The Malware Life Cycle: The Fascinating World of Infections. The Circle of Life.
Birth User invites malware onto PC
Birth User invites malware onto PC • Opens infected e-mail attachment • Surfs infected web sites • Downloads warez: “Winrar v3 FULL VERSION with patch!.exe”, “CR-WZIP8.EXE” • Clicks on link in mail, tweet, IM, text message • Runs infected app on social networking site • Plugs in infected USB drive
Self-protection Malware takes steps to protect itself
Self-protection Malware takes steps to protect itself • Turns off anti-virus software • Hides clones in places that users won’t notice • Adds startup entries to the registry or the Startup folder • Blocks access to anti-virus vendor sites • Installs a rootkit • Infects or hides inside common programs: Internet Explorer, Windows Explorer, svchost
Call home Malware calls home for guidance
Call home Malware calls home for guidance • Disguises the connection as ordinary web traffic so it passes the proxy and firewall • Has an internal address book with primary and fallback addresses • Reports in frequently, usually several times a day
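The "reports in frequently" habit is also the defender's opening: a bot that checks in on a timer leaves near-identical gaps between requests, which ordinary browsing does not. The following is an added example, not part of the original deck, that scans a small set of constructed proxy-log lines for client/destination pairs with suspiciously regular intervals. The log layout (ISO timestamp, client IP, destination host, URL path) and the thresholds are assumptions chosen for the example.

```python
"""Spot periodic call-home (beacon) traffic in web proxy logs.

Added example with constructed data. The field layout
(timestamp, client IP, destination host, URL path) is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not a real capture): one host beacons to a
# "web-looking" URL roughly every 4 hours; the rest is ordinary browsing.
SAMPLE_LOG = """\
2010-11-03T00:02:11 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
2010-11-03T09:15:33 10.1.5.23 www.sdsu.edu /
2010-11-03T04:02:09 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
2010-11-03T09:16:02 10.1.5.23 www.sdsu.edu /academics
2010-11-03T08:02:14 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
2010-11-03T08:30:00 10.1.5.40 news.example.com /
2010-11-03T08:31:12 10.1.5.40 news.example.com /world
2010-11-03T12:02:10 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
2010-11-03T12:05:44 10.1.5.40 news.example.com /sports
2010-11-03T13:40:21 10.1.5.23 www.sdsu.edu /library
2010-11-03T16:02:12 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
2010-11-03T17:48:09 10.1.5.40 news.example.com /
2010-11-03T17:49:30 10.1.5.40 news.example.com /tech
2010-11-03T20:02:08 10.1.5.23 update-cdn.example.net /img/logo.gif?id=4f2a
"""


def parse(log):
    """Yield (client, host, timestamp) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield parts[1], parts[2], ts


def find_beacons(log, min_hits=4, max_jitter=0.05):
    """Return {(client, host): mean_gap_seconds} for pairs whose
    inter-request gaps are nearly constant.

    A pair is flagged when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of the gaps is <= `max_jitter`.
    Both thresholds are assumptions; tune them to your environment.
    """
    times = defaultdict(list)
    for client, host, ts in parse(log):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every ~{gap // 3600}h {gap % 3600 // 60}m")
```

Only the 10.1.5.23 to update-cdn.example.net pair is reported (about every 4 hours); the interactive browsing to the other hosts has wildly varying gaps and drops out. Real bots add random jitter and use fallback addresses, so in practice you would loosen `max_jitter`, group by destination rather than exact host, and look at the requests the proxy saw during hours when nobody was at the keyboard.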
Your wish is my command Malware gets instructions from owner
Your wish is my command Malware gets instructions from owner • Download more malware, change own signature • Send PC information home • Log and report web sites • Monitor and steal banking credentials • Turn on microphone or camera • Monitor and steal network account credentials • Encrypt files for ransom • Whatever the bad guy wants to do
Psst! Pass it on Malware: the gift that keeps giving
Psst! Pass it on Malware: the gift that keeps giving • Sends infected mail from you to addresses found on your PC (From: You@mail.sdsu.edu; To: YourBuddy@uhoh.net; Subject: Check this out!) • Infects writable files on network shares • Installs itself on removable media • Scans the local network for vulnerable systems • Scans the Internet for vulnerable systems
Our Defenses Anti-virus
Our Defenses Anti-virus – Important part of Defense-In-Depth • Can be a powerful defense if properly configured and managed from a central server (ePolicy Orchestrator, or ePO, for McAfee) • Very effective against known malware • Can protect against suspicious behavior: rogue e-mail; IRC connections; scripts running from temp; additions to startup locations; additions to system directories; disabling anti-virus; installation of Browser Helper Objects (IE); and more!
Our Defenses Anti-virus – Not a cure-all • Not very responsive to unknown threats • Lag time of days or weeks to develop and push signatures for new malware, leaving systems unprotected against emerging threats • May never detect some malware • Generally not very effective against unknown malware (other than mass mailers) • Can be disabled by Admin users • Logs are often ignored or not understood
Speaking of Logs ePO Tips
Speaking of Logs ePO Tips – Most interesting ePO report fields • Analyzer Detection Method: Was the detection On Access or during an On Demand/Fixed Disk Scan? • Action Taken: What happened to it? • Threat Target File Path: Where was it found? • Threat Name: What was detected? • Other useful fields: Event Generated Time, Threat Target IPv4 Address, Threat Target Host Name, Threat Type
Speaking of Logs ePO Tips – Things to Consider • Look at the Analyzer Detection Method: On Access? The malware was detected as it was written to or read from the disk. On Demand or Managed Fixed Disk Scan? The malware got onto the PC without being detected and sat there until the scheduled scan found it • Look at the Action Taken: Deleted, Cleaned, or None? None means the file is still in place
Speaking of Logs ePO Tips – Things to Consider • Look at the Threat Target File Path: C:\Windows\? Probably infected, and probably an admin user (only an admin can write there). C:\Documents and Settings\gleduc\Application Data\? Probably infected. G:\? Probably not infected, but the thumb drive was. IE cache? Need to talk to the user, maybe look at the machine
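The three "things to consider" above are a triage rule set, and they are easy to apply mechanically to an exported report before a human looks at it. The following is an added example, not part of the original deck or of ePO, that scores constructed ePO-style detection records by detection method, action taken and file path exactly as the two slides describe. The CSV layout is a constructed approximation of a report export (only the column names come from the slides), the threat names other than the deck's own Exploit-CVE2008-5353 are placeholders, and the set of drive letters treated as removable is an assumption for this lab.

```python
"""Triage ePO-style detection events by the fields the deck calls out.

Added example with constructed data. The CSV columns follow the slides;
the rows, scoring weights and removable-drive letters are assumptions.
"""
import csv
import io
import re

# Constructed sample export (not a real ePO report). Threat names other
# than Exploit-CVE2008-5353 are placeholders.
SAMPLE_EXPORT = """\
Event Generated Time,Threat Target Host Name,Analyzer Detection Method,Action Taken,Threat Target File Path,Threat Name
2010-11-03 08:12:44,LAB-PC-07,On Access,Deleted,G:\\autorun.inf,Sample-Autorun-Worm
2010-11-03 09:02:10,GLEDUC-XP,On Access,Deleted,C:\\Documents and Settings\\gleduc\\Local Settings\\Temporary Internet Files\\Content.IE5\\K1A2B3C4\\app[1].jar,Exploit-CVE2008-5353
2010-11-03 11:47:03,FIN-PC-12,Managed Fixed Disk Scan,None,C:\\Windows\\system32\\wuauclt32.dll,Sample-Trojan-A
2010-11-03 13:20:55,ADM-PC-03,On Demand,Cleaned,C:\\Documents and Settings\\jdoe\\Application Data\\svhost.exe,Sample-Downloader-B
"""

# Path patterns from the "Things to Consider" slide.
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
IE_CACHE = re.compile(r"\\Temporary Internet Files\\", re.I)
PROFILE_APPDATA = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data\\", re.I)
# Assumption: these letters are where thumb drives mount in this lab.
REMOVABLE_DRIVES = {"E", "F", "G", "H"}


def triage(event):
    """Return (priority, reasons) for one event dict from csv.DictReader.

    Scoring weights are an assumption: anything that means the malware
    is (or was) running on the PC pushes the score up; removable media
    alone does not.
    """
    reasons, score = [], 0
    method = event["Analyzer Detection Method"]
    action = event["Action Taken"]
    path = event["Threat Target File Path"]

    if method != "On Access":
        score += 2
        reasons.append(f"found by {method}: it reached the disk undetected")
    if action in ("None", ""):
        score += 3
        reasons.append("no action taken: the file is still in place")

    if WINDOWS_DIR.search(path):
        score += 3
        reasons.append("system directory: probably infected, user likely has admin rights")
    elif IE_CACHE.search(path):
        score += 2
        reasons.append("browser cache: talk to the user, check the patch level of the exploited software")
    elif PROFILE_APPDATA.search(path):
        score += 2
        reasons.append("user profile: probably infected")
    elif path[:1].upper() in REMOVABLE_DRIVES and path[1:3] == ":\\":
        reasons.append("removable media: the drive was infected, the PC probably not")

    priority = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return priority, reasons


def triage_report(csv_text):
    """Parse an export and return [(host, threat, priority, reasons), ...]."""
    rows = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        priority, reasons = triage(event)
        rows.append((event["Threat Target Host Name"],
                     event["Threat Name"], priority, reasons))
    return rows


if __name__ == "__main__":
    for host, threat, priority, reasons in triage_report(SAMPLE_EXPORT):
        print(f"[{priority:6}] {host}: {threat}")
        for r in reasons:
            print(f"          - {r}")
```

The autorun detection on G:\ comes out low (the thumb drive is the problem, not the PC), the exploit in the IE cache comes out medium (a conversation with the user and a look at the JRE version, per the next slides), and the two files the scheduled scans found already sitting in C:\Windows and a user profile come out high. Treat the scores as a sort order for a queue, not as a verdict.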
Investigating a malware detection • Research (Google is your friend) Threat Name: Exploit-CVE2008-5353 • Understand what it does and how it does it • Java vulnerability patched in JRE 6u11 • If the machine is at JRE 6u21, the exploit could not have succeeded against that JRE and the detection can be closed; confirm that no older JRE is still installed alongside it, since a browser can be pointed at the old one
Investigating a malware detection • Check the McAfee logs on the machine • C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\ • OnAccessScanLog.txt: OAS detections, DAT version, stats • OnDemandScanLog.txt: detections, type of scan, action taken • AccessProtectionLog.txt: attempts to terminate McAfee, send e-mail, run programs from temp or cache directories
What if it’s Infected? Refer to Information Security Plan • http://security.sdsu.edu • Escalate to ITSO if the system processes or stores Protected Information: names with SSNs, credit card data, passwords, medical data, disability data, combinations of name, birthdate, mother’s maiden name, last 4 of SSN, driver’s license, grades, etc., etc., etc. • Be prepared to give up the machine for the duration of the investigation • Be prepared to rebuild the machine
Our Defenses Third-party application patching
Our Defenses Third-party application patching • When responsive, vendors are often very quick to patch • Many applications require a manual download and install to update – a big PITA if the user can’t get Admin rights on the system • Users and sysadmins often don’t know that an update is available or whether it’s a security update • IT support staff often don’t know what software is on their users’ systems • If a vendor stops supporting a product, but users really love it, they keep using it • Patch Mgt must be able to patch third-party applications, not just the OS!