Malicious Code and Multilayer Protection - PowerPoint PPT Presentation

Slides: 22
Provided by: marcori6
Transcript and Presenter's Notes

1
Malicious Code and Multilayer Protection
  • Marco Righetti
  • Sales/System Engineer
  • marco_righetti@trendmicro.com

  • Harri Kaikkonen
  • Channel Account Manager, Finland & Baltic
  • harri_kaikkonen@trendmicro.com
2
Trend Micro who are we?
  • Established in California, USA, in 1988
  • Headquartered in Tokyo, with 18 subsidiaries
  • 1700 employees worldwide
  • The 3rd largest antivirus / content security (AV / CS) company globally
  • Listed on Nasdaq (TMIC) and the Tokyo Stock Exchange (TSE 4704)

3
Trend Micro who are we?
Source: IDC Bulletin "Worldwide Antivirus Software: It's Not Just a Consumer Product Anymore", September 2001
  • 33% Groupware
  • 31% File server
  • 11% Desktop

4
New threats detected all the time
  • Up to 30 new viruses every day
  • New types of viruses on other platforms
  • New ways of infecting
  • New technologies like Bluetooth and wireless LAN (802.11) could be new sources of infection
  • Mobile phones
  • Handhelds: PocketPC, Palm, EPOC
  • Broadband: home computers are always on and are not protected

5
HTTP: the new Internet bad boy
  • A Nordic customer using HTTP gateway scanning detected 6000 samples of malicious code during a 7-month period.
  • Security holes in Internet Explorer.
  • Local admin rights on NT/W2K/XP (and every user on Win95/98/Me, which has no privilege separation) let scripts, Java applets and ActiveX controls run with full control of the machine.
  • Cross-site scripting.

6
Some samples
  • ActiveX controls
    • ATVX_EXPLODER
  • Java applets
    • JAVA_APPKILLER
    • JAVA_BACKDOOR.G
    • JAVA_ATKTHREAD
    • JAVA_BOHTTPD
    • JAVA_DBLTROUBLE
    • JAVA_CALCULATOR
    • JAVA_JDAY.IRC
  • HTML
    • HTML_SADMIND.A
    • HTML_WINCRASH
    • HTML_BOMB.A
    • HTML_THE_FLY
  • JavaScript
    • JS_EXCEPTION.M
    • JS_GABRIELALO.A
    • EBAYLA

7
  • 18th July, 2001 !

8
Code Sample
  (The slide pastes the raw strings of a Windows executable. The unprintable header bytes are omitted here; what remains is the binary's import table, grouped by DLL in the order the import descriptors appear.)
  • kernel32.dll: GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
  • user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
  • advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
  • oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
  • kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
  • advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey, GetUserNameA
  • kernel32.dll: WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VerLanguageNameA, Sleep, SetThreadPriority, SetPriorityClass, SetFilePointer, SetFileAttributesA, SetEndOfFile, RemoveDirectoryA, ReadFile, MulDiv, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetTimeZoneInformation, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetShortPathNameA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCPInfo, GetACP, FormatMessageA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle
  • mpr.dll: WNetOpenEnumA, WNetEnumResourceA
  • gdi32.dll: UnrealizeObject, StretchBlt, SetTextColor, SetROP2, SetBkMode, SetBkColor, SelectPalette, SelectObject, RealizePalette, MoveToEx, GetTextMetricsA, GetSystemPaletteEntries, GetStockObject, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetBitmapBits, DeleteObject, DeleteDC, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap
  • user32.dll: ReleaseDC, MessageBoxA, LoadStringA, LoadIconA, GetSystemMetrics, GetSysColor, GetIconInfo, GetDC, DrawIconEx, DestroyWindow, DestroyIcon, CreateIcon
  • shell32.dll: ExtractIconA
  • wsock32.dll: WSAStartup, WSAGetLastError, gethostname, getservbyname, getprotobynumber, gethostbyname, socket, send, select, recv, ioctlsocket, inet_addr, htons, getsockname, getpeername, connect, closesocket
  • wininet.dll: InternetGetConnectedState

  What this tells an analyst before running anything: the repeated kernel32.dll/advapi32.dll descriptors together with the oleaut32.dll Variant/SysString imports, GetKeyboardType and EnumCalendarInfoA are the usual runtime signature of a Delphi-compiled executable, so much of the list is library boilerplate. The imports that matter for triage are WinExec (launching other programs), RegCreateKeyExA/RegSetValueExA (writing registry keys, the usual persistence route), WNetOpenEnumA/WNetEnumResourceA (enumerating network shares), CopyFileA/DeleteFileA/SetFileAttributesA (dropping or hiding files), the wsock32.dll socket/connect/send/recv set plus InternetGetConnectedState (network communication), and GetComputerNameA/GetUserNameA (host fingerprinting). None of this proves malice on its own; it tells you which behaviours to watch for when the sample runs in a sandbox.
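The import list on the slide is what a strings dump or a PE viewer shows. As an added example (not code from the presentation or from Trend Micro), the following Python script walks a PE32 import directory directly and applies a simple capability triage of my own. The header offsets follow the PE/COFF specification; the capability buckets are an assumption for illustration; and `build_pe32` fabricates a minimal test image carrying a subset of the slide's imports so the script runs offline without a real sample.

```python
import struct

# Triage buckets: an assumption for illustration, not a vendor classification.
CAPABILITY_HINTS = {
    "execution":   {"WinExec", "CreateProcessA", "ShellExecuteA"},
    "persistence": {"RegSetValueExA", "RegCreateKeyExA"},
    "share-enum":  {"WNetOpenEnumA", "WNetEnumResourceA"},
    "network":     {"socket", "connect", "send", "recv", "InternetGetConnectedState"},
    "file-tamper": {"CopyFileA", "DeleteFileA", "SetFileAttributesA"},
}

def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll: [function, ...]} from a PE32 file image given as bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]        # data directory 1 = imports
    # Section table follows the optional header: (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsections)]
    imports, desc = {}, _rva_to_offset(import_rva, sections)
    while True:   # IMAGE_IMPORT_DESCRIPTOR entries, 20 bytes each, all-zero terminator
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = _cstring(data, _rva_to_offset(name_rva, sections))
        thunk, funcs = _rva_to_offset(oft or ft, sections), []       # prefer the ILT over the IAT
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            if entry & 0x80000000:                                    # import by ordinal
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                                     # IMAGE_IMPORT_BY_NAME: hint(2) + name
                funcs.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports.setdefault(dll, []).extend(funcs)                     # a DLL may have several descriptors
        desc += 20
    return imports

def triage(imports):
    """Map each capability bucket to the imported names that suggest it."""
    found = {}
    for f in (f for funcs in imports.values() for f in funcs):
        for cap, names in CAPABILITY_HINTS.items():
            if f in names:
                found.setdefault(cap, []).append(f)
    return found

def build_pe32(imports):
    """Construct a minimal PE32 image carrying the given imports (test input, not a real sample)."""
    sec_rva, sec_off = 0x1000, 0x200
    blob, descs = bytearray(20 * (len(imports) + 1)), []              # descriptors + zero terminator
    for dll, funcs in imports.items():
        thunk_pos = len(blob)
        blob += b"\0" * 4 * (len(funcs) + 1)                          # one table serves as ILT and IAT
        for i, f in enumerate(funcs):
            struct.pack_into("<I", blob, thunk_pos + 4 * i, sec_rva + len(blob))
            blob += b"\0\0" + f.encode("ascii") + b"\0"               # hint + name
        descs.append((sec_rva + thunk_pos, sec_rva + len(blob)))
        blob += dll.encode("ascii") + b"\0"
    for i, (thunk_rva, dll_rva) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, thunk_rva, 0, 0, dll_rva, thunk_rva)
    img, pe = bytearray(sec_off), 0x40
    img[:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header, i386
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<II", img, opt + 104, sec_rva, 20 * (len(imports) + 1))
    sh = opt + 224                                                    # first section header
    img[sh:sh + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sh + 8, len(blob), sec_rva, len(blob), sec_off)
    return bytes(img) + bytes(blob)

# Constructed sample: a subset of the imports shown on the slide.
SAMPLE_IMPORTS = {
    "kernel32.dll": ["WinExec", "CopyFileA", "DeleteFileA", "GetComputerNameA"],
    "advapi32.dll": ["RegCreateKeyExA", "RegSetValueExA"],
    "mpr.dll": ["WNetOpenEnumA", "WNetEnumResourceA"],
    "wsock32.dll": ["socket", "connect", "send", "recv"],
}

def demo():
    imports = parse_imports(build_pe32(SAMPLE_IMPORTS))
    return imports, triage(imports)

if __name__ == "__main__":
    for cap, names in demo()[1].items():
        print(f"{cap:12s} {', '.join(names)}")
```

Real files normally carry separate ILT and IAT arrays (the constructed image reuses one table for both, which the parser tolerates), may import by ordinal, and may be PE32+ (64-bit, where the data directories start 112 bytes into the optional header and thunks are 8 bytes). Packed samples hide most of this until they are unpacked, which is why an import table as rich as the one on the slide is already worth reading.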

9
Code Red: the wake-up call
10
Code Red Spreading
  • Spread from IIS (web) server to IIS server during days 1-19 of the month, exploiting the buffer overflow in the IIS Indexing Service ISAPI extension (.ida; the MS01-033 patch had been available for a month before the outbreak). The worm lived in memory only and scanned random addresses whether or not they ran IIS.
  • From the 20th to the 27th it stopped spreading and flooded IP 198.137.240.91 (then www1.whitehouse.gov) with a DDoS. Because the target was hard-coded as an IP address rather than a name, moving www1 to another address was enough to defuse the flood.
  • From the 28th it was dormant.
  • Next month it started again...
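As an added example (not from the presentation), this Python script turns the slide's description into a log check: it scans IIS W3C-format log lines for the worm's .ida probe and, for the original variant, reports which phase the scanning host should be in on that date. The log lines and their field order are constructed; the probe shape (a GET for /default.ida with a long run of N, or X for Code Red II, followed by %u-encoded shellcode in the query string) follows the published Code Red signature; the 100-character run threshold is my own assumption.

```python
import re
from datetime import date

def code_red_phase(day):
    """The original worm's day-of-month schedule: spread, flood, sleep, repeat."""
    if 1 <= day <= 19:
        return "propagation"
    if 20 <= day <= 27:
        return "ddos"
    return "dormant"

# Probe shape: a long run of N (Code Red v1/v2) or X (Code Red II) followed by %u-encoded
# shellcode in the query string. The 100-character minimum is an assumed threshold.
PROBE_RE = re.compile(r"^(N{100,}|X{100,})%u")

# Assumed W3C extended field order, as declared by the #Fields line of the constructed log.
W3C_FIELDS = ["date", "time", "c_ip", "method", "stem", "query", "status"]

def parse_w3c(line):
    """Parse one IIS W3C extended log line with the field order in W3C_FIELDS."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))

def detect_code_red(lines):
    """Return one hit per .ida probe; the source IP is an infected host, not a victim."""
    hits = []
    for line in lines:
        rec = parse_w3c(line)
        if rec is None or rec["stem"].lower() != "/default.ida":
            continue
        m = PROBE_RE.match(rec["query"])
        if not m:
            continue
        variant = "Code Red v1/v2" if m.group(1)[0] == "N" else "Code Red II"
        day = date.fromisoformat(rec["date"]).day
        hits.append({
            "src": rec["c_ip"],
            "date": rec["date"],
            "variant": variant,
            # The slide's schedule describes the original worm; Code Red II ran a different one.
            "expected_phase": code_red_phase(day) if variant == "Code Red v1/v2" else "n/a",
        })
    return hits

# Constructed log excerpt (not real traffic): two probes and one ordinary request.
SHELLCODE_TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:22:01 10.0.0.5 GET /default.ida " + "N" * 224 + SHELLCODE_TAIL + " 200",
    "2001-07-19 10:23:14 10.0.0.9 GET /index.htm - 200",
    "2001-08-04 03:10:44 10.0.0.77 GET /default.ida " + "X" * 224 + SHELLCODE_TAIL + " 200",
]

if __name__ == "__main__":
    for hit in detect_code_red(SAMPLE_LOG):
        print(hit)
```

A hit's source address is an infected server, so this is a cheap way to find hosts that were never cleaned, and an N-variant probe logged between the 20th and the end of the month contradicts the schedule and deserves a closer look. The check also works on logs of servers that were never vulnerable, because the worm scans random addresses regardless of what answers; that is the same property that lets an HTTP gateway rule on the probe stop it before it reaches the IIS layer.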

11
More threats
  • Spamming
  • Flooding
  • DoS
  • Mass mailing
12
Traditional approach has changed
  • 96% of corporations have deployed desktop antivirus software
  • 4 billion a year is spent on antivirus products
  • So why are viruses still the #1 threat?

Desktop security alone isn't enough!
13
A Need For Multi Layers Of Protection
14
Imbalance
  • Imbalance between spending and threat
  • "It is very clear that e-mail is now the major means of transportation for viruses. With that said, the Internet gateway would appear to be the best place to install antivirus solutions that can check incoming and outgoing e-mail for viruses and malicious code before they have a chance to infect the corporate network or an employee's desktop."

Source: IDC Flash, March 2002
15
More imbalance
  • Of the total IT investment, only 4% (!) is spent on IT security (AV, content security, firewalls...)
  • E.g. buying a server for 10 000 to hold sensitive information, but spending only 400 to protect it.

16
Enterprise Protection Strategy
  • Classical AV solutions are losing effect
  • Today's behaviour is reactive:
    • We wait...
    • We hear about a new security problem
    • We wait for the virus that is surely coming
    • Virus alert
    • A race: which arrives first, the protection or the virus?
    • Cleaning up
    • We wait again...

17
Where does the money go?
Tomorrow's centralized management with TMCM (Trend Micro Control Manager):
  • Outbreak lifecycle management, deployment and reporting
  • Real-time analysis and reporting
  • Proactive attack updates
  • Damage assessment and cleanup
  • Performance analysis
  • AV and content security audit and assessment
  • Threat-based scanning
  • Outbreak management
  • Notification and assurance
(Chart: corporate TCO and lost productivity)
18
Control Manager
  • Makes EPS (the Enterprise Protection Strategy) real
  • Outbreak Prevention Service
  • User accounts
  • Group configuration
  • SSL encryption
  • MSDE (SQL) database for all logs
  • Central update of all products
  • Notifications to the right people
  • Automatic clean-up tools

19
Trend Micro Control Manager
20
Contact
Marco Righetti, Sales/System Engineer, marco_righetti@trendmicro.com
Download products: www.antivirus.com/download/download.asp
21
(No Transcript)