Copyright 2009 Trend Micro Inc.
RSU Threat Training
Sophon Ponglaksamana : Technical Account Manager
Agenda
- What is a computer virus?
- Types of computer viruses
- How computer viruses spread
- Why computers get infected with viruses
- Checking whether a computer is infected
- How computer viruses get in and attack
- How to protect against computer viruses
- Precautions when opening files such as email and data files
Agenda
- Trend Micro virus scanning software
- Tools to protect against viruses from flash drives, such as autorun killer and USB security
- How virus scanning software works
- Searching the Internet for virus removal methods
- Recommended virus removal websites
- Demonstration of virus prevention and removal techniques
- What is a computer virus?
- Types of computer viruses
Threat Environment Evolution to Crimeware
[Figure: timeline of rising complexity, 2001, 2003, 2004, 2005, 2007]
- Vulnerabilities, worms/outbreaks
- Spam, mass mailers
- Spyware
- Intelligent botnets
- Web-based malware attacks
- Crimeware: multi-vector, multi-component, Web-based, polymorphic, rapid variants, single instance, single target, regional attacks, silent and hidden, hard to clean, botnet enabled
What are the types of virus/malware?
• Joke program: A virus-like program that often manipulates the appearance of things on a computer monitor.
• Trojan program: An executable program that does not replicate but instead resides on systems to perform malicious acts, such as opening ports for hackers to enter. Traditional antivirus solutions can detect and remove viruses but not Trojans, especially those already running on the system.
• Virus: A program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes.
• Test virus: An inert file that acts like a real virus and is detectable by virus-scanning software. Use test viruses, such as the EICAR test script, to verify that your antivirus installation scans properly.
• Packers: A compressed and/or encrypted Windows or Linux executable program, often a Trojan horse program. Compressing executables makes packed files more difficult for antivirus products to detect.
• Others: Virus/malware not belonging to any of the above categories.
• Generic: A potential security risk. Trend Micro considers a "generic" virus/malware a potential security risk based on its behavior and characteristics.
What are the types of spyware/grayware?
• Spyware: Gathers data, such as account user names and passwords, and transmits them to third parties
• Adware: Displays advertisements and gathers data, such as user Web surfing preferences, used for targeting advertisements at the user through a Web browser
• Dialer: Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. These are often pay-per-call or international numbers that can result in a significant expense for your organization
• Joke program: Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes
• Hacking tool: Helps hackers enter computers
• Remote access tool: Helps hackers remotely access and control computers
• Password cracking application: Helps hackers decipher account user names and passwords
• Others: Other types of potentially malicious programs
- How computer viruses spread
- Why computers get infected with viruses
- How computer viruses get in and attack
Enterprise Endpoints: the ultimate targets
Web threats: viruses, Trojans, bots, rootkits, spyware, adware, key loggers, information stealers
Messaging threats: worms, viruses, phishing, pharming, spam
Network threats: network worms, hacking, DoS
IT Environment Changes: Threat Landscape
• Exponential growth in malware
– 3 new unique malware every second
– Profit drives sophistication and "quality" of malware
• Web is the #1 infection vector
– Even legitimate sites spread malware
– 90% of all new malware leverages the Web
• Vulnerabilities are exploited faster
– 74% of attacks emerge the same day as patches
– 89% of attacks work remotely, over the network
[Figure: Web-based attacks]
IT Environment Changes: Challenge: Traditional Approaches Fail
[Chart: unique threat samples per hour, ten yearly bars with the axis labelled 2007 to 2015: 57; 205; 799; 1,484; 2,397; 3,881; 6,279; 10,160; 16,438; 26,598]
Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap
Signature files are becoming too big
• Increase impact on endpoint resources
• Unpredictable increase of client size
Patches cannot be deployed in time
• Systems remain exposed to exploits
• Average time to patch was 55 days in 2009
High Impact Threats
• Compromised Website (Italian Job)
[Diagram: MPack server (malware site); a group of web sites, ONE.COM through SIX.COM, with IFRAMEs pointing to the malware site]
1. User goes to six.com
2. The IFRAME in six.com connects to the MPack server
3. The MPack server serves malicious code to the user
How ARP Works?
[Diagram: Host A (192.168.1.3), Host B (192.168.1.2), Host C (192.168.1.1, the gateway), Host D (192.168.1.4)]
Host A is sending an ARP request: "Who has 192.168.1.1?"
Host B is sending an ARP response: "I have 192.168.1.1. My MAC address is [Host B MAC address]"
Man in the middle: Host B now acts as the gateway ("Be gateway now")
Web threat and PE virus relationship
1. Malicious user deploys TSPY_LINEAGE on the web
2. Malicious user deploys PE_LOOKED to infect files and propagate via network shares across the network of computers
3. PE_LOOKED downloads TSPY_LINEAGE from the web
4. TSPY_LINEAGE steals information and sends it to the malicious user
From the Trend Micro 2009 Annual Threat Report Roundup:
• Social networking sites will grow as targets
• Social engineering will become increasingly prevalent and clever
• Unlike the global economy, the underground economy will continue to flourish
Details of Black Hat Attack
Passive attack:
• Google Hacking
• WhoIs Query
• Social Community
• Offline Research
Active attack:
• Web Crawling
• Network Scanning/Mapping
• Port Scanning
• Vulnerability Scanning
• OS Fingerprinting
• Enumeration
• Social Engineering
• Malware Propagation
• Malware Acquisition and Execution (by the user)
• Active Exploit
• Malware Placement and Execution (by the hacker)
• Malware Infection Behavior (File Infection, Program Hijacking, AV Retaliation, Process Termination, System Restriction, etc.)
• Malicious Payload (Information Theft, Denial-of-Service, Backdoor, Agents, etc.)
• Hacking Tools, Remote Access Tools
• Detection Avoidance (Covert Channel, Rootkit, Polymorphism, Fast Update Mechanism, File System Manipulation, Multiple-variant deployment, Login Hijacking, Use of Normal Applications, etc.)
[Diagram label: Line of Successful Infection]
Cybercriminals will formulate more direct and brazen extortion tactics to gain quicker access to cash
• Malware developers, anti-detection vendors, and botnet herders are becoming better at their “jobs”
Business as usual for botnets but heavier monetization by botnet herders
• Bot masters will aim for faster monetization
• “Pay-per-install” business model
Mobile threats will have more impact.
• Consumer acceptance of mobile phone-based financial activity is increasing
• Two distinct handset-based (albeit rudimentary) botnets were detected in 2009
Compromised products come straight from the factory.
• Devices that have been tampered with before they reach the shelves are increasing
– Media players
– Other USB devices
– Digital photo frames
• Even "known good" software runs the risk of being embedded with a malware component
Web threats will continue to plague Internet users.
• Poisoned searches
• More malicious scripts, less binaries
• Malvertisements
• Application vulnerabilities
Web threats will continue to plague Internet users.
• Attack possibilities even in cloud-based scenarios
- Manipulating the connection to the cloud
- Attacking the cloud itself
- Cloud vendor data breaches
Man-In-The-Middle (MITM) Attack
• ARP Spoofing/Poisoning (active sniffing)
– The poisoned ARP reply contains the IP of the destination with the MAC address of the MITM host
• DNS Poisoning
– Provides fake DNS information to redirect network traffic to a malicious destination
– (DNS spoofing, proxy server DNS poisoning, DNS cache poisoning, pharming, etc.)
• Session Hijacking
– Taking control of a TCP session exchanged between two computers
– Done by altering the sequence number of the TCP session
[Diagram: Source to Man-In-The-Middle to Real Destination]
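The ARP diagram earlier (Host B answering "I have 192.168.1.1" for the gateway) and the ARP poisoning bullet above describe what a poisoned binding looks like on the wire. The Python below is an added defender-side example, not code from the original deck or from Trend Micro: it learns IP-to-MAC bindings from observed ARP replies, pins the gateway's MAC, and alerts when another MAC claims the gateway or when one MAC ends up answering for several IPs. The hosts, MAC addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a LAN sensor would record it (fields are constructed)."""
    sender_ip: str
    sender_mac: str
    timestamp: int  # plain second counter for the example


class ArpWatch:
    """Learn IP-to-MAC bindings from ARP replies and alert when one changes.

    The gateway binding is pinned: it is configured up front (or taken from
    the first reply seen) and never overwritten, so every later reply that
    claims the gateway IP from a different MAC is reported as poisoning.
    Other hosts may legitimately change MAC (DHCP churn, NIC swap), so those
    changes are recorded as warnings and the new binding is accepted.
    """

    def __init__(self, gateway_ip: str, gateway_mac: str = ""):
        self.gateway_ip = gateway_ip
        self.bindings = {}
        if gateway_mac:
            self.bindings[gateway_ip] = gateway_mac.lower()
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Feed one reply; return an alert dict, or None when nothing is wrong."""
        mac = reply.sender_mac.lower()
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = mac
            return None
        if known == mac:
            return None
        alert = {"ip": reply.sender_ip, "expected_mac": known,
                 "claimed_mac": mac, "at": reply.timestamp}
        if reply.sender_ip == self.gateway_ip:
            alert["severity"] = "critical"
            alert["reason"] = "gateway IP claimed by another MAC (ARP poisoning)"
        else:
            alert["severity"] = "warning"
            alert["reason"] = "IP-to-MAC binding changed"
            self.bindings[reply.sender_ip] = mac
        self.alerts.append(alert)
        return alert

    def duplicate_macs(self):
        """MACs currently bound to more than one IP: a MITM host answers for several."""
        by_mac = {}
        for ip, mac in self.bindings.items():
            by_mac.setdefault(mac, []).append(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed replay of the slide's LAN: Host C (192.168.1.1) is the gateway,
# Host A is 192.168.1.3, and Host B (192.168.1.2) answers for IPs it does not own.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:cc"
SAMPLE_REPLIES = [
    ArpReply("192.168.1.3", "00:11:22:33:44:aa", 1),   # Host A, legitimate
    ArpReply("192.168.1.2", "00:11:22:33:44:bb", 2),   # Host B, legitimate
    ArpReply("192.168.1.1", "00:11:22:33:44:cc", 3),   # gateway, matches pinned MAC
    ArpReply("192.168.1.1", "00:11:22:33:44:bb", 10),  # Host B claims the gateway IP
    ArpReply("192.168.1.3", "00:11:22:33:44:bb", 11),  # Host B also claims Host A's IP
]


def run_sample() -> ArpWatch:
    """Replay SAMPLE_REPLIES through a watcher pinned to the real gateway MAC."""
    watch = ArpWatch(GATEWAY_IP, GATEWAY_MAC)
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch


if __name__ == "__main__":
    w = run_sample()
    for a in w.alerts:
        print(a["severity"].upper(), a["ip"], a["expected_mac"], "->", a["claimed_mac"], a["reason"])
    print("MACs answering for several IPs:", w.duplicate_macs())
```

On a real network the replies would come from a packet capture on the segment; the gateway MAC should be taken from the router's configuration rather than learned, since the first reply seen may already be the poisoned one.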
DNS Poisoning Attack
[Diagram: the victim's lookups go through a poisoned DNS on the ISP side, so a victim asking for the legitimate website www.google.com is sent to the fake website www.g00gl3.com]
Cybercriminals will use social media and social networks to enter users’ “circle of trust.”
• Social engineering will continue to play a big role in threat propagation
• Social networks will be ripe venues for stealing PII
Web Server Attack/Compromise
• Cross-Site Scripting (XSS)
– Crafted URI: <legit URL> + <injected malicious javascript>
– Example: victimwebsite.com/default.asp?name=<script>evilScript()</script>
• SQL Injection
– Use of SQL statements to directly access the DB behind a web server
• IFRAME Injection
– Injection of foreign IFRAME scripts into a target victim web page
• Other web application exploits that enable the attacker to modify the web server for the purpose of…
– Redirecting users to a malicious website (disease vector)
– Implementing a drive-by download
Effects of Web Server Attack: Website Defacement
[Screenshot: compromised website]
Denial-of-Service Attack (DoS)
• DoS prevents authorized users from accessing a computer or network
• Types of DoS attack: Smurf, Ping-of-Death, SYN flood, Teardrop, etc.
• DoS involving two or more attacking hosts is called distributed denial-of-service (DDoS).
[Diagram: infected machines launch the DoS attack against the attacked server; clients see "Request Timed Out" and "Host Not Found"]
Exploit Packets
• Exploit packets are crafted packets (that cause a buffer overflow) which contain code (a payload) that takes advantage of a certain vulnerability on the target machine
• A zero-day exploit is an exploit that is found in the wild before or on the same date that the vulnerability was discovered.
[Diagram: Security Exposure, Vulnerability, Exploit]
Exploit Terminologies and Concepts
[Diagram: malware file, exploit]
• A vulnerable system is a particular OS version that contains a certain version of a Windows DLL which is used by a particular application.
• Certain versions of Windows DLLs contain functions which are vulnerable and can be exploited.
• Exploit worm malware usually has code that simulates a file server that provides the malware copy to exploited machines.
• The worm malware contains exploit code whose main task is to cause the vulnerable application to crash.
• The malicious routines that the exploit will perform are called shellcode, which connects to the malware file server to download the malware to the system.
Exploit Worm Operating Algorithm
[Diagram: infected system sending exploits to 192.168.100.2 and 192.168.100.3]
1. The malware will first enumerate all machines in the network and find out the IP addresses of the connected machines.
2. It will then set up an FTP/HTTP server which will wait for requests from any exploited machine.
3. If the machine is vulnerable, then the exploit packet will cause the affected application to hang and the exploit shellcode will trigger.
4. The exploit shellcode will connect back to the malware FTP/HTTP server to download the malware copy to the exploited system and execute the malware in the system.
Command & Control (C&C) or Backdooring
• A backdoor has two (2) components: a client and a server component
• The server component (acting as the bot client/zombie) is the infecting malware that opens up backdoor communication, receives commands from a C&C server, and executes them
• The client component (or hacker console) enables the cyber criminal to send commands and take control of the machine(s) infected by the server component
• A backdoor client system that controls many server components or bots is called, in layman's terms, a "command and control" or C&C server.
Information Theft
[Diagram: cyber theft from the victim's machine of]
• Logged keystrokes
• Personal/confidential files
• Email addresses
• System information
• Application serial keys
• Account credentials
• Browser history
- How to protect against computer viruses
- Precautions when opening files such as email and data files
Worms
Email Worm
IM Worm
Network Worm
Malware started from a simple program called "Elk Cloner"
"It will get on all your disks / It will infiltrate your chips / Yes it's Cloner! / It will stick to you like glue / It will modify ram too / Send in the Cloner!"
• Most mobile malware threats to date cannot be called serious; however, we have seen several that have capabilities similar to information stealers on desktop systems.
• WINCE_INFOJACK.A – runs on Windows CE/Mobile devices; has information stealing capabilities, as well as changing the security settings of the mobile device.
• SYMBOS_YXES.A and SYMBOS_YXES.B – run on Symbian devices; also have information stealing capabilities; the .B variant can also spam user contacts on the phone
Early Mobile Networking
Bluetooth Hijacker
The Age of Mobile Computing
Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the internet.
The latest trend is "iPhone Mania"
• However, while attacks based on malicious files on mobile devices are limited, there is nothing that stops Web-based threats from working on Internet-capable mobile devices.
• Example: phishing attacks can be carried out whatever the platform.
• FAKEAV alerts appear on any system, even iPhones
iPhone Jailbreaking: The possibilities are endless.
Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began experiencing a pop-up ransomware (due to IP scanning via the Internet). The pop-up window notifies the victim that the phone has been hacked, and then sends that victim to a website where a $5 ransom payment is demanded to remove the malware infection.
The worm would install a wallpaper of the British 1980's pop star Rick Astley onto the victim's iPhone, and it succeeded in infecting an estimated 21,000 victims within about a week in Australia.
FakeAV Review
• FakeAV "official" websites: XpAntivirusonline.com, XPOnlinescanner.com, XPSecuritycenter.com, XPAntispyware.com, XPAntiviruspro.com, XPAntivirus2008.com, XPAntivirus-scanner.com, XPAntivirus.com, XPAntivirussite.com, FileShredder2008.com, XPDownloadings.com, CleanerMaster.com
FakeAV still alive in 2009 and 2010
• XPVirusProtection, TotalVirusProtection, MalwareDoc (ref: http://www.lavasoft.com/mylavasoft/company/blog/2-new-rogue-antivirus-programs)
• Anti-Virus-1 (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-anti-virus-1.html)
• AntiSpyware Protector, System Guard Center, Privacy Components (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-security-products.html)
• SpyBurner, XpyBurner System Tuner, HDriveSweeper (ref: http://sunbeltblog.blogspot.com/2009/02/new-rogue-xpyburner.html)
Reality Check on Fake AVs
Why do they keep recurring? Because the malware is updated by the minute, the websites are bought and spring up again on another host, the malware authors know they are being detected and so keep innovating, and we did not have a complete sample from the first visible case of the malware since it was not deemed a noteworthy case at the time.
Regional Web Threats: compromised website samples (screenshots)
Malware File Hunt Down
• Directory / folder
– Program Files
– System32
– Windows
– C:\
Malware File Hunt Down
• Date and time stamp
– Most recent files that were added or modified
– Locate malware component files
[Screenshot: 4 suspected files were recently added to the system; 2 of them arrived at the same time, indicating that an installer or Trojan dropper had placed these files.]
Malware File Hunt Down
• Filename
– Wrong spelling (e.g. svchost.exe vs. scvhost.exe)
– Double extension name (e.g. Nude_Britney.jpg.exe)
– Random name
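As an added example (not code from the original deck or from Trend Micro), the Python below turns the three filename heuristics on this slide, plus the "arrived at the same time" dropper clue from the date/time-stamp slide before it, into a small triage routine: it flags near-miss spellings of system file names, decoy double extensions and random-looking stems, then groups the suspects by arrival time. The list of system names and the sample file records are constructed for the example.

```python
import os
from dataclasses import dataclass

# Legitimate Windows file names that malware commonly imitates (constructed list).
KNOWN_SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "wininit.exe",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".txt", ".mp3", ".avi"}

@dataclass(frozen=True)
class FileRecord:
    path: str
    created: int  # creation time as a plain second counter (constructed)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def misspelled_system_name(name: str):
    """Legitimate name this file imitates (within two edits); exact matches are never reported."""
    name = name.lower()
    if name in KNOWN_SYSTEM_NAMES:
        return None
    best = min(KNOWN_SYSTEM_NAMES, key=lambda legit: levenshtein(name, legit))
    return best if levenshtein(name, best) <= 2 else None

def has_double_extension(name: str) -> bool:
    """Nude_Britney.jpg.exe: a decoy image/document extension in front of a real executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS

def looks_random(name: str) -> bool:
    """Flag generated-looking stems: letter/digit soup, or (almost) no vowels at all."""
    stem = name.lower().rsplit(".", 1)[0]
    if name.lower() in KNOWN_SYSTEM_NAMES or len(stem) < 8:
        return False  # short names give too little signal; known names are handled above
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "o" for c in stem]
    switches = sum(1 for x, y in zip(classes, classes[1:]) if x != y and "o" not in (x, y))
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return (bool(digits) and bool(letters) and switches >= 2) or vowel_ratio < 0.15

def cluster_by_arrival(records, window_seconds: int = 5):
    """Group records whose creation times lie within window_seconds of the previous one."""
    ordered = sorted(records, key=lambda r: r.created)
    groups, current = [], []
    for rec in ordered:
        if current and rec.created - current[-1].created > window_seconds:
            if len(current) > 1:
                groups.append(current)
            current = []
        current.append(rec)
    if len(current) > 1:
        groups.append(current)
    return groups

def triage(records):
    """Return ({path: [reasons]}, [[suspect paths that arrived together], ...])."""
    findings = {}
    for rec in records:
        name = os.path.basename(rec.path.replace("\\", "/"))
        reasons = []
        legit = misspelled_system_name(name)
        if legit:
            reasons.append("typo:" + legit)
        if has_double_extension(name):
            reasons.append("double-ext")
        if looks_random(name):
            reasons.append("random")
        if reasons:
            findings[rec.path] = reasons
    # Only suspects are clustered: legitimate OS files share install timestamps too.
    suspects = [r for r in records if r.path in findings]
    clusters = [[r.path for r in group] for group in cluster_by_arrival(suspects)]
    return findings, clusters

# Constructed sample: two legitimate system files, one old user document and
# three suspicious files that appeared within seconds of one another.
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\svchost.exe", 0),
    FileRecord(r"C:\Windows\explorer.exe", 0),
    FileRecord(r"C:\Users\alice\Documents\report.pdf", 500),
    FileRecord(r"C:\Windows\System32\scvhost.exe", 1000),
    FileRecord(r"C:\Users\alice\Downloads\Nude_Britney.jpg.exe", 1002),
    FileRecord(r"C:\Windows\xk3j9qzp.exe", 1003),
]

if __name__ == "__main__":
    found, groups = triage(SAMPLE_FILES)
    for path, why in found.items():
        print(path, "->", ", ".join(why))
    for group in groups:
        print("arrived together (possible dropper):", group)
```

These heuristics are a starting point for a manual hunt, not a verdict: an exact svchost.exe outside System32 is only caught by adding the directory check from the first hunt-down slide.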
Malware File Hunt Down
• File icon
– Spoofed icons
– Generic icons
– Shortcut link icons found on the desktop
[Screenshots:]
– Pixelated icon of a Microsoft Update warning
– Fabricated icon of Microsoft Security Center
– Legitimate icon of Microsoft Security Center, but Microsoft does not use this icon for Win32 executable files
– Legitimate normal files usually have a unique file icon
– Shortcut links can also reveal the file location of their executable; icons with explicit graphics usually attract users into clicking the icon, thus allowing the execution of the executable file
Example : Virus
WORM_DOWNAD.AD
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Initial samples received on: Dec 30, 2008
Vulnerability used: (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Payload 1: Downloads files
Payload 2: Connects to a URL
WORM_DOWNAD.AD
Replication channels
1. Via the MS08-067 vulnerability exploit
2. Via network shares, by attacking the admin password to the share
3. Via removable storage
4. Via the Internet
Victim
• Unpatched Windows
• Account with a weak password
• Autorun enabled on Windows (enabled by default)
• User with Internet access
• Highly dependent on pattern-based solutions
PE_SALITY.M Behavior Details
• Deletes entries under "Safeboot" key—possibly to prevent users from doing anything in safe mode
Example : FakeAV
The Security Challenge
• Malware threats are now being deployed in multiple variants at the same time by using sophisticated packing (compression) and encryption technology (this is the reason behind the rapid growth of undetected malware volume in the wild)
• Malware threats are now implementing an "active update" mechanism (i.e. malware binaries are being updated in less than an hour)
• Threats are now using legitimate channels to attack/infect, such as HTTP on port 80, which are not advisable to block
• Malware threats are attacking and disabling security and antivirus products
• Malware threats are using advanced stealth techniques (i.e. rootkits) to avoid detection
• Threats are using 0-day exploits to attack/infect (0-day exploits are normally unblockable)
- Trend Micro virus scanning software
- How virus scanning software works
OSCE client (screenshot)
Scan Flows – detailed (diagram)
Proof of Concept – Basic setup
• This is a basic diagram of OfficeScan which can show most of the features as a POC
![Page 62: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/62.jpg)
Client Console Scan Tab
From the Scan tab you can:
• Select the drives and directories you want to scan manually
• Begin a manual scan. The scan uses the settings configured in the client console (where the client has been granted that privilege) or in the OfficeScan management console
• Run Damage Cleanup Services (DCS)
![Page 63: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/63.jpg)
Client Console Scan Results Tab
From the Scan Results tab you can:
• View the results from the most recent manual scan
• View statistics about the most recent manual scan
![Page 64: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/64.jpg)
Client Console Log Report Tab
From the Log Report tab you can:
• View logs of virus activity on your computer
• Manage logs and assess your computer's protection
![Page 65: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/65.jpg)
Additional Functions
Real-time Monitor
• Real-time scan status
– Last file scanned
– Last virus found
• Scan statistics
– Total number of files scanned
– Number of infected files
• Scheduled scan settings
– When the scan is scheduled to run
![Page 66: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/66.jpg)
Example scan results
![Page 67: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/67.jpg)
Example scan results
![Page 68: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/68.jpg)
Example scan results
![Page 69: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/69.jpg)
- Tools for protecting against viruses on flash drives, e.g. autorun killer, usb security
![Page 70: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/70.jpg)
USB Scan
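Tools like the "autorun killer" utilities named on the previous slide work on two things: the autorun.inf that a worm drops on the flash drive, and the NoDriveTypeAutoRun policy that tells Explorer which drive types may honour it. The script below is an added example, not Trend Micro code and not the code of any such tool. It parses a constructed autorun.inf, flags the entries that launch a program or spoof the AutoPlay dialog, and decodes a NoDriveTypeAutoRun value into the drive types that still AutoRun. The severity labels, the regexes and both sample files are assumptions made for the illustration.

```python
"""autorun.inf triage for removable media (added example; all sample data is constructed)."""
import re

# Bits of the NoDriveTypeAutoRun policy value: bit position = GetDriveType() value, set bit = AutoRun disabled.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys that run a program on insert / double-click
HIDDEN_DIR_RE = re.compile(r"(^|[\\/])(recycler|recycled|\$recycle\.bin)([\\/]|$)", re.I)
SPOOF_ACTION_RE = re.compile(r"open folder|view files", re.I)


def parse_autorun(text: str) -> dict:
    """Minimal INI parser: {section_lower: {key_lower: value}}; first value wins on duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def triage_autorun(text: str) -> list:
    """Return (severity, key, reason) findings for the [autorun] section of an autorun.inf."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS:
            findings.append(("high", key, f"runs {value!r} when the drive is inserted or opened"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("high", key, f"context-menu verb runs {value!r}"))
        elif key == "shell":
            findings.append(("medium", key, f"default double-click verb changed to {value!r}"))
        elif key == "useautoplay" and value == "1":
            findings.append(("medium", key, "forces AutoPlay even where it is normally off"))
        elif key == "action" and SPOOF_ACTION_RE.search(value):
            findings.append(("medium", key, f"AutoPlay text {value!r} mimics the built-in 'Open folder' choice"))
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(("low", key, "borrows a stock shell32.dll icon so the drive looks like a plain folder"))
        if HIDDEN_DIR_RE.search(value):
            findings.append(("high", key, f"{value!r} points into a recycle-bin folder, a common hiding place"))
    return findings


def autorun_enabled_types(no_drive_type_autorun: int) -> list:
    """Drive types on which AutoRun is still enabled under the given NoDriveTypeAutoRun bitmask."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not no_drive_type_autorun & bit]


# Constructed samples (not real worm files).
MALICIOUS_INF = r"""
[AutoRun]
; worm-style autorun.inf: every action on the drive runs the dropped executable
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""
BENIGN_INF = """
[autorun]
icon=vendor.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for sev, key, reason in triage_autorun(MALICIOUS_INF):
        print(f"[{sev:6}] {key}: {reason}")
    print("benign findings:", triage_autorun(BENIGN_INF))
    print("XP default 0x91 still AutoRuns on:", autorun_enabled_types(0x91))
    print("0xFF still AutoRuns on:", autorun_enabled_types(0xFF))
```

The 0x91 decode shows why the flash-drive problem existed: the Windows XP default leaves AutoRun on for removable, fixed and CD-ROM drives, so a dropped autorun.inf runs as soon as the drive is opened. Setting NoDriveTypeAutoRun to 0xFF (all bits) is what the "autorun killer" class of tools does at the policy level; scanning the drive for an autorun.inf like the one above is what they do at the file level.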
![Page 71: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/71.jpg)
- Searching the Internet for virus removal methods
- Recommended virus removal websites
- Demonstration of virus prevention and removal techniques
![Page 72: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/72.jpg)
http://us.trendmicro.com/us/trendwatch/
![Page 73: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/73.jpg)
http://free.antivirus.com/clean-up-tools/
![Page 74: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/74.jpg)
http://housecall.trendmicro.com/index.html
![Page 75: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/75.jpg)
http://free.antivirus.com/clean-up-tools/
![Page 76: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/76.jpg)
http://about-threats.trendmicro.com/
![Page 77: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/77.jpg)
http://about-threats.trendmicro.com/Search.aspx?language=us&p=worm_downad.ad
![Page 78: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/78.jpg)
http://about-threats.trendmicro.com/malware.aspx?language=us&name=WORM_DOWNAD.AD
![Page 79: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/79.jpg)
Sysclean
1. Create a folder for the Sysclean program on the computer
2. Download Sysclean from http://www.trendmicro.com/ftp/products/tsc/sysclean.com into the folder you created
3. Download the Control Pattern file (lptxxx.zip) from http://www.trendmicro.com/download/pattern-cpr.asp (Sysclean scans with whatever pattern file is in its folder, so download the current pattern each time you use it)
![Page 80: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/80.jpg)
Sysclean
• Extract the file into the folder you created
4. Close all open programs (so that files in use are not locked against cleaning) and run Sysclean.com
![Page 81: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/81.jpg)
Sysclean
5. Run Sysclean.com and click Scan
![Page 82: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/82.jpg)
Sysclean
6. Sysclean scans for viruses and spyware
![Page 83: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/83.jpg)
Reporting a virus problem
- Report it to the Office of Information Technology Services
- Contact extension: 5648/5649
- Email: [email protected]
![Page 84: RSU Threat Training](https://reader036.vdocuments.us/reader036/viewer/2022062408/5681378a550346895d9f260e/html5/thumbnails/84.jpg)