Viruses & Malware: Effects on Enterprise Networks

Diane M. Duhé

July 5, 2011


Abstract

Malware poses a significant threat to computer networks of all sizes.

This paper provides a summary of three key components of malware infection as it pertains to enterprise networks: Detection, Disinfection and Related Costs.

The “Detection” element comprises a synopsis of two types of malware, metamorphic and polymorphic, and discusses three popular models of heuristic, behavioral malware detection: signature-based, file emulation, and file analysis. Two new emerging models of detection, “traffic aggregation” (communication), and network vulnerability scanning are also discussed.

The paper’s “Disinfection” component includes an overview of the two types of system infection (memory-file-registry infectors and memory-only infectors) and the current methods of disinfection, including malware-specific removal tools, real-time scanners and cloud-based technologies, with the pros and cons of each.

Methods for quantifying costs of direct and indirect malware attacks, the importance of utilizing “value calculators” and creating/implementing security budgets are outlined in “The Related Costs of Malware”.


Introduction

Malware, simply defined, is software that is not beneficial, and may in fact be harmful, to a computer. It poses a significant threat to all computer networks, whether large or small, public or private.

Some forms of malware, such as botnets, trojans, rootkits and spyware, are often difficult to detect and/or isolate because they are non-disruptive in their course of action.

This paper provides a summary of three key components of malware infection as it pertains to enterprise networks: Detection, Disinfection and Related Costs.

The term “Malware” once referred to viruses and worms, but current malware has evolved into a very selective type of tool. Malware is no longer written using amateur scripts, or using “copy and paste” methods, by “script kiddies.” Instead, highly trained programmers are authoring today’s malware, being covertly trained and supported, via political syndicates, organized crime, government sanctioned-unacknowledged (“dark”) ops, and some nation-states. [1]

What was once considered to be rebellious behavior or pranks has progressed into serious criminal activity. Malware is now used for crimes such as industrial espionage: “transmitting digital copies of trade secrets” [2] such as customer names, business plans, contracts…virtually any and all private or personal information.

As cell phones are increasingly used as mobile computing devices, and are attached to networks, they are also at risk for malware infection. They are included in this discussion as well.

In order to discuss current and emerging detection and disinfection techniques, it is necessary to have a basic understanding of how malware infection occurs and how it avoids detection in order to carry out its functions.


Popular Methods of Infection

Exploits and “Drive-by downloads”

Although not a well-known fact, an extensive, highly developed “malware distribution network” exists on the internet. Its structure is tree-like: the outer branches are web pages that serve as “landing sites” and move users further into a trunk system of web servers, which are actually malware “distribution sites”. The distribution sites install malware by exploiting security holes in the machine’s browser or in applications such as Adobe products and JavaScript. When this type of exploit is successful, the hacker has complete control of the machine at the system level.

By using the same exploits, programs called “file droppers” can be installed. A file dropper is “a program that will continue to install malicious code”. Since it is not itself an infected file (it simply carries code), it is not detected by virus-scanning software [3].

Some droppers install applications that are able to record keystrokes, easily stealing passwords, banking information, etc. Some droppers install software that will add the PC to a larger group of exploited machines that are used as a group, for carrying out malicious actions.

The number of ways to create these landing sites is continuously growing.

Security patches should be applied whenever possible in order to prevent infection, rather than relying on “workarounds.”

The ideal solution to this type of infection would include identifying software vulnerabilities, developing and issuing patches, implementing them, and educating users.

Social engineering

A very common, and very old, but successful way of introducing infection is by using “Social Engineering” techniques.

Social Engineering is defined in many ways, from “The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional” to “con games performed by con artists.” [4] Social Engineering is basically a psychological, manipulative tool that depends upon and takes advantage of a person’s natural predisposition to be trusting. Social engineering techniques persuade unwary users to perform actions, such as clicking on links, which result in malware being downloaded and installed on their computer.


Rogue Infection

Rogue infections are “fake” virus pop-up alerts that are installed via a compromised web page that exploits security holes, much like “drive-by” infections. Rogues “notify” users that their computer is “infected” or that it has “critical errors”. These are realistic-looking alerts and usually appear as if generated by the installed operating system. Whether the user closes the pop-up window, or clicks “cancel” or “OK”, the result is always the same: malware is installed (usually trojans). The user then continues to be prompted, via pop-ups, to purchase anti-virus software that will remove the malware. With these types of infections, network settings are often changed, proxies are installed, or homepages are redirected (“hijacked”).

Peer-to-peer (P2P), torrent and file sharing programs

When using file sharing programs, it is difficult to verify that the source of the files is trustworthy, because the users that are sharing their files remain anonymous. Many times, file sharing applications are used to pass on malicious code, such as spyware, viruses, trojans, or worms, via the shared files.

E-mail

Two common ways that email is used to deliver malware are attachments and links within the body of the email.

The attachment may contain embedded malware. Opening the attachment will launch the malware program.

Clicking on a link contained in an email could exploit security holes in the web browser, or use exploits to activate a malware program that’s embedded in the e-mail message. Or, the link may open an infected web page that holds embedded malware.

USB devices

There were an estimated 3.75 million malware attacks via USB devices in the first quarter of 2010. [5] USB devices, which include portable gaming units, digital camera memory cards, cell phones, MP3 players, portable USB CD/DVD drives, FireWire and eSATA devices, and digital picture frames, are extremely susceptible to becoming carriers of malware and reinfecting other machines.


USB malware transmission begins by inserting the device into an infected machine, whereby the malicious software copies itself to all storage locations and devices: network shares, local drives, and removable media such as USB drives. By altering the autorun.inf file and copying hidden malware files to the drive, the autorun.inf file will launch and execute the malware when the portable drive is inserted into a different machine. The malware copies itself into Windows operating system files and is able to replicate every time the computer is booted.

Disabling the “auto run” feature in the Windows operating system, to prevent the autorun.inf file from automatically launching, seems like a good preventative measure, but in reality even just browsing to the root folder of an infected USB stick can still trigger the infection by taking advantage of Windows processes. [6]
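As an added illustration (not part of the original paper), the following Python script parses an autorun.inf of the kind just described and reports the directives a defender would want flagged when screening a removable drive. Both autorun.inf bodies, the hidden folder name and the executable name are constructed for the example.

```python
import configparser

# Constructed autorun.inf resembling the USB-borne pattern described above (not a real
# sample): it launches an executable kept in a hidden folder and mimics the normal
# "Open folder to view files" prompt so the user does not notice anything unusual.
SUSPICIOUS_AUTORUN = """[autorun]
open=hidden\\update.exe
shellexecute=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed benign autorun.inf: only cosmetic directives, nothing is executed.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Install Disc
"""

# Directives that cause a program to run when the drive is inserted or opened.
EXEC_KEYS = ("open", "shellexecute")


def analyze_autorun(text):
    """Return a list of human-readable findings for one autorun.inf body."""
    # strict=False tolerates duplicate keys, which autorun.inf files often contain;
    # interpolation=None keeps '%SystemRoot%' from being treated as a format string.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # configparser lower-cases keys, matching Windows' case-insensitivity
    findings = []
    if not cp.has_section("autorun"):
        return findings
    for key, value in cp["autorun"].items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("command")):
            findings.append(f"{key} executes {value}")
        elif key == "action" and "open folder" in value.lower():
            findings.append(f"action mimics the standard Windows folder prompt: {value!r}")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon borrows a built-in Windows icon: {value}")
    return findings


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, analyze_autorun(body) or "no findings")
```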

Malware Types and Subsequent Detection

Malware detection has been accomplished, until very recently, mainly by using “signatures”.

Signature-based malware detection requires malware to be identified by analysis of its code, searching for and finding code that is unique to that specific malware program. The discovered code is then used to create anti-malware software that is based on recognizing that code.

Once created, the anti-malware software must then be installed onto the computer system, and allowed to scan, detect and remove the malware. This entire process must be repeated anew for every novel instance or variant of malware. [7]

As malware continues to evolve in ways that avoid detection, it is simply not practical to continue detection in this manner, even when a single signature is constant within a large proportion of malware.

The main way that malware avoids detection by signature-based antivirus scanners is by using “obfuscation” [8], a technique that changes malware into new and different versions of itself while maintaining its functionality.

“Obfuscation” actually uses encryption in the main body of the malware program. Once the malware is launched, a built-in decryptor recovers the main body. Because the decryptor itself remains constant, it can be detected by antivirus scanners that have been developed to detect decryptor patterns. In this “reverse” way, the presence of the obfuscated malware is detected.

Polymorphic malware was created in response to this decryptor constancy problem. Polymorphic malware is able to create limitless encryptors, thereby increasing the difficulty for signature-based scanners to detect it. There is a variation of polymorphic malware called “metamorphic” malware, which takes this a step further. Metamorphic malware can recognize, parse and mutate itself as it spreads, and it does not utilize encryption at all.

In response to these types of malware adaptations, proactive, heuristic, dynamic, anti-malware scanning has been developed.

Heuristic scanning compares the source code of a file to the source code of known malware. If the detected code matches a certain percentage of the known malware code, it is labeled as a possible threat.
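To make the contrast between the signature-based detection described earlier and the percentage-match heuristic just described concrete, here is an added Python example (not from the paper): an exact-string signature search beside a heuristic score that measures the share of 4-character fragments a file has in common with a known malware sample and labels the file a possible threat above a threshold. The source fragments, the signature and the 0.6 threshold are all assumptions made for the illustration.

```python
# Constructed "known malware" source fragment, a variant of it with one junk statement
# inserted, and an unrelated benign fragment. All three are made up for this example.
KNOWN_MALWARE = "a=open('x.exe');b=a.read();a.write(b+SELF);run(PAYLOAD);"
VARIANT = "a=open('x.exe');junk=1;b=a.read();a.write(b+SELF);run(PAYLOAD);"
UNRELATED = "print('hello world');exit(0);"

# A signature is an exact fragment lifted from the analysed sample; the variant's
# inserted statement breaks it even though the behaviour is unchanged.
SIGNATURES = ["x.exe');b=a.read()"]

HEURISTIC_THRESHOLD = 0.6  # assumed: share of common fragments needed to call a file a possible threat


def ngrams(text, n=4):
    """Set of all overlapping n-character fragments of text."""
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def similarity(a, b, n=4):
    """Jaccard similarity of the n-gram sets: the share of fragments the two texts have in common."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def signature_match(sample, signatures=SIGNATURES):
    """Signature-based detection: exact substring search for a known fragment."""
    return any(sig in sample for sig in signatures)


def heuristic_score(sample, known=(KNOWN_MALWARE,), n=4):
    """Heuristic detection: best similarity against every known malware sample."""
    return max(similarity(sample, k, n) for k in known)


def classify(sample, threshold=HEURISTIC_THRESHOLD):
    """A signature hit wins; otherwise fall back to the percentage-match heuristic."""
    if signature_match(sample):
        return "signature"
    if heuristic_score(sample) >= threshold:
        return "possible threat (heuristic)"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_MALWARE), ("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name:<10} score={heuristic_score(sample):.2f} -> {classify(sample)}")
```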

Dynamic scanning is real-time scanning that allows code to be run in a virtual environment, or “sand-box” while it is observed.

“File Emulation” is a type of dynamic scanning that analyzes the characteristics and behavior of code in this virtual environment, and if the code behaves like malware, it is considered to actually be malware [9] and is treated as such.

“File Analysis” is a scanning method that works in real time (dynamic) and utilizes behavioral analysis of files in order to determine their intent (heuristic). Both of these methods (File Emulation and File Analysis) assess the effects of a particular application. They monitor for activities like replication and file overwriting. In this manner, many types of polymorphic and metamorphic malware can be detected with a single behavioral specification.

Malware that infects mobile phones is usually spread through SMS/MMS messaging and Bluetooth. Because cell phones are limited in CPU capacity as well as memory capacity and battery power, detection methods for these devices need to carry a small footprint. [10] Dynamic, heuristic scanning methods as outlined above work best for these types of devices.

“Traffic aggregation” detection is based on the idea that malware usually infects multiple systems on a network, and that the malware communicates with external networks, (to export data, or receive commands). By analyzing network flow, identifying communications that share common characteristics (aggregates) including payload, flow to a common external network, or identifying internal hosts that share similar software platforms [11], malware infections can be detected.
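An added Python example (not part of the paper) of the aggregation idea above: constructed flow records from several internal hosts are grouped by shared external destination and by shared payload characteristic, and any aggregate spanning at least three internal hosts is reported, with an allowlist for destinations that many hosts legitimately share. The addresses, ports and payload labels are made up for the example.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic): each is one internal host (src)
# communicating with one external host (dst). payload_sig stands in for whatever
# payload characteristic the sensor extracts, e.g. a hash of the first bytes.
SAMPLE_FLOWS = [
    {"src": "10.0.1.11", "dst": "203.0.113.7",   "dport": 8080, "payload_sig": "beacon-v1"},
    {"src": "10.0.1.12", "dst": "203.0.113.7",   "dport": 8080, "payload_sig": "beacon-v1"},
    {"src": "10.0.2.40", "dst": "203.0.113.7",   "dport": 8080, "payload_sig": "beacon-v1"},
    {"src": "10.0.1.11", "dst": "198.51.100.5",  "dport": 443,  "payload_sig": "tls-a"},
    {"src": "10.0.1.13", "dst": "198.51.100.5",  "dport": 443,  "payload_sig": "tls-b"},
    {"src": "10.0.1.11", "dst": "198.51.100.25", "dport": 443,  "payload_sig": "tls-c"},
    {"src": "10.0.1.12", "dst": "198.51.100.25", "dport": 443,  "payload_sig": "tls-d"},
    {"src": "10.0.3.77", "dst": "198.51.100.25", "dport": 443,  "payload_sig": "tls-e"},
]

# Assumed allowlist: the hosted mail service every workstation talks to anyway.
CORPORATE_SERVERS = frozenset({"198.51.100.25"})


def find_aggregates(flows, min_hosts=3, known_good=frozenset()):
    """Report aggregates shared by at least min_hosts distinct internal hosts.

    Two aggregation keys are used, following the description above:
      - a common external destination (dst address and port)
      - a common payload characteristic (payload_sig), whatever the destination
    Destinations in known_good are skipped so that services every host uses
    legitimately do not produce an alert.
    """
    by_dest = defaultdict(set)
    by_payload = defaultdict(set)
    for f in flows:
        if f["dst"] in known_good:
            continue
        by_dest[(f["dst"], f["dport"])].add(f["src"])
        by_payload[f["payload_sig"]].add(f["src"])

    findings = []
    for (dst, dport), hosts in sorted(by_dest.items()):
        if len(hosts) >= min_hosts:
            findings.append({"kind": "destination", "key": f"{dst}:{dport}", "hosts": sorted(hosts)})
    for sig, hosts in sorted(by_payload.items()):
        if len(hosts) >= min_hosts:
            findings.append({"kind": "payload", "key": sig, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in find_aggregates(SAMPLE_FLOWS, known_good=CORPORATE_SERVERS):
        print(f"{finding['kind']:<12} {finding['key']:<20} hosts={', '.join(finding['hosts'])}")
```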


The final type of detection to be discussed is “Network Vulnerability Scanning.” This type of scanning is an event-driven approach that looks at network context. Network activity is monitored and triggers/alerts result from particular changes in network activity. [12]

Disinfection

The purpose of “Disinfection” is to restore the system to its previous state of functionality, prior to infection, ideally without having to reinstall software.

To understand the concept of Disinfection, this section includes an overview of the two types of system infection: memory-file-registry infectors, and memory-only infectors. The disinfection method utilized will depend upon the type of malware that is infecting the system.

1. Memory-File-Registry Infectors

Memory-File-Registry Infectors use any combination of the memory, file and/or Registry in order to control the system. These infections can reside in memory as a process or service, add or modify registry entries, or modify an existing or dropped file. If the modified file resides in memory, that complicates the process, because operating systems will not allow the deletion of a file as long as an associated process or service is residing in memory.

Memory scanners, file scanners and registry scanners are all used to detect this type of infection.

2. Memory Only Infectors

Memory only infectors don’t use files, or the registry. They exist as either a process or a service and because of that, are more difficult to detect.

Memory resident malware is the most damaging type of malware because it becomes active when a malware application, or infected program, is launched, or at system boot. It remains active until the machine is rebooted, turned off, or power to the machine is otherwise disrupted.


As mentioned above, operating systems will not allow the deletion of a file as long as an associated process or service is residing in memory, so any memory-resident processes associated with the malware must first be killed and/or the associated resident services stopped. Doing this takes control away from the malware, and prevents the malware from reinfecting the machine or restoring its physical counterpart. (That is, unless the malware has started another process or service, or replicated itself before the process or service has been stopped.) [13]

Disinfection Methods

Removal Tools

“Removal Tools” are popular solutions during large outbreaks of infection.

They have advantages, such as being small, quickly downloadable, and that they are executed separately from other scans.

Removal Tools are malware-specific, which is a disadvantage. Each tool will only disinfect a system of specific malware or family of malware. Another disadvantage is that often they cannot be deployed from a central location, making it nearly impossible to use them in large organizations.

Real time scanners

Real-time scanners (also called resident scanners) provide automatic protection by monitoring for suspicious activity while data is flowing into the computer or when a file is opened. The scanner runs in active (resident) memory. [14] Because monitoring is done in real time, malware can be detected before it installs or propagates on the machine. When the scanner identifies a potential malware infection, it takes appropriate action by quarantining or deleting the program and alerting the user.

On-Demand Scanners

On-Demand Scanners examine the contents of the hard drive. The user can choose to examine a portion of the drive, certain types of files, for example “documents” only, or the entire drive. This type of scan is relatively slow, since every file on the machine is examined, and it tends to utilize computer resources such as memory. Once the scan is finished, additional scans will not be performed unless they have been auto-scheduled or the scanner is launched manually.


“Cloud Based” Scanners

Online scanners provide an additional option for malware detection and disinfection. Many times, when a computer is infected with malware, the existing protection is disabled, or because the network settings have been reconfigured, the anti-malware software cannot update. By utilizing an online scanner, an infected machine can be diagnosed and disinfected quickly, on-the-fly. They typically have user-friendly interfaces, do not require scheduling, updating or configuring [15]. They use very few system resources because they are running via powerful servers. They have up-to-date databases and the latest file definitions.

The Related Costs of Malware

Determining and balancing the cost of malware is actually an exercise in risk analysis. The first step to determining this expense is assigning values to all information assets. The second step is to estimate the potential loss.

The assigned asset and loss values are then used to determine the single loss expectancy (SLE), which is defined as the expense of recovering from a single malware attack.

Calculating the SLE includes a summation of the following costs: [16]

- The cost of purchasing/maintaining anti-malware products
- The ongoing cost for maintaining anti-malware, i.e. subscriptions for updates/other related services
- Assigning a value to the company's data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information, emails)
- Lost revenue
- Potential cost of fines and penalties for violating confidentiality/privacy agreements
- Loss of employee productivity
- Cost of repairing damaged systems
- Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space)

Next, determine the annual loss expectancy (ALE) of a single malware attack, based on the average number of previous attacks per year.


Multiply the SLE by the ALE to determine the annual cost of malware for the business. [17]

Setting a Security Budget

After determining the annual cost of malware, it is crucial to plan an anti-malware budget accordingly. The figures from the above calculations will provide a rough estimation for the planned yearly expenditure for anti-malware protection.

Assess the amount of risk that the company is willing to take. For example, some companies might choose to accept a higher level of risk of infection, because it’s been determined that the actual probability of attack is very low, or because the organization has lowered some risks in other ways, such as by purchasing insurance, or the use of offsite backup solutions.

These calculations can be used in creating a security budget, and /or for calculating the value of the particular anti-malware tools already in place. [18]

Calculators

There are many risk calculators available online as shareware. They are easy to use, and will generate an estimate of various risks, using several of the variables mentioned above.

One such calculator was used to estimate the financial risk for a fictitious organization of 1,000 employees.

The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm analyzed the organization’s workplace and email environment (using the number of employees with email access, the number of minutes of email usage per employee per day, and the average employee salary) along with the number of IT staff and their average salary. The effects of an email malware attack in regard to salary and productivity were found as follows:

It was determined that a fictitious organization of 1,000 employees earning an average of $25/hr, and using email for approximately 30 minutes per day, would cost the company 524 hours, which translates into $13,700.00 in lost salaries per day (or $570.83 per hour).


Conclusion:

Malware is comprised of several types of harmful applications. It affects networks of all sizes, and is installed via various means, many times without a user’s consent or knowledge. It is costly to businesses in regard to prevention as well as recovery.

Malware is no longer viewed as a prank created by script kiddies. Malware is now developed by professional programmers who are paid for their work, and is used to steal information of all kinds. New types of malware are continuously being developed in order to avoid detection.

Malware is installed on systems via several methods, some of which require user interaction and some of which do not. Educating users about means such as social engineering, and phishing is a pro-active way to help carry out prevention.

Disinfection methods have for the most part, been reactive, although new, proactive methods of detection and disinfection are being developed. Detection and disinfection can be costly.

Risk analysis and assessment must be performed; they are a necessary element in determining the expenditures that a business should prepare to incur. Creating and implementing a security budget is essential in order to protect information assets, privacy, confidentiality, and the network infrastructure.


References

1. George Ledin, Jr. (February 2011), The Growing Harm of Not Teaching Malware, Communications of the ACM, vol. 54, no. 2

2. Steve Lohr, January 17, 2010, Companies Fight Endless War Against Computer Attacks, NYTimes.com, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html

3. Ilsun You, Kangbin Yim, (2010) Malware Obfuscation Techniques: A Brief Survey, ACM Digital Library, retrieved on June 07, 2011 from: https://connect.spsu.edu/plugins/dl/pdf/proceedings/bwcca/2010/4236/00/,DanaInfo=.aoskjmsE345Jn0z399v9S8A2+4236a297.pdf?template=1&loginState=2&userData=Southern%2BPolytechnic%2BState%2BUniversity%253ASouthern%2BPolytechnic%2BState%2BUniversity%253AAddress%253A%2B168.28.177.10%252C%2B%255B140.98.196.192%252C%2B168.28.177.10%255D

4. Jerri Ledford, Social Engineering, Identity Theft, About.com, retrieved on 06/30/11 from: http://idtheft.about.com/od/glossary/g/Social_Engineer.htm

5. Avast (2010), Auto Run for malware: One out of every eight attacks comes via a USB device, Prague, Czech Republic, retrieved on 06/21/11 from: http://www.avast.com/pr-autorun-for-malware-one-out-of-every-eight-attacks-come-via-a-usb-device

6. Lumension Security Inc, Unruly USB: Devices Expose Networks to Malware, lumension.com

7. Ellen Messmer (2008), Security vendors leaving 'old school' malware detection methods behind, NetworkWorld, retrieved on 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html

8. http://www.webopedia.com/TERM/D/dropper.html


9. Karl, (2010) USB Top Method for Spreading Malware, Computer TLC, retrieved on 06/21/11 from: http://computertlc.net/whats-hot/usb-top-method-for-spreading-malware

10. Abhijit Bose, Xin Hu, Kang G. Shin, Taejoon Park (2008), Behavioral Detection of Malware on Mobile Handsets, ACM Digital Library, retrieved on 06/16/11 from: https://connect.spsu.edu/10.1145/1380000/1378626/,DanaInfo=.adfnlzjx5HjmxL15v+p225-bose.pdf?ip=168.28.177.10&CFID=29653738&CFTOKEN=77369117&__acm__=1308579214_d19c9d6878a170ad7496e95dd6796ec9

11. Ting-fang Yen, Michael K. Reiter, Traffic Aggregation for Malware Detection, ACM Digital Library, retrieved on 06/03/11 from: http://portal.acm.org/citation.cfm?id=1428337

12. Yunjing Xu, Michael Bailey, Eric Vander Weele, Farnam Jahanian (2010), CANVuS: context-aware network vulnerability scanning, ACM Digital Library, retrieved on 06/18/2011 from: https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1894166.1894177&coll=DL&dl=GUIDE&CFID=29653738&CFTOKEN=77369117&preflayout=flat#source

13. Jong Purisima and Vincent Tiu, System Disinfection, GovernmentSecurity.Org, Network Security Resources, retrieved on 06/18/2011 from: http://www.governmentsecurity.org/forum/index.php?showtopic=276

14. http://support.kasperskyamericas.com/

15. Pros and Cons of Free Online Virus Scanners, ProductivityPortfolio, retrieved on 07/02/11 from: http://www.timeatlas.com/web_sites/general/pros_and_cons_of_free_online_virus_scanners


16. John Edwards, April 30, 2009, Money for Nothing: The Real Cost of Malware, Focus, retrieved on 06/28/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/

17. John Edwards (2008), The Malware Burden, Network Security Journal, retrieved on June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/

18. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved on June 29, 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasures

Other References:

Vinod P, V. Laxmi, M. S. Gaur, Survey on Malware Detection Methods, retrieved on 06/02/11 from: http://www.security.iitk.ac.in/contents/events/workshops/iitkhack09/papers/vinod.pdf

Aubrey-Derrick Schmidt, Frank Peters, Florian Lamour, Christian Scheel, Seyit Ahmet Çamtepe, Şahin Albayrak (November 2008), Monitoring Smartphones for Anomaly Detection, ACM Digital Library, retrieved on 06/18/11 from: https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1503496.1503504&coll=DL&dl=GUIDE&CFID=29700256&CFTOKEN=40903672

Linda Musthaler (Mar 3, 2008), Google says the scope of drive-by malware is 'Significant', Networkworld, retrieved on 06/5/2011 from: http://www.networkworld.com/newsletters/2008/0303techexec1.html