|
1
|
|
|
2
|
- Background & Terminology
- Features
- Scanning types
- Browser & System Control
- Malware disinfection
- Database updates
- User Interfaces
|
|
3
|
|
|
4
|
- Software designed specifically to disrupt or damage a system
- M a l i s i o u s S o f t w a r
e
- Virus
- Worm
- Trojan
- Spyware
|
|
5
|
|
|
6
|
- VIRUS is a computer program that replicates by attaching itself to
another object
- Boot sector viruses:
- Replicate by infecting the boot sector of diskettes accessed by an
infected machine
- Macro viruses
- Attaches themselves to documents (doc, xls, etc.)
- File viruses
- Attaches itself to programs (Windows)
- Can use the full set of Win APIs
|
|
7
|
- WORM is a computer program that replicates independently by sending
itself to other systems
- There are two types of worms
- Email worms
- Network worms
- Very fast at spreading
|
|
8
|
- TROJAN HORSE is a program with hidden destructive functionality
- Damages data
- Hijacks computers
- Sniffs files or network
- Steals confidential information
|
|
9
|
- SPYWARE is software program that aids in gathering information about a
person or organization without their knowledge, and can relay this
information back to an unauthorized third party
- Spyware has many names, that have slightly different connotations:
Commercial Malware, TrackWare, ScumWare, ParasiteWare, UCS (Unsolicited
Commercial Software)…
|
|
10
|
- SPYWARE can reach computers as a software virus or as the result of
installing a new program
- Technically not viruses, but pose a threat to Internet users' privacy
- Today, spyware appears in dozens of malicious forms, clearly not just
with the purpose of gathering your browsing habits
- Hijacking your browser or system
- Installing trojan backdoors
- Stealing confidential data
- Installing premium dialers
|
|
11
|
- ADWARE is advertising-supported software that displays advertisements
whenever the program is running
- COOKIE is a mechanism for storing a user’s information on a local drive
that websites may access
- TRACKING COOKIE allows multiple web sites to store and access records
that may contain personal information (including surfing habits, user
names and passwords, areas of interest, etc.), and subsequently share
this information with other web sites and marketing firms
- PERSONALIZATION COOKIE allows users to customize pages, personalize web
experience and remember passwords
|
|
12
|
- WEB BUG (or web beacon) is a file, usually a a transparent picture,
placed on a web page or in an e-mail to monitor user behaviour without
consent
- BROWSER HELPER OBJECT (BHO) is a program that runs automatically every
time a browser is launched. They can track usage data and collect any
information displayed on the Internet.
|
|
13
|
- BROWSER HIJACKER is an applications that attempts to take control over a
user's start page or desktop icons, resetting them to conform with the
attacker’s wishes
- SYSTEM HIJACKER is software that uses the host computer's resources to
proliferate itself or use the system as a resource for other activities
- Acting as a spamming zombie
- Contributing to DDoS attacks
|
|
14
|
- KEYLOGGER (or system monitor) is designed to monitor computer activity
by capturing virtually everything a user does on the computer, including
recording all keystrokes
- TROJAN HORSE (or trojan) is a malicious program that is disguised as
legitimate software
- DRIVE-BY DOWNLOAD is a program which is automatically downloaded to a
host without user consent or knowledge.
- PREMIUM DIALER (or expensive dialer)
|
|
15
|
|
|
16
|
- Criteria to add software to Spyware database is based on a point system
- The system is based on a total of 10 points, 1 being the least and 10
being the most threatening and/or problematic
- 5 Criterias: Removal, Integration, Distribution, Behaviour, Privacy
- TAC number of three or higher required to be included in the database
- Applications that are difficult to remove and cause system instability
and do not contain any further violation, are not added to the chart,
eventhough they reach 3 points!
- This list is public and complying to these strict rules is important as
most spyware is legal software
|
|
17
|
- Integration: 2 points
- Can cause system instability
- Distribution: 2 points
- Intentionally hidden (stealth) install and/or clear evidence that the
application is designed with the clear intention of either making it
difficult or impossible to remove using normal removal procedures
- Bundled installation that is undisclosed (no notice given to the user
pre-install or the host application’s End User License Agreement (EULA)
attempts to hide the application’s inclusion)
- No info disclosed in EULA, confusing EULA, or a hidden EULA listing
|
|
18
|
- Behaviour: 3 points
- Virus or trojan
- Connects to perform or aid in a DDoS attack
- Use or creation of tracking cookies
- Changes browsing results (browser hijack, redirect, replaces text or
graphics, opens random websites)
- Operates in stealth
- Opens web sites not initiated by the user, unsolicited pop-ups or
requests to join a different site
- Auto-updates without user permission or knowledge
- Dials an unprompted or unauthorized Internet connection
- Opens or exploits a system vulnerability
|
|
19
|
- Privacy: 2 points
- Connects to a remote system with or without the user's awareness to
transmit usage statistics and/or personally identifiable information
- Connects to a remote system without the user's awareness to
transmit/receive information
- Tracks the user's surfing habits
- Removal: 1 point
- Provides no uninstaller at all or non-functional application
uninstaller
- Lacks clear evidence of intention, suspicion that the application's
developer intentionally made the software difficult to uninstall
|
|
20
|
- CATEGORY Malware
- FAMILY CoolWebSearch
- TAC LEVEL 10
- BEHAVIOR
- Operates hidden
- Hijacks browser
- Redirects browsing search results
- Tracks users surfing habits
- Javascript which guesses adult pages
|
|
21
|
- There is a lot of similarity in viruses and spyware
- Both are delivered via web sites, downloads and e-mail attachments
- Both have the ability to capture and destroy information
- Both can ruin the system performance
- The difference is their behaviour
|
|
22
|
- Virus
- Has a replication mechanism (file infecter)
- Tries to infect as many machines as possible
- Signatures updates have to be very frequent (daily)
- Virus writer is unknown
- Creating viruses is illegal
- Spyware
- Has no replication mechanism
- Signature updates are not as urgent, usually 1-2 times a week
- Spyware is typically installed by the end-user
- Spyware vendor is known
- Typically the user is made aware of spyware installation (EULA)
- It is not illegal to write and distribute spyware
|
|
23
|
- Every time data is transmitted a virus may spread as well
- E-mail attachment (over 80% of the cases)
- Files downloaded from the Web
- Usenet News Groups
- Chat channels (IRC, ICQ, MSN, AOL, Trillian)
- Peer-to-peer file share networks
- Demo and magazine cover CD-ROMs or floppies
- Sharing games, Pirated CD-ROMs, Infrared beaming, Bluetooth, Company
visitors…
- Worms can find their own way in through open ports or other security
holes without assistance form the user
|
|
24
|
- Normal web browsing
- Badly configured browser, for example allowing ActiveX installations or
accepting cookies from third parties
- Many free software available on the internet contains spyware
- Freeware is usually usefull, so the user is tempted to download (for
example Peer-to-Peer software)
- Why is the software free?
- Financed with advertisements
- Also a lot of commonly trusted software comes bundled with spyware
- Data Miner Alexa comes bundled with some versions of Internet Explorer
|
|
25
|
|
|
26
|
- Fastest reaction time on new threats
- Virus and spyware software is only as good as the antivirus company's
capability to provide cure for new virus outbreaks
- Spyware updates are not as urgent as anti-virus updates
- F-Secure Virus Research Team is on call 24-hours a day responding new
and emerging threats
- Frequent definition updates
- As some 10 new viruses are found on each day
- F-Secure updates virus definitions 2 times a day on average
- Automated update methods
|
|
27
|
|
|
28
|
|
|
29
|
|
|
30
|
- 4 different ways to scan data
- Real-time scanning
- E-mail scanning
- Scheduled scanning
- Manual scanning
|
|
31
|
- Files are scanned every time they are accessed
- Created
- Opened
- Moved
- Renamed
- Scanning done by Scanner Manager
- Scanning takes place in user mode
- A black list is created for problematic files
|
|
32
|
- When real-time scanning is enabled, computer is protected against
viruses and spyware
- ”Scan for spyware” must be enabled
- Other features
- Protection against tracking cookies
- Done by Browser Control
(Ad-Watch)
- Separate primary actions for virus and spyware infections
|
|
33
|
- Scans the content of incoming POP3 or IMAP and outgoing SMTP mail
traffic
- Ensures that no viruses are sent out from the workstation nor are
viruses received through email
- Transparent operation
- Works with any email client that uses SMTP and POP3 or IMAP
- Scanning done by Scanner Manager
- Mail traffic is only scanned for viruses
|
|
34
|
- Enables you to scan your computer at a specific time by selecting the
“Enable scheduled scanning” checkbox
- On daily, weekly or monthly bases
- Start time can be a fixed time or a fixed computer idle time
- Accesses scheduling service in Windows
|
|
35
|
- Manual scans can be run to check a certain file, folder or drive
- Viruses and Spyware can be scanned seperately or together
- More flexible malware scanning
- No need of running always a full computer check
- Usually, on-demand scans are more detailed scans and therefore more
time consuming
- Scan inside compressed files
- Scan all files
|
|
36
|
- When Browser Control is enabled, it blocks intrusive ad popups and
protects Internet Explorer against unwanted changes
- Internet Explorer Shield
- Blocks IE related registry changes
- Blocks ActiveX installation
- Superior to IE security profiles
- Block browser downloads
|
|
37
|
- Protects the system from unexpected changes (unknown, new Malware)
- Monitors certain sections of the windows registry and alerts changes
- Actions
- Shows nofification flyers
- Following changes are monitored
- Allow
- System start-up changes
- Critical file associations
- Ask user for decision
- Application hijacking
- Generally critical system changes
|
|
38
|
- Primary actions
- Prompt user for decision
- Disinfect
- Delete infected file
- Do nothing
- Disinfect automatically
- Rename automatically
- Delete Automatically
- Report only
- Secondary actions (automatically)
|
|
39
|
- Actions
- Prompt user for decision
- Quarantine
- Delete infected file
- Exclude from scan
- Do nothing
- Report only
|
|
40
|
- Quarantine functions
- Restore application
- Delete
- Properties
|
|
41
|
- User gets automatically informed about latest security threats
- Protection status for every reported malware
- Three alert levels
- Level 1: Worldwide virus epidemic
- Level 2: New virus causing large, localised infections
- Level 3: New virus technique or platform found
|
|
42
|
- Shows html news items
- Separate user interface, icon and Start-menu entries
- Possible for ISPs to reach their customers
- For example service information
- Not allowed for marketing purposes!
|
|
43
|
- Possible to unload F-Secure products to free memory, for example for
gaming
- 2 unload possiblilities
- Unload Virus & Spy Protection and continue with active Internet
Shield Security Level
- Unload both Virus & Spy Protection and Internet Shield
- No protection left, since firewall is unloaded
- Unloads all except some UI files
|
|
44
|
- Heart of Virus & Spy Protection
- Provided by FSC Anti-Virus Research
- Different for each scanning engine (Orion, AVP, Libra and Draco)
- Databases are signed (DAAS)
- Viruses are normally detected by several scanning engines but disinfect
by the first engine that detects it
|
|
45
|
- There are two types of databases
- Update databases
- Cumulative databases
- 3 to 4 MB because contains all databases
- Released on monthly bases
|
|
46
|
- Databases
- Virus & Spy Protection
- Spam Scanner
- Parental Control Engine and Parental Control List update
- Virus & Spy Protection and Spam Scanner only function after updates
are installed
- GUI will show “Initialising” for a minute after installation
|
|
47
|
- Incoming samples
- Most come from customers or users of free versions
- Rest (30%) coming via sample exchange from competitors
- Most coming in via e-mail
- Send samples to: vsamples@f-secure.com
|
|
48
|
|
|
49
|
- Virus & Spy Protection
- Real-time scanning
- E-mail scanning
- Scheduled scanning
- Browser Control
- System Control
|
|
50
|
- Virus & Spy protection levels
|
|
51
|
- Virus & Spy Protection
- Protection activity
- Virus protection level
|
|
52
|
- Settings
- Realtime scanning
- Scanning options
- File types included in scan
- Differs in protection levels
- File exclusions
- Actions
- Separate actions for virus and spyware
- Quarantine possibility for spyware
- Block tracking cookies
|
|
53
|
- Settings
- Scanning Options
- File types scanned
- Exclude certain attachments
- Protocol settings
- Actions
- Different actions for incoming and outgoing mails
- Outgoing mails are never disinfected
- If infected, message is blocked and user notified
|
|
54
|
- Settings
- Scan frequency
- Start time
- Specific hour
- Computer idle time
- Scan will start after computer hasn’t been used for the defined time
|
|
55
|
- Settings
- Scanning options
- File types scanned
- Differs in protection levels
- File exclusions
- Action on infected file
- Separate actions for virus and spyware
- Quarantine possibility for spyware
|
|
56
|
- Settings
- Browser Control (enable, disable)
- Popup blocker
- Internet Explorer Shield (IE Shield)
- Lock IE settings
- Browser hijacks
- ActiveX
- Downloads
- Notification flyers for block events
|
|
57
|
- Settings
- System Control (enable, disable)
- System registry monitoring
- Startup changes
- Application hijacks
- Critical file associations
- Critical system changes
- Possible actions
- Notification flyers for block events
|
|
58
|
- Background & Terminology
- Features
- Scanning types
- Browser & System Control
- Malware disinfection
- Database updates
- User Interfaces
|
Notes
