Presentation on theme: "Threats of Computing in a Virus-Filled World or, how I stopped worrying and learned to love the worm…. Dr. John Johnson, CISSP."— Presentation transcript:
Threats of Computing in a Virus-Filled World or, how I stopped worrying and learned to love the worm…. Dr. John Johnson, CISSP
The Joys of Computing in 2003 65,336 PC viruses discovered to date 4,129 IT vulnerabilities in 2002 [http://www.bullguard.com/antivirus/news_184.aspx]http://www.bullguard.com/antivirus/news_184.aspx 40 Critical Microsoft Vulnerabilities by Oct. Millions Reported in Damage Last Year Due to Viruses MSBlast Continues to Spread Sobig.C – The Tip of the Iceberg IE users defenceless to trojan attack Broadband severely increases security risk
Agenda Ill talk about the problem and give some examples. Ill give some ideas to deal with viruses in both the corporate and home environments. Ill give some Best Practice suggestions. Ill give some WWW resources. Ill try to take as many questions as I can before the drinking starts!
CSI/FBI Computer Crime Survey 2003 (Virus Loss) 2000200120022003 Low $ 100 100040 High $ 10M20M9M6M Avg $ 180k244k283k200k Total $ 29M45M50M27M 2003 CSI/FBI Computer Crime Survey, www.gocsi.org based on 47% of the 530 responses that could quantify these losses
VIRUS Definition: (loose) Self-replicating program History: Malicious viruses didnt arise until the 1980s. Fewer than 5 viruses in 1987 Boot Sector Viruses – infecting diskettes Macro Viruses – use a macro language and spread via applications like Microsoft Word (first cross platform virus) There are now > 10,000 macro viruses worldwide. Who Writes Them? No longer just the teenager, now the profile is 14-30s Male, looking to feel empowered
HOAXES & CHAIN LETTERS Definition: Hoaxes and Chain letters are sometimes just jokes, sometimes annoying, and sometimes dangerous Social Engineering: Often these email messages are a great waste of time and bandwidth, with people sending them to all of their friends. Sometimes, they convince the user to actually delete files (like the JBDGMGR teddy bear hoax). With a misconfigured email system, the confusion alone can cause many replies which then route to all the users on a mailing list, and the noise can take days to die down. Some antivirus programs treat these like viruses and quarantine them.
WORM Definition: A worm is a self-replicating program that propagates from host to host. History: Originally, a sector map would show worm- like errors from a misbehaving code. The name stuck and came to describe viruses that act on their own using more and more sophistication, exploiting technology and vulnerabilities. The first worms were helpful tasks, and malicious worms have become the most dangerous kind of viral threat.
MASS-MAILER Definition: Mass-mailers exploit vulnerabilities in the way email programs work, like Microsoft Outlook, to gather email addresses and spread to all the users they can find via email. These messages look like they came from a friend (social engineering), so they are often opened and executed. Some will auto-execute, exploiting an operating system vulnerability as well.
LoveLetter The I Love You Virus hit in May, 2000. This was my first BIG virus crisis! It started with an innocent letter, appealing to lonely email readers (social engineering). The subject was I Love You, and the payload was a VBS script that, when executed, quickly spread in email to all the users in your address book, and wormed its way through fileshares, destroying image files. At least 82 variants of this worm were discovered. The latest is VBS.LoveLetter.CN, dated May 31, 2001.
TROJANS, BACKDOORS & ZOMBIES Definition: These spread as viruses and worms, and include hidden code that will allow a remote user to access the computer or use the computer to attack another. As an example, be wary of any screensavers my son might send you! It may contain netcat, a program that allows him to remote control your computer, see your screen, open your CD drawer and play with your mouse. Not all are so kind. Some will use your computer as a launching point in a multi-layered attack against another target. They can use you as a zombie in a Distributed Denial of Service (DDoS) attack.
BLENDED THREATS Definition: A blended threat will use network vulnerabilities (often known widely for many months) along with virus or worm vectors to quickly spread to many hosts. History: In 2001, Code Red came out late in the summer. It was the first virus that spread using a published vulnerability in IIS on Windows NT and Windows 2000. Blended threats are the fastest growing and most dangerous type of virus threat to date. Within minutes, vulnerable computers across the world can become infected (depending on the vulnerability.) Response to Blended Threats requires both antivirus tools and network tools (to monitor and control – such as IDS and routers).
Code Red History: In 2001, Code Red came out late in the summer. (The name came from the team at eEye that discovered it, as they were spending many long hours drinking Mountain Dew Code Red.) The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service, exploiting this vulnerability and propagating as a worm. Code Red performed a denial of service on whitehouse.gov. Code Red II, quickly followed on the heels of Code Red. It was more destructive, but used the same buffer overflow vulnerability. Code Red II contained a trojan file, and modified system files.
Nimda History: Nimda (admin spelled backwards) followed closely on the heels of Code Red. It was first discovered 9/18/01. Nimda used a vulnerability in MIME types to auto-execute and become memory-resident. Therefore, a machine that was unpatched, could become infected even if it had antivirus. Sends itself by email. Searches for open network shares. Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers. Is a virus infecting both local files and files on remote network shares. Several variants of Nimda came out subsequently.
Blaster History: The Blaster virus came out in August this year. It was a real big pain too! It used a recent exploit announced (DCOM RPC) by Microsoft. It also looked for open TFTP shares. This virus used common ports that Microsoft also uses for filesharing. It also attempted a Denial of Service against Microsoft. It tried to download a trojan and install it. Several variations on the theme followed.
SQL Slammer History: This virus exploited a known SQL injection vulnerability. This virus spread to 90% of all the vulnerable (exposed) hosts on the Internet in just 10 minutes. Once infected, a computer sent out attempts to infect subsequent computers with the same virus. An unintended side effect was the Denial of Service generated by the tremendous amount of network traffic. ATM systems, and other major corporations were shut down until they had filters in place on their routers and firewalls. The only way to fully stop a virus like SQL Slammer or Blaster is to patch all vulnerable machines.
SPYWARE/ADWARE History: These are annoying and often you dont even know they are running, or what they are reporting. They can include hidden programs to spy on your activities. They can be simple marketing gimmicks (gator.exe), Or they can be annoying and alter your browser and cause pop-ups. They can even be used to steal passwords. Sometimes these get installed when you download a free program off the Internet. Always be careful what you download and what you click on. You may agree to install something by clicking on the EULA without realizing it.
SPAM History: We all know what SPAM is, and it aint all that tasty! SPAM is annoying, unsolicited email. Often the spammer generates a subject that looks legitimate, or a FROM address that looks like someone you might know. It might say MOM or JOHN, and may refer to something that looks like you already discussed in a previous email. Sometimes they try to use the Authority card, and pose as an update from Microsoft or Dell. Most people report over a third of their email is now SPAM (and growing!) SPAM costs businesses an estimated $11.9B/year in 2003.
SPAM Fighting How you might fight the SPAM… Dont open anything from anyone you dont know. Dont answer SPAM – it tells them that you exist. At home, buy a spam filtering program and update it. At work, or ask your ISP to install spam filtering. Content filtering can block certain adult material, as well as messages that appear suspicious. (This can also destroy legitimate emails.) At work, use a web proxy to avoid downloading web bugs. At work, subscribe to a Black Hole List. Register online for FTC No Spam Registry. (legal?)
SPAM Resources Realtime Blackhole List http://www.mail-abuse.org/rbl http://www.mail-abuse.org/rbl Boycott Internet Spam http://spam.abuse.net http://spam.abuse.net Network Abuse Clearinghouse http://www.abuse.net http://www.abuse.net Forum for Responsible and Ethical Email http://www.spamfree.org http://www.spamfree.org
Now, How can I keep my data with everyone about me losing theirs? Take a deep breath. Its not so bad. (It could be a lot worse!) What does this mean for the corporation? What does this mean for the home user?
The Corporate Threat Game Plan: Defense in Depth! Firewalls DMZ for Internet exposed applications Web Proxy Content Filtering (web, smtp, ftp…) Client Antivirus, Email Antivirus, SMTP Gateway Antivirus Intrusion Detection Access Controls on Remote Access/Wireless Security Awareness A Good Security Team! Documentation and tested response
On the Homefront Im not really a computer expert… You dont have to be. Have confidence. Know when to ask an expert, and dont be shy! Be extra careful if you have kids and/or broadband. Fork over the money and buy ANTIVIRUS! Keep your antivirus UPDATED! Keep your computer patched!(If you dont own a PC you have a lot less to worry about!) Get SPAM filtering software / Pop-up blocking If youre on broadband, you should have a firewall too.
On the Homefront Virus Protection - BUY a copy of a good antivirus program (like Symantec, McAfee, Trend, Panda...)Available for all platforms. If you like the online scanner below, you can purchase a commercial version from their site for around $30 with a 1- year subscription. - Keep it updated AT LEAST once a week. Try to set it to autocheck at a convenient time so you don't forget. The paid subscription lets you auto-update. If you don't pay after it expires, you can still get virus updates manually from the vendor website, in most cases. - Here is a link to a page I made to check on the latest virus news: http://www.cybermaze.com/security/virstat.html - Here are some links to FREE ONLINE resources for scanning your PC. + Symantec (PC): http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym (you can perform a virus scan, or check for vulnerabilities) + Trend Micro (PC): http://housecall.trendmicro.com/http://housecall.trendmicro.com/ + Panda (PC): http://www.pandasoftware.com/activescan/com/activescan_principal.htm + McAfee (PC): http://us.mcafee.com/root/mfs/default.asphttp://us.mcafee.com/root/mfs/default.asp
On the Homefront SPAM -There is nothing worse than having a TON of junk mail in your inbox when you check it. You may not check mail every day, which makes it even more of a chore to deal with the glut of SPAM. - When you get junk mail, you will generally know it is not from someone you know. If you are in doubt, just DELETE the message. Don't take the risk of opening unsolicited email. - Even though you can sometimes opt out of SPAM mailing lists by following the instructions at the bottom of the message, more often than not you are letting the SPAMMER know you are there, and they will send you more SPAM. So, don't reply to SPAM. - Until there is some miracle way of opting out of it altogether, you will need to invest in a SPAM blocking program. While there are filtering options in some email systems, they are weak and it is worth a few bucks to buy a program that will filter SPAM and have a subscription to keep updated with new filters. Here are some options: + McAfee/Spamkiller (PC, $30): http://us.mcafee.com/root/package.asp?pkgid=156 http://us.mcafee.com/root/package.asp?pkgid=156 + Matterform/Spamfire (Mac only for now, $25/$40): http://www.matterform.com/ http://www.matterform.com/ + CoffeeCup PC - haven't tried, but good reviews, $30): http://www.tucows.com/preview/295552.html http://www.tucows.com/preview/295552.html + SpamWeed for POP3(bayesian spam filter, should learn and improve over time - haven't tried but looks good, $30): http://www.tucows.com/preview/318216.html http://www.tucows.com/preview/318216.html
On the Homefront Ad-Ware Dealing with Ad-Ware/Malware (the stuff that gets installed when you download another program or visit a website that reports on what you do) - This is primarily a PC problem, so these tools are exclusively for the PC. - Here are links to a couple FREE software packages that you can use to scan for any adware that might be installed on your system (i.e. Gator, etc.): + Ad-aware (PC, FREE): http://www.lavasoft.de/support/download/ + Spybot (PC, FREE): http://www.safer-networking.org/http://www.safer-networking.org/
On the Homefront Pop-up Blocking There are several vendors that have tools to block pop-ups. Always be careful that you don't install spyware in the process of downloading a neat toolbar to block pop-ups. Here are some I like. They may also have additional functionality, like Google searching, etc. (Mozilla might be the only pop-up blocker for classic MacOS users.) + Google Toolbar (PC, FREE): http://toolbar.google.com/http://toolbar.google.com/ + You might also try running Mozilla, instead of Internet Explorer: http://www.mozilla.org/http://www.mozilla.org/ + On MacOS X, use Safari, it will block pop-ups: http://www.apple.com/safari/ + CoffeeCup Pop-up Blocker ($20): http://www.tucows.com/preview/289024.html
On the Homefront Vulnerability Patching It is vital that your PC remain patched from critical security vulnerabilities. This Windows site will check your computer for missing patches, you should keep the security patches updated, but may decide not to install other large patches that are not "critical security patches". [Note: Most new operating systems offer the ability to auto-patch your system, you may decide this is your best option, and that way you won't forget. FOR MAC USERS: You can also use the control panel to look for "software updates" on the Mac... this site is for the savvy MacOS X user. In general, the Mac is much less vulnerable to viruses than the PC.] Some of the recent "blended" threats, like Blaster, will infect ANY unpatched computer that is vulnerable if left long enough on the Internet. Even if you have the latest antivirus. Remember that antivirus is NOT a 100% solution anymore. + Microsoft(PC): http://windowsupdate.microsoft.com/http://windowsupdate.microsoft.com/ + Apple(MacOS X) Security Updates: http://docs.info.apple.com/article.html?artnum=61798
The Future In the future, the Internet will extend its reach into your home and every aspect of your life. Viruses and threats will become commonplace. Vendors will need to ship computers with default deny, instead of default allow. If you keep updated and practice safe computing,you will probably stay safe and keep your data in the chaos.
RESOURCES CERT: http://www.cert.org/other_sources/viruses.htmlhttp://www.cert.org/other_sources/viruses.html VMyths: http://www.vmyths.com/http://www.vmyths.com/ Computer Secutiry Institute: http://www.gocsi.com/http://www.gocsi.com/ Johns Security Page: http://www.cybermaze.com/security/index2.html http://www.cybermaze.com/security/index2.html A Virus Tutorial: http://www.cknow.com/vtutor/http://www.cknow.com/vtutor/ NIST: http://cs-www.ncsl.nist.gov/virus/http://cs-www.ncsl.nist.gov/virus/ X-Force (ISS): http://xforce.iss.net/http://xforce.iss.net/ Microsoft Updates: http://windowsupdate.microsoft.comhttp://windowsupdate.microsoft.com You may also go to a good online software site, like http://www.tucows.com/ and go under your operating system (Windows, Mac, Linux) and then click on Internet to pull up tons of freeware and software titles if you don't find something that you like in my list above. http://www.tucows.com/