Recent Malicious Email Attack
Trend Micro Updates
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
August 14, 2009
Agenda
- Recent malicious email attachments
  - What happened?
  - Why was it so effective?
  - How can we defend against these attacks?
- Trend Micro OfficeScan 10
- Trend Micro Security for Macs
- Q&A
What happened?
- Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
- Many more reports soon followed from around the world implicating many K-State IP addresses
- Many K-Staters started reporting receipt of the malicious emails too
- 4:22pm – started blocking infected computers; continued detecting/blocking infected computers for three more days
- 113 infected computers blocked; others detected by sysadmins and rebuilt without getting blocked
- 5:45pm – posted info/warning to IT security threats blog
What happened?
- Four different emails with the following subjects:
  - Shipping update for your Amazon.com order 254-78546325-658742
  - You have received A Hallmark E-Card!
  - Jessica would like to be your friend on hi5!
  - Your friend invited you to twitter!
- Three (somewhat) different attachments:
  - Shipping documents.zip
  - Postcard.zip
  - Invitation card.zip
- At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
  - “attachment.pdf                                        .exe”
  - “attachment.htm                                        .exe”
  - “attachment.chm                                        .exe”
What happened?
- New variant of malware, so Trend Micro OfficeScan did not detect it.
- 10:45pm – I tried to submit samples to Trend Micro. Thought it worked, but found out in the morning it didn’t.
- 11:52pm – warning email sent to profacstaff and classified mailing lists
- July 14, 8:00am – virustotal.com reports 29 of 41 AV products identify the malware (not Trend Micro)
  www.virustotal.com/analisis/...
What happened?
- July 14, 9:00am – finally got samples uploaded to Trend Micro
- 11:40am – Trend reports malware identified as WORM_AGENTO.BY; “bandage” pattern file available
- 2:00pm – bandage pattern file pushed out to OfficeScan clients
- Production pattern file released later that evening which detects the malware
- 397 instances detected/deleted by TMOS since July 13
- IT Tuesday article posted about it: itnews.itac.k-state.edu/2009/07/malicious...
- July 29 and August 7 – similar attacks with new variants of the malware; submitted samples to Trend faster, with about a 2 hour turnaround for a pattern file that detects the malware
Malware Characteristics
- Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
- Modified registry to run every time the computer boots
- Copied itself to mounted file systems, including USB flash drives
- Copied itself to common P2P file sharing folders, masquerading as enticing software downloads
Malware Characteristics
- Sample P2P folders used:
  - %ProgramFiles%\ICQ\Shared Folder
  - %ProgramFiles%\Grokster\My Grokster
  - %ProgramFiles%\EMule\Incoming
  - %ProgramFiles%\Morpheus\My Shared Folder
  - %ProgramFiles%\LimeWire\Shared
- Sample enticing software downloads:
  - Ad-aware 2009.exe
  - Adobe Photoshop CS4 crack.exe
  - Avast 4.8 Professional.exe
  - Kaspersky Internet Security 2009 keygen.exe
  - LimeWire Pro v4.18.3.exe
  - Microsoft Office 2007 Home and Student keygen.exe
  - Norton Anti-Virus 2009 Enterprise Crack.exe
  - Total Commander7 license+keygen.exe
  - Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  - Perfect keylogger family edition with crack.exe
  - … and about 25 more
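A worm that copies itself into every P2P share folder leaves a tell-tale host artifact: the same bytes, under different lure names, in several of the folders listed above. The following Python script is an added example for this roundtable, not a tool from the deck, K-State or Trend Micro. It sweeps the share folders named on the slide (relative to a Program Files root passed as a parameter, so it also runs on a constructed temporary tree here), hashes every .exe found, and reports any hash that appears in two or more folders, together with how many of its file names contain lure words such as "crack" or "keygen". The lure-word list, the dummy payload bytes and the temporary folder layout are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# P2P share folders named on the slide, relative to %ProgramFiles%; the root is a parameter so this runs anywhere
P2P_SHARE_FOLDERS = [
    "ICQ/Shared Folder",
    "Grokster/My Grokster",
    "EMule/Incoming",
    "Morpheus/My Shared Folder",
    "LimeWire/Shared",
]
# Words taken from the slide's sample lure names (assumption: a starting list, tune to your environment)
LURE_WORDS = ("crack", "keygen", "license", "keylogger")


def sha256_of(path):
    """Hash a file in chunks so large downloads in a share folder do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_share_folders(program_files):
    """Group every .exe directly under the known share folders by content hash, so identical copies stand out."""
    by_hash = defaultdict(list)
    for rel in P2P_SHARE_FOLDERS:
        folder = os.path.join(program_files, *rel.split("/"))
        if not os.path.isdir(folder):
            continue  # that P2P client is not installed on this host
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if os.path.isfile(path) and name.lower().endswith(".exe"):
                by_hash[sha256_of(path)].append(path)
    return by_hash


def suspicious_clusters(by_hash, min_folders=2):
    """Return hashes whose copies sit in at least min_folders distinct share folders, with a lure-name count."""
    clusters = []
    for digest, paths in by_hash.items():
        folders = {os.path.dirname(p) for p in paths}
        if len(folders) < min_folders:
            continue
        lure_hits = sum(
            any(word in os.path.basename(p).lower() for word in LURE_WORDS) for p in paths
        )
        clusters.append({
            "sha256": digest,
            "copies": len(paths),
            "folders": len(folders),
            "lure_names": lure_hits,
            "paths": sorted(paths),
        })
    return clusters


def build_constructed_tree():
    """Constructed demo tree: one dummy 'worm' body under three lure names in three share folders, plus one unrelated .exe."""
    root = tempfile.mkdtemp(prefix="p2p_demo_")
    payload = b"MZ constructed dummy body, not a real executable"
    lure_names = [
        "Adobe Photoshop CS4 crack.exe",
        "Kaspersky Internet Security 2009 keygen.exe",
        "Ad-aware 2009.exe",
    ]
    for rel, name in zip(P2P_SHARE_FOLDERS[:3], lure_names):
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(payload)
    # A unique file in a fourth folder: present in one place only, so it must not be reported
    unique = os.path.join(root, "LimeWire", "Shared")
    os.makedirs(unique)
    with open(os.path.join(unique, "setup.exe"), "wb") as fh:
        fh.write(b"MZ some unrelated installer the user downloaded")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    for cluster in suspicious_clusters(sweep_share_folders(demo_root)):
        print(cluster["sha256"][:16], "copies:", cluster["copies"], "lure names:", cluster["lure_names"])
        for p in cluster["paths"]:
            print("   ", p)
```

On a real workstation you would call sweep_share_folders with os.environ["ProgramFiles"]; the hash clustering is what makes the check robust, because the file names change between variants while the copied body does not.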
Why was it so effective?
- Used familiar services
  - Amazon.com
  - Hallmark eCard greeting
  - Twitter
  - Sensual enticement (“Jessica would like to be your friend on hi5!”)
- Somewhat believable replicas of legitimate emails
- Sent it to lots of people (bound to hit someone who just ordered something from amazon.com, or is having a birthday)
- Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
- New variant that spread quickly, so initial infections were missed by antivirus protection
- I was too slow submitting samples to Trend (better the second and third time around)
- Malware/attachment filtering in Zimbra did not stop it
- It had been a long time since an attack came by email attachment, so people were caught off-guard
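The padding trick described on the attachment slide and in the bullet above (a document-looking name, a long run of spaces, then ".exe") is easy for a person to miss and easy for a gateway to catch. The following Python script is an added example, not code from the deck, from K-State or from Zimbra/Trend Micro. It builds a constructed zip in memory whose entry name mimics the deck's "attachment.pdf ... .exe" pattern (the payload is a dummy byte string that merely begins with "MZ", not malware) and flags each entry on four independent signals: an executable extension, whitespace padding before the final extension, a decoy document extension in front of the real one, and a PE header in the content. The extension lists are assumptions and should be tuned to local policy.

```python
import io
import re
import zipfile

# Extensions Windows will run on double-click (assumption: illustrative list, not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document-like extensions commonly placed in front of the real one as a decoy (assumption)
DECOY_EXTS = {".pdf", ".htm", ".html", ".chm", ".doc", ".jpg", ".txt"}
# Two or more whitespace characters immediately before the final extension
PADDED_NAME_RE = re.compile(r"\s{2,}\.[A-Za-z0-9]+$")


def analyze_entry_name(name):
    """Return the reasons an archive entry name looks like a disguised executable (empty list if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # zip entries use '/' as the path separator
    lowered = base.lower()
    if "." not in lowered:
        return reasons
    stem, last_ext = lowered.rsplit(".", 1)
    if "." + last_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last_ext)
    if PADDED_NAME_RE.search(base):
        reasons.append("whitespace padding before final extension")
    stem = stem.rstrip()  # drop the padding so the decoy extension is the last thing in the stem
    if "." in stem:
        decoy = "." + stem.rsplit(".", 1)[-1]
        if decoy in DECOY_EXTS:
            reasons.append("decoy document extension " + decoy + " before real extension")
    return reasons


def scan_zip_bytes(data):
    """Inspect each file entry of an in-memory zip; return {entry name: [reasons]} for suspicious entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = analyze_entry_name(info.filename)
            # Check the content too: a PE executable starts with the two bytes 'MZ', whatever the name says
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("content starts with MZ (PE executable) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(data):
    """Gateway decision: hold the message if any entry in the zip attachment is suspicious."""
    return bool(scan_zip_bytes(data))


def build_sample_zip():
    """Constructed sample modelled on the deck's attachment; the 'executable' is a dummy MZ-prefixed byte string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"plain text, nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip_bytes(build_sample_zip()).items():
        print(repr(entry), "->", "; ".join(why))
```

The name checks alone would have caught all three of the deck's attachments, and the MZ check catches the next variant that drops the padding and simply renames the file; a gateway policy can hold a message on any one signal rather than waiting for a pattern file.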
What can we do?
- Users need to learn to recognize scams
  - Hallmark, amazon.com, etc. do not send info in attachments
  - Don’t open an attachment unless you are expecting it and have verified with the sender
  - Think before you click
  - Be paranoid!
[Image slide: Malicious Hallmark E-Card]
[Image slide: Legitimate Hallmark E-Card]
[Image slide: Malicious Amazon Shipping Notice]
[Image slide: Legitimate Amazon Shipping Notice]
[Image slide: Malicious Twitter Invitation]
What can we do?
- Better malware filtering in e-mail
  - Need to work more closely with Zimbra/Yahoo
- Submit malware samples sooner (we’re doing that now)
- Trend Micro OfficeScan 10…
Trend Micro OfficeScan 10
- Major upgrade from current version 8 (where did version 9 go?!)
- Rife with marketing hype (“Cloud-Client Architecture”, “Smart Protection Network”, “Global Threat Intelligence”)
- But it appears to provide real value:
  - Faster deployment of pattern file updates
  - Smaller client footprint
  - Windows 7 support (not officially supported in OfficeScan 8)
  - More options for re-scheduling missed scheduled scans
  - Better Active Directory integration
  - Better control of removable devices like USB drives
  - Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)
Trend Micro OfficeScan 10
- “In-the-cloud” scanning (“SmartScan”) vs. conventional scanning
  - Client uses pattern info stored on local or global servers rather than having to store everything on every client computer
  - Updates pattern files hourly instead of daily
  - Smaller pattern files on the client, less network bandwidth used to deploy pattern files
  - Some heuristic-based detection
  - Can still do conventional scanning for systems with limited Internet access
Trend Micro OfficeScan 10
- Better options for dealing with a missed scheduled scan
  - Postpone a scheduled scan before it begins
  - Stop and resume a currently active scheduled scan
  - Resume a missed scheduled scan
  - Automatically skip a scheduled scan when the laptop battery is below a certain %
  - Automatically stop a scheduled scan when it lasts longer than a certain period
Trend Micro OfficeScan 10
- Device Access Control
  - Sysadmins can control use of removable drives
  - Examples: removable thumb drives, FireWire hard drives, PC Cards, media players
Trend Micro OfficeScan 10
- The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
  - Prevents OSCE applications from being injected with malware and impacting business operations
  - Provides the ability to protect OfficeScan files / file types within folders from being modified
  - Protects OfficeScan system processes to prevent unauthorized shut-down
  - Protects OfficeScan system registries from unauthorized modification
Trend Micro OfficeScan 10
- TMOS 10 concerns
  - Is a major upgrade, so needs thorough testing
  - Uncertainty about use of SmartScan vs. conventional scan
  - Significant CPU utilization every hour on Local Scan Server when it downloads and processes new pattern files
  - Standalone Scan Server requires VMware ESXi Server 3.5 Update 2, VMware ESX Server 3.5 or 3.0, or VMware Server 2.0
  - 1,000 client limit if Local Scan Server and OfficeScan server run on the same server (compared to 5,000–8,000 clients for the latter) – called “Integrated Scan Server”
  - No tool yet to export/import config from TMOS 8 server to TMOS 10 environment, but they’re working on it
Trend Micro OfficeScan 10
- TMOS 10 plans
  - Is available now, has been out for a while (service pack 1 in beta)
  - Needs more testing – campus sysadmins encouraged to test
  - Central TMOS 10 server for testing sometime...
  - SIRT will plan coordinated rollout for campus (can be pushed from the server)
  - No timeline at this point, but advantages warrant a somewhat aggressive schedule, as does release of Windows 7 in late October
Trend Micro Security for Macs
- K-State’s license for Symantec AV for Macs expires October 27, 2009
- No budget for renewal or replacement
- TM Security for Macs (TMSM) is a new product from Trend Micro, included in our campus site license
- Barring a show-stopper problem, we will switch to TMSM this fall
Trend Micro Security for Macs
- Features/Advantages:
  - No additional cost
  - Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
  - Managed as plug-in to current Windows OfficeScan servers, so we have a common mgmt platform
  - Supports MacOS 10.4 and 10.5 on Intel and PowerPC processors
  - Includes Web Reputation Services to help prevent users from visiting known malicious web sites
  - Covered by current Silver Premium Support contract
  - Single vendor for all AV products
Trend Micro Security for Macs
- Timeline:
  - Version 1.5 in beta test now
    - Being tested pretty extensively at K-State
    - Fixed known issues we had with v1.0
  - Production release available to K-State after August 25
  - Switch by October 27, or semester break for imaged labs (SAV will continue to work)
  - New Macs should install Symantec now but plan to switch
What’s on your mind?