Windows Malware: Detection And Removal - PowerPoint PPT Presentation

About This Presentation
Title:

Windows Malware: Detection And Removal


Slides: 26
Provided by: TimRa7

Transcript and Presenter's Notes

2
Windows Malware: Detection And Removal
  • TechBytes
  • Tim Ramsey

3
Computer Security!
  • What is malware?
  • How does malware get on my PC?
  • How do I get rid of malware?
  • Resources

4
What Is Malware?
  • Malicious Software
  • Includes
    • Viruses, worms, Trojan horses
    • Spyware
    • Remote-control software
    • Botnets
    • Rootkits
  • The lines are getting blurry

5
Viruses, Worms, Trojan Horses
  • Viruses: modify executables and documents; we humans do the rest
  • Worms: self-replicating programs
  • Trojan Horses: still fooling us after all these years

6
Spyware
  • Installed with or without your knowledge and consent
    • Do you read the entire EULA?
    • I do (except the French part)
  • Tracks URLs visited, information entered into forms
    • Can even monitor secure (https://) pages

7
Spyware, Cont.
  • Keyboard loggers capture passwords, PINs, account numbers
  • Organized crime loves this stuff

8
Remote-Control Software
  • Windows Remote Assistance
  • VNC, Radmin
  • Netbus, BackOrifice

9
Botnets
  • The single greatest threat facing humanity
  • Quickly becoming a top problem on campus
  • Hordes of infected drone hosts
  • Used for spam relay, DDOS, scanning, infection

10
Botnets, Cont.
  • Spreading via IM, email, compromise
  • Installs remote-control software
  • Connects to central server to announce presence and await commands
  • Allows Botmaster to control 100, 1000, 10000 infected hosts with simple commands
  • Continually evolving

11
Botnets, Cont. 2
  • Network connections are initiated by the drone hosts
  • Uses common protocols: HTTP, IRC, FTP
  • Starting to see stealth techniques employed to hide infection (rootkits), communications (SSL, steganography)
  • Tremendous incentives for Botmasters to grow, maintain, defend their horde
  • You don't want this on your computer
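
The two botnet slides above give a defender something concrete to hunt for: the drone opens the connection itself, it uses ordinary protocols such as IRC, and it keeps checking back with the central server. The script below is an added example written for this transcript, not part of the original deck or any tool it names; it reads a small connection log whose format (timestamp, source, destination, port, protocol) and whose addresses are all constructed for the example, then flags flows that beacon at a nearly constant interval and internal hosts opening IRC connections to the outside.

```python
"""Beacon and IRC-egress detection over a connection log.

Slides 10 and 11 describe the drone side of a botnet: the infected host
opens the connection, talks to a central server over ordinary protocols
(HTTP, IRC, FTP) and checks back in for commands.  Two things a defender
can look for in outbound connection records follow directly from that:
one internal host reaching the same external endpoint at nearly constant
intervals (beaconing), and internal hosts opening IRC connections to the
outside at all.

The log format (timestamp, source, destination, port, protocol) and every
address below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 checks in with 203.0.113.9:6667 about once a
# minute (a little jitter), while 10.0.0.5 browses the web at random times.
SAMPLE_LOG = """\
2006-03-01T09:00:00 10.0.0.7 203.0.113.9 6667 tcp
2006-03-01T09:00:05 10.0.0.5 198.51.100.20 80 tcp
2006-03-01T09:01:01 10.0.0.7 203.0.113.9 6667 tcp
2006-03-01T09:01:41 10.0.0.5 198.51.100.21 80 tcp
2006-03-01T09:01:59 10.0.0.7 203.0.113.9 6667 tcp
2006-03-01T09:02:03 10.0.0.5 198.51.100.20 443 tcp
2006-03-01T09:03:00 10.0.0.7 203.0.113.9 6667 tcp
2006-03-01T09:04:02 10.0.0.7 203.0.113.9 6667 tcp
2006-03-01T09:10:30 10.0.0.5 198.51.100.20 80 tcp
"""

# Well-known IRC server ports; a hit is worth a look but not proof by itself.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, proto)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return records


def find_beacons(records, min_connections=4, max_jitter=0.1):
    """Flows whose gaps between connections are nearly constant.

    Returns {(src, dst, port): mean_gap_seconds}.  Jitter is the population
    standard deviation of the gaps divided by their mean, so a bot that
    sleeps 60 s plus or minus a few seconds still scores under max_jitter
    while a person browsing does not.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg
    return beacons


def find_irc_egress(records, internal_prefix="10."):
    """Internal hosts opening connections to IRC ports on external hosts."""
    return sorted({(src, dst, port) for _, src, dst, port, _ in records
                   if src.startswith(internal_prefix)
                   and not dst.startswith(internal_prefix)
                   and port in IRC_PORTS})


def report(text):
    """Human-readable summary, returned as a list of lines so it can be tested."""
    records = parse_log(text)
    lines = []
    for (src, dst, port), gap in sorted(find_beacons(records).items()):
        lines.append(f"BEACON  {src} -> {dst}:{port} every {gap:.1f}s")
    for src, dst, port in find_irc_egress(records):
        lines.append(f"IRC     {src} -> {dst}:{port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)) or "nothing suspicious")
```

On the sample, only 10.0.0.7 trips both checks. The jitter threshold is the knob that matters: too tight and a bot that randomises its sleep slips through, too loose and a user who refreshes a page every minute gets flagged, so treat a beacon hit as a reason to look at the host rather than as a verdict, and remember that a drone using HTTP on port 80 will only show up through the timing check.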

12
How Does Malware Get On My PC?
  • Compromise
    • Security vulnerabilities
    • Browser vulnerabilities
    • Open file shares
  • Social Engineering
    • People click on the darndest things
  • Packaged with other software

13
How Do I Get Rid Of Malware?
  • Best: don't get infected
    • Antivirus
    • OS and application patches
    • Enable Windows Firewall
    • Healthy paranoia
      • Don't run files that friends or strangers send to you!
      • Don't install random software from the Web
  • Um, yeah. I still got infected. What now?

14
Malware Removal
  • Safest: R/R
    • Reformat / Reinstall is necessary if the infection contains a remote-control component
    • No telling what has been installed or changed
  • SIRT policy
    • A botnet infection means R/R is mandatory
  • Otherwise, try to identify the infection

15
Identifying The Infection
  • Anti-Virus software scan
  • Anti-Spyware scan
    • Spybot Search & Destroy
    • Microsoft Windows AntiSpyware (Beta)
    • AdAware
  • Other, more specialized, tools

16
Removing The Infection
  • Are you sure you wouldn't rather R/R?
  • If you've identified the infection, look for a removal tool
    • Symantec, McAfee, other AV vendors
    • Google search (but be careful)
  • When in doubt, reformat and reinstall

17
A Note About Reformat / Reinstall
  • Back up your data first
  • Practically every OS is vulnerable to network compromise during installation
    • Unplug the computer from the network
    • Install OS, service packs, patches from CD
    • Enable Windows Firewall
    • Install SAV from CD
    • Set administrator password
    • Then plug back in

18
Rootkits: Making Life Harder
  • Pre-packaged software to hide malware
    • Freely obtainable (rootkit.org)
    • There are even commercial packages!
  • Insert hooks into system, kernel
    • Trap program calls to list directory contents, running processes, registry entries
    • Filter out what the bad guys don't want you to see

19
Detecting Rootkits
  • Look for the hooks
  • Look for known file names, processes
  • Look for what's being hidden
  • Difficult to do, getting more difficult
    • Tools exist to do this, but most don't detect everything
  • Hot topic of research for both sides
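
Slides 18 and 19 together describe both halves of the rootkit problem: a hook that filters enumeration results, and a detector that looks for what is being hidden by comparing two views of the same listing. The code below is an added example written for this transcript, not code from the deck or from any of the tools it lists; the hooked API is modelled as a Python function that filters a list, the process, file and registry entries are constructed, the `_rk_` hiding prefix is an assumption about the modelled rootkit, and `KNOWN_BAD` is a constructed watch list rather than a real signature set. Comparing an API-level listing with a lower-level scan is the same cross-view idea the RootkitRevealer link on the resources slide refers to.

```python
"""Cross-view rootkit detection, modelled in Python.

Slide 18: a rootkit hooks the calls that enumerate files, processes and
registry keys and filters out the entries it wants hidden.  Slide 19: one
way to catch that is to look for what is being hidden, by taking the same
listing through two paths, the hooked high-level API and a low-level
source the hook does not cover, and diffing them.

Everything here is a model: the hooked view is a Python function that
filters a list, the entries are constructed, HIDE_PREFIX is an assumed
naming convention for the modelled rootkit, and KNOWN_BAD is a constructed
watch list rather than a real signature set.
"""
from dataclasses import dataclass

HIDE_PREFIX = "_rk_"   # assumed: the modelled rootkit hides anything so named

# Constructed watch list for the "look for known file names, processes" check.
KNOWN_BAD = {"process": {"rkloader.exe"}, "file": set(), "registry": set()}


@dataclass(frozen=True)
class Finding:
    kind: str      # "process", "file" or "registry"
    name: str
    reason: str


def leaf(name):
    """Last path component: 'C:\\x\\y.sys' -> 'y.sys', 'HKLM\\...\\Run\\z' -> 'z'."""
    return name.rsplit("\\", 1)[-1]


def hooked_view(raw_entries):
    """Model of a hooked enumeration API: entries whose leaf name starts with
    HIDE_PREFIX are dropped before the caller ever sees them."""
    return [e for e in raw_entries if not leaf(e).startswith(HIDE_PREFIX)]


def cross_view_diff(api_entries, raw_entries):
    """Entries the low-level view has but the API view lacks.

    A file created or deleted between the two scans shows up here as well,
    so a real tool rescans before treating one discrepancy as a rootkit.
    """
    return sorted(set(raw_entries) - set(api_entries))


def api_only(api_entries, raw_entries):
    """Entries only the API reports: usually a scan-timing race, occasionally
    a hook that fabricates output.  Reported, not treated as hidden."""
    return sorted(set(api_entries) - set(raw_entries))


def scan(views, known_bad=KNOWN_BAD):
    """views: {kind: (api_entries, raw_entries)} -> list of Finding."""
    findings = []
    for kind, (api_entries, raw_entries) in views.items():
        for name in cross_view_diff(api_entries, raw_entries):
            findings.append(Finding(kind, name, "hidden from API view"))
        for name in api_only(api_entries, raw_entries):
            findings.append(Finding(kind, name, "reported by API only"))
        for name in sorted(set(api_entries) | set(raw_entries)):
            if leaf(name).lower() in known_bad.get(kind, set()):
                findings.append(Finding(kind, name, "known rootkit artefact name"))
    return findings


def build_sample_views():
    """Constructed 'raw' listings, each paired with what the hooked API shows."""
    raw = {
        "process": ["System", "explorer.exe", "svchost.exe",
                    "rkloader.exe", "_rk_drone.exe"],
        "file": [r"C:\WINDOWS\system32\kernel32.dll",
                 r"C:\WINDOWS\system32\_rk_hook.sys"],
        "registry": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SAV",
                     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_rk_drone"],
    }
    return {kind: (hooked_view(entries), entries) for kind, entries in raw.items()}


if __name__ == "__main__":
    for f in scan(build_sample_views()):
        print(f"{f.kind:9} {f.reason:28} {f.name}")
```

The model makes the limits on slide 19 visible too: the diff only finds entries the low-level view can still see, so a rootkit that also hooks the raw source (or hides in a place neither view enumerates) is invisible to it, which is why no single tool detects everything and why the name-based check is kept as a second, independent signal.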

20
Removing Rootkits
  • Are you sure you wouldn't rather R/R?
  • Removal tools exist for most rootkits
  • Deep magic, requiring wizardry and time

21
Resources
  • K-State provided antivirus software
    • http://antivirus.ksu.edu/nav/
  • Spybot Search & Destroy
    • http://www.safer-networking.org/
  • Microsoft Windows AntiSpyware (Beta)
    • http://www.microsoft.com/athome/security/spyware/software/

22
Resources, Cont.
  • Rootkit Detection
    • http://www.f-secure.com/blacklight/
    • http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
  • K-State configuration for XP Firewall
    • http://knowledgebase.itac.ksu.edu/art.asp?id=274
  • SANS Top 20
    • http://www.sans.org/top20/

23
Questions?
24
Thanks For Coming!
  • (I hope today wasn't too taxing)

25
This Slide Intentionally Left Blank