Transcript Malware

Spyware, Viruses and Malware
What the fuss is all about
What is Malware?
Malware, or Malicious Code, refer to
various types of software that can cause
problems, damage, disrupt your computer.
Installed without user knowledge or
approval
Motivation for Malware
Fun/Hobby/Spreading of ideological or
political message
Experimental/Research/Proof of Concepts
Vandalism/Graffiti
Revenge
Profit/Extortion
Types of Malware
Virus
– software program
– exist on local drive
– reproduction using a host (e.g. files, emails)
– simple self-modification, encryption,
polymorphic, metamorphic
– Melissa, Chernobyl, I Love You….
Types of Malware
Worms
– stand alone software application
– reproduced by itself
– spread by exploiting vulnerabilities in
the system
– Netsky, SoBig, CodeRed, Sasser….
Types of Malware
Trojan
– disguised as legitimate software
– ActiveX, BHO, shareware, pop-ups
advertisement, pirated software
– remains hidden
– usually do not replicate itself
– Adware, Spyware, Backdoor (rootkit, zombies),
Dropper, NetBus, SubSeven, GAIN (Kazaa)
Types of Malware
Others
– Key Logger
– Dialer
– Browser Hijack
– hybrids
How did it get there?
Zero day exploits
Drive by downloads
Vulnerabilities in available services; DCOM, RPC,
p2p, lsass, etc
Default passwords
Email attachment, opened by user or email
program
p2p downloads, double extensions
How did it get there?
User Error
User has installed the malware
Social Engineering (but it said, “I love you!”)
Poor or nonexistent passwords
Countermeasures
Antivirus
– Scanning and identifying using unique pattern
of individual malware (Signature)
– searching is done based on definition of known
virus byte patterns (virus dictionary)
– some uses heuristic/pattern analysis
(suspicious behaviour)
– scan for virus, worms, spyware and adware
– Norton, McAfee, AVG, ZoneAlarm, Avast
Countermeasures
Firewall
– rule-based (filter based on ports, IP address,
application….)
– hardware/software
– network layer, application layer, application
– personal, network based
– stateless/stateful
– part of Intrusion Prevention System (IPS)
– IPFilter, pf, ipfw, Netfilter, Cisco, Dlink, McAfee,
Norton, ZoneAlarm, Windows, Avast, Jetico
Countermeasures
Education
– Educating end-users to:
• Constantly apply OS patches available
• Enable and constantly update antivirus
• Delete emails from unknown sender
• Operate in least privileged mode
• Enable a personal firewall
Removal Notes
Once malware has been identified, it is
best to remove it while in safe mode.
Some malware has additional processes
that strive to stop you from removing it.
Deleting startup locations and files while
in safe mode, you can usually restore a
system to working condition but not
necessarily trusted state.
Some notes on Malware
Remember that a machine compromised
by malware has effectively been ‘hacked’ and
that it is usually best to return the machine to
a trusted state by removing important data and
rebuilding using best practices.
Keep in mind the following;
• Change all Passwords associated with
this machine
• Hardening
• Patching