Tim Fredrick March 2010 NCAR/ACD/NESL Computing The Mebroot/Torpig threat UCAR Malware incidents.


1 The Mebroot/Torpig threat: UCAR malware incidents
Tim Fredrick, NCAR/ACD/NESL Computing, March 2010

2 Malware Presentation 2010: What we’re up against

3 Infections in ACD
- Attempted compromise of a Linux machine visiting a newspaper site
- Successful compromise of 2 Windows XP machines and 1 Vista machine
- Multiple infections of UCAR systems – all Windows PCs
- One UCAR system re-infected after it was reformatted/reinstalled
- All were variants of TORPIG – all detected by monitoring network activity
Cost of infections
- TIME: security staff, system administrators, end-user
- Systems must be reformatted/reinstalled (in ACD we’ve used new disks)
- Each system must remain down for forensics for approx. 1 week
- In one case, a staff member complained personal information was removed from his/her control.

4 What is infecting us… TORPIG/MEBROOT
- MEBROOT is a “root kit” (aka Sinowal or Anserin)
- TORPIG is a keystroke logger
What does TORPIG do?
- Scans for credentials
- Keystroke logging – sends to evasive but known collection sites
- Knows about hundreds of banking sites; captures credentials
- RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts
- Motivation: financial
- A problem among personal computers as well as corporate networks

5 How does TORPIG get in?

6 How does TORPIG get in?
- The “malware community” buys ads – they look legitimate when viewed by Google, but inject scripts when viewed by other browsers

7 Drive-by download
- Uses scripting (JavaScript, Flash)
- Intelligence built into the script
  - Looks legitimate except for the “target” audience
  - Avoids certain environments (Linux, MacOS)
- Must find a vulnerable application
  - Looks for dozens of vulnerabilities: browsers, Java plugins, media players (video, audio), Adobe PDF applications

8 The Mebroot “root kit”
- The vulnerability is exploited and a “rootkit” is injected
What is a rootkit?
- Software to give an intruder access to a machine
- The software defends itself against detection and against removal

9 The Mebroot “root kit”
What is the Master Boot Record?
- A machine’s BIOS passes control to the MBR at boot time
- 512 bytes of code
- Holds the partition table
- Bootstraps the OS

10 The Mebroot “root kit”
What does Mebroot do?
- Replaces the MBR
- Intercepts network and disk I/O
  - Mebroot passes the original MBR to the OS for any disk I/O, making it invisible to all programs including antivirus
- “Hides” Torpig in the same way – hides hooks into the OS
- Code is evolving: much more evasive than it used to be
- Mebroot can be used to “hide” future malware
- Symantec Antivirus may detect the hooks – it cannot detect Mebroot
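As an added illustration of slides 9 and 10 (not part of the original presentation), the following Python splits a 512-byte MBR into its boot code, four 16-byte partition entries and the 0x55AA signature, and compares the boot code against a SHA-256 baseline recorded while the system was known clean. The sample sectors are constructed stand-ins, not real Mebroot or OS boot code. Because Mebroot answers disk reads of sector 0 with the original MBR, the check only means something when the sector is read from clean boot media, not from inside the possibly infected OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # x86 boot code occupies bytes 0..445
PART_ENTRY_LEN = 16          # four entries follow at offset 446
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def boot_code_hash(sector: bytes) -> str:
    """Hash only the boot code; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_against_baseline(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS-type partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    return boot + first + b"\x00" * (3 * PART_ENTRY_LEN) + BOOT_SIGNATURE

# Constructed samples (assumption: a replacement MBR keeps the partition table so the OS still boots)
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8)
BASELINE = boot_code_hash(CLEAN_MBR)           # recorded while the system was known clean
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58" + b"\x90" * 60)  # boot code replaced, table intact

if __name__ == "__main__":
    print("clean:", check_against_baseline(CLEAN_MBR, BASELINE))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE))
```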

11 Our best defense: block scripts
- The “malware community” buys ads – they look legitimate when viewed by Google, but inject scripts when viewed by other browsers
- HTML content
- Stop scripting, Java and media including Flash

12 Blocking scripts: NoScript
- NoScript is a browser plugin for Firefox
- Blocks by default: JavaScript, Java, Flash, Silverlight, some other plugins
- Whitelist: allows you to select scripts to run for a session, or always allow
- Sites may also be blacklisted with NoScript

13 NoScript: All good things have a cost
- “My web page looks different!”

14 NoScript: Decisions…
9news.com scripts:
- google-analytics
- coloradonewshome
- revsci.net
- brightcove
- gannett-tv.com
- others…
What they are: statistic gathering, advertising (potential malware), multimedia provider

15 Rules of thumb
- Allow a minimum of what will make a site useful to you
- Sites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)
- Don’t allow advertising: prevents drive-by downloads and speeds up web page loading
- Google Analytics and Google AdSense may always be blocked by NoScript
- Feel free to delete cookies

16 Online banking
- Online banking is the specific target of TORPIG
- Over 300,000 known credential thefts related to banking
- Even small banks are being targeted

17 Online banking: Recommendations
- USE a dedicated SEPARATE BROWSER for online banking
  - Better yet, a separate computer that does no other browsing
  - Virtual machines might work
- Use only one machine from one IP address for banking; this makes it easier to investigate incidents involving banking fraud
- Use strong passwords
- Convince your bank to use a one-time password token

18 PC/Windows recommendations
- Plan so your work may continue in the event of a compromise
  - Be ready to use a secondary machine or laptop
- Reduce your risk
  - Keep applications updated
  - Install and use the Secunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/
  - Be wary of fake antivirus or other popups
- Report anything unusual
  - We’ll do our best to protect your privacy but need information to help investigate virus incidents

19 Mac/Linux recommendations
- MBR malware can just as easily compromise Linux
- Macs use the Extensible Firmware Interface (EFI) to boot – less vulnerable
- Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications
- Situation may change:
  - Adobe and Java vulnerabilities affect Mac and Linux versions as well
  - A growing Macintosh market may make it worth exploiting

20 Mebroot/TORPIG are only our current threat…

21 … Oregon Top 10
- Torpig and Conficker have low detect rates because of new stealth technology like Mebroot
- Social networking virus: we see this often at NCAR

22 Demonstrations
- NoScript plugin
- Secunia Software Inspector (if there’s time)

23 Tim Fredrick, March 17, 2010 …
