INSTRUCTOR NOTES ON 08 Computer Protection HAND OUT THE COMPUTER PROTECTION BROCHURE

Transcription

1 INSTRUCTOR NOTES ON 08 Computer Protection Seminar intro Talking Points This seminar has two major topics: 1. What is a virus and how many virus types are there? 2. How do I protect against them? HAND OUT THE COMPUTER PROTECTION BROCHURE Overview the Brochure 1a. What is a virus? Virus is a catch all term, like Kleenex, often used in place of the proper term MALWARE. MALWARE is any malicious program that disrupts the integrity of computer software and proper operation of the Internet. Imagine all the trouble bad recipes could cause in a kitchen. Imagine all the trouble destruction or disarrangement of pantry goods could cause in a kitchen. 1b. What types of Malware are there? A partial list appears below: Viruses A computer virus is a type of Malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Worms The difference between viruses and worms is that viruses hide inside the files of real computer programs (for instance, the macros in Word or the VBScript in many other Microsoft applications), while worms do not infect a file or program, but rather stand on their own. Trojans Broadly speaking, a Trojan horse is any program that invites the user to run it, concealing a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or further installing malicious or undesirable software. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks. Page 1 of 13 4/12/ _Instructor_Presentation_Notes.wps

2 Spyware Spyware is software that spies on you, often tracking your internet activities in order to serve you advertising. (Yes, it's possible to be both adware and spyware at the same time.) Adware The least dangerous and most lucrative Malware (lucrative for its distributors, that is). Adware displays ads on your computer. Exploits Exploits attack specific security vulnerabilities. You know how Microsoft is always announcing new updates for its operating system? Often enough the updates are really trying to close the security hole targeted in a newly discovered exploit. Keyloggers Keyloggers log your keystrokes, i.e., what you type. Typically, the Malware kind of keyloggers (as opposed to keyloggers deliberately installed by their owners to use in diagnosing computer problems) are out to log sensitive information such as passwords and financial details, and pass it out to a hacker. Rootkits Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program. 2. How do I protect against them? You need one active up to date Antivirus program on your computer. You need one active up to date Firewall on your computer. You may add one or two Spyware/Adware/Keylogger detection programs on your computer. How does this protection work? Describe the diagram on the next page. Refer to the brochure s cover. Page 2 of 13 4/12/ _Instructor_Presentation_Notes.wps

3 Emphasize the need to keep your protection software updated. What Protection Should I use? Refer to the information in the brochure (inside right half). INSTRUCTOR PREPARATION INFORMATION - TYPES OF MALWARE TYPES OF MALWARE 1. Viruses. The malware that's on the news so much, even your grandmother knows what it is. You probably already have heard plenty about why this kind of software is bad for you, so there's no need to belabor the point. 2. Worms. Slight variation on viruses. The difference between viruses and worms Page 3 of 13 4/12/ _Instructor_Presentation_Notes.wps

4 is that viruses hide inside the files of real computer programs (for instance, the macros in Word or the VBScript in many other Microsoft applications), while worms do not infect a file or program, but rather stand on their own. 3. Wabbits. Be honest: had you ever even heard of wabbits before (outside of Warner Bros. cartoons)? According to Wikipedia, wabbits are in fact rare, and it's not hard to see why: they don't do anything to spread to other machines. A wabbit, like a virus, replicates itself, but it does not have any instructions to itself or pass itself through a computer network in order to infect other machines. The least ambitious of all malware, it is content simply to focus on utterly devastating a single machine. 4. Trojans. Arguably the most dangerous kind of malware, at least from a social standpoint. While Trojans rarely destroy computers or even files, that's only because they have bigger targets: your financial information, your computer's system resources, and sometimes even massive denial-of-service attack launched by having thousands of computers all try to connect to a web server at the same time. 5. Spyware. In another instance of creative software naming, spyware is software that spies on you, often tracking your internet activities in order to serve you advertising. (Yes, it's possible to be both adware and spyware at the same time.) 6. Backdoors. Backdoors are much the same as Trojans or worms, except that they do something different: they open a "backdoor" onto a computer, providing a network connection for hackers or other malware to enter or for viruses or sp@m to be sent out through. 7. Exploits. Exploits attack specific security vulnerabilities. You know how Microsoft is always announcing new updates for its operating system? Often enough the updates are really trying to close the security hole targeted in a newly discovered exploit. 8. Rootkit. The malware most likely to have a human touch, rootkits are installed by crackers (bad hackers) on other people's computers. The rootkit is designed to camouflage itself in a system's core processes so as to go undetected. It is the hardest of all malware to detect and therefore to remöve; many experts recommend completely wiping your hard drive and reinstalling everything fresh. Page 4 of 13 4/12/ _Instructor_Presentation_Notes.wps

5 9. Keyloggers. No prïze for guessing what this software does: yes, it logs your keystrokes, i.e., what you type. Typically, the malware kind of keyloggers (as opposed to keyloggers deliberately installed by their owners to use in diagnosing computer problems) are out to log sensitive information such as passwords and financial details. 10. Dialers. Dialers dial telephone numbers via your computer's modem. Like keyloggers, they're only malware if you don't want them. Dialers either dial expensive premium-rate telephone numbers, often located in small countries far from the host computer; or, they dial a hacker's machine to transmit stolen data. 11. URL injectors. This software "injects" a given URL in place of certain URLs when you try to visit them in your browser. Usually, the injected URL is an affïliate link to the target URL. An affïliate link is a special link used to track the traffïc an affïliate (advertiser) has sent to the original website, so that the original website can pay commissions on any salës from that traffïc. 12. Adware. The least dangerous and most lucrative malware (lucrative for its distributors, that is). Adware displays ads on your computer. The Wikipedia entry on malware does not give adware its own category even though adware is commonly called malware. As Wikipedia notes, adware is often a subset of spyware. The implication is that if the user chooses to allow adware on his or her machine, it's not really malware, which is the defense that most adware companies take. In reality, however, the choice to install adware is usually a lëgal farce involving placing a mention of the adware somewhere in the installation materials, and often only in the licensing agreement, which hardly anyone reads. Malware From Wikipedia, the free encyclopedia Jump to: navigation, search Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Page 5 of 13 4/12/ _Instructor_Presentation_Notes.wps

6 Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U. S. states, including California and West Virginia.[2][3] Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs. Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[4] According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether."[5] Malware's most common pathway from criminals to users is through the Internet: primarily by e- mail and the World Wide Web.[6] Trojan horses For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer via which it is running. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan. Broadly speaking, a Trojan horse is any program that invites the user to run it, concealing a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or further installing malicious or undesirable software. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks. One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, and which the users are unlikely to read or understand. Page 6 of 13 4/12/ _Instructor_Presentation_Notes.wps

7 [edit] Rootkits Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program. Some malicious programs contain routines to defend against removal: not merely to hide themselves; but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system: Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.[8] Similar techniques are used by some modern malware, wherein the malware starts a number of processes which monitor and restore one another as needed. [edit] Backdoors A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order. Backdoors may also be installed prior to malicious software, to allow attackers entry. The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods. [edit] Malware for profit: spyware, botnets, keystroke loggers, and dialers Main articles: Spyware, Botnet, Keystroke logging, Web threats, and Dialer During the 1980s and 1990s, it was usually taken for granted that malicious Page 7 of 13 4/12/ _Instructor_Presentation_Notes.wps

8 programs were created as a form of vandalism or prank. More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering webbrowser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue is redirected to the spyware creator rather than the intended recipient. Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court. Another way that financially-motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target antispam organizations with distributed denial-of-service attacks. In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus software or other security measures. It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a key logger, which intercepts the user's keystrokes when entering a password, credit card number, or other information that may exploited. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD Page 8 of 13 4/12/ _Instructor_Presentation_Notes.wps

9 key or password for online games, allowing the creator to steal accounts or virtual items. Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user. Data-stealing malware Data-stealing malware is a web threat that divests victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category. Characteristics of data-stealing malware Does not leave traces of the event The malware is typically stored in a cache which is routinely flushed The malware may be installed via a drive-by-download process The website hosting the malware as well as the malware is generally temporary or rogue Frequently changes and extends its functions It is difficult for antivirus software to detect final payload attributes due to the combinations of malware components The malware uses multiple file encryption levels Thwarts Intrusion Detection Systems (IDS) after successful installation There are no perceivable network anomalies The malware hides in web traffic The malware is stealthier in terms of traffic and resource use Thwarts disk encryption Data is stolen during decryption and display The malware can record keystrokes, passwords, and screenshots Page 9 of 13 4/12/ _Instructor_Presentation_Notes.wps

10 Thwarts Data Loss Prevention (DLP) C4S Computer Protection Seminar - Instructor Notes Leakage protection hinges on metadata tagging, not everything is tagged Miscreants can use encryption to port data Mobile-Threats Security Threats to mobile devices(smartphones, PDA) are on the rise, as more sensitive information is stored on them. Crimeware: the silent epidemic Malware evolves to focus on obtaining financial returns Rootkits: Malware is hidden to increase its useful life span and avoid detection. Viruses: All you need to know to understand viruses and other malware. Spyware Spyware is perhaps the most worrying of all IT threats, as it intrudes on your privacy without you realizing Phishing: personal data theft Have you received an message from your bank, in which you are asked to verify your account details? Spam: Unsolicited messages Miracle products? Make money easily? Unbeatable mortgage terms? Spam, spam, wonderful spam Introduction Viruses, worms, Trojans, and bots are all part of a class of software called malware. Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other bad or illegitimate action on data, hosts, or networks. Page 10 of 13 4/12/ _Instructor_Presentation_Notes.wps

11 There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an attachment or downloading a file from the Internet. Some of the more commonly known types of malware are viruses, worms, Trojans, bots, back doors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser popup ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks. Malware cannot damage the physical hardware of systems and network equipment, but it can damage the data and software residing on the equipment. Malware should also not be confused with defective software, which is intended for legitimate purposes but has errors or bugs. Classes of Malicious Software Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below. Viruses A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-ofservice (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program Page 11 of 13 4/12/ _Instructor_Presentation_Notes.wps

12 keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected attachments. Worms Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or informationtransport features on the system, allowing it to travel unaided. Trojans A Trojan is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an attachment or downloading and running a file from the Internet. Bots "Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is selfpropagating malware designed to infect a host and connect back to a central server Page 12 of 13 4/12/ _Instructor_Presentation_Notes.wps

13 or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broadbased, "remote-control," flood-type attacks against their target(s). In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice. Page 13 of 13 4/12/ _Instructor_Presentation_Notes.wps