Understanding Malware: Spyware, Viruses and Rootkits
Steve Lamb, IT Pro Evangelist for Security Technologies


1 Understanding Malware: Spyware, Viruses and Rootkits
Steve Lamb, IT Pro Evangelist for Security Technologies
stephlam@microsoft.com
http://blogs.technet.com/steve_lamb
Copyright © 2005 Mark Russinovich

2 Scope
What this talk covers:
– Types of malware
– How malware propagates and works
– How to detect and prevent malware
What it doesn’t:
– Phishing
– Product reviews and comparisons
– General security information
– How to write malware

3 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

4 Is Anyone After You?

5 Know Your Adversary

6 Spyware is Rampant
We’ve all cleaned malware off the computers of family and friends
EarthLink found an average of 28 spyware programs on their customer systems
Spyware is the cause of 2 of every 5 home user and 1 out of every 4 corporate customer service calls

7 The Growing Threat [1]
1403 new vulnerabilities discovered in Q304/Q105
– 13% increase over previous 6 months
– 97% rated as moderately or highly severe
– 80% remotely exploitable
– 70% “easy” to exploit
7630 new worms and viruses discovered in 2H04
– 64% increase over previous 6 months
54% of malware created in 2H04 exposes confidential information
– Up from 44% in the previous 6 months
[1] Symantec March 2005 Internet Security Threat Report

8 There’s a Sense of Complacency
Many users expect to get spyware and adware as part of freeware
Lots of unpatched systems
– The top five reported exploited corporate computer vulnerabilities have had patches available for months
– According to CERT, 95% of security breaches use known vulnerabilities
– As of March 2005 less than ¼ of corporate Windows XP users had applied SP2

9 Fighting Malware: A Top Priority
Interferes with productivity
Causes a constant support burden
Opens the door to financial and corporate data theft
It’s a matter of time before there’s a major terrorist incident in cyberspace
Understanding malware is the key to fighting it

10 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

11 Definitions
Adware:
– Software that delivers ads through banners and popups
Spyware:
– Gathers information without consent
– Sends the information to 3rd parties without notification
– Changes behavior, look, or feel without consent
– Spyware is often combined with adware
Trojan:
– Malware disguised as harmless software

12 How It Gets Delivered
By e-mail invitation or attractive attachment
– Fake Microsoft security bulletins
– See http://www.microsoft.com/security/incident/authenticate_mail.mspx
– Pictures
Piggy-backed on software installs

13 How It Gets Delivered (cont’d)
Drive-by downloads
– Users get tricked by misleading ActiveX certificates
– IE in Windows XP SP2 has clearer notifications
Popups and other tricks
– Lots of third-party popup blockers
– IE in Windows XP SP2 has a blocker
– Banners and “pop-overs” can still trick users

14 Preventing Spyware, Adware and Trojans
Disable all active content in IE
– This can prevent certain sites from working
– For example, Windowsupdate.com
Always click the close window button (‘X’) in a popup window to close it
Only download from reputable sites that certify software as being virus free
Use antispyware

15 Antispyware
Antispyware utilities, like antivirus, both scan for and block spyware
Scanning relies on:
– A spyware signature database
– File scanning
– A remediation database
– It’s an after-the-fact solution
Spyware blocking relies on detecting spyware installation when it happens

16 Inside Spyware Blocking
Microsoft Antispyware (MSAS) includes “real-time protection”:

17 MSAS Real-Time Protection
MSAS scans spyware startup points in the file system and registry every 10 seconds

18 MSAS Blocking
When it sees a new entry it pops up a notification window
Choosing “block” results in MSAS deleting the new entry

19 Manual Cleaning
You should know how to identify potential malware and clean it
– AS only addresses known spyware
– AS can be attacked directly by spyware
– A system might not have AS
Tools for cleaning and investigating what’s running and what’s configured to run (all from www.sysinternals.com)
– Autoruns
– Process Explorer
– Sigcheck

20 Investigating Autostarts
Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications
– It knows about few locations
– It provides little information

21 Autoruns
Shows every place in the system that can be configured to run something at boot & logon
– Services
– Tasks
– Explorer and IE addins (toolbars, browser helper objects, …)
Shows full path and version information of startup image
Easy Web search
Easy to focus on non-Microsoft code (Hide Signed Microsoft Entries)
Can also show empty locations
– Informational only
Includes command-line version
– Easy to script
– Collect profile of systems in network
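Slides 17, 18 and 21 describe one technique from two sides: snapshot the autostart locations, compare the snapshot with a known-good profile, and review whatever is new, ignoring signed Microsoft entries. The Python below is an added illustration of that baseline-and-diff; it is not code from the presentation, from Autoruns or from MSAS. The registry locations, image paths and the two snapshots are constructed for the example, and the signer field stands in for the publisher that Autoruns shows for a signed image.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AutostartEntry:
    """One thing configured to run at boot or logon, as an Autoruns-style scan reports it."""
    location: str           # registry key or folder that launches the image
    name: str               # value name (or filename) inside that location
    image_path: str         # full path of the image that gets launched
    signer: Optional[str]   # publisher from a verified code signature, None if unsigned


RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\Services"

# Constructed baseline: a snapshot taken while the machine was known to be clean.
BASELINE: Set[AutostartEntry] = {
    AutostartEntry(RUN_KEY, "ctfmon", r"C:\Windows\system32\ctfmon.exe", "Microsoft Windows"),
    AutostartEntry(SERVICES_KEY, "Spooler", r"C:\Windows\system32\spoolsv.exe", "Microsoft Windows"),
    AutostartEntry(RUN_KEY, "ExampleAV", r"C:\Program Files\ExampleAV\avtray.exe", "Example AV Ltd"),
}

# Constructed later snapshot: one signed Microsoft addition and one unsigned image
# that a hypothetical installer dropped straight into the Windows directory.
CURRENT: Set[AutostartEntry] = BASELINE | {
    AutostartEntry(RUN_KEY, "SyncTool", r"C:\Program Files\Microsoft SyncTool\synctool.exe", "Microsoft Corporation"),
    AutostartEntry(RUN_KEY, "Updater", r"C:\Windows\updater.exe", None),
}


def new_entries(baseline: Set[AutostartEntry], current: Set[AutostartEntry]) -> List[AutostartEntry]:
    """What MSAS real-time protection reacts to: entries absent from the previous snapshot."""
    return sorted(current - baseline, key=lambda e: (e.location, e.name))


def removed_entries(baseline: Set[AutostartEntry], current: Set[AutostartEntry]) -> List[AutostartEntry]:
    """Entries that disappeared; worth a look when security software stops starting."""
    return sorted(baseline - current, key=lambda e: (e.location, e.name))


def hide_signed_microsoft(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Autoruns' 'Hide Signed Microsoft Entries' filter applied to a list of entries."""
    return [e for e in entries if not (e.signer or "").startswith("Microsoft")]


def review(baseline: Set[AutostartEntry], current: Set[AutostartEntry]) -> Dict[str, List[AutostartEntry]]:
    """Diff two snapshots and pick out the additions a human should look at first."""
    added = new_entries(baseline, current)
    return {
        "added": added,
        "removed": removed_entries(baseline, current),
        "needs_review": hide_signed_microsoft(added),
    }


if __name__ == "__main__":
    for entry in review(BASELINE, CURRENT)["needs_review"]:
        print(f"REVIEW {entry.location}\\{entry.name} -> {entry.image_path} "
              f"(signer: {entry.signer or 'unsigned'})")
```

The Microsoft filter is only as good as the signature check behind the signer field: a publisher string read from the version resource proves nothing, so the snapshot step must verify the signature the way Autoruns does before the entry is allowed to drop out of view.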

22 Autoruns (cont’d)

23 Investigating Processes
Task Manager provides little information about images that are running

24 Process Explorer
Allows deep exploration of processes
– Process tree
– Command-line
– Full path
– Version information
– Strings
– Code signing verification
– Loaded DLLs
– Window finder
– Easy Web search
Suspicious processes:
– No description or company name
– Live in Windows directory
– No icon
– Strange URLs in the strings
Includes process comment support for baselining
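The four "suspicious process" heuristics above are easy to turn into a triage pass over the fields Process Explorer exposes. The following Python is an added example, not part of the presentation or of Process Explorer: the process records are constructed, and the list of hosts a legitimate image is expected to reference (EXPECTED_HOSTS) is an assumption you would replace with your own vendors. Note that explorer.exe legitimately lives directly in the Windows directory, so a single heuristic firing is a prompt to look closer, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass
class ProcessInfo:
    """The Process Explorer fields the heuristics use (constructed records below)."""
    name: str
    path: str
    description: str
    company: str
    has_icon: bool
    strings: Tuple[str, ...]   # printable strings found in the image


# Assumption for the example: hosts that images from our expected vendors may reference.
EXPECTED_HOSTS = ("microsoft.com", "example-av.test")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def unexpected_urls(strings: Tuple[str, ...]) -> List[str]:
    """URLs embedded in the image whose host is not one we expect to see."""
    found = []
    for s in strings:
        for url in URL_RE.findall(s):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                found.append(url)
    return found


def suspicion_reasons(p: ProcessInfo) -> List[str]:
    """Apply the slide's four heuristics and return the ones that fire."""
    reasons = []
    if not p.description.strip() or not p.company.strip():
        reasons.append("no description or company name")
    if ntpath.dirname(p.path).lower() == r"c:\windows":
        reasons.append("lives directly in the Windows directory")
    if not p.has_icon:
        reasons.append("no icon")
    urls = unexpected_urls(p.strings)
    if urls:
        reasons.append("strange URLs in strings: " + ", ".join(urls))
    return reasons


def triage(processes: List[ProcessInfo]) -> List[Tuple[int, str]]:
    """Rank processes by how many heuristics fire; the top of the list is where to look first."""
    return sorted(((len(suspicion_reasons(p)), p.name) for p in processes), reverse=True)


# Constructed sample: a known-good system process, a known-good vendor tray app,
# and a hypothetical unsigned image with none of the expected metadata.
SAMPLE_PROCESSES = [
    ProcessInfo("explorer.exe", r"C:\Windows\explorer.exe", "Windows Explorer",
                "Microsoft Corporation", True, ("http://www.microsoft.com/",)),
    ProcessInfo("avtray.exe", r"C:\Program Files\ExampleAV\avtray.exe", "ExampleAV Tray",
                "Example AV Ltd", True, ("https://update.example-av.test/feed",)),
    ProcessInfo("sysupd.exe", r"C:\Windows\sysupd.exe", "", "", False,
                ("http://ads.constructed-example.test/cmd.php",
                 r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")),
]


if __name__ == "__main__":
    for score, name in triage(SAMPLE_PROCESSES):
        print(f"{score} {name}")
```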

25 Process Explorer (cont’d)

26 Cleaning
Identify malware processes with Process Explorer
– Suspend and then kill them
Identify malware autostarts with Autoruns
– Remove them
Delete malware files and directories from disk

27 Cleaning a Malware Infestation with…
Microsoft antispyware
Autoruns
Process Explorer

28 Code Signing
All (well, most) Microsoft code is digitally signed
– Hash of file is signed with Microsoft’s private key
– Signature is checked by decrypting signed hash with the public key
Autoruns and Process Explorer both check signatures
Use Sigcheck to scan executable images for signatures
– Scan your entire system (at least \Windows)
– Investigate all unsigned images
– Maybe check signed image signers as well…

29 Sigcheck
Command to display information on unsigned executable images:
sigcheck -e -u -s c:\

30 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

31 Definitions
Virus
– Recursively replicates itself
Worm
– Virus that replicates on the network, usually automatically (mass mailer worms are an exception)
– I’ll use “virus” to refer to both viruses and worms
Exploit
– Code that targets one or more security vulnerabilities to gain access to a system
Payload
– Virus body
Zero-Day attack
– Virus that exploits undisclosed vulnerability

32 Antivirus
Scans files for viruses
Scanning relies on:
– A spyware signature database
– File scanning
– Include virtual machine technology to unpack/unencrypt virus code
– A remediation database
– Either quarantine or clean viruses
– It’s an after-the-fact solution
On-access scanning detects viruses in newly created files

33 Inside On-Access Scanning
(Diagram: Application in user mode; antivirus filter driver and file system driver in kernel mode; antivirus service with signature database in user mode)
1. AV filter intercepts application file open
2. Stops the I/O and lets service scan the file
3. If the file contains a virus that can’t be cleaned AV quarantines and blocks open
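The three numbered steps, together with the "quarantine or clean" and "after-the-fact" points on slides 15 and 32, can be modelled end to end. The Python below is an added example, not code from the presentation or from any antivirus product: the signature database holds made-up byte markers rather than real virus code, "cleaning" is modelled as cutting an appended body off its host file, and the unpacking/virtual-machine stage of a real scanner is left out. The last sample shows the limitation the slides warn about: a file carrying a pattern the database does not know is allowed through.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes     # byte sequence the scanner looks for (constructed marker, not real code)
    cleanable: bool    # whether the remediation database knows how to remove it


# Constructed signature database.
SIGNATURE_DB = (
    Signature("Constructed.Appender.A", b"<<CONSTRUCTED-APPENDER-A>>", cleanable=True),
    Signature("Constructed.Overwriter.B", b"<<CONSTRUCTED-OVERWRITER-B>>", cleanable=False),
)

ALLOW, ALLOW_CLEANED, BLOCK_QUARANTINE = "allow", "allow-cleaned", "block-quarantine"


def scan(data: bytes) -> Optional[Signature]:
    """Step 2: the service scans the file contents against the signature database."""
    for sig in SIGNATURE_DB:
        if sig.pattern in data:
            return sig
    return None   # unknown code passes: signature scanning is after-the-fact


def clean(data: bytes, sig: Signature) -> bytes:
    """Model of remediation for an appending infector: keep the host, drop the appended body."""
    return data[: data.index(sig.pattern)]


def on_open(path: str, data: bytes, quarantine: Dict[str, bytes]) -> Tuple[str, Optional[bytes]]:
    """Steps 1 and 3: the filter has intercepted the open; decide what the application may see.

    Returns (decision, contents handed to the application, or None when the open is blocked)."""
    sig = scan(data)
    if sig is None:
        return ALLOW, data
    if sig.cleanable:
        return ALLOW_CLEANED, clean(data, sig)
    quarantine[path] = data            # keep a copy for analysis and deny the open
    return BLOCK_QUARANTINE, None


# Constructed files: a clean host, the host with an appended known body, a file whose
# start was overwritten by a known non-cleanable body, and one with an unknown marker.
HOST = b"MZ\x90\x00 constructed host program bytes "
SAMPLES = {
    r"C:\tools\clean.exe": HOST,
    r"C:\tools\infected_a.exe": HOST + b"<<CONSTRUCTED-APPENDER-A>> constructed body",
    r"C:\tools\infected_b.exe": b"<<CONSTRUCTED-OVERWRITER-B>>" + HOST[28:],
    r"C:\tools\unknown.exe": HOST + b"<<NOT-IN-DATABASE>> constructed body",
}


def run_demo() -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Open every sample through the filter; return the decisions and the quarantine store."""
    quarantine: Dict[str, bytes] = {}
    decisions = {path: on_open(path, data, quarantine)[0] for path, data in SAMPLES.items()}
    return decisions, quarantine


if __name__ == "__main__":
    decisions, quarantine = run_demo()
    for path, decision in decisions.items():
        print(f"{decision:17} {path}")
    print("quarantined:", list(quarantine))
```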

34 Preventing Viruses
AV is dependent on signatures
– Small outbreak might never get signature
– Window of exposure between virus outbreak and signature update
Alternate prevention mechanisms are mandatory
– Firewalls and intrusion prevention
– Restrictions on what code executes
– Buffer overflow prevention

35 Major Virus Outbreaks
Melissa – March 1999
– First major Windows network worm
– Spread as mass mailer that infected Word documents with a macro virus
Code Red – July 2001
– Exploited IIS buffer overflow vulnerability
– Infected 250,000 systems in 9 hours
– Planned DoS of www.whitehouse.gov
Nimda – September 2001
– 12 different propagation mechanisms
– Fastest and most effective worm to date

36 Major Virus Outbreaks (cont’d)
Slapper – September 2002
– Injects through Apache SSL buffer overflow
– Builds peer-to-peer network for massive DoS attack
SQL Slammer – January 2003
– Exploits SQL Server buffer overflow
– Causes network flood
Blaster – August 2003
– Exploits DCOM RPC buffer overflow
– Executes DoS on Windowsupdate.com
Zotob – August 2005
– Exploits the following Microsoft Windows vulnerabilities: Plug and Play Buffer Overflow, Message Queuing Remote Buffer Overflow, Workstation Service Remote Buffer Overflow, ASN.1 Library Bit String Processing Variant Heap Corruption

37 Buffer Overflow
The common theme of almost all major virus outbreaks is buffer overflow
(Diagram: stack of Function 2, with its Buffer and, at higher addresses, the Return Address (Function 1); beside it the same frame after the overflow, with Virus Data filling the buffer and Code written over the return address)

38 Buffer Overflow Protection
Visual Studio .NET includes /GS flag
– Inserts “canary” on stack that is checked on each function exit for integrity
– Requires code recompilation
– All OS code is compiled with this flag
Windows XP SP2 and Windows Server 2003 SP1 support Data Execution Prevention (DEP)
– Prevents code from executing in a memory page not specifically marked as executable
– Stops exploits that rely on getting code executed
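The stack picture on slide 37 and the /GS canary on slide 38 fit together in one small model: the canary sits between the buffer and the saved return address, so a copy that runs past the buffer must pass through the canary before it can reach the return address, and the function-exit check catches the change. The Python below is an added illustration of that layout, not code from the presentation or from the compiler; the buffer size, cookie value and return address are constructed, and the real /GS cookie is a per-module random value set at load time rather than a constant.

```python
import struct

BUF_SIZE = 16                   # bytes of local buffer in Function 2's frame (constructed)
CANARY = b"\xde\xad\xbe\xef"    # constructed cookie; /GS uses a random per-module value
RETURN_TO_FUNCTION_1 = 0x00401000   # constructed address inside Function 1


class Frame:
    """Toy model of Function 2's stack frame, lowest address first: the buffer,
    then the canary when compiled with /GS, then the saved return address."""

    def __init__(self, return_address: int, protected: bool):
        self.protected = protected
        parts = [bytes(BUF_SIZE)]
        if protected:
            parts.append(CANARY)
        parts.append(struct.pack("<I", return_address))
        self.memory = bytearray(b"".join(parts))

    def unchecked_copy(self, data: bytes) -> None:
        """strcpy-style copy into the buffer with no length check: bytes beyond
        BUF_SIZE land on whatever sits at the higher addresses of the frame."""
        end = min(len(data), len(self.memory))
        self.memory[:end] = data[:end]

    def epilogue(self):
        """Function exit. Returns ('return', address) when control would transfer to
        the saved address, or ('abort', 'canary mismatch') when the /GS check fires."""
        offset = BUF_SIZE
        if self.protected:
            if bytes(self.memory[offset:offset + len(CANARY)]) != CANARY:
                return "abort", "canary mismatch"
            offset += len(CANARY)
        return "return", struct.unpack_from("<I", self.memory, offset)[0]


def call_function_2(user_input: bytes, protected: bool):
    """Function 1 calls Function 2, which copies the input without a length check."""
    frame = Frame(RETURN_TO_FUNCTION_1, protected)
    frame.unchecked_copy(user_input)
    return frame.epilogue()


if __name__ == "__main__":
    well_formed = b"hello"
    too_long = b"A" * BUF_SIZE + b"\x78\x56\x34\x12"
    for label, data in (("well-formed", well_formed), ("oversized", too_long)):
        print(label, "without /GS:", call_function_2(data, protected=False))
        print(label, "with /GS:   ", call_function_2(data, protected=True))
```

The model also shows what the canary does not do: the buffer contents themselves are still overwritten, and nothing stops an overflow that corrupts other locals below the cookie. That is why the slide pairs /GS with DEP rather than presenting either one as sufficient.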

39 Data Execution Prevention
Relies on hardware ability to mark pages as non executable
– AMD calls it NX (“No Execute”)
– Intel calls it XD (“Execute Disable”)
Processor support:
– Intel Itanium had this in 2001, but Windows didn’t support it until now
– AMD64 was the next to support it
– Then, AMD added Sempron (32-bit processor with NX support)
– Intel added it first with their 64-bit extension chips (Xeon/Pentium 4s with EM64T)
– More recently, Intel added it to their 32-bit processor line (anything ending in “J”)

40 Data Execution Prevention (cont’d)
Attempts to execute code in a page marked no execute result in:
– User mode: access violation exception
– Kernel mode: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY bugcheck (blue screen)
Memory that needs to be executable must be marked as such using page protection bits

41 DEP on 32-bit Windows
DEP is off for user applications on Windows XP, but on for Server 2003
Can be configured under performance options
Even on processors without hardware DEP, some limited protection implemented for exception handlers

42 DEP on 64-bit Windows
Always applied to all 64-bit processes and device drivers
– Protects user and kernel stacks, paged pool, session pool
32-bit processes depend on configuration settings

43 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

44 The Evolution of Malware
Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
Rootkits are a fast evolving technology to achieve these goals
– Cloaking technology applied to malware
– Not malware by itself
– Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
Rootkit history
– Appeared as stealth viruses
– One of the first known PC viruses, Brain, was stealth
– First “rootkit” appeared on SunOS in 1994
– Replacement of core system utilities (ls, ps, etc.) to hide malware processes

45 Cloaking
Modern rootkits can cloak:
– Processes
– Services
– TCP/IP ports
– Files
– Registry keys
– User accounts
Several major rootkit technologies
– User-mode API filtering
– Kernel-mode API filtering
– Kernel-mode data structure manipulation
– Process hijacking
Visit www.rootkit.com for rootkit tools and information

46 User-Mode API Filtering
Attack user-mode system query APIs
Con: can be bypassed by going directly to kernel-mode APIs
Pro: can infect unprivileged user accounts
Examples: HackerDefender, Afx
(Diagram: Taskmgr.exe calls Ntdll.dll in user mode; the rootkit sits in the user-mode path and filters the answer, so the caller sees Explorer.exe, Winlogon.exe while kernel mode holds Explorer.exe, Malware.exe, Winlogon.exe)

47 Kernel-Mode API Filtering
Attack kernel-mode system query APIs
Cons:
– Requires admin privilege to install
– Difficult to write
Pro: very thorough cloak
Example: NT Rootkit
(Diagram: Taskmgr.exe and Ntdll.dll in user mode; the rootkit sits in kernel mode and filters the answer, so Explorer.exe, Malware.exe, Winlogon.exe is returned as Explorer.exe, Winlogon.exe)

48 Kernel-Mode Data Structure Manipulation
Also called Direct Kernel Object Manipulation
Attacks active process data structure
– Query API doesn’t see the process
– Kernel still schedules process’ threads
Cons:
– Requires admin privilege to install
– Can cause crashes
– Detection already developed
Pro: more advanced variations possible
Example: FU
(Diagram: Active Processes list containing Explorer.exe, Malware.exe, Winlogon.exe)

49 Process Hijacking
Hide inside a legitimate process
Con: doesn’t survive reboot
Pro: extremely hard to detect
Example: Code Red
(Diagram: Malware running inside Explorer.exe)

50 Detecting Rootkits
All cloaks have holes
– Leave some APIs unfiltered
– Have detectable side effects
– Can’t cloak when OS is offline
Rootkit detection attacks holes
– Cat-and-mouse game
– Several examples
– Microsoft Research Strider/Ghostbuster
– RKDetect
– Sysinternals RootkitRevealer
– F-Secure BlackLight

51 Simple Rootkit Detection
Perform a directory listing online and compare with secure alternate OS boot (see http://research.microsoft.com/rootkit/ )
– Offline OS is Windows PE, ERD Commander, BartPE
dir /s /ah * > dirscan.txt
windiff dirscanon.txt dirscanoff.txt
This won’t detect non-persistent rootkits that save to disk during shutdown

52 RootkitRevealer
(Diagram: RootkitRevealer queries the Windows API, which the rootkit filters so that it omits malware files and keys, and also reads the raw file system and raw Registry hive, where the malware files and keys are visible)
RootkitRevealer (RKR) runs online
RKR tries to bypass rootkit to uncover cloaked objects
– All detectors listed do the same
– RKR scans HKLM\Software, HKLM\System and the file system
– Performs Windows API scan and compares with raw data structure scan
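Slide 51's windiff of an online and an offline directory listing and slide 52's comparison of a Windows API scan with a raw scan are the same cross-view technique: anything the filtered view omits but the unfiltered view contains is a cloaked object. The Python below is an added example, not code from the presentation or from RootkitRevealer. It assumes both listings have already been reduced to one full path or registry key per line (the dirscanon.txt / dirscanoff.txt stage of slide 51, or RKR's two scans) and the sample listings are constructed, with placeholder names standing in for the cloaked driver, executable and service key. As slide 54 notes, a rootkit that stops cloaking while the scanner runs produces an empty "hidden" list; no amount of comparison logic fixes that.

```python
from typing import Dict, Iterable, List


def normalize(path: str) -> str:
    """Windows paths and registry keys compare case-insensitively; ignore trailing separators."""
    return path.strip().rstrip("\\").lower()


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, List[str]]:
    """Compare what the Windows API reports with what a raw or offline scan finds.

    'hidden'  : present in the raw data but omitted by the API; the discrepancy a cloak leaves behind
    'phantom' : returned by the API but absent from the raw data; usually objects created or deleted
                between the two scans, so a source of false positives rather than of cloaking
    """
    api = {normalize(p) for p in api_view if p.strip()}
    raw = {normalize(p) for p in raw_view if p.strip()}
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


# Constructed listings standing in for dirscanon.txt (online, through the API) and
# dirscanoff.txt (offline boot or raw scan). Names containing "constructed" are placeholders.
API_VIEW = """\
C:\\Windows\\system32\\ntoskrnl.exe
C:\\Windows\\system32\\drivers\\ntfs.sys
C:\\Windows\\Temp\\scan-in-progress.tmp
HKLM\\System\\CurrentControlSet\\Services\\Spooler
""".splitlines()

RAW_VIEW = """\
c:\\windows\\system32\\ntoskrnl.exe
c:\\windows\\system32\\drivers\\ntfs.sys
c:\\windows\\system32\\drivers\\constructed-rootkit.sys
c:\\windows\\system32\\constructed-rootkit.exe
HKLM\\System\\CurrentControlSet\\Services\\Spooler
HKLM\\System\\CurrentControlSet\\Services\\ConstructedRootkit
""".splitlines()


def report(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Human-readable lines in the spirit of the RKR output: one per discrepancy."""
    diff = cross_view_diff(api_view, raw_view)
    lines = [f"HIDDEN FROM WINDOWS API: {p}" for p in diff["hidden"]]
    lines += [f"VISIBLE ONLY TO WINDOWS API: {p}" for p in diff["phantom"]]
    return lines or ["no discrepancies (either clean, or the rootkit uncloaked for the scan)"]


if __name__ == "__main__":
    print("\n".join(report(API_VIEW, RAW_VIEW)))
```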

53 Demo
HackerDefender
– HackerDefender before and after view of file system
– Detecting HackerDefender with RootkitRevealer

54 RootkitRevealer Limitations
Rootkits have already attacked RKR directly by not cloaking when scanned
– RKR is given true system view
– Windows API scan looks like raw scan
SysInternals have modified RKR to be harder to detect by rootkits
– RKR is adopting rootkit techniques itself
– Rootkit authors will continue to find ways around RKR’s cloak
– It’s a game nobody can win

55 Dealing with Rootkits
Unless you have specific uninstall instructions from an authoritative source:
Don’t rely on “rename” functionality offered by some rootkit detectors
– It might not have detected all a rootkit’s components
– The rename might not be effective
Reformat the system and reinstall Windows!

56 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

57 Running as Non-Admin
Benefits of running as non-admin (also called limited user):
– System files and settings can’t be compromised
– System-level security (like AV) can’t be disabled
– Kernel-mode rootkits won’t install
– User-mode rootkits will only cloak malware in the account in which they are installed
– Can’t install keystroke loggers
– System can be reliably scanned and cleaned from an admin account
– Much more…
Warning: the Power Users group is effectively an administrator

58 How to Run as Non-Admin
Cons of running as non-admin
– Many system tasks require admin privilege or membership
– Some legacy and line-of-business apps require admin privilege or membership
Aaron Margosis’ web log presents ways to deal with admin-only applications
– http://blogs.msdn.com/aaron%5Fmargosis
Two tools facilitate non-admin:
– RunAs
  – Allows you to run a single app in an admin account
  – Apps won’t have access to network resources
  – Apps won’t have access to your profile
– MakeMeAdmin
  – Aaron’s tool
  – Temporarily adds your account to the Administrators group
  – Overcomes RunAs limitations

59 Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion

60 Defense-in-Depth
Fighting malware is a battle that’s just heating up
To deal effectively with malware you need to employ defense-in-depth:
– External firewalls
– Firewalled internal zones
– Antivirus and antispyware
– Patch management
– No execute-supported hardware
– Accounts that run as limited user

61 Your Feedback is Important!
Please fill out your evaluation forms for this session

62 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thanks to Mark Russinovich (Chief Software Architect, Winternals Software, mark@sysinternals.com) who wrote this presentation for TechEd EMEA 2005

