The Malware Life Cycle - PowerPoint PPT Presentation

Slides: 34
Provided by: sds90

Transcript and Presenter's Notes

1
The Malware Life Cycle
2
The Fascinating World of Infections
3
The Circle of Life
5
Birth
  • User invites malware onto PC
  • Opens infected e-mail attachment
  • Surfs infected web sites
  • Downloads warez (e.g. "Winrar v3 FULL VERSION with
    patch!.exe", "CR-WZIP8.EXE")
  • Clicks on link in mail, tweet, IM, text message
  • Runs infected app on social networking site
  • Plugs in infected USB drive

8
Self-protection
  • Malware takes steps to protect itself
  • Turn off anti-virus software
  • Hide clones in places that users won't notice
  • Add startup entries to the registry or Startup
    folder
  • Block anti-virus sites
  • Install rootkit
  • Infect common programs: Internet Explorer,
    Windows Explorer, svchost

11
Call home
  • Malware calls home for guidance
  • Disguises the connection as web traffic
  • Has internal address book with primary and
    fallback addresses
  • Reports in frequently, usually several times a day
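
The cadence described on this slide is what gives call-home traffic away even when it is disguised as ordinary HTTP. The following is an added example (not from the presentation) that flags hosts a client contacts on a regular schedule in a proxy log; the log format, the client address 10.1.2.34 and the host names are constructed for the example.

```python
"""Flag hosts that a client contacts on a suspiciously regular schedule.

Added example, not from the presentation. The log format is assumed and
constructed: "<ISO timestamp> <client_ip> <method> <host> <status>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host is hit on the hour (a beacon), the rest is
# ordinary, bursty browsing from the same client.
SAMPLE_LOG = """\
2010-03-02T08:00:03 10.1.2.34 GET update-check.example.net 200
2010-03-02T08:05:17 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T08:06:02 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T08:31:40 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T09:00:05 10.1.2.34 GET update-check.example.net 200
2010-03-02T10:00:02 10.1.2.34 GET update-check.example.net 200
2010-03-02T11:00:06 10.1.2.34 GET update-check.example.net 200
2010-03-02T12:00:04 10.1.2.34 GET update-check.example.net 200
2010-03-02T12:13:22 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T12:14:01 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T13:00:05 10.1.2.34 GET update-check.example.net 200
2010-03-02T14:00:03 10.1.2.34 GET update-check.example.net 200
2010-03-02T14:50:12 10.1.2.34 GET www.sdsu.edu 200
2010-03-02T15:00:04 10.1.2.34 GET update-check.example.net 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing on them
        ts, client, _method, host, _status = parts
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=6, max_cv=0.15):
    """Return (client, host) pairs whose inter-connection gaps are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections. Human browsing is bursty and scores
    high; a scheduled call-home lands near zero.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "hits": len(stamps),
                            "mean_interval": avg, "cv": cv})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f'{b["client"]} -> {b["host"]}: {b["hits"]} hits, '
              f'every {b["mean_interval"]:.0f}s (cv={b["cv"]:.3f})')
```

Run it as a script to print the candidate beacons. www.sdsu.edu is contacted just as often in the sample but with gaps ranging from seconds to hours, so it is not flagged. Some malware randomizes its check-in interval, which raises the coefficient of variation; in that case widen max_cv or combine the cadence score with destination reputation and bytes sent.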

14
Your wish is my command
  • Malware gets instructions from owner
  • Download more malware, change own signature
  • Send PC information home
  • Log and report web sites
  • Monitor and steal banking credentials
  • Turn on microphone or camera
  • Monitor and steal network account credentials
  • Encrypt files for ransom
  • Whatever the bad guy wants to do

17
Psst! Pass it on
  • Malware: the gift that keeps on giving
  • Sends infected mail from you to addresses found
    on your PC (From: You@mail.sdsu.edu, To:
    YourBuddy@uhoh.net, Subject: Check this out!)
  • Infects writable files on network shares
  • Installs itself on removable media
  • Scans local network for vulnerable systems
  • Scans Internet for vulnerable systems

19
Lather, Rinse, Repeat
21
Our Defenses
  • Anti-virus: an important part of defense-in-depth
  • Can be a powerful defense if properly configured
    and used with a central server (ePO for McAfee)
  • Very effective against known malware
  • Can protect against suspicious behavior: rogue
    e-mail, IRC connections, scripts running from
    temp, additions to startup locations, additions
    to system directories, disabling anti-virus,
    installation of Browser Helper Objects (IE), and
    more!

22
Our Defenses
  • Anti-virus: not a cure-all
  • Not very responsive to unknown threats
  • Lag time of days or weeks to develop and update
    signatures for malware, leaving systems
    unprotected against emerging threats
  • May never detect some malware
  • Generally not very effective against unknown
    malware (other than mass mailers)
  • Can be disabled by Admin users
  • Logs are often ignored or not understood

24
Speaking of Logs
  • ePO Tips: most interesting ePO report fields
  • Analyzer Detection Method: was the detection On
    Access or during an On Demand/Fixed Disk Scan?
  • Action Taken: what happened to it?
  • Threat Target File Path: where was it found?
  • Threat Name: what was detected?
  • Other useful fields: Event Generated Time, Threat
    Target IPv4 Address, Threat Target Host Name,
    Threat Type

25
Speaking of Logs
  • ePO Tips: things to consider
  • Look at the Analyzer Detection Method
  • On Access? The malware was detected as it was
    written to or read from the disk
  • On Demand, Managed Fixed Disk Scan? The malware
    got onto the PC without being detected
  • Look at the Action Taken: Deleted, Cleaned, None?

26
Speaking of Logs
  • ePO Tips: things to consider
  • Look at the Threat Target File Path
  • C:\Windows\?
    Probably infected, probably admin user
  • C:\Documents and Settings\gleduc\Application
    Data\?
    Probably infected
  • G:\?
    Probably not infected, but the thumb drive was
  • IE cache?
    Need to talk to the user, maybe look at the
    machine
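
The three "things to consider" slides above amount to a triage procedure over ePO report fields. Here is an added example (not from the presentation and not McAfee code) that applies those rules of thumb to an exported report. The CSV rows, host names and addresses are constructed; the column names are the report fields the slides list. It goes a little beyond the slides: it also recognizes the Vista-and-later AppData profile location, and it treats any non-C: drive letter as removable media, which is an assumption to verify against your own fleet.

```python
"""Triage McAfee ePO detection events using the slides' rules of thumb.

Added example, not part of the presentation and not McAfee code. The report
below is constructed; its columns are the ePO report fields the slides name.
"""
import csv
import io
import re

# Constructed export: one header row plus four made-up detection events.
SAMPLE_REPORT = r"""Event Generated Time,Threat Target Host Name,Threat Target IPv4 Address,Analyzer Detection Method,Action Taken,Threat Target File Path,Threat Name,Threat Type
2010-03-02 08:14:09,LAB-PC-07,10.10.4.17,On Access,Deleted,C:\Documents and Settings\gleduc\Local Settings\Temporary Internet Files\Content.IE5\Q1Z3\ad[1].htm,Exploit-CVE2008-5353,trojan
2010-03-02 09:02:41,LAB-PC-07,10.10.4.17,On Demand,None,C:\Windows\system32\drivers\svchost.exe,Generic Downloader.x,trojan
2010-03-02 11:27:55,OFFICE-PC-12,10.10.6.40,On Demand,Cleaned,C:\Documents and Settings\gleduc\Application Data\winupd\update.exe,Generic PWS.y,trojan
2010-03-02 13:45:02,OFFICE-PC-12,10.10.6.40,On Access,Deleted,G:\autorun.inf,Generic!atr,trojan
"""


def classify_path(path):
    """Map a Threat Target File Path to the slide's reading of it.

    Most specific rule first: the IE cache sits under the user profile, so
    it must be tested before the generic profile rule.
    """
    p = path.lower().replace("/", "\\")
    if "\\temporary internet files\\" in p:
        return "ie_cache", "Need to talk to the user, maybe look at the machine"
    if re.search(r"\\(application data|appdata)\\", p):  # XP and Vista+ profiles
        return "user_profile", "Probably infected"
    if p.startswith("c:\\windows\\"):
        return "system_dir", "Probably infected, probably admin user"
    if re.match(r"[d-z]:\\", p):  # assumption: a non-C: letter is removable media
        return "removable", "Probably not infected, but the removable drive was"
    return "other", "Unrecognized location, review by hand"


def triage_event(row):
    """Score one event: +1 for each sign that the malware got further than
    a clean on-access block."""
    method = row["Analyzer Detection Method"]
    action = row["Action Taken"]
    where, note = classify_path(row["Threat Target File Path"])
    findings, priority = [], 0
    if method.startswith("On Access"):
        findings.append("caught on access, as it was written or read")
    else:
        findings.append(f"{method} scan: it got onto the PC without being detected")
        priority += 1
    if action not in ("Deleted", "Cleaned"):
        findings.append(f"action taken was {action!r}: the file may still be there")
        priority += 1
    findings.append(note)
    if where in ("system_dir", "user_profile"):
        priority += 1
    return {"host": row["Threat Target Host Name"], "threat": row["Threat Name"],
            "where": where, "priority": priority, "findings": findings}


def triage_report(csv_text):
    """Parse an ePO CSV export and return its events, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((triage_event(r) for r in rows), key=lambda e: -e["priority"])


if __name__ == "__main__":
    for e in triage_report(SAMPLE_REPORT):
        print(f"[{e['priority']}] {e['host']} {e['threat']} ({e['where']})")
        for f in e["findings"]:
            print("    -", f)
```

On the sample, the On Demand hit with Action Taken "None" under C:\Windows\ sorts to the top: it was missed on the way in, it is still on disk, and it landed somewhere only an admin could write. The G:\ detection scores zero for the host, which matches the slide's reading that the thumb drive, not the PC, carried the infection.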

28
Investigating a malware detection
  • Research (Google is your friend)
  • Threat Name: Exploit-CVE2008-5353
  • Understand what it does and how it does it
  • Java vulnerability patched in JRE 6u11
  • If the machine is at JRE 6u21 (and no older JRE
    is still installed alongside it) then ignore
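
Checking the patch level is the step this slide leaves to the reader, with one caveat a practitioner runs into: several JREs are often installed side by side, and an exploit for an older one still works if that copy is present. This added example (not from the presentation) encodes the slide's decision for Exploit-CVE2008-5353 over the full list of installed versions; the fix-version table, the accepted version string formats and the function names are the example's own.

```python
"""Decide whether an Exploit-CVE detection is moot because the product it
targets is already patched on the machine.

Added example, not from the slides. Assumption: the fix version comes from
vendor research, as the slide does for CVE-2008-5353 (fixed in JRE 6u11).
"""
import re

# Threat name -> first JRE update that carries the fix (assumed table).
FIX_VERSIONS = {"Exploit-CVE2008-5353": "6u11"}


def parse_jre_version(text):
    """Return (family, update) from '6u21', '1.6.0_21' or 'Java(TM) 6 Update 21'."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)u(\d+)", text)
    if not m:
        m = re.fullmatch(r"1\.(\d+)\.\d+_(\d+)", text)
    if not m:
        m = re.search(r"(\d+) Update (\d+)", text)
    if not m:
        raise ValueError(f"unrecognized JRE version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def unpatched_installs(installed, fix_version):
    """Installed JREs older than the fix.

    Tuples compare family first, then update, so 5u16 < 6u11 < 6u21 < 7u0
    (assumption: later families carry the fix). Every install is checked,
    not just the newest one.
    """
    fix = parse_jre_version(fix_version)
    return [v for v in installed if parse_jre_version(v) < fix]


def triage(threat_name, installed):
    """'ignore: ...' when every installed JRE is patched, else 'investigate: ...'."""
    fix = FIX_VERSIONS.get(threat_name)
    if fix is None:
        return "investigate: no known fix version for this threat name"
    old = unpatched_installs(installed, fix)
    if old:
        return "investigate: vulnerable JRE(s) still installed: " + ", ".join(old)
    return f"ignore: all installed JREs are at or past {fix}"


if __name__ == "__main__":
    print(triage("Exploit-CVE2008-5353", ["6u21"]))
    print(triage("Exploit-CVE2008-5353", ["1.6.0_21", "Java(TM) 6 Update 7"]))
```

The version list would come from the machine's Add/Remove Programs entries or its Java installation directories; the point of passing all of them is that the second call above reports "investigate" even though the newest JRE is well past the fix.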

29
Investigating a malware detection
  • Check the McAfee logs on the machine
  • C:\Documents and Settings\All Users\Application
    Data\McAfee\DesktopProtection\
  • OnAccessScanLog.txt: OAS detections, DAT version,
    stats
  • OnDemandScanLog.txt: detections, type of scan,
    action taken
  • AccessProtectionLog.txt: attempts to terminate
    McAfee, send e-mail, run programs from temp or
    cache directories

30
What if it's Infected?
  • Refer to the Information Security Plan
  • http://security.sdsu.edu
  • Escalate to the ITSO if the system processes or
    stores Protected Information: names with SSNs,
    credit card data, passwords, medical data,
    disability data, combinations of name, birthdate,
    mother's maiden name, last 4 of SSN, driver's
    license, grades, etc., etc., etc.
  • Be prepared to give up the machine for the duration
    of the investigation
  • Be prepared to rebuild the machine

32
Our Defenses
  • Third-party application patching
  • When responsive, vendors are often very quick to
    patch
  • Many applications require a manual download and
    install to update: a big PITA if the user can't
    get Admin rights on the system
  • Users and sysadmins often don't know that an
    update is available or whether it's a security
    update
  • IT support staff often don't know what software
    is on their users' systems
  • If a vendor stops supporting a product, but users
    really love it, they keep using it
  • Patch management must be able to patch third-party
    applications!

33
The End