Malware Presentation 2010

UCAR Malware incidents
The Mebroot/Torpig threat
Tim Fredrick
March 2010
Malware Presentation 2010
What we’re up against
Malware Presentation 2010
Infections in ACD
• Attempted compromise of a Linux machine visiting a newspaper site
• Successful compromise of a 2 Windows XP, 1 Vista machine
• Multiple infections of UCAR systems – all Windows PC’s
• One UCAR system re-infected after it was reformatted/reinstalled
• All were variants of TORPIG – all detected by monitoring network activity
Cost of Infections
• TIME: Security staff, System Administrators, End-user
• Systems must be reformatted/reinstalled. (in ACD we’ve used new disks)
• Each System must remain down for forensics for approx 1 week
• In one case, a staff member complained personal information was
removed from his/her control.
Malware Presentation 2010
What is infecting us…
• MEBROOT is a “root kit” (aka Sinowal or Anserin)
• TORPIG is a keystroke logger
What does TORPIG do?
• Scans for credentials
• Keystroke logging – sends to evasive but known collection sites
• Knows about hundreds of banking sites; captures credentials
• RSA researchers estimate TORPIG has stolen more than 300,000
bank accounts
• Motivation: Financial
• A problem among personal computers as well as corporate networks
Malware Presentation 2010
How does TORPIG get in?
Malware Presentation 2010
How does TORPIG get in?
“Malware community”
Buys ads – look legitimate
when viewed by Google, but
inject scripts when viewed by
other browsers
Malware Presentation 2010
Drive-by download
• Uses scripting (Javascript, Flash)
• Intelligence built into the script
• Looks legitimate except for the “target” audience
• Avoids certain environments (Linux, MacOS)
• Must find a vulnerable application
• Looks for dozens of vulnerabilities
• Browsers
• Java plugins
• Media players (video, audio)
• Adobe PDF applications
Malware Presentation 2010
The Mebroot “root kit”
• The vulnerability is exploited and a “rootkit” is injected
•What is a rootkit?
• Software to give an intruder access to a machine
• The software defends itself
• against detection
• against removal
Malware Presentation 2010
The Mebroot “root kit”
What is the Master Boot Record?
• A machine’s BIOS passes control to the MBR at boot time
• 512 bytes of code
• Holds the partition table
• Bootstraps the OS
Malware Presentation 2010
The Mebroot “root kit”
What does Mebroot do?
• Replaces the MBR
• Intercepts network and disk I/O
• Mebroot passes the original MBR to the OS for any disk I/O
• Making it invisible to all programs including Antivirus
• “Hides” Torpig in the same way – hides hooks into the OS
• Code is evolving: Much more evasive than it used to be
• Mebroot can be used to “hide” future malware
• Symantec Antivirus may detect the hooks – it cannot detect Mebroot
Malware Presentation 2010
Our best defense: block scripts
Stop Scripting, Java and
Media incl Flash
“Malware community”
Buys ads – look legitimate
when viewed by Google, but
inject scripts when viewed by
other browsers
Malware Presentation 2010
Blocking scripts: NoScript
•NoScript is a browser plugin for Firefox
• Blocks by default:
• JavaScript
• Java
• Flash
• Silverlight
• Some other plugins
• Whitelist
• Allows you to select scripts to run for a session, or always allow
• Sites may also be blacklisted with NoScript
Malware Presentation 2010
NoScript: All good things have a cost
“My web page looks different!”
Malware Presentation 2010
NoScript: Decisions… scripts:
• google-analytics
• coloradonewshome
• brightcove
• others…
Statistic gathering
(potential malware)
Multimedia provider
Malware Presentation 2010
Rules of thumb
Allow a minimum of what will make a site useful to you
Sites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)
Don’t allow advertising:
• Prevents drive-by downloads
• Speeds up web page loading
• Google analytics and Google Adsense may always be blocks by NoScript
Feel free to delete cookies
Malware Presentation 2010
Online banking
• Online banking is the specific target of TORPIG
• Over 300,000 known credential thefts related to banking
• Even small banks are being targeted
Malware Presentation 2010
Online banking:
• USE a dedicated SEPARATE BROWSER for online banking
• Better yet, a separate computer that does no other browsing
• Virtual machines might work
• Use only one machine from one IP address for banking. Makes it
easier to investigate incidents involving banking fraud.
• Use strong passwords
• Convince your bank to use a one-time password token
Malware Presentation 2010
PC/Windows recommendations
• Plan so your work may continue in the event of a compromise
• Be ready to use a secondary machine or laptop
• Reduce your risk
• Keep applications updated
• Install and use the Secunia Software inspector
• Be wary of fake antivirus or other popups
• Report anything unusual
• We’ll do our best to protect your privacy but need
information to help investigate virus incidents
Malware Presentation 2010
Mac/Linux recommendations
• MBR malware can just as easily compromise Linux
• Macs use Extensible Firmware Interface (EFI) to boot – less vulnerable
• Currently TORPIG detects Mac or Linux and doesn’t allow itself to download
software to exploit vulnerable applications
• Situation may change:
• Adobe and Java vulnerabilities affect Mac and Linux versions as well
• A growing Macintosh market may make it worth exploiting
Malware Presentation 2010
Mebroot/TORPIG are only our
current threat…
Malware Presentation 2010
Oregon Top 10
We see this
often at
Top 10 Malware Dec 2009
Torpig & Conficker have low
detect rates because of new
stealth technology like
Malware Presentation 2010
• NoScript plugin
• Secunia Software Inspector (if there’s time)
Tim Fredrick
March 2010
March 17, 2010

similar documents