Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Malware Life Cycle. The Fascinating World of Infections.

Similar presentations


Presentation on theme: "The Malware Life Cycle. The Fascinating World of Infections."— Presentation transcript:

1 The Malware Life Cycle

2 The Fascinating World of Infections

3 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

4 Birth User invites malware onto PC

5 Birth User invites malware onto PC Opens infected attachment Surfs infected web sites Downloads warez “Winrar v3 FULL VERSION with patch!.exe” “CR-WZIP8.EXE” Clicks on link in mail, tweet, IM, text message Runs infected app on social networking site Plugs in infected USB drive

6 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

7 Self-protection Malware takes steps to protect itself

8 Self-protection Malware takes steps to protect itself Turn off anti-virus software Hide clones in places that users won’t notice Adds startup entries to registry or startup folder Block anti-virus sites Install rootkit Infect common programs: Internet Explorer, Windows Explorer, svchost

9 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

10 Malware calls home for guidance Call home

11 Malware calls home for guidance Disguises the connection as web traffic Has internal address book with primary and fallback addresses Reports in frequently, usually several times a day

12 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

13 Malware gets instructions from owner Your wish is my command

14 Malware gets instructions from owner Download more malware, change own signature Send PC information home Log and report web sites Monitor and steal banking credentials Turn on microphone or camera Monitor and steal network account credentials Encrypt files for ransom Whatever the bad guy wants to do Your wish is my command

15 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

16 Psst! Pass it on Malware: the gift that keeps giving

17 Psst! Pass it on Malware: the gift that keeps giving Sends infected mail from you to addresses found on your PC From: To: Subject: Check this out! Infects writable files on network shares Installs itself on removable media Scans local network for vulnerable systems Scans Internet for vulnerable system

18 The Circle of Life BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

19 Lather, Rinse, Repeat BirthSelf-protectionCall home Your wish is my command Psst! Pass it on

20 Anti-virus Our Defenses

21 Anti-virus – Important part of Defense-In-Depth Can be a powerful defense if properly configured and used with a central server (ePO for McAfee) Very effective against known malware Can protect against suspicious behavior Rogue ; IRC connections; Scripts running from temp; Additions to startup locations; Additions to system directories; Disabling anti-virus; Installation of Browser Helper Objects (IE); and more! Our Defenses

22 Anti-virus – Not a cure-all Not very responsive to unknown threats Lag time of days or weeks to develop and update signatures for malware, leaving systems unprotected against emerging threats May never detect some malware Generally not very effective against unknown malware (other than mass mailers) Can be disabled by Admin users Logs are often ignored or not understood Our Defenses

23 ePO Tips Speaking of Logs

24 ePO Tips – Most interesting ePO report fields 1.Analyzer Detection Method: Was the detection On Access or during an On Demand/Fixed Disk Scan? 2.Action Taken: What happened to it? 3.Threat Target File Path: Where was it found? 4.Threat Name: What was detected? 5.Other useful fields Event Generated Time, Threat Target IPv4 Address, Threat Target Host Name, Threat Type Speaking of Logs

25 ePO Tips – Things to Consider 1.Look at the Analyzer Detection Method On Access? The malware was detected as it was written to or read from the disk On Demand, Managed Fixed Disk Scan? The malware got onto the PC without being detected 2.Look at the Action Taken Deleted, Cleaned, None? Speaking of Logs

26 ePO Tips – Things to Consider 3.Look at Target Threat File Path C:\Windows\? Probably infected, Probably admin user C:\Documents and Settings\gleduc\Application Data\? Probably infected G:\? Probably not infected, but thumb drive was IE Cache? Need to talk to the user, maybe look at the machine Speaking of Logs

27 Investigating a malware detection

28 1.Research (Google is your friend) Threat Name: Exploit-CVE Understand what it does and how it does it Java vulnerability patched in JRE 6u11 If the machine is at JRE 6u21 then ignore Investigating a malware detection

29 2.Check the McAfee logs on the machine C:\Docs and Settings\All Users\Application Data\McAfee\DesktopProtection\ OnAccessScanLog.txt: OAS detections, DAT version, stats OnDemandScanLog.txt: detections, type of scan, action taken AccessProtectionLog.txt: attempts to terminate McAfee, send , run programs from temp or cache directories Investigating a malware detection

30 Refer to Information Security Plan Escalate to ITSO if the system processes or stores Protected Information: Names with SSNs, Credit card data, Passwords, Medical data, Disability data, Combinations or name, birthdate, mother’s maiden name, last 4 of SSN, driver’s license, grades, etc., etc., etc. Be prepared to give up machine for the duration of the investigation Be prepared to rebuild machine What if it’s Infected?

31 Third-party application patching Our Defenses

32 Third-party application patching When responsive, vendors are often very quick to patch Many applications require a manual download and install to update – a big PITA if user can’t get Admin rights on system Users and sysadmins often don’t know that an update is available or whether it’s a security update IT support staff often don’t know what software is on their users’ systems If a vendor stops support a product, but users really love it, they keep using it Patch Mgt must be able to patch third-party applications! Our Defenses

33 The End


Download ppt "The Malware Life Cycle. The Fascinating World of Infections."

Similar presentations


Ads by Google