1 / 33

Combating Stealth Malware and Botnets in Higher Education Educause Arlington 2008

This presentation from the University of California, Berkeley covers the challenges of combating stealth malware and botnets in the context of higher education. Topics include network background, security concerns, existing protections, FireEye deployment, infection examples, and future challenges. The focus is on addressing security issues in a large academic network to protect against evolving cyber threats. The importance of proactive security measures in the face of increasing cybercrime targeting educational institutions is emphasized.

alicecampuzano
Download Presentation

Combating Stealth Malware and Botnets in Higher Education Educause Arlington 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Combating Stealth Malware and Botnets in Higher EducationEducause Arlington 2008 Fred Archibald University of California Berkeley Electrical Engineering and Computer Sciences

  2. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Overview • EECS Network Background • Security Concerns • Existing Protections • FireEye Deployment • Infection Examples • Futures and Challenges

  3. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES EECS Network Background • EECS is Large Department • Serves More Than • 4000 Undergrads • 500 Grad Students • 100 Faculty • 200 Staff • Network Largely Separate From Rest Of UCB

  4. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Security Concerns • Security A Constant Issue • Berkeley Often A Target • Security Is Now An Arms Race • Hackers Have Moved From Notoriety To Crime • More Concern About Compliance

  5. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Security Concerns • Mobile Devices A Big Concern • Boom In WiFi • Over The Air Traffic Often Insecure • Less Enterprise Control Over User Owned Devices • EECS Uses Internal And External WLANs • Zero Day Concerns

  6. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Existing Protections • Enterprise Firewall • Less Effective In An “Open” Academic Net • A/V • A Struggle To Keep Up To Date • IDS • A Lot of False Positives • Host Based Firewalls • Anti-Spam Appliances

  7. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES FireEye Deployment • Targeted Primarily At Wireless Traffic • Out Of Band Solution • Very Important For EECS • Completely Clientless • Also Very Important • Wireless Data Mirrored To Two Appliances

  8. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES FireEye Deployment • Appliances Run Traffic Against “Virtual Victim” Clients • Positive Infection Can Result In Alerts Or Blocks • Dynamic Updates From Botwall Network

  9. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  10. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Infection Examples Spam Bots

  11. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Clients Receive Malware Rustock

  12. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Rustock • Spam Mail Bot • Installs a Rootkit • Installs a SPAM module • Uses Encryption • Can Install any Arbitrary Code • Flexible & Easy to Update Ken Chiang, Levi Lloyd Sandia National lab

  13. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Botted Clients Send Spam

  14. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  15. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  16. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Trojan.farfli

  17. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Discovered: July 29, 2007 Updated: July 29, 2007 8:51:54 AM Also Known As: TROJ_FARFLI.EY [Trend] Type: Trojan Infection Length: Varies Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000 It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry.If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name: (Excerpt From Symantec)

  18. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Botnet IRC Channel Join Trojan-Downloader.QQHelper

  19. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  20. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES • User or Malware Connects to: • http://www.yahoo550.com/image/logo.jpg?queryid=21kXXXXj412 • User connects to the site with a specific query id • The site sent the browser a file called logo.jpg • Really a UPX packed malware executable • The browser installed the exe • Begin the Bot communication on IRC. 

  21. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Botnet_W32/Small.HSG

  22. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  23. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES

  24. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Botnet_W32/Small.HSG • Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL. Normally arrives as a dropped file by other malware or is downloaded unsuspectingly by the user from a malicious website. • Once running on the system, this trojan will download a file from the following website: http://ymq.a2000150.wrs.mcboo.com/[Removed] The downloaded file will then be stored as: %Windows%\17PHolmes2000150.exe

  25. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Futures And Challenges • Move Appliances To Network Edge • Capture Both Wireless And Wired Traffic • Mirroring Or Span Difficulties • Use Gigamon Data Access Switch • Explore OSPF Null Routing To Block Traffic To Botnets • More Mobile Platforms

  26. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Summary • Our Existing Protections No Longer Adequate • Botnet Traffic Was Previously Difficult To Detect • Botnet Detection Gives Us A New Weapon To Battle Stealth Malware

  27. UNIVERSITY OF CALIFORNIA Berkeley ELECTRICAL ENGINEERING AND COMPUTER SCIENCES Questions?

More Related