Spyware, Viruses and Malware

What the fuss is all about

Malware, or Malicious Code, refer tovarious types of software that can causeproblems, damage, disrupt your computer.

Installed without user knowledge orapproval

What is Malware?

Motivation for Malware

Fun/Hobby/Spreading of ideological orpolitical message

Experimental/Research/Proof of Concepts

Vandalism/Graffiti

Revenge

Profit/Extortion

Types of Malware

Virus– software program– exist on local drive– reproduction using a host (e.g. files, emails)– simple self-modification, encryption, polymorphic, metamorphic– Melissa, Chernobyl, I Love You….

Types of Malware

Worms– stand alone software application– reproduced by itself– spread by exploiting vulnerabilities in the system– Netsky, SoBig, CodeRed, Sasser….

Types of Malware

Trojan– disguised as legitimate software – ActiveX, BHO, shareware, pop-ups advertisement, pirated software– remains hidden– usually do not replicate itself– Adware, Spyware, Backdoor (rootkit, zombies), Dropper, NetBus, SubSeven, GAIN (Kazaa)

Types of Malware

Others– Key Logger– Dialer– Browser Hijack– hybrids

How did it get there?

Zero day exploits

Drive by downloads

Vulnerabilities in available services; DCOM, RPC,p2p, lsass, etc

Default passwords

Email attachment, opened by user or emailprogram

p2p downloads, double extensions

How did it get there?

User Error

User has installed the malware

Social Engineering (but it said, “I love you!”)

Poor or nonexistent passwords

Countermeasures

Antivirus

– Scanning and identifying using unique pattern of individual malware (Signature)– searching is done based on definition of known virus byte patterns (virus dictionary)– some uses heuristic/pattern analysis (suspicious behaviour)– scan for virus, worms, spyware and adware– Norton, McAfee, AVG, ZoneAlarm, Avast

Countermeasures

Firewall

– rule-based (filter based on ports, IP address, application….)– hardware/software– network layer, application layer, application– personal, network based– stateless/stateful– part of Intrusion Prevention System (IPS)– IPFilter, pf, ipfw, Netfilter, Cisco, Dlink, McAfee, Norton, ZoneAlarm, Windows, Avast, Jetico

Countermeasures

Education

– Educating end-users to: • Constantly apply OS patches available • Enable and constantly update antivirus • Delete emails from unknown sender • Operate in least privileged mode • Enable a personal firewall

Once malware has been identified, it isbest to remove it while in safe mode.

Some malware has additional processesthat strive to stop you from removing it.

Deleting startup locations and files whilein safe mode, you can usually restore asystem to working condition but notnecessarily trusted state.

Removal Notes

Some notes on Malware

Remember that a machine compromisedby malware has effectively been ‘hacked’ andthat it is usually best to return the machine toa trusted state by removing important data andrebuilding using best practices.

Keep in mind the following;• Change all Passwords associated with this machine• Hardening• Patching