 Mal icious soft ware  Programs that violate one (or more) of the IA pillars  Does not (generally) refer to unintentional program bugs that violate IA pillars  Different approach to attacking a system  Not remote access network-based attacks  Can be used to enable such attacks  Victim generally installs the malware, or takes some action that results in installation  Often associated with online crime  Categorized by delivery and propagation techniques  Virus  Worm  Trojan Malware2

 Computer program that can replicate itself  “Infects” a computer without permission or knowledge of user  Attaches itself to another program or file  Usually executables  Cannot replicate unless the file is executed  Cannot spread beyond the system without human intervention Malware3

 Program  Most traditional virus type  Malicious program attached to another program file  Macro  Set of instructions embedded in documents (i.e., Word)  Analogous to a script embedded in a webpage  Executes whenever the document is opened/edited Malware4

 Cross-site Scripting  Malicious code injected into a website  Commonly seen on social media sites  Facebook, MySpace, Twitter, etc.  User views a page containing the malicious script  Script attempts to replicate itself to the user’s profile  Anyone viewing the user’s profile is also infected  Boot sector  Boot sector instructs the computer how to boot the operating system  Virus attaches itself to the boot sector code  Runs every time the computer is started Malware5

 Self-replicating, self-propagating program  Often uses networking mechanisms to propagate  Typically utilizes an exploit to gain access to a system and copy itself  Scans surrounding network looking for additional victims  Attempts to exploit them and copy itself  Other replication methods exist  Ex: autorun of removable media devices Malware6

 Derived from the Trojan Horse story in Greek mythology  Program appears to have a useful function  Also has a hidden (potentially malicious) function  Scareware example  User visits a website  Window pops up indicating they have X types of spyware/viruses on their computer  User downloads and install the advertised anti-virus program  Program indicates viruses have been removed  Also installs malware without victim’s knowledge  Often botnet software  Check your SI110 webpage Malware7

 Malware can be used to do several things  Delete files  Send files back to the attacker  Allow your computer to be used as part of a botnet  Send spam s or perform DDoS attacks  Allow your computer to be used as a springboard for another network attack  Mask the true source of the attack  Install programs  Keyloggers  Spyware  Adware  Perform screen captures  Turn on webcam/microphone Malware8

 User/administrator observes abnormal behavior of the system  Actions not initiated by user  New toolbar  Program they did not install  Browser homepage changes  Processing/network slowdown  Anti-virus scans can detect many types of malware  Signatures  Heuristics  IDS/IPS detects abnormal network traffic  Worm propagation  Firewall or gateway can incorporate malware scanners  Prevent malware from reaching the victim’s machine Malware9

 Best practices  Principle of Least Privilege  Execute all tasks with lowest permissions possible  Not all tasks require admin privileges  Separate user and administrator accounts  Keep anti-virus signatures up-to-date  Run full scan periodically  Install operating systems updates when available  Keep 3 rd party software up-to-date as well  Turn off the system when not in use  Enable auditing  Keep system physically secure  Follow/enforce usage policies  Report abnormal behavior  User training/education Malware10

  Open only from trusted sources  Verify attachments  Scan before opening/running  Beware of online scams  No one wants to give you money!!!  s asking you to verify account information  Visit website rather than following link  Online  Only visit trusted websites  Be aware of HTTP cookies - block or disable as necessary  Removable media  Disable autorun for removable media devices  Do not share removable media between networks  Follow established policies if required Malware11

Malware12

 Duqu was initiated with a spearphishing attack:  An to a company employee requesting more information with, in particular, the line "In the attached file, please see a list of requests."  The "attached file" was an innocuous- looking MS Word doc. Opening up that document is what started all the trouble. The user actually opened the door and let the attacker in when he opened that . Malware13

 The Word doc sent contained an "embedded font", meaning that the file contained within in it a block of bytes that defined what the characters used in the document should look like when displayed.  The bytes that comprise the font definition are read in and processed by OS that runs with administrator privileges; in such a way as to trick this OS code into executing shell code which ran with the highest possible privileges.  This shell code installed the Duqu malware, which then was up and running long-term on the host, regardless of whether the Word document or Word itself remained open.  Called Duqu because it created files with prefix “~DQ” Malware14

 Duqu contacted a command-and-control (C&C) server to receive instructions  In fact, the communication between C&C and the infected machine was done over HTTP and HTTPS. At least one Duqu C&C server was traced to a machine in Belgium at IP address  The C&C server loaded an extra module (piece of code) on the infected host that allowed it to attack another machine on the same network, making use of that local network access. Yet another module loaded onto the infected host by the C&C server was a key logger, which logged keystrokes and grabbed screen captures.  Once inside a privileged hosts, we have demonstrated how much ease we have to manipulate data. Malware15

Malware16

Malware17

 Contact your IT department or network administrator  Disconnect from the network  Prevent exfiltration of personal information  Limit propagation  Backup important files  Scan for malware  Treat all files and programs as infected until verified Malware18

 Recovery options  Attempt to clean the malware from the system  Some malware designed to hide from repair tools  Restore to “known good” state  Prior to malware infection  Forensics can help determine last “known good” state  Reinstall from original media  Ensure all OS and application updates are installed  Fix vulnerabilities and configure security settings before returning system to service Malware19