The Malware Life Cycle. The Fascinating World of Infections.


Slide 1: The Malware Life Cycle

Slide 2: The Fascinating World of Infections

Slide 3: The Circle of Life (the five stages, drawn as a cycle)
- Birth
- Self-protection
- Call home
- Your wish is my command
- Psst! Pass it on

Slides 4-5: Birth
User invites malware onto PC:
- Opens infected e-mail attachment
- Surfs infected web sites
- Downloads warez ("Winrar v3 FULL VERSION with patch!.exe", "CR-WZIP8.EXE")
- Clicks on link in mail, tweet, IM, text message
- Runs infected app on social networking site
- Plugs in infected USB drive


Slides 7-8: Self-protection
Malware takes steps to protect itself:
- Turns off anti-virus software
- Hides clones in places that users won't notice
- Adds startup entries to registry or startup folder
- Blocks anti-virus sites
- Installs rootkit
- Infects common programs: Internet Explorer, Windows Explorer, svchost


Slides 10-11: Call home
Malware calls home for guidance:
- Disguises the connection as web traffic
- Has internal address book with primary and fallback addresses
- Reports in frequently, usually several times a day
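Because the check-ins are disguised as ordinary web requests, content filtering rarely catches them; what gives them away is timing. The regular "reports in several times a day" pattern shows up in a proxy log as a client hitting the same destination at near-constant intervals, while real browsing is bursty. The script below is an added example (not from the deck) that parses a constructed proxy log and flags client/destination pairs whose request intervals have a very low coefficient of variation. The log line format, host names and thresholds are assumptions made for the example.

```python
"""Beacon (periodic call-home) detection over a constructed web-proxy log.

Assumed line format (constructed for this example):
    <ISO-8601 time> <client> <destination host> <method> <path>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-101 checks in with an assumed call-home host about once
# an hour (small jitter), alongside ordinary irregular browsing. A second host
# name in the same constructed "address book" acts as the fallback address.
SAMPLE_LOG = """\
2010-03-01T08:00:02 ws-101 updates.example-cdn.invalid GET /check
2010-03-01T08:03:15 ws-101 www.sdsu.edu GET /
2010-03-01T08:04:40 ws-101 www.sdsu.edu GET /news
2010-03-01T08:59:58 ws-101 updates.example-cdn.invalid GET /check
2010-03-01T09:15:00 ws-102 updates.example-cdn.invalid GET /check
2010-03-01T09:30:12 ws-101 www.sdsu.edu GET /library
2010-03-01T10:00:05 ws-101 updates.example-cdn.invalid GET /check
2010-03-01T11:00:01 ws-101 updates.example-cdn.invalid GET /check
2010-03-01T11:47:55 ws-101 www.sdsu.edu GET /calendar
2010-03-01T12:00:03 ws-101 updates.example-cdn.invalid GET /check
2010-03-01T12:00:09 ws-101 fallback.example-cdn.invalid GET /check
2010-03-01T13:20:00 ws-102 updates.example-cdn.invalid GET /check
"""


def parse_log(text):
    """Group request timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, dest, *_ = line.split()
        events[(client, dest)].append(datetime.fromisoformat(stamp))
    return events


def find_beacons(events, min_hits=4, max_cv=0.15):
    """Flag pairs whose inter-request gaps are nearly constant.

    min_hits: ignore pairs with too few requests to judge periodicity.
    max_cv:   coefficient of variation (stdev / mean) of the gaps; real browsing
              is bursty and scores far above this, a timer-driven beacon far below.
    """
    flagged = []
    for (client, dest), times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({"client": client, "dest": dest,
                            "hits": len(times), "period_s": round(avg),
                            "cv": round(cv, 4)})
    return sorted(flagged, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['dest']}: {hit['hits']} hits, "
              f"period ~{hit['period_s']}s, cv={hit['cv']}")
```

On the sample, only ws-101 talking to updates.example-cdn.invalid is flagged (period about 3600 s); its browsing to www.sdsu.edu has wildly varying gaps, and the two hits from ws-102 are too few to judge. In practice the fallback address and any client below min_hits are worth a second pass once a primary address is confirmed, since the same address book is usually shared by every infected machine.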


Slides 13-14: Your wish is my command
Malware gets instructions from owner:
- Download more malware, change own signature
- Send PC information home
- Log and report web sites
- Monitor and steal banking credentials
- Turn on microphone or camera
- Monitor and steal network account credentials
- Encrypt files for ransom
- Whatever the bad guy wants to do


Slides 16-17: Psst! Pass it on
Malware: the gift that keeps giving
- Sends infected mail from you to addresses found on your PC (From: You@mail.sdsu.edu, To: YourBuddy@uhoh.net, Subject: Check this out!)
- Infects writable files on network shares
- Installs itself on removable media
- Scans local network for vulnerable systems
- Scans Internet for vulnerable systems


Slide 19: Lather, Rinse, Repeat (Birth, Self-protection, Call home, Your wish is my command, Psst! Pass it on)

Slide 20: Our Defenses: Anti-virus

Slide 21: Anti-virus, an important part of Defense-In-Depth (Our Defenses)
- Can be a powerful defense if properly configured and used with a central server (ePO for McAfee)
- Very effective against known malware
- Can protect against suspicious behavior: rogue e-mail; IRC connections; scripts running from temp; additions to startup locations; additions to system directories; disabling anti-virus; installation of Browser Helper Objects (IE); and more!

Slide 22: Anti-virus, not a cure-all (Our Defenses)
- Not very responsive to unknown threats
- Lag time of days or weeks to develop and update signatures for malware, leaving systems unprotected against emerging threats
- May never detect some malware
- Generally not very effective against unknown malware (other than mass mailers)
- Can be disabled by Admin users
- Logs are often ignored or not understood

Slide 23: Speaking of Logs: ePO Tips

Slide 24: ePO Tips, most interesting ePO report fields (Speaking of Logs)
1. Analyzer Detection Method: Was the detection On Access or during an On Demand/Fixed Disk Scan?
2. Action Taken: What happened to it?
3. Threat Target File Path: Where was it found?
4. Threat Name: What was detected?
5. Other useful fields: Event Generated Time, Threat Target IPv4 Address, Threat Target Host Name, Threat Type

Slide 25: ePO Tips, things to consider (Speaking of Logs)
1. Look at the Analyzer Detection Method
   - On Access? The malware was detected as it was written to or read from the disk
   - On Demand, Managed Fixed Disk Scan? The malware got onto the PC without being detected
2. Look at the Action Taken
   - Deleted, Cleaned, None?

Slide 26: ePO Tips, things to consider (Speaking of Logs)
3. Look at the Threat Target File Path
   - C:\Windows\? Probably infected, probably admin user
   - C:\Documents and Settings\gleduc\Application Data\? Probably infected
   - G:\? Probably not infected, but thumb drive was
   - IE cache? Need to talk to the user, maybe look at the machine
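The three questions on slides 24 to 26 (how was it detected, what was done, where was it) can be turned into a small triage routine so that a day's worth of ePO events sorts itself into a worklist instead of being ignored. The code below is an added example, not part of the deck and not McAfee's own tooling. The field names follow slide 24; the event records, host names, threat names other than Exploit-CVE2008-5353, score weights and the assumption that the IE cache lives under a "Temporary Internet Files" folder are all constructed for the example.

```python
"""Triage of ePO-style detection events using the slide 25/26 rules of thumb."""
import re

# Constructed sample events. Field names follow the ePO report fields named on
# slide 24; hosts, paths and most threat names are placeholders.
SAMPLE_EVENTS = [
    {"Threat Target Host Name": "lab-pc-01",
     "Analyzer Detection Method": "On Access Scan",
     "Action Taken": "Deleted",
     "Threat Target File Path": r"G:\autorun.inf",
     "Threat Name": "Example-AutorunWorm"},
    {"Threat Target Host Name": "lab-pc-02",
     "Analyzer Detection Method": "On Demand Scan",
     "Action Taken": "None",
     "Threat Target File Path": r"C:\Windows\System32\drivers\example.sys",
     "Threat Name": "Example-Rootkit"},
    {"Threat Target Host Name": "lab-pc-03",
     "Analyzer Detection Method": "On Access Scan",
     "Action Taken": "Cleaned",
     "Threat Target File Path": r"C:\Documents and Settings\gleduc\Local Settings"
                                r"\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm",
     "Threat Name": "Exploit-CVE2008-5353"},
    {"Threat Target Host Name": "lab-pc-04",
     "Analyzer Detection Method": "On Demand Scan",
     "Action Taken": "Deleted",
     "Threat Target File Path": r"C:\Documents and Settings\gleduc\Application Data\svchost.exe",
     "Threat Name": "Example-Dropper"},
]

# Location rules from slide 26: (pattern, note, weight). First match wins.
# Weights are an assumption chosen so that "probably infected" outranks
# "probably not infected". Paths are matched case-insensitively.
PATH_RULES = [
    (re.compile(r"\\Temporary Internet Files\\", re.I),
     "IE cache: talk to the user, maybe look at the machine", 2),
    (re.compile(r"^C:\\Windows\\", re.I),
     "System directory: probably infected, probably admin user", 3),
    (re.compile(r"^C:\\Documents and Settings\\[^\\]+\\Application Data\\", re.I),
     "User profile: probably infected", 2),
    (re.compile(r"^[D-Z]:\\", re.I),
     "Other drive: PC probably not infected, but the removable drive was", 0),
]


def triage(event):
    """Score one event and explain the score with the slide 25/26 questions."""
    score, notes = 0, []

    method = event["Analyzer Detection Method"]
    if "on access" in method.lower():
        notes.append("On Access: caught as it was written to or read from disk")
    else:  # on demand / fixed disk scan
        notes.append("On Demand scan: it got onto the PC without being detected")
        score += 2

    action = event["Action Taken"]
    if action.lower() in ("deleted", "cleaned"):
        notes.append(f"Action {action}: scanner dealt with the file")
    else:
        notes.append(f"Action {action}: the file may still be present")
        score += 2

    path = event["Threat Target File Path"]
    for pattern, note, weight in PATH_RULES:
        if pattern.search(path):
            notes.append(note)
            score += weight
            break
    else:
        notes.append("Unrecognised location: inspect manually")
        score += 1

    level = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"host": event["Threat Target Host Name"], "threat": event["Threat Name"],
            "score": score, "level": level, "notes": notes}


def worklist(events):
    """Return triage results, most urgent first."""
    return sorted((triage(e) for e in events), key=lambda r: -r["score"])


if __name__ == "__main__":
    for item in worklist(SAMPLE_EVENTS):
        print(f"[{item['level']:6}] {item['host']}: {item['threat']}")
        for note in item["notes"]:
            print(f"           - {note}")
```

On the sample the undetected rootkit-style file in C:\Windows with no action taken comes out on top, the thumb-drive autorun at the bottom, and the Java exploit in the IE cache lands in the middle with a note to talk to the user; slide 28 shows how that middle case is then resolved by checking the installed JRE version.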

Slide 27: Investigating a malware detection

Slide 28: Investigating a malware detection
1. Research (Google is your friend)
   - Threat Name: Exploit-CVE2008-5353
   - Understand what it does and how it does it
   - Java vulnerability patched in JRE 6u11
   - If the machine is at JRE 6u21 then ignore

Slide 29: Investigating a malware detection
2. Check the McAfee logs on the machine: C:\Docs and Settings\All Users\Application Data\McAfee\DesktopProtection\
   - OnAccessScanLog.txt: OAS detections, DAT version, stats
   - OnDemandScanLog.txt: detections, type of scan, action taken
   - AccessProtectionLog.txt: attempts to terminate McAfee, send e-mail, run programs from temp or cache directories
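The "patched in 6u11, machine is at 6u21, so ignore" decision in step 1 is a version comparison, and it is easy to get wrong when done by eye or with a string compare ("6u9" sorts after "6u21" as text). The code below is an added example, not from the deck, that records the patch level a threat name was fixed in and compares it with the version found on the machine, accepting both the "6u21" shorthand and the "1.6.0_21" form printed by java -version. The lookup table is an assumption; its only real entry is the CVE-2008-5353 / JRE 6u11 pair the slide gives.

```python
"""Step 1 of the investigation: is the detected exploit already patched here?"""
import re

# Constructed lookup: threat name -> (product, earliest version containing the fix).
# The Exploit-CVE2008-5353 / JRE 6u11 entry comes from slide 28; any other entry
# an analyst adds should be taken from the vendor advisory for that threat name.
FIXED_IN = {
    "Exploit-CVE2008-5353": ("JRE", "6u11"),
}


def parse_jre_version(text):
    """Return (major, update) from '6u21' or from the java -version form '1.6.0_21'."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)u(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised JRE version string: {text!r}")


def assess_detection(threat_name, installed_version):
    """Return ('ignore' | 'investigate', reason) for a detection on a given machine.

    Comparing parsed tuples rather than strings is the point: '6u9' < '6u11'
    numerically, but '6u9' > '6u11' as text.
    """
    if threat_name not in FIXED_IN:
        return "investigate", "no patch record for this threat name; research it first"
    product, fixed = FIXED_IN[threat_name]
    have = parse_jre_version(installed_version)
    need = parse_jre_version(fixed)
    if have >= need:
        return "ignore", f"{product} {installed_version} already contains the fix shipped in {fixed}"
    return "investigate", f"{product} {installed_version} predates the fix in {fixed}; the machine was exposed"


if __name__ == "__main__":
    for threat, version in [("Exploit-CVE2008-5353", "6u21"),
                            ("Exploit-CVE2008-5353", "1.6.0_7"),
                            ("Example-Unknown-Threat", "6u21")]:
        verdict, reason = assess_detection(threat, version)
        print(f"{threat} on {version}: {verdict} ({reason})")
```

"Ignore" here means the exploit could not have succeeded on that machine; the event is still worth a look as a sign of what the user browsed to, which is where step 2 and the AccessProtectionLog come in.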

Slide 30: What if it's Infected?
- Refer to the Information Security Plan: http://security.sdsu.edu
- Escalate to ITSO if the system processes or stores Protected Information: names with SSNs, credit card data, passwords, medical data, disability data, combinations of name, birthdate, mother's maiden name, last 4 of SSN, driver's license, grades, etc., etc., etc.
- Be prepared to give up the machine for the duration of the investigation
- Be prepared to rebuild the machine

Slide 31: Our Defenses: Third-party application patching

Slide 32: Third-party application patching (Our Defenses)
- When responsive, vendors are often very quick to patch
- Many applications require a manual download and install to update, a big PITA if the user can't get Admin rights on the system
- Users and sysadmins often don't know that an update is available or whether it's a security update
- IT support staff often don't know what software is on their users' systems
- If a vendor stops supporting a product, but users really love it, they keep using it
- Patch Mgt must be able to patch third-party applications!

Slide 33: The End
