SIM310. 1) "Malware Author" grows BOTNET and makes it available to "buyers" 2) Access is purchased via "MarketPlace" 3) BOTNET use granted 4) BOTNET attacks seen at multiple entry points 5) BOTNET also serves to "recruit" additional BOTs

Presentation transcript:

1 SIM310

5 Botnet economy:
   1) "Malware Author" grows BOTNET and makes it available to "buyers"
   2) Access is purchased via "MarketPlace"
   3) BOTNET use granted
   4) BOTNET attacks seen at multiple entry points
   5) BOTNET also serves to "recruit" additional BOTs

9 Protection layers covered in this session:
   Firewall & Configuration Management
   Malware Response ("MMPC")
   Generics and Heuristics
   Antimalware Behavior Monitoring
   Dynamic Signature Service
   Anti-Rootkit
   Network Vulnerability Shielding

12 Source as written by the malware author:
   HANDLE hFile;
   hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
   ...

   Compiled call, unhooked: the call goes through the import address table slot for CreateFileW.
   push 40000000h                           ; GENERIC_WRITE
   push offset string L"NewVirus.exe"       ; lpFileName
   call dword ptr [__imp__CreateFileW@28]   ; IAT slot -> kernel32!CreateFileW
   cmp esi,esp                              ; MSVC debug-build stack check (_RTC_CheckEsp)
   ...

   Same call with the import slot redirected to the detour (DT): the program's code is unchanged, only the pointer it calls through now points at the antimalware hook, which records the FileCreate event and then forwards to the real CreateFileW.
   push 40000000h
   push offset string L"NewVirus.exe"
   call dword ptr [DT_CreateFile]           ; detour replaces the IAT slot
   cmp esi,esp
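The slide shows the mechanism but not the hook itself. The following is an added example, not code from the SIM310 deck or from Microsoft's product: a portable user-mode model of an import-table detour. The "import table" is a struct of function pointers standing in for the real IAT, and the names ImportTable, RealCreateFile, DT_CreateFile, InstallDetour, g_iat and the flag/attribute constants are assumptions made for the illustration (the constant values match the Win32 headers, but nothing here touches Win32).

```c
/* Added example (not from the SIM310 deck): a user-mode model of the
 * import-table detour the slide shows. Names and the "fake handle" return
 * value are assumptions; the constants mirror the Win32 definitions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define GENERIC_WRITE          0x40000000u   /* the slide's push 40000000h */
#define CREATE_NEW             1u
#define FILE_ATTRIBUTE_HIDDEN  0x2u

typedef int (*CreateFileFn)(const char *name, uint32_t access,
                            uint32_t disposition, uint32_t attrs);

/* Simulated import address table. The monitored program calls through this
 * pointer, exactly as `call dword ptr [__imp__CreateFileW@28]` does. */
typedef struct { CreateFileFn CreateFile; } ImportTable;

static int  g_real_calls = 0;          /* how often the real API ran */
static char g_last_event[128];         /* last event the hook recorded */

/* Stand-in for the real kernel32 export: returns a fake handle. */
static int RealCreateFile(const char *name, uint32_t access,
                          uint32_t disposition, uint32_t attrs) {
    (void)access; (void)disposition; (void)attrs;
    g_real_calls++;
    return (int)strlen(name);
}

static CreateFileFn g_original = NULL;  /* saved IAT value */

/* The detour: record a FileCreate event, then continue to the original so
 * the monitored program observes no change in behaviour. */
static int DT_CreateFile(const char *name, uint32_t access,
                         uint32_t disposition, uint32_t attrs) {
    const char *flag = "";
    const char *ext = strrchr(name, '.');
    if (ext && strcmp(ext, ".exe") == 0 && (access & GENERIC_WRITE) &&
        disposition == CREATE_NEW && (attrs & FILE_ATTRIBUTE_HIDDEN))
        flag = " [suspicious: hidden new executable]";
    snprintf(g_last_event, sizeof g_last_event, "FileCreate %s%s", name, flag);
    return g_original(name, access, disposition, attrs);
}

/* Install: save the original pointer once, then overwrite the import slot.
 * Guarding against a second install matters: saving the detour as the
 * "original" would make the hook call itself forever. */
static void InstallDetour(ImportTable *iat) {
    if (g_original == NULL) {
        g_original = iat->CreateFile;
        iat->CreateFile = DT_CreateFile;
    }
}

static ImportTable g_iat = { RealCreateFile };

/* The code path from the slide, calling through the import table. */
int RunSample(void) {
    return g_iat.CreateFile("NewVirus.exe", GENERIC_WRITE, CREATE_NEW,
                            FILE_ATTRIBUTE_HIDDEN);
}

const char  *LastEvent(void) { return g_last_event; }
int          RealCalls(void) { return g_real_calls; }
ImportTable *Iat(void)       { return &g_iat; }
int          IsHooked(void)  { return g_iat.CreateFile == DT_CreateFile; }

int main(void) {
    InstallDetour(&g_iat);
    int h = RunSample();
    printf("handle=%d event=\"%s\" real_calls=%d\n", h, LastEvent(), RealCalls());
    return 0;
}
```

The point to take from the model is the one the slide makes: the monitored binary is never patched, only the pointer it dereferences, so the detour sees every call the program makes through that import and can classify it before the real API runs.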

14 Monitored events by category, and what each is good for:
   Filesystem: FileCreate, FileOpen, FileModify, FileDelete, FileRename
     Good for detecting droppers and file infectors
   Registry: RegistryKeyCreate, RegistrySetValue, RegistryKeyDelete, RegistryValueDelete, RegistryKeyRename
     Good for ASEPs and detecting tampering with software keys and configuration
   Network: IRC
     Good for detecting IRC bots
   Other: ModuleLoad, ProcessCreate, OpenProcess, ProcessTerminate, DriverLoad, BootSectorChange, RemoteThreadInject, RawWrite
     Good for detecting process infectors and exploits, and for detecting rootkit installers

15 FILTER for EVENTS: ignore the event if the program the process is running has a clean file reputation (or the driver does, in the kernel-tampering case). The reputation check runs before any behavior rule, so clean, signed software never reaches the heuristics.
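Slides 14 and 15 together describe a pipeline: categorised events come in, the reputation filter drops the ones from clean images, and the rest are matched against behavior rules. The following is an added example, not code from the deck or from the product, showing that pipeline over a constructed event stream. The event names are the ones on slide 14; the rule table, the three reputation values, the verdict strings and the sample events are assumptions made for the illustration.

```c
/* Added example (not from the SIM310 deck): a toy behavior-monitoring
 * evaluator. Event names follow slide 14; rules, reputations and the sample
 * stream are assumptions, and the stream is constructed, not real telemetry. */
#include <stdio.h>
#include <string.h>

typedef enum { REP_UNKNOWN, REP_CLEAN, REP_MALICIOUS } Reputation;

typedef struct {
    const char *event;     /* e.g. "RegistrySetValue" */
    const char *target;    /* path, registry key or remote host */
    int         pid;
    Reputation  image_rep; /* reputation of the image behind the process
                              (for DriverLoad this would be the driver's) */
} Event;

typedef struct {
    const char *event;
    const char *target_substr;  /* NULL = match any target */
    const char *verdict;
} Rule;

/* Rules mirroring the "good for detecting ..." notes on slide 14. */
static const Rule RULES[] = {
    { "FileCreate",         ".exe",                   "dropper / file infector" },
    { "RegistrySetValue",   "\\CurrentVersion\\Run",  "ASEP persistence" },
    { "RemoteThreadInject", NULL,                     "process infector / exploit" },
    { "DriverLoad",         NULL,                     "rootkit installer" },
    { "BootSectorChange",   NULL,                     "rootkit installer" },
    { "RawWrite",           NULL,                     "rootkit installer" },
    { "IRC",                NULL,                     "IRC bot" },
};

/* Verdict for one event, or NULL when it is filtered out or matches no rule.
 * Slide 15's filter runs first: a clean image reputation short-circuits
 * everything else, which is what keeps the rule set cheap to evaluate. */
const char *Evaluate(const Event *e) {
    if (e->image_rep == REP_CLEAN) return NULL;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        if (strcmp(RULES[i].event, e->event) != 0) continue;
        if (RULES[i].target_substr && !strstr(e->target, RULES[i].target_substr))
            continue;
        return RULES[i].verdict;
    }
    return NULL;
}

/* Evaluate a whole stream; fills verdicts[] and returns the number flagged. */
int ScanStream(const Event *events, size_t n, const char **verdicts) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        verdicts[i] = Evaluate(&events[i]);
        if (verdicts[i]) hits++;
    }
    return hits;
}

/* Constructed sample stream: one suspicious process (pid 4120) dropping a
 * hidden executable, persisting via Run, and joining IRC, plus a clean
 * installer and a benign ProcessCreate. */
static const Event SAMPLE[] = {
    { "FileCreate",       "C:\\Users\\Public\\NewVirus.exe",                              4120, REP_UNKNOWN },
    { "RegistrySetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", 4120, REP_UNKNOWN },
    { "FileCreate",       "C:\\Program Files\\Vendor\\setup.exe",                         812,  REP_CLEAN },
    { "IRC",              "irc.example.net:6667",                                        4120, REP_UNKNOWN },
    { "ProcessCreate",    "C:\\Windows\\notepad.exe",                                    4120, REP_UNKNOWN },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int SampleStreamHits(void) {
    const char *verdicts[SAMPLE_N];
    return ScanStream(SAMPLE, SAMPLE_N, verdicts);
}

int main(void) {
    const char *verdicts[SAMPLE_N];
    int hits = ScanStream(SAMPLE, SAMPLE_N, verdicts);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("pid %d %-16s %-60s -> %s\n", SAMPLE[i].pid, SAMPLE[i].event,
               SAMPLE[i].target, verdicts[i] ? verdicts[i] : "(ignored)");
    printf("%d of %zu events flagged\n", hits, SAMPLE_N);
    return 0;
}
```

The clean installer writes an .exe just like the dropper does, and only the reputation filter separates the two; that is the trade-off slide 15 is making, and it is also why a reputation database that wrongly marks a malicious image clean blinds every rule downstream.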

18 demo

23 demo

26 demo

28 Summary of protection layers:
   Anti-Rootkit
   Generics and Heuristics
   Real-time Protection
   Behavior Monitoring
   Dynamic Signature Service
   Malware Response
   Network Vulnerability Shielding

30 Convergence of Management and Security
   Built on System Center Configuration Manager 2012
   Advanced protection with lower impact on productivity
   New Enhancements:
     Simplified hierarchy model
     Role Based Access Control
     Definition Updates and automatic approval rules through ConfigMgr
     Improved alert timings
   Evaluation Options:
     FEP 2012 Beta available now: http://www.microsoft.com/fep
     Join Community Evaluation Program (included in ConfigMgr CEP): https://connect.microsoft.com/site1211

32 Resources:
   Sessions On-Demand & Community: www.microsoft.com/teched
   Microsoft Certification & Training Resources: www.microsoft.com/learning
   Resources for IT Professionals: http://microsoft.com/technet
   Resources for Developers: http://microsoft.com/msdn
   Connect. Share. Discuss.: http://northamerica.msteched.com