Beyond Virus, Trojan and Worm: New Threats and Appropriate Responses
David Perry, Director of Virus Education, Trend Micro Inc.

Transcript of the 37-page slide deck.

Page 1: Beyond Virus, Trojan and Worm: New Threats and Appropriate Responses

David Perry, Director of Virus Education, Trend Micro Inc.

Page 2: What is a computer virus…?

- The original computer virus was not located on a PC
- It was not on an Apple
- It was not on a mini or mainframe
- It was not located on computer hardware or software of any kind

Page 3: What is a computer virus…?

- It was in a work of fiction!

Page 4: Fred Cohen, PhD, first theorized computer viruses, giving the formal definition and the first documented experiments in his 1984 paper "Computer Viruses: Theory and Experiments"

Page 5: Robert T. Morris wrote the Internet worm in 1988

Page 6: Trojan Horse programs take their name from the Trojan Horse of Greek legend, told in Homer's Odyssey (Books 4 and 8) and at length in Virgil's Aeneid (Book 2)!

Page 7: What is a computer virus…?

- Today, viruses are only one type of a whole menagerie of computer ills that are collectively known as malware
- From spam to spyware, Trend Micro detects, prevents and protects against all kinds of content security ills

Page 8: With notes on antivirus technology

Chart: antivirus detection technology added over successive platform generations (MS-DOS → Win 3.x → Win 9x → Win 2k), earliest first:

- Simple string scanning & integrity checking
- Emulation and decryption
- Heuristic detection & file-server-based scanning
- Advanced encryption and polymorphic scanning
- Mail server and gateway/proxy scanning
- Broadband & wireless/PDA detection

Page 9: Virus du Jour

Timeline of the dominant virus type, from virus prehistory (Elk Cloner, etc.) to today:

Boot Sector → File Infector → Macro Virus → Email Worm → Blended Threat → TODAY

Page 10: Zero-day attack brought by network virus is coming?

Chart: days required for a virus to appear after the vulnerability was announced (worms on the chart: Nimda, Code Red, SQL Slammer (SQLP), MSBlast, Nachi, Sasser).

Worm               | Bulletin | Bulletin date | Worm appeared | Gap
Nimda              | MS00-078 | 10/17/2000    | 9/18/2001     | 336 days
SQL Slammer (SQLP) | MS02-039 | 7/24/2002     | 1/25/2003     | 185 days
MSBlast            | MS03-026 | 7/16/2003     | 8/11/2003     | 26 days
Sasser             | MS04-011 | 4/13/2004     | 5/1/2004      | 17 days

Current solutions (VA, IDS, VPN, firewall, AV) cannot stop network viruses.

Page 11: Adware, Spyware, Upware, Downware, Meware, Youware

Page 12: How many viruses???? 122,000? 2,000? 260?

Page 13: How many viruses????

- 122,000! All viruses ever discovered, including zoo samples (never infected anyone)
- 2,000! Viruses discovered or reported in the wild (actually infecting computer systems)
- 260! Mean number of viruses in circulation in any given month
- 5! Number of viruses active on any single day

Page 14: How many viruses???? Why am I telling you this?

- It has taken fifteen years for there to have ever been 1,100 ITW (in-the-wild) viruses.
- In a little less than two years, there are more than TWENTY THOUSAND spyware programs.
- That is the difference that profit motivation makes.

Page 15: Can you spot the WildList founders in the photo?

(Photo.)

Page 16: WildList Data

(Chart.)

Page 17: Spyware-Adware Detection

What is Spyware? A software application that monitors a user's computing habits and personal information, and sends this information to third parties without the user's authorization or knowledge. It takes the form of key loggers, event loggers, cookies, screen captures, or a combination of these.

What is Adware? A software application that displays advertising banners while the program is running.

Gray Area: Some users view them as useful tools or utilities, while others view them as malicious applications that should be detected. Some companies that make adware have attempted to sue AV companies that categorize their software as spyware or a virus.

Page 18: Malware vs. Adware = Gray Area

                                     | Malware                   | Grey Area (Some Adware and Spyware)
Origin                               | Virus writers and hackers | Legitimate software/application vendors
Considered malicious?                | Always                    | Not always; user-dependent
Potential legal issues detecting it? | No                        | Maybe, in some cases
Default detection                    | Always on                 | Off by default; the user must turn the feature on

Page 19: Anti-spyware Capability of Trend Micro IWSS (InterScan Web Security Suite)

- Detects and blocks malicious/illicit spyware via the standard virus pattern file
- Can be set by the administrator to block legitimate but unwanted spyware, adware, remote access tools, hacking tools and more, via a separate spyware pattern file
- The anti-phishing feature can also block communication to spyware-related URLs

Page 20: SPAM and Phishing

Page 21: This Is Nigeria.

Sir,

First, I must solicit your strictest confidence in this transaction, this is by virtue of its nature as being utterly confidential and top secret as you were introduced to us in confidence through the Nigerian Chamber of Commerce, foreign trade division.

We are top officials from the Federal Ministry of Works and Housing (FMW&H), Federal Ministry of Finance and the Presidency, making up the Contract Review Panel (CRP) set up by the Federal Government of Nigeria to review contracts awarded by the past military administrations.

Page 22: Why Is It Called SPAM?

Page 23: How Can We Eliminate SPAM 100%?

Switch to another medium of communications?

Page 24: Trend Micro SPS (Spam Prevention Service)

Diagram: mail flows from Sending Mail Servers → (1) the Trend Micro Gateway Product running the Postini Anti-Spam Engine (Message Parser & Decoder feeding Content Analysis and Header Analysis) → (3) the Internal Mail Server → (4) End User Machines. The gateway receives Rule Weighting file and Engine downloads and exposes Admin Tools & Integration APIs.

Numbered steps on the diagram:

1. The anti-spam heuristic application acts on messages in real time as they flow through the system
2. MIME parts, including message content, are exposed to the spam detection routines
3. The Message Parser scores each message based on statistical analysis and filter configuration and writes the score into a message header
4. The MTA sorts messages based on spam score and routes them based on organizational policy
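The four steps above, as an added worked example that is not Trend Micro's or Postini's code: a stand-alone Python scorer that walks the MIME parts of a message, applies weighted header and content rules, stamps the score into an X-Spam-Score header and returns the routing decision. The rule set, the weights, the two thresholds and the two sample messages (one modelled on the 419 text quoted on page 21, one legitimate) are all constructed for the example; a real rule-weighting file would be far larger and would be downloaded rather than hard-coded.

```python
"""Weighted heuristic spam scoring over MIME parts (added example, not product code)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Stand-in for the downloaded rule-weighting file: rule name -> weight (assumed values).
RULE_WEIGHTS = {
    "SUBJECT_ALL_CAPS": 1.5,       # shouting subject line
    "ADVANCE_FEE_PHRASES": 2.5,    # 419-style confidence-trick wording
    "URGENCY_WORDS": 1.0,
    "FROM_REPLYTO_MISMATCH": 2.0,  # replies go to a different domain than From
    "MISSING_MESSAGE_ID": 1.0,     # a real MTA adds one
    "HTML_ONLY_BODY": 1.0,         # no text/plain alternative offered
}
TAG_THRESHOLD = 3.0         # assumed organizational policy: tag and deliver
QUARANTINE_THRESHOLD = 5.0  # assumed organizational policy: quarantine

ADVANCE_FEE_RE = re.compile(r"strictest confidence|transfer the sum|bank account|million", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|act now)\b", re.I)


def text_of(msg: EmailMessage) -> tuple[str, set[str]]:
    """Step 2: expose every MIME part; return decoded text and the text/* types seen."""
    texts, types = [], set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        types.add(part.get_content_type())
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for keyword rules
        texts.append(body)
    return "\n".join(texts), types


def domain(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def score_message(msg: EmailMessage) -> tuple[float, list[str]]:
    """Step 3: header analysis plus content analysis; returns (weighted score, rules that fired)."""
    hits = []
    subject = str(msg.get("Subject", ""))
    body, types = text_of(msg)

    # header analysis
    if subject.isupper():
        hits.append("SUBJECT_ALL_CAPS")
    reply_to = msg.get("Reply-To")
    if reply_to is not None and domain(str(reply_to)) != domain(str(msg.get("From", ""))):
        hits.append("FROM_REPLYTO_MISMATCH")
    if msg.get("Message-ID") is None:
        hits.append("MISSING_MESSAGE_ID")

    # content analysis (each rule counts once, however many times its phrase occurs)
    if ADVANCE_FEE_RE.search(body):
        hits.append("ADVANCE_FEE_PHRASES")
    if URGENCY_RE.search(subject + "\n" + body):
        hits.append("URGENCY_WORDS")
    if "text/html" in types and "text/plain" not in types:
        hits.append("HTML_ONLY_BODY")

    return sum(RULE_WEIGHTS[h] for h in hits), hits


def route(score: float) -> str:
    """Step 4: the MTA's policy decision, driven only by the score."""
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    if score >= TAG_THRESHOLD:
        return "tag-and-deliver"
    return "deliver"


def process(raw: str) -> tuple[str, float, list[str], EmailMessage]:
    """Step 1: parse; step 3: score and write the score into a header; step 4: route."""
    msg = message_from_string(raw, policy=policy.default)
    score, hits = score_message(msg)
    del msg["X-Spam-Score"]
    del msg["X-Spam-Rules"]
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Rules"] = ",".join(hits) or "none"
    return route(score), score, hits, msg


# Constructed sample messages (addresses use reserved example.* domains).
SCAM_SAMPLE = """\
From: "Dr. A. Example" <crp-panel@example.org>
Reply-To: payout@example.net
To: victim@example.com
Subject: URGENT AND CONFIDENTIAL BUSINESS PROPOSAL
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Sir, I must solicit your strictest confidence in this
transaction. We wish to transfer the sum of US$21.5 million into your
bank account. Reply immediately.</p></body></html>
--b1--
"""

HAM_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch on Thursday?
Message-ID: <20040601.1234@example.com>
Content-Type: text/plain; charset="us-ascii"

Are you free for lunch Thursday? The usual place at noon.
"""

if __name__ == "__main__":
    for raw in (SCAM_SAMPLE, HAM_SAMPLE):
        action, score, hits, msg = process(raw)
        print(f"{action:16} score={score:4.1f} rules={msg['X-Spam-Rules']}")
```

The scam sample trips all six rules (score 9.0, quarantined) and the lunch invitation trips none (delivered). Because the decision is made from the score header rather than inside the scorer, the same gateway can serve different departments with different thresholds, which is exactly the "lenient sensitivity settings" caveat raised on page 29: a low threshold quarantines phish, a high one lets it through tagged.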

Page 25: Phishing is more than just SPAM

Page 26: PHISHING is a CRIME!

Phishing combines an ordinary spam confidence job with a technological "back end" that can harvest passwords, credit card numbers, account numbers and more!

Page 27: PHISHING is a CRIME!

By using the actual logos, typefaces and "spoofed" return addresses of the actual agencies, users are misled into divulging important information

Page 28: PHISHING is a CRIME!

- Phishing is SPAM: it arrives as mass email
- Phishing is a Trojan Horse: it defrauds the victim
- Phishing is spoofed, like spam and viruses
- Phishing is not a virus; it is a bona fide crime!

How can we guard against phishing, in the enterprise network and at home…

Page 29: Anti-phishing Capability

- Blocks outbound transmission to malicious URLs: phishing-related sites, malicious code distribution sites, spyware sites
- Helps protect against identity theft and theft of confidential company data
- Complements the more traditional inbound detection of phishing-related spam in Trend's Spam Prevention Solution: lenient sensitivity settings or tag/deliver and quarantine rules may still allow suspected phishing messages to reach the end user, so the outbound URL block catches the click that the inbound filter let through
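The outbound URL block on this page (and the spyware-URL block on page 19), as an added example that is not Trend Micro's code: a Python check a web proxy could run on each outbound request. It canonicalizes the host before matching, because the "spoofed" lookalikes described on page 27 rely on the reader, or a naive filter, comparing the wrong string: userinfo tricks (http://www.bank.example@evil.example/), case and trailing-dot variants, decimal IP literals, homograph domains with non-ASCII letters, and subdomains of a listed site. The denylist entries and the example.* names are constructed assumptions standing in for a pattern file.

```python
"""Outbound URL denylist check with host canonicalization (added example, not product code)."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def normalize_host(host: str) -> str:
    """Canonical comparison form: lowercase, no trailing dot, IDNA (punycode) labels,
    and a bare decimal IP literal rewritten as a dotted quad."""
    host = host.strip().lower().rstrip(".")
    if host.isdigit():  # e.g. http://3221225994/ is 192.0.2.10
        host = str(ipaddress.IPv4Address(int(host)))
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # unencodable names stay as-is; they will not match a normalized entry
    return host


# Constructed denylist standing in for the spyware / phishing pattern file.
RAW_BLOCKLIST = [
    "secure-bank-login.example",       # assumed phishing site
    "updates.spyware-vendor.example",  # assumed spyware call-home host
    "192.0.2.10",                      # assumed malicious-code distribution IP (TEST-NET-1)
    "pаypal.example",                  # homograph: the second letter is Cyrillic а (U+0430)
]
BLOCKED_HOSTS = {normalize_host(h) for h in RAW_BLOCKLIST}


def url_host(url: str) -> Optional[str]:
    """Host part of a URL; urlsplit discards userinfo and port and lowercases for us."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def check_outbound(url: str) -> Tuple[bool, str]:
    """Return (blocked, matched entry or normalized host). Fails closed on an unparseable host."""
    host = url_host(url)
    if not host:
        return True, "unparseable host"
    host = normalize_host(host)

    # IP literals: exact match only, a suffix of an address means nothing
    try:
        ipaddress.ip_address(host)
        return host in BLOCKED_HOSTS, host
    except ValueError:
        pass

    # exact match, or any parent domain on the list (subdomains of a blocked site are blocked)
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_HOSTS:
            return True, candidate
    return False, host


if __name__ == "__main__":
    for u in (
        "http://secure-bank-login.example/update.php",
        "https://www.bank.example/",
        "http://www.bank.example:login@SECURE-BANK-LOGIN.example./signin",
        "http://login.updates.spyware-vendor.example/beacon",
        "http://3221225994/dl.exe",
        "http://pаypal.example/",
    ):
        print(check_outbound(u), u)
```

Matching on the canonical host rather than on the URL string is the whole point: the third URL above is exactly the kind of link a phishing mail carries, and a filter that looked for "bank.example" in the string would pass it. Failing closed on a host the parser cannot make sense of is the right default at a proxy, since a legitimate client never sends one.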

Page 30: New Threats

Page 31: New threats coming...

- Cell phone viruses
- Threats against Windows embedded devices like POS terminals, ATMs and more…
- Any network-enabled device faces threats from malware.

Page 32: Windows-based ATMs raise security issues on the XP Embedded (XPe) platform

Page 33: Antivirus for Windows embedded devices

◆ The MVP Appliance will protect Windows embedded devices from network viruses. It resides outside these devices as a separate box.

Diagram: the MVP Appliance sits in front of the POS, ATM, KIOSK terminal and MFP devices and passes only clean packets through to them.

The MVP Appliance monitors packets and detects/eliminates network viruses before they reach these devices. Once it detects packets carrying a network virus, it blocks them to avoid a virus outbreak.

Page 34: Trend Micro EPS (Enterprise Protection Strategy): Service-based AV

Page 35: Our Approach

Diagram: Enterprise Protection Strategy: Proactive Outbreak Lifecycle Management. The four phases of the outbreak lifecycle, left to right, with the products and services at each phase:

- Vulnerability Prevention (trigger: Vulnerability Discovered): Vulnerability Isolation; Security Policy Enforcement; Trend Micro Vulnerability Assessment
- Outbreak Prevention (trigger: Malicious Code Attack): Network Outbreak Monitoring and Prevention
- Virus Response: Network Virus Detection
- Assessment and Restoration (end state: Malicious Code Eliminated): Infection Locator; Automated Cleanup

Layers of the diagram:

- Network Layer: Trend Micro Antivirus and Content Security Products
- Application Layer: Trend Micro Antivirus and Content Security Products
- Outbreak Mgmt.: Outbreak Prevention Services; Virus Response Services; Damage Cleanup Services; Centralized Outbreak Management

Centralized Management = LIFECYCLE management, deployment, and reporting

Page 36: Business Unit

TrendLabs: 400 researchers and growing!
