Threats of Computing in a Virus-Filled World

Dec 4, 2013

or, how I stopped worrying and learned to love the worm….


Dr. John Johnson, CISSP

The Joys of Computing in 2003

65,336 PC viruses discovered to date

4,129 IT vulnerabilities in 2002 [http://www.bullguard.com/antivirus/news_184.aspx]

40 Critical Microsoft Vulnerabilities by Oct.

“Millions Reported in Damage Last Year Due to Viruses”

“MSBlast Continues to Spread”

“Sobig.C - The Tip of the Iceberg”

“IE users defenceless to trojan attack”

“Broadband severely increases security risk”

Agenda

I’ll talk about the problem and give some examples.


I’ll give some ideas to deal with viruses in both the
corporate and home environments.


I’ll give some Best Practice suggestions.


I’ll give some WWW resources.


I’ll try to take as many questions as I can before the
drinking starts!

CSI/FBI Computer Crime Survey 2003 (Virus Loss)

            2000     2001     2002     2003
Low $        100      100     1000       40
High $       10M      20M       9M       6M
Avg $       180k     244k     283k     200k
Total $      29M      45M      50M      27M

2003 CSI/FBI Computer Crime Survey, www.gocsi.org
(based on 47% of the 530 responses that could quantify these losses)

Terminology

VIRUS

HOAXES & CHAIN LETTERS

WORM

MASS-MAILER

TROJANS, BACKDOORS & ZOMBIES

BLENDED THREAT

SPYWARE/ADWARE

SPAM

VIRUS

Definition: (loose) Self-replicating program

History:

Malicious viruses didn’t arise until the 1980s.

Fewer than 5 viruses in 1987

Boot Sector Viruses: infecting diskettes

Macro Viruses: use a macro language and spread via applications like Microsoft Word (first cross platform virus)

There are now > 10,000 macro viruses worldwide.

Who Writes Them? No longer just the teenager, now the profile is 14-30s Male, looking to feel empowered

HOAXES & CHAIN LETTERS

Definition:

Hoaxes and Chain letters are sometimes just jokes,
sometimes annoying, and sometimes dangerous


Social Engineering:

Often these email messages are a great
waste of time and bandwidth, with people sending them to all of
their friends. Sometimes, they convince the user to actually
delete files (like the JBDGMGR “teddy bear” hoax).


With a misconfigured email system, the confusion alone can
cause many replies which then route to all the users on a
mailing list, and the noise can take days to die down.


Some antivirus programs treat these like viruses and quarantine
them.

WORM

Definition:

A worm is a self-replicating program that propagates from host to host.

History:

Originally, a sector map would show worm-like errors from misbehaving code. The name stuck and came to describe viruses that act on their own using more and more sophistication, exploiting technology and vulnerabilities.

The first worms were helpful tasks, and malicious worms have become the most dangerous kind of viral threat.

MASS-MAILER

Definition:

Mass-mailers exploit vulnerabilities in the way email programs work, like Microsoft Outlook, to gather email addresses and spread to all the users they can find via email. These messages look like they came from a friend (social engineering), so they are often opened and executed. Some will auto-execute, exploiting an operating system vulnerability as well.

LoveLetter

The “I Love You” Virus hit in May, 2000.

This was my first BIG virus crisis!

It started with an innocent letter, appealing to lonely email readers (social engineering). The subject was “I Love You”, and the payload was a VBS script that, when executed, quickly spread in email to all the users in your address book, and wormed its way through fileshares, destroying image files.

At least 82 variants of this worm were discovered. The latest is VBS.LoveLetter.CN, dated May 31, 2001.
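As an added example (not part of the talk), this is the kind of attachment policy an SMTP gateway antivirus can apply to stop a LoveLetter-style mass-mailer before it reaches a mail client: any attachment whose final extension is a script or executable is quarantined, double-extension names included. The extension list and the sample messages are constructed assumptions, not a vendor's rule set.

```python
# Added example, not the talk's own material: a gateway-side attachment
# policy for mass-mailers that arrive as a VBS script (LoveLetter style).
# Uses only the Python standard library; sample messages are constructed.
import email
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions a mail gateway should never hand to a client.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                     "bat", "cmd", "scr", "pif", "exe"}


def risky_attachments(raw_message: bytes) -> list:
    """Names of attachments whose *final* extension is a script/executable.

    The final extension is what Windows uses to pick the handler, so a
    double-extension name like photo.jpg.vbs still runs as a script.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
    return hits


def gateway_verdict(raw_message: bytes) -> str:
    """'quarantine' if any risky attachment is present, otherwise 'deliver'."""
    return "quarantine" if risky_attachments(raw_message) else "deliver"


def build_sample(attachment_name: str) -> bytes:
    """Construct a test message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "I Love You"
    msg.set_content("Please see the attached letter.")
    msg.add_attachment(b'MsgBox "hello"', maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("letter.txt.vbs", "holiday.jpg", "report.pdf.exe"):
        print(f"{name}: {gateway_verdict(build_sample(name))}")
```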

TROJANS, BACKDOORS & ZOMBIES

Definition:

These spread as viruses and worms, and include hidden code that will allow a remote user to access the computer or use the computer to attack another.

As an example, be wary of any screensavers my son might send you! It may contain netcat, a program that allows him to remote control your computer, see your screen, open your CD drawer and play with your mouse.

Not all are so kind. Some will use your computer as a launching point in a multi-layered attack against another target. They can use you as a zombie in a Distributed Denial of Service (DDoS) attack.

BLENDED THREATS

Definition:

A blended threat will use network vulnerabilities
(often known widely for many months) along with virus or worm
vectors to quickly spread to many hosts.

History:

In 2001, Code Red came out late in the summer. It
was the first virus that spread using a published vulnerability in
IIS on Windows NT and Windows 2000.

Blended threats are the fastest growing and most dangerous
type of virus threat to date. Within minutes, vulnerable
computers across the world can become infected (depending on
the vulnerability.)

Response to Blended Threats requires both antivirus tools and network tools (to monitor and control, such as IDS and routers).

Code Red

History:

In 2001, Code Red came out late in the summer. (The name came from the team at eEye that discovered it, as they were spending many long hours drinking Mountain Dew Code Red.)


The CodeRed Worm affects Microsoft Index Server 2.0 and
the Windows 2000 Indexing service, exploiting this
vulnerability and propagating as a worm. Code Red
performed a denial of service on whitehouse.gov.



Code Red II quickly followed on the heels of Code Red. It was more destructive, but used the same buffer overflow vulnerability. Code Red II contained a trojan file, and modified system files.

Nimda

History:

Nimda (admin spelled backwards) followed closely on
the heels of Code Red. It was first discovered 9/18/01.


Nimda used a vulnerability in MIME types to auto-execute and become memory-resident. Therefore, a machine that was unpatched could become infected even if it had antivirus.


Sends itself by email.


Searches for open network shares.


Attempts to copy itself to unpatched or already vulnerable
Microsoft IIS web servers.


Is a virus infecting both local files and files on remote
network shares.


Several variants of Nimda came out subsequently.

Blaster

History:

The Blaster virus came out in August this year. It was
a real big pain too!


It used an exploit for a vulnerability (DCOM RPC) that Microsoft had recently announced.


It also looked for open TFTP shares.


This virus used common ports that Microsoft also uses for
filesharing.


It also attempted a Denial of Service against Microsoft.


It tried to download a trojan and install it.


Several variations on the theme followed.

SQL Slammer

History:

This virus exploited a known SQL injection
vulnerability.



This virus spread to 90% of all the vulnerable (exposed)
hosts on the Internet in just 10 minutes.


Once infected, a computer sent out attempts to infect
subsequent computers with the same virus.


An unintended side effect was the Denial of Service
generated by the tremendous amount of network traffic.


ATM systems, and other major corporations were shut down
until they had filters in place on their routers and firewalls.


The only way to fully stop a virus like SQL Slammer or
Blaster is to patch all vulnerable machines.

SPYWARE/ADWARE

History:

These are annoying and often you don’t even know
they are running, or what they are reporting.



They can include hidden programs to spy on your activities.


They can be simple marketing gimmicks (gator.exe), or they can be annoying and alter your browser and cause pop-ups.


They can even be used to steal passwords.


Sometimes these get installed when you download a free
program off the Internet. Always be careful what you
download and what you click on. You may agree to install
something by clicking on the EULA without realizing it.

SPAM

History:

We all know what SPAM is, and it ain’t all that tasty!


SPAM is annoying, unsolicited email.


Often the spammer generates a subject that looks legitimate,
or a FROM address that looks like someone you might
know. It might say MOM or JOHN, and may refer to
something that looks like you already discussed in a
previous email.


Sometimes they try to use the Authority card, and pose as
an update from Microsoft or Dell.


Most people report over a third of their email is now SPAM
(and growing!)


SPAM costs businesses an estimated $11.9B/year in 2003.

SPAM Fighting

How you might fight the SPAM…


Don’t open anything from anyone you don’t know.


Don’t answer SPAM: it tells them that you exist.


At home, buy a spam filtering program and update it.


At work, or through your ISP, have spam filtering installed. Content filtering can block certain adult material, as well as messages that appear suspicious. (This can also destroy legitimate emails.)


At work, use a web proxy to avoid downloading “web bugs”.


At work, subscribe to a Black Hole List.


Register online for FTC No Spam Registry. (legal?)

SPAM Resources

Realtime Blackhole List

http://www.mail-abuse.org/rbl

Boycott Internet Spam

http://spam.abuse.net

Network Abuse Clearinghouse

http://www.abuse.net

Forum for Responsible and Ethical Email

http://www.spamfree.org
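To show what "subscribe to a Black Hole List" means mechanically, here is an added example (not from the talk) of how a mail server consults a Realtime Blackhole List: the connecting client's address is reversed and looked up as a hostname under the list's DNS zone, and an answer inside 127.0.0.0/8 means the address is listed. The zone name, the answers and the resolver are a constructed stub so the code runs offline; a real deployment queries the list operator's zone over DNS.

```python
# Added example, not from the talk: how a mail server consults a Realtime
# Blackhole List (DNSBL). The connecting IP is reversed, looked up as a name
# under the list's zone, and an A record in 127.0.0.0/8 means "listed".
# The resolver is a constructed stub so the code runs offline.
import ipaddress
from typing import Optional

# Assumed zone name; a real deployment uses the list operator's zone.
STUB_RBL_ZONE = "rbl.example.test"


def dnsbl_query_name(ip: str, zone: str = STUB_RBL_ZONE) -> str:
    """Build the DNSBL lookup name for an IPv4 or IPv6 client address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 lists use every hex nibble as a label, least significant first.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """Listed iff the answer is an A record in 127.0.0.0/8; NXDOMAIN (None) is clean.

    Anything outside that range is treated as not listed, which guards against
    a withdrawn list whose zone now answers with a public address for everything.
    """
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Constructed stub standing in for a real DNS resolver.
STUB_ANSWERS = {
    "4.3.2.1." + STUB_RBL_ZONE: "127.0.0.2",    # 1.2.3.4 is listed
    "8.7.6.5." + STUB_RBL_ZONE: "203.0.113.9",  # bogus answer, not a listing code
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


def connection_decision(client_ip: str, zone: str = STUB_RBL_ZONE) -> str:
    """Policy applied when a client connects: reject listed senders, accept the rest."""
    answer = stub_resolve(dnsbl_query_name(client_ip, zone))
    return "reject" if is_listed(answer) else "accept"
```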

Now, how can I keep my data while everyone around me is losing theirs?

Take a deep breath. It’s not so bad.

(It could be a lot worse!)


What does this mean for the corporation?


What does this mean for the home user?

The Corporate Threat

Game Plan:


Defense in Depth!


Firewalls


DMZ for Internet exposed applications


Web Proxy


Content Filtering (web, smtp, ftp…)


Client Antivirus, Email Antivirus, SMTP Gateway
Antivirus


Intrusion Detection


Access Controls on Remote Access/Wireless


Security Awareness


A Good Security Team!


Documentation and tested response

On the Homefront

“I’m not really a computer expert…”


You don’t have to be. Have confidence. Know when to ask
an expert, and don’t be shy!


Be extra careful if you have kids and/or broadband.


Fork over the money and buy ANTIVIRUS!


Keep your antivirus UPDATED!


Keep your computer patched! (If you don’t own a PC you have a lot less to worry about!)

Get SPAM filtering software / Pop-up blocking


If you’re on broadband, you should have a firewall too.

On the Homefront

Virus Protection


- BUY a copy of a good antivirus program (like Symantec, McAfee, Trend, Panda...). Available for all platforms. If you like the online scanner below, you can purchase a commercial version from their site for around $30 with a 1-year subscription.

- Keep it updated AT LEAST once a week. Try to set it to autocheck at a convenient time so you don't forget. The paid subscription lets you auto-update. If you don't pay after it expires, you can still get virus updates manually from the vendor website, in most cases.

- Here is a link to a page I made to check on the latest virus news:
  http://www.cybermaze.com/security/virstat.html

- Here are some links to FREE ONLINE resources for scanning your PC.

  + Symantec (PC): http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym
    (you can perform a virus scan, or check for vulnerabilities)

  + Trend Micro (PC): http://housecall.trendmicro.com/

  + Panda (PC): http://www.pandasoftware.com/activescan/com/activescan_principal.htm

  + McAfee (PC): http://us.mcafee.com/root/mfs/default.asp

On the Homefront

SPAM


- There is nothing worse than having a TON of junk mail in your inbox when you check it. You may not check mail every day, which makes it even more of a chore to deal with the glut of SPAM.

- When you get junk mail, you will generally know it is not from someone you know. If you are in doubt, just DELETE the message. Don't take the risk of opening unsolicited email.

- Even though you can sometimes opt out of SPAM mailing lists by following the instructions at the bottom of the message, more often than not you are letting the SPAMMER know you are there, and they will send you more SPAM. So, don't reply to SPAM.

- Until there is some miracle way of opting out of it altogether, you will need to invest in a SPAM blocking program. While there are filtering options in some email systems, they are weak and it is worth a few bucks to buy a program that will filter SPAM and have a subscription to keep updated with new filters. Here are some options:

  + McAfee/Spamkiller (PC, $30): http://us.mcafee.com/root/package.asp?pkgid=156

  + Matterform/Spamfire (Mac only for now, $25/$40): http://www.matterform.com/

  + CoffeeCup (PC - haven't tried, but good reviews, $30): http://www.tucows.com/preview/295552.html

  + SpamWeed for POP3 (bayesian spam filter, should learn and improve over time - haven't tried but looks good, $30): http://www.tucows.com/preview/318216.html
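The "bayesian spam filter" mentioned for SpamWeed works by learning word statistics from mail the user has already labelled, which is why it improves over time. As an added example (not from the talk and not SpamWeed's code), here is a small naive Bayes filter of that kind; the training corpus is a handful of constructed messages, and the 0.9 decision threshold is an assumed setting.

```python
# Added example, not from the talk: a small Bayesian spam filter of the kind
# the SpamWeed entry describes, one that learns from labelled mail and
# improves as more messages are fed to it. Training text is constructed.
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z]+")


def tokens(text: str) -> set:
    """Lower-case word tokens; a set, so a word counts once per message."""
    return set(WORD.findall(text.lower()))


class BayesSpamFilter:
    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.words = {"spam": Counter(), "ham": Counter()}

    def train(self, text: str, label: str) -> None:
        """Learn from one message labelled 'spam' or 'ham' (the learning step)."""
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def spam_probability(self, text: str) -> float:
        """P(spam | words) by naive Bayes, computed in log space to avoid underflow."""
        total = self.docs["spam"] + self.docs["ham"]
        if total == 0:
            raise ValueError("filter has not been trained")
        score = {}
        for label in ("spam", "ham"):
            n = self.docs[label]
            score[label] = math.log(n / total) if n else -math.inf
            for w in tokens(text):
                # Add-one (Laplace) smoothing so an unseen word is not decisive.
                score[label] += math.log((self.words[label][w] + 1) / (n + 2))
        return 1.0 / (1.0 + math.exp(score["ham"] - score["spam"]))

    def classify(self, text: str, threshold: float = 0.9) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def trained_filter() -> BayesSpamFilter:
    """Filter trained on a constructed corpus (not real mail)."""
    f = BayesSpamFilter()
    for text in ("free pills click now", "you won a free prize claim now",
                 "cheap mortgage rates click here free", "claim your free prize pills"):
        f.train(text, "spam")
    for text in ("lunch meeting tomorrow at noon", "here is the quarterly report draft",
                 "can you review my patch before the meeting", "family photos from the weekend"):
        f.train(text, "ham")
    return f
```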

On the Homefront

Ad-Ware

Dealing with Ad-Ware/Malware (the stuff that gets installed when you download another program or visit a website that reports on what you do)

- This is primarily a PC problem, so these tools are exclusively for the PC.

- Here are links to a couple FREE software packages that you can use to scan for any adware that might be installed on your system (i.e. Gator, etc.):

  + Ad-aware (PC, FREE): http://www.lavasoft.de/support/download/

  + Spybot (PC, FREE): http://www.safer-networking.org/

On the Homefront

Pop-up Blocking

There are several vendors that have tools to block pop-ups. Always be careful that you don't install spyware in the process of downloading a neat toolbar to block pop-ups. Here are some I like. They may also have additional functionality, like Google searching, etc. (Mozilla might be the only pop-up blocker for classic MacOS users.)

  + Google Toolbar (PC, FREE): http://toolbar.google.com/

  + You might also try running Mozilla, instead of Internet Explorer: http://www.mozilla.org/

  + On MacOS X, use Safari, it will block pop-ups: http://www.apple.com/safari/

  + CoffeeCup Pop-up Blocker ($20): http://www.tucows.com/preview/289024.html

On the Homefront

Vulnerability Patching

It is vital that your PC remain patched against critical security vulnerabilities. The Windows site below will check your computer for missing patches. You should keep the security patches updated, but may decide not to install other large patches that are not "critical security patches".

[Note: Most new operating systems offer the ability to auto-patch your system; you may decide this is your best option, and that way you won't forget.

FOR MAC USERS: You can also use the control panel to look for "software updates" on the Mac... this site is for the savvy MacOS X user. In general, the Mac is much less vulnerable to viruses than the PC.]

Some of the recent "blended" threats, like Blaster, will infect ANY unpatched computer that is vulnerable if left long enough on the Internet, even if you have the latest antivirus. Remember that antivirus is NOT a 100% solution anymore.

  + Microsoft (PC): http://windowsupdate.microsoft.com/

  + Apple (MacOS X) Security Updates: http://docs.info.apple.com/article.html?artnum=61798

The Future

In the future, the Internet will extend its reach into your home and every aspect of your life.

Viruses and threats will become commonplace.

Vendors will need to ship computers with default deny, instead of default allow.

If you keep updated and practice safe computing, you will probably stay safe and keep your data in the chaos.

RESOURCES

CERT: http://www.cert.org/other_sources/viruses.html

VMyths: http://www.vmyths.com/

Computer Security Institute: http://www.gocsi.com/

John’s Security Page: http://www.cybermaze.com/security/index2.html

A Virus Tutorial: http://www.cknow.com/vtutor/

NIST: http://cs-www.ncsl.nist.gov/virus/

X-Force (ISS): http://xforce.iss.net/

Microsoft Updates: http://windowsupdate.microsoft.com

You may also go to a good online software site, like http://www.tucows.com/ and go under your operating system (Windows, Mac, Linux) and then click on Internet to pull up tons of freeware and software titles if you don't find something that you like in my list above.

Questions?