Information Security Training on Malware. Revised March 29, 2016

Transcription

1 Information Security Training on Malware Revised March 29,

2 Outline Introduction Goal Malware defined Types of Malware Recognizing Malware How to prevent Malware 2

3 Introduction Welcome to LSUHSC-NO s Information Security online tutorial on Malware! ALL employees, students, and affiliates of the University who use the LSU Computer infrastructure in the course of their work or studies are required to complete this training on an annual basis. 3

4 Goal The primary goal of this tutorial is to help raise awareness on how to recognize malicious software and take proper action to prevent its disruptive effects. LSU cannot protect the confidentiality, integrity, and availability of its information without the informed participation and support of EVERYONE!!! YOU are the last line of defense in identifying and eliminating malicious software. Training is the key to that defense so it is important that you complete your compliance training in a timely manner. 4

5 What is Malware? Malware (short for MALicious software) is any software designed to infiltrate a computer system and perform actions without the user's informed consent. It can enter your PC as the result of clicking on infected web pages, pop-up ads, toolbars, games, attachments, or any other normal computer activity. 5

6 Motivation for Malware Pranks Spamming (unsolicited junk ) Stealing data Fraud (bank, credit card, etc.) Vandalism Extortion 6

7 What Can Happen if YOUR Computer Becomes Infected with Malware Spy on your surfing habits Steal your passwords by logging your keystrokes Steal your identity Read your Cause irreversible destruction to your current applications, files and data Can infect others by attaching itself to your outgoing correspondence 7

8 Identity Theft The action of one person revealing his/her user ID & password threatens other innocent members of LSUHSC and subject them to Identity Theft. Identity thieves may rent an apartment, obtain credit, or establish a telephone account. Consumers victimized by Identity Theft may lose out on job opportunities, or be denied loans for education, housing, or cars because of negative information on their credit reports. Victims are cheated out of millions of dollars and spend months to years repairing damage to their good name and credit record. 8

9 KNOW YOUR ENEMY! Examples of Malware include: Viruses Worms Spyware Keystroke loggers Trojans Rootkits Scareware Ransomware, etc. 9

10 Viruses & Worms Viruses are programs that install themselves on a PC or laptop without the user s knowledge or consent. Viruses can be transmitted as attachments to an e- mail or in a downloaded file, by clicking on a link to an infected website or be present on a diskette or CD. A worm is a virus that replicates itself by resending itself as an attachment or as part of a network message. They usually take advantage of security holes in the operating system or software package. 10

11 Virus Infects UPS Stores In August 2014, United Parcel Service announced that customers of UPS Stores in 24 states may have had their credit card information exposed by a computer virus. An investigation revealed that information on approximately 100,000 transactions had been compromised. 11

12 Spyware Spyware is the class of programs that: Monitor your computer usage habits and report them back to a company that stores this information in a database for marketing purposes. Are installed with little or no notification during the installation of another program or while browsing the Internet. Open advertising windows when browsing the Internet. 12

13 Keystroke Loggers There are 2 types: Hardware Keystroke Loggers- hardware devices installed between your keyboard and computer. Software Keystroke Loggers- software programs that log every keystroke typed and transmit them back to their home base. 13

14 Keystroke Logger Leads to Health Data Breach at KY Hospital On September 16, 2015, Muhlenberg Community Hospital was notified by the FBI of a keylogger cyberattack which lead to a health data breach. An investigation revealed that a software keylogger had been installed on several hospital computers and may have been on the computers as early as January

15 Health Data Breach at KY Hospital (cont.) Data compromised included patient: Names Addresses Telephone number Dates of birth Social Security numbers Driver s license/state identification numbers Health plan information Financial account numbers Credit card information Employment information Compromised employee and contractor information included: Credentialing information Drug Enforcement Administration numbers National Provider Identifiers State license numbers Usernames Passwords 15

16 A Rootkit is software that enables continued privileged access to a computer while actively hiding its presence from the user by subverting normal operating system processes. 16

17 Rootkits Rootkits are made up of one or more programs designed to perform any of the following functions: Obtain administrator privileges on the system Create a backdoor to allow the cybercriminal easy administrative access whenever he desires Delete any log entries or other records that may reveal the existence of the rootkit to the legitimate owner of the system Report user ID s and passwords 17

18 Cybercriminals USE Rootkits To: Launch attacks on websites or networks Send spam s Distribute copyrighted materials such as music, videos, or commercial software Steal passwords to other online accounts Harvest user habits 18

19 Chinese Cybercriminals Breached Google Play To Infect Android Devices In August 2015, a group of Chinese hackers uploaded a Brain Test app to the Google Play store. The app installed a rootkit which allowed the app to reinstall itself after the user deleted the app. The rootkit included a backdoor to allow its creators to install further malware. Somewhere between 200,000 and 1 million devices were believed to be infected. The rootkit can only be removed by re-flashing the device. 19

20 Trojans Like their Greek namesake, Trojans are programs that appear to be one type of program (e.g. a screensaver) but are hiding additional functions of which the legitimate user is completely unaware. These functions can include: Giving administrator access to the cybercriminal author of the Trojan. Reporting everything viewed on your screen or typed on your keyboard (e.g., passwords) to another computer on the Internet. Running additional programs on your computer. 20

21 40 Million Credit Card Accounts Exposed in Attack on CardSystems Solutions In June 2005, hackers compromised CardSystems Solutions database using an SQL Trojan attack. This attack inserted code into the database every few days through a browser page, placing data in a zip file and sending out via the Internet s File Transfer Protocol. Hackers gained access to names, accounts numbers, and verification codes of 40 million credit card users. 21

22 Hybrid Malware Different kinds of malware can be combined to create programs with new capabilities. For example, the replicating features of a virus can be combined with remote control features of a Trojan and the administrative functions of a rootkit to create a program that spreads like a virus, then phones home for instructions, then causes the victims computer to carry out those instructions. 22

23 A recent development in Hybrid Malware is Ransomware. The goal of Ransomware is NOT to steal your data but hold it hostage. The hacker uses one of the previously discussed methods to install an encryption program on your PC. Once all the files are encrypted, the encryption keys are transmitted to the hacker and a message similar to the following is displayed: 23

24 Ransomware Message 24

25 Ransomware Facts Encryption utilizes very sophisticated algorithms that are impossible to crack. While older versions of Ransomware had vulnerabilities that could be used to crack the encryption, hackers have corrected these flaws in the latest versions. Any drive that is mapped to the computer as a letter (e.g. D:\ drive ) will be encrypted. Payment will usually be demanded in Bitcoin. Hackers are generally prompt in providing the decryption keys once payment is made. Payment encourages further attacks. 25

26 Hospital Pays $17,000 for Ransomware Encryption Key On February 5, 2016, employees of Hollywood Presbyterian Medical Center in Los Angeles reported being unable to get onto the hospital's network. The malware blocked access to certain systems, including the hospital s electronic medical record, as well as electronic communications. The hospital staff had to revert to paper for all operations/communications. After trying for ten days to defeat the encryption, hospital executives agreed to pay the ransom of 40 bitcoin. (approx. $17,000). 26

27 Zero Day Malware Zero Day Malware is new. Anti-virus and spyware scanner programs that depend solely on signature recognition cannot provide any protection. In recent years, foreign governments and organized crime have joined the ranks of malware programmers. This has tremendously increased the resources available for researching and developing new types of malware. As a result, the occurrences of new malware are increasing at an alarming rate. The STUXNET virus that infected computers used in Iranian nuclear plants contained exploits for four previously unknown vulnerabilities in Microsoft s Windows operating system. 27

28 Signs YOUR Computer Has Malware You start seeing an excessive amount of pop-up ads Reduced performance (your computer seems slow or freezes up) Windows opening by themselves Missing data Unusual toolbars added to your web browser Your account sends out messages to your contact list that you did not send, etc. Contact your computer supporter or the Helpdesk if you suspect that your computer has malware installed. 28

29 Suspicious A Suspicious includes: any you receive with an attachment any you receive from someone you don t recognize Steps to combat malware from infecting your computer by include: disabling auto-preview and the preview panel in your client setting your client to read all mail in plain text saving all attachments to your computer and scanning them with your antivirus product before opening them The following is an example of an designed to trick you into installing malware on your computer. 29

30 Suspicious Example Subpoena in case # FUZ Wednesday, April 16, :38 AM From: "United States District Court" AO 88(Rev.11/94) Subpoena in a Civil Case Issued by the UNITED STATES DISTRICT COURT Issued to: Name Omitted Business Name Omitted Phone No. Omitted SUBPOENA IN A CIVIL CASE Case number: FUZ United States District Court YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specifiied below. Place: United States Courthouse 880 Front Street San Diego, California Date and Time: May 9,2008 9:00 a.m. PST Room: Grand Jury Room room 5217 Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los Angeles, CA Please download the entire document on this matter(follow this link) and print it for your record. This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer on behalf of the court. Any organisation not a party to this suit thas is subponaed for the taking of a deposition shall designate one or more offcers, directors, or managing agents, or other persons to testify on its behalf, and may set forth, for each person designated, the matters on wich the person will testify. Federal Rules of Civil Procedures,20(b)(6). Failure to appear at the time and place indicated may result in a contempt of court citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct any questions to the person requesting you to appear: City Prosecutor. 30

31 Suspicious (cont.) Frequently s will try to trick the recipient into installing malware by posing as a law enforcement or other government agency (in this example the U.S. District Court ). The may include official-looking insignia. The will inform the recipient of some event (e.g. You have been sued. ) and direct the recipient to open an attachment or click on a link for more information. 31

32 Suspicious (cont.) The malware will take the form of either: An attachment that, when selected, will install the malware on the victim s computer. A link that, when selected, will direct the browser to an infected website which will install the malware. 32

33 How To Identify Suspicious s Does the demand makes sense? Are you familiar with the parties in the case? Do you have knowledge of the issue before the court? Would a City Prosecutor be issuing a subpoena for a U.S. District Court? There are no names of court officers. Subpoenas are usually served in person or by certified mail, not . 33

34 How To Identify Suspicious s (cont.) Does the link make sense? The refers to U.S. government websites use the.gov domain so a legitimate link would be subpoena@uscourts.gov 34

35 How To Identify Suspicious s (cont.) Review the Attachment(s) -- Most attachments of official documents will have a.pdf or.tif extension (e.g. subpoena.pdf ). More rarely.doc or.rtf are used (e.g. subpoena.rtf ). Extensions such as.zip,.exe, or.com could be disguising malware (e.g. subpeona.zip ). Double Extensions such as.doc.zip or.xls.exe could be disguising malware. (e.g. subpoena.doc.exe ). Look for Problems with the content of -- Like misspelled words and/or grammatical errors. 35

36 How To Identify Suspicious s (cont.) Other Actions -- Go to the FBI e-scam website to see if they have a notice on an similar to the one in question. Send the suspicious as an attachment to spam@lsuhsc.edu Under NO circumstances should you use any links or open any attachments in a Suspicious ! 36

37 Infected Websites Malware can also infect websites. Any unprotected computer that browses an infected website will become infected. Even well-known and respected websites such as the NewYorkTimes.com and bbc.com have been infected. 37

38 Scareware Scareware is a message designed to scare you into installing malware on your system. The following are examples of actual Scareware Messages (slides 39-41). 38

39 This Scareware is designed to look like a Windows error message. Fortunately, all this program does is separate the user from $40 of his hard earned money. The best course of action is to power off your system without shutting down. 39

40 This Scareware appears when surfing an infected website. It appears to be a warning from your anti-virus program. The message is a fake. However, clicking on ANY of the buttons (including the x in the upper right corner) will cause malware to be installed on your system. The best course of action is to power off your system without shutting down. 40

41 Antivirus XP Scareware is designed to look like a message from the Windows XP Security Center. Clicking on ANY of the buttons (including the x in the upper right corner) will cause malware to be installed on your system. The best course of action is to power off your system without shutting down. 41

42 How To Identify a Scareware Message Ask yourself the following questions: Does the message refer to some catastrophic event? (e.g. Your registry is damaged! or Your computer is infected ) Does it instruct you to go to an unfamiliar website? (e.g. NOT microsoft.com or lsuhsc.edu) Does it instruct you to download and install a program? Is the antivirus warning message different from the name of your antivirus software? (e.g., super-antivirus 2016 when you have System Center Endpoint protection) If any of the above are TRUE, then it may be Scareware and you should call the Helpdesk or your supporter to make sure. 42

43 How To Avoid Malware Ensure up-to-date antivirus software is installed on you computer (LSUHSC provides antivirus software with updates to all university owned computers). Ensure up-to-date anti-spyware scanner software is installed on your computer (all LSUHSC owned computers have antispyware software installed which is updated regularly). Ensure operating system and software patches are up to date on your computer (LSUHSC automatically updates all operating system patches on university owned computers). 43

44 How To Avoid Malware (cont.) Ensure applications such as Adobe Reader or Flash are up-to-date with all patches. Ensure that your LSUHSC user ID is NOT a local administrator on your PC or laptop (contact your computer supporter for more information). Always check your computer for anything unfamiliar that may be plugged in. Use caution with your Internet surfing habits Think before you click- - avoid clicking on pop-up advertisements Turn on Internet Explorer s SmartScreen filter. (This is the default on LSUHSC owned computers.) 44

45 How To Avoid Malware (cont.) Bookmark trusted websites and access these websites via bookmarks. Make sure that any computer you use to access LSUHSC s network remotely (from home or while on vacation, or at a conference) has incorporated all of the precautions listed above. If you have any questions, contact your computer supporter or the Helpdesk. 45

46 YOU Are The Ultimate Defense Malware comes in a variety of types. Technical solutions such as antivirus and antispyware programs provide some protection. Limiting privileges of the user account can prevent many malware programs from installing. The ultimate defense is a well-informed user who can recognize malware and take the proper action. If you have any questions, contact your computer supporter or the Helpdesk (568-HELP). 46

47 Questions? We Are Here to Help! Office of Compliance Programs 433 Bolivar St. Suite 807 New Orleans, LA (504)