Recent Malicious Email Attack
Trend Micro Updates
SIRT IT Security Roundtable

Harvard Townsend
Chief Information Security Officer
[email protected]
August 14, 2009


Page 2

Agenda

Recent malicious email attachments
  What happened?
  Why was it so effective?
  How can we defend against these attacks?
Trend Micro OfficeScan 10
Trend Micro Security for Macs
Q&A

Page 3

What happened?

Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
Many more reports soon followed from around the world implicating many K-State IP addresses
Many K-Staters started reporting receipt of the malicious emails too
4:22pm – started blocking infected computers; continued detecting/blocking infected computers for three more days
113 infected computers blocked; others detected by sysadmins and rebuilt without getting blocked
5:45pm – posted info/warning to IT security threats blog

Page 4

What happened?

Four different emails with the following subjects:
  Shipping update for your Amazon.com order 254-78546325-658742
  You have received A Hallmark E-Card!
  Jessica would like to be your friend on hi5!
  Your friend invited you to twitter!
Three (somewhat) different attachments:
  Shipping documents.zip
  Postcard.zip
  Invitation card.zip
At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
  “attachment.pdf .exe”
  “attachment.htm .exe”
  “attachment.chm .exe”

Page 5

What happened?

New variant of malware, so Trend Micro OfficeScan did not detect it.
10:45pm – I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t.
11:52pm – warning email sent to profacstaff and classified mailing lists
July 14, 8:00am – virustotal.com reports 29 of 41 AV products identify the malware (not Trend Micro): www.virustotal.com/analisis/...

Page 6

What happened?

July 14, 9:00am – finally get samples uploaded to Trend Micro
11:40am – Trend reports malware identified as WORM_AGENTO.BY; “bandage” pattern file available
2:00pm – bandage pattern file pushed out to OfficeScan clients
Production pattern file released later that evening which detects the malware
397 instances detected/deleted by TMOS since July 13
IT Tuesday article posted about it: itnews.itac.k-state.edu/2009/07/malicious...
July 29 and August 7 – similar attacks with new variants of the malware; submitted samples to Trend faster, with about a 2 hour turnaround for a pattern file that detects the malware

Page 7

Malware Characteristics

Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
Modified registry to run every time the computer boots
Copied itself to mounted file systems, including USB flash drives
Copied itself to common P2P file sharing folders, masquerading as enticing software downloads

Page 8

Malware Characteristics

Sample P2P folders used:
  %ProgramFiles%\ICQ\Shared Folder
  %ProgramFiles%\Grokster\My Grokster
  %ProgramFiles%\EMule\Incoming
  %ProgramFiles%\Morpheus\My Shared Folder
  %ProgramFiles%\LimeWire\Shared
Sample enticing software downloads:
  Ad-aware 2009.exe
  Adobe Photoshop CS4 crack.exe
  Avast 4.8 Professional.exe
  Kaspersky Internet Security 2009 keygen.exe
  LimeWire Pro v4.18.3.exe
  Microsoft Office 2007 Home and Student keygen.exe
  Norton Anti-Virus 2009 Enterprise Crack.exe
  Total Commander7 license+keygen.exe
  Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  Perfect keylogger family edition with crack.exe
  … and about 25 more

Page 9

Why was it so effective?

Used familiar services: Amazon.com, Hallmark eCard greeting, Twitter
Sensual enticement (“Jessica would like to be your friend on hi5!”)
Somewhat believable replicas of legitimate emails
Sent it to lots of people (bound to hit someone who just ordered something from amazon.com, or is having a birthday)
Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
New variant that spread quickly, so initial infections were missed by antivirus protection
I was too slow submitting samples to Trend (better the second and third time around)
Malware/attachment filtering in Zimbra did not stop it
Been a long time since an attack came by email attachment, so people were caught off-guard
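A defender-side check for the padded-name trick described on slides 4 and 9, added here as an example and not part of the original presentation: it reads the member names inside a zip attachment without extracting anything and flags executables hidden behind a decoy extension and a run of whitespace (or a plain double extension). The sample archive, its contents and the extension lists are constructed for the demonstration.

```python
from __future__ import annotations
import io
import re
import zipfile

# Extensions Windows runs on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# "<stem>.<decoy ext><whitespace padding>.<real ext>", e.g. "attachment.pdf      .exe"
PADDED_NAME = re.compile(r"^.+?(\.[A-Za-z0-9]{1,5})(\s+)(\.[A-Za-z0-9]{1,4})$")
# "<stem>.<decoy ext>.<real ext>" with no padding, e.g. "invoice.pdf.exe"
DOUBLE_EXT = re.compile(r"^.+?(\.[A-Za-z0-9]{1,5})(\.[A-Za-z0-9]{1,4})$")

def suspicious_reasons(member_name: str) -> list[str]:
    """Return why a zip member name looks like a disguised executable ([] if it does not)."""
    base = member_name.rsplit("/", 1)[-1]  # drop any directory prefix
    real_ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension {real_ext} is executable")
    padded = PADDED_NAME.match(base)
    double = DOUBLE_EXT.match(base)
    if padded:
        reasons.append(f"{len(padded.group(2))} whitespace chars hide {padded.group(3)} behind decoy {padded.group(1)}")
    elif double and real_ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension {double.group(1)}{double.group(2)}")
    return reasons

def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a zip archive to its reasons, using only the directory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = suspicious_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the attachment layout from the slides; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"placeholder, not a program")
        zf.writestr("attachment.htm" + " " * 40 + ".exe", b"placeholder, not a program")
        zf.writestr("Postcard.jpg", b"benign image placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The same check can run at a mail gateway before an attachment reaches a mailbox, which is where the slide says the Zimbra filtering fell short.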

Page 10

What can we do?

Users need to learn to recognize scams
  Hallmark, amazon.com, etc. do not send info in attachments
  Don’t open an attachment unless you are expecting it and have verified with the sender
  Think before you click
  Be paranoid!

Page 11

Malicious Hallmark E-Card (screenshot)

Page 12

Legitimate Hallmark E-Card (screenshot)

Page 13

Malicious Amazon Shipping Notice (screenshot)

Page 14

Legitimate Amazon Shipping Notice (screenshot)

Page 15

Malicious Twitter Invitation (screenshot)

Page 16

What can we do?

Better malware filtering in e-mail
  Need to work more closely with Zimbra/Yahoo
Submit malware samples sooner (we’re doing that now)
Trend Micro OfficeScan 10…

Page 17

Trend Micro OfficeScan 10

Major upgrade from current version 8 (where did version 9 go?!)
Ripe with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)
But it appears to provide real value:
  Faster deployment of pattern file updates
  Smaller client footprint
  Windows 7 support (not officially supported in OfficeScan 8)
  More options for re-scheduling missed scheduled scans
  Better Active Directory integration
  Better control of removable devices like USB drives
  Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)

Page 18

Trend Micro OfficeScan 10

“In-the-cloud” scanning (“SmartScan”) vs. conventional scanning
  Client uses pattern info stored on local or global servers rather than having to store everything on every client computer
  Updates pattern files hourly instead of daily
  Smaller pattern files on the client, less network bandwidth used to deploy pattern files
  Some heuristic-based detection
  Can still do conventional scanning for systems with limited Internet access

Page 19

Trend Micro OfficeScan 10

Better options for dealing with missed scheduled scans
  Postpone a scheduled scan before it begins
  Stop and resume a currently active scheduled scan
  Resume a missed scheduled scan
  Automatically skip a scheduled scan when laptop battery is below a certain %
  Automatically stop a scheduled scan when it runs longer than a certain period of time

Page 20

Trend Micro OfficeScan 10

Device Access Control
  Sysadmins can control use of removable drives
  Examples: removable thumb drives, FireWire hard drives, PC Cards, media players

Page 21

Trend Micro OfficeScan 10

The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
  Prevents OSCE applications from being injected with malware and impacting business operations
  Protects OfficeScan files / file types within folders from being modified
  Protects OfficeScan system processes to prevent unauthorized shut-down
  Protects OfficeScan system registry entries from unauthorized modification

Page 22

Trend Micro OfficeScan 10

TMOS 10 concerns
  Is a major upgrade, so needs thorough testing
  Uncertainty about use of SmartScan vs. conventional scan
  Significant CPU utilization every hour on Local Scan Server when it downloads and processes new pattern files
  Standalone Scan Server requires VMware™ ESXi Server 3.5 Update 2, VMware ESX™ Server 3.5 or 3.0, or VMware Server 2.0
  1,000 client limit if running Local Scan Server and OfficeScan server on the same server (compared to 5,000-8,000 clients for the latter) – called “Integrated Scan Server”
  No tool yet to export/import config from a TMOS 8 server to a TMOS 10 environment, but they’re working on it.

Page 23

Trend Micro OfficeScan 10

TMOS 10 plans
  Is available now, has been out for a while (service pack 1 in beta)
  Needs more testing – campus sysadmins encouraged to test
  Central TMOS 10 server for testing sometime...
  SIRT will plan coordinated rollout for campus (can be pushed from the server)
  No timeline at this point, but advantages warrant a somewhat aggressive schedule, as does release of Windows 7 in late October

Page 24

Trend Micro Security for Macs

K-State’s license for Symantec AV for Macs expires October 27, 2009
No budget for renewal or replacement
TM Security for Macs (TMSM) is a new product from Trend Micro, included in our campus site license
Barring a show-stopper problem, we will switch to TMSM this fall

Page 25

Trend Micro Security for Macs

Features/Advantages:
  No additional cost
  Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
  Managed as a plug-in to current Windows OfficeScan servers, so we have a common management platform
  Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors
  Includes Web Reputation Services to help prevent users from visiting known malicious web sites
  Covered by current Silver Premium Support contract
  Single vendor for all AV products

Page 26

Trend Micro Security for Macs

Timeline:
  Version 1.5 in beta test now
    Being tested pretty extensively at K-State
    Fixed known issues we had with v1.0
  Production release available to K-State after August 25
  Switch by October 27, or semester break for imaged labs (SAV will continue to work)
  New Macs should install Symantec now but plan to switch

Page 27

What’s on your mind?