Malware Workshop
Al Tuting
atuting@ufl.edu
March 2006
"Security is a journey not a destination"
Malware Agenda
   Policy
   Categories
   Prevention through education
   Malware
        Host software
        Virus outbreak scenario
        Management
        Spyware/Adware
        Hacker method scenario
   Links
                  SPICE Policy on Malware
   Robust policy
   Main idea:
        ISM's responsibility to
           Ensure ALL hosts have the ability to protect
            themselves autonomously.
           Enforce the integrity of that protection.
        User's responsibility to
              Use reasonable precautions when importing
               data
              Recognize malicious activity on devices in
               their custody
              Report any malicious event on a host to the ISM
   Fully compliant with the policy?
        Visit http://security.health.edu
              HSC Policies and Standards
                            Categories
   NIST defines malware only in general terms, because the
    attributes of malware are constantly changing.
   The category is inclusive, but not limited to:
        Viruses
        Worms
        Trojan horses
        Backdoors
        Keystroke loggers
        Rootkits
        Tracking cookies
        The list could go on and on...
   What is and what isn't malware is debatable
        Phishing, virus hoaxes
                      Awareness / History
                    Should we be concerned?
                               Incidents

   Incidents per year (values recovered from the slide's bar chart):

   Year    Incidents
   1999         5,627
   2000        15,825
   2001       156,904
   2002     1,510,619
   2003     6,877,036
   2004    29,890,376
                                  Prevention
   Educate users to
        know the Spice policy and your unit policy
        be aware of suspicious events
        not attempt to bypass security controls
        not execute or download applications from untrusted sources
        know what social engineering is
   Review host security workshop (January 2006)
        Patching/Updates
        Limit user privileges
        Host firewalls
        Disabling unneeded services
        MBSA
        CISecurity Baseline
   Review general awareness training (February 2006)
   Review the eduguides.
                    Prevention Continued
                        Defense in depth

   (Diagram on the slide: concentric layers, each kept current,
   consistent and compliant. Outermost to innermost:)

   Infrastructure
        Policy, processes, procedures
        WAN firewall and router ACLs
        Email gateway antivirus, URL filtering,
         attachment blocking, content filtering
   Local network
        System policy, processes, procedures
        Network connections and firewalls
        Email server antivirus
        File server antivirus
   System
        System configuration
        Personal firewall
        Antivirus
                Malware Software
   Malicious software detection is a must
    on every host.
       Protect all hosts that you are responsible for
       Network connected or not
          Your malware solution must
   Prevent and detect virus infection
   Have auto-update configured
       Keep the virus scanner up to date, and be able to
        confirm that it is
   Be sure on-access scanning is done in real time
       Make sure the service is running at all times
   Routinely scan fixed disks
       Schedule for off hours, weekly if possible
           Minimally once a month
       Adjust as necessary during outbreaks
        Malware Software Options
   Block specific ports, or create rules that apply to
    a specific file or location, during a virus outbreak
   Stop the payload of the exploit from affecting the
    targeted computer and prevent it from spreading
   Report to a management server
    Which malware vendor do you use?
   There are many vendors of malware protection that
    may fit your needs
   Can your unit's selected malware product buy you the
    time needed between a virus outbreak and a new
    signature release?
   Avoid unnecessary additional expenses to the University
                  Malware Software at UF
   Symantec AntiVirus
            HSC IT Center
   Available malware software licensed to UF (software.ufl.edu)
        Linux
            McAfee LinuxShield
        Macintosh
            Virex
        Windows
            VirusScan Enterprise
        NetWare
              NetShield
   There is no extra charge to a unit for the use of McAfee software
                   McAfee VirusScan 8.0i
   McAfee was the chosen enterprise product at UF
   Features comply with the HSC policy
   Available to faculty, students, and staff
   Has extra features, but use them with caution:
        Access Protection
            Adds some firewall-like protection (port and file/share blocking) to your computer
            Enabled by default
        Buffer Overflow Protection
            Prevents buffer overflows from executing code on your computer
            Enabled by default
        'Unwanted Programs Policy'
            Removes some spyware and adware
            Not enabled by default
        McAfee VirusScan 8.0i
   (console screenshot on the slide)

Wouldn't it be a headache to manage the console for
   each host individually to comply with policy?
Are all of your hosts' signatures up to date? How
do you know?
Do your users know how to check?
          Response to a Virus. Example…
                Using VirusScan
   Suppose a new threat is announced by
        SANS
        AVERT (McAfee)
        Symantec Security Response
        HSC Security Group
   A rule might be used during the brief time between when a virus goes wild and
    when a new signature update is available and tested.
   We know the virus: typically, when run, it copies itself to the following locations:
        %windir%\system32\drvdll.exe
        %windir%\system32\drvddll.exeopen
        %windir%\system32\drvddll.exeopenopen
        %windir%\CPLSTUB.exe
McAfee V8.0i example rule creation
   (screenshots on the slide: Rule 1 combined with Rule 2)
Suppose you're already hit with Bagle
    Prevent the spread
    Identify machines affected
        The rule will trigger not only when the virus tries
         to infect (create) but also when it tries to
         run (write, read, execute)
             Bagle example continued…
                (port blocking rules)
   Bagle spreads through email
       The first default rule combats the email spread:
        Rule 0 blocks outgoing traffic on port 25
   Prevent the virus from obtaining instructions from
    the virus author
       Create a port blocking rule that blocks incoming traffic
        on port 2535
   Prevent the virus from downloading scripts
       McAfee already includes a rule (Rule 3) that blocks
        outgoing traffic on port 80 unless the traffic comes from one of
        the web browsers listed
                           Prevent
   Mass mailers and share-hoppers
       Restrict write access from incoming network connections
        with share blocking rules
       "Prevent remote creation/modification/deletion of ..."
   A common virus action
       Copying itself into the Windows directory and setting a registry
        value so that it is started at logon or when
        another application starts
       Use rules to prevent this
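As an added example (not part of the original workshop material), here is the "identify machines affected" step written as a PowerShell function. It checks for the four file paths the slides list, looks for Run-key persistence whose command line points into %windir% (the slides say the virus sets a registry value but give no name, so none is assumed), and checks whether anything is listening on TCP 2535, the backdoor port the port-blocking rule targets. The file names and the port come from the slides; the function name, the generic Run-key check and the CSV collection are illustrative assumptions.

```powershell
# Added example, not from the workshop slides: triage for the Bagle indicators
# the slides list. Assumptions: the four paths and TCP 2535 come from the slides;
# the Run-key check is generic (any value that points into %windir%) because the
# slides give no registry value name. Run as an administrator.

function Test-BagleIndicators {
    [CmdletBinding()]
    param(
        # Drop locations from the slide (assumed to be the exact names)
        [string[]]$FilePaths = @(
            "$env:windir\system32\drvdll.exe",
            "$env:windir\system32\drvddll.exeopen",
            "$env:windir\system32\drvddll.exeopenopen",
            "$env:windir\CPLSTUB.exe"
        ),
        # Backdoor port from the slide's port-blocking rule
        [int]$BackdoorPort = 2535
    )

    $findings = @()
    $here = $env:COMPUTERNAME

    # 1. Dropped files: a hit on any of these is the strongest signal
    foreach ($path in $FilePaths) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Host = $here; Type = 'File'; Detail = $path
                Extra = "size=$($item.Length) mtime=$($item.LastWriteTime)"
            }
        }
    }

    # 2. Persistence: Run/RunOnce values whose command line points into %windir%
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $winDir = [regex]::Escape($env:windir)
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            if ("$($prop.Value)" -match $winDir) {
                $findings += [pscustomobject]@{
                    Host = $here; Type = 'RunKey'; Detail = "$key\$($prop.Name)"
                    Extra = "$($prop.Value)"
                }
            }
        }
    }

    # 3. Backdoor listener (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
    $listeners = Get-NetTCPConnection -LocalPort $BackdoorPort -State Listen -ErrorAction SilentlyContinue
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Host = $here; Type = 'ListenPort'; Detail = "tcp/$BackdoorPort"
            Extra = "pid=$($conn.OwningProcess) image=$($proc.Name)"
        }
    }

    return $findings
}

# Local run; to sweep a unit, fan out and collect:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#       -ScriptBlock ${function:Test-BagleIndicators} |
#       Export-Csv .\bagle-triage.csv -NoTypeInformation
Test-BagleIndicators | Format-Table -AutoSize
```

Run it as an administrator on one host, or fan it out with Invoke-Command as in the comment. Many legitimate Run entries also live under %windir%, so the RunKey rows are a review list rather than a verdict; a file hit or a listener on 2535 is the stronger signal. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older hosts substitute netstat -ano. This script is for finding the affected machines; cleaning them is still the job of the updated DAT and an on-demand scan.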
    Other uses for port blocking and file,
       share, and folder protection
   Preventing the spread
        prevent the receipt of instructions
        use port blocking rules
   Viruses targeting specific applications
        Internet Explorer
        create specific rules that name iexplore.exe as
         the process, which prevent the creation or the
         writing of files to the '%windir%\**' directory and
         the 'program files\**' directory
              A Potential Headache
   Don't break functionality
       existing applications
       network connectivity
   Plan well
       Use rules in warning mode first
          Report access attempts without blocking access
          Monitor the impact
       Use discretion when entering wildcards
             Autonomous Protection
   Ensure ALL hosts have ability to protect
    autonomously
   How can you ensure it?
       Use centralized management software
       The University offers it at no cost to the unit
          ePO
          ProtectionPilot
     Autonomous Protection
            Why?
   Signatures not kept up to date
              equals
   malware software that is essentially useless.
    Gain control of your anti-virus
           infrastructure
   Centralize your policy enforcement and
    management
     make sure virus scanning policies are set to
      keep your systems secure and virus-free
   Deploy needed updates and software remotely
     keep anti-virus software on your systems up-
      to-date
   Deploy new rules during a virus outbreak
   Get reporting for the machines you manage
                         Software
   ePolicy Orchestrator (ePO) or Protection Pilot
          Software available to all Unit admins under the
           current license
          http://software.ufl.edu/mcafee/index3.html
   Symantec System Center Console
        HSC IT Center
   Avoid unnecessary additional expenses to the
    University
                          ePO
   Easy enough to install (guided by an install wizard)
       Straightforward
   A bit complex to start with
       Terminology and functionality
          distributed repositories
          rogue system detection sensors
          notification rules
          etc.
                 ePO Documentation
   A heap of high-quality product documentation
            ePO quick reference card
            Walkthrough guide
                   ePO Logging
   Lots of logging, including:
      mcscript.txt
         details script engine actions, such as
          processing updates
      updatehistory.ini
         includes details of configuration items, such as
          the site last used for updates
      agent_%computername%.xml
         the McAfee Agent activity log, which
          shows policy enforcement actions
   Logs are really useful for troubleshooting
    Enforce Protection Compliance
         Policy and Updates
   ePO agent manages policies for McAfee AntiVirus
        policies can be set globally or on individual clients (servers)
        also generates reports on compliance, virus detections, etc.
        The Agent manages the 'Policy' for you automatically based on what
         ePolicy Orchestrator has stored in its database for each client
   Daily updates of
        DATs
        Engines
        Service packs
        Hotfixes
        Patches
On Demand Scan & The 4715-DAT
   Deploy a DAT only after evaluating it (the 4715 DAT in the
    title is the case in point)
     DATs are usually released once a day
     Set the scanner to clean, then quarantine (not delete)
   Monthly task that cleans out the
    quarantine folder after the end-of-month
    backups have run
       worst case, you only have to look at the last
        end-of-month backup to recover something
            On Demand Scans
   Usually a weekly/monthly on-demand
    scan with full options (all files, archives,
    etc.)
   Scan the quarantine folder to remove
    any viruses found
   Monthly/weekly depends on how often
    your backups are done
        ePO Rogue System Detection
   ePO can detect rogue, non-compliant
    systems by identifying when any such
    system is connected to the LAN
   Identify
       Might be one of yours if the name matches
   Likely to be more useful if
       there were an HSC global AV team
       all units used ePO
   (screenshot on the slide)
                   ePO Considerations
   Consider changing the default ports during install
       ensure that the server is not already using these ports
        to communicate with third-party software (for example,
        the World Wide Web Publishing service)
   Secure the ePolicy Orchestrator database
   SQL/MSDE
       Change the default passwords
       Follow the SQL Server 2000 security checklist:
        http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
           Distributing the ePO Client
   Installed on the department image
       remove the agent GUID registry value from the agent
        registry key, so cloned hosts do not share one GUID
   Push from the ePO server
   Manually installed
   Login script
       Use the same login script to check whether the agent is installed and,
        if not, install it
Distribution of Software using ePO
   (screenshot on the slide)
   The best method is the one that suits you
   Designed so that YOU can choose the most
    appropriate method to install the Agent in
    YOUR unit
   Nearly all communication is client (Agent)
    driven:
       when a policy is changed on the server it does
        not get 'pushed' to the client; the Agent 'pulls' it
        on its next poll of the server
               Policy Again
   What about AntiSpyware and Anti
    Adware?
        Anti-spyware and Anti-Adware
   No such thing as the best
    anti-spyware... yet...
   In the toddler stage, but growing
   Overlapping anti-spyware products are
    needed
       Why?
          Anti-Spyware Adware
   All anti-spyware vendors rely on their
    user communities to submit samples of
    suspected potentially unwanted
    programs in order to grow their
    databases
            Anti-spyware Challenge
   No such thing as the best anti-spyware yet
       Infant stages
       over 100 anti-spyware/adware scanners are available for
        download
   Each major vendor refers to spyware differently:
       McAfee uses the term Potentially Unwanted Programs,
        or PUPs
       Symantec refers to security risks
       Trend Micro uses the classification of spyware/grayware
   What about McAfee's and Symantec‟s virus
    scanners?
       Don‟t they already detect spyware/adware?
Symantec Antivirus v 9.0.0.338
                             Symantec
       "scan for expanded threats"
           Adware, spyware, joke programs, and other risks
           The adware/spyware detection is not done in
            real time
               you need to run a scan to check for adware/spyware
   Detected Hotbar and Gator but was unable to
    remove anything
   Seems like a really great feature idea, but a
    useless implementation
VirusScan Enterprise 8.0i
                   McAfee V8.0i
         Potentially Unwanted Programs
   Its definitions cover about 200 adware and
    spyware items
       OK, but there are tens of thousands of
        types of adware and spyware currently
        defined; the list of 200 items checked by
        this feature is not sufficient
   Has the same shortcomings as
    Symantec's expanded threats
         Other Spyware and Adware:
   HijackThis
           legitimate tool for removing BHOs (browser helper objects). Extremely non-user-friendly,
            but it will let you remove things that nothing else will.
   Ad-Aware
           www.lavasoftusa.com
           not centrally manageable, not free for edu
   SpyBot
           http://security.kolla.de
           not centrally manageable, but you can run it from the command line
            as a Windows scheduled task with auto-update
   SpywareGuard and SpywareBlaster
           http://www.wilderssecurity.net
           not centrally manageable, no free auto-update
        Need Enterprise Anti-spyware
   What's needed for an enterprise?
       Integrated anti-virus and anti-spyware solution
       Simplified management and reporting
       Single agent and policy to deploy to client
        workstations, and integrated delivery of
        signature updates
   All of this would be nice if it existed and
    worked well
McAfee Anti-Spyware Module
   (screenshot on the slide)
   Works on ePO and ProtectionPilot
    servers
        McAfee Anti-Spyware Module
   Integrated module with VirusScan 8.0i
   Average proactive protection
       On-access scanning stopped some spyware/adware before install
       On-demand scan removed most of the spyware/adware left
        over
   Centralized management with ePolicy Orchestrator
   Same exceptional reporting as VirusScan
   Updates are delivered in the DAT
             McAfee Anti-Spyware Module
                      Reviews
   Network World, Barry Nance, 09/05
        Detected 76% of the spyware/adware tested
        http://www.networkworld.com/reviews/2005/091205-spyware-nr2.html
   InfoWorld, Keith Schultz, 09/05
        Received a very good rating, 8.2 / 10
        http://www.infoworld.com/McAfee_Anti-Spyware_Enterprise_Edition_Module/product_52904.html?view=1&curNodeId=0&index=4
   eWeek, Andrew Garcia, 07/05
        "McAfee's anti-virus/anti-spyware solution is the only package we reviewed
         that's worth considering as a primary anti-spyware solution."
        http://www.eweek.com/article2/0,1895,1839202,00.asp
           Anti-Spyware Conclusion
   No doubt the major vendors will improve
    their anti-spyware capabilities
       Research, development and acquisitions
   McAfee's anti-spyware module
       makes sense to use as an enterprise
        solution
   Software Licensing Services
       Currently not available
          Can be
                     Method used by a hacker
   Launches a command shell
        From an exploit/vulnerability
        Buffer overflow
        Etc...
   Looks for running services
        net start
   If the attacker has escalated privileges
        Shouldn't, but if they do
            Remember the Host Security Workshop?
        Stops the anti-virus services
   Installs all the tools needed
            A hacker method cont..
   ePO will restart the McShield service at the next policy check
   Nothing checks the Framework service
   (screenshot on the slide)
   Anti-malware services completely stopped
   VirusScan now ineffective
            A hacker method cont..
   Can this be prevented if the hacker has
    escalated privileges?
       Try to counter it anyway
       Continuous script to monitor the Framework
        service?
          A hacker method cont..
 • Restart services that are stopped and
   set to start automatically
 • Or just look for the service by its DisplayName
 • Maybe make an exe out of it
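As an added example (not from the workshop slides), the watchdog the slide proposes, written in PowerShell; the slide's Scripting link points at Microsoft's Script Center, where in 2006 the same thing would have been done in VBScript. It restarts any service that is stopped but set to start automatically, and, going one step beyond the slide, puts the start mode back to Automatic for services whose DisplayName matches the vendor pattern if an attacker has set them to Disabled. The '*McAfee*' pattern, the log path, the -VendorOnly switch and the 60-second interval are assumptions, not anything the slides specify.

```powershell
# Added example, not from the workshop slides: the service watchdog the slide
# proposes. Restarts services that are stopped but set to start automatically,
# and (one step beyond the slide) re-enables guarded services an attacker has
# set to Disabled. Assumptions: guarded services are matched by DisplayName
# pattern '*McAfee*', as the slide suggests; log path and interval are arbitrary.
# Requires administrator rights.

function Restore-AutoStartServices {
    [CmdletBinding()]
    param(
        [string]$VendorPattern = '*McAfee*',
        [string]$LogPath = "$env:ProgramData\service-watchdog.log",
        # Restart only the guarded services instead of every auto-start service
        [switch]$VendorOnly
    )

    $actions = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $isVendor = $svc.DisplayName -like $VendorPattern
        if ($VendorOnly -and -not $isVendor) { continue }

        # Win32_Service.StartMode is 'Auto', 'Manual', 'Disabled', 'Boot' or 'System'
        $startMode = $svc.StartMode

        # An attacker who stopped a guarded service may also have disabled it;
        # put the start mode back first or Start-Service will fail.
        if ($isVendor -and $startMode -eq 'Disabled') {
            Set-Service -Name $svc.Name -StartupType Automatic -ErrorAction SilentlyContinue
            $actions += "re-enabled $($svc.Name) ($($svc.DisplayName))"
            $startMode = 'Auto'
        }

        # The slide's rule: stopped and set to start automatically => start it
        if ($startMode -eq 'Auto' -and $svc.State -eq 'Stopped') {
            Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
            $after = (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue).Status
            $actions += "started $($svc.Name) ($($svc.DisplayName)) -> $after"
        }
    }

    # Leave an audit trail; a burst of restarts of the AV services is itself an indicator
    foreach ($line in $actions) {
        "$(Get-Date -Format s) $line" | Add-Content -Path $LogPath
    }
    return $actions
}

# Poll forever (Ctrl-C to stop); see the usage note for running it as a scheduled task
while ($true) {
    Restore-AutoStartServices | Write-Output
    Start-Sleep -Seconds 60
}
```

Run it elevated, or register Restore-AutoStartServices as a scheduled task that fires every minute (the slide's "make an exe out of it" is the same idea). Pass -VendorOnly if restarting every stopped auto-start service is too noisy; some Windows services legitimately stop themselves. The slide's own caveat stands: an attacker who already holds administrative rights can stop this script, the Framework service and McShield alike, so the watchdog raises the attacker's cost and gives ePO a chance to report the outage; it is not a control that survives an administrator-level compromise. The durable fix is the one from the Host Security Workshop: users do not run with administrative privileges.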
                              Links
   Spice Policy
     http://security.health.ufl.edu/policies/index.shtml
   McAfee Knowledge Base
        http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcentral.do?id=m1&language=en_US
   Unofficial McAfee forums
        http://forums.mcafeehelp.com
   VirusScan Enterprise 8.0i - Best Practices Guide
        http://download.software.ufl.edu
   Previous workshops, including Host Security
        http://security.health.ufl.edu/training/isaism.shtml
                         Links
   ePO walkthrough
     http://www.mcafee.com/us/local_content/white_papers/wp_epo_walkthrough_guide.pdf
   Anti-spyware testing
     http://spywarewarrior.com/asw-test-guide.htm
   Anti-Spyware Enterprise Module 8.0 Guide
     http://www.networkassociates.com/common/media/mcafeeb2b%5Csupport%5CVSE%5CMAS800_Guide_EN.pdf
   Scripting
       https://www.microsoft.com/technet/scriptcenter/

				