Post on 15-Dec-2015
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
SECURITY AT HOME
R Kevin Chapman Student Computing CoordinatorDave Flynn UNIX Systems AdministratorRich Graves Senior UNIX and Security Administrator
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
So you want to get infected…
What are your options? What are they?
How do you go about it? Really
What are the benefits? Reactive tools and measures
But seriously folks…
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Malware for beginners
Virus Trojan Worm Adware Spyware Rootkit BotNet Phishing
What are your options?
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Virus
What is it? Malicious program that attaches itself to
a legitimate file or program (the Host). Infects machine when host file is run or opened. Typically cannot run itself, needs human intervention.
What does it do? Harmless as presenting “I’m here!” Dangerous as deleting files. Trigger immediately or wait for instructions or
wait for a specific date.
How does it spread? Via any files that move between computers (e.g. email). Once on machine, looks for files to infect. Relies on user transmission of those files.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Trojan
What is it? Disguises itself as useful software or legitimate files. Typically cannot run itself, needs human intervention.
What does it do? Harmless as changing icons on your desktop. Dangerous as opening “back doors” to the machine.
How does it spread? Purely human intervention; “invited” onto system. Cannot replicate itself. Opening files or images…
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Example: Vundo /Virtumonde
What is it? A Trojan with many variants
How it spreads? From a website linked from email. Advertises itself as an anti-malware tool.
What does it do? Pop-up advertising for bogus antivirus tools. Redirect Google searches. Disable security programs. And a lot more...
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Worm
What is it? Malicious program that spreads itself without a
Host. Designed to duplicate and spread via network.
What does it do? Can cause network problems (heavy traffic). Acts of vandalism are rare but possible. Will often open “back doors” to the machine.
How does it spread? Replicates itself on the same machine. Capable of spreading itself often via email. Via network, often through their own back doors.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Example: Conficker
What is it? A worm with five or more variants.
How does it spread? Windows security flaw. USB devices (via autorun). Via network connections.
What does it do? Currently checks hundreds of websites for updates. Open back doors for new versions or other infections. Antivirus or Windows Update sites unavailable. User accounts may be locked out. Spambot & Scareware.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Adware
What is it? Normally legitimately installed software. Free software paid for by the advertisements
(to recoup development costs).
What does it do? Downloads and/or displays ads on your machine. Provides a free version of software.
How does it spread? Downloaded and installed deliberately by user. May note sites you visit and display
corresponding advertisements (SpyWare).
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Spyware
What is it? Any program that monitors your behavior:
e.g. surfing habits, sites visited.
How it spreads? Piggy-backs on other software;
not as a virus as it’s often intentional. Can operate like a Trojan e.g. fake security
software. Tricks users into bypassing security.
What it does? Record and deliver info you enter online. Can install software, redirect browser.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Rootkit
What is it? Program(s) which hide deep on your system. Replaces system files which then hide processes.
How it spreads? Spread as Viruses or Trojans (not Worms). Rarely spreads itself any further once infected.
What does it do? Allows unauthorized access to your machine. Sniffers, keyloggers, zombie computer.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
BotNet
What is it? Spyware that records personal data. Refers to a collection of machines.
How it spreads? Spread via Trojans or like Worms Scan local environment to find vulnerable
machines
What does it do? Very low-key – it wants to remain hidden. Gathers information and relays it (e.g. banking). Used for identity theft, compromise online accts.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Phishing
What is it? Attempt to gain personal information such as
passwords or account information fraudulentlye.g. Email masquerading as bank representative.
How? Majority of attempts happen via email. Also Instant Messaging, Social Networking. Refer to websites that look like the original.
What does it do? Gain access to account, or identity theft
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Vectors• Email• Software vulnerabilities• USB keys, network drives,
other mechanisms for transferring files
• Malicious or compromised websites
How to get infected
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
• Bad or suspicious links• Especially in HTML email, what a link
says might not be where it’s actually going.
• Dangerous attachments• Can contain malware itself, which might
or might not be caught by antivirus tools• Attachments are very dangerous. As a
rule of thumb, don’t open one unless you know exactly who sent it and what it contains.
• Phishing• ‘Spanish Prisoner’ schemes• Tricking a user into giving away personal
or financial information.
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
From: Internal Revenue Service [mailto:admin@irs.gov]
Sent: Wednesday, March 01, 2006 12:45 PM
To: john.doe@jdoe.com
Subject: IRS Notification - Please Read This .
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $63.80. Please submit the tax refund request and allow us 6-9 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Regards,Internal Revenue Service
Example of a phishing email
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
• Old versions of IE and Firefox are vulnerable to attack.
• Browser plugins are popular targets because they often don’t get updated• Adobe• Quicktime• Java• Flash
For Firefox: https://www.mozilla.com/plugincheck/
• Operating system security holes• Vista SMBv2, for example
Software Vulnerabilities
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Legitimate websites can contain dangerous links or harmful code:
• Facebook (stolen passwords)• Forums, blogs, etc.• Security holes in webservers• Bad advertisements / popups
Search engines can be tricked
Some attacks can happen without any interaction from you!
• Sometimes called drive-by downloads• Usually associated with a browser or
plugin vulnerability
Malicious / Compromised Websites
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Automatic infections: Worms, drive-by downloads, etc
• Can infect your machine instantly and without user interaction
• Typically a result of unpatched or vulnerable software
• The best defense is to make sure you’re using up to date software, particularly web browser and other web-related tools.
• Suffers from zero-day syndrome, by which we mean that software vulnerabilities are sometimes only discovered when malware that exploits it begins to spread.
Recap
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Many modern forms of malware rely on tricking the user:
• Phishing• Trojans• Malicious websites, advertisements,
popups• Email attachments
Sometimes classified as social engineering attacks.
These cannot infect your machine automatically; the best defense is to learn to recognize likely malware and then ignore / delete / avoid it.
Recap
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
•Phished email password used to send spam within 1 hour•If bank information is stolen:
• So is your money• Your account can be used to transfer money
overseas
•If your Facebook account is taken, it will be used to:
• Identify other potential victims• Spread “Koobface” and similar trojans• Scare your friends into sending money to “rescue” you
If your computer is trojaned...
Your Role in Criminal Activity
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
•“Rootkits” lie to antivirus software about what files exist•The computer, now owned by the criminals, will be used to monitor your activities and attack others
It’s Not Your Computer Anymore
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
•ColdwellBanker.com: Gumblar trojan•Tennis.com: Gumblar, a few weeks before the French Open•CW.edu and Berklee.edu, behaving Gumblar-like today•NYTimes.com: bad ad 9/13, http://tinyurl.com/oopsnyt•PEZCyclingNews.com: noon yesterday, via ad network
Kaspersky: 0.64% of the web serves up malware
Who Can Help Infect You?
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
10%Proportion of Adobe Reader installations on Carleton administrative desktops that are current. The other 90% are vulnerable to Gumblar-style attacks.
0Number of computers worldwide with a version of Adobe Reader that can handle new attacks starting December 11th.
How Vulnerable Are You?
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
•Create and use a limited-privilege account• Demo
•Use up-to-date antivirus• Carleton’s McAfee (licensed for home use)• Microsoft Security Essentials (free for home
use)
•Set a Fraud Alert at AnnualCreditReport.com• Instructs lenders not to open new credit
accounts in your name unless your identity has been verified
• Prevents you (for example) from opening a department-store credit card on the spot
3 Easy Ways to Be Safer
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Turn off JavaScript in Adobe Reader•Demo
Safer Computing, continued
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
If you use Firefox•Update Firefox to 3.6•Consider the NoScript extension, NoScript.net
If you have Vista/Windows 7, but not NoScript•Internet Explorer 8 is probably safer
Safer Computing, continued
0101001101100101011000110111010101110010011010010111010001111001001000000100000101110100001000000100100001101111011011010110010100100000001001110011000000111001
Help from Secunia.com on software updates•Try the PSI utility from secunia.com
Safer Computing, continued