Malware mitigation
1. Devise a strategy to mitigate malware
Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
General Manager
Entel Security & Risk Management
rgallego@entel.es
© 2008 ISACA. All rights reserved
Wednesday, March 25, 2009
2. Agenda
• Malware: what is it really?
• Different types of malware
• We are under attack... but how? And why?
• Let me show you
• Strategy on how to mitigate those risks
3. Malware: what is it really?
• Malware is software designed to infiltrate or damage a computer system
without the owner's informed consent. The expression is a general term used by
computer professionals to mean a variety of forms of hostile, intrusive, or
annoying software or program code
• Software is considered malware based on the perceived intent of the creator rather
than any particular features. Malware includes computer viruses, worms, trojan
horses, most rootkits, spyware, dishonest adware, crimeware and other
malicious and unwanted software
4. A bigger problem than we think
• Malware is now economically motivated and backed by organized
crime and foreign interest
• The development of highly critical malware such as targeted attacks is
also on the rise
• The level of sophistication behind malware makes it extremely difficult
for traditional solutions to detect and remove
• There are many bot networks used to defraud businesses and
consumers through sophisticated social engineering
5. It’s not for fun... It’s money!
• Consumers are now the prime target for ID theft and other online
fraud
• Traditional signature-based anti-virus solutions have become
useless against these new sophisticated attacks
6. Understanding the Risk
The Market Value of Sensitive Data
• Trojan to steal account information: 980€-4.900€
• Credit card number with PIN: 490€
• Billing data: 78€-294€
• Driver's license: 147€
• Birth certificate: 147€
• Social Security card: 98€
• Credit card number: 6€-24€
• PayPal account logon and password: 6€
7. Overview of crimeware families
Crimeware is broken down into several categories
• Banking Trojans (Limbo, PayRob.A, Sinowal, Aifone.A, Banbra variants)
• Keyloggers (Banbra, Cimuz)
• Bots (Clickbot.a, Botnet.A, Aifone.A)
• Phishing (Barclays, PayPal)
• Targeted Trojans
8. What is spyware?
• Spyware is software installed on a computer that gathers information without the user's
knowledge and relays that information to advertisers or other third parties
• Several subcategories of spyware:
–Adware
• Advertising-supported software that displays pop-up advertisements whenever the program is running. Often
collects personal information and web surfing habits
–System monitors
• Programs that capture everything you do on your computer, from keystrokes, emails and chat room dialogue, to
which sites you visit and which programs you run
–Trojan horses
• Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access
9. How spyware infiltrates
• People don’t purposefully and knowingly install spyware
–Can be included with applications you want to install, such as peer-to-peer clients or
desktop utilities
–Some silently load when you visit a seemingly innocent Web page (‘The Ghost in the
Browser’)
• Installed silently in the background – most users never know their
computers are infected
10. Spyware threatens organizations
• Wastes computing resources
–Sends back information periodically, often daily
–Consumes an organisation’s bandwidth
• Exposes proprietary information
–It could send files to a competitor’s server
–It could monitor e-mail and send out the contents
• Poses serious security risks
–It could send emails on behalf of the user
–It could provide a spy or hacker with a backdoor into the systems
–It could change documents and specifications on systems to damage research or other
projects
• May introduce compliance risks
11. How botnets are used to commit financial fraud
• A bot network consists of a “controller” and compromised zombie PCs. There have been
cases of bot networks containing up to 1.5 million zombie PCs, as in the Dutch botnet case
• The bots that infect systems can perform several actions, such as relaying spam, launching
malware and performing ID theft
• One of the common methods of bot infection is through websites that contain exploits
for vulnerabilities and actively transmit malware to the PC visiting the site
• Components such as ActiveX controls can also be downloaded that then carry out
the rest of the infection process
• Social engineering techniques also exist to infect systems through spam, phishing and
other content. Once a PC has become infected, it can receive remote commands from the
“bot master”
12. And they are using new methods
• Botnets are beginning to use P2P networks to gain control
of more computers
• Researchers were previously able to shut down a botnet
by targeting its Command & Control center (an IRC
channel or website). Hackers are now using P2P networks
to connect bots in a more “horizontal”, peer-to-peer manner, which
makes shutting down the botnets much more difficult
13. The problem of keylogging
• Keyloggers are programs that run in the background recording
all keystrokes and which may also send those keystrokes
(potentially including passwords or confidential information) to
an external party
• 2 types of keylogger programs:
–Commercial
–Viral (included as part of a blended threat with a worm, Trojan horse, bot, etc.)
19. Sophisticated Social Engineering
• Common social engineering techniques:
– Spear-Phishing and other highly targeted scams
– Spam with exploits
– Phishing emails that direct users to web-sites with hidden Trojans
– Malware through IM channels
20. No real bank would do this!
21. Infection strategies used by hackers
• Common infection strategies used by hackers
–A web site is physically hacked and seeded with Trojans (e.g. the
Super Bowl website case)
–Phishing emails with exploits
–Malware through IM channels
–Malware attached to freeware and shareware
–Malware in the form of video codecs
–Infection through botnets
22. Overview of Targeted Attacks
• Characteristics of Targeted Attacks:
– Involve “highly critical” malware tailored towards attacking a specific target (e.g. Bank of
America)
– Such malware targets a specific set of confidential information to capture and send to a third
party
– Targeted attacks always involve a hacker hired to design malware to bypass specific defenses
– Attacks are very localized; therefore, distribution is limited. In most cases AV labs do not
receive a sample, which results in no signature file
– Current security solutions will not detect the malware because the hacker has prepared it
to evade commonly used AV programs
– Hackers are using sophisticated stealth techniques such as rootkits to hide the presence of
malware
23. Information? Readily available!
• IT departments know about sites...but so do all the other
departments!
–Question is…do we know who, when, where and how?
–More importantly…do we have the means to stop it?
• Information is easy to find! (27,000,000 results returned on
Google when the search term ‘How To Hack’ is used)
• Hacking tools can be easy to use
–Some don’t require any programming skills at all! Keyloggers
can come with nice user interfaces (such as ‘The Perfect
Keylogger’) and a ‘Next’, ‘Next’, ‘Next’ install!
24. …step-by-step guides available!
• You no longer need to go underground or to university to learn
how to become a successful hacker!
27. Do it yourself! Incredible!
31. Example - Denial of Service
• You visit a web site and click
on a link
• A few seconds later, many
applications start to run in the
computer
• The only way to stop the attack is to close the
program. The machine no longer works
35. Example - Redirection of sites
• You connect to online banking to
see your accounts
• A hostile applet sends an
identical page
• You enter your credentials
while a hacker is receiving them
or they are being sent to an
Internet directory
38. Example - Sending files in background
• A postcard is received by email
• An applet executes an animation
• That applet copies the most recent
Word document and sends it
in the background to the Internet
40. Example - Harmful executables
• There is a type of attack
that appears to come from
known companies inviting
you to install the latest
security patch or Service
Pack
• The executable file is a
Trojan or malicious code
that puts our
environment at risk
47. Example - Phishing and scam
• Pakistan Earthquake – We found the URL http://pakistanhelp.com
• We analyzed it and we saw that there were signs of
phishing
• In this case, the ‘help’ options include the download of an Excel file to
be sent by fax
• A real, legitimate organization would never do this…
53. Strategy: Protect every vector
• Firewall
• VPN
• Secure Content Manager
• Antivirus/Antispyware
• Data Leak Prevention
54. Strategy: Consider other approaches
• Effectiveness vs. Efficiency
• SaaS approach
• UTM devices
• Layering more than one solution strengthens
your security
• Education, education, education
• Centralised management
55. Objective: Keep the bad guys out!
57. THANK YOU
Devise a strategy to mitigate malware
Editor's notes
For another way to look at the growing problem of data loss, consider the black market value for various forms of stolen identities…
$980-$4,900 Trojan program to steal online account information
$490 Credit Card Number with PIN
$78-$294 Billing data, including account number, address, Social Security number, home address, and birthdate
$147 Driver's license
$147 Birth certificate
$98 Social Security card
$6-$24 Credit card number with security code and expiration date
$6 PayPal account logon and password
Source: www.informationweek.com
Extra data points
$40 standard credit card number
$120 signature card (one step beyond platinum and corporate)
Or 100 in mixed batch for $30 each