Malware Management: Viruses, Worms, Trojans, Spyware, Adware - PowerPoint PPT Presentation

Slides: 26
Provided by: rade6

Transcript and Presenter's Notes



1
Malware Management: Viruses, Worms, Trojans,
Spyware, Adware: the increasing role that
Content Filtering plays in Malware Management
  • John Thurlow
  • Partner Strategy Consultant
  • Microsoft Jamaica
  • Roberto Adelardi
  • Regional Technology Officer
  • Microsoft Caribbean and Central America

2
Agenda
  • Definitions and examples
  • Current Risks
  • Content Filtering
  • Recommendations
  • Microsoft's Approach

3
Definitions
  • Malware (for "malicious software") is programming
    or files that are developed for the purpose of
    doing harm. Thus, malware includes computer
    viruses, worms, and Trojan horses.
  • Trojan horse is a program in which malicious or
    harmful code is contained inside apparently
    harmless programming or data in such a way that
    it can get control and do its chosen form of
    damage

4
Definitions
  • Spyware is any technology that aids in gathering
    information about a person or organization
    without their knowledge.
  • Adware is any software application in which
    advertising banners are displayed while the
    program is running.

5
Current Situation
[Figure: timeline] Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site
Figure labels: "Most attacks occur here"; "Why does this gap exist?"
6
Exploit Timeline
Why does this gap exist?
Days between patch and attack
  • Days From Patch to Attack
  • The average is now nine days for a patch to be
    reverse-engineered
  • As this cycle keeps getting shorter, patching is
    a less effective defense in large organizations

7
The Forensics of a Virus
  • July 1: Vulnerability reported to us / Patch in progress
  • July 16: Bulletin and patch available, no exploit
  • July 25: Exploit code in public
  • Aug 11: Worm in the world

  • Report
    • Vulnerability in RPC/DCOM reported
    • MS activated highest level emergency response
      process
  • Bulletin
    • MS03-026 delivered to customers (7/16/03)
    • Continued outreach to analysts, press, community,
      partners, government agencies
  • Exploit
    • X-focus (Chinese group) published exploit tool
    • MS heightened efforts to get information to
      customers
  • Worm
    • Blaster worm discovered; variants and other
      viruses hit simultaneously (i.e. SoBig)

Blaster shows the complex interplay between
security researchers, software companies, and
hackers
8
Improve the Patching Experience: Patch Enhancements
Your Need
Our Response
9
Delivering Safety Technologies
  • Windows XP SP2
    • Improved firewall
    • Safer email and web browsing
    • Enhanced memory protection
    • Beta already released, RTM based on customer
      feedback (H1-04)
  • Windows Server 2003 SP1
    • Role-based security configuration
    • Remote access client inspection, currently only
      for VPN
    • Local inspection on connection
    • RTM H2 CY04

10
Continue Improving Quality: Making Progress
23 Products In the TwC Release Process
  • .NET Framework (for 2002 and 2003)
  • ASP.NET (for 2002 and 2003)
  • Biztalk Server 2002 SP1
  • Commerce Server 2000 SP4
  • Commerce Server 2002 SP1
  • Content Management Server 2002
  • Exchange Server 2003
  • Host Integration Server 2002
  • Identity Integration Server 2003
  • Live Communications Server 2003
  • MapPoint.NET
  • Office 2003
  • Rights Mgmt Client Server 1.0
  • Services For Unix 3.0
  • SQL Server 2000 SP3
  • Visual Studio .NET 2002
  • Visual Studio .NET 2003
  • Virtual PC
  • Virtual Server
  • Windows CE (Magneto)
  • Windows Server 2003
  • Windows Server 2003 ADAM

11
Improving Patching Experience: Security Bulletin
Severity Rating System
  • Free Security Bulletin Subscription Service
  • http://www.microsoft.com/technet/security/bulletin/notify.asp

Revised November 2002. More information at
http://www.microsoft.com/technet/security/policy/rating.asp
12
Safety technology for clients: Network Protection
What it is: Windows XP Internet Connection Firewall
What it does: Helps stop network-based attacks, like Blaster,
by closing unnecessary ports
Key Features:
  • Protection turned on by default
  • Improved interface makes it easier to configure
  • Improved application compatibility
  • Enhanced enterprise administration through Group
    Policy

14
Safety technology for clients: Safer E-mail
and Instant Messaging
What it is: Improved protection against malicious e-mail
attachments and IM file transfers
What it does: Helps stop viruses that spread through e-mail and
IM, like SoBig.F
Key Features:
  • More secure default settings
  • Improved attachment blocking for Outlook Express
    and IM
  • Increased Outlook Express security and reliability

16
Safety technology for clients: Safer Web Browsing
What it is: Safer browsing using Internet Explorer
What it does: Improved protection against malicious content on
the Web
Key Features:
  • Better protection against harmful Web downloads
  • Better user controls to prevent malicious ActiveX
    controls and Spyware
  • Reduced potential for IE buffer overruns

19
Safety technology for clients: Memory Protection
What it is: Reduction of potential buffer overruns
What it does: Helps prevent the execution of malicious code in
memory normally reserved for data
Key Features:
  • Improved compiler checks (/GS) to reduce stack
    overruns
  • Improved heap overrun protection
  • Leverages new processor innovations (NX) to
    prevent stack and heap overruns

20
Client Attack Vectors
Malicious Web content
Malicious e-mail attachments
Buffer overrun attacks
Port-based attacks
21
Enterprise Attack Vectors
Potentially infected remote client
Potentially infected local client
23
Security Guidance for IT Pros
  • Focused on operating a secure environment
  • Patterns & practices for defense in depth
  • Enterprise security checklist: the single place
    for authoritative security guidance
  • Available Now
    • 17 prescriptive books
    • How Microsoft secures Microsoft
    • Tools and scripts to automate common tasks

24
Perform a Security Audit
Build a Security Plan
Activate Patch Management Strategy
Upgrade laptops and remote systems to Windows XP
Standardize edge Windows Server 2003
25
Resources
  • Security: http://microsoft.com/security
  • Microsoft Support Lifecycle: http://support.microsoft.com/default.aspx?prlifecycle
  • Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.asp
  • Free Security Bulletin Subscription Service: http://www.microsoft.com/technet/security/policy/rating.asp
  • Next Generation Secure Computing Base: http://www.microsoft.com/resources/ngscb/default.mspx
  • Trustworthy Computing (TwC): http://www.microsoft.com/mscorp/innovation/twc/
  • Longhorn: http://www.microsoft.com/windows/longhorn/default.mspx
  • Common Criteria: http://www.commoncriteria.org/