| Types of threats and malware | Explanation |
| --- | --- |
| Trojan horses | A Trojan is malware that masquerades as a legitimate program. The program may perform a genuine function, but it carries a hidden payload. Trojans can delete data, compromise security, relay spam or pornography, and otherwise infect your computer. |
| Phishing | A phishing scam masquerades as a legitimate website, or as a link to one, but what it is really trying to do is "fish" for information. By fooling you into thinking you are visiting your bank or a shopping or government website, the scam gets you to divulge personal or financial information, which the attackers then exploit. |
| Spyware | As the name says, spyware monitors your movements on the Internet and sends the information back to a central computer, which then targets you with advertising. That may sound harmless, but the category has broadened to include programs, downloaded onto your computer, that monitor your activity so heavily that the computer slows to a useless state. The spyware itself is also often nearly impossible to remove. |
| Virus | Like its biological counterpart, a computer virus needs a host: it attaches itself to a program or file and spreads when that host is run or opened, taking control of some or all of the computer's functions. The virus may destroy data or look for passwords, credit card numbers, and other sensitive data, which is often sent to another computer. A virus can also use your computer to relay spam email or pornography, or to coordinate attacks against websites on the Internet. |
| Worm | A worm is self-replicating malware that spreads over a network by itself, without needing a host file. Worms often arrive via email, read your address book, and send a copy of themselves to everyone in it, with the message made to look as though it came from you. A worm may carry a virus or other payload, but the two terms are not interchangeable: a virus needs a host program and someone to run it, whereas a worm propagates on its own. |

Specific malware families: what each one does, and how it can be repaired or removed.

The Conficker Worm

What it does:
· Terminates or disables third-party security services and software (anti-virus, firewalls, etc.)
· Resets system restore points
· Deletes backup files
· Checks for Internet connectivity and downloads arbitrary files
· Blocks users from browsing security-related websites whose URLs contain specific keywords and phrases
· Increases traffic on TCP port 445 (SMB), the port it scans and spreads over
· Denies access to administrative shares, and trips account lockout policies as it tries weak passwords against them
· Makes systems sluggish because of the increased network traffic

How it can be repaired or removed:
There are several Conficker removal tools available for download. Most anti-virus vendors have developed removal tools and/or provided instructions for removing Conficker, and links to some of these are listed below:
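The port-445 symptom in the list above can be turned into a detection. The following is an added example, not from the original page or from any vendor's Conficker tool: it runs over constructed firewall log lines (the `src=`/`dst=`/`dport=` key-value format is an assumption, not a real product's format) and flags any source that reaches an unusually large number of distinct SMB destinations within a minute, which is what a worm sweeping a subnet looks like and what a legitimate client talking to one file server does not.

```python
"""Flag hosts that open SMB (TCP/445) connections to many distinct peers in a
short window, the network symptom of a Conficker-style worm scanning a subnet.
Added example on constructed log lines; the key=value log format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall/flow log format (not a specific product's):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_smb_scanners(lines, distinct_hosts=10, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct port-445 destinations seen within any
    `window`} for every source whose peak reaches `distinct_hosts`.
    Lines are assumed to be in time order per source (not necessarily globally)."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the window
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("dport") != "445":
            continue  # unparseable line, or not SMB
        src, dst = m.group("src"), m.group("dst")
        ts = datetime.fromisoformat(m.group("ts"))
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # evict connections older than the window
        distinct = len({d for _, d in q})
        if distinct > peak.get(src, 0):
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= distinct_hosts}


def constructed_log():
    """Constructed sample traffic: one host sweeping the /24 on 445 (worm-like),
    one host repeatedly talking to a single file server (normal), one web request."""
    base = datetime(2009, 1, 15, 10, 0, 0)
    lines = []
    for i in range(1, 31):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 proto=tcp action=deny")
    for i in range(40):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=10.0.0.7 dst=10.0.0.50 dport=445 proto=tcp action=allow")
    lines.append(f"{base.isoformat()} src=10.0.0.8 dst=192.0.2.10 dport=80 proto=tcp action=allow")
    return lines


if __name__ == "__main__":
    for src, n in find_smb_scanners(constructed_log()).items():
        print(f"{src}: {n} distinct SMB targets within 60s, investigate for Conficker")
```

The threshold and window are the tuning knobs: a file server or a vulnerability scanner will legitimately touch many hosts on 445, so exempt those addresses rather than raising the threshold until the worm hides under it.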

Malicious Social Networking: Koobface Worm

How it can be repaired or removed:
A good first line of defense against this family of malware is security awareness. If users are trained not to click links in unsolicited or suspicious posts and to treat plug-in installation prompts with caution, the social-engineering infection vector is severely limited. Trained users, combined with reputation-based network filtering and locally installed anti-malware, round out a good defense against Koobface. For corporate entities, a ban on non-work-related social networking sites may limit the corporate exposure to this family.

PDF Malware Overview

What it does:
A buffer overflow combined with heap spraying is the most common exploitation technique used by malicious PDFs. The overflow targets one or more of the PDF reader's parsing engines: the file feeds the parser data that runs past the end of a buffer boundary and overwrites whatever lies beyond it, such as a return address or function pointer, so that execution can be redirected to an address the attacker chooses. The attacker's aim is for that redirected execution to land in shellcode (a small program written in machine code) that gives the attacker control over the system.
The attacker rarely controls exactly where the shellcode ends up in memory, so the exploit improves its odds by placing many copies of the shellcode, each preceded by a long run of no-op instructions (a NOP sled), across the heap; a jump to a guessed address then has a high chance of landing in one of the copies. This technique of writing shellcode to many heap memory areas is known as heap spraying, and in PDFs it is normally done by JavaScript embedded in the document.
How it can be repaired or removed:
A good enterprise defense against PDF malware begins with strong email and web filtering. The goal of this layer is to greatly reduce the volume of malicious PDFs that reach the enterprise's internal systems. The malicious PDFs that get through the initial filtering layer should be further reduced by passing them through layers of IPS, anti-virus scanning, and potentially sandboxing technology. The small percentage of PDF malware that reaches the end user is, hopefully, met by a well-trained and aware user who knows the potential dangers lurking in suspect PDFs.
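A first-pass filter of the kind described above can be done statically, without ever opening the file in a reader. The following is an added example, not code from the original page or from any filtering product: it looks for the dictionary keys that make a PDF execute something on open (/OpenAction, /AA, /Launch, /JavaScript, /JS), inflates /FlateDecode streams so a script hidden in a compressed object is inspected too, and flags the heap-spray idiom from the exploitation description above (a %u-escaped NOP/shellcode string being doubled in a loop). The sample PDFs it runs on are constructed inside the block, not real specimens, and the "shellcode" is only NOPs and breakpoints.

```python
"""Static triage of a PDF for the indicators an email/web filter keys on:
actions that run on open, embedded JavaScript, and the heap-spray idiom.
Added example; the sample PDFs are constructed here, not real specimens."""
import re
import zlib

# Dictionary keys that make a reader execute something when the file is opened/rendered.
ACTION_KEYS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS")

# Heap-spray idiom: a %u-escaped NOP/shellcode string, and a block being doubled
# in a loop until it is large enough to fill a predictable region of the heap.
SPRAY_UNESCAPE = re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){4,}", re.I)
SPRAY_LOOP = re.compile(rb"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]+\s*\)\s*\w+\s*\+=\s*\w+", re.I)

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def decoded_streams(pdf):
    """Yield each stream body, inflating /FlateDecode streams so a script hidden
    in a compressed object is inspected too; undecodable streams are yielded raw."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        header = pdf[max(0, m.start() - 256):m.start()]  # the object's dictionary
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # corrupt or non-zlib data: scan the raw bytes instead
        yield body


def triage_pdf(pdf):
    """Return the indicators found in the raw file and in its decoded streams."""
    views = [pdf, *decoded_streams(pdf)]
    found = {
        "action_keys": sorted({k.decode() for v in views for k in ACTION_KEYS if k in v}),
        "unescape_spray": any(SPRAY_UNESCAPE.search(v) for v in views),
        "spray_loop": any(SPRAY_LOOP.search(v) for v in views),
    }
    found["suspicious"] = bool(found["action_keys"]) or found["unescape_spray"] or found["spray_loop"]
    return found


# Constructed script in the shape of a heap spray (no working shellcode: NOPs and int3s).
SPRAY_JS = (b'var shell = unescape("%u9090%u9090%u9090%u9090%ucccc%ucccc");\n'
            b'var block = unescape("%u9090%u9090");\n'
            b'while (block.length < 0x40000) block += block;\n'
            b'var spray = []; for (var i = 0; i < 200; i++) spray[i] = block + shell;\n')

# Constructed benign file: no actions, no script, no streams.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_pdf(js, compress):
    """Constructed PDF whose /OpenAction runs `js`, optionally inside a
    /FlateDecode stream as real malicious PDFs do to dodge keyword filters."""
    data = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << " + filt + b"/Length " + str(len(data)).encode() + b" >>\nstream\n"
            + data + b"\nendstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print("benign:", triage_pdf(BENIGN_PDF))
    print("spray, compressed:", triage_pdf(build_sample_pdf(SPRAY_JS, compress=True)))
```

A keyword-only scan of the raw bytes would miss the compressed variant entirely, which is why the stream decoding matters more than the regexes; a production filter would also handle the other stream filters (/ASCIIHexDecode, /LZWDecode, filter chains) and object streams, which this example does not.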
One very powerful augment to this defensive approach is the implementation of application controls that limit potentially malicious PDF reader behavior. Examples of application controls include:
1. Disabling JavaScript support within the PDF reader
2. Disabling automatic rendering of PDFs in the browser
3. Blocking the PDF reader from accessing the filesystem and network resources, using host IPS, process control, or process whitelisting technology
While application controls can be very effective, they may break some desirable user functionality and may prevent the reader from patching itself. Both obstacles can be overcome, but care should be taken when imposing these controls.

Mac Flashback Malware

What it does:
The simple answer is that the software was designed to do exactly that. In its initial incarnation, the malware looked very similar to Adobe's Flash installer. It didn't help that Apple hasn't shipped Flash on its computers for well over a year, arguably creating a pool of users more likely to run the installer in order to view popular websites that rely on Flash. In its newer Java-related variants, the software could install itself without the user having to click on anything or provide a password.
What also didn't help is the way Apple deals with Java. Instead of simply using Java's current public release, the company creates and maintains its own versions. As it turns out, the malware writers exploited one particular vulnerability (CVE-2012-0507) that Oracle patched in February 2012; Apple didn't get around to fixing its own Java version until April.

How it can be repaired or removed:
Using one of the aforementioned tools from F-Secure or Norton will automatically remove the malware from your computer without any further steps. If you are, for some reason, wary of using one of these third-party tools, CNET's Topher Kessler provides a step-by-step guide to removing Flashback from your Mac. That process requires opening Terminal and running the commands in the guide, then tracking down where the infected files are stored and manually deleting them.
For good measure, it's also a good idea to change your online passwords at financial institutions and other secure services that you used while your computer was compromised. It's unclear whether this data was being targeted, logged, and sent as part of the attack, but it's a smart precaution that's worth taking regularly.
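The manual check behind the Terminal step above can be scripted. The following is an added example, not part of the original page or of the CNET guide: the published Flashback removal instructions check whether DYLD_INSERT_LIBRARIES has been set in the LSEnvironment dictionary of a browser's Info.plist or in ~/.MacOSX/environment.plist, the hooks the malware used to load its library into the browser, and neither is present on a clean system. The plists below are constructed, and the library path in the infected ones is a placeholder, not a real Flashback filename.

```python
"""Check the two places the Flashback removal guides look for its library-injection
hook: DYLD_INSERT_LIBRARIES in a browser's Info.plist LSEnvironment dictionary and in
~/.MacOSX/environment.plist. Added example on constructed plists."""
import plistlib


def flashback_indicators(info_plist, env_plist=None):
    """Return 'where: library' strings for every DYLD_INSERT_LIBRARIES entry found.
    An empty list means neither hook is present, which is the clean state."""
    hits = []
    info = plistlib.loads(info_plist)
    lib = info.get("LSEnvironment", {}).get("DYLD_INSERT_LIBRARIES")
    if lib:
        hits.append(f"LSEnvironment: {lib}")
    if env_plist is not None:
        env = plistlib.loads(env_plist)
        lib = env.get("DYLD_INSERT_LIBRARIES")
        if lib:
            hits.append(f"environment.plist: {lib}")
    return hits


def _plist(body):
    """Wrap a dict body in the XML plist envelope (constructed test data)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>\n').encode()


# Constructed plists. The .dylib path is a placeholder, not a real Flashback filename.
CLEAN_INFO = _plist("<key>CFBundleIdentifier</key><string>com.apple.Safari</string>")
INFECTED_INFO = _plist(
    "<key>CFBundleIdentifier</key><string>com.apple.Safari</string>"
    "<key>LSEnvironment</key><dict>"
    "<key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example_hook.dylib</string>"
    "</dict>")
INFECTED_ENV = _plist(
    "<key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example_hook.dylib</string>")

if __name__ == "__main__":
    # On a real Mac you would read /Applications/Safari.app/Contents/Info.plist
    # (and Firefox's) plus ~/.MacOSX/environment.plist with open(path, "rb").
    for label, args in (("clean", (CLEAN_INFO,)), ("infected", (INFECTED_INFO, INFECTED_ENV))):
        print(label, flashback_indicators(*args) or "no injection hook found")
```

Finding a hook only tells you the file the malware loads; removing the plist entry without deleting that library (and any launch agent that re-creates the entry) leaves the infection in place, which is why the manual guide has you track the files down as well.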