1 / 84

RSU Threat Training

RSU Threat Training. Sophon Ponglaksamana : Technical Account Manager. Agenda. - ไวรัสคอมพิวเตอร์คืออะไร - ประเภทของไวรัสคอมพิวเตอร์ - ช่องทางการแพร่กระจายของไวรัสคอมพิวเตอร์ - สาเหตุการติดไวรัสของเครื่องคอมพิวเตอร์ - การตรวจสอบการติดไวรัส - ไวรัสคอมพิวเตอร์เข้ามาคุกคามได้อย่างไร

Download Presentation

RSU Threat Training

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. RSU Threat Training Sophon Ponglaksamana : Technical Account Manager

  2. Agenda -ไวรัสคอมพิวเตอร์คืออะไร - ประเภทของไวรัสคอมพิวเตอร์ - ช่องทางการแพร่กระจายของไวรัสคอมพิวเตอร์ - สาเหตุการติดไวรัสของเครื่องคอมพิวเตอร์ - การตรวจสอบการติดไวรัส - ไวรัสคอมพิวเตอร์เข้ามาคุกคามได้อย่างไร - วิธีป้องกันไวรัสคอมพิวเตอร์ - ข้อควรระวังในการเปิดไฟล์ต่างๆ เช่น email, data files

  3. Agenda - โปรแกรมสแกนไวรัส Trend micro - เครื่องมือป้องกันไวรัสจาก flash drive เช่น autorun killer, usb security, - การทำงานของซอฟต์แวร์สแกนไวรัส - การค้นหาวิธีกำจัดไวรัสจากอินเตอร์เน็ต - แนะนำเว็บไซต์กำจัดไวรัส - สาธิตเทคนิคการป้องกันและกำจัดไวรัส

  4. -ไวรัสคอมพิวเตอร์คืออะไร-ไวรัสคอมพิวเตอร์คืออะไร - ประเภทของไวรัสคอมพิวเตอร์

  5. Threat Environment Evolution to Crimeware Web Based Malware Attacks Intelligent Botnets Crimeware • Multi-Vector • Multi-Component • Web Polymorphic • Rapid Variants • Single Instance • Single Target • Regional Attacks • Silent, Hidden • Hard to Clean • Botnet Enabled Spyware Spam Mass Mailers Complexity Vulnerabilities Worm/Outbreaks 2001 2003 2004 2005 2007

  6. What are the types of virus/malware? • Joke program: A virus- like program that often manipulates the appearance of things on a computer monitor. • Trojan program: An executable program that does not replicate but instead resides on systems to perform malicious acts, such as opening ports for hackers to enter. Traditional antivirus solutions can detect and remove viruses but not Trojans, especially those already running on the system. • Virus: A program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes. • Test virus: An inert file that acts like a real virus and is detectable by virus-scanning software. Use test viruses, such as the EICAR test script , to verify that your antivirus installation scans properly. • Packers: A compressed and/ or encrypted Windows or Linux executable program, often a Trojan horse program. Compressing executables makes packer more difficult for antivirus products to detect. • Others: Virus/Malware not belonging to any of the above categories. • Generic: A potential security risk. Trend Micro considers a “generic” virus/malware a potential security risk based on its behavior and characteristics,

  7. What are the types of spyware/grayware? • Spyware : Gathers data, such as account user names and passwords, and transmits them to third parties • Adware : Displays advertisements and gathers data, such as user Web surfing preferences, used for targeting advertisements at the user through a Web browser • Dialer : Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. These are often pay-per-call or international numbers that can result in a significant expense for your organization • Joke program : Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes • Hacking tool : Helps hackers enter computers • Remote access tool : Helps hackers remotely access and control computers • Password cracking application: Helps hackers decipher account user names and passwords • Others: Other types of potentially malicious programs

  8. - ช่องทางการแพร่กระจายของไวรัสคอมพิวเตอร์ - สาเหตุการติดไวรัสของเครื่องคอมพิวเตอร์ - ไวรัสคอมพิวเตอร์เข้ามาคุกคามได้อย่างไร

  9. Enterprise Endpoints the ultimate targets • Viruses • Trojans • Bots • Rootkits • Spyware • Adware • Key Logger • Information Stealer Web threats • Worms • Viruses • Phishing • Pharming • SPAM Messaging threats • Network worms • Hacking • DoS Network threats

  10. Web-based attacks IT Environment ChangesThreat Landscape • Exponential growth in malware • 3 new unique malware every 1 seconds • Profit drives sophistication and “quality” of malware • Web is #1 infection vector • Even legitimate sites spread malware • 90% of all new malware leverages the Web • Vulnerabilities are exploited faster • 74% of attacks emerge the same day than patches • 89% of attacks work remotely, over the network

  11. IT Environment ChangesChallenge:Traditional Approaches Fail Signature file updates take too long • Delay protection across all clients and servers • Leave a critical security gap Signature files are becoming too big • Increase impact on endpoint resources • Unpredictable increase of client size Patches cannot be deployed in time • Systems remain exposed to exploits • Average time to patch was 55 days in 2009 Unique threat samples PER HOUR

  12. Classification User User goes to six.com ONE.COM TWO.COM THREE.COM FOUR.COM FIVECOM SIX.COM Group of web sites with IFRAMES pointing to malware site IFRAME in six.com connects to mpack server Mpack server serves malicious code to user MPack Server (malware site) High Impact Threats • Compromised Website (Italian Job)

  13. Paramount Q1 2008 - 13 Host C (192.168.1.1) Gateway Host A (192.168.1.3) Host B (192.168.1.2) Host D (192.168.1.4) How ARP Works? Host A is sending an ARP request… I have 192.168.1.1 My MAC address is [Host B MAC address] Who has 192.168.1.1? Host B is sending an ARP response… Man in the middleBe Gateway now

  14. Paramount Q1 2008 - 14 Malicious user deploys TSPY_LINEAGE on the web… PE_LOOKED downloads TSPY_LINEAGE TSPY_LINEAGE gets downloaded from the web TSPY_LINEAGE steals information and sends it to malicious user Malicious user deploys PE_LOOKED to infect files and propagate via network shares WEB Web threat and PE virus relationship Network of Computers

  15. From the Trend Micro 2009 Annual Threat Report Roundup: • Social networking sites will grow as targets • Social engineering will become increasingly prevalent and clever • Unlike the global economy, the underground economy will continue to flourish

  16. Details of Black Hat Attack Passive Attack Active Attack • Google Hacking • WhoIs Query • Social Community • Offline Research • Web Crawling • Network Scanning/Mapping • Port Scanning • Vulnerability Scanning • OS Fingerprinting • Enumeration • Social Engineering • Malware Propagation • Active Exploit • Malware Placement and Execution (by the hacker) • Malware Acquisition and Execution (by the user) Line of Successful Infection • Malware Infection Behavior (File Infection, Program HiJacking, AV Retaliation, Process Termination, System Restriction, etc.) • Malicious Payload (Information Theft, Denial-of-Service, Backdoor, Agents, etc.) • Hacking Tools, Remote Access Tools • Detection Avoidance (Covert Channel, Rootkit, Polymorphism, Fast Update Mechanism, File System Manipulation, Multiple-variant deployment, Login Hijacking, Use of Normal Applications, etc.)

  17. Malware developers, anti-detection vendors, and botnet herders are becoming better at their “jobs” Cybercriminals will formulate more direct and brazen extortion tactics to gain quicker access to cash

  18. Bot masters will aim for faster monetization “Pay-per-install” business model Business as usual for botnets but heavier monetization by botnet herders

  19. Mobile threats will have more impact. • Consumer acceptance of mobile phone-based financial activity is increasing • Two distinct handset-based (albeit rudimentary) botnets were detected in 2009

  20. Compromised products come straight from the factory. • Devices that are tampered coming off the shelves are increasing • Media players • Other USB devices • Digital photo frames • Even “known good” software run the risk of being embedded with a malware component

  21. Poisoned searches More malicious scripts, less binaries Malvertisements Application vulnerabilities Web threats will continue to plague Internet users.

  22. Web threats will continue to plague Internet users. • Attack possibilities even in cloud-based scenarios • Manipulating the connection to the cloud • Attacking the cloud itself • Cloud vendor data breaches Classification

  23. Man-In-The-Middle (MITM) Attack Man-In-The-Middle • ARP Spoofing/Poisoning (active sniffing) • Poisoned ARP contains IP of destination with MAC address of the MITM • DNS Poisoning • Provides fake DNS information to redirect network traffic to malicious destination • (DNS spoofing, Proxy Server DNS poisoning, DNS cache poisoning, Pharming, etc.) • Session Hijacking • This is taking control of TCP session exchanged between two computers • This is being done by altering the sequence number of a TCP session To Real Destination Source

  24. DNS Poisoning Attack Legit Website www.google.com Poisoned DNS on the ISP side X Victim Fake Website www.g00gl3.com

  25. Social engineering will continue to play a big role in threat propagation Social networks will be ripe venues for stealing PII Cybercriminals will use social media and social networks to enter users’ “circle of trust.”

  26. Web Server Attack/Compromise • Cross-Site Scripting (XSS) • Crafted URI  <legit URL> + <injected malicious javascript> • Example: victimwebsite.com/default.asp?name=<script>evilScript()</script> • SQL Injection • Use of SQL statements to directly access the DB behind a web server • IFRAME Injection • Injection of foreign IFRAME scripts on a target victim web page • Other web application exploits that enables the attacker to do modification on the web server for the purpose of… • Redirecting users to a malicious website (disease vector) • Implementing a drive-by download

  27. Effects of Web Server Attack Website Defacement Compromised Website

  28. Denial-of-Service Attack (DoS) • DoS prevents unauthorized users from accessing a computer or network • Types DoS Attack: Smurf, Ping-of-Death, SYN flood, Teardrop, etc. • DoS involving two or mote attacking host is called distributed denial-of-service (or DDOS). DoS ATTACK Attacked Server DoS ATTACK Infected Machine Request Timed Out Request Timed Out Host Not Found Host Not Found Request Timed Out Clients

  29. SECURITY EXPOSURE EXPLOIT VULNERABILITY Exploit Packets • Exploit packet are crafted packets (that cause buffer overflow) which contain a code (payload) that takes advantage of a certain vulnerability on the target machine • Zero-Day Exploit is an exploit that is found in-the-wild before or on the same date that the vulnerability was discovered.

  30. Exploit Terminologies and Concepts An vulnerable system is a particular OS version that contains a certain version of a Windows DLL which is used by a particular application Exploit worm malwares usually have code that simulates a file server that provides the malware copy to exploited machines Malware File The worm malware contains exploit code whose main task is to cause the vulnerable application to crash Exploit The malicious routines that the exploit will perform are called shellcode which connects to the malware file server to download the malware to the system Certain versions of Windows DLL’s contain functions which are vulnerable and can be exploited

  31. Exploit Worm Operating Algorithm It will then setup a ftp/http server which will wait for requests from any exploited machine. The malware will first enumerate all machines in the network and find out the IP addresses of the connected machines. If the machine is vulnerable, then the exploit packet will cause the affected application to hang and the exploit shellcode will trigger. Infected System Exploit Exploit The exploit shellcode will connect back to the malware ftp/http server to download the malware copy to the exploited system and execute the malware in the system. 192.168.100.2 192.168.100.3

  32. Command & Control (C&C) or Backdooring Command and Control (C&C) • Backdoors has two(2) components: client and server component • Server component (acts as the Bot client/zombie) is the infecting malware that opens up backdoor communication, receives command from a C&C server, and executes them • Client component (or the hacker console) which enables the cyber criminal to send commands and takes control of the machine/s which was infected by the server component • Backdoor client system which controls so many server components or bots is called in layman’s term as “command and control” or C&C server.

  33. Information Theft Account Credentials System Information Email Cyber Theft Logged Keystrokes Browser History Application Serial Keys Email Addresses Personal/Confidential Files Victim

  34. - วิธีป้องกันไวรัสคอมพิวเตอร์ - ข้อควรระวังในการเปิดไฟล์ต่างๆ เช่น email, data files

  35. Worms IM Worm Email Worm Network Worm

  36. Malware started from a simple programcalled “Elk Cloner” It will get on all your disksIt will infiltrate your chipsYes it's Cloner!It will stick to you like glueIt will modify ram tooSend in the Cloner! • Most mobile malware threats to date cannot be called serious, however we have seen several have capabilities that are similar to information stealers on desktop systems. • WINCE_INFOJACK.A – runs on Windows CE/Mobile devices; has information stealing capabilities, as well as changing the security settings of the mobile device. • SYMBOS_YXES.A and SYMBOS_YXES.B – runs on Symbian devices; also has information stealing capabilities, .B variant can also spam user contacts on the phone

  37. Early Mobile Networking Bluetooth Hijacker

  38. The Age of Mobile Computing Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the internet.

  39. The latest trend is “iPhone Mania” • However, while attacks based on malicious files on mobile devices are limited, there is nothing that stops Web-based threats from working on Internet-capable mobile devices. • Examples: phishing attacks can be carried out whatever the platform. • FAKEAV alerts appear on any system, even iPhones

  40. iPhoneJailbreakingThe possibilities are endless. The worm would install a wallpaper of the British 1980's pop star Rick Astley onto the victim's iPhone, and it succeeded in infecting an estimated 21,000 victims within about a week in Australia. Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began experiencing a pop-up ransomware (due to IP scanning via the internet). The popup window notifies the victim that the phone has been hacked, and then sends that victim to a website where a $5 ransom payment is demanded to remove the malware infection 

  41. FackAV Review • FakeAV official website • XpAntivirusonline.com • XPOnlinescanner.com • XPSecuritycenter.com • XPAntispyware.com • XPAntiviruspro.com • XPAntivirus2008.com • XPAntivirus-scanner.com • XPAntivirus.com • XPAntivirussite.com • FileShredder2008.com • XPDownloadings.com • CleanerMaster.com  

  42. FakeAV still alive in 2009&2010 • XPVirusProtection, TotalVirusProtection, MalwareDoc(ref: http://www.lavasoft.com/mylavasoft/company/blog/2-new-rogue-antivirus-programs) • Anti-Virus-1 (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-anti-virus-1.html) • AntiSpyware Protector, System Guard Center, Privacy components(ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-security-products.html) • SpyBurner, XpyBurner System Tuner, HDriveSweeper(ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-xpyburner.html)

  43. Reality Check on FAKE AV’s Why are they reoccurring? Because the malwares are updating by the minute, website brought and spawns up in another host, malware knows they are being detected so they are innovating and we didn’t have the complete sample from the 1st visible case of the said malware since it wasn’t deemed a note worth case during the time. 43

  44. Regional Web Threats, Web Compromised SAMPLE

  45. Regional Web Threats, Web Compromised SAMPLE

  46. Malware file Hunt Down • Directory / Folder • Program Files • System32 • Windows • C:\ 46 Classification 10/27/2014

  47. Malware file Hunt Down • Date and Time stamp • Most recent file that was added or modified • Locate malware component files 4 suspected files were recently added in your system 2 of which arrived at the same time, indicating that an installer or trojan dropper had placed these files. 47 Classification 10/27/2014

  48. Malware file Hunt Down • Filename • Wrong Spelling (e.g. svchost.exe  scvhost.exe) • Double extension name (e.g. Nude_Britney.jpg.exe) • Random name 48 Classification 10/27/2014

  49. Malware file Hunt Down • File ICON • Spoofed icons • Generic icons • Shortcut Link icons found at desktop Pixilated icon of Microsoft update warning Fabricated icon of Microsoft security center Legitimate icon of Microsoft security center, but Microsoft does not use this icon for win32 / executable files. Legitimate normal files usually have unique file icon Shortcut links could also provide the file location of its executable. Icons with explicit graphics usually attracts users into clicking the icon thus allowing the execution of its executable file 49 Classification 10/27/2014

  50. Example : Virus

More Related