Tim Fredrick March 2010 NCAR/ACD/NESL Computing The Mebroot/Torpig threat UCAR Malware incidents.


Malware Presentation 2010: What we’re up against

Infections in ACD
- Attempted compromise of a Linux machine visiting a newspaper site
- Successful compromise of 2 Windows XP machines and 1 Vista machine
- Multiple infections of UCAR systems – all Windows PCs
- One UCAR system re-infected after it was reformatted/reinstalled
- All were variants of TORPIG – all detected by monitoring network activity
Cost of infections
- TIME: security staff, system administrators, end user
- Systems must be reformatted/reinstalled (in ACD we’ve used new disks)
- Each system must remain down for forensics for approx. 1 week
- In one case, a staff member complained personal information was removed from his/her control

What is infecting us: TORPIG/MEBROOT
- MEBROOT is a “rootkit” (aka Sinowal or Anserin)
- TORPIG is a keystroke logger
What does TORPIG do?
- Scans for credentials
- Keystroke logging – sends to evasive but known collection sites
- Knows about hundreds of banking sites; captures credentials
- RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts
- Motivation: financial
- A problem among personal computers as well as corporate networks

How does TORPIG get in?

How does TORPIG get in?
- The “malware community” buys ads – they look legitimate when viewed by Google, but inject scripts when viewed by other browsers

Drive-by download
- Uses scripting (JavaScript, Flash)
- Intelligence built into the script: looks legitimate except for the “target” audience; avoids certain environments (Linux, MacOS)
- Must find a vulnerable application
- Looks for dozens of vulnerabilities: browsers, Java plugins, media players (video, audio), Adobe PDF applications

The Mebroot “rootkit”
- The vulnerability is exploited and a “rootkit” is injected
- What is a rootkit? Software that gives an intruder access to a machine
- The software defends itself against detection and against removal

The Mebroot “rootkit”: What is the Master Boot Record?
- A machine’s BIOS passes control to the MBR at boot time
- 512 bytes of code
- Holds the partition table
- Bootstraps the OS

The Mebroot “rootkit”: What does Mebroot do?
- Replaces the MBR
- Intercepts network and disk I/O
- Mebroot returns the original MBR to the OS for any disk I/O, making it invisible to all programs including antivirus
- “Hides” Torpig in the same way – hides its hooks into the OS
- Code is evolving: much more evasive than it used to be
- Mebroot can be used to “hide” future malware
- Symantec Antivirus may detect the hooks – it cannot detect Mebroot
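As an added example (not part of the slides), a small offline MBR integrity check in Python: it parses a 512-byte sector, verifies the 0x55AA signature and the partition table, and compares a hash of the boot-code region against a trusted baseline. Because Mebroot hands the original MBR back to any disk I/O issued from the running OS, the sector has to be read from trusted boot media for the comparison to mean anything; the sample sectors and the baseline hash below are constructed for the demonstration.

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot code a bootkit like Mebroot replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # bytes 510..511 must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into signature check, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, start LBA, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:   # type 0x00 marks an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings against a trusted baseline; an empty list means the MBR matches."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from trusted baseline")
    if not info["partitions"]:
        findings.append("no partitions defined")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code plus one bootable NTFS (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed samples: a "known-good" sector, its baseline hash, and a tampered copy
CLEAN = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
TAMPERED = make_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED, BASELINE))
```

On a real system the baseline hash is taken from the sector right after a clean install, and the sector under test is read from the raw disk while booted from separate trusted media.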

Our best defense: block scripts
- The “malware community” buys ads – they look legitimate when viewed by Google, but inject scripts when viewed by other browsers
- HTML content: stop scripting, Java and media incl. Flash

Blocking scripts: NoScript
- NoScript is a browser plugin for Firefox
- Blocks by default: JavaScript, Java, Flash, Silverlight, some other plugins
- Whitelist: allows you to select scripts to run for a session, or always allow
- Sites may also be blacklisted with NoScript

NoScript: All good things have a cost – “My web page looks different!”

NoScript: Decisions…
- 9news.com scripts: google-analytics, coloradonewshome, revsci.net, brightcove, gannett-tv.com, others…
- Statistic gathering
- Advertising (potential malware)
- Multimedia provider

Rules of thumb
- Allow a minimum of what will make a site useful to you
- Sites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)
- Don’t allow advertising: prevents drive-by downloads, speeds up web page loading
- Google Analytics and Google AdSense may always be blocked by NoScript
- Feel free to delete cookies

Online banking
- Online banking is the specific target of TORPIG
- Over 300,000 known credential thefts related to banking
- Even small banks are being targeted

Online banking: Recommendations
- USE a dedicated SEPARATE BROWSER for online banking
- Better yet, a separate computer that does no other browsing; virtual machines might work
- Use only one machine from one IP address for banking – makes it easier to investigate incidents involving banking fraud
- Use strong passwords
- Convince your bank to use a one-time password token

PC/Windows recommendations
- Plan so your work may continue in the event of a compromise: be ready to use a secondary machine or laptop
- Reduce your risk: keep applications updated; install and use the Secunia Software Inspector
- Be wary of fake antivirus or other popups
- Report anything unusual – we’ll do our best to protect your privacy but need information to help investigate virus incidents

Mac/Linux recommendations
- MBR malware can just as easily compromise Linux
- Macs use Extensible Firmware Interface (EFI) to boot – less vulnerable
- Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications
- Situation may change: Adobe and Java vulnerabilities affect Mac and Linux versions as well; a growing Macintosh market may make it worth exploiting

Mebroot/TORPIG are only our current threat…

… Oregon Top 10
- Torpig & Conficker have low detect rates because of new stealth technology like Mebroot
- Social networking virus – we see this often at NCAR

Demonstrations
- NoScript plugin
- Secunia Software Inspector (if there’s time)

Tim Fredrick, March 17, 2010 …