How Malware Works - Understanding Software Vulnerabilities


Published on February 14, 2014

Author: BunmiSowande



Most computer viruses use software vulnerabilities to get installed. This is a brief look at the risk software vulnerabilities pose.

How malware works: Software Vulnerabilities 30th October 2013 – 11am (UK) Bunmi Sowande +44 (0) 7818 515 687

Agenda
• Introduction – F-Secure
• Security in the news
• Malware – how you get infected
• Software vulnerabilities
• Anatomy of a cyber crime
• Software publishers fight back
• We will protect you – F-Secure’s 8 layers of protection
• F-Secure Software Updater

Praised by Analysts The Forrester Wave™: Endpoint Security, Q1 2013 Forrester Research Inc. gave us the highest score among all vendors for our product roadmap and strategy. We received top ranking scores on our performance and satisfaction, in addition to our advanced antimalware technologies.

Awarded Protection – Prestigious Best Protection awards by AV-TEST. “We are proud to congratulate the entire F-Secure team for receiving the AV-TEST Best Protection Award 2012.” “Out of all corporate endpoint protection products reviewed, F-Secure Client Security offered by far the best protection.” – Andreas Marx, CEO of AV-TEST

Awarded Protection Top Ranked Protection year after year! Top Rated Protection since 2006!

Awarded Protection Certified and awarded by numerous 3rd parties!

Comprehensive Protection Providing 360 protection from all threats Protection Service for Business Business Suite In-House IT Policy Manager Management as a Service Internet Gatekeeper Messaging Security Gateway PSB Portal Out-sourced IT Server Security Client Security Email and Server Security Mobile Security Linux Security AV for Workstations PSB Server Security PSB Email and Server Security PSB Workstation Security Protection Service for Email PSB Mobile Security





Malware Attack Vectors
INFECTED ADVERTISEMENT: An otherwise legitimate website is infected through hostile advertisements originating from non-website-related, independent 3rd-party ad agencies, which then contaminate visitors by exploiting software vulnerabilities.
CONTAMINATED WEBSITE: A legitimate website is compromised by an attacker and consequently contaminated by inserting malicious content into it, which then infects every visitor going to the site.
CONTAMINATED ATTACHMENT: An authentic-looking email deceives the end user into opening a seemingly genuine attachment, which contains integrated malware that gains access to the system through a software vulnerability or exploit.
MALICIOUS LINK TO MALWARE: An email from a seemingly trusted or legitimate source deceives the end user into following a link to an external website, which contains malicious software that infects every visitor going to the site.

Malware Attack – What Next?
VULNERABILITY: Due to a vulnerability in outdated software, an integrated malware payload is installed.
BACKDOOR: The malware contacts a remote server and deploys additional malware, ensuring multiple backdoors and remote access.
ACCESS: With access secured, the attacker aims to escalate privileges in order to gain further access in the network.

Malware Attack – What Next?
DATA: With access to the most confidential parts and files of the network, the criminal identifies the most valuable data and starts sending it to external staging servers.
ESCAPE: The valuable data is then extracted and sent onward. The attacker destroys evidence and hides their tracks, but might leave a backdoor for further access.

Karmina, Senior Analyst
WHAT IS A SOFTWARE VULNERABILITY? A software bug or defect that allows your device to be compromised. Security (an intersection of 3 elements):
• a system susceptibility or flaw
• attacker access to the flaw
• attacker capability to exploit the flaw

Vulnerabilities by Numbers – Top 10 Vendors (no. of vulnerabilities, 2012 vs 2011; the arrow shows the direction of change from 2011)
Vendor      2012     2011
Oracle      424 ↑    262
Apple       270 ↑    110
Mozilla     195 ↑    143
Microsoft   169 ↓    189
IBM         154 ↑    144
Google      150 ↓    246
Adobe       137 ↓    244
Cisco       134 ↓    299
HP           74 ↓    135
Apache       55 ↑     44
Source: National Vulnerability Database (

Vulnerabilities by Numbers – Most Targeted Operating Systems and Applications (no. of vulnerabilities, 2012 vs 2011; arrows as printed on the slide)
Operating System                 2012     2011
Apple iOS                         86 ↑     35
Microsoft Windows Server 2003     45 ↓    105
Microsoft XP                      42 ↓     96
Microsoft Windows 2008            48 ↓    101
Microsoft Windows Vista           41 ↓     91
Microsoft Windows 7               42 ↓     98
Cisco IOS                         36 ↑     36
Linux Kernel                      45 ↓     45
Oracle Solaris                    47 ↑     47
VMware ESXi                       12 ↑      7
VMware ESX                        11 ↑      7
Cisco IOS XE                       9 ↓     13
Citrix Xen                        33 ↑      3
Apple Mac OS X                    21 ↓     69
Apple Mac OS X Server             17 ↓     66

Application                      2012     2011
Mozilla Firefox                  159 ↑     97
Mozilla Thunderbird              144 ↑     63
Mozilla SeaMonkey                143 ↑     63
Google Chrome                    125 ↓    275
Mozilla Firefox ESR              115        –
Mozilla Thunderbird ESR          109        –
Apple iTunes                     102 ↑     78
Apple Safari                      85 ↑     45
Adobe Flash Player                66 ↑     63
Oracle Java                       58 ↑     37
Adobe Air                         54 ↑     27
Adobe Flash Player for Android    53        –
Ffmpeg                            42 ↑     10
Microsoft Internet Explorer       41 ↓     45
Adobe Shockwave Player            27 ↓     38
Adobe Reader                      25 ↓     65
(– : no 2011 figure given on the slide)
Source: National Vulnerability Database (

Is Windows Update based Patch Management Enough?

Vulnerability Types RCE EOP DOS Leak

Vulnerability Types – RCE
• RCE – Remote Code Execution
• Runs code without authorisation or authentication
• “Drive-by installations”
• Code is designed as data
• Documents, emails and websites can be used

Vulnerability Types – EOP
• EOP – Elevation of Privilege
• Allows an attacker to either gain higher privileges or impersonate another user with higher privileges
• Usually targets the “admin” or “root” account
• Combined with RCE, allows an attacker to install malware on one or more systems

Vulnerability Types – DOS
• DOS – Denial of Service
• Makes a device or system unavailable to intended users
• Uses or creates software bottlenecks: excessive CPU usage, memory leaks, disk I/O, slow or long LDAP searches, database calls or large join operations
• Motives for DOS: protestors and hacktivists, industrial espionage, distraction from criminal activity

Vulnerability Types – Leaks
• Leaks (or information disclosure)
• Enable an attacker to gain valuable information
• Memory dumps, log files, network traffic
• Mobile phone apps – unencrypted data
• Invisible to the user

Gregory, Senior Software Engineer
ZERO-DAY: An attack that exploits a previously unknown vulnerability
APT – Advanced Persistent Threat: A targeted attack aimed at specific organisations
• Governments
• Financial institutions
• Medical organisations

Veli-Jussi, Director, Security Products
ANATOMY OF A CRIME – RSA (Source: RSA)

Anatomy of a crime – RSA – March 2011 (Source: RSA)
1 PHISHING: The attacker sent two ‘spear phishing’ emails during the course of a two-day period. The email, titled “2011 Recruitment Plan”, related well to the ongoing recruitment process in the company.
2 EMPLOYEE: The emails were sent to two small groups of employees without particularly high profile or target value. The email was crafted well enough to trick one employee into retrieving it from their Junk mail folder and opening the attached Excel file.
3 VULNERABILITY: The attached Excel file contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).

Anatomy of a crime – RSA
4 REMOTE ACCESS: With the backdoor secured, the attacker installed a remote administration tool called ‘Poison Ivy’, which allowed the attacker to remotely control the computer.
5 SENSITIVE DATA: With remote access established, the attacker leveraged the original credentials to gain entry to more ‘strategic’ systems and to employees with access to sensitive data. The data was then extracted and aggregated on an internal staging server.
6 EVASION & EXIT: From there, the data was sent to an external staging server on a compromised machine, and subsequently pulled by the attacker. Data and traces were removed from the compromised host.
$66.3 Million: direct bottom-line cost of investigating and monitoring corporate customer transactions.
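The Excel attachment in the RSA case above carried its exploit as an embedded Flash object, the “code as data” pattern from the RCE slide. As an added example (not F-Secure or DeepGuard code), the Python below applies a defender's triage heuristic: it unpacks an xlsx-style ZIP container, or scans a raw legacy binary file, for SWF headers and flags the document for review. The sample documents and the SWF-like bytes are constructed inside the block; the header sanity limits are assumptions, not a specification.

```python
"""Heuristic attachment check: flag Office documents that embed a Flash (SWF) object.
Added example, not F-Secure or DeepGuard code. Assumes .xlsx/.docx files are ZIP
containers and that legacy binary .xls/.doc files store embedded objects raw."""
import io
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF
ZIP_MAGIC = b"PK\x03\x04"

def swf_header_offsets(blob: bytes) -> list:
    """Offsets of plausible SWF headers: magic, version byte, 4-byte little-endian length."""
    hits = []
    for magic in SWF_MAGICS:
        idx = blob.find(magic)
        while idx >= 0:
            if len(blob) >= idx + 8:
                version = blob[idx + 3]
                length = int.from_bytes(blob[idx + 4:idx + 8], "little")
                if 1 <= version <= 60 and length >= 8:  # assumed sanity bounds, cut false positives
                    hits.append(idx)
            idx = blob.find(magic, idx + 1)
    return sorted(hits)

def find_embedded_swf(data: bytes) -> dict:
    """Map container member name (or '<raw>' for non-ZIP data) to SWF header offsets."""
    findings = {}
    if data.startswith(ZIP_MAGIC):  # xlsx/docx style container: inspect every member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits = swf_header_offsets(zf.read(name))
                if hits:
                    findings[name] = hits
    else:  # legacy binary document: embedded objects sit uncompressed in the file
        hits = swf_header_offsets(data)
        if hits:
            findings["<raw>"] = hits
    return findings

# Constructed samples (not real documents): a fake SWF header and an xlsx-like container.
def fake_swf(version: int = 10, length: int = 100) -> bytes:
    return b"CWS" + bytes([version]) + length.to_bytes(4, "little") + b"\x00" * 16

def build_xlsx_like(embed_swf: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed_swf:  # OLE header bytes followed by the SWF, as an embedded object would be
            zf.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + fake_swf())
    return buf.getvalue()

CLEAN_XLSX = build_xlsx_like(False)
SUSPICIOUS_XLSX = build_xlsx_like(True)
LEGACY_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + fake_swf(version=9, length=4096)
```

A hit only means the document deserves a second look (embedded Flash was legitimate in some spreadsheets); `find_embedded_swf(SUSPICIOUS_XLSX)` reports the member and offset so an analyst can carve the object out for further inspection.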

Ransomware – Targeting SMBs and home users


Blackhole Exploit Kit
• Off-the-shelf malware tool – currently the most prevalent web threat
• Targets web users through out-of-date browsers to install malware
• Once infected, the attacker can see what other vulnerabilities can be exploited

87% of corporate computers miss critical software updates.
Missing updates per computer (share of computers): 0 – 13%; 1-4 – 13%; 5-9 – 25%; >10 – 49%

Software Publishers fight back
• Microsoft – Patch Tuesday
• SAP + Adobe – Patch Tuesday
• Oracle – Quarterly patches
• Apple

Software publishers fight back • Bug Bounty Programs

Software publishers fight back • T-Shirt Gate – Yahoo!

How can you protect yourself?
• Patch regularly, patch quickly
• Reduce your attack surface – less (software) is more
• Avoid vulnerable software – Java, in particular
• Get an anti-virus program – and keep it up to date!
• Have a strong security policy and enforce it
• “Educate Rob” – user education. You are only as strong as your weakest link.


How can you protect yourself?
• 95% of all attack attempts can be attributed to just 5 vulnerabilities
• 1 vulnerability in Windows, 4 in Java
• 3 of the top 5 were less than 6 months old; the most prevalent is 2 years old and was the top vulnerability in 2012
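The “missing updates” chart and the patching advice above both come down to knowing which third-party products on each machine sit below a patched version. As an added example (constructed data, not F-Secure Software Updater code), the Python below compares an inventory against a baseline, buckets hosts the way the chart does, and shows the version-comparison pitfall that plain string ordering causes; the baseline versions and hostnames are illustrative, not real advisory values.

```python
"""Fleet patch audit: count missing third-party updates per host and bucket hosts the way
the 'Missing updates' chart does (0, 1-4, 5-9, >10). Added example with constructed data;
not F-Secure Software Updater code, and the baseline versions are illustrative only."""
import re
from collections import Counter

# Constructed baseline: lowest version treated as patched for each product (not real advisories).
PATCHED_BASELINE = {
    "Oracle Java": "7.0.45",
    "Adobe Flash Player": "11.9.900.117",
    "Adobe Reader": "11.0.5",
    "Mozilla Firefox": "25.0",
    "Google Chrome": "30.0.1599.101",
    "Apple iTunes": "11.1.2",
    "VLC Media Player": "2.1.0",
}

def version_key(version: str) -> tuple:
    """Numeric tuple for comparison: '10.3' > '9.0' (plain string comparison gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def missing_updates(installed: dict) -> list:
    """Products on one host that sit below the patched baseline; unknown products are ignored."""
    return sorted(product for product, ver in installed.items()
                  if product in PATCHED_BASELINE
                  and version_key(ver) < version_key(PATCHED_BASELINE[product]))

def bucket(count: int) -> str:
    """Chart bucket for a host; the slide's labels skip 10, which is counted here as '>10'."""
    if count == 0:
        return "0"
    if count <= 4:
        return "1-4"
    if count <= 9:
        return "5-9"
    return ">10"

def audit(fleet: dict) -> dict:
    """Per-host missing updates, the bucket distribution, and the share of hosts missing any."""
    per_host = {host: missing_updates(sw) for host, sw in fleet.items()}
    distribution = Counter(bucket(len(missing)) for missing in per_host.values())
    hosts_missing_any = sum(1 for missing in per_host.values() if missing)
    share = round(100 * hosts_missing_any / len(fleet)) if fleet else 0
    return {"per_host": per_host, "distribution": dict(distribution), "pct_missing_any": share}

# Constructed inventory (hostnames and versions are made up for the example).
FLEET = {
    "ws-01": {"Oracle Java": "7.0.45", "Adobe Reader": "11.0.5", "Mozilla Firefox": "25.0"},
    "ws-02": {"Oracle Java": "7.0.21", "Adobe Flash Player": "11.9.900.117", "Google Chrome": "30.0.1599.101"},
    "ws-03": {"Oracle Java": "6.0.37", "Adobe Flash Player": "10.3.183.90", "Adobe Reader": "9.5.5", "Mozilla Firefox": "19.0"},
    "ws-04": {"Adobe Reader": "10.1.8", "Google Chrome": "9.0.597.107", "7-Zip": "9.20"},
    "ws-05": {"Oracle Java": "6.0.20", "Adobe Flash Player": "10.0.45.2", "Adobe Reader": "8.2.0",
              "Apple iTunes": "10.7", "VLC Media Player": "1.1.11"},
}
```

`audit(FLEET)` returns the per-host lists plus the bucket counts, so the same data that drives a patch run also reproduces the chart for reporting.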

Comprehensive Protection – Providing you with 8 layers of protection
1. URL/WEB ACCESS FILTERING
2. HTTP PROTOCOL SCANNING
3. EXPLOIT DETECTION
4. CLOUD REPUTATION QUERIES
5. SANDBOXING AND BEHAVIOURAL ANALYSIS
6. REAL-TIME SCANNING
7. MEMORY SCANNING
8. RUNTIME HEURISTICS
Corporate: Client Security, Server Security, Email and Server Security, PSB Workstation Security, PSB Email and Server Security. Consumer: Internet Security 2014. Mobile: F-Secure Mobile Security.

Software Updater is unique Unique automatic deployment of security updates Patch management not just for Windows but also for 3rd party products Best detection, automatic updates and integrated management for an affordable package price

Software Updater Combining operational efficiency and security Out-of-date 3rd party software is a significant security risk, yet expensive to update without Software Updater! … = Significant Cost Savings! Can be deployed in less than one hour.

Software updater supported applications .NET Framework 7-Zip Access Access Database Engine Access Runtime Acrobat Distiller Acrobat Elements Acrobat Reader Adobe Acrobat Adobe AIR Adobe Flash Adobe Flash Player Plugin Adobe Reader Adobe Reader MUI Adobe Shockwave Player Apache Apache Tomcat Apple Application Support Apple iTunes Apple QuickTime AT&T Global Network Client Audacity BizTalk Server BlackBerry Desktop Manager BlackBerry Server for Exchange Business Contact Manager for Outlook CCleaner CDBurnerXP Citrix Group Policy Management Citrix MetaFrame XP Citrix Online Plugin Citrix Password Manager Console Citrix Presentation Server Citrix Single Sign-On Console Citrix XenApp Commerce Server Content Management Server CoreFTP DirectX Excel Microsoft Office Excel Viewer Exchange Exchange System Manager FileZilla Firefox Flash Player Plugin Foxit Reader Microsoft FrontPage Server Extensions Gimp Google Chrome Google Picasa Google Talk Groove Host Integration Server HP System Management Homepage Hyper-V InfoPath Internet Explorer Internet Information Server Internet Information Services ISA Server Java Development Kit LibreOffice MDAC Microsoft Antigen for SMTP Gateways Microsoft AntiXSS Microsoft CAPICOM Microsoft Digital Image Microsoft Expression Blend Microsoft Expression Design Microsoft Expression Encoder Microsoft Expression Media Microsoft Expression Studio Microsoft Expression Web Microsoft FAST Search Server 2010 for Sharepoint Microsoft Forefront Client Security Microsoft Forefront Endpoint Protection Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint Microsoft Forefront Threat Management Gateway Windows Journal Viewer Microsoft Lync Microsoft Lync Server Microsoft Office Microsoft Office Communications Server Microsoft Office Communicator Microsoft Office Converter Pack Microsoft Office File Validation Add-In Microsoft Office Groove Server Microsoft Office InfoPath Microsoft Office Outlook Microsoft Office Pinyin 
IME Microsoft Office Project Server Microsoft Office Search Server Microsoft Office SharePoint Server Microsoft Office Small Business Accounting Microsoft Office Visual Web Developer Microsoft Office Web Apps Application Server Components Microsoft Outlook Express Microsoft Project Web Front End Server Microsoft Report Viewer Redistributable Microsoft Search Server Services For Unix Microsoft SharePoint Microsoft Silverlight Microsoft Step By Step Interactive Training Microsoft System Center Configuration Manager Microsoft Systems Management Server MICROSOFT UNIFIED ACCESS GATEWAY Microsoft Virtual Machine (VM) Microsoft Virtual PC Microsoft Virtual Server Microsoft Visual C++ Redistributable Microsoft Visual Studio Microsoft Visual Studio Tools for Applications Microsoft Windows Defender Microsoft Windows Live OneCare Microsoft Word Server Microsoft Works 6-9 Converter MozyHome MozyPro MSComctl Analysis Services MSN Messenger MSXML NetChk Protect Notepad++ Office Microsoft Office OneNote Opera Oracle OpenOffice.Org Outlook Outlook Express Outlook TimeZoneMove Pidgin PowerPoint PowerPoint Viewer Producer for PowerPoint Microsoft Project Proofing Tools Publisher RealPlayer RealVNC Safari Salesforce Chatter Desktop SeaMonkey Sharepoint Designer Microsoft SharePoint Team Services Sharepoint Workspace Shavlik NetChk Protect SkyDrive Pro Skype Skype Business Small Business Server SNA Server Snapshot Viewer for Microsoft Access SQL Server SQL Server Desktop Engine (MSDE) Sun Java Runtime Environment Thunderbird TortoiseSVN UltraVNC Virtual CloneDrive Visio Visio Viewer Visual Basic Visual Basic for Applications SDK Visual C++ Redistributable Visual FoxPro Visual Studio .NET VLC Media Player VMware Player VMware Workstation Winamp Windows Server Windows Windows Embedded Standard Windows Home Server Windows Storage Server Windows Hyper-V Server Windows Internal Database Windows Live Messenger Windows Mail Windows Media Encoder Windows Media Player Windows Media Services 
Windows Messenger MSN MESSENGER Windows Movie Maker Windows Search Windows SharePoint Services Windows Small Business Server Windows Storage Server Windows Web Server WinRAR WinZip SQL Server Desktop Engine (Windows) Word Word Viewer WSUS Zimbra Desktop

F-Secure DeepGuard 5 – EXPLOIT DETECTION
DeepGuard 5.0 monitors the most commonly exploited software and protects against threats such as “Red October”. If the software starts to behave suspiciously, DeepGuard stops the exploit. Special logic handles document exploits.

F-Secure DeepGuard Sandboxing and Behavioural Analysis Proactive behaviour-based protection against emerging threats Unknown Program Executes Behavior Analysis Reputation Check Event Analysis DeepGuard is our behaviour analysis feature, providing you with a last line of defence against unknown malware

DeepGuard 5 vs IE Zero-Day Exploit CVE-2013-3893

CLOUD REPUTATION QUERIES – Real Time Protection Network
Quite a few protection features gain their bleeding edge from cloud-based operations, and this requires a connection to the F-Secure cloud.

URL/WEB ACCESS FILTERING F-Secure Browsing Protection While browsing the internet, it is nice to see where you could safely go… And when your user takes a wrong turn, we are there to stop them.

HTTP PROTOCOL SCANNING – Network Interceptor Framework (NIF)
No more browser plugins. All HTTP, IMAP4, POP3 and SMTP traffic is scanned.
Firewall – Network Traffic Control: the F-Secure Firewall controls all network traffic to and from your workstation.

F-Secure Reseller/Partner Technical Training day coming soon 6th December 2013 Slough Copthorne Hotel Places limited - contact me for details 07818 515 687
