Published by Kaya Dubberly. Modified over 9 years ago.
The Malware Life Cycle
The Fascinating World of Infections
The Circle of Life
- Birth
- Self-protection
- Call home
- Your wish is my command
- Psst! Pass it on
Birth: User invites malware onto PC
- Opens infected e-mail attachment
- Surfs infected web sites
- Downloads warez (“Winrar v3 FULL VERSION with patch!.exe”, “CR-WZIP8.EXE”)
- Clicks on link in mail, tweet, IM, text message
- Runs infected app on social networking site
- Plugs in infected USB drive
Self-protection: Malware takes steps to protect itself
- Turns off anti-virus software
- Hides clones in places that users won’t notice
- Adds startup entries to registry or startup folder
- Blocks anti-virus sites
- Installs rootkit
- Infects common programs: Internet Explorer, Windows Explorer, svchost
Call home: Malware calls home for guidance
- Disguises the connection as web traffic
- Has internal address book with primary and fallback addresses
- Reports in frequently, usually several times a day
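The "reports in several times a day, disguised as web traffic" behaviour is exactly what a beacon detector looks for in proxy logs: the same client talking to the same host at suspiciously regular intervals. This added example (not part of the original deck) runs such a check over a few constructed proxy log lines; the log format, the host names and the jitter threshold are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy lines: "<ISO time> <client> <dest host> <status>" (format assumed).
# 10.1.2.3 checks in with update.evil-cdn.example every ~4 hours; its visits to
# www.sdsu.edu are ordinary bursty browsing.
SAMPLE_LOG = """\
2010-03-01T00:02:11 10.1.2.3 update.evil-cdn.example 200
2010-03-01T04:02:13 10.1.2.3 update.evil-cdn.example 200
2010-03-01T08:02:10 10.1.2.3 update.evil-cdn.example 200
2010-03-01T12:02:15 10.1.2.3 update.evil-cdn.example 200
2010-03-01T16:02:09 10.1.2.3 update.evil-cdn.example 200
2010-03-01T09:15:00 10.1.2.3 www.sdsu.edu 200
2010-03-01T09:16:42 10.1.2.3 www.sdsu.edu 200
2010-03-01T13:40:05 10.1.2.3 www.sdsu.edu 200
2010-03-01T17:01:30 10.1.2.3 www.sdsu.edu 304
2010-03-01T17:59:59 10.1.2.3 www.sdsu.edu 200
"""

def parse_log(text):
    """Group connections as {(client, dest): sorted [datetime, ...]}."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, dest, _status = line.split()
            conns[(client, dest)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in conns.items()}

def find_beacons(conns, min_hits=4, max_jitter=0.1):
    """Return {(client, dest): mean gap in seconds} for pairs whose gaps are
    nearly constant. max_jitter caps stdev/mean of the gaps; human browsing is
    bursty and fails this test, a scheduled check-in passes it."""
    beacons = {}
    for key, times in conns.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (client, dest), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: checks in every {gap / 3600:.1f} h")
```

Malware with fallback addresses will show the same regular cadence against a second host once the primary stops answering, so the same check applied over a longer window catches the switch.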
Your wish is my command: Malware gets instructions from owner
- Download more malware, change own signature
- Send PC information home
- Log and report web sites
- Monitor and steal banking credentials
- Turn on microphone or camera
- Monitor and steal network account credentials
- Encrypt files for ransom
- Whatever the bad guy wants to do
Psst! Pass it on: Malware, the gift that keeps giving
- Sends infected mail from you to addresses found on your PC
    From: You@mail.sdsu.edu
    To: YourBuddy@uhoh.net
    Subject: Check this out!
- Infects writable files on network shares
- Installs itself on removable media
- Scans local network for vulnerable systems
- Scans Internet for vulnerable systems
Lather, Rinse, Repeat
- Birth
- Self-protection
- Call home
- Your wish is my command
- Psst! Pass it on
Our Defenses: Anti-virus
Anti-virus – Important part of Defense-In-Depth
- Can be a powerful defense if properly configured and used with a central server (ePO for McAfee)
- Very effective against known malware
- Can protect against suspicious behavior: rogue e-mail; IRC connections; scripts running from temp; additions to startup locations; additions to system directories; disabling anti-virus; installation of Browser Helper Objects (IE); and more!
Anti-virus – Not a cure-all
- Not very responsive to unknown threats
- Lag time of days or weeks to develop and update signatures for malware, leaving systems unprotected against emerging threats
- May never detect some malware
- Generally not very effective against unknown malware (other than mass mailers)
- Can be disabled by Admin users
- Logs are often ignored or not understood
Speaking of Logs: ePO Tips
ePO Tips – Most interesting ePO report fields
1. Analyzer Detection Method: Was the detection On Access or during an On Demand/Fixed Disk Scan?
2. Action Taken: What happened to it?
3. Threat Target File Path: Where was it found?
4. Threat Name: What was detected?
5. Other useful fields: Event Generated Time, Threat Target IPv4 Address, Threat Target Host Name, Threat Type
ePO Tips – Things to Consider
1. Look at the Analyzer Detection Method
   On Access? The malware was detected as it was written to or read from the disk
   On Demand, Managed Fixed Disk Scan? The malware got onto the PC without being detected
2. Look at the Action Taken
   Deleted, Cleaned, None?
ePO Tips – Things to Consider (continued)
3. Look at the Threat Target File Path
   C:\Windows\? Probably infected, probably admin user
   C:\Documents and Settings\gleduc\Application Data\? Probably infected
   G:\? Probably not infected, but thumb drive was
   IE Cache? Need to talk to the user, maybe look at the machine
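The three checks above (detection method, action taken, file path) turn naturally into a triage score that ranks a day's ePO events so the "scan found it, action None, in C:\Windows\" cases surface first. This added example (not the deck's own code, and not an ePO API) applies them to a few constructed ePO-style records; the field names are the ones the slides list, the regexes, the priority weights and the assumption that drive letters D: and later are removable are choices made for the illustration.

```python
import re

# Constructed ePO-style events carrying the report fields named on the slides
# (threat names other than the page's Exploit-CVE2008-5353 are made up).
SAMPLE_EVENTS = [
    {"Threat Name": "Exploit-CVE2008-5353", "Analyzer Detection Method": "On Access",
     "Action Taken": "Deleted", "Threat Target File Path":
     r"C:\Documents and Settings\gleduc\Local Settings\Temporary Internet Files\Content.IE5\x.jar"},
    {"Threat Name": "Sample-Threat-A", "Analyzer Detection Method": "Managed Fixed Disk Scan",
     "Action Taken": "None", "Threat Target File Path": r"C:\Windows\system32\sample.dll"},
    {"Threat Name": "Sample-Threat-B", "Analyzer Detection Method": "On Access",
     "Action Taken": "Deleted", "Threat Target File Path": r"G:\autorun.inf"},
]

WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)
APPDATA_DIR = re.compile(r"^c:\\documents and settings\\[^\\]+\\application data\\", re.I)
IE_CACHE = re.compile(r"\\temporary internet files\\", re.I)
REMOVABLE = re.compile(r"^[d-z]:\\", re.I)  # assumption: D: and later are thumb/external drives here

def triage(event):
    """Score one ePO event by the three slide checks; returns (priority 0-3, notes)."""
    notes, priority = [], 0
    method = event.get("Analyzer Detection Method", "")
    action = event.get("Action Taken", "")
    path = event.get("Threat Target File Path", "")
    # 1. On Access means it was caught being written/read; a scan hit means it was already resident.
    if method.lower() == "on access":
        notes.append("caught on access")
    else:
        notes.append("found by scan: got onto the PC undetected")
        priority += 1
    # 2. Deleted/Cleaned means handled; anything else means the file may still be there.
    if action.lower() not in ("deleted", "cleaned"):
        notes.append(f"action '{action}': file may still be present")
        priority += 1
    # 3. Location says who ran it and whether the PC itself is likely infected.
    if IE_CACHE.search(path):
        notes.append("IE cache: talk to the user, maybe look at the machine")
    elif WINDOWS_DIR.match(path):
        notes.append("Windows dir: probably infected, probably admin user")
        priority += 1
    elif APPDATA_DIR.match(path):
        notes.append("user Application Data: probably infected")
        priority += 1
    elif REMOVABLE.match(path):
        notes.append("removable drive: PC probably not infected, but thumb drive was")
    else:
        notes.append("path not classified: review manually")
    return priority, notes
```

Sorting a batch with `sorted(events, key=lambda e: triage(e)[0], reverse=True)` puts the resident, unhandled, system-directory hits at the top of the queue.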
Investigating a malware detection
1. Research (Google is your friend)
   Threat Name: Exploit-CVE2008-5353
   Understand what it does and how it does it
   Java vulnerability patched in JRE 6u11
   If the machine is at JRE 6u21 then ignore
2. Check the McAfee logs on the machine
   C:\Docs and Settings\All Users\Application Data\McAfee\DesktopProtection\
   OnAccessScanLog.txt: OAS detections, DAT version, stats
   OnDemandScanLog.txt: detections, type of scan, action taken
   AccessProtectionLog.txt: attempts to terminate McAfee, send e-mail, run programs from temp or cache directories
What if it’s Infected?
- Refer to the Information Security Plan: http://security.sdsu.edu
- Escalate to ITSO if the system processes or stores Protected Information: names with SSNs, credit card data, passwords, medical data, disability data, combinations of name, birthdate, mother’s maiden name, last 4 of SSN, driver’s license, grades, etc., etc., etc.
- Be prepared to give up the machine for the duration of the investigation
- Be prepared to rebuild the machine
Our Defenses: Third-party application patching
Third-party application patching
- When responsive, vendors are often very quick to patch
- Many applications require a manual download and install to update – a big PITA if the user can’t get Admin rights on the system
- Users and sysadmins often don’t know that an update is available or whether it’s a security update
- IT support staff often don’t know what software is on their users’ systems
- If a vendor stops supporting a product, but users really love it, they keep using it
- Patch Mgt must be able to patch third-party applications!
The End