
SECURITY THREAT REVIEW



Presentation Transcript


  1. SECURITY THREAT REVIEW

  2. Agenda • Main topics • Central threats • Terminology • Malware in Action • Brief history, case examples, functionality • F-Secure Anti-Virus Research

  3. CENTRAL THREATS

  4. Threats: Viruses, Worms and Other Malware • Malware • Different kinds of viruses and worms spread extremely rapidly • First viruses for mobile phones and handheld computers found • Adware and spam are crossing from an annoyance to a threat • Hacking • Client devices outside the firewall are prone to hacking, which may grant access to corporate networks • Stolen data • The web is full of tools that enable hacking, spying and eavesdropping

  5. Threats: Underground Economy Using the Internet • Cybercrime is on the rise • Often uses spyware and spam when targeting users • Credit card fraud, stolen identities, access to confidential information, taking over somebody’s computer, using somebody’s computer to launch attacks or send spam, etc. • Also other issues such as distributed denial of service attacks (DDoS) and web page defacements

  6. Threats: Everything Is Connected • Reality is heavily connected to the data networks • Physical networks (electricity, water, transportation) depend on data networks • Many people using computers do not fully understand the technology behind them • Home users connect to the internet without a personal firewall • Easy targets for attacks

  7. TERMINOLOGY

  8. Virus • VIRUS is a computer program that replicates by attaching itself to another object • Boot sector virus • Attaches itself to the boot sector of a diskette • Almost extinct today • File virus • Attaches itself to programs • For example executables • Macro virus • Attaches itself to documents • Spreads effectively through e-mail (Pictured: Excel macro virus ”Button”; file virus ”Funlove”)

  9. Worm • WORM is a computer program that replicates independently by sending itself to other systems • E-mail worms • Spreading using e-mail technology (stealth SMTP relays) • Network worms • Very fast spreading • Network worms connect directly over the network (using the whole TCP/IP protocol suite) • Bluetooth worms

  10. Terminology • REPLICATION MECHANISM is a mandatory part of every virus and worm • If it doesn't have a replication mechanism, it’s by definition not a virus or worm • PAYLOAD is an optional part of the virus/worm. It may do something funny or destructive

  11. Other Malware • MALWARE is a common name for all kinds of unwanted software such as viruses, worms, spyware and trojans • TROJAN HORSE (or trojan) is a program with hidden functionality, generally either destructive or manipulative

  12. Spyware • SPYWARE is software that aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party • Spyware can get into a computer as a software virus or as the result of installing a new program • Technically not viruses, but they pose a threat to Internet users' privacy – some programs come with “spyware attached”, others just “call home” without asking.

  13. Spyware Types • COOKIE is a mechanism for storing a user’s information on a local drive that websites may access • PERSONALIZATION COOKIE allows users to customize pages, personalize the web experience and remember passwords • TRACKING COOKIE allows multiple web sites to store and access records that may contain personal information • DRIVE-BY DOWNLOAD is a program which is automatically downloaded to a host without user consent or knowledge • BROWSER HELPER OBJECT (BHO) is a program that runs automatically every time a browser is launched. They can track usage data and collect any information displayed on the Internet. • WEB BUG (or web beacon) is a file, usually a transparent picture, placed on a web page or in an e-mail to monitor user behaviour without consent
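A defender-side illustration of the WEB BUG definition on the slide above, added here and not part of the original deck or of F-Secure's tooling: it parses a constructed HTML e-mail body and flags images that are tiny or hidden and are fetched from a remote host. The sender domain, host names, sample markup and scoring heuristics are all assumptions made for the example.

```python
"""Flag probable web bugs (beacons) in an HTML e-mail body. Added example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate logo, a hidden 1x1 tracking pixel, an inline photo.
SAMPLE_HTML = """<html><body><p>Hello,</p>
<img src="https://img.example-shop.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-tracker.test/open.gif?uid=12345" width="1" height="1" style="display: none">
<img src="cid:inline-photo" width="300" height="200">
</body></html>"""
SENDER_DOMAIN = "example-shop.test"  # assumed legitimate sender domain (constructed)

class ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None

def is_web_bug(img, sender_domain):
    """Heuristic from the slide: a tiny or hidden image fetched from a remote
    host (third party, or carrying a per-recipient query string) is a beacon."""
    src = img.get("src", "")
    host = (urlparse(src).hostname or "").lower()
    if not host:                      # cid:/relative images cannot phone home
        return False
    w, h = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
    third_party = host != sender_domain and not host.endswith("." + sender_domain)
    return (tiny or hidden) and (third_party or "?" in src)

def find_web_bugs(html, sender_domain=SENDER_DOMAIN):
    """Return the src of every <img> that looks like a web bug."""
    collector = ImgCollector()
    collector.feed(html)
    return [img["src"] for img in collector.images if is_web_bug(img, sender_domain)]

if __name__ == "__main__":
    for src in find_web_bugs(SAMPLE_HTML):
        print("probable web bug:", src)
```

A first-party 1x1 spacer without a query string is deliberately not flagged, so the check errs toward fewer false positives on layout images.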

  14. Spyware Types • BROWSER HIJACKER is an application that attempts to take control over a user's start page or desktop icons, resetting them to conform with the attacker’s wishes • SYSTEM HIJACKER is software that uses the host computer's resources to proliferate itself or uses the system as a resource for other activities • Acting as a spamming zombie • Contributing to DDoS attacks • Trojan payload • KEYLOGGER (or system monitor) is designed to monitor computer activity by capturing virtually everything a user does on the computer, including recording all keystrokes • PREMIUM DIALER (or expensive dialer) creates a dial-up connection (without asking the user) to a high cost number

  15. MALWARE IN ACTION

  16. Brief History of Malware: 1980’s • Personal computers introduced • Information exchange on diskettes • 16-bit operating systems • Internet emerged • Arpanet (Advanced Research Projects Agency Network) changed its name to Internet in 1987 • Grew out of the first network of computers, which in the beginning connected US military bases and later also universities • “Security was not an issue in Arpanet, which was a fully classified network” (Vint Cerf, father of TCP/IP) • Central threats • Illegal physical access to the machines • Boot sector viruses • Traditional file viruses • Direct hacker attacks

  17. Brief History of Malware: 1990’s • PC a common tool in all business areas and Internet use becomes part of everyday activities • Faster internet connections and LANs allow file sharing and downloading • E-mail and Microsoft Office heavily used • Workforce becomes mobile as fast connections become available outside the office • New threats • New malware: 32-bit file viruses, macro viruses (1995) and email worms (1999) • 32-bit operating systems and applications bring more security holes • Internet use enables eavesdropping • Mobile units vulnerable to attacks • Laptop thefts

  18. Brief History of Malware: Early 00’s • Handheld computers introduced and mobile phones evolve towards handheld computers • Workforce becomes even more mobile • For-profit virus-writing emerges as spammers start employing malware • New threats: • Network worms (2001) • Spam • Viruses for PDAs and mobile phones (2004) • Spyware • D-DoS • Phishing

  19. Future Threats • More mobile phone and Bluetooth malware • Spreading by sending SIS files as MMS messages, text message spamming worms (e.g. Commwarrior) • Over 40 different types since June 2004 • Root kits (aka stealth viruses) • Flash worms • Very fast spreading worm (less than 30 seconds), implemented by including a list of all likely vulnerable hosts

  20. Virus vs. Spyware • Similarities • Delivered via web sites, downloads and e-mail attachments • Ability to capture and destroy information • Ruin the system performance • Differences • A virus has a replication mechanism and spreads faster; spyware is usually installed by the user • Virus writers are unknown (and criminal); spyware vendors are known • Typically the user is made aware of spyware installations (EULA) • It is not illegal to write and distribute spyware

  21. Typical Ways to Get Infected • Virus • Every time data is transmitted a virus may spread as well • E-mail attachments account for approx. 80% of the cases, but infection may also spread through the web, chat channels, peer-to-peer networks, CD-ROMs, floppies, infrared beaming, Bluetooth, etc. • Worm • Spreads through email or finds its way through security holes (vulnerabilities), without user intervention • Spyware • Normal web browsing and program installations • Badly configured browser (allowing ActiveX, accepting cookies from 3rd parties) • Free software (freeware, pirated software, adware) • Some commonly trusted software comes bundled with spyware

  22. Identification • Viruses & worms • Must have a replication mechanism • Trojans and other malware • If a payload, the thing that does something annoying or destructive, is present, the trojan will be removed • Spyware • Criteria to add software to the spyware database are based on a point system (TAC) • This list is public, and complying with these strict rules is important as most spyware is legal software • Five criteria: Removal, Integration, Distribution, Behaviour, Privacy • A TAC number of three or higher (out of ten) is required to be included in the database

  23. Example: Mydoom.A • Malware type: Email worm • First variant: 2004 (in the wild) • Family: Mydoom • Replication mechanism: • Spreads over email and Kazaa • Payload: • Installs a backdoor and launches a DDoS attack • Effect: • The largest email incident in history • At its worst, close to 10% of all email traffic globally was caused by Mydoom.A

  24. Example: CoolWebSearch • Category: Malware • Family: CoolWebSearch • First variant: 2003 (in the wild) • TAC level: 10 • Behavior: • Operates hidden • Hijacks browser • Redirects browsing search results • Own LSP implemented • Tracks users’ surfing habits • Javascript which guesses adult pages

  25. Other Threats • ROOT KIT is a set of tools used by an intruder to maintain and hide access to the system and use it for malicious purposes • PHISHING means luring sensitive information (like passwords) from a victim by masquerading as someone trustworthy with a real need for such information • SPAM means unsolicited bulk email, something the recipient did not ask for and that is sent in large volumes

  26. Other Threats • CRACKING (also HACKING) is gaining direct access to a target system • Wide range of methods available (stolen access information, finding open ports, known security holes, etc.) • Attacks can be divided into external attacks and internal attacks • The majority of attacks have external sources, but the most successful attacks come from inside the network • D-DOS (aka DISTRIBUTED DENIAL OF SERVICE) means overloading a service and thus denying legitimate users’ service

  27. F-SECURE ANTI-VIRUS RESEARCH

  28. Fast Reaction Times • Virus and spyware software is only as good as the antivirus company's capability to provide a cure for new virus outbreaks • Spyware updates are not as urgent as anti-virus updates • F-Secure Virus Research Team is on call 24 hours a day responding to new and emerging threats (approx. 10 new viruses found every day) • Two labs: Helsinki (Finland) and San Jose (USA) • Virus definitions updated on average 2 times a day • Automated update methods

  29. How Does the Anti-Virus Lab Work? • Incoming samples • Most come in via e-mail from customers • 30% come via sample exchange from competitors • A very small part through honeypots and directly from virus writers • Send samples to vsamples@f-secure.com

  30. [Chart] Average Response Times for Major Outbreaks During Q1/2004 • Vendors compared: F-Secure, Trend, McAfee, Symantec • Axis: hours (0 to 14) • Data source: AV-Test.org

  31. Radar Security News • Anti-Virus Research issues Radar security news when new threats emerge • Protection status for every reported malware • Three alert levels • Level 1: Worldwide virus epidemic • Level 2: New virus causing large, localised infections • Level 3: New virus technique or platform found

  32. Summary • Main topics • Central threats • Terminology • Malware in Action • Brief history, case examples, functionality • F-Secure Anti-Virus Research
