
Malware Workshop
Al Tuting
atuting@ufl.edu
March 2006
"Security is a journey, not a destination"
Malware Agenda

• Policy
• Categories
• Prevention through education
• Malware
  - Host software
  - Virus outbreak scenario
  - Management
  - Spyware/Adware
  - Hacker method scenario
• Links
SPICE Policy on Malware

• Robust policy
• Main idea:
  - ISM's responsibility to
    - Ensure ALL hosts have the ability to protect autonomously.
    - Enforce the integrity of protection.
  - User's responsibility to
    - Use reasonable precautions when importing data.
    - Recognize malicious protection on devices in their custody.
    - Report any malicious event on a host to the ISM.
• Fully compliant with the policy?
  - Visit http://security.health.edu
  - HSC Policies and Standards
Categories

• NIST defines malware
  - Generally, as the attributes of malware are ever changing.
• Subjectively inclusive of, but not limited to:
  - Viruses
  - Worms
  - Trojan horses
  - Backdoors
  - Keystroke loggers
  - Rootkits
  - Tracking cookies
  - The list could go on and on...
• What is and what isn't malware is debatable
  - Phishing, virus hoaxes
Awareness / History
Should we be concerned?

Incidents per year (bar chart; values as printed on the chart, years 1999-2004):

  Year   Incidents
  1999        5,627
  2000       15,825
  2001      156,904
  2002    1,510,619
  2003    6,877,036
  2004   29,890,376
Prevention

• Educate users to
  - know the SPICE policy and your unit policy
  - be aware of suspicious events
  - not attempt to bypass security controls
  - not execute or download apps from untrusted sources
  - know what social engineering is
• Review the host security workshop (January 2006)
  - Patching/updates
  - Limit user privileges
  - Host firewalls
  - Disabling unneeded services
  - MBSA
  - CISecurity baseline
• Review general awareness training (February 2006)
• Review the eduguides.
Prevention Continued
Defense in depth

(Layered diagram of the current infrastructure; the layers it names are listed here in the order shown.)

• Policy: consistent and compliant policies, processes and procedures
• WAN firewall
• Router ACLs
• Email gateway
• URL filtering
• Antivirus email server
• Attachment blocking
• Local antivirus
• Network connections
• File server content filtering
• System policy and antivirus
• Firewalls
• Personal firewall
• Antivirus
• System configuration
Malware Software

• Malicious software detection is a must on every host.
• Protect all hosts that you are responsible for
  - Network connected or not
• Your malware solution must
  - Prevent and detect virus infection
  - Have auto-update configured
    - Keep the virus scanner up to date, and be confident of the fact
  - Be sure on-access scanning is done in real time
    - Make sure the service is running at all times
  - Routinely scan fixed disks
    - Schedule for off hours, at least once a week
    - Minimally once a month
    - Adjust as necessary during outbreaks
Malware Software Options

• Block specific ports, or make rules that apply to a specific file or location, during a virus outbreak
• Stop the payload of the exploit from affecting the targeted computer and prevent it from spreading
• Report to a management server
Which malware vendor do you use?

• There are many vendors of malware protection that may fit your needs
• Can your unit's selected malware product buy you the time needed between a virus outbreak and a new signature release?
• Avoid unnecessary additional expenses to the University
Malware Software at UF

• Symantec AntiVirus
  - HSC IT Center
• Available malware software licensed to UF (software.ufl.edu)
  - Linux: McAfee LinuxShield
  - Macintosh: Virex
  - Windows: VirusScan Enterprise
  - NetWare: NetShield
• There is no extra charge to a unit for the use of McAfee software
McAfee VirusScan 8.0i

• McAfee was the chosen enterprise product at UF
• Features comply with the HSC policy
• Available to faculty, students, and staff
• Has extra features, but use them with caution:
  - Access Protection
    - Adds some firewall protection to your computer
    - Enabled by default
  - Buffer Overflow Protection
    - Prevents buffer overflows from executing code on your computer
    - Enabled by default
  - 'Unwanted Programs Policy'
    - This will remove some spyware and adware
    - Not enabled by default
McAfee VirusScan 8.0i

• Wouldn't it be a headache to manage the console on each host individually to comply with policy?
• Are all of your hosts' signatures up to date? How do you know?
• Do your users know how to check?
Response to a Virus. Example...
Using VirusScan

• Suppose a new threat is announced by
  - SANS
  - AVERT
  - Symantec Security Response
  - HSC Security Group
• A rule might be used during the brief time between when a virus goes wild and when a new signature update is available and tested.
• We know the virus:
  - Typically, when run, it copies itself to the following locations:
    - %windir%\system32\drvdll.exe
    - %windir%\system32\drvddll.exeopen
    - %windir%\system32\drvddll.exeopenopen
    - %windir%\CPLSTUB.exe
McAfee V8.0i example rule

(Screenshots: rule creation; combined rule 1 with 2.)

Suppose you're already hit with Bagle
• Prevent the spread
• Identify the machines affected
• The rule will trigger not only when the virus tries to infect (create) but also when it tries to run (write, read, execute)
Bagle example continued... (port blocking rules)

• Bagle spread through email
  - The first default rule combats the email spread
  - Default rule (Rule 0) blocks outgoing traffic on port 25
• Prevent the virus from obtaining instructions from the virus author
  - Create a port blocking rule that prevents incoming traffic on port 2535
• Prevent the virus from downloading scripts
  - McAfee already includes a rule (Rule 3) that prevents outgoing traffic on port 80 unless the traffic is from one of the web browsers listed
Prevent

• Mass mailers and share-hoppers
  - Restrict write access from incoming network connections with share blocking rules
  - "Prevent remote creation/modification/deletion of ..."
• A common virus action
  - Copying into the Windows directory and setting a registry value so that it is started at either logon or when another application starts.
  - Use rules to address this
Other uses for port blocking and file, share, and folder protection

• Preventing the spread
  - Prevent the receipt of instructions
  - Use port blocking rules
• Viruses targeting specific applications
  - Internet Explorer
    - Create specific rules that name iexplore.exe as the process, which prevent the creation or writing of files to the '%windir%\**' directory and the 'Program Files\**' directory
A Potential Headache

• Don't break functionality
  - Existing applications
  - Network connectivity
• Plan well
  - Use rules in warning mode first
    - Report access attempts without blocking access
    - Monitor the impact
  - Use discretion when entering wildcards
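The Bagle rule, the port blocking rules, the share blocking rule and the "warning mode first" advice above all reduce to the same evaluation: does an event (a process touching a path, or a process opening a port) match a rule, and is that rule blocking or only reporting? The Python below is an added example written for this workshop text; it is not McAfee's engine or its rule syntax. The expansion of %windir%, the process names (outlook.exe as a mail client exempt from the port 25 rule, msiexec.exe as an installer) and the events are constructed; the Bagle paths and port numbers are the ones on the slides.

```python
"""Host rule evaluation, as an added example (not McAfee's engine or rule syntax).

Two rule families from the slides: file/folder protection rules (process +
path wildcard + operations) and port blocking rules (direction + port +
exempt processes). Each rule is blocking or in warning (report-only) mode.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

WINDIR = r"C:\WINDOWS"  # assumed expansion of %windir% for this example


def _norm(path: str) -> str:
    """Lower-case and use '/' separators so matching is case-insensitive like NTFS."""
    return path.replace("%windir%", WINDIR).lower().replace("\\", "/")


def pattern_to_regex(pattern: str):
    """'**' matches across directories; '*' and '?' stay within one path component."""
    pat, out, i = _norm(pattern), "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] in "*?":
            out, i = out + ("[^/]*" if pat[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")


@dataclass
class FileEvent:
    process: str          # image name of the acting process, e.g. "iexplore.exe"
    path: str
    operation: str        # create / read / write / execute / delete
    remote: bool = False  # True when the access arrives over a share


@dataclass
class PortEvent:
    process: str
    direction: str        # "in" or "out"
    port: int


@dataclass
class FileRule:
    name: str
    paths: List[str]
    operations: List[str]
    processes: Optional[List[str]] = None  # None = any process
    exclude: List[str] = field(default_factory=list)
    remote_only: bool = False  # share-blocking rules only see remote access
    block: bool = True         # False = warning mode: report, do not block

    def matches(self, ev) -> bool:
        if not isinstance(ev, FileEvent):
            return False
        proc = ev.process.lower()
        if self.processes is not None and proc not in map(str.lower, self.processes):
            return False
        if proc in map(str.lower, self.exclude) or (self.remote_only and not ev.remote):
            return False
        if ev.operation not in self.operations:
            return False
        return any(pattern_to_regex(p).match(_norm(ev.path)) for p in self.paths)


@dataclass
class PortRule:
    name: str
    direction: str
    ports: range
    exclude: List[str] = field(default_factory=list)  # processes allowed through
    block: bool = True

    def matches(self, ev) -> bool:
        return (isinstance(ev, PortEvent) and ev.direction == self.direction
                and ev.port in self.ports
                and ev.process.lower() not in map(str.lower, self.exclude))


def evaluate(rules, ev):
    """Return (allowed, names_of_rules_that_fired). Warning-mode rules are
    reported but never deny; any blocking rule that matches denies."""
    hits = [r for r in rules if r.matches(ev)]
    return (not any(r.block for r in hits), [r.name for r in hits])


# Paths listed on the Bagle slide.
BAGLE_PATHS = [r"%windir%\system32\drvdll.exe", r"%windir%\system32\drvddll.exeopen",
               r"%windir%\system32\drvddll.exeopenopen", r"%windir%\CPLSTUB.exe"]

RULES = [
    # Fires on infection (create) and on running (write/read/execute).
    FileRule("Bagle dropper files", BAGLE_PATHS, ["create", "write", "read", "execute"]),
    FileRule("IE may not write to %windir% or Program Files",
             [r"%windir%\**", r"C:\Program Files\**"], ["create", "write"],
             processes=["iexplore.exe"]),
    FileRule("Prevent remote creation/modification/deletion in %windir%",
             [r"%windir%\**"], ["create", "write", "delete"], remote_only=True),
    # Broad wildcard rule kept in warning mode first, as the slides advise.
    FileRule("WARN: any write under Program Files", [r"C:\Program Files\**"],
             ["create", "write"], block=False),
    PortRule("Rule 0: block outgoing port 25 (mass mailers)", "out", range(25, 26),
             exclude=["outlook.exe"]),  # assumed mail-client exemption
    PortRule("Block incoming port 2535 (virus instructions)", "in", range(2535, 2536)),
    PortRule("Rule 3: outgoing port 80 only from browsers", "out", range(80, 81),
             exclude=["iexplore.exe", "firefox.exe"]),
]

if __name__ == "__main__":
    for ev in [FileEvent("explorer.exe", r"C:\WINDOWS\system32\drvddll.exeopen", "create"),
               FileEvent("msiexec.exe", r"C:\Program Files\App\app.exe", "create"),
               PortEvent("drvddll.exe", "out", 80)]:
        print(ev, "->", evaluate(RULES, ev))
```

The warning-mode rule is the point of the "Potential Headache" slide: an installer writing under Program Files is reported but allowed, so you see what a broad `**` wildcard would have broken before you switch it to blocking.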
Autonomous Protection

• Ensure ALL hosts have the ability to protect autonomously
  - How can you ensure this?
  - Use centralized management software
    - The University offers it at no cost to the unit
    - ePO
    - ProtectionPilot
Autonomous Protection
Why?

Signatures not kept up to date equals malware software that is essentially useless.
Gain control of your anti-virus infrastructure

• Centralize your policy enforcement and management
  - Make sure virus scanning policies are set to keep your systems secure and virus-free
• Deploy needed updates and software remotely
  - Keep the anti-virus software on your systems up to date
• Deploy new rules during a virus outbreak
Software

• ePolicy Orchestrator (ePO) or ProtectionPilot
  - Software available to all unit admins under the current license
  - http://software.ufl.edu/mcafee/index3.html
• Symantec System Center Console
  - HSC IT Center
• Avoid unnecessary additional expenses to the University
ePO

• Easy enough to install (guided by an install wizard)
• Straightforward
• A bit complex to start with
  - Terminology and functionality
    - Distributed repositories
    - Rogue system detection sensors
    - Notification rules
    - Etc.

ePO Documentation

• Heaps of high-quality product documentation
  - ePO quick reference card
  - Walkthrough guide
ePO Logging

• Lots of logging, including:
  - mcscript.txt
    - Details script engine actions, such as processing updates
  - updatehistory.ini
    - Includes details of configuration items, such as the site last used for updates
  - agent_%computername%.xml
    - The McAfee Agent activity log, which shows policy enforcement actions
• Logs are really useful for troubleshooting
Enforce Protection
Compliance Policy and Updates

• The ePO agent manages policies for McAfee AntiVirus
  - Policies can be set globally or on individual clients (servers)
  - It also generates reports on compliance, virus detections, etc.
  - The agent manages the 'policy' for you automatically, based on what ePolicy Orchestrator has stored in its database for each client
• Daily updates of
  - DATs
  - Engines
  - Service packs
  - Hotfixes
  - Patches
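"Are all of your hosts' signatures up to date? How do you know?" is answered by the compliance report, and the report is only as good as the rule that decides who is compliant. The Python below is an added example of that decision, not ePO's own reporting: the host records are constructed, 4715 is the DAT number the slides name, and the lag and silence thresholds are policy choices assumed here. The one point it adds to the slides is that a host whose agent has gone quiet must not be counted as compliant just because its last reported DAT was current.

```python
"""DAT-level compliance check, as an added example (not ePO's own reporting).

Assumptions: the host records are constructed; 4715 is the DAT named on the
slides; the lag and silence thresholds are policy choices made up here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HostStatus:
    hostname: str
    dat_version: int        # DAT number the agent last reported
    last_contact: datetime  # last time the agent polled the ePO server


CURRENT_DAT = 4715                 # DAT named on the slides
NOW = datetime(2006, 3, 15, 9, 0)  # fixed clock so the example is repeatable

# Constructed sample, not real ePO data.
SAMPLE_HOSTS = [
    HostStatus("lab-pc01", 4715, NOW - timedelta(hours=2)),
    HostStatus("lab-pc02", 4713, NOW - timedelta(hours=5)),  # two DATs behind
    HostStatus("lab-pc03", 4700, NOW - timedelta(days=1)),   # fifteen DATs behind
    HostStatus("lab-pc04", 4715, NOW - timedelta(days=10)),  # current DAT, silent agent
]


def classify(host, current_dat=CURRENT_DAT, now=NOW,
             max_dat_lag=3, max_silence=timedelta(days=3)):
    """Return 'ok', 'warn', 'noncompliant' or 'stale-agent'.

    DATs are released about daily, so the DAT lag approximates days behind.
    A host whose agent has not polled within max_silence is reported as
    'stale-agent' whatever its last DAT: the number cannot be trusted,
    because a stopped agent service looks exactly like this."""
    if now - host.last_contact > max_silence:
        return "stale-agent"
    lag = current_dat - host.dat_version
    if lag <= 0:
        return "ok"
    return "warn" if lag < max_dat_lag else "noncompliant"


def compliance_report(hosts, **thresholds):
    """Group hostnames by status so the non-compliant ones can be chased."""
    report = {"ok": [], "warn": [], "noncompliant": [], "stale-agent": []}
    for host in hosts:
        report[classify(host, **thresholds)].append(host.hostname)
    return report


if __name__ == "__main__":
    for status, names in compliance_report(SAMPLE_HOSTS).items():
        print(f"{status:13s} {', '.join(names) or '-'}")
```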
On Demand Scan & The 4715 DAT

• Deploy a DAT file after evaluation
  - DATs usually get released every day
  - Set to clean, then quarantine (not delete)
• Monthly task which cleans out the quarantine folder after the end-of-month backups have run
  - Worst case, you only have to look at the last end-of-month backup to grab stuff
• On demand scans
  - Usually a weekly/monthly on-demand scan with full options (all files, archives, etc.)
  - Scan the quarantine folder to remove any found viruses
  - Monthly/weekly depends on how often your backups are done
ePO Rogue System Detection

• ePO can detect rogue, non-compliant systems by identifying when any of these systems are connected to the LAN
• Identify
  - Might be one of yours if the name matches
• Likely to be more useful if
  - There were an HSC global AV team
  - All units used ePO
ePO Considerations

• Consider revising the default ports during install
  - Ensure that the server is not already using these ports for communicating with 3rd-party software (for example, the World Wide Web Publishing service)
• Secure the ePolicy Orchestrator database
  - SQL/MSDE
    - Change default passwords
    - SQL Server 2000 security checklist
    - http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
Distributing the ePO Client

• Installed on the department image
  - Remove the agent GUID registry value from the agent registry key
• Push from the ePO server
• Manually installed
  - See the login script
  - Use the same login script to check if ePO is installed, and if not, install it

Distribution of Software using ePO
Distributing the ePO Client

• The best method is the one that suits you
• Designed so that YOU can choose the most appropriate method to install the agent in YOUR unit
• Nearly all communication is client (agent) driven:
  - When a policy is changed on the server it does not get 'pushed' to the client; the agent 'pulls' it on its next poll with the server
Policy Again

• What about anti-spyware and anti-adware?

Anti-spyware and Anti-Adware

• No such thing as the best anti-spyware... yet...
• In the toddler stage, but growing
• Overlapping anti-spyware products are needed
  - Why?

Anti-Spyware / Adware

• All anti-spyware vendors rely on their user communities to submit samples of suspected potentially unwanted programs in order to grow their databases
Anti-spyware Challenge

• No such thing as the best anti-spyware yet
  - Infant stages
  - Over 100 anti-spyware/adware scanners available for download
• Each major vendor refers to spyware differently:
  - McAfee uses the term Potentially Unwanted Programs, or PUPs
  - Symantec refers to security risks
  - Trend Micro uses the classification spyware/grayware
• What about McAfee's and Symantec's virus
Symantec Antivirus v9.0.0.338

• Symantec "scan for expanded threats"
  - Adware, spyware, joke programs, and other risks
• The adware/spyware detection is not done in real time
  - Need to run a scan to check for adware/spyware
• Detected Hotbar and Gator but was unable to remove anything
• Seems like a really great feature idea, but a useless implementation
VirusScan Enterprise 8.0i
McAfee V8.0i Potentially Unwanted Programs

• Has a definition of 200 adware and spyware items
  - OK, but there are tens of thousands of types of adware and spyware currently defined; the list of 200 items checked by this feature is not sufficient
• Has the same shortcomings as Symantec's expanded threats
Other Spyware and Adware tools:

• HijackThis
  - Legitimate tool for removing BHOs. Extremely non-user-friendly, but it will allow you to remove things that nothing else will.
• Ad-Aware
  - www.lavasoftusa.com
  - Not centrally manageable; not free for edu
• Spybot
  - http://security.kolla.de
  - Not centrally manageable, but you can run it from the command line as a Windows task with auto-update
• SpywareGuard and SpywareBlaster
  - http://www.wilderssecurity.net
Need Enterprise Anti-spyware

• What's needed for an enterprise?
  - Integrated anti-virus and anti-spyware solution
  - Simplified management and reporting
  - Single agent and policy to deploy to client workstations, and integrated delivery of signature updates
  - All of this would be nice if it existed and worked well
McAfee Anti-Spyware Module

• Works on ePO and ProtectionPilot servers
• Integrated module with VirusScan 8.0i
• Average proactive protection
  - On-access stopped some spyware/adware before install
  - On-demand scan removed most spyware/adware left over
• Centralized management with ePolicy Orchestrator
• Same exceptional type of reporting as VirusScan
• Updates are in the DAT
McAfee Anti-Spyware Module Reviews

• Network World, Barry Nance, 09/05
  - Detected 76% of spyware/adware tested
  - http://www.networkworld.com/reviews/2005/091205-spyware-nr2.html
• InfoWorld, Keith Schultz, 09/05
  - Received a very good rating, 8.2 / 10
  - http://www.infoworld.com/McAfee_Anti-Spyware_Enterprise_Edition_Module/product_52904.html?view=1&curNodeId=0&index=4
• eWeek, Andrew Garcia, 07/05
  - "McAfee's anti-virus/anti-spyware solution is the only package we reviewed that's worth considering as a primary anti-spyware solution."
  - http://www.eweek.com/article2/0,1895,1839202,00.asp
Anti-Spyware Conclusion

• No doubt the major vendors will improve their anti-spyware capabilities
  - Research, development and acquisitions
• McAfee's anti-spyware module
  - Makes sense to use as an enterprise solution
• Software Licensing Services
Method used by a hacker

• Launches a command shell
  - From an exploit/vulnerability
  - Buffer overflow
  - Etc.
• Looks for running services
  - net start
• If they have escalated privileges
  - They shouldn't, but if they do
  - Remember the Host Security Workshop?
  - Stops anti-virus services
• Installs all the tools needed

A hacker method cont..

• ePO will restart the McShield service at the next policy check
• Nothing is checking the Framework service
• Malware services completely stopped
• VirusScan now ineffective

A hacker method cont..

• Can this be prevented if the hacker has escalated privileges?
  - Try and circumvent
  - Continuous script to monitor the Framework service?

A hacker method cont..

• Restarts services that are stopped and set to start automatically
• Or just look for the service name with DisplayName
• Maybe make an exe out of it
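The monitor the last three slides sketch is small enough to write out. The Python below is an added example of that watchdog logic, not a McAfee tool or the workshop's own script. It assumes service records shaped like the Name, DisplayName, State and StartMode fields of the WMI Win32_Service class (the WQL query that a real probe would run is given), it assumes the service names McShield and McAfeeFramework for the two services the slides mention, and its inventory is constructed so the logic can run off Windows. As the slides themselves ask, an intruder with escalated privileges can stop this monitor as easily as the services it guards; it raises the bar, it does not remove the need for ePO's own checks.

```python
"""Anti-virus service watchdog logic, as an added example (not a McAfee tool).

Assumptions: records mimic the Name / DisplayName / State / StartMode fields
of WMI's Win32_Service; the McAfee service names are assumed; the inventory
is constructed so the logic runs without Windows.
"""
from dataclasses import dataclass

# Query a real probe would issue through WMI to build the inventory.
WQL = "SELECT Name, DisplayName, State, StartMode FROM Win32_Service"


@dataclass
class ServiceRecord:
    name: str          # short service name, e.g. "McShield"
    display_name: str  # e.g. "McAfee Framework Service"
    state: str         # "Running" or "Stopped"
    start_mode: str    # "Auto", "Manual" or "Disabled"


def sample_inventory():
    """Constructed snapshot: both McAfee services stopped, plus bystanders."""
    return [
        ServiceRecord("McShield", "McAfee McShield", "Stopped", "Auto"),
        ServiceRecord("McAfeeFramework", "McAfee Framework Service", "Stopped", "Auto"),
        ServiceRecord("Spooler", "Print Spooler", "Stopped", "Manual"),
        ServiceRecord("wuauserv", "Automatic Updates", "Running", "Auto"),
        ServiceRecord("McTaskManager", "McAfee Task Manager", "Stopped", "Disabled"),
    ]


def services_to_restart(inventory, display_name_filter="McAfee"):
    """Names of services that are stopped, set to start automatically, and whose
    DisplayName contains the filter (case-insensitive). Manual and disabled
    services are left alone: an admin may have stopped those on purpose."""
    wanted = display_name_filter.lower()
    return [s.name for s in inventory
            if s.state == "Stopped" and s.start_mode == "Auto"
            and wanted in s.display_name.lower()]


def watchdog_pass(query, start, display_name_filter="McAfee"):
    """One pass of the monitor loop: query services, start the ones that should
    be running, return the names actually started. `query` and `start` are
    injected so the logic can be exercised (and tested) off Windows."""
    return [name for name in services_to_restart(query(), display_name_filter)
            if start(name)]


def make_fake_start(inventory):
    """Stand-in for the service control manager: mark the record Running."""
    def start(name):
        for s in inventory:
            if s.name == name:
                s.state = "Running"
                return True
        return False
    return start


if __name__ == "__main__":
    inv = sample_inventory()
    print("pass 1 started:", watchdog_pass(lambda: inv, make_fake_start(inv)))
    print("pass 2 started:", watchdog_pass(lambda: inv, make_fake_start(inv)))
```

Run as a scheduled task every few minutes, `watchdog_pass` is the "continuous script" of the slide; the second pass in the demo returns nothing because the first already brought both services back.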
Links

• SPICE Policy
  - http://security.health.ufl.edu/policies/index.shtml
• McAfee Knowledge Base
  - http://knowledgemap.nai.com/KanisaSupportSite/supportcentral/supportcentral.do?id=m1&language=en_US
• Unofficial McAfee forums
  - http://forums.mcafeehelp.com
• VirusScan Enterprise 8.0i - Best Practices Guide
  - http://download.software.ufl.edu
• Previous workshops, including Host Security
  - http://security.health.ufl.edu/training/isaism.shtml
• ePO walkthrough
  - http://www.mcafee.com/us/local_content/white_papers/wp_epo_walkthrough_guide.pdf
• Anti-spyware testing
  - http://spywarewarrior.com/asw-test-guide.htm
• Anti-Spyware Enterprise Module 8.0 Guide
  - http://www.networkassociates.com/common/media/mcafeeb2b%5Csupport%5CVSE%5CMAS800_Guide_EN.pdf
• Scripting
