DOCSLIB.ORG

Microsoft Security Intelligence Report Volume 7 January Through June 2009

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Microsoft Security Intelligence Report Volume 7 January Through June 2009 Microsoft Security Intelligence Report Volume 7 January through June 2009 Microsoft Security Intelligence Report Microsoft Security Intelligence Report The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATU- TORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (elec- tronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copy- rights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2009 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, ActiveX, AppLocker, Bing, the Bing logo, BitLocker, Excel, Forefront, Hotmail, Internet Explorer, OneCare, Outlook, PowerPoint, the Security Shield logo, SmartScreen, SQL Server, Visual Basic, Visual Studio, Windows, the Windows Logo, Windows Live, Windows Media, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other coun- tries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2 January through June 2009 Authors Richard Boscovich Tony Lee Paul Pottorff Microsoft Internet Safety and Enforcement Team Microsoft Malware Protection Center Windows Consumer Product Management T J Campana Ziv Mador Sterling Reasor Microsoft Internet Safety and Enforcement Team Microsoft Malware Protection Center Microsoft Malware Protection Center Darren Canavor Ritesh Mordani Christian Seifert Microsoft Security Engineering Center Microsoft Forefront Online Protection for Bing Bruce Dang Exchange Adam Shostack Microsoft Security Engineering Center Bala Neerumalla Microsoft Security Engineering Center Joe Faulhaber Microsoft Secure SQL Initiative Team George Stathakopoulos Microsoft Malware Protection Center Jonathan Ness Microsoft Security Response Center Vinny Gullotto Microsoft Security Engineering Center Adrian Stone Microsoft Malware Protection Center Hamish O’Dea Microsoft Security Response Center Yuhui Huang Microsoft Malware Protection Center Scott Wu Microsoft Malware Protection Center Sasi Parthasarathy Microsoft Malware Protection Center Jeff Jones Bing Terry Zink Microsoft Trustworthy Computing Anthony Penta Microsoft Forefront Online Protection John Lambert Microsoft Windows Safety Platform for Exchange Microsoft Security Engineering Center Contributors Fred Aaron Kathy Lambert Mike Reavey Microsoft Security Engineering Center Microsoft Legal and Corporate Affairs Microsoft Security Response Center Charles Anthe Jimin Li Marc Seinfeld Online Management Platform & Solutions Online Management Platform & Solutions Microsoft Malware Protection Center Kai Axford Ken Malcolmson Jinwook Shin Microsoft Trustworthy Computing Microsoft Trustworthy Computing Microsoft Security Engineering Center Doug Cavit Scott Molenkamp Sam Salhi Microsoft Trustworthy Computing Microsoft Malware Protection Center Microsoft Windows Safety Platform Nicola Cowie Patrick Nolan Matt Thomlinson Microsoft Security Engineering Center Microsoft Malware Protection Center Microsoft Security Engineering Center Dave Forstrom Price Oden Alan Wallace Microsoft Trustworthy Computing Microsoft IT Information Security Microsoft Trustworthy Computing Heather Goudey Ina Ragragio Jeff Williams Microsoft Malware Protection Center Microsoft Malware Protection Center Microsoft Malware Protection Center Michael Grady Tim Rains Microsoft Trustworthy Computing Microsoft Trustworthy Computing Roger Grimes Microsoft IT Information Security External Contributors Satomi Hayakawa Japan Security Response Team Andre DiMino Hideaki Kobayashi Sue Hotelling Shadowserver Foundation Information-Technology Promotion Agency, Japan Microsoft Internet Safety and Enforcement Team Paul Henry Toshiaki Kokado Aaron Hulett Technical Writer Information-Technology Promotion Agency, Japan Microsoft Malware Protection Center Hans-Peter Jedlicka Erka Koivunen Japan Security Response Team Federal Office for Information Safety, Germany Computer Emergency Response Team Microsoft Japan Leon Aaron Kaplan Communications Regulatory Authority, Finland Jeannette Jarvis National Computer Emergency Response Team Richard Perlotto Microsoft Customer Support Services of Austria Shadowserver Foundation Jimmy Kuo Huopio Kauto Torsten Voss Microsoft Malware Protection Center Computer Emergency Response Team DFN-CERT, Germany Communications Regulatory Authority, Finland 3 Microsoft Security Intelligence Report Table of Contents Authors, Contributors, External Contributors . 3 About This Report 7 Scope . 7 Reporting Period . 7 Conventions . 7 Data Sources . 7 Key Findings 8 Executive Foreword 15 Trustworthy Computing: Security Engineering at Microsoft Melissa Plus 10: Keeping People Safe in the Age of Malware 18 Ten Years of Malware and Security Threats, 1999–2009 . 18 Computer Security Today: Working Together to Close the Gap . 23 Case Study: The Conficker Working Group . 29 Strategies, Mitigations, and Countermeasures 33 Microsoft Malware Protection Center Malware and Potentially Unwanted Software Trends 36 Threat Naming Conventions . 36 Infection Rates and CCM . 37 Geographic Trends. 38 Best Practices Around the World . 44 Category Trends . 48 Operating System Trends . 50 Malware and Potentially Unwanted Software Families. 53 User Reaction to Alerts . 54 Trends in Sample Proliferation. 58 Threats at Home and in the Enterprise . 61 Malware and Signed Code . 64 Threat Combinations . 67 E-Mail Threats 72 Spam Trends and Statistics . 72 Geographic Origins of Spam Messages . 74 Reputation Hijacking . 76 Malware in E-Mail . 77 A Defense-in-Depth Strategy for E-Mail . 81 Malicious Web Sites 82 Analysis of Phishing Sites . 82 Analysis of Malware Hosts . 87 “Malvertising”: An Emerging Industry Threat . 92 4 January through June 2009 Top Malware and Spam Stories of 1H09 95 Win32/Conficker Update . 95 What Happened on April 1? . 99 Rogue Security Software Still a Significant Threat . 100 Automated SQL Injection Attacks . 102 Win32/Koobface Attacks Social Networks. 103 The Win32/Waledac Botnet and Spam . 104 Rogue ISP 3FN Taken Down . 106 Prolific Spammer Alan Ralsky Pleads Guilty . 107 Strategies, Mitigations, and Countermeasures 108 Microsoft Security Engineering Center Exploit Trends 112 Top Browser-Based Exploits . 113 Analysis of Drive-By Download Pages . 118 Document File Format Exploits . 126 Security Breach Trends 133 Social Security Numbers and Confidentiality. 136 Guidance for Organizations: Protecting Against a Data Breach . 138 Strategies, Mitigations, and Countermeasures 139 Microsoft Security Response Center Industry-Wide Vulnerability Disclosures 142 Vulnerability Disclosures . 142 Vulnerability Disclosure Date vs. Publication Date . 143 Vulnerability Severity . 144 Vulnerability Complexity . 146 Operating System and Browser Vulnerabilities . 148 Vulnerability Reports for Microsoft Products 150 Responsible Disclosures . 151 Microsoft Security Bulletins in 1H09 . 153 More Vendors Adopting Scheduled Release Strategies. 155 Exploitability Index . 155 Usage Trends for Windows Update and Microsoft Update 161 Update Clients and Services . 161 The Role of Automatic Updating . 163 Regional Variations in Update Service Usage . 164 Strategies, Mitigations, and Countermeasures 166 5 Microsoft Security Intelligence Report Afterword Call to Action: End to End Trust 168 MMPC Executive Afterword 169 Appendixes Appendix A: Full Geographic Data 172 Appendix B: Threat Assessments for Individual Locations 181 Australia . 181 Brazil . 184 China . 187 France . 190 Germany . 193 Gulf Cooperation Council States (Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and United Arab Emirates) . 196 Japan . 199 Korea . 202 Malaysia . 205 Norway . 208 Russia . 211 South Africa . 214 United Kingdom . 217 United States . 220 Appendix C: Data Sources 223 Microsoft Products and Services . 223 Software Vulnerability and Breach Data . 225 Appendix D: Microsoft Security Bulletins in 1H09 227 Glossary 229 6 January through June 2009 About This Report Scope The Microsoft Security Intelligence Report (SIR) is published twice per year. These reports focus on data and trends observed in the first and second halves of each calendar year. Past reports and related resources are available for download at http://www.microsoft.com/sir. We continue to focus on malware data, software vulnerability disclosure data, vulnerability exploit data, and related trends in this seventh installment of the Security Intelligence Report. We hope that readers find the data, insights, and guidance provided
Load more

Recommended publications
  • Symantec Report on Rogue Security Software July 08 – June 09
    REPORT: SYMANTEC ENTERPRISE SECURITY SYMANTEC REPORT: Symantec Report on Rogue Security Software July 08 – June 09 Published October 2009 Confidence in a connected world. White Paper: Symantec Enterprise Security Symantec Report on Rogue Security Software July 08 – June 09 Contents Introduction . 1 Overview of Rogue Security Software. 2 Risks . 4 Advertising methods . 7 Installation techniques . 9 Legal actions and noteworthy scam convictions . 14 Prevalence of Rogue Security Software . 17 Top reported rogue security software. 17 Additional noteworthy rogue security software samples . 25 Top rogue security software by region . 28 Top rogue security software installation methods . 29 Top rogue security software advertising methods . 30 Analysis of Rogue Security Software Distribution . 32 Analysis of Rogue Security Software Servers . 36 Appendix A: Protection and Mitigation. 45 Appendix B: Methodologies. 48 Credits . 50 Symantec Report on Rogue Security Software July 08 – June 09 Introduction The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs. This includes an overview of how these programs work and how they affect users, including their risk implications, various distribution methods, and innovative attack vectors. It includes a brief discussion of some of the more noteworthy scams, as well as an analysis of the prevalence of rogue security software globally. It also includes a discussion on a number of servers that Symantec observed hosting these misleading applications. Except where otherwise noted, the period of observation for this report was from July 1, 2008, to June 30, 2009. Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network.
    [Show full text]
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics
    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
    [Show full text]
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • Rootkit- Rootkits.For.Dummies 2007.Pdf
    01_917106 ffirs.qxp 12/21/06 12:04 AM Page i Rootkits FOR DUMmIES‰ 01_917106 ffirs.qxp 12/21/06 12:04 AM Page ii 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iii Rootkits FOR DUMmIES‰ by Larry Stevenson and Nancy Altholz 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iv Rootkits For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit- ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • PC Anti-Virus Protection 2011
    PC Anti-Virus Protection 2011 12 POPULAR ANTI-VIRUS PROGRAMS COMPARED FOR EFFECTIVENESS Dennis Technology Labs, 03/08/2010 www.DennisTechnologyLabs.com This test aims to compare the effectiveness of the most recent releases of popular anti-virus software1. The products include those from Kaspersky, McAfee, Microsoft, Norton (Symantec) and Trend Micro, as well as free versions from Avast, AVG and Avira. Other products include those from BitDefender, ESET, G-Data and K7. The tests were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of the software available. A total of 12 products were exposed to genuine internet threats that real customers could have encountered during the test period. Crucially, this exposure was carried out in a realistic way, reflecting a customer’s experience as closely as possible. For example, each test system visited real, infected websites that significant numbers of internet users were encountering at the time of the test. These results reflect what would have happened if those users were using one of the seven products tested. EXECUTIVE SUMMARY Q Products that block attacks early tended to protect the system more fully The nature of web-based attacks means that the longer malware has access to a system, the more chances it has of downloading and installing further threats. Products that blocked the malicious and infected websites from the start reduced the risk of compromise by secondary and further downloads. Q 100 per cent protection is rare This test recorded an average protection rate of 87.5 per cent. New threats appear online frequently and it is inevitable that there will be times when specific security products are unable to protect from some of these threats.
    [Show full text]
  • Large-Scale Malware Experiments
    LARGE-SCALE MALWARE EXPERIMENTS ... CALVET ET AL. LARGE-SCALE MALWARE • Unlike with in-the-wild experiments [1], there are fewer ethical or legal issues to deal with than when performing EXPERIMENTS: WHY, HOW, AND arbitrary attacks against infected computers. SO WHAT? • Having an in vitro environment provides us with a way to Joan Calvet, Jose M. Fernandez conduct computer security research in a scientifi c way: we École Polytechnique de Montréal, Montréal, Canada can reproduce experiments and test the effect of various independent variables. Email {joan.calvet, jose.fernandez}@polymtl.ca We decided to use the Waledac botnet as a fi rst experiment for the following reasons: Pierre-Marc Bureau ESET, Montréal, Canada • Thanks to prior reverse engineering [2], we had in-depth knowledge of this threat family. Email [email protected] • This malware does not replicate, thus limiting the risk of running an experiment that might get out of control. Jean-Yves Marion LORIA, Nancy, France • There exists a set of vulnerabilities in Waledac’s peer-to- peer protocol that were worth investigating. We wanted to Email [email protected] evaluate the impact of a mitigation scheme against the botnet. ABSTRACT 1.1 The Waledac case study One of the most popular research areas in the anti-malware The architecture of the Waledac botnet is split into four layers. industry (second only to detection) is to document malware The fi rst layer contains infected hosts with private IP addresses characteristics and understand their operations. Most initiatives that are referred to as spammers. They are essentially the are based on reverse engineering of malicious binaries so as to ‘worker’ bots and constitute approximately 80% of the botnet.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Solutions for Increased Productivity Simple “Do-It-Yourself” Tips For
    _ Solutions for Increased Productivity Simple “Do-it-Yourself” tips for speeding up your Computer So your computer is running slow. There are numerous things that can cause a slow PC. They are: • Spyware Programs running in the background without your knowledge. (Programs that spy on your surfing habits, etc, and report this info to someone else.) • Viruses, Trojans and other forms of Malware ( Mal icious Soft ware ). • Fragmented File Systems. • Lack of Hard Drive Space. • System Tray Overload After we look at these 5 “Anti-Productivity” Scenarios, we will look at ways of dealing with them, and bringing your system back up to speed. Spyware Let’s start off with Spyware. Spyware is software installed without your knowledge. How does this software get installed without you knowing about it, you ask? Remember the old saying, “The best things in life are free.” Well, as it turns out, Software isn’t one of them. You see, just because it is free for you (financially speaking), the company is still making money on it. Yes, I know.. you have the free version, and there is a full version, which you can buy. But, even the free version is making the software company money. How you ask? Spyware. This is how it works. A Big Software Company, lets call them “ Company A ”, has a product that they want to put on the market, but they don’t want the user to have to pay for it. They still however, want to make money off it though. How, you ask? This is where the Little Software Company (“ Company B ”) comes into the picture.
    [Show full text]
  • Fraudware How It Works and How to Prevent It from Attacking Your System a Fast Rhino Presentation to the Vistoso Computer Society November 11, 2012
    Fraudware How it works and how to prevent it from attacking your system A Fast Rhino Presentation to the Vistoso Computer Society November 11, 2012 Before we jump in to Fraudware, we should most likely begin by defining "Malware ", which is short for "Malicious software". We've all heard a lot in the past about viruses, adware, & spyware. Today, the industry basically refers to just about any software-based threat as "Malware". More specifically, Malware is a term used to define software that is intended to disrupt the operation of a computer, collect sensitive data, or gain access to private computer systems. Its definition is always expanding since new exploits continue to evolve. Malware consists of a broad spectrum of techniques used to infect systems, including viruses, worms, Trojan horses, rootkits, backdoors and drive-by downloads. Each of these operate differently, however, attacks can very often include a combination of these methods. And, although many of you in this room may already be aware of these, some of you may not, so please bear with me as we go through a basic understanding of these. A virus is a program that infects executable software. When it runs, it allows the virus to spread to other executables. In the spring of 1999, a man named David L. Smith created a computer virus based on a Microsoft Word macro. He built the virus so that it could spread through e-mail messages. Smith named the virus "Melissa," saying that he named it after an exotic dancer from Florida. "Melissa" was one of the first major computer viruses to get the public's attention.
    [Show full text]
  • Classification of Malware Persistence Mechanisms Using Low-Artifact Disk
    CLASSIFICATION OF MALWARE PERSISTENCE MECHANISMS USING LOW-ARTIFACT DISK INSTRUMENTATION A Dissertation Presented by Jennifer Mankin to The Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical and Computer Engineering in the field of Computer Engineering Northeastern University Boston, Massachusetts September 2013 Abstract The proliferation of malware in recent years has motivated the need for tools to an- alyze, classify, and understand intrusions. Current research in analyzing malware focuses either on labeling malware by its maliciousness (e.g., malicious or benign) or classifying it by the variant it belongs to. We argue that, in addition to provid- ing coarse family labels, it is useful to label malware by the capabilities they em- ploy. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employ in order to evade analysis and detection. In this thesis, we present Dione, a flexible rule-based disk I/O monitoring and analysis infrastructure. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and re- constructing high-level file system and registry changes as they occur. We evaluate the accuracy and performance of Dione, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty less than 2% in many cases. ii Given the trustworthy behavioral traces obtained by Dione, we convert file system- level events to high-level capabilities.
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust
    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
    [Show full text]