Trojans, Worms, Virri
Dave Wade G4UGM
Malware?
• What is Malware?
• Any hostile, intrusive, or annoying software or program code.
• Includes the following:-
  • Virus - Infects other programs
  • Trojan - Does not work as advertised
  • Worm - Spreads by security flaws or bugs
  • Spyware - Reports on your actions in an unwanted way
  • Adware - Makes pop-ups or alters web pages
I would also include “phishing” and “pharming”….
History
1987 – Christmas Exec Trojan
• Infiltrates Bitnet and VNET IBM networks
1988 – Student Robert Morris unleashes a worm on the Internet
• that crashes 6,000 computers.
• Morris becomes the first person convicted under the US Computer Fraud and Abuse Act.
Viruses
• Whilst the press often describe any piece of malware as a “virus”, a virus really has very specific attributes:-
  • Spread by changing existing programs
  • When run they usually infect more programs
• Despite popular myth:-
  • Not the oldest type of malware
    • Trojans and Worms are older
  • Probably not the most common
    • Adware etc.
• May cause damage later when “triggered”, or not at all.
  • Otherwise they would not spread
  • “Trigger” may be date, time or event
• Some Viruses also have “worm” characteristics
  • spread via e-mail (e.g. Melissa).
Viruses (cont.)
• Note that as many files/documents can contain code, they can also be used by viruses.
• Typical examples include:-
  • Word Documents
  • Spreadsheets
  • Mail Messages
• Traditional Virus scanners detect viruses by scanning files and looking for tell-tale sequences of code
Trojan
• Is a program that does not work as advertised
  • Screen Saver, “Time Sync”, Peer-to-Peer file share
• The program may actually
  • Log keystrokes and passwords
  • Use the PC to send SPAM
  • Launch DOS attacks on web sites
• Normally installed by the user unwittingly
Worms
• Programs that use computer networks to spread.
• Normally spread by exploiting security holes
• Free-standing so don’t need to infect other programs
Other Malware
• AdWare
  • Programs that generally work as advertised but which cause advertisements or “popups” to appear on your screen.
  • May also tamper with the content of web pages or re-direct links to sponsoring sites.
• SpyWare
  • Programs that report on what your computer is doing
  • Especially web sites, but also record login data
  • May re-direct you to other web sites.
  • Often coupled with Adware.
• Phishing
  • Forged e-mail designed to get you to disclose security credentials.
• Pharming
  • Forged web site. May be used as part of a phish.
Protection - Scanners
• Virus Scanners
  • Obviously protect against viruses
  • Usually Trojans and Worms
  • But not other nasties..
• How do they work:-
  • Look for unique patterns in the virus
  • Alert when the pattern is detected
  • In either:-
    • scheduled scan
      • all files are checked on a schedule
    • “on access” scan
      • files are checked as they are used
Limitations - I
• Patterns need to be updated frequently
  • Not a problem with broadband.
  • Unless you are the first to spot the virus.
• Pattern may be disguised by
  • compression
    • ZIP files
  • Encryption :-
    • Passwords on Word files.
    • The virus itself
      • Polymorphic viruses :- encrypt or encode themselves.
• False positives
  • Pattern exists in another file, by chance, that does not have the virus.
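The two slides above describe how a pattern (signature) scanner works and where it fails. The following Python is an added illustration written for this page, not code from the talk or from any scanner product. The signature bytes, file names and directory contents are all constructed for the demo; a real scanner has millions of patterns and far more file-format knowledge. It shows the "scheduled" model (walk a tree and check every file) and the "on access" model (check a file at the moment it is opened), and reproduces two of the limitations from the slide: a ZIP attachment hides the pattern from a plain byte scan unless the scanner unpacks archives, and a harmless text file that happens to contain the pattern bytes is reported (a false positive).

```python
import io
import os
import tempfile
import zipfile

# Constructed signatures for the demo: byte sequences that a hypothetical
# scanner treats as the tell-tale pattern of a known sample.  Not real
# malware signatures.
SIGNATURES = {
    "Demo.Pattern.A": b"\x90\x90DEMO-PATTERN-A\xcc",
    "Demo.Pattern.B": b"CALL BOOT-SECTOR-DEMO-B",
}


def scan_bytes(data):
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path, look_inside_archives=True):
    """Scan one file.  Returns {member: hits}; "" is the file's own bytes,
    other keys are ZIP members that were unpacked and scanned separately."""
    with open(path, "rb") as fh:
        data = fh.read()
    results = {"": scan_bytes(data)}
    if look_inside_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                results[member] = scan_bytes(zf.read(member))
    return results


def scheduled_scan(root, look_inside_archives=True):
    """The 'scheduled scan' model: walk a tree and check every file in it."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            for member, hits in scan_file(full, look_inside_archives).items():
                findings[rel if member == "" else f"{rel}!{member}"] = hits
    return findings


def on_access_open(path, mode="rb"):
    """The 'on access' model: check a file as it is used and refuse to hand
    it over when any signature matches."""
    hits = [h for hit_list in scan_file(path).values() for h in hit_list]
    if hits:
        raise PermissionError(f"{path}: access blocked, matched {hits}")
    return open(path, mode)


def demo():
    """Create constructed sample files in a temporary directory and scan them."""
    payload = b"MZ" + b"\x00" * 64 + SIGNATURES["Demo.Pattern.A"] + b"\x00" * 64
    with tempfile.TemporaryDirectory() as root:
        # 1. a plain "infected" file: the pattern is visible to a byte scan
        with open(os.path.join(root, "infected.exe"), "wb") as fh:
            fh.write(payload)
        # 2. the same file inside a ZIP: the compressed bytes no longer
        #    contain the pattern, so only unpacking the archive finds it
        with zipfile.ZipFile(os.path.join(root, "attachment.zip"), "w",
                             zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("infected.exe", payload)
        # 3. a harmless text file that quotes pattern B's bytes by chance
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"Lecture notes: the string CALL BOOT-SECTOR-DEMO-B "
                     b"appears here by chance.\n")
        raw = scheduled_scan(root, look_inside_archives=False)
        archives = scheduled_scan(root, look_inside_archives=True)
        try:
            on_access_open(os.path.join(root, "infected.exe")).close()
            blocked = False
        except PermissionError:
            blocked = True
    return {"raw": raw, "archives": archives, "blocked": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows `attachment.zip` as clean in the raw scan and flagged only when archive members are unpacked, and `notes.txt` flagged although it carries no code; both are the limitations the slide lists, and the second is why a scanner hit on a data file deserves a second look rather than blind deletion.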
Example Virus Scanners
• Not an exclusive list:-
• Free
  • http://free.grisoft.com/doc/2/lng/us/tpl/v5
  • http://www.free-av.com/
• Paid For
  • http://uk.mcafee.com/
  • http://www.symantecstore.com/
  • http://www.sophos.com/
Detecting Spyware & AdWare
• Spyware and Adware scanners.
• These tend to be less reliable, as often these programs are installed by the user, and the licence agreement allows them to be installed.
• Some makers of adware removal programs have been sued by adware providers.
• Also the programs use a variety of techniques to install
• May be hard to un-install without damaging the system or stopping some other item working
  • Newnames.net => spyware => Removal can stop the network running
Real Time Protection
• Spyware/Adware/Trojan protection:-
• Monitor key parts of the OS and warn of changes
  • Internet Explorer Home Pages
  • Browser plug-ins and Helpers
  • Registry start-up keys
  • System.ini file
  • Services database
  • Hosts file
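The slide lists the places a real-time monitor watches. As an added example (not from the talk and not how any named product is built), here is the core of such a monitor in Python: take a baseline of the watched files, compare later, and, for the hosts file, report exactly which name was added or pointed elsewhere rather than just "file changed". The file contents, the bank name `www.mybank.example` and the address `203.0.113.5` are constructed for the demo; on a real machine the paths would be the system's own hosts and configuration files, and the registry keys on the slide would need a separate reader.

```python
import hashlib
import os
import tempfile


def parse_hosts(text):
    """Map each hostname in a hosts file to the address it is pinned to.
    '#' comments and blank lines are ignored; a later line overrides an
    earlier one for the same name, as most resolvers treat the file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def snapshot(paths):
    """Baseline: SHA-256 of every watched file, plus the parsed hosts
    entries for any file called 'hosts'."""
    snap = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        entry = {"sha256": hashlib.sha256(data).hexdigest()}
        if os.path.basename(path).lower() == "hosts":
            entry["hosts"] = parse_hosts(data.decode("utf-8", "replace"))
        snap[path] = entry
    return snap


def compare(baseline, current):
    """Return (path, kind, detail) alerts for every watched file that changed."""
    alerts = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            alerts.append((path, "missing", None))
            continue
        if cur["sha256"] == base["sha256"]:
            continue
        if "hosts" in base:
            old, new = base["hosts"], cur["hosts"]
            before = len(alerts)
            for name in sorted(set(old) | set(new)):
                if name not in old:
                    alerts.append((path, "added", f"{name} -> {new[name]}"))
                elif name not in new:
                    alerts.append((path, "removed", f"{name} -> {old[name]}"))
                elif old[name] != new[name]:
                    alerts.append((path, "changed", f"{name}: {old[name]} -> {new[name]}"))
            if len(alerts) == before:        # only comments/whitespace changed
                alerts.append((path, "modified", None))
        else:
            alerts.append((path, "modified", None))
    return alerts


def demo():
    """Constructed scenario: baseline two watched files, then alter both."""
    with tempfile.TemporaryDirectory() as root:
        hosts = os.path.join(root, "hosts")
        sysini = os.path.join(root, "system.ini")
        with open(hosts, "w") as fh:
            fh.write("# constructed hosts file\n127.0.0.1 localhost\n")
        with open(sysini, "w") as fh:
            fh.write("[boot]\nshell=explorer.exe\n")
        baseline = snapshot([hosts, sysini])
        # a bank's name is pinned to an address of someone else's choosing
        # (pharming via the hosts file); values are constructed
        with open(hosts, "a") as fh:
            fh.write("203.0.113.5 www.mybank.example   # added after baseline\n")
        with open(sysini, "a") as fh:
            fh.write("shell=explorer.exe extra.exe\n")
        alerts = compare(baseline, snapshot([hosts, sysini]))
    return [(kind, detail) for _, kind, detail in alerts]


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail or "")
```

The hosts-file diff is what makes the warning actionable: "www.mybank.example -> 203.0.113.5 was added" tells the user which site is being redirected, whereas a bare hash mismatch only says something changed.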
Spyware Tools
• Need to be careful here.
• Many things advertised as spyware tools contain spyware!
• Also, as spyware is “ill defined”, it may be harder to spot.
• In short:-
  • May need to run multiple tools
  • May need separate scanner and checker
Spyware Tools (continued)
• I run two tools that provide real time protection:-
  • Windows Defender (www.microsoft.com/spyware)
  • Winpatrol
    • www.winpatrol.com
• I also use other tools
  • AdAware SE – a scanner
    • http://www.lavasoftusa.com/products/ad-aware_se_personal.php
  • HiJackThis
    • http://www.majorgeeks.com/download3155.html
  • Spyware Blaster
    • http://www.javacoolsoftware.com/spywareblaster.html
What is a firewall?
• A firewall is a tool that monitors network connections
• Simple Firewall
  • Monitors which protocols are in use
  • So can allow HTTP for web, but stop SMTP
• Advanced Firewall
  • Monitors ports/programs
  • Allow Outlook Express to send and receive e-mail
  • Prevents any worms or spyware doing the same.
Where should we run it..
• Can run on local PC
  • Means it can monitor programs
• Can run on a router or router modem
  • Provides “perimeter” defence
  • Keeps out unwanted protocols such as MS file sharing
  • Can’t tell if an unwanted program is connecting to a “normal port”
What are the problems?
• Many programs connect to the internet:-
  • Anti Virus for updates for new viruses
  • Windows, Office and other programs
    • Check for updates against worms etc.
  • Some programs check for data
    • Language translation programs
  • Some check for unwanted info
    • Update pop-up adverts
    • Accept back door instructions
• Many firewalls will prompt the user:-
  • E.G. “Should I allow MSIMN.EXE to connect on POP3?”
Well Should we? YES! (MSIMN.EXE is Outlook Express!)
• There is currently only one free firewall
  • ZoneAlarm - http://www.zonelabs.com/
• Sygate may still be available
  • http://www.tucows.com/preview/213160
Spam Filters
• Try and detect spam
• Much harder than any of the other nasties
  • Only need to get information to the user, who then acts.
  • No programs need to run
• This means the e-mail can be
  • Changed frequently
  • Not even have to contain any text.
Message Header
Microsoft Mail Internet Headers Version 2.0
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by scnmailsweeper.stockport.gov.uk (Clearswift SMTPRS 5.2.5) with ESMTP id <T7c890fbcc0ac106a09930@scnmailsweeper.stockport.gov.uk> for <dave.wade@offertonparkparishcouncil.gov.uk>; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk (Content Technologies SMTPRS 4.3.17) with SMTP id <T7c890dfadcac106a084c4@mailsweeper5.stockport.gov.uk> for <dave.wade@stockport.gov.uk>; Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110]) by pool-71-248-80-55.bltmmd.east.verizon.net (8.13.5/8.13.5) with SMTP id kBDGX1dU037473; Wed, 13 Dec 2006 11:33:01 -0500
Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
From: "Fontenot" <btmw@lethlee.dk>
To: <dave.wade@stockport.gov.uk>
Subject: gasoline
Date: Wed, 13 Dec 2006 11:22:19 -0500
Anatomy of an E-Mail
• Note the From field:- “@lethlee.dk”
  • www.dnsstuff.com
  • Did an NSLOOKUP ?
    Name: lethlee.dk
    Address: 195.47.247.81
• Where did it really start:-
  • Log shows “71.248.60.110”
  • pool-71-248-60-110.bltmmd.east.verizon.net
• These don’t match
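The check the slide walks through by hand (read the Received chain bottom-up, find where the message really entered the mail system, and compare that with the domain in the From line) can be automated. The Python below is an added example for this page, not part of the talk; it embeds the header block from the previous slide as its sample input (minus the viewer's "Microsoft Mail Internet Headers" banner, which is not a real header). Because the example must run offline, `KNOWN_ADDRESSES` stands in for the NSLOOKUP step using the address the slide reports for lethlee.dk; a live tool would query DNS instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sample input: the headers shown on the slide, re-folded as a mail client
# would store them.
SAMPLE_HEADERS = """\
Received: from scnmailsweeper.stockport.gov.uk ([172.16.106.9]) by
 SCNEXCHANGE.stockport.gov.uk with Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 13 Dec 2006 16:28:50 +0000
Received: from mailsweeper5.stockport.gov.uk (MAILSWEEPER5) by
 scnmailsweeper.stockport.gov.uk (Clearswift SMTPRS 5.2.5) with ESMTP id
 <T7c890fbcc0ac106a09930@scnmailsweeper.stockport.gov.uk> for
 <dave.wade@offertonparkparishcouncil.gov.uk>; Wed, 13 Dec 2006 16:30:54 +0000
Received: from smbc-fw3 (unverified) by mailsweeper5.stockport.gov.uk
 (Content Technologies SMTPRS 4.3.17) with SMTP id
 <T7c890dfadcac106a084c4@mailsweeper5.stockport.gov.uk> for
 <dave.wade@stockport.gov.uk>; Wed, 13 Dec 2006 16:28:59 +0000
Received: from sck ([71.248.60.110]) by
 pool-71-248-80-55.bltmmd.east.verizon.net (8.13.5/8.13.5) with SMTP id
 kBDGX1dU037473; Wed, 13 Dec 2006 11:33:01 -0500
Message-ID: <001d01c71ed3$bf8d26e0$6e3cf847@sck>
From: "Fontenot" <btmw@lethlee.dk>
To: <dave.wade@stockport.gov.uk>
Subject: gasoline
Date: Wed, 13 Dec 2006 11:22:19 -0500

"""

# Stand-in for the NSLOOKUP on the slide (offline demo); a real tool
# would resolve the sender domain at run time.
KNOWN_ADDRESSES = {"lethlee.dk": {"195.47.247.81"}}

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """Return the Received hops oldest first.  Each hop records the name the
    sending host announced, the bracketed IP the receiver logged (if any),
    the receiving host, and whether the receiver marked it 'unverified'."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())          # unfold continuation lines
        helo = FROM_RE.search(text)
        by = BY_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None,
            "unverified": "unverified" in text.lower(),
        })
    return hops


def analyse(raw_headers, address_book=KNOWN_ADDRESSES):
    """Compare where the mail claims to come from with where it entered."""
    msg = message_from_string(raw_headers)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hops = parse_hops(msg)
    origin = hops[0] if hops else {"helo": None, "by": None, "ip": None, "unverified": False}
    findings = []
    known = address_book.get(from_domain)
    if origin["ip"] and known is not None and origin["ip"] not in known:
        findings.append(f"origin IP {origin['ip']} is not an address of sender domain {from_domain}")
    if origin["helo"] and "." not in origin["helo"]:
        findings.append(f"origin announced itself with a bare name {origin['helo']!r}")
    for hop in hops:
        if hop["unverified"]:
            findings.append(f"hop from {hop['helo']} was not verified by {hop['by']}")
    msgid_domain = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain!r} differs from From domain {from_domain!r}")
    return {"from_domain": from_domain, "origin_ip": origin["ip"],
            "origin_helo": origin["helo"], "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_HEADERS)
    print("From domain:", result["from_domain"], " origin:", result["origin_helo"], result["origin_ip"])
    for line in result["findings"]:
        print(" -", line)
```

One caveat worth keeping in mind when reading the output: only the Received lines added by your own (or your ISP's) servers can be trusted, since a sender is free to prepend fake ones below them. The bottom hop here was logged by a Verizon pool address, which is why the slide treats 71.248.60.110, not the From line, as the real starting point.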
Why did we accept the record.
• It’s common for the addresses not to match
• Allows users to roam and have multiple e-mail addresses.
• This does make it hard to stop spam.
What can we do about this
• Choose an ISP with reasonable SPAM filters
  • They have a big sample of SPAM so the maths work better.
  • SPAM is filtered at source so you don’t download it
  • Do need to check from time to time as there will be false positives.
• May help to use a local spam filter
Setting up a local SPAM filter
• Many available, all less than perfect.
• They don’t catch all spam
  • “False Positive” => Need to check spam folders
  • They miss some spam
• Spammers get clever
  • Use random from addresses
  • Myss-sp€ll words.
  • Put words in pictures
  • Add random text from web.
• Result is as above.
Some personal spam filters.
• SpamAssassin:- http://spamassassin.apache.org/
  • Not easy to use in Windows
• SpamPal http://www.spampal.org/
  • Uses black lists of sites
  • Not all spam sites are on the black list
  • Some useful sites (Yahoo) end up on the spam list.
• Usual suspects also have tools:-
  • Norton, Free-Av (Not Free), GriSoft etc.
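To make the two preceding slides concrete, here is an added example (written for this page, not code from SpamAssassin, SpamPal or the talk) of the scoring style those filters use: every rule that fires adds to a total, and the message is spam once the total reaches a threshold. It covers three of the tricks the slide lists: mis-spelt words are undone by normalising look-alike characters before keyword matching, a site black list catches a sender or a linked host, and an image-only body with no text is itself a signal. Keyword list, black list, weights, threshold and the three sample messages are all constructed for the demo.

```python
import re

SPAM_THRESHOLD = 5.0
KEYWORDS = ("free", "prize", "winner", "urgent", "click here")   # +1.5 each
BLACKLIST = {"spam-sender.example"}                               # +4.0 per message
# look-alike characters spammers substitute to dodge word lists
SUBS = str.maketrans({"€": "e", "$": "s", "0": "o", "1": "i", "3": "e", "@": "a", "|": "l"})
# a substitute character glued to a letter, e.g. "fr€€" or "W1NNER"
DISGUISE_RE = re.compile(r"(?i)(?<=[a-z])[€$013@|]|[€$013@|](?=[a-z])")
URL_HOST_RE = re.compile(r"https?://([^/\s<>'\"]+)", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def normalize(text):
    """Lower-case and undo look-alike substitutions so word rules still match."""
    return text.lower().translate(SUBS)


def hosts_in(msg):
    """Sender domain plus every host linked from subject or body."""
    hosts = set(URL_HOST_RE.findall(msg["subject"] + " " + msg["body"]))
    hosts.add(msg["from"].rpartition("@")[2].strip("<> "))
    return {h.lower() for h in hosts}


def blacklisted(host):
    return any(host == bad or host.endswith("." + bad) for bad in BLACKLIST)


def score(msg):
    """Return (total score, names of rules that fired) for one message."""
    raw = msg["subject"] + "\n" + msg["body"]
    norm = normalize(raw)
    total, fired = 0.0, []
    for kw in KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", norm):
            total += 1.5
            fired.append("KEYWORD_" + kw.upper().replace(" ", "_"))
    if any(blacklisted(h) for h in hosts_in(msg)):
        total += 4.0
        fired.append("BLACKLISTED_HOST")
    if len(DISGUISE_RE.findall(raw)) > 2:
        total += 2.0
        fired.append("DISGUISED_WORDS")
    visible = TAG_RE.sub(" ", msg["body"])
    if "<img" in msg["body"].lower() and not re.search(r"[a-z]{3,}", visible, re.IGNORECASE):
        total += 3.0
        fired.append("IMAGE_ONLY_BODY")
    return total, fired


def is_spam(msg):
    return score(msg)[0] >= SPAM_THRESHOLD


# Constructed sample messages
SAMPLES = {
    "lottery": {"from": "promo@spam-sender.example", "subject": "Congratulation$",
                "body": "You are a W1NNER! Claim your fr€€ pr1ze now: http://spam-sender.example/claim"},
    "friend": {"from": "friend@example.org", "subject": "Weekend",
               "body": "Free this weekend? Fancy a walk on Saturday at 10?"},
    "picture": {"from": "news@unknown.example", "subject": "",
                "body": "<html><body><img src='http://img.spam-sender.example/offer.gif'></body></html>"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        total, fired = score(msg)
        print(f"{name:8} {total:5.1f} {'SPAM' if is_spam(msg) else 'ok  '} {fired}")
```

The "friend" message shows the false-positive side of the slide: the word "free" alone scores 1.5, well below the threshold, which is the point of adding up many weak rules instead of blocking on any single one. Real filters add hundreds of rules and a statistical (Bayesian) component trained on the user's own mail; the additive structure is the same.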
Phish
Phish II
• Look at the URL:-
  • The site it points to will be displayed in the bar below (this one was “sanitized”)
  • http://today.slac.stanford.edu/
• This can be prevented at two places
  • Most Spam Filters can block the Phish from arriving
  • Firewall can block access to the dangerous site.
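The slide's advice is to compare the link text you see with the site the status bar shows. A spam filter can do the same comparison on the HTML before the mail reaches the user. The Python below is an added example for this page (not from the talk or any product): it pulls every link out of an HTML body and reports the ones whose visible text names one site while the `href` goes to another. It goes one step beyond the slide by also flagging links whose target is a bare IP address. The HTML, the bank name `www.mybank.example` and the addresses are constructed for the demo; the "last two labels" rule for deciding what counts as the same site is a simplification that real code replaces with the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


LOOKS_LIKE_SITE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def site_of(host):
    """Crude 'same site' key: the last two labels of the host name."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return links whose shown text and real target disagree, or that point at a raw IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target_host = urlparse(href).hostname or ""
        reasons = []
        if LOOKS_LIKE_SITE_RE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if site_of(shown) != site_of(target_host):
                reasons.append(f"text says {shown} but link goes to {target_host}")
        if IPV4_RE.fullmatch(target_host):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample mail body: two deceptive links and one honest one.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://203.0.113.9/login">verify your account</a>.</p>
<p>Or visit <a href="http://secure-login.example.net/bank">www.mybank.example</a></p>
<p>Help is at <a href="http://www.mybank.example/help">www.mybank.example/help</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The honest third link passes because its text and target resolve to the same site, which is exactly what the eyeball check on the slide is looking for; a filter can run that check on every link in every message, and a firewall or web proxy can then block the hosts it reports.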
Summary
• Problem is no longer simple:-
  • May need to use multiple tools from multiple suppliers for best results.
  • Tools may not be effective
• Prevention is better than cure.
Do Not
• Install programs from unknown sources
• Click on humour links indiscriminately
• Open files from un-known sources
Do
• Keep software up to date
  • Security updates protect against worms
• Run a selection of security fixes
  • Virus Scanner (ONLY ONE)
  • Spyware Monitor
  • Firewall