Information Security
Training on Malware
Outline
• Introduction
• Goal
• Malware defined
• Motivation for Malware
• Types of Malware
• Recognizing Malware
Introduction
• Welcome to LSUHSC-NO’s Computer Security awareness online tutorial on Malware. This tutorial is for ALL employees and students.
Goal
• The primary goal of this tutorial is to raise end-user awareness of how to recognize malicious software and how to take proper action to prevent its disruptive effects.
• LSUHSC faculty, staff and students are the last line of defense in identifying and eliminating malicious software. Training is the key to that defense.
• LSU cannot protect the confidentiality, integrity, and availability of its information without the informed participation and support of every employee and student.
What is Malware?
• Malware (short for “MALicious softWARE”) is any software designed to infiltrate a computer system without the user's informed consent.
• It can enter your PC as the result of clicking on website links, pop-up ads, toolbars, games,
Motivation for Malware
• Pranks
• Spamming (unsolicited junk email)
• Stealing data
• Fraud (bank, credit card, etc.)
• Vandalism
What Can Happen if your Computer
Becomes Infected with Malware?
• Spy on your surfing habits
• Steal your passwords by logging your keystrokes
• Steal your identity
• Read your email
• Cause irreversible destruction to your current applications, files and data.
• Can infect others by attaching to your outgoing
What Can You Do? FIRST,
"KNOW THY ENEMY"
• Viruses
• Worms
• Spyware
• Trojans
• Scareware
• Rootkits
Viruses
• Viruses are programs that attempt to spread
throughout your system and the entire
network.
• Prevention:
• Antivirus software should be installed and updated on
your computer (LSUHSC provides antivirus software
with updates to all university owned computers.)
• Ensure your LSUHSC user ID is NOT an administrator on
your PC or laptop. This will prevent new viruses that the
antivirus software doesn’t recognize from installing on
your computer.
Worms
• Worms spread without any user action. They usually take
advantage of security holes in the operating system or software package.
Prevention:
• Ensure that your operating system and all installed applications
have all security updates installed (LSUHSC automatically updates all operating system patches on university owned
computers. Users still need to ensure installed applications such as Adobe Reader or Flash are updated.)
• Ensure your LSUHSC user ID is NOT an administrator on your PC
or laptop. This will prevent new worms that exploit weaknesses that have yet to be corrected from installing on your computer.
Spyware
• Spyware is the class of programs that:
• Monitor your computer usage habits and report them back to a company that stores this information in a database for marketing purposes
• Are installed with little or no notification during the installation of another program or while browsing the Internet
• Open advertising windows when browsing the Internet
• Prevention:
• Install an updated spyware scanner (All LSUHSC owned computers have antispyware software installed which is updated regularly).
• Ensure your LSUHSC user ID is NOT an administrator on your PC or laptop. This will prevent new spyware that the spyware scanner doesn’t recognize from installing on your computer.
Rootkits
• A Rootkit is software that enables continued privileged access to a computer while actively hiding its presence from the user by subverting normal operating system processes.
• Rootkits are made up of one or more programs designed to perform any of the following functions:
– Obtain administrator privileges on the system
– Create a “backdoor” that gives the cybercriminal easy administrative access whenever they want it
– Delete any log entries or other records that may reveal the existence of the rootkit to the legitimate owner of the system
Rootkits (cont.)
• Purposes of Rootkits:
– Rootkits are used by cybercriminals to:
• Launch attacks on websites or networks
• Send spam emails
• Distribute copyrighted materials such as music, videos, or commercial software
• Steal passwords
Rootkits (cont.)
• Prevention:
– Install up-to-date antivirus software.
– Ensure Windows automatic updates is enabled and install every new version of the Windows Malicious Software Removal Tool as soon as it becomes available.
– These steps are automatically done on LSUHSC
Keystroke Loggers
• Keystroke loggers come in two varieties:
• Software programs that log every keystroke typed.
• Hardware devices installed between your keyboard and computer.
• Prevention: Hardware Keystroke Loggers
• Always check your computer for anything unfamiliar that may be plugged in.
• If you find anything suspicious, contact your supporter or the Helpdesk.
Keystroke Loggers (cont.)
Prevention: Software Keystroke Loggers
• Ensure up-to-date antivirus and anti-spyware scanner
software is installed on the computer.
• Ensure operating system and application software patches are
up to date.
• Ensure that your LSUHSC user ID is NOT a local administrator
on your PC or laptop to prevent installation of the keystroke logger. (Contact your supporter for more information.)
• If needed, have a separate user ID that is used ONLY for
Trojans
• Like their Greek namesake, Trojans are programs that appear to be one type of program (e.g. a screensaver) but are hiding additional functions of which the legitimate user is completely unaware. These functions can include:
• Giving administrator access to the cybercriminal author of the Trojan.
• Reporting everything viewed on your screen or typed on your keyboard (e.g. passwords) to another computer on the Internet.
• Running additional programs on your computer.
• Prevention:
• Ensure up-to-date antivirus and anti-spyware scanner software is installed on the computer.
• Ensure operating system and application software patches are up to date.
• Ensure that your LSUHSC user ID is NOT a local administrator on your PC or laptop to prevent installation of the Trojan. (Contact your supporter for more information.)
Hybrid Malware
• Different kinds of malware can be combined to create programs with new capabilities. For example, the replicating features of a virus can be combined with the remote control features of a Trojan and the administrative functions of a rootkit to create a program that spreads like a virus, then “phones home” for instructions, then causes the victim’s computer to carry out those instructions.
Prevention:
• Ensure up-to-date antivirus and anti-spyware scanner software is installed on the computer.
• Ensure operating system and application software patches are up to date.
• Ensure that your LSUHSC user ID is NOT a local administrator on your PC or laptop to prevent installation of the malware. (Contact your supporter for more information.)
• If needed, have a separate user ID that is used ONLY for software
Zero Day Malware
• Zero day malware refers to brand new or previously unknown
malware.
– Because zero day malware is brand new, antivirus and anti-spyware
scanner programs that depend solely on signature recognition cannot provide any protection.
– In recent years, foreign governments and organized crime have joined
the ranks of malware programmers. This has tremendously increased the resources available for researching and developing new types of malware.
– As a result, the occurrences of new malware are increasing at an
alarming rate.
– The STUXNET virus that infected computers used in Iranian nuclear
plants contained exploits for four previously unknown vulnerabilities in Microsoft’s Windows operating system.
Zero Day Malware (cont.)
Prevention:
• Install antivirus and anti-spyware scanner software that use
multiple methods for detecting malware and do not rely on signature databases alone. (LSUHSC-owned computers have such software already installed.)
• Ensure that your LSUHSC user ID is NOT a local administrator
on your PC or laptop to prevent installation of the malware. (Contact your supporter for more information.)
• If needed, have a separate user ID that is used ONLY for
Signs that you have Malware
• You start seeing an excessive amount of pop-up
ads.
• Reduced performance (your computer seems slow
or “freezes”)
• Windows opening by themselves
• Missing data
• Unusual toolbars added to your web browser
• Your email account sends out messages to your
Signs that you have Malware
(cont.)
• The amount of spam you receive in your email increases.
• You are notified by someone you know that they have received a strange email from you that you did not send.
• Contact your computer supporter or the Helpdesk if you suspect that your computer has malware installed.
Suspicious Email
•
Suspicious email includes:
– Any email you receive with an attachment
– Any email you receive from someone you don’t recognize
• Steps to combat malware from infecting your computer by
email include:
– disabling auto-preview and the preview panel in your email client
– setting your email client to read all mail in plain text
– saving all attachments to your computer and scanning them with your
antivirus product before opening them
• The following is an example of an email designed to trick you
Suspicious Email (cont.)
Subpoena in case #79-285-FUZ Wednesday, April 16, 2008 5:38 AM
From: "United States District Court" <[email protected]> AO 88(Rev.11/94) Subpoena in a Civil Case
Issued by the
UNITED STATES DISTRICT COURT Issued to: Name Omitted
Business Name Omitted Phone No. Omitted
SUBPOENA IN A CIVIL CASE
Case number: 79-285-FUZ United States District Court
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specifiied below.
Place: United States Courthouse 880 Front Street
San Diego, California 92101 Date and Time: May 9,2008 9:00 a.m. PST Room: Grand Jury Room room 5217
Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los Angeles, CA 90071 Please download the entire document on this matter(follow this link) and print it for your record.
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer on behalf of the court.
Any organisation not a party to this suit thas is subponaed for the taking of a deposition shall designate one or more offcers, directors, or managing agents, or other persons to testify on its behalf, and may set forth, for each person designated, the matters on wich the person will testify. Federal Rules of Civil
Procedures,20(b)(6).
Failure to appear at the time and place indicated may result in a contempt of court citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct any questions to the person requesting you to appear: City Prosecutor.
Suspicious Email (cont.)
• Frequently emails will try to trick the recipient into installing malware by posing as a law enforcement or other government agency (in this example the “U.S. District Court”).
• The email may include official-looking insignia.
• The email will inform the recipient of some event (e.g. “You have been sued.”) and direct the recipient to open an attachment or click on a link for more information.
• The malware will take the form of either:
– An attachment that, when selected, will install the malware on the victim’s computer.
– A link that, when selected, will direct the browser to an
Suspicious Email (cont.)
Ways to identify suspicious emails
• Does the demand make sense?
– Are you familiar with the parties in the case?
– Do you have knowledge of the issue before the court?
– Would a “City Prosecutor” be issuing a subpoena for a “U.S. District Court”?
– There are no names of court officers.
– Subpoenas are usually served in person or by certified mail, not email.
• Does the link make sense?
– The email refers to .
– U.S. government websites use the .gov domain so a legitimate link would be
• Attachments
– Most attachments of official documents will have a .pdf or .tif extension (e.g. “subpoena.pdf”).
– More rarely .doc or .rtf are used (e.g. “subpoena.rtf”).
– Extensions such as .zip, .exe, or .com could be disguising malware (e.g. “subpeona.zip”).
• Other problems
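The link and attachment checks above, together with the earlier advice to save attachments and inspect them before opening, can be turned into a small triage routine. The code below is an added example written for this page; it is not LSUHSC’s tooling and the sample message it builds is constructed to resemble the subpoena scam, not the original. It assumes the claimed organisation is a U.S. government body, so legitimate links and senders should live under .gov, and it uses the deck’s own extension lists (.pdf/.tif/.doc/.rtf as usual for official documents, .zip/.exe/.com as possible disguises). It goes slightly beyond the text by also checking the sender’s address against the claimed organisation.

```python
"""Triage heuristics for a "court subpoena" style phishing email.

Added example, not part of the LSUHSC deck. It encodes three of the deck's
checks: does the link point at a .gov host, does the attachment carry a
document extension or a risky one, and (an addition) does the sender's
domain match the claimed organisation. The sample message is constructed.
"""
import re
from email import message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

DOCUMENT_EXTENSIONS = {"pdf", "tif", "doc", "rtf"}  # usual for official documents
RISKY_EXTENSIONS = {"zip", "exe", "com"}            # "could be disguising malware"
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def check_link(url, expected_suffix=".gov"):
    """Return a finding if the link's host is not under the expected domain."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(expected_suffix):
        return None
    return f"link {url}: host '{host}' is not a {expected_suffix} site"


def check_attachment(filename):
    """Judge an attachment by its final extension (so 'subpoena.pdf.exe' is .exe)."""
    name = filename.rsplit("/", 1)[-1].lower()
    if "." not in name:
        return f"attachment {filename}: no extension"
    ext = name.rsplit(".", 1)[1]
    if ext in RISKY_EXTENSIONS:
        return f"attachment {filename}: .{ext} could be disguising malware"
    if ext not in DOCUMENT_EXTENSIONS:
        return f"attachment {filename}: .{ext} is not a usual document format"
    return None


def check_sender(from_header, expected_suffix=".gov"):
    """Return a finding if the From address is not under the claimed domain."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    domain = address.rsplit("@", 1)[-1].lower()
    if domain.endswith(expected_suffix):
        return None
    return f"sender {address}: domain '{domain}' is not a {expected_suffix} address"


def triage(raw_message, expected_suffix=".gov"):
    """Run all checks over an RFC 822 message; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []
    finding = check_sender(msg.get("From", ""), expected_suffix)
    if finding:
        findings.append(finding)
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            finding = check_attachment(filename)
            if finding:
                findings.append(finding)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(text):
                finding = check_link(url, expected_suffix)
                if finding:
                    findings.append(finding)
    return findings


def build_sample():
    """Constructed lookalike of the subpoena scam (addresses and link are placeholders)."""
    msg = MIMEMultipart()
    msg["From"] = '"United States District Court" <court-notice@example.net>'
    msg["Subject"] = "Subpoena in case #00-000-XXX"
    msg.attach(MIMEText(
        "YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury. "
        "Please download the entire document on this matter "
        "(http://example.net/subpoena/download) and print it for your record.",
        "plain"))
    archive = MIMEBase("application", "zip")
    archive.set_payload("constructed placeholder, not a real archive")
    archive.add_header("Content-Disposition", "attachment", filename="subpoena.zip")
    msg.attach(archive)
    return msg


if __name__ == "__main__":
    for line in triage(build_sample().as_string()):
        print(line)
```

Running the block prints three findings for the constructed message: a non-.gov sender, a non-.gov download link, and a .zip attachment. Because only the final extension is examined, a double-extension name such as “subpoena.pdf.exe” is also flagged. A message from a .gov address that links only to .gov hosts and carries a .pdf produces no findings, which still means only that these particular rules did not fire, not that the message is safe.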
Suspicious Email (cont.)
• Other Actions
– Google the parties listed in the demand (e.g. O’Mevely and Meyers, LLP). You may find that they don’t exist, or, if they do, that they have a notice posted on their website about how they have been victimized by the scam.
– Many courts now have websites that allow you to enter a case number to see if the case is valid.
– Go to the FBI e-scam website ( ) to see if they have a notice on an email similar to the one in question.
– Send the suspicious email as an attachment to
– You should NEVER click on any links or open any
Infected Websites
• Malware can also infect websites.
• Any unprotected computer that browses an infected website will become
infected.
• Even well-known and respected websites such as the NewYorkTimes.com
and bbc.com have been infected.
• Prevention:
– Ensure up-to-date antivirus and anti-spyware scanner software is installed on
the computer.
– Ensure operating system and application software patches are up to date.
– Ensure that your LSUHSC user ID is NOT a local administrator on your PC or laptop to prevent installation of the malware. (Contact your supporter for more information.)
– If needed, have a separate user ID that is used ONLY for software installation.
– Subscribe to a service that tests websites for infections. All LSUHSC computers have such a service. Results of Internet searches will show a green circle around a white checkmark indicating that a website has been tested and is considered safe from malware infections.
Scareware
Scareware is a message designed to scare you
into installing malware on your system. The
following are examples of actual scareware
messages.
Scareware Examples
This scareware is designed to look like a
Windows error message.
Fortunately, all this program does is
separate the user from $40 of his hard
Scareware Examples (cont.)
This Scareware appears when surfing an infected website. It appears to be a warning from your antivirus program. The message is a fake. However, clicking on ANY of the buttons (including the “x” in the upper right corner) will cause malware to be installed on your system. The best course of action is to power off your system without “shutting down”.
Scareware Examples (cont.)
Antivirus XP scareware is designed to look like a message from the Windows XP Security Center. Clicking on ANY of the buttons (including the “x” in the upper right corner) will cause malware to be installed on your system. The best course of action is to power off your system without “shutting down”.
Scareware Examples (cont.)
• This type of scareware makes it appear that your hard drive is
crashing by moving and/or hiding files so it appears that they are inaccessible. Then it puts up an error message (as seen below). When you click on “OK” it appears to scan the system then reports multiple errors. It then prompts you to purchase their bogus software.
How Can you tell if a system
message is Scareware?
• Does the message refer to some catastrophic event? (e.g. “Your registry is damaged!” or “Your computer is infected”)
• Does it instruct you to go to an unfamiliar website? (e.g. NOT microsoft.com or lsuhsc.edu)
• Does it instruct you to download and install a program?
• Does the name of the antivirus warning differ from the name of your installed antivirus software?
If any of the above are true, then it may be scareware. Call the Helpdesk or your supporter to make sure.
How to Avoid Malware
• Ensure up-to-date antivirus software is installed on your computer (LSUHSC provides antivirus software with updates to all university owned computers).
• Ensure up-to-date anti-spyware scanner software is installed on
your computer (all LSUHSC owned computers have antispyware software installed which is updated regularly).
• Ensure operating system and software patches are up to date on
your computer (LSUHSC automatically updates all operating system patches on university owned computers).
• Ensure applications such as Adobe Reader or Flash are up to date
with all patches.
• Ensure that your LSUHSC user ID is NOT a local administrator on
your PC or laptop (contact your computer supporter for more information).
How to Avoid Malware (cont.)
• Always check your computer for anything unfamiliar that may
be plugged in.
• Use caution with your Internet surfing habits
– think before you click
– avoid clicking on pop-up advertisements
– pay attention to the “Site Advisor” on your antivirus program.
• If you have any questions, contact your computer supporter
or the Helpdesk.
• Make sure that any computer you use to access LSUHSC’s
network remotely (from home or while on vacation, or at a conference) has incorporated all of the precautions listed above.