Tim Fredrick March 2010 NCAR/ACD/NESL Computing The Mebroot/Torpig threat UCAR Malware incidents


Tim Fredrick, March 2010

NCAR/ACD/NESL Computing

The Mebroot/Torpig threat

UCAR Malware incidents

Malware Presentation 2010

What we’re up against

Infections in ACD
• Attempted compromise of a Linux machine visiting a newspaper site
• Successful compromise of two Windows XP machines and one Vista machine
• Multiple infections of UCAR systems – all Windows PCs
• One UCAR system re-infected after it was reformatted/reinstalled
• All were variants of TORPIG – all detected by monitoring network activity

Cost of Infections
• TIME: Security staff, System Administrators, End-user
• Systems must be reformatted/reinstalled (in ACD we’ve used new disks)
• Each system must remain down for forensics for approx. 1 week
• In one case, a staff member complained that personal information was removed from his/her control

What is infecting us…
• TORPIG/MEBROOT
• MEBROOT is a “root kit” (aka Sinowal or Anserin)
• TORPIG is a keystroke logger

What does TORPIG do?
• Scans for credentials
• Keystroke logging – sends to evasive but known collection sites
• Knows about hundreds of banking sites; captures credentials
• RSA researchers estimate TORPIG has stolen more than 300,000 bank accounts
• Motivation: Financial
• A problem among personal computers as well as corporate networks


How does TORPIG get in?

“Malware community” buys ads – they look legitimate when viewed by Google, but inject scripts when viewed by other browsers

Drive-by download

• Uses scripting (JavaScript, Flash)
• Intelligence built into the script
  • Looks legitimate except for the “target” audience
  • Avoids certain environments (Linux, MacOS)
• Must find a vulnerable application
  • Looks for dozens of vulnerabilities
  • Browsers
  • Java plugins
  • Media players (video, audio)
  • Adobe PDF applications
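The cloaking pattern described on these slides (an ad that looks benign to Google’s crawler but carries injected scripts for an ordinary browser) can be checked from the defender’s side by fetching the same ad URL under two different User-Agents and diffing the active content in the two responses. The script below is an added example, not part of the presentation; the two HTML bodies are constructed inline, and every host name in them is a placeholder.

```python
"""Spot active content that is served to a browser but not to a crawler.

Added example (not from the presentation). Assumed workflow: the same ad/page URL
was fetched twice, once with a crawler-style User-Agent and once with a desktop
browser User-Agent; the two bodies are compared. Both bodies here are constructed
so the check runs offline; the hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a crawler might receive (static, benign-looking ad).
CRAWLER_VIEW = """
<html><body>
<div class="ad"><a href="https://ads.example-network.test/offer">Great offer</a>
<img src="https://ads.example-network.test/banner.png"></div>
<script src="https://www.google-analytics.com/ga.js"></script>
</body></html>
"""

# Constructed sample: what a normal browser might receive (extra injected loader).
BROWSER_VIEW = """
<html><body>
<div class="ad"><a href="https://ads.example-network.test/offer">Great offer</a>
<img src="https://ads.example-network.test/banner.png"></div>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="https://cdn.injected-example.test/loader.js"></script>
<iframe src="https://cdn.injected-example.test/frame.html" width="0" height="0"></iframe>
</body></html>
"""


class ActiveContentCollector(HTMLParser):
    """Collect external script, iframe, embed and object sources from an HTML body."""

    ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        attr = self.ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.sources.add(value)


def active_sources(html):
    """Return the set of external active-content URLs referenced by the page."""
    parser = ActiveContentCollector()
    parser.feed(html)
    return parser.sources


def cloaked_sources(crawler_html, browser_html):
    """Active-content URLs the browser received but the crawler did not.

    A non-empty result means the ad behaves differently depending on who is
    looking, which is the pattern the slides describe and is worth a closer look."""
    return sorted(active_sources(browser_html) - active_sources(crawler_html))


def cloaked_hosts(crawler_html, browser_html):
    """Same check reduced to distinct hosts (the form you would feed a blocklist)."""
    return sorted({urlparse(u).netloc for u in cloaked_sources(crawler_html, browser_html)})


if __name__ == "__main__":
    for host in cloaked_hosts(CRAWLER_VIEW, BROWSER_VIEW):
        print("active content seen only by the browser:", host)
```

Run against two real fetches, the same diff tells you which hosts to review and, if they are ad-network loaders you did not expect, which ones to block at the proxy or in NoScript.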

The Mebroot “root kit”

• The vulnerability is exploited and a “rootkit” is injected
• What is a rootkit?
  • Software to give an intruder access to a machine
  • The software defends itself
    • against detection
    • against removal

The Mebroot “root kit”

What is the Master Boot Record?
• A machine’s BIOS passes control to the MBR at boot time
• 512 bytes of code
• Holds the partition table
• Bootstraps the OS

The Mebroot “root kit”

What does Mebroot do?
• Replaces the MBR
• Intercepts network and disk I/O
• Mebroot passes the original MBR to the OS for any disk I/O
  • Making it invisible to all programs, including antivirus
• “Hides” Torpig in the same way – hides hooks into the OS
• Code is evolving: much more evasive than it used to be
• Mebroot can be used to “hide” future malware
• Symantec Antivirus may detect the hooks – it cannot detect Mebroot
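To make the two MBR slides concrete, here is an added example (not from the presentation) that parses a 512-byte MBR using the classic layout, 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature, and compares it against a trusted baseline copy. The sample MBRs are constructed, not captured from an infected machine. The comparison reports a changed boot-code hash separately from a changed partition table, because a boot-sector rootkit that wants the system to keep booting must leave the partition table alone.

```python
"""Parse a 512-byte Master Boot Record and compare it against a known-good copy.

Added example, not from the presentation. Layout: 446 bytes of boot code, four
16-byte partition entries, 2-byte 0x55AA signature. The sample MBRs below are
constructed for the example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_byte, partitions):
    """Construct an MBR: filler boot code plus the given (status, type, lba, count) entries."""
    code = bytes([boot_code_byte]) * BOOT_CODE_SIZE
    table = b""
    for status, ptype, start_lba, sectors in partitions:
        # CHS fields are left zeroed; modern loaders use the LBA fields.
        table += struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)
    table += b"\0" * (4 * PARTITION_ENTRY_SIZE - len(table))
    return code + table + BOOT_SIGNATURE


# Constructed sample partitions: a bootable NTFS-type entry and a Linux-type entry.
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 1_000_000), (0x00, 0x83, 1_000_063, 500_000)]
CLEAN_MBR = build_sample_mbr(0x90, SAMPLE_PARTITIONS)     # "known good" baseline
TAMPERED_MBR = build_sample_mbr(0xCC, SAMPLE_PARTITIONS)  # boot code swapped, table intact


def parse_mbr(data):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        status, _chs0, ptype, _chs1, start, count = struct.unpack(
            ENTRY_FORMAT, data[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(current, baseline):
    """Report what differs between the current MBR and a trusted baseline.

    A changed boot-code hash with an unchanged partition table is the pattern to
    look for. The baseline must come from an offline read (boot media, disk pulled
    for forensics): a read through the running OS can be answered with the
    original MBR by the rootkit itself, as the slide describes."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
    }


if __name__ == "__main__":
    print(compare_to_baseline(TAMPERED_MBR, CLEAN_MBR))
```

Reading the real first sector requires raw device access and is done offline during the forensic week mentioned earlier; the parser and comparison are the same once you have the 512 bytes.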

Our best defense: block scripts

(Diagram repeated from the drive-by slide: the “malware community” buys ads that look legitimate when viewed by Google, but inject scripts when viewed by other browsers. The defense is applied at the HTML content stage: stop scripting, Java and media, including Flash.)

Blocking scripts: NoScript

• NoScript is a browser plugin for Firefox

• Blocks by default:
  • JavaScript
  • Java
  • Flash
  • Silverlight
  • Some other plugins
• Whitelist
  • Allows you to select scripts to run for a session, or always allow
• Sites may also be blacklisted with NoScript

NoScript: All good things have a cost

“My web page looks different!”

NoScript: Decisions…

9news.com scripts:
• google-analytics
• coloradonewshome
• revsci.net
• brightcove
• gannett-tv.com
• others…

Callouts on the slide: statistic gathering (google-analytics), advertising (potential malware), and a multimedia provider (brightcove).

Rules of thumb

Allow a minimum of what will make a site useful to you

Sites without marketing can be trusted more (UCAR, NASA, Paymentnet, etc.)

Don’t allow advertising:
• Prevents drive-by downloads
• Speeds up web page loading
• Google Analytics and Google AdSense may always be blocked by NoScript

Feel free to delete cookies
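The NoScript slides and the rules of thumb above amount to a small policy: deny by default, permanently allow only what a site needs, allow a multimedia provider for one session if you must, and never allow advertising or analytics. The script below is an added example that models those decisions; it is not the NoScript add-on’s own code. The host categories are an assumption made for the example (keyed by registrable domain), the host names come from the 9news.com slide, and the full script URLs are constructed.

```python
"""Default-deny script policy in the spirit of the NoScript slides.

Added example, not NoScript's own code. Models the presentation's rules of thumb:
block by default, whitelist the minimum, allow a multimedia provider per session
if needed, and never allow advertising or analytics hosts.
"""
from urllib.parse import urlparse

# Assumed categorisation of the third-party hosts named on the 9news.com slide.
HOST_CATEGORY = {
    "google-analytics.com": "analytics",
    "revsci.net": "advertising",
    "brightcove.com": "multimedia",
    "gannett-tv.com": "multimedia",
    "coloradonewshome.com": "content",
}

SAMPLE_PAGE = "http://www.9news.com/"
# Constructed script URLs; only the host names come from the slide.
SAMPLE_SCRIPTS = [
    "http://www.9news.com/js/site.js",
    "http://www.google-analytics.com/ga.js",
    "http://js.revsci.net/ads.js",
    "http://c.brightcove.com/player.js",
    "http://ads.unknown-network.test/tag.js",
]


def registrable(host):
    """Reduce www.example.com to example.com so a rule covers the whole site.
    Simple last-two-labels heuristic (an assumption, not a public-suffix lookup)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ScriptPolicy:
    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = {registrable(h) for h in whitelist}   # always allow
        self.blacklist = {registrable(h) for h in blacklist}   # never allow
        self.session_allow = set()                             # cleared at session end

    def allow_for_session(self, host):
        self.session_allow.add(registrable(host))

    def end_session(self):
        self.session_allow.clear()

    def decide(self, page_url, script_url):
        """Return (decision, reason) for one script loaded by the given page."""
        page = registrable(urlparse(page_url).netloc)
        host = registrable(urlparse(script_url).netloc)
        if host in self.blacklist:
            return ("block", "blacklisted")
        category = HOST_CATEGORY.get(host, "first-party" if host == page else "unknown")
        # Rule of thumb: advertising and analytics stay blocked even if whitelisted.
        if category in ("advertising", "analytics"):
            return ("block", category)
        if host in self.whitelist:
            return ("allow", "whitelisted")
        if host in self.session_allow:
            return ("allow", "session")
        return ("block", "default-deny")


def decide_all(policy, page_url, script_urls):
    """Apply the policy to every script a page wants to load."""
    return {url: policy.decide(page_url, url) for url in script_urls}


if __name__ == "__main__":
    policy = ScriptPolicy(whitelist=["9news.com"])
    policy.allow_for_session("c.brightcove.com")  # the video player, this session only
    for url, (decision, reason) in decide_all(policy, SAMPLE_PAGE, SAMPLE_SCRIPTS).items():
        print(f"{decision:5} {reason:13} {url}")
```

The order of the checks is the point: blacklist first, then the advertising/analytics rule, then the whitelist and session allowances, and default-deny for everything else, so a site you trust can still not pull in an ad network through your whitelist.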

Online banking

• Online banking is the specific target of TORPIG
• Over 300,000 known credential thefts related to banking
• Even small banks are being targeted

Online banking: Recommendations

• USE a dedicated SEPARATE BROWSER for online banking
  • Better yet, a separate computer that does no other browsing
  • Virtual machines might work

• Use only one machine from one IP address for banking. Makes it easier to investigate incidents involving banking fraud.

• Use strong passwords

• Convince your bank to use a one-time password token

PC/Windows recommendations

• Plan so your work may continue in the event of a compromise
  • Be ready to use a secondary machine or laptop
• Reduce your risk
  • Keep applications updated
  • Install and use the Secunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/
  • Be wary of fake antivirus or other popups
• Report anything unusual
  • We’ll do our best to protect your privacy, but need information to help investigate virus incidents

Mac/Linux recommendations

• MBR malware can just as easily compromise Linux
• Macs use the Extensible Firmware Interface (EFI) to boot – less vulnerable
• Currently TORPIG detects Mac or Linux and doesn’t allow itself to download software to exploit vulnerable applications
• Situation may change:
  • Adobe and Java vulnerabilities affect Mac and Linux versions as well
  • A growing Macintosh market may make it worth exploiting

Mebroot/TORPIG are only our current threat…

[Bar chart: “Top 10 Malware Dec 2009” (Oregon Top 10), detections per family on a 0 to 45 scale; bar values 39, 26, 21, 17, 17, 13, 12, 7, 6 and 5. Family labels did not survive extraction.]

Callouts on the chart:
• Torpig & Conficker have low detect rates because of new stealth technology like Mebroot
• Social networking virus – we see this often at NCAR

Demonstrations

• NoScript plugin

• Secunia Software Inspector (if there’s time)

Tim Fredrick, March 2010

March 17, 2010