1 / 32

Threats of Computing in a Virus-Filled World

Threats of Computing in a Virus-Filled World. or, how I stopped worrying and learned to love the worm…. Dr. John Johnson, CISSP. The Joys of Computing in 2003. 65,336 PC viruses discovered to date 4,129 IT vulnerabilities in 2002 [ http://www.bullguard.com/antivirus/news_184.aspx ]

stacey
Download Presentation

Threats of Computing in a Virus-Filled World

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threats of Computing in a Virus-Filled World or, how I stopped worrying and learned to love the worm…. Dr. John Johnson, CISSP

  2. The Joys of Computing in 2003 • 65,336 PC viruses discovered to date • 4,129 IT vulnerabilities in 2002 [http://www.bullguard.com/antivirus/news_184.aspx] • 40 Critical Microsoft Vulnerabilities by Oct. • “Millions Reported in Damage Last Year Due to Viruses” • “MSBlast Continues to Spread” • “Sobig.C – The Tip of the Iceberg” • “IE users defenceless to trojan attack” • “Broadband severely increases security risk”

  3. Agenda • I’ll talk about the problem and give some examples. • I’ll give some ideas to deal with viruses in both the corporate and home environments. • I’ll give some Best Practice suggestions. • I’ll give some WWW resources. • I’ll try to take as many questions as I can before the drinking starts!

  4. CSI/FBI Computer Crime Survey 2003 (Virus Loss) 2003 CSI/FBI Computer Crime Survey, www.gocsi.orgbased on 47% of the 530 responses that could quantify these losses

  5. Terminology VIRUS HOAXES & CHAIN LETTERS WORM MASS-MAILER TROJANS, BACKDOORS & ZOMBIES BLENDED THREAT SPYWARE/ADWARE SPAM

  6. VIRUS • Definition: (loose) Self-replicating program • History: • Malicious viruses didn’t arise until the 1980s. • Fewer than 5 viruses in 1987 • Boot Sector Viruses – infecting diskettes • Macro Viruses – use a macro language and spread via applications like Microsoft Word (first cross platform virus)There are now > 10,000 macro viruses worldwide. • Who Writes Them? No longer just the teenager, now the profile is 14-30s Male, looking to feel empowered

  7. HOAXES & CHAIN LETTERS • Definition: Hoaxes and Chain letters are sometimes just jokes, sometimes annoying, and sometimes dangerous • Social Engineering: Often these email messages are a great waste of time and bandwidth, with people sending them to all of their friends. Sometimes, they convince the user to actually delete files (like the JBDGMGR “teddy bear” hoax). • With a misconfigured email system, the confusion alone can cause many replies which then route to all the users on a mailing list, and the noise can take days to die down. • Some antivirus programs treat these like viruses and quarantine them.

  8. WORM • Definition: A worm is a self-replicating program that propagates from host to host. • History: Originally, a sector map would show worm-like errors from a misbehaving code. The name stuck and came to describe viruses that act on their own using more and more sophistication,exploiting technology and vulnerabilities.The first worms were helpful tasks,and malicious worms have becomethe most dangerous kind of viralthreat.

  9. MASS-MAILER • Definition:Mass-mailers exploit vulnerabilities in the way email programs work, like Microsoft Outlook, to gather email addresses and spread to all the users they can find via email. These messages look like they came from a friend (social engineering), so they are often opened and executed. Some will auto-execute, exploiting an operating system vulnerability as well.

  10. LoveLetter • The ‘I Love You’ Virus hit in May, 2000. • This was my first BIG virus crisis! • It started with an innocent letter, appealing to lonely email readers (social engineering). The subject was “I Love You”, and the payload was a VBS script that, when executed, quickly spread in email to all the users in your address book, and wormed its way through fileshares, destroying image files. • At least 82 variants of this worm were discovered. The latest is VBS.LoveLetter.CN, dated May 31, 2001.

  11. TROJANS, BACKDOORS & ZOMBIES • Definition:These spread as viruses and worms, and include hidden code that will allow a remote user to access the computer or use the computer to attack another. • As an example, be wary of any screensavers my son might send you! It may contain netcat, a program that allows him to remote control your computer, see your screen, open your CD drawer and play with your mouse. • Not all are so kind. Some will use your computer as a launching point in a multi-layered attack against another target. They can use you as a zombie in a Distributed Denial of Service (DDoS) attack.

  12. BLENDED THREATS • Definition:A blended threat will use network vulnerabilities (often known widely for many months) along with virus or worm vectors to quickly spread to many hosts. • History:In 2001, Code Red came out late in the summer. It was the first virus that spread using a published vulnerability in IIS on Windows NT and Windows 2000. • Blended threats are the fastest growing and most dangerous type of virus threat to date. Within minutes, vulnerable computers across the world can become infected (depending on the vulnerability.) • Response to Blended Threats requires both antivirus tools and network tools (to monitor and control – such as IDS and routers).

  13. Code Red • History:In 2001, Code Red came out late in the summer. (The name came from the team at eEye that discovered it, as they were spending many long hours drinking Mountain Dew Code Red.) • The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service, exploiting this vulnerability and propagating as a worm. Code Red performed a denial of service on whitehouse.gov. • Code Red II, quickly followed on the heels of Code Red. It was more destructive, but used the same buffer overflow vulnerability. Code Red II contained a trojan file, and modified system files.

  14. Nimda • History:Nimda (admin spelled backwards) followed closely on the heels of Code Red. It was first discovered 9/18/01. • Nimda used a vulnerability in MIME types to auto-execute and become memory-resident. Therefore, a machine that was unpatched, could become infected even if it had antivirus. • Sends itself by email. • Searches for open network shares. • Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers. • Is a virus infecting both local files and files on remote network shares. • Several variants of Nimda came out subsequently.

  15. Blaster • History:The Blaster virus came out in August this year. It was a real big pain too! • It used a recent exploit announced (DCOM RPC) by Microsoft. • It also looked for open TFTP shares. • This virus used common ports that Microsoft also uses for filesharing. • It also attempted a Denial of Service against Microsoft. • It tried to download a trojan and install it. • Several variations on the theme followed.

  16. SQL Slammer • History:This virus exploited a known SQL injection vulnerability. • This virus spread to 90% of all the vulnerable (exposed) hosts on the Internet in just 10 minutes. • Once infected, a computer sent out attempts to infect subsequent computers with the same virus. • An unintended side effect was the Denial of Service generated by the tremendous amount of network traffic. • ATM systems, and other major corporations were shut down until they had filters in place on their routers and firewalls. • The only way to fully stop a virus like SQL Slammer or Blaster is to patch all vulnerable machines.

  17. SPYWARE/ADWARE • History:These are annoying and often you don’t even know they are running, or what they are reporting. • They can include hidden programs to spy on your activities. • They can be simple marketing gimmicks (gator.exe), • Or they can be annoying and alter your browser and cause pop-ups. • They can even be used to steal passwords. • Sometimes these get installed when you download a free program off the Internet. Always be careful what you download and what you click on. You may agree to install something by clicking on the EULA without realizing it.

  18. SPAM • History:We all know what SPAM is, and it ain’t all that tasty! • SPAM is annoying, unsolicited email. • Often the spammer generates a subject that looks legitimate, or a FROM address that looks like someone you might know. It might say MOM or JOHN, and may refer to something that looks like you already discussed in a previous email. • Sometimes they try to use the Authority card, and pose as an update from Microsoft or Dell. • Most people report over a third of their email is now SPAM (and growing!) • SPAM costs businesses an estimated $11.9B/year in 2003.

  19. SPAM Fighting • How you might fight the SPAM… • Don’t open anything from anyone you don’t know. • Don’t answer SPAM – it tells them that you exist. • At home, buy a spam filtering program and update it. • At work, or ask your ISP to install spam filtering. Content filtering can block certain adult material, as well as messages that appear suspicious. (This can also destroy legitimate emails.) • At work, use a web proxy to avoid downloading “web bugs”. • At work, subscribe to a Black Hole List. • Register online for FTC No Spam Registry. (legal?)

  20. SPAM Resources • Realtime Blackhole Listhttp://www.mail-abuse.org/rbl • Boycott Internet Spamhttp://spam.abuse.net • Network Abuse Clearinghousehttp://www.abuse.net • Forum for Responsible and Ethical Emailhttp://www.spamfree.org

  21. Now, How can I keep my data with everyone about me losing theirs? Take a deep breath. It’s not so bad.(It could be a lot worse!) What does this mean for the corporation? What does this mean for the home user?

  22. The Corporate Threat • Game Plan: • Defense in Depth! • Firewalls • DMZ for Internet exposed applications • Web Proxy • Content Filtering (web, smtp, ftp…) • Client Antivirus, Email Antivirus, SMTP Gateway Antivirus • Intrusion Detection • Access Controls on Remote Access/Wireless • Security Awareness • A Good Security Team! • Documentation and tested response

  23. On the Homefront • “I’m not really a computer expert…” • You don’t have to be. Have confidence. Know when to ask an expert, and don’t be shy! • Be extra careful if you have kids and/or broadband. • Fork over the money and buy ANTIVIRUS! • Keep your antivirus UPDATED! • Keep your computer patched!(If you don’t own a PC you have a lot less to worry about!) • Get SPAM filtering software / Pop-up blocking • If you’re on broadband, you should have a firewall too.

  24. On the Homefront • Virus Protection - BUY a copy of a good antivirus program (like Symantec, McAfee, Trend, Panda...)Available for all platforms. If you like the online scanner below, you can purchase a commercial version from their site for around $30 with a 1- year subscription. - Keep it updated AT LEAST once a week. Try to set it to autocheck at a convenient time so you don't forget. The paid subscription lets you auto-update. If you don't pay after it expires, you can still get virus updates manually from the vendor website, in most cases. - Here is a link to a page I made to check on the latest virus news: http://www.cybermaze.com/security/virstat.html - Here are some links to FREE ONLINE resources for scanning your PC. + Symantec (PC): http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym (you can perform a virus scan, or check for vulnerabilities) + Trend Micro (PC): http://housecall.trendmicro.com/ + Panda (PC): http://www.pandasoftware.com/activescan/com/activescan_principal.htm + McAfee (PC): http://us.mcafee.com/root/mfs/default.asp

  25. On the Homefront • SPAM -There is nothing worse than having a TON of junk mail in your inbox when you check it. You may not check mail every day, which makes it even more of a chore to deal with the glut of SPAM. - When you get junk mail, you will generally know it is not from someone you know. If you are in doubt, just DELETE the message. Don't take the risk of opening unsolicited email. - Even though you can sometimes opt out of SPAM mailing lists by following the instructions at the bottom of the message, more often than not you are letting the SPAMMER know you are there, and they will send you more SPAM. So, don't reply to SPAM. - Until there is some miracle way of opting out of it altogether, you will need to invest in a SPAM blocking program. While there are filtering options in some email systems, they are weak and it is worth a few bucks to buy a program that will filter SPAM and have a subscription to keep updated with new filters. Here are some options: + McAfee/Spamkiller (PC, $30): http://us.mcafee.com/root/package.asp?pkgid=156 + Matterform/Spamfire (Mac only for now, $25/$40): http://www.matterform.com/ + CoffeeCup PC - haven't tried, but good reviews, $30): http://www.tucows.com/preview/295552.html + SpamWeed for POP3(bayesian spam filter, should learn and improve over time - haven't tried but looks good, $30): http://www.tucows.com/preview/318216.html

  26. On the Homefront • Ad-Ware Dealing with Ad-Ware/Malware (the stuff that gets installed when you download another program or visit a website that reports on what you do) - This is primarily a PC problem, so these tools are exclusively for the PC. - Here are links to a couple FREE software packages that you can use to scan for any adware that might be installed on your system (i.e. Gator, etc.): + Ad-aware (PC, FREE): http://www.lavasoft.de/support/download/ + Spybot (PC, FREE): http://www.safer-networking.org/

  27. On the Homefront • Pop-up Blocking There are several vendors that have tools to block pop-ups. Always be careful that you don't install spyware in the process of downloading a neat toolbar to block pop-ups. Here are some I like. They may also have additional functionality, like Google searching, etc. (Mozilla might be the only pop-up blocker for classic MacOS users.) + Google Toolbar (PC, FREE): http://toolbar.google.com/ + You might also try running Mozilla, instead of Internet Explorer: http://www.mozilla.org/ + On MacOS X, use Safari, it will block pop-ups: http://www.apple.com/safari/ + CoffeeCup Pop-up Blocker ($20): http://www.tucows.com/preview/289024.html

  28. On the Homefront • Vulnerability Patching It is vital that your PC remain patched from critical security vulnerabilities. This Windows site will check your computer for missing patches, you should keep the security patches updated, but may decide not to install other large patches that are not "critical security patches". [Note: Most new operating systems offer the ability to auto-patch your system, you may decide this is your best option, and that way you won't forget. FOR MAC USERS: You can also use the control panel to look for "software updates" on the Mac... this site is for the savvy MacOS X user. In general, the Mac is much less vulnerable to viruses than the PC.] Some of the recent "blended" threats, like Blaster, will infect ANY unpatched computer that is vulnerable if left long enough on the Internet. Even if you have the latest antivirus. Remember that antivirus is NOT a 100% solution anymore. + Microsoft(PC): http://windowsupdate.microsoft.com/ + Apple(MacOS X) Security Updates: http://docs.info.apple.com/article.html?artnum=61798

  29. The Future • In the future, the Internet will extend its reach into your home and every aspect of your life. • Viruses and threats will become commonplace. • Vendors will need to ship computers with default deny, instead of default allow. • If you keep updated and practice safe computing,you will probably stay safe and keep your data in the chaos.

  30. RESOURCES • CERT: http://www.cert.org/other_sources/viruses.html • VMyths: http://www.vmyths.com/ • Computer Secutiry Institute: http://www.gocsi.com/ • John’s Security Page: http://www.cybermaze.com/security/index2.html • A Virus Tutorial: http://www.cknow.com/vtutor/ • NIST: http://cs-www.ncsl.nist.gov/virus/ • X-Force (ISS): http://xforce.iss.net/ • Microsoft Updates: http://windowsupdate.microsoft.com • You may also go to a good online software site, like http://www.tucows.com/ and go under your operating system (Windows, Mac, Linux) and then click on Internet to pull up tons of freeware and software titles if you don't find something that you like in my list above.

  31. Questions?

More Related