1  Computer and Internet Security
   JCCAA Presentation, 03/14/2009
   Yu-Min (Phillip) Hsieh, Sr. System Administrator, Information Technology, Rice University
2  Malware (malicious software)
   Why do people write malware? Financial gain, political reasons, personal reasons.
   What are its other names? Trojan, virus, worm, spyware, adware, rogue antivirus applications.
   What does it do? Sends spam mail; steals identities, financial information and trade secrets; attacks other Internet websites.

3  Malware: other names
   Trojan
   Virus
   Worm
   Spyware
   Adware
   Rogue antivirus applications
   ...
4  How does a machine get infected?
   Application vulnerabilities: when an application listening on the network is not written securely, a remote, unauthenticated attacker can execute arbitrary code with that application's privileges and from there gain elevated privileges. Example: buffer overflow.
   User activities
   Compromised administrative credentials
5  How to prevent malware infections?
   Windows and application updates
   Windows Firewall
   Antivirus application
   Ignore spam mail: no curiosity, no greed
   Careful browsing on the Internet
   You can never be 100% protected: zero-day exploits and piggy-back downloads (malware bundled with something you chose to install) still get through.
6  How to remove a malware infection?
   Antivirus program: removes known malware, or tells you the specific removal steps
   Seek professional help
   Restore an earlier good system state: System Restore or ntbackup (restore)
   Windows Recovery Console
   Reinstall the operating system
7  Why are those special recovery procedures needed?
   Can any antivirus application automatically clean a system 100% of the time, even when it knows which executables are the malware?
8  Is the system really compromised? Is the system really secure?
9  Malware characteristics
   Installs silently or deceptively
   Breaks the system when removed
   Starts automatically on reboot (Windows registry auto-start entries)
   Runs in the background
   Obscurely named, or placed in an obscure path
   Cannot be removed easily
   Hidden: by file permissions, alternate data streams, or a rootkit
10 Is the system really compromised?
   Not merely because there is a malicious registry entry
   Not merely because there is a malicious executable on disk
   Only when malicious code is actually running
   Is the system really secure?
   Not unless you know what is running on the system and are able to verify it
11 Orthrus: a host intrusion prevention application
   Why develop Orthrus? A bad security incident with no vendor support.
   How is it developed? By automating what an administrator would do by hand.
   What are the goals? Monitoring host security and user recovery ...
12 Orthrus download
   Click the "Free Orthrus Download" link
   Orthrus main components: Orthrus.exe, Orthnote.exe, a custom event log
13 Orthrus
   Knowing what is running:
     auto-start executables
     operating system modules and sub-modules
     no user applications
   What is automatically removed:
     registry entries without an executable behind them
     Windows exploits
     rootkit malware
14 Orthrus: verifying an executable
   Trusted by Windows File Protection
   Trusted by TrustedInstaller ownership
   Digitally signed and verified
   Obscurely named or pathed
   Falsified extended file information
   Internet lookup
   Exploits
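The checks on slides 9, 13 and 14 (auto-start entries with no executable, signature status, TrustedInstaller ownership, obscure names and paths, version information that claims Microsoft without a Microsoft signature, alternate data streams) can be reproduced by hand with built-in tooling. The script below is an added example written for this page; it is not Orthrus code and not from the slides. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt on Windows (the -Stream parameter and the -in operator need PowerShell 3 or later), reads only the Run/RunOnce keys listed in $RunKeys, and changes nothing on the system. The heuristics (vowel-less basenames, user-writable roots) are flags for a human to review, not verdicts.

```powershell
# Added example, not part of the JCCAA slides or of Orthrus. Audits Windows
# auto-start entries with the checks slides 9, 13 and 14 describe. Assumes an
# elevated Windows PowerShell 5.1 / PowerShell 7 prompt on Windows. Read-only.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable roots; a legitimate auto-start binary rarely lives here.
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                  "$env:SystemRoot\Temp") | Where-Object { $_ }

# Turn a Run value ("C:\x y\a.exe" /q, or unquoted C:\x y\a.exe /q) into a file path.
function Get-ExecutableFromCommand([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $parts = $c -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {          # unquoted path containing spaces
        $candidate = $parts[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Test-AutoStartExecutable([string]$Key, [string]$Name, [string]$Command) {
    $path  = Get-ExecutableFromCommand $Command
    $flags = New-Object 'System.Collections.Generic.List[string]'
    $sigStatus = 'n/a'; $owner = 'n/a'; $company = 'n/a'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $flags.Add('orphaned-entry')               # registry value with no file behind it
    } else {
        $sig       = Get-AuthenticodeSignature -LiteralPath $path
        $owner     = (Get-Acl -LiteralPath $path).Owner
        $company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        $sigStatus = [string]$sig.Status
        $signedByMs = $sig.Status -eq 'Valid' -and
                      $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
        if ($sig.Status -ne 'Valid') { $flags.Add("signature:$sigStatus") }
        # Falsified extended file information: claims Microsoft, not signed by Microsoft.
        if ($company -match 'Microsoft' -and -not $signedByMs) { $flags.Add('company-claim-unverified') }
        # Files under the Windows directory are normally owned by TrustedInstaller.
        if ($path -like "$env:SystemRoot\*" -and $owner -ne 'NT SERVICE\TrustedInstaller') {
            $flags.Add("owner:$owner")
        }
        foreach ($root in $SuspectRoots) {
            if ($path -like "$root\*") { $flags.Add('user-writable-location'); break }
        }
        # Obscure name: a long vowel-less alphanumeric basename looks machine-generated.
        $base = [IO.Path]::GetFileNameWithoutExtension($path)
        if ($base -match '^[a-z0-9]{6,}$' -and $base -notmatch '[aeiou]') { $flags.Add('obscure-name') }
        # Hidden payload in an alternate data stream attached to the binary.
        $ads = Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
        if ($ads) { $flags.Add('ads:' + (($ads | ForEach-Object { $_.Stream }) -join '|')) }
    }
    [pscustomobject]@{
        Key = $Key; Name = $Name; Path = $path; Signature = $sigStatus
        Owner = $owner; Company = $company; Flags = ($flags -join ',')
    }
}

function Get-AutoStartAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            Test-AutoStartExecutable -Key $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
}

# Baseline: save the inventory once the administrator has verified it, then diff
# later runs against it; "=>" rows are entries that were not in the verified set.
function Save-AutoStartBaseline([string]$File) {
    Get-AutoStartAudit | ConvertTo-Json | Set-Content -LiteralPath $File
}
function Compare-AutoStartBaseline([string]$File) {
    $base = @(Get-Content -LiteralPath $File -Raw | ConvertFrom-Json)
    Compare-Object -ReferenceObject $base -DifferenceObject @(Get-AutoStartAudit) `
                   -Property Key, Name, Path, Signature
}

Get-AutoStartAudit | Where-Object { $_.Flags } | Format-Table Name, Path, Flags -AutoSize
```

Run it once after a clean build, review every flagged row, then call Save-AutoStartBaseline on a path you choose; Compare-AutoStartBaseline afterwards shows only what changed. Entries that launch a host process (rundll32.exe, regsvr32.exe, cmd.exe) are checked on the host binary only, so the argument after it still needs a manual look, and this covers only the Run/RunOnce keys, not services, scheduled tasks or the Startup folder.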
15 Orthrus: information collected
   extended file information
   process history (exceptions and warnings)
   Orthrus: information transmitted
   over the secure HTTP protocol (HTTPS)
   Orthrus: information not touched
   identity of the user and of the computer
16 Orthrus: system recovery
   last-known-clean restore point
   ntbackup restore
   Windows Recovery Console
17 Orthrus: weaknesses
   Speed
   Support
   Executables must be verified and permitted manually
18 What if I don't want to know, and don't want anyone else to know, what is running on my system?
   Use a more secure operating system: Windows Vista, Windows 7
   Windows and application security updates
   Windows Firewall
   Antivirus application
   Ignore spam mail: no curiosity, no greed
   Careful browsing on the Internet
19 Orthrus
   Send questions on how to use the Orthrus application by e-mail with the exact subject line "Orthrus Questions". All other inquiries may be ignored.
20 Questions?