Trojans, Worms, Virri - PowerPoint PPT Presentation
1 / 34
Title:
Trojans, Worms, Virri
Description:
'on access' scan. Files are checked as they are used. 12/15/2006. 10. Dave Wade G4UGM ... Only need to get information to the user who then acts. No programs ... – PowerPoint PPT presentation
Number of Views:36
Avg rating:3.0/5.0
Title: Trojans, Worms, Virri
1
Trojans, Worms, Virri
- Dave Wade
- G4UGM
2
Malware?
- What is Malware?
- Any hostile, intrusive, or annoying software or
program code. - Includes the following-
- Virus - Infects other programs
- Trojan - Does not work as advertised
- Worm - Spreads by securty flaws or bugs
- Spyware - Reports on you actions in an unwanted
way - Adware - Makes pop-ups or alters web pages
- I would also include phishing and pharming.
3
History
- 1987 Christmas Exec Trojan
- Infiltrates Bitnet and VNET IBM networks
- 1988 Student Robert Morris unleashes a worm on
the Internet - that crashes 6,000 computers.
- Morris becomes the first person convicted under
the US Computer Fraud and Abuse Act.
4
Viruses
- Whilst the press often describe any piece of
malware as a virus really has very specific
attributes- - Spread by changing existing programs
- When run the usually infect more programs
- Despite popular myth-
- Not the oldest type of malware
- Trojans and Worms are older
- Probably not the most common
- Adware etc.
- May cause damage later when triggered or not at
all. - Other wise they would not spread
- Trigger may be date, time or event
- Some Viruses also have worm characteristics
- spread via e-mail (e.g. Melissa).
5
Viruses (cont.)
- Note that as many files/documents can contain
code, they can also be used by viruses. - Typical examples include-
- Word Documents
- Spread Sheets
- Mail Messages
- Traditional Virus scanners detect virus by
scanning files and looking for tell-tale
sequences of code
6
Trojan
- Is a program that does not work as advertised
- Screen Saver, Time Sync, Peer-to-Peer file
share - The program may actually
- Logs keystrokes and passwords
- Uses PC to send SPAM
- Launch DOS attacks on web sites
- Normally installed by the user unwittingily
7
Worms
- Programs that use computer networks to spread.
- Normally spread by exploiting security holes
- Free-standing so dont need to infect other
programs
8
Other Malware
- AdWare
- Programs that generally work as advertised but
which cause advertisments or popups to appear
on your screen. - May also tamper with content of web pages or
re-direct links to sponsering sites. - SpyWare
- Programs that report on what your computer is
doing - Especially web sites but also record login data
- May re-direct you to other web sites.
- Often coupled with Adware.
- Phishing
- Forged e-mail design to get you disclose securty
creditials. - Pharming
- Forged web site. May be sued as part of a phish.
9
Protection - Scanners
- Virus Scanners
- Obviously protect against viruses
- Usually Trojans and Worms
- But not other nasties..
- How do they work-
- Look for unique patterns in a the virus
- Alert when the pattern is detected
- In either-
- scheduled scan
- all files are checked on a schedule
- on access scan
- Files are checked as they are used
10
Limitations - I
- Patterns need to be updated frequently
- Not a problem with broadband.
- Unless you are the first to spot the virus.
- Pattern may be disguised by
- compression
- ZIP files
- Encryption -
- Passwords on word files.
- The virus itself
- Polymorphic viruses - encrypt or encode
themselves. - False positives
- Patter exists in another file, by chance that
does not have the virus.
11
Example Virus Scanners
- Not an exclusive list-
- Free
- http//free.grisoft.com/doc/2/lng/us/tpl/v5
- http//www.free-av.com/
- Paid For
- http//uk.mcafee.com/
- http//www.symantecstore.com/
- http//www.sophos.com/
12
Detecting Spyware AdWare
- Spyware and Adware scanners.
- These tend to be less reliable as often these
programs are installed by the user, and the
agreement allow them to be installed. - Some makers of adware removal programs have been
sued by adware providers. - Also the programs use a variety of techniques to
install - May be hard to un-install without damaging the
system or stopping some other item working - Newnames.net gt spyware gt Removal can stop the
network running
13
Real Time Protection
- Spyware/Adware/Trojan protection-
- Monitor key parts of the OS and warn of changes
- Internet Explorer Home Pages
- Browser plug-ins and Helpers
- Registry start-up keys
- System.ini file
- Services Data base
- Hosts file
14
Spyware Tools
- Need to be careful here.
- Many things advertised as spyware tools contain
spyware! - Also as spyware is ill defined may be harder to
spot. - In short-
- May need to run multiple tools
- May need separate scanner and checker
15
Spyware Tools (continued)
- I run two tools that provide real time
protection- - Windows Defender (www.microsoft.com/spyware)
- Winpatrol
- www.winpatrol.com
- I also use other tools
- AdAware SE a scanner
- http//www.lavasoftusa.com/products/ad-aware_se_pe
rsonal.php - HiJackThis
- http//www.majorgeeks.com/download3155.html
- Spyware Blaster
- http//www.javacoolsoftware.com/spywareblaster.htm
l
16
What is a firewall?
- A fire wall is a tool that monitors network
connections - Simple Firewall
- Monitors which protocols are in use
- So can allow http for web, but stop SMTP
- Advanced Firewall
- Monitors ports/programs
- Allow Outlook Express to send and receive e-mail
- Prevents any worms or spyware doing the same.
17
Where should we run it..
- Can run on local PC
- Means can monitor programs
- Can run on a router or router modem
- Provides perimeter defence
- Keeps out unwanted protocols such as MS file
sharing - Cant tell if an unwanted program is connecting
to an normal port
18
What are the problems?
- Many programs connect to the internet-
- Anti Virus for updates for new viruses
- Windows, Office and other programs
- Check for udates against worms etc.
- Some programs check for data
- Language translation programs
- Some check for unwanted info
- Update pop-up adverts
- Accept back door instructions
- Many firewalls will prompt the user-
- E.G.
- Should I allow MSIMN.EXE to connect on POP3?
19
Well Should we?
- YES!
- (MSIMN.EXE is Outlook Express!)
- There is currently only one free firewall
- ZoneAlarm - http//www.zonelabs.com/
- Sygate may still be available
- http//www.tucows.com/preview/213160
20
Spam Filters
- Try and detect spam
- Much harder than any of other nastys
- Only need to get information to the user who then
acts. - No programs need to run
- This means the e-mail can be
- Changed frequently
- Not even have to contain any text.
21
A latest generation SPAM
22
Message Header
- Microsoft Mail Internet Headers Version 2.0
- Received from scnmailsweeper.stockport.gov.uk
(172.16.106.9) by SCNEXCHANGE.stockport.gov.uk
with Microsoft SMTPSVC(6.0.3790.1830) - Wed, 13 Dec 2006 162850 0000
- Received from mailsweeper5.stockport.gov.uk
(MAILSWEEPER5) by scnmailsweeper.stockport.gov.uk - (Clearswift SMTPRS 5.2.5) with ESMTP id
ltT7c890fbcc0ac106a09930_at_scnmailsweeper.stockport.g
ov.ukgt for ltdave.wade_at_offertonparkparishcouncil.go
v.ukgt - Wed, 13 Dec 2006 163054 0000
- Received from smbc-fw3 (unverified) by
mailsweeper5.stockport.gov.uk - (Content Technologies SMTPRS 4.3.17) with SMTP
id ltT7c890dfadcac106a084c4_at_mailsweeper5.stockport.
gov.ukgt for ltdave.wade_at_stockport.gov.ukgt - Wed, 13 Dec 2006 162859 0000
- Received from sck (71.248.60.110)
- by pool-71-248-80-55.bltmmd.east.verizon.net
(8.13.5/8.13.5) with SMTP id kBDGX1dU037473 - Wed, 13 Dec 2006 113301 -0500
- Message-ID lt001d01c71ed3bf8d26e06e3cf847_at_sckgt
- From "Fontenot" ltbtmw_at_lethlee.dkgt
- To ltdave.wade_at_stockport.gov.ukgt
- Subject gasoline
- Date Wed, 13 Dec 2006 112219 -0500
23
www.dnsstuff.com
24
Anatomy of an E-Mail
- Note from field-
- _at_lethlee.dk
- www.dnsstuff.com
- Did an NSLOOKUP ?
- Name lethlee.dk
- Address 195.47.247.81
- Where did it really start-
- Log shows 71.248.60.110
- pool-71-248-60-110.bltmmd.east.verizon.net
- These dont match
25
Why did we accept the record.
- Its common for the addresses not to match
- Allows users to roam and have multiple e-mail
addresses. - This does make it hard to stop spam.
26
What can we do about this
- Choose an ISP with reasonable SPAM filters
- They have a big sample of SPAM so the maths work
better. - SPAM is filtered at source so you dont download
- Do need to check from time to time as there will
me false positives. - May help to use local spam filter
27
Setting up a local SPAM filter
- Manu available all less than perfect.
- They dont catch all spam
- False Positive gt Need to check spam folders
- They miss some spam
- Spammer get clever
- Use random from addresses
- Myss-spll words.
- Put words in pictures
- Add random text from web.
- Result is as above.
28
Some personal spam filters.
- SpamAssassin- http//spamassassin.apache.org/
- Not easy to use in windows
- SpamPal http//www.spampal.org/
- Uses black lists of sites
- Not all spam sites are on the black list
- Some usefull sites (Yahoo) end up on spam list.
- Usual suspects also have tools-
- Norton, Free-Av (Not Free), GriSoft etc.
29
Phish
30
Phish II
- Look at the url-
- The site it points to will be displayed in the
bar below (this one was sanitized) - http//today.slac.stanford.edu/
- This can be prevented at two places
- Most Spam Filters can block the Phish from
arriving - Firewall can block access to the dangerous site.
31
Summary
- Problem is no longer simple-
- May need to use multiple tools from multiple
suppliers for best results. - Tools may not be effective
- Preventions is better than cure.
32
Do Not
- Install programs from unknown sources
- Click on humour links indiscriminately
- Open files from un-known sources
33
Do
- Keep software up to date
- Security updates protect against worms
- Run a selection of security fixes
- Virus Scanner (ONLY ONE)
- Spyware Monitor
- Firewall
34
Any Questions?
Recommended
CrystalGraphics Presentations
