UCAR Malware incidents
Tim Fredrick, March 2010
NCAR/ACD/NESL Computing
The Mebroot/Torpig threat
Malware Presentation 2010
What we’re up against
Infections in ACD
• Attempted compromise of a Linux machine visiting a newspaper site
• Successful compromise of 2 Windows XP machines and 1 Vista machine
• Multiple infections of UCAR systems – all Windows PCs
• One UCAR system re-infected after it was reformatted/reinstalled
• All were variants of TORPIG – all detected by monitoring network activity

Cost of Infections
• TIME: security staff, system administrators, end-user
• Systems must be reformatted/reinstalled (in ACD we’ve used new disks)
• Each system must remain down for forensics for approx. 1 week
• In one case, a staff member complained personal information was removed from his/her control
What is infecting us…
• TORPIG/MEBROOT
  • MEBROOT is a “root kit” (aka Sinowal or Anserin)
  • TORPIG is a keystroke logger

What does TORPIG do?
• Scans for credentials
• Keystroke logging – sends to evasive but known collection sites
• Knows about hundreds of banking sites; captures credentials
• RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts
• Motivation: financial
• A problem among personal computers as well as corporate networks
How does TORPIG get in?
The “malware community” buys ads that look legitimate when viewed by Google, but inject scripts when viewed by other browsers.
Drive-by download
• Uses scripting (JavaScript, Flash)
• Intelligence built into the script
  • Looks legitimate except for the “target” audience
  • Avoids certain environments (Linux, MacOS)
• Must find a vulnerable application
  • Looks for dozens of vulnerabilities
    • Browsers
    • Java plugins
    • Media players (video, audio)
    • Adobe PDF applications
The Mebroot “root kit”
• The vulnerability is exploited and a “rootkit” is injected
• What is a rootkit?
  • Software to give an intruder access to a machine
  • The software defends itself
    • against detection
    • against removal

What is the Master Boot Record?
• A machine’s BIOS passes control to the MBR at boot time
• 512 bytes of code
• Holds the partition table
• Bootstraps the OS

What does Mebroot do?
• Replaces the MBR
• Intercepts network and disk I/O
• Mebroot passes the original MBR to the OS for any disk I/O
  • Making it invisible to all programs including antivirus
• “Hides” Torpig in the same way – hides hooks into the OS
• Code is evolving: much more evasive than it used to be
• Mebroot can be used to “hide” future malware
• Symantec Antivirus may detect the hooks – it cannot detect Mebroot
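The two slides above describe the 512-byte MBR layout and how Mebroot overwrites its boot code while leaving the partition table intact so the OS still boots. The following is an added example, not part of the presentation: it parses an MBR into its boot code, partition entries and 0x55AA signature, and compares a captured MBR against a known-good baseline, flagging the "boot code changed, partition table untouched" pattern a bootkit leaves. The sample MBR bytes are constructed for the demo; the baseline is assumed to have been captured from a clean install.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of every valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):  # four 16-byte entries follow the boot code
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings where the current MBR differs from the known-good baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        msg = "boot code changed"
        if base["partitions"] == cur["partitions"]:
            # Bootkit pattern: code replaced, table kept so the machine still boots normally
            msg += " while partition table kept intact (bootkit-style replacement)"
        findings.append(msg)
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for the demo (not an image of a real disk)."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE

# Constructed samples: one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x90" * 40, [(0x80, 0x07, 2048, 1_000_000)])
# Same partition table, different boot code: what an MBR overwrite leaves behind.
INFECTED_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40, [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR))
```

Because Mebroot hands the original MBR back to any program that reads sector 0 through the running OS, the "current" image has to be read from a boot medium the rootkit does not control (an offline forensic boot), or the comparison will report a clean disk.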
Our best defense: block scripts
[Slide diagram: the “malware community” buys ads that look legitimate when viewed by Google but inject scripts into the HTML content when viewed by other browsers; the defense is to stop scripting, Java and media (including Flash) before they run.]
Blocking scripts: NoScript
• NoScript is a browser plugin for Firefox
• Blocks by default:
  • JavaScript
  • Java
  • Flash
  • Silverlight
  • Some other plugins
• Whitelist
  • Allows you to select scripts to run for a session, or always allow
• Sites may also be blacklisted with NoScript
NoScript: All good things have a cost
“My web page looks different!”
NoScript: Decisions…
9news.com scripts:
• google-analytics
• coloradonewshome
• revsci.net
• brightcove
• gannett-tv.com
• others…
The slide groups these scripts into three kinds: statistic gathering, advertising (potential malware) and multimedia provider.
Rules of thumb
• Allow a minimum of what will make a site useful to you
• Sites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)
• Don’t allow advertising:
  • Prevents drive-by downloads
  • Speeds up web page loading
  • Google Analytics and Google AdSense may always be blocked by NoScript
• Feel free to delete cookies
Online banking
• Online banking is the specific target of TORPIG
• Over 300,000 known credential thefts related to banking
• Even small banks are being targeted
Online banking: Recommendations
• USE a dedicated SEPARATE BROWSER for online banking
  • Better yet, a separate computer that does no other browsing
  • Virtual machines might work
• Use only one machine from one IP address for banking; this makes it easier to investigate incidents involving banking fraud
• Use strong passwords
• Convince your bank to use a one-time password token
PC/Windows recommendations
• Plan so your work may continue in the event of a compromise
  • Be ready to use a secondary machine or laptop
• Reduce your risk
  • Keep applications updated
  • Install and use the Secunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/
  • Be wary of fake antivirus or other popups
• Report anything unusual
  • We’ll do our best to protect your privacy but need information to help investigate virus incidents
Mac/Linux recommendations
• MBR malware can just as easily compromise Linux
• Macs use Extensible Firmware Interface (EFI) to boot – less vulnerable
• Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications
• Situation may change:
  • Adobe and Java vulnerabilities affect Mac and Linux versions as well
  • A growing Macintosh market may make it worth exploiting
Mebroot/TORPIG are only our current threat…
[Chart: Top 10 Malware Dec 2009 (Oregon Top 10), detection counts per malware family]
• Torpig & Conficker have low detect rates because of new stealth technology like Mebroot
• Social networking virus – we see this often at NCAR
Demonstrations
• NoScript plugin
• Secunia Software Inspector (if there’s time)
Tim Fredrick, March 17, 2010