Copyright 2009 Trend Micro Inc.

Page 1: RSU  Threat  Training


RSU Threat Training

Sophon Ponglaksamana : Technical Account Manager

Page 2: RSU  Threat  Training


Agenda

- What is a computer virus?
- Types of computer viruses
- How computer viruses spread
- Why a computer gets infected
- Checking whether a computer is infected
- How computer viruses get in and attack
- How to protect against computer viruses
- Precautions when opening files such as email and data files

Page 3: RSU  Threat  Training


Agenda

- The Trend Micro virus scanner
- Tools that protect against viruses carried on flash drives, such as autorun killer and usb security
- How antivirus scanning software works
- Finding virus removal methods on the Internet
- Recommended virus removal websites
- Demonstration of prevention and removal techniques

Page 4: RSU  Threat  Training

- What is a computer virus?
- Types of computer viruses

Page 5: RSU  Threat  Training


Threat Environment Evolution to Crimeware

(Timeline chart, complexity rising from 2001 to 2007: Vulnerabilities / Worm outbreaks -> Spam / Mass mailers -> Spyware -> Intelligent botnets -> Web-based malware attacks -> Crimeware.)

Characteristics of today's crimeware:
• Multi-Vector
• Multi-Component
• Web based
• Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled

Page 6: RSU  Threat  Training


What are the types of virus/malware?

• Joke program: A virus-like program that often manipulates the appearance of things on a computer monitor.

• Trojan program: An executable program that does not replicate but instead resides on systems to perform malicious acts, such as opening ports for hackers to enter. Traditional antivirus solutions can detect and remove viruses but not Trojans, especially those already running on the system.

• Virus: A program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes.

• Test virus: An inert file that acts like a real virus and is detectable by virus-scanning software. Use test viruses, such as the EICAR test script, to verify that your antivirus installation scans properly.

• Packers: A compressed and/or encrypted Windows or Linux executable program, often a Trojan horse program. Compressing or encrypting the executable hides its original code and makes the packed program more difficult for antivirus products to detect.

• Others: Virus/Malware not belonging to any of the above categories.

• Generic: A potential security risk. Trend Micro considers a "generic" virus/malware a potential security risk based on its behavior and characteristics.
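A quick check a practitioner can run on a suspicious executable, added here as an editor's example (not Trend Micro code and not a feature of the products in this deck): packed or encrypted files have a nearly uniform byte distribution, so their Shannon entropy approaches 8 bits per byte, while ordinary native code and text score much lower. The 7.0 threshold and the two sample buffers are constructed assumptions.

```python
"""Added example: flag a possibly packed or encrypted executable by byte entropy.

Editor-added illustration, not code from the training deck or from Trend
Micro. PACKED_THRESHOLD is a rule-of-thumb assumption; the two samples are
constructed, not real files.
"""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumption: bits per byte above which we call it "packed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_probably_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the whole buffer looks compressed or encrypted."""
    return shannon_entropy(data) >= threshold


def pseudo_random_bytes(n: int, seed: bytes = b"sample") -> bytes:
    """Constructed high-entropy sample: chained SHA-256 digests (deterministic)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: something that looks like an ordinary program (DOS stub
# text plus import names), and something that looks like a packed blob.
PLAIN_SAMPLE = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 50
                + b"kernel32.dll GetProcAddress LoadLibraryA VirtualAlloc " * 40)
PACKED_SAMPLE = b"MZ" + pseudo_random_bytes(4096)


def classify(samples: dict) -> dict:
    """Map sample name -> (entropy rounded to 2 places, packed?) for a batch."""
    return {name: (round(shannon_entropy(d), 2), is_probably_packed(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = classify({"plain": PLAIN_SAMPLE, "packed": PACKED_SAMPLE})
    for name, (h, packed) in results.items():
        print(f"{name:8s} entropy={h:.2f} bits/byte  packed={packed}")
```

Entropy alone does not prove malice: legitimate installers and compressed resources score high too, and a packer can pad its output with low-entropy filler to dodge the check. Treat a high score as a reason to unpack or detonate the sample, not as a verdict.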

Page 7: RSU  Threat  Training


What are the types of spyware/grayware?

• Spyware: Gathers data, such as account user names and passwords, and transmits them to third parties

• Adware: Displays advertisements and gathers data, such as user Web surfing preferences, used for targeting advertisements at the user through a Web browser

• Dialer: Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. These are often pay-per-call or international numbers that can result in a significant expense for your organization

• Joke program: Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes

• Hacking tool: Helps hackers enter computers

• Remote access tool: Helps hackers remotely access and control computers

• Password cracking application: Helps hackers decipher account user names and passwords

• Others: Other types of potentially malicious programs

Page 8: RSU  Threat  Training

- How computer viruses spread
- Why a computer gets infected
- How computer viruses get in and attack

Page 9: RSU  Threat  Training

Enterprise endpoints: the ultimate targets

Web threats
• Viruses
• Trojans
• Bots
• Rootkits
• Spyware
• Adware
• Key Logger
• Information Stealer

Messaging threats
• Worms
• Viruses
• Phishing
• Pharming
• SPAM

Network threats
• Network worms
• Hacking
• DoS

Page 10: RSU  Threat  Training

IT Environment Changes: Threat Landscape

• Exponential growth in malware
– 3 new unique malware samples every second
– Profit drives the sophistication and "quality" of malware

• Web is the #1 infection vector
– Even legitimate sites spread malware
– 90% of all new malware leverages the Web

• Vulnerabilities are exploited faster
– 74% of attacks emerge the same day as the patches
– 89% of attacks work remotely, over the network

(Chart: web-based attacks.)

Page 11: RSU  Threat  Training

IT Environment Changes: Challenge, Traditional Approaches Fail

(Chart: unique threat samples per hour, 2007 to 2015 projected: 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598.)

Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap

Signature files are becoming too big
• Increase impact on endpoint resources
• Unpredictable increase of client size

Patches cannot be deployed in time
• Systems remain exposed to exploits
• Average time to patch was 55 days in 2009

Page 12: RSU  Threat  Training

High Impact Threats

• Compromised Website (Italian Job)

(Diagram: a group of web sites, ONE.COM through SIX.COM, carry IFRAMEs pointing to an MPack server, the malware site.)
1. User goes to six.com
2. The IFRAME in six.com connects to the MPack server
3. The MPack server serves malicious code to the user

Page 13: RSU  Threat  Training

How ARP Works?

(Diagram: Host A 192.168.1.3, Host B 192.168.1.2, Host C 192.168.1.1 (the gateway), Host D 192.168.1.4 on one LAN.)

1. Host A sends an ARP request: "Who has 192.168.1.1?"
2. Host B sends an ARP response: "I have 192.168.1.1. My MAC address is [Host B MAC address]"
3. Host A now sends its gateway traffic to Host B: Host B is the man in the middle and has become the gateway.
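The poisoned reply above is exactly what an ARP monitor looks for. The following is an added example (editor's code, not from the training deck) of that check in the style of arpwatch: it keeps a sticky IP-to-MAC table seeded with the trusted gateway entry and alerts on replies nobody requested, on replies that try to move an IP to another MAC, and on one MAC claiming several IPs at once. The frames and MAC addresses are constructed.

```python
"""Added example: detecting the ARP poisoning shown in the diagram.

Editor-added illustration, not part of the original training deck. The
frames and MAC addresses are constructed. The monitor keeps a sticky
IP-to-MAC table (seeded with the trusted gateway entry) and alerts when a
reply arrives that nobody asked for, when a reply tries to move an IP to a
different MAC, or when one MAC claims several IPs.
"""
from dataclasses import dataclass, field

MAC_A = "00:11:22:33:44:a3"  # Host A 192.168.1.3 (made up)
MAC_B = "00:11:22:33:44:b2"  # Host B 192.168.1.2, the attacker (made up)
MAC_C = "00:11:22:33:44:c1"  # Host C 192.168.1.1, the real gateway (made up)
GATEWAY = "192.168.1.1"


@dataclass
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)    # ip -> mac we believe is right
    claims: dict = field(default_factory=dict)   # mac -> set of ips it has claimed
    pending: set = field(default_factory=set)    # ips with an outstanding request
    alerts: list = field(default_factory=list)

    def observe(self, f: ArpFrame) -> None:
        if f.op == "request":
            self.pending.add(f.target_ip)
            return
        # A reply says: sender_ip is at sender_mac.
        if f.sender_ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        self.pending.discard(f.sender_ip)

        known = self.table.get(f.sender_ip)
        if known is None:
            self.table[f.sender_ip] = f.sender_mac   # first sighting: record it
        elif known != f.sender_mac:
            # Do not overwrite: a poisoned reply must not become the new truth.
            self.alerts.append(f"{f.sender_ip} moved {known} -> {f.sender_mac}")

        ips = self.claims.setdefault(f.sender_mac, set())
        ips.add(f.sender_ip)
        if len(ips) > 1:
            self.alerts.append(f"{f.sender_mac} claims {sorted(ips)}")


def analyze(frames, trusted=None) -> list:
    """Feed frames through a monitor seeded with trusted entries; return the alerts."""
    mon = ArpMonitor(table=dict(trusted or {}))
    for f in frames:
        mon.observe(f)
    return mon.alerts


# Constructed capture reproducing the slide: A asks for the gateway, the real
# gateway answers, then Host B answers too ("I have 192.168.1.1").
FRAMES = [
    ArpFrame("request", "192.168.1.3", MAC_A, GATEWAY),
    ArpFrame("reply",   GATEWAY,       MAC_C, "192.168.1.3"),
    ArpFrame("reply",   GATEWAY,       MAC_B, "192.168.1.3"),   # the poison
    ArpFrame("request", "192.168.1.3", MAC_A, "192.168.1.2"),
    ArpFrame("reply",   "192.168.1.2", MAC_B, "192.168.1.3"),   # B's real address
]

if __name__ == "__main__":
    for alert in analyze(FRAMES, trusted={GATEWAY: MAC_C}):
        print("ALERT:", alert)
```

In a real deployment the frames come from a packet capture on the segment, and the monitor only tells you the poisoning is happening; the defence is a static ARP entry for the gateway on critical hosts or dynamic ARP inspection on the switch.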

Page 14: RSU  Threat  Training

Web threat and PE virus relationship

(Diagram: the web, a malicious user, and a network of computers.)
1. The malicious user deploys TSPY_LINEAGE on the web.
2. The malicious user deploys PE_LOOKED to infect files and propagate via network shares.
3. PE_LOOKED downloads TSPY_LINEAGE; TSPY_LINEAGE gets downloaded from the web onto the infected computers.
4. TSPY_LINEAGE steals information and sends it to the malicious user.

Page 15: RSU  Threat  Training


From the Trend Micro 2009 Annual Threat Report Roundup:

• Social networking sites will grow as targets

• Social engineering will become increasingly prevalent and clever

• Unlike the global economy, the underground economy will continue to flourish

Page 16: RSU  Threat  Training

Details of Black Hat Attack

Passive attack
• Google Hacking
• WhoIs Query
• Social Community
• Offline Research

Active attack
• Web Crawling
• Network Scanning/Mapping
• Port Scanning
• Vulnerability Scanning
• OS Fingerprinting
• Enumeration
• Social Engineering

• Malware Propagation
• Malware Acquisition and Execution (by the user)
• Active Exploit
• Malware Placement and Execution (by the hacker)

Line of Successful Infection (the items below happen once the malware is running)

• Malware Infection Behavior (File Infection, Program Hijacking, AV Retaliation, Process Termination, System Restriction, etc.)
• Malicious Payload (Information Theft, Denial-of-Service, Backdoor, Agents, etc.)
• Hacking Tools, Remote Access Tools
• Detection Avoidance (Covert Channel, Rootkit, Polymorphism, Fast Update Mechanism, File System Manipulation, Multiple-variant deployment, Login Hijacking, Use of Normal Applications, etc.)

Page 17: RSU  Threat  Training


Cybercriminals will formulate more direct and brazen extortion tactics to gain quicker access to cash

• Malware developers, anti-detection vendors, and botnet herders are becoming better at their “jobs”

Page 18: RSU  Threat  Training


Business as usual for botnets but heavier monetization by botnet herders

• Bot masters will aim for faster monetization

• “Pay-per-install” business model

Page 19: RSU  Threat  Training


Mobile threats will have more impact.

• Consumer acceptance of mobile phone-based financial activity is increasing

• Two distinct handset-based (albeit rudimentary) botnets were detected in 2009

Page 20: RSU  Threat  Training

Compromised products come straight from the factory.

• Devices that are already tampered with when they come off the shelves are increasing
– Media players
– Other USB devices
– Digital photo frames

• Even "known good" software runs the risk of being embedded with a malware component

Page 21: RSU  Threat  Training


Web threats will continue to plague Internet users.

• Poisoned searches

• More malicious scripts, less binaries

• Malvertisements

• Application vulnerabilities

Page 22: RSU  Threat  Training


Web threats will continue to plague Internet users.

• Attack possibilities even in cloud-based scenarios

- Manipulating the connection to the cloud

- Attacking the cloud itself

- Cloud vendor data breaches

Page 23: RSU  Threat  Training

Man-In-The-Middle (MITM) Attack

• ARP Spoofing/Poisoning (active sniffing)
– The poisoned ARP entry contains the IP of the destination with the MAC address of the MITM

• DNS Poisoning
– Provides fake DNS information to redirect network traffic to a malicious destination
– (DNS spoofing, proxy server DNS poisoning, DNS cache poisoning, pharming, etc.)

• Session Hijacking
– Taking control of a TCP session exchanged between two computers
– Done by predicting the sequence numbers of the TCP session and injecting packets that carry them

(Diagram: source -> man-in-the-middle -> real destination.)

Page 24: RSU  Threat  Training

DNS Poisoning Attack

(Diagram: the victim asks for the legitimate website www.google.com; a poisoned DNS server on the ISP side answers with the address of the fake website www.g00gl3.com, so the victim is redirected there.)

Page 25: RSU  Threat  Training


Cybercriminals will use social media and social networks to enter users’ “circle of trust.”

• Social engineering will continue to play a big role in threat propagation

• Social networks will be ripe venues for stealing PII

Page 26: RSU  Threat  Training

Web Server Attack/Compromise

• Cross-Site Scripting (XSS)
– Crafted URI: <legit URL> + <injected malicious JavaScript>
– Example: victimwebsite.com/default.asp?name=<script>evilScript()</script>

• SQL Injection
– User input is crafted so that attacker-chosen SQL statements reach the DB behind the web server directly

• IFRAME Injection
– Injection of a foreign IFRAME into a target victim web page, so that every visitor silently loads content from the attacker's site

• Other web application exploits that enable the attacker to modify the web server for the purpose of…
– Redirecting users to a malicious website (disease vector)
– Implementing a drive-by download
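To make the XSS and SQL injection entries concrete, here is an added example (editor's illustration, not code from the deck; the users table and the login and greeting functions are hypothetical, and an in-memory SQLite database stands in for "the DB behind the web server"). It runs the slide's XSS payload and a classic SQL injection tautology against a naive implementation and against the hardened one: parameterised queries for SQL, HTML escaping on output for XSS.

```python
"""Added example: the XSS and SQL injection entries, vulnerable vs. hardened.

Editor-added illustration, not code from the training deck. The users table
and the login/greeting functions are hypothetical. Plaintext passwords are
used only to keep the demo short; a real system stores password hashes.
"""
import html
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")


def login_vulnerable(user: str, pw: str) -> bool:
    # SQL injection: attacker text becomes part of the statement itself.
    q = f"SELECT 1 FROM users WHERE name = '{user}' AND password = '{pw}'"
    return db.execute(q).fetchone() is not None


def login_safe(user: str, pw: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so a
    # quote in the input is data, never syntax.
    q = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(q, (user, pw)).fetchone() is not None


def greet_vulnerable(name: str) -> str:
    # Reflected XSS: ?name=<script>evilScript()</script> is echoed into the page.
    return f"<h1>Hello {name}</h1>"


def greet_safe(name: str) -> str:
    # Escape on output: the browser renders the text instead of executing it.
    return f"<h1>Hello {html.escape(name, quote=True)}</h1>"


def demo() -> dict:
    """Run both attacks against both versions; True means the attack got through."""
    sqli = "' OR '1'='1"                      # tautology: password check short-circuited
    xss = "<script>evilScript()</script>"     # the payload from the slide
    return {
        "sqli_vulnerable": login_vulnerable("nobody", sqli),
        "sqli_safe": login_safe("nobody", sqli),
        "xss_vulnerable": "<script>" in greet_vulnerable(xss),
        "xss_safe": "<script>" in greet_safe(xss),
    }


if __name__ == "__main__":
    for attack, got_through in demo().items():
        print(f"{attack:16s} {'ATTACK SUCCEEDED' if got_through else 'blocked'}")
```

Both fixes are the same principle: keep attacker-supplied data from being interpreted as code by the component that consumes it. The IFRAME injection from the slide is the same failure on the server side, where a writable page or template lets the attacker's markup be served as part of the site.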

Page 27: RSU  Threat  Training

Effects of Web Server Attack: Website Defacement

(Screenshot of a compromised website.)

Page 28: RSU  Threat  Training

Denial-of-Service Attack (DoS)

• DoS prevents authorized users from accessing a computer or network

• Types of DoS attack: Smurf, Ping-of-Death, SYN flood, Teardrop, etc.

• DoS involving two or more attacking hosts is called distributed denial-of-service (or DDoS).

(Diagram: infected machines flood the attacked server with DoS traffic; legitimate clients see "Request Timed Out" and "Host Not Found".)

Page 29: RSU  Threat  Training

Exploit Packets

• Exploit packets are crafted packets (for example, packets that cause a buffer overflow) which contain code (the payload) that takes advantage of a certain vulnerability on the target machine

• A Zero-Day Exploit is an exploit found in the wild before, or on the same day that, the vulnerability became publicly known, so no patch is available when it first appears

(Diagram: a vulnerability creates a security exposure; the exploit targets that vulnerability.)

Page 30: RSU  Threat  Training

Exploit Terminologies and Concepts

• A vulnerable system is a particular OS version that contains a certain version of a Windows DLL which is used by a particular application

• Certain versions of Windows DLLs contain functions which are vulnerable and can be exploited

• The worm malware contains exploit code whose task is to trigger the flaw in the vulnerable application (which usually crashes or hangs it) and hand execution over to the shellcode

• The malicious routines that the exploit performs are called shellcode; here the shellcode connects to the malware file server to download the malware to the system

• Exploit worms usually have code that simulates a file server, which provides the malware copy to exploited machines

(Diagram: Malware File <- Exploit.)

Page 31: RSU  Threat  Training

Exploit Worm Operating Algorithm

(Diagram: the infected system sends exploits to 192.168.100.2 and 192.168.100.3.)

1. The malware first enumerates all machines in the network and finds out the IP addresses of the connected machines.

2. It then sets up an FTP/HTTP server which waits for requests from any exploited machine.

3. It sends the exploit packet to each machine found. If the machine is vulnerable, the exploit packet causes the affected application to hang and the exploit shellcode triggers.

4. The exploit shellcode connects back to the malware FTP/HTTP server, downloads the malware copy to the exploited system and executes the malware on that system.
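The algorithm above leaves a distinctive trace in firewall or flow logs, and the following added example (editor's code, not from the deck) shows one way to pull it out. The log lines are constructed in an assumed "time src dst dport" layout, not any real firewall's format; the fan-out threshold and the callback port set are assumptions. One host touching many peers on one service port is the enumerate-and-exploit step; those same peers then connecting back to it on an FTP/HTTP port is the shellcode fetching the malware copy, and that second signal is what separates a worm from an administrator's vulnerability scan.

```python
"""Added example: the exploit-worm pattern from the slide, found in connection logs.

Editor-added illustration, not code from the training deck. LOG is a
constructed sample in an assumed "time src dst dport" layout. Thresholds
and the callback port set are assumptions.
"""
from collections import defaultdict

FANOUT_THRESHOLD = 3             # assumption: distinct targets on one port => sweep
CALLBACK_PORTS = {21, 80, 8080}  # FTP/HTTP ports the worm's file server would listen on

# Constructed log: 192.168.100.1 sweeps four hosts on 445, two of them then
# fetch something back from it on 8080; 192.168.100.7 is ordinary browsing.
LOG = """\
10:00:01 192.168.100.1 192.168.100.2 445
10:00:01 192.168.100.1 192.168.100.3 445
10:00:02 192.168.100.1 192.168.100.4 445
10:00:02 192.168.100.1 192.168.100.5 445
10:00:03 192.168.100.2 192.168.100.1 8080
10:00:03 192.168.100.3 192.168.100.1 8080
10:00:09 192.168.100.7 192.168.100.20 80
10:00:10 192.168.100.7 192.168.100.21 80
"""


def parse(log: str) -> list:
    """Turn log text into (time, src, dst, dport) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport = line.split()
        rows.append((t, src, dst, int(dport)))
    return rows


def detect(rows, fanout=FANOUT_THRESHOLD, callback_ports=CALLBACK_PORTS) -> dict:
    """Return {source: {"sweep_port", "targets", "callbacks"}} for every source
    that hit at least `fanout` distinct hosts on one port. `callbacks` lists
    those targets that connected back to the source on a callback port; a
    non-empty list is the strong signal, a bare sweep may be a legitimate scan."""
    targets = defaultdict(set)    # (src, dport) -> hosts it connected to
    callbacks = defaultdict(set)  # dst -> hosts that connected to it on a callback port
    for _, src, dst, dport in rows:
        targets[(src, dport)].add(dst)
        if dport in callback_ports:
            callbacks[dst].add(src)

    findings = {}
    for (src, dport), dsts in targets.items():
        if len(dsts) < fanout:
            continue
        findings[src] = {
            "sweep_port": dport,
            "targets": sorted(dsts),
            "callbacks": sorted(dsts & callbacks.get(src, set())),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect(parse(LOG)).items():
        print(f"{src}: swept port {info['sweep_port']} on {len(info['targets'])} hosts, "
              f"callbacks from {info['callbacks'] or 'none'}")
```

On real data the sweep window should be bounded in time and the callback port set taken from what the worm actually listens on (the slide's FTP/HTTP server); the host that appears as the source of a sweep with callbacks is the one to isolate first.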

Page 32: RSU  Threat  Training

Command & Control (C&C) or Backdooring

• A backdoor has two components: a client and a server component

• The server component (which acts as the bot client/zombie) is the infecting malware that opens up backdoor communication, receives commands from a C&C server, and executes them

• The client component (or the hacker console) enables the cyber criminal to send commands and take control of the machine(s) infected by the server component

• The backdoor client system which controls many server components (bots) is called, in layman's terms, the "command and control" or C&C server.

Page 33: RSU  Threat  Training

Information Theft

(Diagram: what cyber theft takes from the victim.)
• Logged keystrokes
• Email
• Personal/confidential files
• Email addresses
• System information
• Application serial keys
• Account credentials
• Browser history

Page 34: RSU  Threat  Training

- How to protect against computer viruses
- Precautions when opening files such as email and data files

Page 35: RSU  Threat  Training

Worms

• Email Worm
• IM Worm
• Network Worm

Page 36: RSU  Threat  Training

Malware started from a simple program called "Elk Cloner"

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

• Most mobile malware threats to date cannot be called serious; however, we have seen several with capabilities similar to information stealers on desktop systems.

• WINCE_INFOJACK.A – runs on Windows CE/Mobile devices; has information-stealing capabilities and also changes the security settings of the mobile device.

• SYMBOS_YXES.A and SYMBOS_YXES.B – run on Symbian devices; also have information-stealing capabilities; the .B variant can also spam the user's contacts on the phone

Page 37: RSU  Threat  Training

Early Mobile Networking

Bluetooth Hijacker (screenshot)

Page 38: RSU  Threat  Training

The Age of Mobile Computing

Unlike the previous generation of cell phones, which at worst were susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the Internet.

Page 39: RSU  Threat  Training

The latest trend is "iPhone Mania"

• However, while attacks based on malicious files on mobile devices are limited, there is nothing that stops Web-based threats from working on Internet-capable mobile devices.

• Examples: phishing attacks can be carried out whatever the platform.

• FAKEAV alerts appear on any system, even iPhones

Page 40: RSU  Threat  Training

iPhone Jailbreaking: the possibilities are endless.

Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began seeing a ransomware pop-up (the phones were found by scanning the IP range over the Internet). The pop-up window notifies the victim that the phone has been hacked, and then sends the victim to a website where a $5 ransom payment is demanded to remove the malware infection.

A worm installed a wallpaper of the British 1980s pop star Rick Astley on the victim's iPhone, and it succeeded in infecting an estimated 21,000 victims within about a week in Australia.

Page 41: RSU  Threat  Training

FakeAV Review

• FakeAV "official" websites
– XpAntivirusonline.com
– XPOnlinescanner.com
– XPSecuritycenter.com
– XPAntispyware.com
– XPAntiviruspro.com
– XPAntivirus2008.com
– XPAntivirus-scanner.com
– XPAntivirus.com
– XPAntivirussite.com
– FileShredder2008.com
– XPDownloadings.com
– CleanerMaster.com

Page 42: RSU  Threat  Training

FakeAV still alive in 2009 & 2010

• XPVirusProtection, TotalVirusProtection, MalwareDoc (ref: http://www.lavasoft.com/mylavasoft/company/blog/2-new-rogue-antivirus-programs)

• Anti-Virus-1 (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-anti-virus-1.html)

• AntiSpyware Protector, System Guard Center, Privacy components (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-security-products.html)

• SpyBurner, XpyBurner System Tuner, HDriveSweeper (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-xpyburner.html)

Page 43: RSU  Threat  Training

Reality Check on Fake AVs

Why do they keep recurring? Because the malware is updated by the minute, a website that is taken down simply reappears on another host, the malware authors know they are being detected and keep innovating, and we did not have a complete sample from the first visible case of the malware since it was not deemed a noteworthy case at the time.

Page 44: RSU  Threat  Training

Regional Web Threats: compromised website sample (screenshot)

Page 45: RSU  Threat  Training

Regional Web Threats: compromised website sample (second screenshot)

Page 46: RSU  Threat  Training

Malware file Hunt Down

• Directory / Folder: where to look
– Program Files
– System32
– Windows
– C:\

Page 47: RSU  Threat  Training

Malware file Hunt Down

• Date and time stamp
– Look for the most recent files that were added or modified
– Use them to locate the malware component files

(Screenshot: 4 suspected files were recently added to the system; 2 of them arrived at the same time, indicating that an installer or trojan dropper placed these files.)

Page 48: RSU  Threat  Training

Malware file Hunt Down

• Filename
– Wrong spelling (e.g. svchost.exe vs. scvhost.exe)
– Double extension name (e.g. Nude_Britney.jpg.exe)
– Random name

Page 49: RSU  Threat  Training

Malware file Hunt Down

• File icon
– Spoofed icons
– Generic icons
– Shortcut link icons found on the desktop

(Screenshots:)
– Pixelated icon of the Microsoft Update warning
– Fabricated icon of the Microsoft Security Center
– Legitimate icon of the Microsoft Security Center, but Microsoft does not use this icon for Win32 executable files
– Legitimate normal files usually have a unique file icon
– Shortcut links can also reveal the file location of the executable they point to. Icons with explicit graphics attract users into clicking the icon, which executes the associated executable file
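The hunt-down checks above (location, timestamps, filenames; icons need a human eye) can be automated. The following is an added example (editor's code, not a Trend Micro tool) that builds a throwaway folder with constructed file names and timestamps and then applies the recent-timestamp, dropped-together, misspelled-system-name and double-extension rules. The system-name list, the one-day "recent" window and the edit-distance cutoff are assumptions.

```python
"""Added example: automating the malware file hunt-down checks.

Editor-added illustration, not a Trend Micro tool. It builds a throwaway
folder with constructed names and timestamps; SYSTEM_NAMES, the one-day
"recent" window and the edit-distance cutoff are assumptions.
"""
import os
import shutil
import tempfile
import time
from collections import defaultdict

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
RECENT_SECONDS = 24 * 3600      # assumption: "recently added" = last 24 hours
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "vbs"}
DATA_EXT = {"jpg", "jpeg", "gif", "pdf", "doc", "txt", "mp3", "avi"}
LONG_AGO = 400 * 24 * 3600      # timestamp for the constructed "old, legitimate" files


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; scvhost.exe vs svchost.exe is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the real system file name this one imitates, or None."""
    low = name.lower()
    if low in SYSTEM_NAMES:          # a genuine system name is never a lookalike
        return None
    for real in sorted(SYSTEM_NAMES):
        if edit_distance(low, real) <= 2:
            return real
    return None


def double_extension(name: str) -> bool:
    """Nude_Britney.jpg.exe: a data-file extension hiding an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DATA_EXT


def hunt(root: str, now=None) -> dict:
    """Walk root and apply the timestamp, dropped-together, lookalike and
    double-extension rules; returns one sorted list per rule."""
    now = time.time() if now is None else now
    findings = {"recent": [], "dropped_together": [], "lookalike": [], "double_ext": []}
    by_mtime = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            mtime = int(os.stat(os.path.join(dirpath, name)).st_mtime)
            if now - mtime <= RECENT_SECONDS:
                findings["recent"].append(name)
                by_mtime[mtime].append(name)   # same second: probably the same dropper
            real = lookalike(name)
            if real:
                findings["lookalike"].append((name, real))
            if double_extension(name):
                findings["double_ext"].append(name)
    findings["dropped_together"] = [sorted(n) for n in by_mtime.values() if len(n) > 1]
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> str:
    """Constructed System32-like folder: two old legitimate files, four new ones,
    two of which were written in the same second."""
    root = tempfile.mkdtemp(prefix="huntdown_")
    now = int(time.time())
    files = {
        "kernel32.dll": now - LONG_AGO,
        "svchost.exe": now - LONG_AGO,
        "scvhost.exe": now - 3600,              # misspelled system name
        "Nude_Britney.jpg.exe": now - 3600,     # double extension, same second
        "xkqzt.dll": now - 120,                 # random-looking name
        "readme.txt": now - 50,
    }
    for name, mtime in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rule, hits in hunt(root).items():
            print(f"{rule:17s} {hits}")
    finally:
        shutil.rmtree(root)
```

The "recent" list is a starting point, not a verdict (readme.txt lands in it too); the other three rules are what narrow it down. On a real machine, point hunt() at the folders from the first hunt-down slide rather than at a constructed tree.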

Page 50: RSU  Threat  Training

Example: Virus

Page 51: RSU  Threat  Training

WORM_DOWNAD.AD

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram (shown on the slide).

Initial samples received on: Dec 30, 2008

Vulnerability used:  (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Payload 1: Downloads files

Payload 2: Connects to a URL

Page 52: RSU  Threat  Training

WORM_DOWNAD.AD

Replication channels
1. Via the MS08-067 vulnerability exploit
2. Via network shares, by attacking (brute-forcing) the admin password to the share
3. Via removable storage (autorun)
4. Via the Internet

Victim profile
• Unpatched Windows
• Account with a weak password
• Autorun enabled on Windows (enabled by default)
• User with Internet access
• Protection highly dependent on pattern (signature) solutions

Page 53: RSU  Threat  Training

PE_SALITY.M Behavior Details

• Deletes entries under the "SafeBoot" registry key, possibly to prevent users from doing anything in Safe Mode

Page 54: RSU  Threat  Training

Example: FakeAV (screenshot)

Page 55: RSU  Threat  Training

Example: FakeAV (second screenshot)

Page 56: RSU  Threat  Training

Example: FakeAV (third screenshot)

Page 57: RSU  Threat  Training

The Security Challenge

• Malware threats are now deployed in multiple variants at the same time by using sophisticated packing (compression) and encryption technology (this is the reason behind the rapid growth of undetected malware volume in the wild)

• Malware threats now implement an "active update" mechanism (i.e. malware binaries are updated in less than an hour)

• Threats now use legitimate channels to attack/infect, such as HTTP on port 80, which it is not advisable to block

• Malware threats attack and disable security and antivirus products

• Malware threats use advanced stealth techniques (i.e. rootkits) to avoid detection

• Threats use 0-day exploits to attack/infect (0-day exploits are normally unblockable by signature-based protection)

Page 58: RSU  Threat  Training

- The Trend Micro virus scanner
- How antivirus scanning software works

Page 59: RSU  Threat  Training


OSCE client

Page 60: RSU  Threat  Training

Scan Flows – detailed (diagram)

Page 61: RSU  Threat  Training

Proof of Concept – Basic setup

• This is a basic diagram of OfficeScan which shows most of the features as a POC

Page 62: RSU  Threat  Training


Client Console Scan Tab

From the Scan tab you can:

• Select the drives and directories you want to manually scan

• Begin a manual scan
– Scanning will use the settings configured in the client console (with privileges) or in the OfficeScan management console

• Run Damage Cleanup Services (DCS)

Page 63: RSU  Threat  Training


Client Console Scan Results Tab

From the Scan Results tab you can:

• View the results from the most recent manual scan

• View statistics about the most recent manual scan

Page 64: RSU  Threat  Training


Client Console Log Report Tab

From the Log Report tab you can:

• View logs about the virus activities on your computer

• Manage logs and assess your computer’s protection

Page 65: RSU  Threat  Training

Additional Functions

Real-time Monitor

• Real-time scan status
– Last file scanned
– Last virus found

• Scan Statistics
– Total number of files scanned
– Number of infected files

• Scheduled Scan Settings
– When the scan is scheduled to run

Page 66: RSU  Threat  Training


Example scan results

Page 67: RSU  Threat  Training


Example scan results

Page 68: RSU  Threat  Training


Example scan results

Page 69: RSU  Threat  Training

- Tools that protect against viruses carried on flash drives, such as autorun killer and usb security

Page 70: RSU  Threat  Training


USB Scan

Page 71: RSU  Threat  Training

- Finding virus removal methods on the Internet
- Recommended virus removal websites
- Demonstration of prevention and removal techniques

Page 72: RSU  Threat  Training


http://us.trendmicro.com/us/trendwatch/

Page 73: RSU  Threat  Training


http://free.antivirus.com/clean-up-tools/

Page 74: RSU  Threat  Training


http://housecall.trendmicro.com/index.html

Page 75: RSU  Threat  Training


http://free.antivirus.com/clean-up-tools/

Page 76: RSU  Threat  Training


http://about-threats.trendmicro.com/

Page 77: RSU  Threat  Training


http://about-threats.trendmicro.com/Search.aspx?language=us&p=worm_downad.ad

Page 78: RSU  Threat  Training


http://about-threats.trendmicro.com/malware.aspx?language=us&name=WORM_DOWNAD.AD

Page 79: RSU  Threat  Training

Sysclean

1. Create a folder for the Sysclean program on the computer.
2. Download Sysclean from http://www.trendmicro.com/ftp/products/tsc/sysclean.com into the folder you created.
3. Download the Control Pattern file (lptxxx.zip) from http://www.trendmicro.com/download/pattern-cpr.asp

Page 80: RSU  Threat  Training

Sysclean

• Extract the pattern file into the folder you created.
4. Close all open programs and run Sysclean.com.

Page 81: RSU  Threat  Training

Sysclean

5. Run Sysclean.com and click Scan.

Page 82: RSU  Threat  Training

Sysclean

6. Sysclean scans for viruses and spyware.

Page 83: RSU  Threat  Training

Reporting a virus problem

- Report it to the Office of Information Technology Services
- Contact extension: 5648/5649
- Email: [email protected]
