Recent Malicious Email Attack
Trend Micro Updates
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
August 14, 2009
Agenda
 Recent malicious email attachments
 What happened?
 Why was it so effective?
 How can we defend against these attacks?
 Trend Micro OfficeScan 10
 Trend Micro Security for Macs
 Q&A
What happened?
 Monday, July 13, 12:59pm – received first report (from
Penn State) that a K-State computer was sending
spam with a malicious attachment
 Many more reports soon followed from around the
world implicating many K-State IP addresses
 Many K-Staters started reporting receipt of the
malicious emails too
 4:22pm – started blocking infected computers;
continued detecting/blocking infected computers for
three more days
 113 infected computers blocked; others were detected by
sysadmins and rebuilt without getting blocked
 5:45pm – posted info/warning to IT security threats blog
What happened?
 Four different emails with the following subjects:
 Shipping update for your Amazon.com order 254-78546325-658742
 You have received A Hallmark E-Card!
 Jessica would like to be your friend on hi5!
 Your friend invited you to twitter!
 Three (somewhat) different attachments:
 Shipping documents.zip
 Postcard.zip
 Invitation card.zip
 At least three different malicious executables in the zip files (note the
numerous spaces in the file name before the “.exe” extension, which push the real
extension out of view so the file appears to be a PDF, HTML or CHM document):
 “attachment.pdf .exe”
 “attachment.htm .exe”
 “attachment.chm .exe”
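The following is an added example, not code from the presentation or from K-State: a small scanner for zip attachments that flags the whitespace-padded double-extension trick described above, checks the real extension of each entry, and sniffs the content for the DOS/PE "MZ" header so a renamed executable is caught whatever it is called. The sample zip is constructed inline (a fake PE stub, no real malware) so it runs offline.

```python
"""Scan a zip attachment for disguised executables.

Flags entries whose name hides an executable extension behind a benign
one with whitespace padding (e.g. "attachment.pdf      .exe"), entries
whose real extension is executable, and entries whose content starts
with the PE magic "MZ" regardless of name. The sample zip below is
constructed inline for the demo.
"""
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows will execute on double-click (assumed watch list)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# "<name>.<benign-ext><two or more spaces/tabs>.<ext>" at the end of the name
PADDED_DOUBLE_EXT = re.compile(
    r"\.([A-Za-z0-9]{1,5})[ \t\u00a0]{2,}\.([A-Za-z0-9]{1,5})$")


def name_findings(name: str) -> list[str]:
    """Return the reasons an archive entry name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # zip entry names use forward slashes
    m = PADDED_DOUBLE_EXT.search(base)
    if m:
        reasons.append(
            f"whitespace-padded double extension .{m.group(1)} -> .{m.group(2)}")
    # The real extension is whatever follows the last dot, trailing spaces ignored
    ext = "." + base.rstrip().rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":  # DOS/PE header, whatever the name says
                reasons.append("content has PE (MZ) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a worm-style lure zip (fake PE stubs, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Postcard.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"just text")
        zf.writestr("photo.jpg", b"MZ\x90\x00")  # benign extension, PE content
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(why))
```

The content check matters more than the name checks: a mail gateway that only matches on extension strings is exactly what the padded names were built to slip past.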
What happened?
 New variant of malware so Trend Micro
OfficeScan did not detect it.
 10:45pm - I tried to submit samples to Trend
Micro. Thought it worked, but found out in
the morning it didn’t.
 11:52pm – warning email sent to profacstaff
and classified mailing lists
 July 14, 8:00am – virustotal.com reports 29
of 41 AV products identify the malware (not
Trend Micro)
www.virustotal.com/analisis/...
What happened?
 July 14, 9:00am – finally get samples uploaded to Trend
Micro
 11:40am – Trend reports malware identified as
WORM_AGENTO.BY, “bandage” pattern file available
 2:00pm – bandage pattern file pushed out to OfficeScan
clients
 Production pattern file released later that evening which
detects the malware
 397 instances detected/deleted by TMOS since July 13
 IT Tuesday article posted about it
itnews.itac.k-state.edu/2009/07/malicious...
 July 29 and August 7 - similar attacks with new variants of
the malware; submitted samples to Trend faster with about a
2 hour turnaround for pattern file that detects the malware
Malware Characteristics
 Harvested email addresses in address books
and sent the same malicious emails to
everyone – aka “mass mailing worm”; that’s
why so many people at K-State received so
many copies
 Modified registry to run every time the
computer boots
 Copied itself to mounted file systems,
including USB flash drives
 Copied itself to common P2P file sharing
folders, masquerading as enticing software
downloads
Malware Characteristics
 Sample P2P folders used:
 %ProgramFiles%\ICQ\Shared Folder
 %ProgramFiles%\Grokster\My Grokster
 %ProgramFiles%\EMule\Incoming
 %ProgramFiles%\Morpheus\My Shared Folder
 %ProgramFiles%\LimeWire\Shared
 Sample enticing software downloads:
 Ad-aware 2009.exe
 Adobe Photoshop CS4 crack.exe
 Avast 4.8 Professional.exe
 Kaspersky Internet Security 2009 keygen.exe
 LimeWire Pro v4.18.3.exe
 Microsoft Office 2007 Home and Student keygen.exe
 Norton Anti-Virus 2009 Enterprise Crack.exe
 Total Commander7 license+keygen.exe
 Windows 2008 Enterprise Server VMWare Virtual Machine.exe
 Perfect keylogger family edition with crack.exe
 … and about 25 more
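As an added example (not code from the presentation or from K-State), here is a host-side hunt for the P2P drop behaviour listed above: it walks the share folders named on the slide, keeps only files that really are PE executables, flags crack/keygen-style lure names, and groups hits by SHA-256 so one body copied into several folders stands out. The directory tree is constructed in a temporary directory that stands in for %ProgramFiles% (an assumption of the demo); the lure keyword list is an assumed heuristic. On a real Windows host you would pass `Path(os.environ["ProgramFiles"])` to `hunt()` instead.

```python
"""Hunt for worm drop files in P2P shared folders.

Walks the share directories the worm is known to use, keeps only files
that really are PE executables (they start with "MZ" whatever they are
called), flags crack/keygen-style lure names, and groups hits by SHA-256
so the same body copied into several folders stands out. The directory
tree is constructed in a temp dir (assumption: it stands in for
%ProgramFiles%); on a real host pass Path(os.environ["ProgramFiles"]).
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Share folders named on the slide, relative to %ProgramFiles%
P2P_SHARE_DIRS = [
    r"ICQ\Shared Folder",
    r"Grokster\My Grokster",
    r"EMule\Incoming",
    r"Morpheus\My Shared Folder",
    r"LimeWire\Shared",
]

# Words the lure names on the slide lean on (assumed heuristic list)
LURE_WORDS = re.compile(
    r"\b(crack|keygen|key ?gen|license|patch|pro|professional|enterprise|"
    r"virtual machine)\b", re.IGNORECASE)


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS/PE 'MZ' magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def hunt(program_files: Path) -> list[dict]:
    """One record per PE file found under a known P2P share folder."""
    hits = []
    for rel in P2P_SHARE_DIRS:
        share = program_files.joinpath(*rel.split("\\"))  # portable join
        if not share.is_dir():
            continue
        for p in sorted(share.rglob("*")):
            if not p.is_file() or not is_pe(p):
                continue
            hits.append({
                "path": p.relative_to(program_files).as_posix(),
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "lure_name": bool(LURE_WORDS.search(p.stem)),
            })
    return hits


def replicated(hits: list[dict]) -> dict[str, list[str]]:
    """Digests seen at more than one path: a mass-copying worm leaves
    the identical body in every share folder it can reach."""
    by_digest: dict[str, list[str]] = {}
    for h in hits:
        by_digest.setdefault(h["sha256"], []).append(h["path"])
    return {d: ps for d, ps in by_digest.items() if len(ps) > 1}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree; the 'worm' is a harmless fake PE stub."""
    worm = b"MZ" + b"\x90" * 200
    drops = {
        r"ICQ\Shared Folder\Adobe Photoshop CS4 crack.exe": worm,
        r"EMule\Incoming\Kaspersky Internet Security 2009 keygen.exe": worm,
        r"LimeWire\Shared\LimeWire Pro v4.18.3.exe": worm,
        r"LimeWire\Shared\holiday.mp3": b"ID3\x03\x00" + b"\x00" * 50,  # not PE
        r"EMule\Incoming\setup.exe": b"MZ" + b"\x00" * 99,  # PE, plain name
    }
    for rel, body in drops.items():
        p = root.joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)


def demo() -> tuple[list[dict], dict[str, list[str]]]:
    """Build the sample tree, hunt it, and return (hits, replicated)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = hunt(root)
        return hits, replicated(hits)


if __name__ == "__main__":
    hits, dupes = demo()
    for h in hits:
        print(("LURE " if h["lure_name"] else "     ") + h["path"])
    for digest, paths in dupes.items():
        print(f"same body {digest[:12]}... at {len(paths)} locations")
```

The lure-name match is a weak signal on its own (plenty of legitimate files are called "setup.exe" and some pirated-software downloads are exactly what they claim to be); the same digest sitting in three different share folders is the stronger one.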
Why was it so effective?
 Used familiar services
 Amazon.com
 Hallmark eCard greeting
 Twitter
 Sensual enticement (“Jessica would like to be your friend on hi5!”)
 Somewhat believable replicas of legitimate emails
 Sent it to lots of people (bound to hit someone who just ordered
something from amazon.com, or is having a birthday)
 Effectively masked the name of the .exe file in the .zip attachment
by padding the name with lots of spaces
 New variant that spread quickly so initial infections missed by
antivirus protection
 I was too slow submitting samples to Trend (better the second and
third time around)
 Malware/attachment filtering in Zimbra did not stop it
 It had been a long time since an attack came by email attachment, so people
were caught off-guard
What can we do?
 Users need to learn to recognize scams
 Hallmark, amazon.com, etc. do not send
info in attachments
 Don’t open an attachment unless you are
expecting it and have verified it with the sender
 Think before you click
 Be paranoid!
[Screenshot: Malicious Hallmark E-Card]
[Screenshot: Legitimate Hallmark E-Card]
[Screenshot: Malicious Amazon Shipping Notice]
[Screenshot: Legitimate Amazon Shipping Notice]
[Screenshot: Malicious Twitter Invitation]
What can we do?
 Better malware filtering in e-mail
 Need to work more closely with
Zimbra/Yahoo
 Submit malware samples sooner
(we’re doing that now)
 Trend Micro OfficeScan 10…
Trend Micro OfficeScan 10
 Major upgrade from current version 8 (where did version 9
go?!)
 Ripe with marketing hype (“Cloud-Client Architecture”, “Smart
Protection Network”, “Global Threat Intelligence”)
 But it appears to provide real value:
 Faster deployment of pattern file updates
 Smaller client footprint
 Windows 7 support (not officially supported in OfficeScan 8)
 More options for re-scheduling missed scheduled scans
 Better Active Directory integration
 Better control of removable devices like USB drives
 Protection of the OfficeScan program itself (prevents malware
from altering OfficeScan files, processes and registry entries)
Trend Micro OfficeScan 10
 “In-the-cloud” scanning (“SmartScan”) vs.
conventional scanning
 Client uses pattern info stored on local or global
servers rather than having to store everything on
every client computer
 Updates pattern files hourly instead of daily
 Smaller pattern files on the client, less network
bandwidth used to deploy pattern files
 Some heuristic-based detection
 Can still do conventional scanning for systems
with limited Internet access
Trend Micro OfficeScan 10
 Better options for dealing with a missed scheduled scan
 Postpone a scheduled scan before it begins
 Stop and resume a currently active scheduled scan
 Resume a missed scheduled scan
 Automatically skip a scheduled scan when the laptop battery is
below a certain percentage
 Automatically stop a scheduled scan when it runs longer than a
set period
Trend Micro OfficeScan 10
 Device Access Control
 Sysadmins can control use of removable drives
 Examples: Removable Thumb Drives, Firewire Hard Drives,
PC-Cards, Media Players.
Trend Micro OfficeScan 10
 The Trend Micro Unauthorized Change
Prevention Service replaces the OfficeScan
watchdog as the principal means of preventing
OfficeScan services from being stopped, and
settings from being changed
 Prevents OfficeScan (OSCE) processes from being injected
with malware and disrupting business operations
 Protects OfficeScan files and file types within its folders
from being modified
 Protects OfficeScan system processes from unauthorized
shutdown
 Protects OfficeScan registry entries from unauthorized
modification
Trend Micro OfficeScan 10
 TMOS 10 concerns
 It is a major upgrade, so it needs thorough testing
 Uncertainty about use of SmartScan vs. conventional
scan
 Significant CPU utilization every hour on the Local Scan
Server when it downloads and processes new pattern
files
 Standalone Scan Server requires VMware ESXi Server 3.5
Update 2, VMware ESX Server 3.5 or 3.0, or VMware Server 2.0
 1,000 client limit if the Local Scan Server and the
OfficeScan server run on the same machine (the “Integrated
Scan Server”), compared to 5,000-8,000 clients for a
standalone OfficeScan server
 No tool yet to export/import config from the TMOS 8 server
to a TMOS 10 environment, but they’re working on it.
Trend Micro OfficeScan 10
 TMOS 10 plans
 Is available now, been out for a while (service
pack 1 in beta)
 Needs more testing – campus sysadmins
encouraged to test
 Central TMOS 10 server for testing sometime...
 SIRT will plan coordinated rollout for campus
(can be pushed from the server)
 No timeline at this point, but advantages warrant
a somewhat aggressive schedule, as does
release of Windows 7 in late October
Trend Micro Security for Macs
 K-State’s license for Symantec AV for
Macs expires October 27, 2009
 No budget for renewal or replacement
 TM Security for Macs (TMSM) new
product from Trend Micro, included in
our campus site license
 Barring a show-stopper problem, we
will switch to TMSM this fall
Trend Micro Security for Macs
 Features/Advantages:
 No additional cost
 Managed product (can push pattern file updates,
manage configuration, centralized reporting, etc.)
 Managed as plug-in to current Windows OfficeScan
servers, so have common mgmt platform
 Supports MacOS 10.4 and 10.5 on Intel and
PowerPC processors
 Includes Web Reputation Services to help prevent
users from visiting known malicious web sites
 Covered by current Silver Premium Support
contract
 Single vendor for all AV products
Trend Micro Security for Macs
 Timeline:
 Version 1.5 in beta test now
 Being tested pretty extensively at K-State
 Fixed known issues we had with v1.0
 Production release available to K-State after
August 25
 Switch by October 27, or semester break for
imaged labs (SAV will continue to work)
 New Macs should install Symantec now
but plan to switch
What’s on your mind?

Weitere ähnliche Inhalte

Was ist angesagt?

091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Securitydkp205
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreWilliam Mann
 
Final Project _Smart Utilities
Final Project _Smart UtilitiesFinal Project _Smart Utilities
Final Project _Smart UtilitiesPasan Alagiyawanna
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Critical thinking 2
Critical thinking 2Critical thinking 2
Critical thinking 2qnorman
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...UltraUploader
 
Remote File Inclusion
Remote File InclusionRemote File Inclusion
Remote File InclusionImperva
 
Microsoft Office How The 2007 System Helps You To Stay Safer
Microsoft  Office  How The 2007 System Helps You To Stay SaferMicrosoft  Office  How The 2007 System Helps You To Stay Safer
Microsoft Office How The 2007 System Helps You To Stay SaferOklahoma Dept. Mental Health
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software securityG Prachi
 
Ransomware and email security ver - 1.3
Ransomware and email security   ver - 1.3Ransomware and email security   ver - 1.3
Ransomware and email security ver - 1.3Denise Bailey
 
Firewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesFirewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesVikas Chandwani
 
Network Environments
Network EnvironmentsNetwork Environments
Network EnvironmentsGFI Software
 
14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses14 household ways to protect your computer from viruses
14 household ways to protect your computer from virusesar-rifke.com
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 

Was ist angesagt? (20)

091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Security
 
Computer Security B
Computer Security BComputer Security B
Computer Security B
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & More
 
Computer security b
Computer security bComputer security b
Computer security b
 
Computer security
Computer securityComputer security
Computer security
 
Final Project _Smart Utilities
Final Project _Smart UtilitiesFinal Project _Smart Utilities
Final Project _Smart Utilities
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
Critical thinking 2
Critical thinking 2Critical thinking 2
Critical thinking 2
 
A to z of Cyber Crime
A to z of Cyber CrimeA to z of Cyber Crime
A to z of Cyber Crime
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...
 
Remote File Inclusion
Remote File InclusionRemote File Inclusion
Remote File Inclusion
 
Microsoft Office How The 2007 System Helps You To Stay Safer
Microsoft  Office  How The 2007 System Helps You To Stay SaferMicrosoft  Office  How The 2007 System Helps You To Stay Safer
Microsoft Office How The 2007 System Helps You To Stay Safer
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Viruses andthreats@dharmesh
Viruses andthreats@dharmeshViruses andthreats@dharmesh
Viruses andthreats@dharmesh
 
Ransomware and email security ver - 1.3
Ransomware and email security   ver - 1.3Ransomware and email security   ver - 1.3
Ransomware and email security ver - 1.3
 
Firewall , Viruses and Antiviruses
Firewall , Viruses and AntivirusesFirewall , Viruses and Antiviruses
Firewall , Viruses and Antiviruses
 
Network Environments
Network EnvironmentsNetwork Environments
Network Environments
 
14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses14 household ways to protect your computer from viruses
14 household ways to protect your computer from viruses
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 

Andere mochten auch

Andere mochten auch (13)

Lists
ListsLists
Lists
 
Twar05003 win hec05
Twar05003 win hec05Twar05003 win hec05
Twar05003 win hec05
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
Moving to ws2003
Moving to ws2003Moving to ws2003
Moving to ws2003
 
Tips tricks052003
Tips tricks052003Tips tricks052003
Tips tricks052003
 
Us bdrv tips2
Us bdrv tips2Us bdrv tips2
Us bdrv tips2
 
Ch1
Ch1Ch1
Ch1
 
Swine flu f inal
Swine flu f inalSwine flu f inal
Swine flu f inal
 
Discoverer online training 10g r2
Discoverer online training 10g r2Discoverer online training 10g r2
Discoverer online training 10g r2
 
Ch03
Ch03Ch03
Ch03
 
Arc ims tips
Arc ims tipsArc ims tips
Arc ims tips
 
Dna structure
Dna structureDna structure
Dna structure
 
9idwh
9idwh9idwh
9idwh
 

Ähnlich wie Sirt roundtable malicious-emailtrendmicro

Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersSomyos U.
 
Endpoint Protection as a Service (EPaaS)
Endpoint Protection as a Service (EPaaS)Endpoint Protection as a Service (EPaaS)
Endpoint Protection as a Service (EPaaS)PT Datacomm Diangraha
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 
It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityLumension
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityUltraUploader
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 
Business Continuity 2009
Business Continuity 2009Business Continuity 2009
Business Continuity 2009OS-Cubed, Inc.
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Syed Ubaid Ali Jafri
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
Computer Security: Worms
Computer Security: WormsComputer Security: Worms
Computer Security: WormsSabidur Rahman
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017Bret Piatt
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 

Ähnlich wie Sirt roundtable malicious-emailtrendmicro (20)

Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Endpoint Protection as a Service (EPaaS)
Endpoint Protection as a Service (EPaaS)Endpoint Protection as a Service (EPaaS)
Endpoint Protection as a Service (EPaaS)
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 
It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint Security
 
Ransomware
RansomwareRansomware
Ransomware
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Information security
Information securityInformation security
Information security
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Business Continuity 2009
Business Continuity 2009Business Continuity 2009
Business Continuity 2009
 
Computer crimes
Computer crimesComputer crimes
Computer crimes
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015Final Year Projects Computer Science (Information security) -2015
Final Year Projects Computer Science (Information security) -2015
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
NWSLTR_Volume8_Issue1
NWSLTR_Volume8_Issue1NWSLTR_Volume8_Issue1
NWSLTR_Volume8_Issue1
 
Computer Security: Worms
Computer Security: WormsComputer Security: Worms
Computer Security: Worms
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017
 
Information security
Information securityInformation security
Information security
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 

Kürzlich hochgeladen

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Sirt roundtable malicious-emailtrendmicro

• 6. What happened?
 July 14, 9:00am – finally get samples uploaded to Trend Micro
 11:40am – Trend reports the malware identified as WORM_AGENTO.BY; a “bandage” pattern file is available
 2:00pm – bandage pattern file pushed out to OfficeScan clients
 Production pattern file released later that evening, which detects the malware
 397 instances detected/deleted by TMOS since July 13
 IT Tuesday article posted about it: itnews.itac.k-state.edu/2009/07/malicious...
 July 29 and August 7 – similar attacks with new variants of the malware; submitted samples to Trend faster, with about a 2-hour turnaround for a pattern file that detects the malware
• 7. Malware Characteristics
 Harvested email addresses from address books and sent the same malicious emails to everyone – a “mass-mailing worm”; that’s why so many people at K-State received so many copies
 Modified the registry to run every time the computer boots
 Copied itself to mounted file systems, including USB flash drives
 Copied itself to common P2P file-sharing folders, masquerading as enticing software downloads
• 8. Malware Characteristics
 Sample P2P folders used:
   %ProgramFiles%\ICQ\Shared Folder
   %ProgramFiles%\Grokster\My Grokster
   %ProgramFiles%\EMule\Incoming
   %ProgramFiles%\Morpheus\My Shared Folder
   %ProgramFiles%\LimeWire\Shared
 Sample enticing software downloads:
   Ad-aware 2009.exe
   Adobe Photoshop CS4 crack.exe
   Avast 4.8 Professional.exe
   Kaspersky Internet Security 2009 keygen.exe
   LimeWire Pro v4.18.3.exe
   Microsoft Office 2007 Home and Student keygen.exe
   Norton Anti-Virus 2009 Enterprise Crack.exe
   Total Commander7 license+keygen.exe
   Windows 2008 Enterprise Server VMWare Virtual Machine.exe
   Perfect keylogger family edition with crack.exe
   … and about 25 more
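The P2P spreading described on slides 7 and 8 leaves a distinctive trace: one executable copied under many lure names. The hunt below is an added example, not tooling from K-State or Trend Micro. It walks a directory tree standing in for %ProgramFiles%, hashes every file in the share folders listed on slide 8, and reports any hash that appears under several different names. The share-folder list is the slide's; the keygen/crack word list, the three-name threshold and the sample tree built by make_sample_tree() are constructed for the demo.

```python
"""Hunt for worm drops in P2P share folders: same bytes, many lure names.

Added example for this page (not K-State or Trend Micro code). The directory
tree from make_sample_tree() is constructed; the placeholder bytes are not malware.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Share folders from slide 8, relative to %ProgramFiles%.
P2P_SHARE_DIRS = [
    os.path.join("ICQ", "Shared Folder"),
    os.path.join("Grokster", "My Grokster"),
    os.path.join("EMule", "Incoming"),
    os.path.join("Morpheus", "My Shared Folder"),
    os.path.join("LimeWire", "Shared"),
]
# Words the lure names on slide 8 lean on (assumed list, extend as needed).
LURE_WORDS = re.compile(r"\b(crack|keygen|license|pro|professional|enterprise)\b", re.I)


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large shares do not blow up memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_p2p_drops(program_files: str, min_names: int = 3) -> list:
    """Return [(sha256, [paths...])] for content that appears under at least
    min_names distinct file names across the known P2P share folders."""
    by_hash = defaultdict(list)
    for rel in P2P_SHARE_DIRS:
        share = os.path.join(program_files, rel)
        if not os.path.isdir(share):
            continue
        for root, _dirs, files in os.walk(share):
            for fn in files:
                path = os.path.join(root, fn)
                by_hash[sha256_of(path)].append(path)
    hits = []
    for digest, paths in by_hash.items():
        names = {os.path.basename(p).lower() for p in paths}
        if len(names) >= min_names:
            hits.append((digest, sorted(paths)))
    return hits


def lure_score(paths) -> int:
    """How many of the copies carry a keygen/crack-style name."""
    return sum(1 for p in paths if LURE_WORDS.search(os.path.basename(p)))


def make_sample_tree() -> str:
    """Constructed stand-in for an infected %ProgramFiles% (placeholder bytes, not malware)."""
    root = tempfile.mkdtemp(prefix="pf_")
    worm = b"MZ" + b"\x90" * 300  # the same bytes dropped under every lure name
    drops = {
        os.path.join("LimeWire", "Shared"): ["Adobe Photoshop CS4 crack.exe",
                                            "LimeWire Pro v4.18.3.exe"],
        os.path.join("EMule", "Incoming"): ["Kaspersky Internet Security 2009 keygen.exe"],
        os.path.join("ICQ", "Shared Folder"): ["Ad-aware 2009.exe"],
    }
    for rel, names in drops.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(worm)
    # A legitimately shared, unrelated file: must not be reported.
    with open(os.path.join(root, "LimeWire", "Shared", "holiday.mp3"), "wb") as fh:
        fh.write(b"ID3" + os.urandom(64))
    return root


if __name__ == "__main__":
    tree = make_sample_tree()
    for digest, paths in hunt_p2p_drops(tree):
        print(f"{digest[:16]}... under {len(paths)} names, {lure_score(paths)} lure-style:")
        for p in paths:
            print("   ", os.path.relpath(p, tree))
```

Grouping by hash rather than matching names is the point: the lure names change with every variant, but a worm that copies itself verbatim cannot avoid producing identical files, so the clustering survives a rename of the whole lure list. A copy that also carries a crack/keygen-style name is the one to pull first for submission to the AV vendor.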
• 9. Why was it so effective?
 Used familiar services
   Amazon.com
   Hallmark eCard greeting
   Twitter
 Sensual enticement (“Jessica would like to be your friend on hi5!”)
 Somewhat believable replicas of legitimate emails
 Sent to lots of people (bound to hit someone who just ordered something from amazon.com, or is having a birthday)
 Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
 New variant that spread quickly, so initial infections were missed by antivirus protection
 I was too slow submitting samples to Trend (better the second and third time around)
 Malware/attachment filtering in Zimbra did not stop it
 It had been a long time since an attack came by email attachment, so people were caught off-guard
• 10. What can we do?
 Users need to learn to recognize scams
 Hallmark, amazon.com, etc. do not send info in attachments
 Don’t open an attachment unless you are expecting it and have verified it with the sender
 Think before you click
 Be paranoid!
• 16. What can we do?
 Better malware filtering in e-mail
 Need to work more closely with Zimbra/Yahoo
 Submit malware samples sooner (we’re doing that now)
 Trend Micro OfficeScan 10…
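Slide 9 explains why the attachment got through: the .exe inside the .zip was hidden by padding its name with spaces, and the mail filter let it pass. Slide 16 asks for better filtering. The inspector below is an added example of what such a filter needs to check; it is not Zimbra's, Trend Micro's or K-State's code. It opens the archive, decides which extension Windows will actually act on, and flags padding, double extensions, and executable content (the MZ header) under a document name. It goes one step beyond the deck by also catching the Unicode right-to-left-override rename, which hides an .exe the same way without any spaces. The archive built by build_sample_zip() is constructed in memory, with member names modelled on the deck's lures, so everything runs offline.

```python
"""Inspect a ZIP e-mail attachment for the disguised-executable trick.

Added example for this page, not code from the K-State talk, Zimbra or Trend
Micro. The archive from build_sample_zip() is constructed; the "MZ" payloads
are padding bytes, not malware.
"""
import io
import re
import zipfile

# Extensions Windows runs directly when the user double-clicks.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Unicode bidi controls: "notes\u202efdp.exe" displays as "notesexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}
PE_MAGIC = b"MZ"  # every Windows executable starts with the DOS stub signature


def real_extension(name: str) -> str:
    """Extension Windows will act on: text after the last dot, whitespace stripped."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base[base.rfind("."):].strip().lower()


def inspect_member(name: str, head: bytes) -> list:
    """Reasons this archive member looks like a disguised executable (empty = clean)."""
    reasons = []
    ext = real_extension(name)
    # "attachment.pdf        .exe": a run of whitespace right before the final extension
    if re.search(r"\s+\.[^.\s]+\s*$", name):
        reasons.append("whitespace padding before the extension")
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in file name")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        stem = name[: name.rfind(".")].strip()
        if "." in stem and real_extension(stem) not in EXECUTABLE_EXTS:
            reasons.append("double extension")  # a document extension hides in the stem
    elif head.startswith(PE_MAGIC):
        reasons.append("PE header but non-executable extension")
    return reasons


def inspect_zip(data: bytes) -> dict:
    """Map each member name to its findings; only the first bytes of each member are read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            findings[info.filename] = inspect_member(info.filename, head)
    return findings


def verdict(findings: dict) -> str:
    """Quarantine the whole attachment if any member is suspicious."""
    return "BLOCK" if any(findings.values()) else "ALLOW"


PADDED_NAME = "attachment.pdf" + " " * 30 + ".exe"  # the padding trick from slide 9
RLO_NAME = "notes\u202efdp.exe"                       # renders as "notesexe.pdf"


def build_sample_zip() -> bytes:
    """Constructed stand-in for the deck's ZIP lures (not the real sample)."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, fake_pe)
        zf.writestr(RLO_NAME, fake_pe)
        zf.writestr("readme.pdf", fake_pe)                # executable bytes, document name
        zf.writestr("invoice.txt", b"Your order has shipped.\n")
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip(build_sample_zip())
    for member, reasons in results.items():
        print(f"{member!r}: {reasons or 'clean'}")
    print(verdict(results))
```

The content check matters as much as the name checks: a filter that only looks at the last four characters is defeated by the next variant's naming trick, whereas the MZ header has to be there for Windows to run the file at all. Nested archives and password-protected ZIPs (whose members cannot be read) are the usual next evasion and deserve a block-by-default policy of their own.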
• 17. Trend Micro OfficeScan 10
 Major upgrade from the current version 8 (where did version 9 go?!)
 Rife with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)
 But it appears to provide real value:
   Faster deployment of pattern file updates
   Smaller client footprint
   Windows 7 support (not officially supported in OfficeScan 8)
   More options for rescheduling missed scheduled scans
   Better Active Directory integration
   Better control of removable devices like USB drives
   Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)
• 18. Trend Micro OfficeScan 10
 “In-the-cloud” scanning (“SmartScan”) vs. conventional scanning
   Client uses pattern info stored on local or global scan servers rather than having to store everything on every client computer
   Updates pattern files hourly instead of daily
   Smaller pattern files on the client; less network bandwidth used to deploy pattern files
   Some heuristic-based detection
   Can still do conventional scanning for systems with limited Internet access
• 19. Trend Micro OfficeScan 10
 Better options for dealing with missed scheduled scans:
   Postpone a scheduled scan before it begins
   Stop and resume a currently active scheduled scan
   Resume a missed scheduled scan
   Automatically skip a scheduled scan when the laptop battery is below a certain percentage
   Automatically stop a scheduled scan when it has run longer than a certain period
• 20. Trend Micro OfficeScan 10
 Device Access Control
   Sysadmins can control use of removable drives
   Examples: removable thumb drives, FireWire hard drives, PC Cards, media players
• 21. Trend Micro OfficeScan 10
 The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
 Prevents OfficeScan (OSCE) processes from being injected with malware, which would impact business operations
 Protects OfficeScan files (and file types within OfficeScan folders) from being modified
 Protects OfficeScan system processes from unauthorized shutdown
 Protects OfficeScan registry entries from unauthorized modification
• 22. Trend Micro OfficeScan 10
 TMOS 10 concerns:
   It is a major upgrade, so it needs thorough testing
   Uncertainty about use of SmartScan vs. conventional scan
   Significant CPU utilization every hour on the Local Scan Server when it downloads and processes new pattern files
   Standalone Scan Server requires VMware ESXi Server 3.5 Update 2, VMware ESX Server 3.5 or 3.0, or VMware Server 2.0
   1,000-client limit if the Local Scan Server and the OfficeScan server run on the same server (the “Integrated Scan Server”), compared to 5,000–8,000 clients for the OfficeScan server on its own
   No tool yet to export/import config from a TMOS 8 server to a TMOS 10 environment, but they’re working on it
• 23. Trend Micro OfficeScan 10
 TMOS 10 plans:
   It is available now and has been out for a while (service pack 1 is in beta)
   Needs more testing – campus sysadmins are encouraged to test it
   Central TMOS 10 server for testing sometime...
   SIRT will plan a coordinated rollout for campus (can be pushed from the server)
   No timeline at this point, but the advantages warrant a somewhat aggressive schedule, as does the release of Windows 7 in late October
• 24. Trend Micro Security for Macs
 K-State’s license for Symantec AV for Macs expires October 27, 2009
 No budget for renewal or replacement
 Trend Micro Security for Macs (TMSM) is a new product from Trend Micro, included in our campus site license
 Barring a show-stopper problem, we will switch to TMSM this fall
• 25. Trend Micro Security for Macs
 Features/Advantages:
   No additional cost
   Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
   Managed as a plug-in to the current Windows OfficeScan servers, so we have a common management platform
   Supports Mac OS 10.4 and 10.5 on Intel and PowerPC processors
   Includes Web Reputation Services to help prevent users from visiting known malicious web sites
   Covered by the current Silver Premium Support contract
   Single vendor for all AV products
• 26. Trend Micro Security for Macs
 Timeline:
   Version 1.5 is in beta test now
   Being tested pretty extensively at K-State
   Fixed the known issues we had with v1.0
   Production release available to K-State after August 25
   Switch by October 27, or at semester break for imaged labs (SAV will continue to work)
   New Macs should install Symantec now but plan to switch
• 27. What’s on your mind?