Malware mitigation

Devise a strategy to mitigate malware

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
General Manager
Entel Security & Risk Management
rgallego@entel.es

© 2008 ISACA. All rights reserved

Wednesday, March 25, 2009

Agenda

• Malware: what is it really?
• Different types of malware

• We are under attack... but how? And why?
• Let me show you

• Strategy on how to mitigate those risks



Malware: what is it really?
• Malware is software designed to infiltrate or damage a computer system
without the owner's informed consent. The expression is a general term used by
computer professionals to mean a variety of forms of hostile, intrusive, or
annoying software or program code

• Software is considered malware based on the perceived intent of the creator rather
than any particular features. Malware includes computer viruses, worms, trojan
horses, most rootkits, spyware, dishonest adware, crimeware and other
malicious and unwanted software



A bigger problem than we think

• Malware is now economically motivated and backed by organized
crime and foreign interest

• The development of highly critical malware such as targeted attacks is
also on the rise

• The level of sophistication behind malware makes it extremely difficult
for traditional solutions to detect and remove

• There are many bot networks to de-fraud business models and
consumers through sophisticated social engineering



It’s not for fun... It’s money!

• Consumers are now the prime target for ID Theft and other on-line
fraud
• Traditional signature based anti-virus solutions have become
useless to these new sophisticated attacks



Understanding the Risk
The Market Value of Sensitive Data

980€-4.900€ 147€
Trojan to steal account Birth certificate
information

98€
490€
Social Security card
Credit Card Number
with PIN

6€-24€
78-294€
Credit card number
Billing data

6€
147€ PayPal account
Driver's license logon and password



Overview of crimeware families
Crimeware is broken down into several categories

• Banking Trojans
Limbo
PayRob.A
Sinowal
Aifone.A
Banbra Variants

• Keyloggers (Banbra, Cimuz)
• Bots (Clickbot.a, Botnet.A, Aifone.A)
• Phishing (Barclays, PayPal)
• Targeted Trojans



What is spyware?
• Spyware is software installed on a computer that gathers information without the user's
knowledge and relays that information to advertisers or other 3rd parties

• Several subcategories of spyware:
–Adware
• Advertising-supported software that displays pop-up advertisements whenever the program is running. Often
collect personal information and web surfing habits

–System monitors
• Programs that capture everything you do on your computer, from keystrokes, emails and chat room dialogue, to
which sites you visit and which programs you run

–Trojan horses
• Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access



How spyware infiltrates
• People don’t purposefully and knowingly install spyware
–Can be included with applications you want to install, such as peer-to-peer clients or
desktop utilities
–Some silently load when you visit a seemingly-innocent Web page (‘The Ghost in the
browser’)

• Installed silently in the background – most users never know their
computers are infected



Spyware threats organizations
• Wastes computing resources
–Sends back information periodically, often daily
–Consumes an organisation’s bandwidth

• Exposes proprietary information
–It could send files to a competitor’s server
–It could monitor e-mail and send out the contents

• Poses serious security risks
–It could send emails on behalf of the user
–It could provide a spy or hacker with a backdoor into the systems
–It could change documents and specifications on systems to damage research or other
projects

• May introduce compliance risks



How botnets are used to commit financial fraud

• A bot network consists of a “controller” and compromised zombie PCs. There have been
cases of bot networks containing up to 1.5 Million zombie PCs like in the Dutch botnet case

• The bots that infect systems can perform several actions such as relay spam, launch
malware and perform ID theft

• Some of the common methods for bot infection is through websites that contain exploits
and vulnerabilities that actively transmit malware to the PC visiting the site.

• Components can also be downloaded such as ActiveX controls, etc that will then deal with
the rest of the infection process

• Social engineering techniques also exist to infect systems through spam, phishing and
other content. Once a PC has become infected it can receive remote commands from the
“bot master” remotely


And they are using new methods

• Botnets are beginning to use P2P networks to gain control
of more computers

• Researchers were previously able to shut down a botnet
by targeting its Command & Control center (and IRC
channel or website). Hackers are now using P2P networks
to connect bots in a more “horizontal,” peer manner, which
makes shutting down the botnets much more difficult



The problem of keylogging
• Keyloggers are programs that run in the background recording
all keystrokes and which may also send those keystrokes
(potentially including passwords or confidential information) to
an external party

• 2 types of Keylogger programs:

–Commercial
–Viral (included as part of blended threat with Worm, Trojan Horse, BOT, etc..



Commercial Keylogger - Example



Sophisticated Social Engineering

• Common social engineering techniques:

– Spear-Phishing and other highly targeted scams
– Spam with exploits
– Phishing emails that direct users to web-sites with hidden Trojans
– Malware through IM channels



No real bank would do this!



Infection strategies used by hackers

• Common infection strategies used by hackers

–A web site is physically hacked and seeded with Trojans (i.e.
Superbowl website case)
–Phishing emails with exploits
–Malware through IM channels
–Malware attached to freeware and shareware
–Malware in the form of video codecs
–Infection through botnets



Overview of Targeted Attacks

• Characteristics of Targeted Attacks:
– Involve “Highly Critical” malware tailored towards attacking a specific target (i.e. Bank Of
America)
– Such malware target a specific set of confidential information to capture and send to a 3rd
party
– Targeted attacks always involve a hacker hired to design malware to bypass specific defenses
– Attacks are very localized; therefore, distribution is limited. In most cases AV labs do not
receive a sample which results in no signature file
– Current security solutions will not detect the malware because the hacker has prepared
against commonly used AV programs
– Hackers are using sophisticated stealth techniques such as rootkits to hide the presence of
malware



Information? Ready available!
• IT departments know about sites...but so do all the other
departments!
–Question is…do we know who, when, where and how?
–More importantly…do we have the means to stop it?

• Information is easy to find! (27,000,000 results returned on
Google when the search term ‘How To Hack’ is used)

• Hacking tools can be easy to use
–Some don’t require any programming skills at all! (Keyloggers
can come with nice user interfaces, such as ‘The Perfect
Keylogger’) with a ‘Next’, ‘Next’, ‘Next’ install!


…step-by-step guides available!

• You no longer need to go underground or to university to learn
how to become a successful hacker!



Do it yourself! Incredible!



Example - Denial of Service




• You visit a web site and click
on a link




on a link

• A few seconds later, many
applications start to run in the
computer




on a link

• A few seconds later, many
applications start to run in the
computer

• You can only close the
program to prevent the attack.
The machine does not work



Example - Redirection of sites




• You connect to online banking to
see your accounts




see your accounts

• A hostile applet sends an
identical page




see your accounts

• A hostile applet sends an
identical page

• You introduce your credentials
while a hacker is receiving them
or they are being sent to an
Internet directory



Example - Sending files in background




• A postcard is received by email




• A postcard is received by email

• An applet executes an animation

• That applet is copying the last
Word document and is sending it
in the background to the Internet



Example - Harm exectutables



Example - Harm exectutables

• There is type of attack
that seems to be from
known companies who
invite to install the last
security patch or Service
Pack

• The executable file is a
Trojan or malicious code
that puts our
environment at risk



Example - Phising and scam




• Pakistan Earthquake – We found the URL http://
pakistanhelp.com




pakistanhelp.com
• We analyzed it and we saw that there were signs of
phising




pakistanhelp.com
• We analyzed it and we saw that there were signs of
phising
•In this case, the ‘help’ options include the download of an Excel file to
be sent by fax
•A real and legal organization would never do this….



Strategy: Protect every vector




Firewall




Secure Content Manager

Firewall




Antivirus/
Antispyware


Firewall




Antivirus/
Antispyware


Firewall

VPN




Antivirus/
Data Leak Prevention
Antispyware


Firewall

VPN



Strategy: Consider other approaches

Internet

• Effectiveness vs. Efficiency
• SaaS approach
• UTM devices
• More than one solution will leverage
your security
• Education, education, education
• Centralised management



Objective: Keep the bad guys out!



THANK YOU
Devise a strategy to mitigate malware
Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
General Manager
Entel Security & Risk Management
rgallego@entel.es



Malware mitigation

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (10)

Similar a Malware mitigation

Similar a Malware mitigation (20)

Más de Ramsés Gallego

Más de Ramsés Gallego (14)

Último

Último (20)

Malware mitigation

Notas del editor