230 likes | 303 Views
UCAR Malware incidents. The Mebroot / Torpig threat. What we’re up against. Infections in ACD. Attempted compromise of a Linux machine visiting a newspaper site Successful compromise of a 2 Windows XP, 1 Vista machine Multiple infections of UCAR systems – all Windows PC’s
E N D
UCAR Malware incidents The Mebroot/Torpigthreat NCAR/ACD/NESL Computing
Infections in ACD • Attempted compromise of a Linux machine visiting a newspaper site • Successful compromise of a 2 Windows XP, 1 Vista machine • Multiple infections of UCAR systems – all Windows PC’s • One UCAR system re-infected after it was reformatted/reinstalled • All were variants of TORPIG – all detected by monitoring network activity Cost of Infections • TIME: Security staff, System Administrators, End-user • Systems must be reformatted/reinstalled. (in ACD we’ve used new disks) • Each System must remain down for forensics for approx 1 week • In one case, a staff member complained personal information was removed from his/her control.
What is infecting us… • TORPIG/MEBROOT • MEBROOT is a “root kit” (aka Sinowal or Anserin) • TORPIG is a keystroke logger What does TORPIG do? • Scans for credentials • Keystroke logging – sends to evasive but known collection sites • Knows about hundreds of banking sites; captures credentials • RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts • Motivation: Financial • A problem among personal computers as well as corporate networks
How does TORPIG get in? “Malware community” Buys ads – look legitimate when viewed by Google, but inject scripts when viewed by other browsers
Drive-by download • Uses scripting (Javascript, Flash) • Intelligence built into the script • Looks legitimate except for the “target” audience • Avoids certain environments (Linux, MacOS) • Must find a vulnerable application • Looks for dozens of vulnerabilities • Browsers • Java plugins • Media players (video, audio) • Adobe PDF applications
The Mebroot “root kit” • The vulnerability is exploited and a “rootkit” is injected • What is a rootkit? • Software to give an intruder access to a machine • The software defends itself • against detection • against removal
The Mebroot “root kit” • What is the Master Boot Record? • A machine’s BIOS passes control to the MBR at boot time • 512 bytes of code • Holds the partition table • Bootstraps the OS
The Mebroot “root kit” • What does Mebroot do? • Replaces the MBR • Intercepts network and disk I/O • Mebroot passes the original MBR to the OS for any disk I/O • Making it invisible to all programs including Antivirus • “Hides” Torpig in the same way – hides hooks into the OS • Code is evolving: Much more evasive than it used to be • Mebroot can be used to “hide” future malware • Symantec Antivirus may detect the hooks – it cannot detect Mebroot
Our best defense: block scripts HTML content “Malware community” Buys ads – look legitimate when viewed by Google, but inject scripts when viewed by other browsers Stop Scripting, Java and Media incl Flash
Blocking scripts: NoScript • NoScript is a browser plugin for Firefox • Blocks by default: • JavaScript • Java • Flash • Silverlight • Some other plugins • Whitelist • Allows you to select scripts to run for a session, or always allow • Sites may also be blacklisted with NoScript
NoScript: All good things have a cost “My web page looks different!”
NoScript: Decisions… Statistic gathering • 9news.com scripts: • google-analytics • coloradonewshome • revsci.net • brightcove • gannett-tv.com • others… Advertising(potential malware) Multimedia provider
Rules of thumb • Allow a minimum of what will make a site useful to youSites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)Don’t allow advertising: • Prevents drive-by downloads • Speeds up web page loading • Google analytics and Google Adsense may always be blocks by NoScript • Feel free to delete cookies
Online banking • Online banking is the specific target of TORPIG • Over 300,000 known credential thefts related to banking • Even small banks are being targeted
Online banking: Recommendations • USE a dedicated SEPARATE BROWSER for online banking • Better yet, a separate computer that does no other browsing • Virtual machines might work • Use only one machine from one IP address for banking. Makes it easier to investigate incidents involving banking fraud. • Use strong passwords • Convince your bank to use a one-time password token
PC/Windows recommendations • Plan so your work may continue in the event of a compromise • Be ready to use a secondary machine or laptop • Reduce your risk • Keep applications updated • Install and use the SecuniaSoftware inspector http://secunia.com/vulnerability_scanning/personal/ • Be wary of fake antivirus or other popups • Report anything unusual • We’ll do our best to protect your privacy but need information to help investigate virus incidents
Mac/Linux recommendations • MBR malware can just as easily compromise Linux • Macs use Extensible Firmware Interface (EFI) to boot – less vulnerable • Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications • Situation may change: • Adobe and Java vulnerabilities affect Mac and Linux versions as well • A growing Macintosh market may make it worth exploiting
Oregon Top 10 … We see this often at NCAR Torpig & Conficker have low detect rates because of new stealth technology like Mebroot Social networkingvirus
Demonstrations • NoScriptplugin • Secunia Software Inspector (if there’s time)
Thank You ! … March 17, 2010