
SECURITY THREAT REVIEW. Page 2 Agenda Main topics Central threats Terminology Malware in Action Brief history, case examples, functionality F-Secure Anti-Virus.



Page 2: Agenda
Main topics
- Central threats
- Terminology
- Malware in Action: brief history, case examples, functionality
- F-Secure Anti-Virus Research


Page 4: Threats: Viruses, Worms and Other Malware
Malware
- Different kinds of viruses and worms spread extremely rapidly
- First viruses for mobile phones and handheld computers found
- Adware and spam are crossing from an annoyance to a threat
Hacking
- Client devices outside the firewall are prone to hacking, which may grant access to corporate networks
- Stolen data
- The web is full of tools that enable hacking, spying and eavesdropping

Page 5: Threats: Underground Economy Using the Internet
- Cybercrime is on the rise
- Often uses spyware and spam when targeting users
- Credit card fraud, stolen identities, access to confidential information, taking over somebody's computer, using somebody's computer to launch attacks or send spam, etc.
- Also other issues such as distributed denial of service attacks (DDoS) and web page defacements

Page 6: Threats: Everything Is Connected
- Reality is heavily connected to the data networks
- Physical networks (electricity, water, transportation) depend on data networks
- Many people using computers do not fully understand the technology behind them
- Home users connected to the internet without a personal firewall are easy targets for attacks


Page 8: Virus
VIRUS is a computer program that replicates by attaching itself to another object
- Boot sector virus: attaches itself to the boot sector of a diskette; almost extinct today
- File virus: attaches itself to programs, for example executables
- Macro virus: attaches itself to documents; spreads effectively through e-mail
Examples: Excel macro virus "Button", file virus "Funlove"

Page 9: Worm
WORM is a computer program that replicates independently by sending itself to other systems
- E-mail worms: spread using e-mail technology (stealth SMTP relays)
- Network worms: very fast spreading; connect directly over the network (using the whole TCP/IP protocol suite)
- Bluetooth worms

Page 10: Terminology
- REPLICATION MECHANISM is a mandatory part of every virus and worm; if it doesn't have a replication mechanism, it is by definition not a virus or worm
- PAYLOAD is an optional part of the virus/worm; it may do something funny or destructive

Page 11: Other Malware
- MALWARE is a common name for all kinds of unwanted software such as viruses, worms, spyware and trojans
- TROJAN HORSE (or trojan) is a program with hidden functionality, generally either destructive or manipulative

Page 12: Spyware
- SPYWARE is software that aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party
- Spyware can get into a computer as a software virus or as the result of installing a new program
- Technically not viruses, but they pose a threat to Internet users' privacy: some programs come with "spyware attached", others just "call home" without asking

Page 13: Spyware Types
- COOKIE is a mechanism for storing a user's information on a local drive that websites may access
- PERSONALIZATION COOKIE allows users to customize pages, personalize the web experience and remember passwords
- TRACKING COOKIE allows multiple web sites to store and access records that may contain personal information
- DRIVE-BY DOWNLOAD is a program which is automatically downloaded to a host without user consent or knowledge
- BROWSER HELPER OBJECT (BHO) is a program that runs automatically every time a browser is launched; BHOs can track usage data and collect any information displayed on the Internet
- WEB BUG (or web beacon) is a file, usually a transparent picture, placed on a web page or in an e-mail to monitor user behaviour without consent

Page 14: Spyware Types
- BROWSER HIJACKER is an application that attempts to take control of a user's start page or desktop icons, resetting them to conform with the attacker's wishes
- SYSTEM HIJACKER is software that uses the host computer's resources to proliferate itself or use the system as a resource for other activities: acting as a spamming zombie, contributing to DDoS attacks, trojan payload
- KEYLOGGER (or system monitor) is designed to monitor computer activity by capturing virtually everything a user does on the computer, including recording all keystrokes
- PREMIUM DIALER (or expensive dialer) creates a dial-up connection (without asking the user) to a high-cost number


Page 16: Brief History of Malware: 1980's
- Personal computers introduced: information exchange on diskettes, 16-bit operating systems
- Internet emerged: Arpanet (Advanced Research Projects Agency Network) changed its name to Internet in 1987; it grew out of the first network of computers, which in the beginning connected US military bases and later also universities
- "Security was not an issue in Arpanet, which was a fully classified network" (Vint Cerf, father of TCP/IP)
Central threats
- Illegal physical access to the machines
- Boot sector viruses
- Traditional file viruses
- Direct hacker attacks

Page 17: Brief History of Malware: 1990's
- PC a common tool in all business areas, and Internet use becomes part of everyday activities
- Faster internet connections and LANs allow file sharing and downloading
- E-mail and Microsoft Office heavily used
- Workforce becomes mobile as fast connections are available outside the office
New threats
- New malware: 32-bit file viruses, macro viruses (1995) and email worms (1999)
- 32-bit operating systems and applications bring more security holes
- Internet use enables eavesdropping
- Mobile units vulnerable to attacks
- Laptop thefts

Page 18: Brief History of Malware: Early 00's
- Handheld computers introduced and mobile phones evolve towards handheld computers
- Workforce becomes even more mobile
- For-profit virus-writing emerges as spammers start employing malware
New threats
- Network worms (2001)
- Spam
- Viruses for PDAs and mobile phones (2004)
- Spyware
- D-DoS
- Phishing

Page 19: Future Threats
- More mobile phone and Bluetooth malware: spreading by sending SIS files as MMS messages, text message spamming worms (e.g. Commwarrior); over 40 different types since June 2004
- Root kits (aka stealth viruses)
- Flash worms: very fast spreading worm (less than 30 seconds), implemented by including a list of all likely vulnerable hosts

Page 20: Virus vs. Spyware
Similarities
- Delivered via web sites, downloads and e-mail attachments
- Ability to capture and destroy information
- Ruin system performance
Differences
- Virus has a replication mechanism and spreads faster; spyware is usually installed by the user
- Virus writers are unknown (and criminal); spyware vendors are known
- Typically the user is made aware of spyware installations (EULA)
- It is not illegal to write and distribute spyware

Page 21: Typical Ways to Get Infected
Virus
- Every time data is transmitted a virus may spread as well
- E-mail attachments account for approx. 80% of the cases, but infection may also spread through the web, chat channels, peer-to-peer networks, CD-ROMs, floppies, infrared beaming, Bluetooth, etc.
Worm
- Spreads through email or finds its way through security holes (vulnerabilities), without user intervention
Spyware
- Normal web browsing and program installations
- Badly configured browser (allowing ActiveX, accepting cookies from 3rd parties)
- Free software (freeware, pirated software, adware)
- Some commonly trusted software comes bundled with spyware

Page 22: Identification
Viruses & worms
- Must have a replication mechanism
Trojans and other malware
- If a payload, the thing that does something annoying or destructive, is present, the trojan will be removed
Spyware
- Criteria for adding software to the spyware database are based on a point system (TAC)
- This list is public, and complying with these strict rules is important as most spyware is legal software
- Five criteria: Removal, Integration, Distribution, Behaviour, Privacy
- A TAC number of three or higher (out of ten) is required for inclusion in the database

Page 23: Example: Mydoom.A
- Malware type: Email worm
- First variant: 2004 (in the wild)
- Family: Mydoom
- Replication mechanism: spreads over email and Kazaa
- Payload: installs a backdoor and launches a DDoS attack
- Effect: the largest email incident in history; at its worst, close to 10% of all email traffic globally was caused by Mydoom.A

Page 24: Example: CoolWebSearch
- Category: Malware
- Family: CoolWebSearch
- First variant: 2003 (in the wild)
- TAC level: 10
- Behavior: operates hidden; hijacks browser; redirects browsing search results; own LSP implemented; tracks users' surfing habits; Javascript which guesses adult pages

Page 25: Other Threats
- ROOT KIT is a set of tools used by an intruder to maintain and hide access to the system and use it for malicious purposes
- PHISHING means luring sensitive information (like passwords) from a victim by masquerading as someone trustworthy with a real need for such information
- SPAM means unsolicited bulk email, something the recipient did not ask for and that is sent in large volumes

Page 26: Other Threats
- CRACKING (also HACKING) is gaining direct access to a target system; a wide range of methods is available (stolen access information, finding open ports, known security holes, etc.)
- Attacks can be divided into external attacks and internal attacks; the majority of attacks have external sources, but the most successful attacks come from inside the network
- D-DOS (aka DISTRIBUTED DENIAL OF SERVICE) means overloading a service and thus denying legitimate users service


Page 28: Fast Reaction Times
- Virus and spyware software is only as good as the antivirus company's capability to provide a cure for new virus outbreaks
- Spyware updates are not as urgent as anti-virus updates
- F-Secure Virus Research Team is on call 24 hours a day responding to new and emerging threats (approx. 10 new viruses found every day)
- Two labs: Helsinki (Finland) and San Jose (USA)
- Virus definitions updated on average 2 times a day
- Automated update methods

Page 29: How Does the Anti-Virus Lab Work?
Incoming samples
- Most come in via e-mail from customers
- 30% come via sample exchange from competitors
- A very small part through honeypots and directly from virus writers
- Send samples to

Page 30: Average Response Times for Major Outbreaks During Q1/2004
(chart not included in the transcript) Data source

Page 31: Radar Security News
- Anti-Virus Research issues Radar security news when new threats emerge
- Protection status for every reported malware
- Three alert levels:
  Level 1: Worldwide virus epidemic
  Level 2: New virus causing large, localised infections
  Level 3: New virus technique or platform found

Page 32: Summary
Main topics
- Central threats
- Terminology
- Malware in Action: brief history, case examples, functionality
- F-Secure Anti-Virus Research
