
Copyright © 2005 Eset All rights reserved. Proactive Malware Defense in diverse networks Andrew Lee CISSP CTO Eset Software.


Slide 1: Proactive Malware Defense in diverse networks
Andrew Lee, CISSP, CTO, Eset Software

Slide 2: Overview (Andrew Lee, Secure IT 2005)
- Education
- Understanding Malware
- Defense in Depth
- Technology
- Sources of Information

Slide 3: Education
Education of the user is key to the success of any anti-malware defense strategy.
- Initial inertia
- Familiarity with issues
- Ownership of responsibility
- Someone else's problem
- Buy in
- Financial
- Policy
- Strategic recognition
- Finding good sources of information

Slide 4: Malware overview
Types of Malware:
- Viruses
- Worms
- Macros
- Scripts (VBS/Loveletter)
- File Infectors
- Boot sector viruses
- Trojans
- Password Stealers
- Jokes
- Remote Access / Backdoors
- Keyloggers
- Malicious deleters/corruptors
- Spyware / Adware
- Phishing / Scams / Hoaxes

A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.

A Trojan (or Trojan Horse) is a program that masquerades as something other than it is, for instance a file purporting to be a game which actually opens up the computer to remote access.

Spyware is software that is installed (often without the knowledge of the computer user) that records information about the user's online habits and reports it back to a controller. It is often used to target advertising and popups to be sent to the machine.

Phishing, scams and hoaxes are special forms of malware that come under the banner of "mind viruses" or social engineering.

Slide 5: Hoaxes, Phishing and Scams
Hoaxes:
- Technical sounding jargon
- Credibility by association
- Plays on altruism
- Scare stories / urban legends
- Better safe than sorry
Phishing:
- Intended for criminal fraudulent purposes
- Usually to gain access to banking/CC/PayPal details
- Uses social engineering methods
- Good phishes will be very hard to identify
- Imitate target sites as closely as possible
- Some viruses have now started using this
- Very costly to banks; in some cases shut down online banking
Scams:
- Online versions of fraudulent operations

Slide 6: Hoax (sample message)
Dear All
WARNING MESSAGE received from the dad of one of my daughter's friends about a virus contracted from a message from France please act NOW - I found it on my 'C' drive. I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:- The objective of this is to warm all Hotmail users about a new virus that is spreading by MSM Messenger and by address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system. The virus can be cleaned before it deletes the files from your system. In order to eliminate it it is just necessary to take the following steps:-
1. Go to Start. Click "Search"
2. In the "Files or Folders option" write the name jdbgmgr.exe
3. Be sure that you are searching in the drive "C"
4. Click "find now"
5. If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe DO NOT OPEN IT FOR ANY REASON
6. Right click and delete it (it will go to the Recycle bin)
7. Go to the Recycle bin and delete it or empty the recycle bin
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.

Slide 7: Phishing (sample message)
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information. We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this (see attachment) and follow the instructions. Please do not send your personal information through , as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA ! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
Attached file:

Slide 8: Scams (sample message)
INTERNATIONAL/PRIZE AWARD DEPT REF:PL2/209318/09 BATCH:18/103/HME.
Attn: Winner
We are pleased to inform you of the result of the Lottery Winners International programs held on the 07/03/2005. Your address attached to ticket number with serial number , batch number ,lottery ref number and drew lucky numbers which consequently won in the 1st category, you have therefore been approved for a lump sum pay out of US$1.500, (0NE MILLION FIVE HUNDRED THOUSAND United States dollars) CONGRATULATIONS!!!
Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claims has been processed and your money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from over 40,000 company and 20,000,000 individual addresses and names from all over the world. This promotional program takes place every year. This lottery was promoted and sponsored by Association of software producers. we hope with part of your winning,you will take part in our next year US$20 million international lottery.
To file for your claim, please contact our fiducial agent:
==============================================================
Mr. Micheal Boldman GULF ATLANTIC S.A Amsterdam Netherlands. Tel:
==============================================================
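The traits slide 5 lists for hoaxes, phishing and scams can be turned into a simple rule-based screen, which is what the following added example does; it is not code from the presentation or from Eset. The patterns, weights and threshold are assumptions, and the four messages are constructed excerpts condensed from the sample messages on slides 6 to 8 plus one ordinary mail.

```python
# Rule-based scorer for the social-engineering traits named on the slides.
import re

# Each rule: (category, description, pattern, weight). Patterns and weights
# are assumptions chosen to reflect the traits the slides attribute to each kind.
RULES = [
    ("hoax", "asks you to forward it to all contacts", r"send this message to all|address book", 3),
    ("hoax", "claims AV vendors cannot detect it", r"not detected by", 3),
    ("hoax", "tells you to delete a named .exe file", r"\b\w+\.exe\b", 2),
    ("phishing", "deadline pressure", r"within (the next )?\w+ business days", 2),
    ("phishing", "threat to the account", r"deactivate|expir(e|ing)|interruption", 2),
    ("phishing", "run attachment or update details", r"attachment|update your", 2),
    ("phishing", "blocks replies", r"do not reply", 1),
    ("scam", "prize or lottery lure", r"lottery|winner|lump sum|congratulations", 3),
    ("scam", "demands confidentiality", r"confidential", 2),
    ("scam", "directs you to a claims agent", r"contact our .*agent|file for your claim", 2),
]
THRESHOLD = 4  # assumption: below this score the message is treated as unremarkable

def score(text):
    """Return ({category: score}, [(category, description), ...]) for one message."""
    totals = {"hoax": 0, "phishing": 0, "scam": 0}
    hits = []
    for category, description, pattern, weight in RULES:
        if re.search(pattern, text, re.IGNORECASE):
            totals[category] += weight
            hits.append((category, description))
    return totals, hits

def classify(text):
    """Name the strongest category, or 'benign' if nothing reaches the threshold."""
    totals, _ = score(text)
    best = max(totals, key=totals.get)
    return best if totals[best] >= THRESHOLD else "benign"

# Constructed excerpts condensed from the three sample messages on the slides.
HOAX = ("The virus is not detected by McAfee or Norton. Search for jdbgmgr.exe and "
        "delete it. Send this message to all of your address book before it can cause damage.")
PHISH = ("Your PayPal account will be expiring within five business days. Run the application "
         "in the attachment to update your information. Do not reply to this message.")
SCAM = ("You have been approved for a lump sum pay out. Keep your winning information "
        "confidential until your claim is processed. Contact our fiducial agent.")
BENIGN = "Hi all, the agenda for Thursday's meeting is attached. Let me know if anything is missing."

if __name__ == "__main__":
    for name, msg in [("hoax", HOAX), ("phish", PHISH), ("scam", SCAM), ("benign", BENIGN)]:
        totals, hits = score(msg)
        print(name, "->", classify(msg), totals, [d for _, d in hits])
```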

Slide 9: Current and future threats
Current threats:
- Worms
- Trojans / Botnets
- Diallers
- Backdoors
- Bots
- Spyware/Adware/Riskware
Future evolution:
- Mobile technology
- Browser delivered malware
- Criminal exploitation

Slide 10: Problems of diversity
- Speed of spread vs speed of detection
- Window of vulnerability
- Rapid release and spread of new threats
- Response time is longer than acceptable
- System update time is often not factored in
- Reactive technology is not adequate
- Non traditional methods of delivery (spam runs etc.)
- More ephemeral malware
- Can be targeted at a particular system/vulnerability
- Diverse networks and 'ad-hocracies' are more vulnerable
Diverse and non-standardized networks increase the attack surface and can hide breeding grounds for rapid malware outbreaks.

Slide 11: Features of malware attacks
- Speed of spread vs speed of detection
- Window of vulnerability
- Rapid release and spread of new threats
- Response time is longer than acceptable
- Reactive technology is not adequate
- Non traditional methods of delivery (spam runs etc.)
- Can be targeted at a particular system/vulnerability
- Diverse networks and 'ad-hocracies' are more vulnerable
A critical factor in any network deployment of traditional anti-malware software is how fast the product can be updated. If the spread of the threat is faster than the time-to-update, then the risk is unmitigated.

Slide 12: Critical stages of outbreak showing windows of vulnerability
[Figure: threat level (mpm) plotted against time over 1, 2, 3 and 4 hours, with stages labelled low level threat (> 100 mpm), rapidly rising threat, and full epidemic.]

Slide 13: Defense in Depth
- Connected users
- Exploding perimeter
- PDA's / mobile phones
- Laptops
- Home / Remote
- Always on DSL/Cable
- Uncontrolled networks
- Gateways
- Desktop
- Servers
- Network devices
- Switches
- NAS / SAN
- Copy solutions
- Webmail
- P2P
- IRC

Slide 14: Technology
Responsiveness:
- Proactive malware prevention (heuristic capabilities)
- Support
- Time to update
- Detection rates
Manageability:
- Visibility
- Flexibility
Performance:
- Network speed
- User compliance
- Server speed
- Gateway overload
- DoS from virus scanning
- Bounces and ancillary traffic

Slide 15: Heuristic defined
- Virus detection technique in which unknown software code is examined to decide whether it is malware
- Implementation through emulation, virtual PC and code analysis
- Detects new unknown viruses in order to prevent infection during the initial outbreak

Slide 16: Advanced Heuristics
Benefits: instantly blocking new viruses the moment they are released in the wild.
Efficiency (August 2004 WildCore):
- Total number of samples: 381
- Samples detected by Advanced Heuristics: 244
- Samples detected by Standard Heuristics: 92
- Total number of unique samples detected by heuristics: 336
- Detection rate using heuristics = 88.18%

Slide 17: Technology Issues
User compliance:
- Interference with workflow
- Slows things down
- Stability
- Interoperability
Total cost of ownership:
- Return on investment
- Cost of training
- Cost of failure
- Compliance issues
- Manageability
- Ongoing costs

Slide 18: Scanning Throughput
[Chart: scanning throughput, based on Virus Bulletin testing.]

Slide 19: The information assessment matrix (Information Quality & Reliability)
Axes: reliability or expertise of source (low to high) and number of sources (low to high).
- Low reliability, few sources: use common sense - likely poor info
- Low reliability, many sources: cross-reference sources - do further research
- High reliability, few sources: reasonable reliability - but worth checking
- High reliability, many sources: reliable information

Slide 20: virus-radar.com
- Granular table and graph reporting
- Free data and report access
- Real time virus warning
- Searchable virus descriptions database
- On-line report archive
- Real time virus prevalence statistics

Slide 21: Summary
- Education: the more you know, the better protected you and your users will be
- Understand the enemy: malware is a wide topic, and it pays to understand what it can do (and what it can't)
- Use technology that offers your context the best overall protection, at all points possible
- Stay informed

