R Kevin ChapmanStudent Computing Coordinator Dave FlynnUNIX Systems Administrator Rich GravesSenior UNIX and Security Administrator
So you want to get infected… What are your options? What are they? How do you go about it? Really What are the benefits? Reactive tools and measures But seriously folks…
Malware for beginners Virus Trojan Worm Adware Spyware Rootkit BotNet Phishing What are your options?
Virus What is it? Malicious program that attaches itself to a legitimate file or program (the Host). Infects machine when host file is run or opened. Typically cannot run itself, needs human intervention. What does it do? Harmless as presenting “I’m here!” Dangerous as deleting files. Trigger immediately or wait for instructions or wait for a specific date. How does it spread? Via any files that move between computers (e.g. ). Once on machine, looks for files to infect. Relies on user transmission of those files.
Trojan What is it? Disguises itself as useful software or legitimate files. Typically cannot run itself, needs human intervention. What does it do? Harmless as changing icons on your desktop. Dangerous as opening “back doors” to the machine. How does it spread? Purely human intervention; “invited” onto system. Cannot replicate itself. Opening files or images…
Example: Vundo / Virtumonde What is it? A Trojan with many variants How it spreads? From a website linked from . Advertises itself as an anti-malware tool. What does it do? Pop-up advertising for bogus antivirus tools. Redirect Google searches. Disable security programs. And a lot more...
Worm What is it? Malicious program that spreads itself without a Host. Designed to duplicate and spread via network. What does it do? Can cause network problems (heavy traffic). Acts of vandalism are rare but possible. Will often open “back doors” to the machine. How does it spread? Replicates itself on the same machine. Capable of spreading itself often via . Via network, often through their own back doors.
Example: Conficker What is it? A worm with five or more variants. How does it spread? Windows security flaw. USB devices (via autorun). Via network connections. What does it do? Currently checks hundreds of websites for updates. Open back doors for new versions or other infections. Antivirus or Windows Update sites unavailable. User accounts may be locked out. Spambot & Scareware.
Adware What is it? Normally legitimately installed software. Free software paid for by the advertisements (to recoup development costs). What does it do? Downloads and/or displays ads on your machine. Provides a free version of software. How does it spread? Downloaded and installed deliberately by user. May note sites you visit and display corresponding advertisements (SpyWare).
Spyware What is it? Any program that monitors your behavior: e.g. surfing habits, sites visited. How it spreads? Piggy-backs on other software; not as a virus as it’s often intentional. Can operate like a Trojan e.g. fake security software. Tricks users into bypassing security. What it does? Record and deliver info you enter online. Can install software, redirect browser.
Rootkit What is it? Program(s) which hide deep on your system. Replaces system files which then hide processes. How it spreads? Spread as Viruses or Trojans (not Worms). Rarely spreads itself any further once infected. What does it do? Allows unauthorized access to your machine. Sniffers, keyloggers, zombie computer.
BotNet What is it? Spyware that records personal data. Refers to a collection of machines. How it spreads? Spread via Trojans or like Worms Scan local environment to find vulnerable machines What does it do? Very low-key – it wants to remain hidden. Gathers information and relays it (e.g. banking). Used for identity theft, compromise online accts.
Phishing What is it? Attempt to gain personal information such as passwords or account information fraudulently e.g. masquerading as bank representative. How? Majority of attempts happen via . Also Instant Messaging, Social Networking. Refer to websites that look like the original. What does it do? Gain access to account, or identity theft
Vectors Software vulnerabilities USB keys, network drives, other mechanisms for transferring files Malicious or compromised websites How to get infected
Bad or suspicious links Especially in HTML , what a link says might not be where it’s actually going. Dangerous attachments Can contain malware itself, which might or might not be caught by antivirus tools Attachments are very dangerous. As a rule of thumb, don’t open one unless you know exactly who sent it and what it contains. Phishing ‘Spanish Prisoner’ schemes Tricking a user into giving away personal or financial information.
From: Internal Revenue Service Sent: Wednesday, March 01, :45 PM To: Subject: IRS Notification - Please Read This. After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $ Please submit the tax refund request and allow us 6-9 days in order to process it. A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. To access the form for your tax refund, please click here Regards,Internal Revenue Service Example of a phishing
Old versions of IE and Firefox are vulnerable to attack. Browser plugins are popular targets because they often don’t get updated Adobe Quicktime Java Flash For Firefox: https://www.mozilla.com/plugincheck/ Operating system security holes Vista SMBv2, for example Software Vulnerabilities
Legitimate websites can contain dangerous links or harmful code: Facebook (stolen passwords) Forums, blogs, etc. Security holes in webservers Bad advertisements / popups Search engines can be tricked Some attacks can happen without any interaction from you! Sometimes called drive-by downloads Usually associated with a browser or plugin vulnerability Malicious / Compromised Websites
Automatic infections: Worms, drive-by downloads, etc Can infect your machine instantly and without user interaction Typically a result of unpatched or vulnerable software The best defense is to make sure you’re using up to date software, particularly web browser and other web-related tools. Suffers from zero-day syndrome, by which we mean that software vulnerabilities are sometimes only discovered when malware that exploits it begins to spread. Recap
Many modern forms of malware rely on tricking the user: Phishing Trojans Malicious websites, advertisements, popups attachments Sometimes classified as social engineering attacks. These cannot infect your machine automatically; the best defense is to learn to recognize likely malware and then ignore / delete / avoid it. Recap
Phished password used to send spam within 1 hour If bank information is stolen: So is your money Your account can be used to transfer money overseas If your Facebook account is taken, it will be used to: Identify other potential victims Spread “Koobface” and similar trojans Scare your friends into sending money to “rescue” you If your computer is trojaned... Your Role in Criminal Activity
“Rootkits” lie to antivirus software about what files exist The computer, now owned by the criminals, will be used to monitor your activities and attack others It’s Not Your Computer Anymore
ColdwellBanker.com: Gumblar trojan Tennis.com: Gumblar, a few weeks before the French Open CW.edu and Berklee.edu, behaving Gumblar-like today NYTimes.com: bad ad 9/13, PEZCyclingNews.com: noon yesterday, via ad network Kaspersky: 0.64% of the web serves up malware Who Can Help Infect You?
% Proportion of Adobe Reader installations on Carleton administrative desktops that are current. The other 90% are vulnerable to Gumblar-style attacks. 0 Number of computers worldwide with a version of Adobe Reader that can handle new attacks starting December 11 th. How Vulnerable Are You?
Create and use a limited-privilege account Demo Use up-to-date antivirus Carleton’s McAfee (licensed for home use) Microsoft Security Essentials (free for home use) Set a Fraud Alert at AnnualCreditReport.com Instructs lenders not to open new credit accounts in your name unless your identity has been verified Prevents you (for example) from opening a department- store credit card on the spot 3 Easy Ways to Be Safer
If you use Firefox Update Firefox to 3.6 Consider the NoScript extension, NoScript.net If you have Vista/Windows 7, but not NoScript Internet Explorer 8 is probably safer Safer Computing, continued
Help from Secunia.com on software updates Try the PSI utility from secunia.com Safer Computing, continued