1 / 23

UCAR Malware incidents

UCAR Malware incidents. The Mebroot / Torpig threat. What we’re up against. Infections in ACD. Attempted compromise of a Linux machine visiting a newspaper site Successful compromise of a 2 Windows XP, 1 Vista machine Multiple infections of UCAR systems – all Windows PC’s

Download Presentation

UCAR Malware incidents

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. UCAR Malware incidents The Mebroot/Torpigthreat NCAR/ACD/NESL Computing

  2. What we’re up against

  3. Infections in ACD • Attempted compromise of a Linux machine visiting a newspaper site • Successful compromise of a 2 Windows XP, 1 Vista machine • Multiple infections of UCAR systems – all Windows PC’s • One UCAR system re-infected after it was reformatted/reinstalled • All were variants of TORPIG – all detected by monitoring network activity Cost of Infections • TIME: Security staff, System Administrators, End-user • Systems must be reformatted/reinstalled. (in ACD we’ve used new disks) • Each System must remain down for forensics for approx 1 week • In one case, a staff member complained personal information was removed from his/her control.

  4. What is infecting us… • TORPIG/MEBROOT • MEBROOT is a “root kit” (aka Sinowal or Anserin) • TORPIG is a keystroke logger What does TORPIG do? • Scans for credentials • Keystroke logging – sends to evasive but known collection sites • Knows about hundreds of banking sites; captures credentials • RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts • Motivation: Financial • A problem among personal computers as well as corporate networks

  5. How does TORPIG get in?

  6. How does TORPIG get in? “Malware community” Buys ads – look legitimate when viewed by Google, but inject scripts when viewed by other browsers

  7. Drive-by download • Uses scripting (Javascript, Flash) • Intelligence built into the script • Looks legitimate except for the “target” audience • Avoids certain environments (Linux, MacOS) • Must find a vulnerable application • Looks for dozens of vulnerabilities • Browsers • Java plugins • Media players (video, audio) • Adobe PDF applications

  8. The Mebroot “root kit” • The vulnerability is exploited and a “rootkit” is injected • What is a rootkit? • Software to give an intruder access to a machine • The software defends itself • against detection • against removal

  9. The Mebroot “root kit” • What is the Master Boot Record? • A machine’s BIOS passes control to the MBR at boot time • 512 bytes of code • Holds the partition table • Bootstraps the OS

  10. The Mebroot “root kit” • What does Mebroot do? • Replaces the MBR • Intercepts network and disk I/O • Mebroot passes the original MBR to the OS for any disk I/O • Making it invisible to all programs including Antivirus • “Hides” Torpig in the same way – hides hooks into the OS • Code is evolving: Much more evasive than it used to be • Mebroot can be used to “hide” future malware • Symantec Antivirus may detect the hooks – it cannot detect Mebroot

  11. Our best defense: block scripts HTML content “Malware community” Buys ads – look legitimate when viewed by Google, but inject scripts when viewed by other browsers Stop Scripting, Java and Media incl Flash

  12. Blocking scripts: NoScript • NoScript is a browser plugin for Firefox • Blocks by default: • JavaScript • Java • Flash • Silverlight • Some other plugins • Whitelist • Allows you to select scripts to run for a session, or always allow • Sites may also be blacklisted with NoScript

  13. NoScript: All good things have a cost “My web page looks different!”

  14. NoScript: Decisions… Statistic gathering • 9news.com scripts: • google-analytics • coloradonewshome • revsci.net • brightcove • gannett-tv.com • others… Advertising(potential malware) Multimedia provider

  15. Rules of thumb • Allow a minimum of what will make a site useful to youSites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)Don’t allow advertising: • Prevents drive-by downloads • Speeds up web page loading • Google analytics and Google Adsense may always be blocks by NoScript • Feel free to delete cookies

  16. Online banking • Online banking is the specific target of TORPIG • Over 300,000 known credential thefts related to banking • Even small banks are being targeted

  17. Online banking: Recommendations • USE a dedicated SEPARATE BROWSER for online banking • Better yet, a separate computer that does no other browsing • Virtual machines might work • Use only one machine from one IP address for banking. Makes it easier to investigate incidents involving banking fraud. • Use strong passwords • Convince your bank to use a one-time password token

  18. PC/Windows recommendations • Plan so your work may continue in the event of a compromise • Be ready to use a secondary machine or laptop • Reduce your risk • Keep applications updated • Install and use the SecuniaSoftware inspector http://secunia.com/vulnerability_scanning/personal/ • Be wary of fake antivirus or other popups • Report anything unusual • We’ll do our best to protect your privacy but need information to help investigate virus incidents

  19. Mac/Linux recommendations • MBR malware can just as easily compromise Linux • Macs use Extensible Firmware Interface (EFI) to boot – less vulnerable • Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications • Situation may change: • Adobe and Java vulnerabilities affect Mac and Linux versions as well • A growing Macintosh market may make it worth exploiting

  20. Mebroot/TORPIG are only our current threat…

  21. Oregon Top 10 … We see this often at NCAR Torpig & Conficker have low detect rates because of new stealth technology like Mebroot Social networkingvirus

  22. Demonstrations • NoScriptplugin • Secunia Software Inspector (if there’s time)

  23. Thank You ! … March 17, 2010

More Related