spyware, viruses and malware what the fuss is all about
TRANSCRIPT
Spyware, Viruses and Malware
What the fuss is all about
Malware, or Malicious Code, refer tovarious types of software that can causeproblems, damage, disrupt your computer.
Installed without user knowledge orapproval
What is Malware?
Motivation for Malware
Fun/Hobby/Spreading of ideological orpolitical message
Experimental/Research/Proof of Concepts
Vandalism/Graffiti
Revenge
Profit/Extortion
Types of Malware
Virus– software program– exist on local drive– reproduction using a host (e.g. files, emails)– simple self-modification, encryption, polymorphic, metamorphic– Melissa, Chernobyl, I Love You….
Types of Malware
Worms– stand alone software application– reproduced by itself– spread by exploiting vulnerabilities in the system– Netsky, SoBig, CodeRed, Sasser….
Types of Malware
Trojan– disguised as legitimate software – ActiveX, BHO, shareware, pop-ups advertisement, pirated software– remains hidden– usually do not replicate itself– Adware, Spyware, Backdoor (rootkit, zombies), Dropper, NetBus, SubSeven, GAIN (Kazaa)
Types of Malware
Others– Key Logger– Dialer– Browser Hijack– hybrids
How did it get there?
Zero day exploits
Drive by downloads
Vulnerabilities in available services; DCOM, RPC,p2p, lsass, etc
Default passwords
Email attachment, opened by user or emailprogram
p2p downloads, double extensions
How did it get there?
User Error
User has installed the malware
Social Engineering (but it said, “I love you!”)
Poor or nonexistent passwords
Countermeasures
Antivirus
– Scanning and identifying using unique pattern of individual malware (Signature)– searching is done based on definition of known virus byte patterns (virus dictionary)– some uses heuristic/pattern analysis (suspicious behaviour)– scan for virus, worms, spyware and adware– Norton, McAfee, AVG, ZoneAlarm, Avast
Countermeasures
Firewall
– rule-based (filter based on ports, IP address, application….)– hardware/software– network layer, application layer, application– personal, network based– stateless/stateful– part of Intrusion Prevention System (IPS)– IPFilter, pf, ipfw, Netfilter, Cisco, Dlink, McAfee, Norton, ZoneAlarm, Windows, Avast, Jetico
Countermeasures
Education
– Educating end-users to: • Constantly apply OS patches available • Enable and constantly update antivirus • Delete emails from unknown sender • Operate in least privileged mode • Enable a personal firewall
Once malware has been identified, it isbest to remove it while in safe mode.
Some malware has additional processesthat strive to stop you from removing it.
Deleting startup locations and files whilein safe mode, you can usually restore asystem to working condition but notnecessarily trusted state.
Removal Notes
Some notes on Malware
Remember that a machine compromisedby malware has effectively been ‘hacked’ andthat it is usually best to return the machine toa trusted state by removing important data andrebuilding using best practices.
Keep in mind the following;• Change all Passwords associated with this machine• Hardening• Patching