The Malware Life Cycle
The Fascinating World of Infections

The Circle of Life
Birth
Self-protection
Call home
Your wish is my command
Psst! Pass it on

Birth
User invites malware onto PC:
Opens infected attachment
Surfs infected web sites
Downloads warez, e.g. “Winrar v3 FULL VERSION with patch!.exe”, “CR-WZIP8.EXE”
Clicks on link in mail, tweet, IM, text message
Runs infected app on social networking site
Plugs in infected USB drive

Self-protection
Malware takes steps to protect itself:
Turns off anti-virus software
Hides clones in places that users won’t notice
Adds startup entries to registry or startup folder
Blocks anti-virus sites
Installs a rootkit
Infects common programs: Internet Explorer, Windows Explorer, svchost

Call home
Malware calls home for guidance:
Disguises the connection as web traffic
Has internal address book with primary and fallback addresses
Reports in frequently, usually several times a day

Your wish is my command
Malware gets instructions from owner:
Download more malware, change own signature
Send PC information home
Log and report web sites
Monitor and steal banking credentials
Turn on microphone or camera
Monitor and steal network account credentials
Encrypt files for ransom
Whatever the bad guy wants to do

Psst! Pass it on
Malware: the gift that keeps giving
Sends infected mail from you to addresses found on your PC (From: you; To: an address harvested from your PC; Subject: Check this out!)
Infects writable files on network shares
Installs itself on removable media
Scans local network for vulnerable systems
Scans Internet for vulnerable systems

Lather, Rinse, Repeat
Birth
Self-protection
Call home
Your wish is my command
Psst! Pass it on

Our Defenses
Anti-virus

Anti-virus: Important part of Defense-In-Depth
Can be a powerful defense if properly configured and used with a central management server (ePO for McAfee)
Very effective against known malware
Can protect against suspicious behavior: Rogue ; IRC connections; scripts running from temp; additions to startup locations; additions to system directories; disabling anti-virus; installation of Browser Helper Objects (IE); and more!

Anti-virus: Not a cure-all
Not very responsive to unknown threats
Lag time of days or weeks to develop and push out signatures for new malware, leaving systems unprotected against emerging threats
May never detect some malware
Generally not very effective against unknown malware (other than mass mailers)
Can be disabled by Admin users
Logs are often ignored or not understood

Speaking of Logs
ePO Tips

ePO Tips: Most interesting ePO report fields
1. Analyzer Detection Method: was the detection On Access or during an On Demand / Fixed Disk scan?
2. Action Taken: what happened to it?
3. Threat Target File Path: where was it found?
4. Threat Name: what was detected?
5. Other useful fields: Event Generated Time, Threat Target IPv4 Address, Threat Target Host Name, Threat Type

ePO Tips: Things to Consider
1. Look at the Analyzer Detection Method
On Access? The malware was detected as it was written to or read from the disk.
On Demand or Managed Fixed Disk Scan? The malware got onto the PC without being detected.
2. Look at the Action Taken
Deleted, Cleaned, None?
3. Look at the Threat Target File Path
Under C:\Windows\? Probably infected, probably an admin user.
Under C:\Documents and Settings\gleduc\Application Data\? Probably infected.
Under G:\? Probably not infected, but the thumb drive was.
IE cache? Need to talk to the user, maybe look at the machine.

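The three checks above (detection method, action taken, file path) written out as a triage routine. This is an added example, not part of the original deck and not McAfee tooling: the event records are constructed, the field names only mirror those listed on the "Most interesting ePO report fields" slide, and the location categories, the "contained" action list and the priority levels are this example's own assumptions. It also handles one edge case the slides leave implicit: the IE cache lives inside the user profile, so it must be recognised before the profile rule is applied.

```python
"""Triage of ePO threat-event rows using the Detection Method, Action Taken
and Threat Target File Path rules from the "Things to Consider" slides.
Added example; records are constructed and field names mirror the slide."""

import re

# Constructed sample rows in the shape of an ePO threat-event report export.
SAMPLE_EVENTS = [
    {"Threat Target Host Name": "LAB-PC-01", "Threat Name": "Exploit-CVE",
     "Analyzer Detection Method": "On Access", "Action Taken": "Deleted",
     "Threat Target File Path": r"C:\Documents and Settings\gleduc\Local Settings"
                                r"\Temporary Internet Files\Content.IE5\AB12CD34\applet[1].jar"},
    {"Threat Target Host Name": "LAB-PC-02", "Threat Name": "Example-Threat",
     "Analyzer Detection Method": "On Demand", "Action Taken": "None",
     "Threat Target File Path": r"C:\Windows\Temp\svc_update.exe"},
    {"Threat Target Host Name": "LAB-PC-03", "Threat Name": "Example-Threat",
     "Analyzer Detection Method": "On Access", "Action Taken": "Cleaned",
     "Threat Target File Path": r"C:\Documents and Settings\gleduc\Application Data\update.exe"},
    {"Threat Target Host Name": "LAB-PC-04", "Threat Name": "Example-Worm",
     "Analyzer Detection Method": "On Demand", "Action Taken": "Deleted",
     "Threat Target File Path": r"G:\autorun.inf"},
]

# Assumed set of Action Taken values that mean the file is no longer a threat.
CONTAINED_ACTIONS = {"deleted", "cleaned", "blocked", "access denied"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Assessment and next step per location category, taken from the slide's rules.
PATH_ADVICE = {
    "ie_cache": ("Browser cache hit; PC may not be infected",
                 "Talk to the user, maybe look at the machine"),
    "system_dir": ("Probably infected, probably an admin user", "Investigate the machine"),
    "user_profile": ("Probably infected", "Investigate the machine"),
    "other_drive": ("Probably not infected, but the removable drive was",
                    "Clean the drive and check other PCs it was plugged into"),
    "unknown": ("Unclassified location", "Review manually"),
}


def classify_path(path):
    """Map a Threat Target File Path to one of the location categories."""
    p = path.replace("/", "\\").lower()
    # IE cache first: it sits inside the user profile, so the profile rule
    # below would otherwise swallow it and hide the "talk to the user" case.
    if "\\temporary internet files\\" in p:
        return "ie_cache"
    if p.startswith("c:\\windows\\"):
        return "system_dir"
    if p.startswith("c:\\documents and settings\\") or p.startswith("c:\\users\\"):
        return "user_profile"
    m = re.match(r"^([a-z]):\\", p)
    if m and m.group(1) != "c":
        return "other_drive"
    return "unknown"


def triage(event):
    """Return an assessment, next step and priority for one ePO event row."""
    method = event.get("Analyzer Detection Method", "").lower()
    action = event.get("Action Taken", "").lower()
    location = classify_path(event.get("Threat Target File Path", ""))
    assessment, next_step = PATH_ADVICE[location]
    caught_on_access = method.startswith("on access")
    contained = action in CONTAINED_ACTIONS

    notes = []
    if caught_on_access:
        notes.append("On Access: caught as it was written to or read from disk")
    else:
        notes.append("Scan detection: the file reached the disk without being caught")
    if not contained:
        notes.append("Action Taken '%s': threat was not removed" % event.get("Action Taken", ""))

    # A likely-infected host that was not cleaned, or where the file got onto
    # disk undetected, goes to the top of the queue (priority scheme is assumed).
    likely_infected = location in ("system_dir", "user_profile")
    if likely_infected and (not contained or not caught_on_access):
        priority = "high"
    elif likely_infected or not contained:
        priority = "medium"
    else:
        priority = "low"

    return {"host": event.get("Threat Target Host Name", "?"),
            "threat": event.get("Threat Name", "?"), "location": location,
            "assessment": assessment, "next_step": next_step,
            "priority": priority, "notes": notes}


def triage_all(events):
    """Triage every row and order the results highest priority first."""
    return sorted((triage(e) for e in events), key=lambda r: PRIORITY_ORDER[r["priority"]])


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print("%-6s %-10s %-12s %s -> %s" % (r["priority"], r["host"], r["location"],
                                              r["assessment"], r["next_step"]))
        for n in r["notes"]:
            print("       " + n)
```

Feed it a real export by building the same dictionaries from the report's rows; the category rules in classify_path are the place to add site-specific paths (other user-profile roots, network drive letters that are not thumb drives).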
Investigating a malware detection

1. Research (Google is your friend)
Threat Name: Exploit-CVE
Understand what it does and how it does it
Example: a Java vulnerability patched in JRE 6u11. If the machine is at JRE 6u21, then ignore.

2. Check the McAfee logs on the machine
C:\Docs and Settings\All Users\Application Data\McAfee\DesktopProtection\
OnAccessScanLog.txt: OAS detections, DAT version, stats
OnDemandScanLog.txt: detections, type of scan, action taken
AccessProtectionLog.txt: attempts to terminate McAfee, send , run programs from temp or cache directories

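The version check from step 1 as an added example (not from the deck): given the JRE version in which the exploited vulnerability was fixed and the version installed on the machine, decide whether the detection can be ignored. Accepting both the "6u21" and the "1.6.0_21" notation, and treating a different major release line as "unknown" rather than guessing, are this example's own assumptions.

```python
"""Decide whether an Exploit-CVE detection against a Java vulnerability still
matters on a machine, from the installed JRE version (investigation step 1).
Added example; version forms and the 'unknown' rule are assumptions."""

import re

_MARKETING = re.compile(r"^(\d+)u(\d+)$")               # e.g. 6u21
_INTERNAL = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")   # e.g. 1.6.0_21 or 1.6.0


def parse_jre_version(text):
    """Return (major, update) for a JRE version string, or None if unparsable."""
    s = text.strip()
    m = _MARKETING.match(s)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _INTERNAL.match(s)
    if m:
        # A bare 1.6.0 is the original release, i.e. update 0.
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def vulnerability_status(installed, fixed_in):
    """'patched', 'vulnerable' or 'unknown' for the installed JRE versus the
    version in which the exploited vulnerability was fixed."""
    inst = parse_jre_version(installed)
    fix = parse_jre_version(fixed_in)
    if inst is None or fix is None:
        return "unknown"
    if inst[0] != fix[0]:
        # Different major release line: the update number says nothing about
        # whether the fix is present, so leave the call to the analyst.
        return "unknown"
    return "patched" if inst[1] >= fix[1] else "vulnerable"


def recommend(threat_name, installed, fixed_in):
    """One-line recommendation in the spirit of the slide's 'then ignore' rule."""
    status = vulnerability_status(installed, fixed_in)
    if status == "patched":
        return "%s: JRE %s already includes the fix (%s); ignore" % (threat_name, installed, fixed_in)
    if status == "vulnerable":
        return "%s: JRE %s is older than %s; investigate the machine" % (threat_name, installed, fixed_in)
    return "%s: cannot compare %r with %r; investigate" % (threat_name, installed, fixed_in)


if __name__ == "__main__":
    # The slide's own case, plus two constructed ones.
    print(recommend("Exploit-CVE", "6u21", "6u11"))
    print(recommend("Exploit-CVE", "1.6.0_07", "6u11"))
    print(recommend("Exploit-CVE", "7u1", "6u11"))
```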
What if it’s Infected?
Refer to the Information Security Plan
Escalate to the ITSO if the system processes or stores Protected Information: names with SSNs, credit card data, passwords, medical data, disability data, combinations of name, birthdate, mother’s maiden name, last 4 of SSN, driver’s license, grades, etc., etc., etc.
Be prepared to give up the machine for the duration of the investigation
Be prepared to rebuild the machine

Our Defenses
Third-party application patching

Third-party application patching
When responsive, vendors are often very quick to patch
Many applications require a manual download and install to update, a big PITA if the user can’t get Admin rights on the system
Users and sysadmins often don’t know that an update is available or whether it’s a security update
IT support staff often don’t know what software is on their users’ systems
If a vendor stops supporting a product but users really love it, they keep using it
Patch management must be able to patch third-party applications!

The End