Securing Against Malware
Nick Hall and Fred Baumhardt
Security Technology Architects
Microsoft EMEA
Agenda
History of Viruses
Current Threats
Future…?
What is Microsoft Doing?
Microsoft Execution
The Attackers
[Chart: attacker types positioned by motivation and skill level]
Attacker types: Vandal, Trespasser, Author, Thief, Spy
Motivation: Curiosity, Personal Fame, Personal Gain, National Interest
Skill level: Script-Kiddy, Undergraduate, Expert, Specialist
Chart annotations: Largest Area By Volume; Fastest Growing Segment; Largest Area By $$ Lost; Largest Segment By $$ Spent On Defense
Phishing
[Screenshot callout] …this is actually the legitimate site you are returned to.
Virus Information
Viruses: speed is dependent on the vector
File viruses took months to years to spread widely
Macro viruses took weeks to months
Mass mailers took days
Code Red took about 12 hours
Klez went around the world in 2.5 hours
SQL Slammer affected the world in about 10 minutes
Source: ICSA Virus Prevalence Survey 2003
Viruses Over IM
“Just how fast is instant messaging?”
“We advise customers to contact their anti-virus software provider and obtain the latest signatures for the virus, which should now be available.”
W32/Kelvir – slowed down a network by putting additional traffic on it; it did not create backdoors, install keyloggers, or steal money from brokerage accounts. BUT THE NEXT ONE MIGHT!!!!
“You're 10 times more likely to click on a URL that comes from someone on your buddy list than something that comes in over email”
Spyware
www.ISpyNow.com
www.keykatcher.com
Spies per Consumer PC, Oct to Dec 2005
UK 21.6
Norway 20.3
Sweden 19.1
Lithuania 17.2
Slovenia 15.7
Source: BBC website
Worm Malware Theory
Worms are anonymous – they don't carry your password database…
Pathogens break protocol rules – you wrote a buffer for 72 characters; the attacker sent you 182
Worms send clients something they didn't ask for
Authenticate traffic – stops foreign infection
Enforce protocol rules at the network device – traffic that breaks the rules is dropped
Don't process traffic that you didn't ask for; understand protocols and know what to expect
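The three defensive rules above (enforce protocol rules at the network device, drop unsolicited traffic, authenticate traffic) can be shown working together in a small filter. The following is an added example written for this page, not code from the slides or from any Microsoft product. It assumes a constructed wire format (request id, payload, HMAC-SHA256 tag, separated by "|"), a hypothetical shared key, and the slide's numbers: a 72-byte payload buffer and a 182-byte attacker message. It also goes one step beyond the slide by treating a replayed reply as unsolicited.

```python
import hashlib
import hmac

# Constructed wire format for this example (not a real protocol):
#   <request id: 16 lowercase hex chars> "|" <payload: at most 72 bytes, no "|"> "|" <tag: 64 hex chars>
# 72 is the buffer size quoted on the slide; 182 is the attacker's oversized message.
MAX_PAYLOAD = 72
HEX = b"0123456789abcdef"


def build_frame(key: bytes, req_id: bytes, payload: bytes) -> bytes:
    """Legitimate sender: authenticate request id and payload with HMAC-SHA256."""
    tag = hmac.new(key, req_id + b"|" + payload, hashlib.sha256).hexdigest().encode()
    return req_id + b"|" + payload + b"|" + tag


class ProtocolGate:
    """A minimal 'network device' applying the three rules from the slide, in order."""

    def __init__(self, key: bytes, max_payload: int = MAX_PAYLOAD):
        self.key = key                        # hypothetical key shared with the legitimate peer
        self.max_payload = max_payload
        self.outstanding: set[bytes] = set()  # request ids this host actually sent
        self.dropped: list[str] = []          # drop reasons, for reporting

    def send_request(self, req_id: bytes) -> None:
        """Record a request we made, so its reply counts as traffic we asked for."""
        self.outstanding.add(req_id)

    def inspect(self, frame: bytes) -> bool:
        # Rule 1: enforce protocol rules before anything downstream parses the data.
        parts = frame.split(b"|")
        if len(parts) != 3:
            return self._drop("malformed frame")
        req_id, payload, tag = parts
        if len(req_id) != 16 or any(c not in HEX for c in req_id):
            return self._drop("bad request id")
        if len(payload) > self.max_payload:
            return self._drop(f"payload {len(payload)} bytes exceeds {self.max_payload}")
        # Rule 2: don't process traffic you didn't ask for.
        if req_id not in self.outstanding:
            return self._drop("unsolicited reply")
        # Rule 3: authenticate; an anonymous worm holds no key and cannot forge the tag.
        expected = hmac.new(self.key, req_id + b"|" + payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return self._drop("authentication failed")
        self.outstanding.discard(req_id)      # one reply per request; a replay is unsolicited
        return True

    def _drop(self, reason: str) -> bool:
        self.dropped.append(reason)
        return False


def demo() -> dict:
    """Run constructed traffic through the gate and report what was accepted or dropped."""
    key = b"constructed-shared-key"
    gate = ProtocolGate(key)
    req_a, req_b = b"0123456789abcdef", b"fedcba9876543210"
    gate.send_request(req_a)
    gate.send_request(req_b)
    results = {}

    good = build_frame(key, req_a, b"hello")
    results["legit"] = gate.inspect(good)                       # solicited, authenticated, fits the buffer

    oversized = req_b + b"|" + b"A" * 182 + b"|" + b"0" * 64    # the 182-byte message from the slide
    results["oversized"] = gate.inspect(oversized)              # dropped at rule 1, never reaches the parser
    results["oversized_reason"] = gate.dropped[-1]

    results["unsolicited"] = gate.inspect(build_frame(key, b"00000000deadbeef", b"hi"))  # nobody asked
    results["forged"] = gate.inspect(req_b + b"|" + b"hi" + b"|" + b"f" * 64)           # no key, bad tag
    results["replay"] = gate.inspect(good)                      # req_a already consumed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The length check runs before the HMAC check on purpose: the point of enforcing protocol rules at the network device is that an oversized message is dropped before any code that might overflow a 72-byte buffer ever sees it, and before the device spends CPU on a signature verification that an anonymous worm could never pass anyway.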
Future…?
Creation of a Superbug (usually worm-propagating)?
Vector is changing, e.g. music, video
The attackers themselves are changing
“New World” virus writers
New threats like “Spear Phishing”
SPAM
Is it Malware?
Nuisance or Pain?
Same mindset as for AV?
4 million mails generate 4 responses, with 1 person buying (well, in the US anyway!!!)
Going away…………..You decide?
What is Microsoft Doing?
Individual users / Businesses
Windows Services Hardening
Windows Firewall with Advanced Security
Reduced administrative privileges
User Account Protection
Internet Explorer 7 with Protected Mode
Secure Start-up
Integrated Anti-Malware
Control over removable device installation
Restart Manager to reduce reboots
Security Center enhancements
ActiveX Opt-in puts users in control
Phishing Filter
Design Principles: Simple and Easy; Comprehensive; Automated; Evolving
Product Features: Protection Plus; Performance Plus; Backup & Restore; Help and Support
“Windows OneCare is the comprehensive PC health service for consumers that continuously and automatically manages vital computer tasks to help protect and maintain your PC”
Prioritizes data to help focus resources on the right issues
Maximizes the value of existing investments
Guards against current and emerging malware threats
Provides businesses the control they need to protect against current and emerging malware threats
[Diagram: Antigen protecting Microsoft server roles]
Antigen for Live Communications Server (IM)
Antigen for SharePoint Server (documents)
Antigen for Exchange Servers (e-mail)
Antigen for ISA Server
Antigen for Windows SMTP Server
Threats blocked: viruses, worms
Traffic covered: IM and documents, e-mail
ISA Server: caching, content filtering, application publishing, advanced application layer firewall / VPN
Transport and CAS/UM are rewritten in managed code
Encryption of all links among E12 servers by default if encryption can be supported
E-mails between two E12 organizations can be encrypted over the Internet without end-user S/MIME
SMTP Gateway Throttling
Much enhanced anti-spam protection in addition to the Ex2003 IMF
Microsoft Exchange Hosted Services
Real-time threat prevention features
Multi-layer anti-spam and anti-virus
Customized content and policy enforcement
E-mail retention for help with compliance and e-discovery
Customized report generation for help demonstrating compliance
Fully indexed, searchable archive
Full e-mail encryption
No public and private key management
Gateway, policy-based e-mail encryption
Uninterrupted e-mail accessibility
Rapid recovery from unplanned disasters and network outages
Thirty-day rolling historical e-mail store
Microsoft Client Protection
For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows OneCare Live
For businesses: Microsoft Client Protection
Capabilities across the range: remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration
Important Dates
Q2 06
Exchange Hosted Services
Antigen V 9.0 for Exchange, SMTP & AEM
Microsoft Client Protection – Beta
Antigen for E12 – Beta
Windows OneCare
Q3 06
Antigen V 9.0 for IM, SharePoint
ISA 2006 - RTM
Q4 06
Microsoft Client Protection
Antigen for E12
ISA 2006 - RTM
Q1 07
Windows Vista
Antigen for ISA
© 2005-06 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.