Threat & Virus best practices

Denver Security & Compliance User Group

March 17, 2010

Presenter: Chris Sandalcidi, CISSP - Symantec

Working with Support

Submitting Samples

Current Common Threats and Prevention

Threat Landscape

Threat Primer

Contents

1

2

3

4

5

How Symantec Stacks Up6

2

Threat & Virus

best practic

es

1ThreatPrimer

3

Threat & Virus

best practic

es

Virus Spread by infecting good files (hosts)

Worm Spreads by copying itself to other machines

Trojan Horse Does not spread itself.

Definitions of Threats

Info Stealers Steals information

Backdoors Allows unauthorized access

Downloaders Downloads additional threats

Browser Helper Objects Loads into a browser

Rootkits Hides files from user/OS

Risk Any file that is not malicious but could pose a

threat to security. (Not listed as a “threat”)

Threat A threat is a circumstance, event, or person with the potential to cause harm to a system

4

Threat & Virus

best practic

es

2ThreatLandscape

5

Threat & Virus

best practic

es

Brave New World

Threats are being re-written, and re-packed at such a fast rate, that the reliance of “reactive technology”, like signature based AntiVirus, alone is no

longer sufficient.

6

Threat & Virus

best practic

es

Escalating Threat Landscape

• 524% increase in threats over the second half of 2007

• More detections were created in 2008, than in all the other years combined.

• In 2003 Symantec released an average 5 definitions a day, in 2007 - 1431 daily

• At the beginning of 2008 Symantec was releasing 7500 definitions daily

Source: Symantec Security Response

• In 2009 we started releasing up to 12,000 new detections a day, and by June had days where over 20,000 new detections were released.

7

Threat & Virus

best practic

es

3Current

Common Threats

8

Threat & Virus

best practic

es

Autorun Worms

Autorun worms use the Autorun.inf file to automatically launch and spread across an environment. The Autorun.inf file is used by Windows

to launch executables whenever a drive is mounted, be it USB, local, or a network drive.

Example A: W32.Silly and its variants.The Silly family of threats use Autorun.inf to spread across the environment and then download secondary threats in the form of revenue generating software.

Example B: W32.Sality.AESality is a fast moving, file infecting virus, that is capable of disabling SAV/SEP remotely and the infecting the target machine from the host. There are so many re-packed variants that almost every outbreak include one or more new threats. This is one of the most destructive viruses we have seen in awhile.

9

Threat & Virus

best practic

es

Browser Helper Objects (BHO’s)

BHO’s plug into most browsers, but as a threat they generally target Windows Explorer and Internet Explorer

Example: Trojan.Vundo3rd party research estimates a new Vundo variant is created every 3.5 minutes for the last year or so. Vundo is a revenue generating Trojan that downloads additional threats to the system.They are generally spread through Adobe flash vulns and email and then download new variants of itself to keep it up to date.

10

Threat & Virus

best practic

es

4Finding and

Submitting a File

11

Threat & Virus

best practic

es

Finding a Suspect File (ESUG LPDU)

The Enterprise Support Utilities Group Load Point Diagnostic Utility or LPDU is used to collect data on all the common load points for threats on

a machine. Support trains front line engineers to use this utility to find threats quickly.

To access this tool open a Support case and request help with finding a new threat, we will work with you to see if it is right for your case.

We can move much faster with all the data.

12

Threat & Virus

best practic

es

What makes a file suspect?

• Name – Misspelled or “spoofed” names. (Microsofts, SVCH0ST)

• Version – Missing or overly simple version information (1.0.0.1)• Size – Between 50 and 500k• Creation date – within the last two months

Remember we are looking for Portable Executable files, first.

.EXE .BAT .COM .PIF .SCR

.DLL .VBS .SYS

And then we are looking for these other types:

13

Threat & Virus

best practic

es

Submitting The Suspect File

Submissions should be made to Security Response through the submission website.

BCS customers should submit through https://submit.symantec.com/bcsEssential customers should submit through https://submit.symantec.com/essentialBasic customers should submit through https://submit.symantec.com/basic

Once the file is submitted you will receive:• A tracking email and number within about an hour.

• A closing email with additional information about the files and detections.

Symantec policy states that at no time are Symantec employees, outside of Security Response, permitted to accept suspect or malicious code. Please do not send a sample via email.

You should also consider submitting to Threat Expert for an automated technical description of the threat within a few minutes

14

Threat & Virus

best practic

es

15

Threat & Virus

best practic

es

Submit to Threat Expert

• http://www.threatexpert.com/submit.aspx

16

Threat & Virus

best practic

es

5Working with

Support

17

Threat & Virus

best practic

es

In each of these cases it is important to note what services we can offer, and what is

appropriate advice for the circumstances.

Does Symantec know about Virus X?

….and am I protected?

Case Type 1I think I may have a virus

but I cant detect it.

Case Type 2

Standard Types of Virus Cases

I am in a full outbreak and have multiple

machines infected.What do I do?

Case Type 3

18

Threat & Virus

best practic

es

Case Type 1: Does Symantec know about Virus X? and am I protected?

Email-Worm.Win32.Nyxem.e

MyWife.d@MM

W32/MyWife.d@MM!M24

Tearec.A W32/Nyxem-D

W32.Blackmal.E@mm

????????

Difficulties:• Virus names differ from vendor to vendor

• Viruses may re-use files names or may use different file names for the same virus variant.Example: Use Google to search for the file name “internat.exe”

• Small difference in variants can make a big difference in detection.Example: Look at the differences between W32.Spybot.AKNO and W32.Spybot.ACYR

• We may add 100s of different variants to each virus family a day. It is impossible to tell if we have detection without a sample

Solutions:• Virus Submission – Best

A virus submission is the only way we can confirm that the threat that the customer is concerned about is one we already detect, or can add detection for.

• URL Investigation – Good If the customer knows a site or link that the suspect file was downloaded from Security Response can get the file and check it. – Don’t check it yourself.

19

Threat & Virus

best practic

es

Case Type 2: “I think I might have a virus but I cant detect it.”

Questions:

1. What is going on that makes you think you have a virus?Behavior can sometimes tell you where you need to start, or at least what you may be dealing with.

2. Are Virus Definitions up to date?Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file

3. Have you ran a scan, with the most up to date defs?Tasks:

1. Start a scan with current virus definitions.

2. Suggest the customer check “Common Load Points”

3. Help the customer check “Common Load Points” (ESUG LPDU or manually)Important Note:

With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode.

Other Important Note:

Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed.

20

Threat & Virus

best practic

es

Case Type 3: “I am in a full outbreak and have

multiple machines infected. What do I do?”

Questions:

1. What is going on that makes you think you have an outbreak? (1200 x 1%= 12)

2. Are Virus Definitions up to date? Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file. Note this for all infected systems

3. Have you run a scan, with the most up to date defs? (Do this for 1 or 2 systems, if it works, make this part of your 1st step)

Tasks:

1. Start a scan with current virus definitions.

2. Suggest the customer check “Common Load Points”

3. Help the customer check “Common Load Points” (ESUG LPDU or manually)Important Note:

With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode.

Other Important Note:

Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed.

21

Threat & Virus

best practic

es

6Missed

Detections and

False Positives

22

Threat & Virus

best practic

es

False Positives vs Detection Rates (18 months)

Source: http://www.av-comparatives.org 23

Threat & Virus

best practic

es

0

20000

40000

60000

80000

100000

120000

1 2

2000 Threats:11560

2009 Threats:113698

Missed Detections, 150

Missed Detections, 1478

Missed Detections

Total Threats

If Symantec is detecting 98.7% of the threats, why does it seem like we have MORE Outbreaks recently?If we apply the same detection rate to the amount of new threats as seen each year, the answer becomes more clear.Symantec Detection Rate = 98.7%Missed Detections = 1.3%

24

Threat & Virus

best practic

es

1. Identify The Threat

2. Identify The Machine

3. Quarantine The Machine

4. Clean The Machine

5. Prevent Re-Infection

The 5 Steps to Virus Troubleshooting

During an outbreak it is important that we have a game plan of what to do and in what order to do it.

25

Threat & Virus

best practic

es

There is no Magic Solution

Threat & Virus

best practic

es

26

But proper settings help

Like using real world setting for AV and Truscan

Default settings may have worked when product shipped

27Period

Nu

mb

er

of

sig

na

ture

s

SAV 9

SEP 11

SAV 10

Threat & Virus best practices

They don’t provide the best protection now

Threat & Virus

best practic

es

28

SEP AV Security Setting Default Settings High Security PolicyResponse Recommended

Lock settings Some Some AllRemediation – terminate processes No No YesRemediation – terminate services No No YesAP action taken for security risks Quarantine/Log Quarantine/Log Quarantine/DeleteNetwork AutoProtect Disabled Enabled Enabled*Bloodhound Level Default (2) Default (2) Maximum (3)*

Truscan Default SettingsResponse Recommended

Scan Sensitivity 9/Low 100

Action on detection Log Terminate

Scan Frequency 1:00 00:15

Additional Resources

29

Threat & Virus

best practic

es

Helpful links

• Security Response public blog:http://www.symantec.com/business/security_response/weblog/

• Internet Security Threat Report:http://www.symantec.com/business/theme.jsp?themeid=threatreport

• Submission Websitehttps://submit.symantec.com/(TYPE ENTITLMENT HERE)

• Threat Experthttp://www.threatexpert.com/submit.aspx

30

Threat & Virus

best practic

es