.0i

50/62

McAfee V8.0i Potentially Unwanted Programs

Has a definition of 200 adware and spyware.
OK, but there are tens of thousands of types of adware and spyware currently defined; the list of 200 items checked by this feature is not sufficient.
Has the same shortcomings as Symantec's expanded threats.

51/62

Other Spyware and Adware

HijackThis: legitimate tool for removing BHOs. Extremely non-user-friendly, but it will allow you to remove things that nothing else will.
Ad-Aware (www.lavasoftusa.com): not centrally manageable, not free for edu.
SpyBot (http://security.kolla.de): not centrally manageable, but you can run command-line Windows Tasks with autoupdate.
SpywareGuard and SpywareBlaster (http://www.wilderssecurity.net)

52/62

Need Enterprise Anti-spyware

What's needed for an Enterprise?
  Integrated anti-virus and anti-spyware solution.
  Simplified management and reporting.
  Single agent and policy to deploy to client workstations, and integrated delivery of signature updates.
All of this would be nice if it existed and worked well.

53/62

McAfee Anti-Spyware Module

Works on ePO and ProtectionPilot servers.

54/62

McAfee Anti-Spyware Module

Integrated module with VirusScan 8.0i.
Average proactive protection: on-access stopped some spyware/adware before install; on-demand scan removed most spyware/adware left over.
Centralized management with ePolicy Orchestrator.
Same exceptional type of reporting as VirusScan.
Updates are in the DAT.

55/62

McAfee Anti-Spyware Module Reviews

Network World, Barry Nance, 09/05: detected 76% of spyware/adware tested.
http://www.networkworld.com/reviews/2005/091205-spyware-nr2.html

InfoWorld, Keith Schultz, 09/05: received a very good rating, 8.2 / 10.
http://www.infoworld.com/McAfee_Anti-Spyware_Enterprise_Edition_Module/product_52904.html?view=1&curNodeId=0&index=4

eWeek, Andrew Garcia, 07/05: "McAfee's anti-virus/anti-spyware solution is the only package we reviewed that's worth considering as a primary anti-spyware solution."
http://www.eweek.com/article2/0,1895,1839202,00.asp

56/62

Anti-Spyware Conclusion

No doubt the major vendors will improve their anti-spyware capabilities: research, development and acquisitions.
McAfee's anti-spyware module makes sense to use as an Enterprise solution.
Software Licensing Services

57/62

Method used by a hacker

Launches a command shell from an exploit/vulnerability (buffer overflow, etc.).
Looks for running services (net start).
If they have escalated privileges (they shouldn't, but if they do; remember the Host Security Workshop?):
  Stops anti-virus services.
  Installs all tools needed.

58/62

A hacker method, cont.

ePO will restart the McShield service at the next policy check.
Nothing is checking the Framework service.
Malware services completely stopped: VirusScan now ineffective.

59/62

60/62

A hacker method, cont.

Restart services that are stopped and set to start automatically.
Or just look for the service name with DisplayName.
Maybe make an exe out of it.
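The watchdog sketched on slides 58 to 60 (restart auto-start services found stopped, selecting them by DisplayName so the Framework service is covered along with McShield), as an added PowerShell example that is not the script from the slides. The 'McAfee*' DisplayName pattern and the log path are assumptions.

```powershell
# Added example, not the script shown on the slide: find services that are set to
# start automatically but are stopped, selecting them by DisplayName as the slide
# suggests, and start them again. 'McAfee*' is assumed to cover McShield and the
# Framework service on the hosts in question; adjust the pattern to your product.
function Get-StoppedAutoServices {
    param([string]$DisplayNameLike = 'McAfee*')
    # Win32_Service exposes StartMode, which Get-Service lacks on older PowerShell.
    # Caveat: a service whose StartMode was changed will not match this filter;
    # compare against a fixed list of expected service names if that matters.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State='Stopped'" |
        Where-Object { $_.DisplayName -like $DisplayNameLike }
}

function Restart-StoppedAutoServices {
    param(
        [string]$DisplayNameLike = 'McAfee*',
        [switch]$ReportOnly,                                    # like "warning mode" on slide 24
        [string]$LogPath = "$env:windir\Temp\av-watchdog.log"  # assumed log location
    )
    $results = foreach ($svc in Get-StoppedAutoServices -DisplayNameLike $DisplayNameLike) {
        if ($ReportOnly) {
            $action = 'would start'
        } else {
            # StartService() returns 0 on success; anything else is a WMI error code.
            $rc = $svc.StartService().ReturnValue
            $action = if ($rc -eq 0) { 'started' } else { "failed (rc=$rc)" }
        }
        # An auto-start AV service found stopped is itself the signal the slides
        # describe after an attacker stops it, so record every occurrence.
        '{0:u} {1} {2} ({3}) {4}' -f (Get-Date), $env:COMPUTERNAME, $svc.DisplayName, $svc.Name, $action |
            Add-Content -Path $LogPath
        [pscustomobject]@{ Name = $svc.Name; DisplayName = $svc.DisplayName; Action = $action }
    }
    $results
}

# Run on a schedule (every few minutes) so the gap the slides describe stays short.
Restart-StoppedAutoServices -DisplayNameLike 'McAfee*' | Format-Table -AutoSize
```

Run it first with -ReportOnly to see which services it would touch, then schedule it under an account that can start services; the log gives the "identify machines affected" data the earlier slides ask for.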

61/62

Links

Spice Policy: http://security.health.ufl.edu/policies/index.shtml
McAfee Knowledge base: http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcentral.do?id=m1&language=en_US
Unofficial McAfee forums: http://forums.mcafeehelp.com
VirusScan Enterprise 8.0i - Best Practices Guide: http://download.software.ufl.edu
Previous Workshops including Host Security: http://security.health.ufl.edu/training/isaism.shtml

62/62

Links

ePO walkthrough: http://www.mcafee.com/us/local_content/white_papers/wp_epo_walkthrough_guide.pdf
Anti-spyware testing: http://spywarewarrior.com/asw-test-guide.htm
Anti-Spyware Enterprise Module 8.0 Guide: http://www.networkassociates.com/common/media/mcafeeb2b%5Csupport%5CVSE%5CMAS800_Guide_EN.pdf