Malware Workshop

  March 2006
"Security is a journey not a destination"
Malware Agenda
   Policy
   Categories
   Prevention through
   Malware
        Host software
        Virus outbreak scenario
        Management
        Spyware/Adware
        Hacker method scenario
   Links
                  SPICE Policy on Malware
   Robust Policy
   Main idea:
        ISM's responsibility to
           Ensure ALL hosts have ability to protect
           Enforce the integrity of protection.

        User's responsibility to
              Use reasonable precautions when importing
              Recognize malicious protection on devices in
               their custody
              Report any malicious event on host to ISM
   Fully compliant to the policy?
        Visit
              HSC Policies and Standards
   NIST defines malware
        General, as the attributes of malware are ever changing.
   Subjectively inclusive but not limited to:
        Viruses
        Worms
        Trojan Horses
        Backdoors
        Keystroke loggers
        Rootkits
        Tracking Cookies
        The list could go on and on…
   What is and what isn't malware is debatable
        Phishing, virus hoaxes
                      Awareness / History
                    Should we be concerned?
 [Chart: malware growth by year, 1999 to 2004; figures shown: 5,627, 15,825, 156,904, 5,000,000]
   Educate users to
        know the Spice policy and your unit policy.
        be aware of suspicious events
        not to attempt to bypass security controls
        not execute or download apps from untrusted sources
        Know what social engineering is
   Review host security workshop (January 2006)
        Patching/Updates
        Limit user privileges
        Host firewalls
        Disabling unneeded services
        MBSA
        CISecurity Baseline
   Review general awareness training (February 2006)
   Review the eduguides.
                    Prevention Continued
                                        Defense in depth
 [Diagram: defense-in-depth layers, labelled Current, Consistent, Compliant. From the host outward: Personal Antivirus; System Policy and Procedures; Local Connections and Processes; File Server Antivirus; Email Gateway Content Antivirus; Router ACLs; URL Filtering; WAN Firewall and Processes; Infrastructure]

                Malware Software
   Malicious software detection is a must
    on every host.
       Protect all hosts that you are responsible for
       Network connected or not
          Your Malware solution must
   Prevent and Detect Virus Infection
   Have auto update configured
       Keeping Virus Scanner up-to-date and confident of the
   Be sure On-Access Scanning is done real time
       Make sure the service is running at all times
   Routinely Scan Fixed Disks
        Schedule off hours at least once a week
            Minimally once a month
        Adjust as necessary on outbreaks
        Malware Software Options
   Block specific ports or make rules that
    apply to a specific file or location during a
    virus outbreak
   Stop the payload of the exploit from
    affecting the targeted computer and
    prevent it from spreading
   Report to a Management Server
    Which malware vendor do you use?
   There are many vendors of Malware
    protection that may fit your needs
   Can your selected unit's malware
    product buy you the time needed
    between a virus outbreak and a new
    signature release?
   Avoid unnecessary additional expenses
    to the University
                  Malware Software at UF
   Symantec AntiVirus
            HSC IT Center
   Available malware software licensed to UF
        Linux
            McAfee LinuxShield
        Macintosh
            Virex
        Windows
            VirusScan Enterprise
        NetWare
              NetShield
   There is no extra charge for the use of McAfee software to a Unit
                   McAfee VirusScan 8.0i
   McAfee was the chosen enterprise product at UF
   Features comply with the HSC policy
   Available to faculty, students, and staff
   Has extra features but use with caution:
        Access Protection
            Adds some firewall protection to your computer
           Enabled by default

        Buffer Overflow Protection
            Prevents buffer overflows from executing code on your computer
            Enabled by default

        'Unwanted Programs Policy'
              This will remove some spyware and adware
              Not enabled by default
        McAfee VirusScan 8.0i

Wouldn't it be a headache to manage the console for
   each host individually to comply with policy?
Are all of your hosts' signatures up to date? How do you know?

Do your users know how to
          Response to a Virus. Example…
                Using VirusScan
   Suppose a new threat is announced
        Sans
        Avert
        Symantec Security Response
        HSC Security Group
   A rule might be used during the brief time between when a virus goes wild and
    when a new signature update is available and tested.
   We know the virus:
        typically when run, it copies itself to the following directories:
        %windir%\system32\drvdll.exe
        %windir%\system32\drvddll.exeopen
        %windir%\system32\drvddll.exeopenopen
        %windir%\CPLSTUB.exe
McAfee V8.0i example rule creation
  [Screenshot: Rule 1 combined with Rule 2]
Suppose you're already hit with Bagle

    Prevent the spread
    Identify machines affected
        Rule will trigger not only when a virus tries
         to infect (create) but also when it tries to
         run (write, read, execute)
             Bagle example continued…
                (port blocking rules)
   Bagle spread through email
       The first default rule combats the email spread
       Default (Rule 0) that blocks outgoing traffic on port 25
   Prevent the virus from obtaining instructions from
    the virus author
       Create a port blocking rule that prevents incoming traffic
        on port 2535
   Prevent the virus from downloading scripts
       McAfee already includes a default rule (Rule 3) that prevents
        outgoing traffic on port 80 unless the traffic is from one of
        the web browsers listed
   Mass mailers and share-hoppers
       Restrict write access to incoming network connections
        with Share Blocking Rules
       “Prevent remote creation/modification/deletion of …”
   A common virus action
       Copying itself into the Windows directory and setting a registry
        value so that it is started at either logon or when
        another application starts.
       Use rules to satisfy this
    Other uses for port blocking and file,
       share, and folder protection.
   Preventing the spread
        prevent the receipt of instructions
        use port blocking rules
   Viruses targeting specific applications
        Internet Explorer
        create specific rules that name iexplore.exe as
         the process, which prevent the creation or the
         writing of files to the '%windir%\**' directory and
         the 'program files\**' directory
              A Potential Headache
   Don't break functionality
       existing applications
       network connectivity
   Plan well
       Use rules in warning mode first
          Report access attempts without blocking
          Monitor the impact
       Use discretion when entering wildcards
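The Bagle rules from the preceding slides (file protection rules naming the dropped files, port blocking on 25, 2535 and 80, and process-scoped rules for iexplore.exe) together with the advice to run new rules in warning mode first can be tried out against recorded host activity before they go anywhere near a production host. The Python script below is an added example written for this workshop page; it is not McAfee's code and does not use VirusScan's real rule format. It models the two rule types the way the slides describe them, applies them to a constructed activity log, and distinguishes "would block" (warning mode) from "blocked". The `%windir%` value, the `*` versus `**` wildcard semantics, the drive letter in `C:\Program Files\**` and every event are assumptions made for the example.

```python
"""Simulation of VirusScan-style access protection and port blocking rules.

Added example for this workshop page, not McAfee's own code or rule format.
It models file/folder protection rules with a process scope and port
blocking rules with process exceptions, plus the "warning mode first"
practice. All rule contents and events are constructed for the example.
"""
import re
from dataclasses import dataclass

WINDIR = r"C:\WINDOWS"  # assumed expansion of %windir% for the example
ALL_ACTIONS = frozenset({"create", "write", "read", "execute"})


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn a rule path pattern into a regex.  Assumed semantics: '**' matches
    across directory levels, '*' stays within one level, %windir% expands."""
    p = pattern.replace("%windir%", WINDIR)
    parts, i = [], 0
    while i < len(p):
        if p.startswith("**", i):
            parts.append(".*")
            i += 2
        elif p[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(p[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class FileRule:
    name: str
    path: str                  # file or folder pattern, may use * and **
    actions: frozenset         # subset of ALL_ACTIONS
    process: str = "*"         # only this process's activity is covered
    report_only: bool = True   # warning mode: report the attempt, don't block


@dataclass(frozen=True)
class PortRule:
    name: str
    port: int
    direction: str             # "in" or "out"
    exempt: frozenset = frozenset()  # processes allowed through
    report_only: bool = True


@dataclass(frozen=True)
class FileEvent:
    process: str
    path: str
    action: str


@dataclass(frozen=True)
class NetEvent:
    process: str
    port: int
    direction: str


def evaluate(file_rules, port_rules, events):
    """Return (rule name, event, verdict) for every rule/event match.  In warning
    mode the verdict is 'would block': the list you review before enabling."""
    hits = []
    for ev in events:
        if isinstance(ev, FileEvent):
            for r in file_rules:
                if (ev.action in r.actions
                        and compile_pattern(r.process).match(ev.process)
                        and compile_pattern(r.path).match(ev.path)):
                    hits.append((r.name, ev, "would block" if r.report_only else "blocked"))
        else:
            for r in port_rules:
                exempt = {p.lower() for p in r.exempt}
                if ev.port == r.port and ev.direction == r.direction and ev.process.lower() not in exempt:
                    hits.append((r.name, ev, "would block" if r.report_only else "blocked"))
    return hits


# Rules modelled on the Bagle slides; the IE rules stay in warning mode while
# their impact is measured.
FILE_RULES = [
    FileRule("Rule 1 Bagle drop files", r"%windir%\system32\drvd*ll.exe*", ALL_ACTIONS, report_only=False),
    FileRule("Rule 2 Bagle CPLSTUB", r"%windir%\CPLSTUB.exe", ALL_ACTIONS, report_only=False),
    FileRule("IE no writes under windir", r"%windir%\**", frozenset({"create", "write"}), "iexplore.exe"),
    FileRule("IE no writes under Program Files", r"C:\Program Files\**", frozenset({"create", "write"}), "iexplore.exe"),
]
PORT_RULES = [
    PortRule("Rule 0 block outbound SMTP", 25, "out", report_only=False),
    PortRule("Block inbound Bagle control port", 2535, "in", report_only=False),
    PortRule("Rule 3 HTTP only from browsers", 80, "out", frozenset({"iexplore.exe", "firefox.exe"}), False),
]

# Constructed activity log: a Bagle-style drop, a legitimate service write,
# browser activity and a non-browser HTTP client.
EVENTS = [
    FileEvent("drvddll.exe", r"C:\WINDOWS\system32\drvddll.exeopen", "create"),
    FileEvent("svchost.exe", r"C:\WINDOWS\system32\drivers\etc\hosts", "write"),
    FileEvent("iexplore.exe", r"C:\WINDOWS\Temp\setup.tmp", "create"),
    FileEvent("iexplore.exe", r"C:\Documents and Settings\user\download.exe", "create"),
    NetEvent("drvddll.exe", 2535, "in"),
    NetEvent("drvddll.exe", 25, "out"),
    NetEvent("wget.exe", 80, "out"),
    NetEvent("firefox.exe", 80, "out"),
]

if __name__ == "__main__":
    for rule, ev, verdict in evaluate(FILE_RULES, PORT_RULES, EVENTS):
        print(f"{verdict:12} {rule}: {ev}")
```

Running it shows the point of warning mode: the Bagle rules only ever fire on the drop files, but the `%windir%\**` rule for iexplore.exe also catches a browser writing to `C:\WINDOWS\Temp`, which is exactly the kind of hit to review before switching the rule from report to block.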
             Autonomous Protection
   Ensure ALL hosts have ability to protect
   How can you Ensure?
       Use centralized management software
       University offers at no cost to unit
          ePO
          ProtectionPilot
     Autonomous Protection

   If signatures are not kept up to date,
   malware software is essentially useless.
    Gain control of your anti-virus
   Centralize your policy enforcement and
     make sure virus scanning policies are set to
      keep your systems secure and virus-free
   Deploy needed updates and software remotely
     keep anti-virus software on your systems up-
   Deploy new rules during a virus outbreak
   Get reporting for the machines you manage
   ePolicy Orchestrator (ePO) or Protection Pilot
          Software available to all Unit admins under the
           current license
   Symantec System Center Console
        HSC IT Center
   Avoid unnecessary additional expenses to the
   Easy enough to install (guided with install wizard)
       Straightforward
   A bit complex to start with
       Terminology and the functionality
          distributed repositories
          rogue system detection sensors
          notification rules
          Etc.
                 ePO Documentation
   Heap of high-quality product documentation
            ePO quick reference card
            Walkthrough Guide
                   ePO Logging
   Lots of logging. Some of which include:
      mcscript.txt
         details script engine actions, such as
          processing updates
      updatehistory.ini
         includes details of configuration items such as
          the site last used for updates
      agent_%computername%.xml
         this is the McAfee Agent Activity log, which
          shows policy enforcement actions.
   Logs are really useful for enforcing protection compliance
         Policy and Updates
   ePO agent manages policies for McAfee AntiVirus
        policies can be set globally or on individual clients (servers)
        also generates reports on compliance, virus detections, etc.
        The Agent manages the 'Policy' for you automatically based on what
         ePolicy Orchestrator has stored in its database for each client
   Daily updates of
        DATs
        Engines
        Service packs
        Hotfixes
        Patches
On Demand Scan & The 4715-DAT
   Deploy a DAT file after evaluation
     DATs are usually released daily
     Set to clean, then quarantine (not delete)
   Monthly task which cleans out the
    quarantine folder after the end-of-month
    backups have run
       worst case, you only have to look at the last
        end-of-month backup to recover something
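The "Autonomous Protection" slides (signatures not kept up to date make the software useless; get reporting for the machines you manage) and the DAT deployment slide above both come down to one question: which hosts are behind? ePO and ProtectionPilot produce that report themselves. The Python script below is an added example, not part of the workshop and not an ePO feature, for a unit that has an inventory export but no management console yet. The CSV column layout, the thresholds (at most two DATs or seven days behind, minimum engine build 4400) and the host rows are assumed or constructed for the example; DAT 4715 is the version the slides mention.

```python
"""Signature compliance check over an anti-virus inventory export.

Added example, not an ePO feature: it answers "are all of my hosts'
signatures up to date?" from a CSV inventory.  The column layout, the
thresholds and the host rows are assumed or constructed; DAT 4715 is the
version the workshop slides mention.
"""
import csv
import io
from datetime import datetime, timedelta

CURRENT_DAT = 4715              # latest evaluated DAT (from the slides)
MAX_DAT_LAG = 2                 # assumed policy: at most two DATs behind
MAX_AGE = timedelta(days=7)     # assumed policy: updated within a week
MIN_ENGINE = 4400               # assumed minimum scan engine build
AS_OF = datetime(2006, 3, 15)   # date the report is run (constructed)

# Constructed inventory: one row per host.
INVENTORY = """\
host,dat,engine,last_update,on_access
PC-LAB01,4715,4400,2006-03-15,enabled
PC-LAB02,4714,4400,2006-03-14,enabled
PC-FRONT,4690,4400,2006-02-10,enabled
PC-SCAN,4715,4400,2006-03-15,disabled
LAPTOP-07,4713,4320,2006-03-13,enabled
"""


def check_host(row, as_of=AS_OF):
    """Return the compliance findings for one host; [] means compliant."""
    findings = []
    dat, engine = int(row["dat"]), int(row["engine"])
    if CURRENT_DAT - dat > MAX_DAT_LAG:
        findings.append(f"DAT {dat} is {CURRENT_DAT - dat} releases behind")
    last = datetime.strptime(row["last_update"], "%Y-%m-%d")
    if as_of - last > MAX_AGE:
        findings.append(f"last update {row['last_update']} is older than {MAX_AGE.days} days")
    if engine < MIN_ENGINE:
        findings.append(f"engine {engine} is below minimum {MIN_ENGINE}")
    if row["on_access"].strip().lower() != "enabled":
        findings.append("on-access scanning is not enabled")
    return findings


def compliance_report(inventory_csv, as_of=AS_OF):
    """Map each hostname to its findings list."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: check_host(row, as_of) for row in reader}


def summarize(report):
    """Counts for the management summary; the detail is in the report itself."""
    total = len(report)
    bad = sum(1 for findings in report.values() if findings)
    pct = round(100 * (total - bad) / total, 1) if total else 0.0
    return {"hosts": total, "noncompliant": bad, "compliant_pct": pct}


if __name__ == "__main__":
    report = compliance_report(INVENTORY)
    for host, findings in sorted(report.items()):
        print(host, "OK" if not findings else "; ".join(findings))
    print(summarize(report))
```

Note that a host with a current DAT can still be non-compliant: PC-SCAN in the sample has the right signatures but on-access scanning turned off, which is why the check looks at the service state and not only at the DAT number.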
On Demand Scan & The 4715-DAT
            On Demand Scans
   Usually a weekly/monthly on-demand
    scan with full options (All files, archives
   Scan the quarantine folder to remove
    any found viruses
   Monthly/Weekly depends on how often
    your backups are done
        ePO Rogue System Detection
   ePO can detect rogue, non-compliant
    systems by identifying when any of these
    systems are connected to the LAN
   Identify
       Might be one of yours if the name matches
   Likely to be more useful if
       HSC global AV team
       All units used ePO
ePO Rogue System Detection
                   ePO Considerations
   Consider revising the default ports during install
       ensure that the Server is not already using these ports
        for communicating with 3rd party software. ( for example,
        the World Wide Web publishing service. )
   Secure the ePolicy Orchestrator Database
       Change default passwords
       SQL Server 2000 security checklist
           Distributing the ePO Client
   Installed on department Image
       remove the agent GUID registry value from the agent
        registry key
   Push from ePO server
   Manually installed
   See login script
       Use same login script to check if ePO is installed and if
        not then install
Distribution of Software using ePO
           Distributing the ePO Client
   The best method is one that suits you
   Designed so that YOU can choose the most
    appropriate method to install the Agent in
    YOUR unit
   Nearly all communication is client (Agent)
       when a Policy is changed on the Server it does
        not get 'pushed' to the client, the Agent 'pulls' it
        on its next poll with the Server
               Policy Again
   What about AntiSpyware and Anti
        Anti-spyware and Anti-Adware
   No such thing as the best
    AntiSpyware… yet…
   In toddler stage, but growing
   Overlapping anti-spyware products
       Why?
          Anti-Spyware Adware
   All anti-spyware vendors rely on their
    user communities to submit samples of
    suspected potentially unwanted
    programs in order to grow their
            Anti-spyware Challenge
   No such thing as the best Anti-Spyware yet
       Infant stages
       over 100 anti-spyware/adware scanners available for
   Each major vendor refers to spyware differently:
       McAfee uses the term Potentially Unwanted Programs,
        or PUPs
       Symantec refers to security risks
       Trend Micro uses the classification of spyware/grayware
   What about McAfee's and Symantec's virus
       Don't they already detect spyware/adware?
Symantec Antivirus v
       “scan for expanded threats”
           Adware, spyware, joke programs, and other risks
           The Adware/Spyware detection system is not done in
               need to run a scan to check for adware/spyware
   Detected hotbar and gator but was unable to
    remove anything
   Seems like a really great feature idea, but a
    useless implementation
VirusScan Enterprise 8.0i
                   McAfee V8.0i
         Potentially Unwanted Programs
   Has a definition of 200 adware and
       OK, but there are tens of thousands of
        types of adware and spyware currently
        defined; the list of 200 items checked by
        this feature is not sufficient
   Has the same shortcomings as
    Symantec's expanded threats
         Other Spyware and Adware:
   Hijack This
           legitimate tool for removing BHOs. Extremely non-user-friendly,
            but it will allow you to remove things that nothing else will.
   Ad-Aware
           not centrally manageable, not free for edu
   SpyBot
           not centrally manageable, but you can run command line
            Windows Tasks w/ autoupdate
   SpywareGuard and SpyWareBlaster
           not centrally manageable, no free auto update
        Need Enterprise Anti-spyware
   What's needed for an enterprise?
       Integrated anti-virus and anti-spyware solution
       Simplified management and reporting
       Single agent and policy to deploy to client
        workstations, and integrated delivery of
        signature updates
   All of this would be nice if it existed and
    worked well
McAfee Anti-Spyware Module
  Works on ePO and ProtectionPilot
        McAfee Anti-Spyware Module
   Integrated module with VirusScan 8.0i
   Average proactive protection
       On access stopped some spyware/adware before install
       On demand scan removed most spyware/adware left
   Centralized management with ePolicy Orchestrator
   Same exceptional type reporting as VirusScan
   Updates are in the DAT
             McAfee Anti-Spyware Module
   Network World, Barry Nance, 09/05
        Detected 76% of spyware/adware tested
   InfoWorld, Keith Schultz, 09/05
        Received a very good rating, 8.2 / 10
   eWeek, Andrew Garcia, 07/05
        McAfee's anti-virus/anti-spyware solution is the only package we reviewed
         that's worth considering as a primary anti-spyware solution.
           Anti-Spyware Conclusion
   No doubt the major vendors will improve
    their anti-spyware capabilities
       Research, development and acquisitions
   McAfee's anti-spyware module
       makes sense to use as an Enterprise
   Software Licensing Services
       Currently not available
          Can be
                     Method used by a hacker
   Launches command shell
        From exploit/vulnerability
        Buffer Overflow
        Etc…
   Looks for running services
        Net start
   If the attacker has escalated privileges
        Shouldn't, but if they do
            Remember Host Security Workshop?

        Stops anti-virus services
   Installs all tools needed
            A hacker method cont..
   ePO will restart the McShield service at the next policy check
   Nothing checks the Framework service

   Malware services completely stopped
   VirusScan now ineffective
            A hacker method cont..
   Can this be prevented if the hacker has
    escalated privileges?
       Try and circumvent
       Continuous script to monitor Framework
          A hacker method cont..
   Restarts services that are stopped and
    set to start automatically
   Or just look for the service name with DisplayName
   Maybe make an exe out of it
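The Framework watchdog the preceding slides describe (restart services that are stopped yet set to start automatically, find them by DisplayName, run continuously) fits in a few dozen lines. The Python script below is an added example, not McAfee's or the workshop's code. It parses `sc` output, picks out McAfee services that are stopped but configured for automatic start, restarts them and logs the event so it can be reported to the ISM as the policy requires. The service and display names, the sample `sc` output (constructed in the layout `sc query` and `sc qc` print) and the polling interval are assumptions made for the example.

```python
"""Anti-virus service watchdog.

Added example for this workshop page, not McAfee's or the workshop's code.
The slides note that ePO only restarts McShield at the next policy check and
nothing watches the Framework service.  This script reads `sc` output,
picks out McAfee services (by DisplayName) that are stopped but configured
to start automatically, restarts them, and logs the event so it can be
reported.  Service and display names are assumed; SC_SAMPLE is constructed
in the layout `sc query` / `sc qc` print, for running the logic offline.
"""
import re
import subprocess
import sys
import time

WATCH_PREFIX = "McAfee"   # assumed DisplayName prefix of the services to watch
POLL_SECONDS = 30         # assumed polling interval

# Constructed sample in `sc` output layout; real output carries more fields.
SC_SAMPLE = """\
SERVICE_NAME: McShield
DISPLAY_NAME: McAfee McShield
        STATE              : 1  STOPPED
        START_TYPE         : 2   AUTO_START

SERVICE_NAME: McAfeeFramework
DISPLAY_NAME: McAfee Framework Service
        STATE              : 4  RUNNING
        START_TYPE         : 2   AUTO_START

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 1  STOPPED
        START_TYPE         : 3   DEMAND_START
"""


def parse_sc(text):
    """Parse SERVICE_NAME, DISPLAY_NAME, STATE and START_TYPE from `sc` output.
    Each service is one blank-line-separated block; numeric codes are dropped."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        svc = {}
        for key in ("SERVICE_NAME", "DISPLAY_NAME"):
            m = re.search(rf"^\s*{key}\s*:\s*(.+?)\s*$", block, re.M)
            if m:
                svc[key] = m.group(1)
        for key in ("STATE", "START_TYPE"):
            m = re.search(rf"^\s*{key}\s*:\s*\d+\s+(\w+)", block, re.M)
            if m:
                svc[key] = m.group(1)
        if "SERVICE_NAME" in svc:
            services.append(svc)
    return services


def needs_restart(services, prefix=WATCH_PREFIX):
    """Names of watched services that are STOPPED yet set to AUTO_START.
    A stopped service that is demand-started is deliberately left alone."""
    return [s["SERVICE_NAME"] for s in services
            if s.get("DISPLAY_NAME", "").startswith(prefix)
            and s.get("STATE") == "STOPPED"
            and s.get("START_TYPE") == "AUTO_START"]


def collect_live(prefix=WATCH_PREFIX):
    """Windows only: `sc query` gives names and states, `sc qc` the start type."""
    out = subprocess.run(["sc", "query", "state=", "all"], capture_output=True, text=True, check=True).stdout
    services = [s for s in parse_sc(out) if s.get("DISPLAY_NAME", "").startswith(prefix)]
    for s in services:
        cfg = parse_sc(subprocess.run(["sc", "qc", s["SERVICE_NAME"]], capture_output=True, text=True, check=True).stdout)
        if cfg and "START_TYPE" in cfg[0]:
            s["START_TYPE"] = cfg[0]["START_TYPE"]
    return services


def watchdog_loop():
    """Poll forever; a stopped AV service is both restarted and logged, because
    the policy wants malicious events on a host reported, not just fixed."""
    while True:
        for name in needs_restart(collect_live()):
            print(f"{time.ctime()} {name} found stopped; restarting", file=sys.stderr)
            subprocess.run(["sc", "start", name])
        time.sleep(POLL_SECONDS)


if __name__ == "__main__":
    if sys.platform == "win32":
        watchdog_loop()
    else:
        print("offline demo, would restart:", needs_restart(parse_sc(SC_SAMPLE)))
```

The watchdog has the same limit the slides point out: an attacker with escalated privileges can stop the watchdog too, so its log line is the part that matters most, since a stopped AV service showing up in the logs is what gets the host looked at.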
   Spice Policy
   McAfee Knowledge base
   Unofficial McAfee forums
   VirusScan Enterprise 8.0i - Best Practices Guide
   Previous WorkShops including Host Security
   ePO walkthrough
   Anti-spyware testing
   Anti-Spyware Enterprise Module 8.0 Guide
   Scripting