March “Malware” Madness by Micah Van Maanen, Sioux County IT Director.

Transcript of March “Malware” Madness by Micah Van Maanen, Sioux County IT Director.

Page 1:

March “Malware” Madness

by

Micah Van Maanen, Sioux County IT Director

Page 2: Game #1 (Inbox vs. spam)

Sizing up the competition:

spam facts
Who sends it?
Why do they send it?
Who does it affect?
How did they get my E-mail address?
An ounce of prevention
Tracing and reporting spam
Blocking spam
Identifying spam
Sioux County E-mail statistics

Page 3: spam facts

spam is… Unsolicited Commercial E-mail
In 1978 the first internet E-mail spam was sent*
More than 50% of all spam originates in the U.S.**
50% to 85% of all E-mail is spam***
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) has not helped****
Approximately 45% of Sioux County’s E-mail is spam (the monthly counts on page 12 put it between about 45% and 52%)
What does Hormel, makers of SPAM, think of spam? http://www.spam.com/ci/ci_in.htm

* http://www.templetons.com/brad/spamterm.html
** http://www.internetnews.com/stats/article.php/3376331
*** http://www.metafilter.com/mefi/34180
**** http://www.computerweekly.com/Article130765.htm

Page 4: Who sends it?

Illegitimate businesses that advertise*:
Chain letters
Pyramid schemes
“Get Rich Quick” or “Make Money Fast” schemes
Offers for phone sex lines and ads for pornography
Offers of software for collecting E-mail addresses and sending spam
Offers of bulk E-mailing services
Stock offerings for unknown start-up corporations
Quack health products or remedies
Illegally pirated software (“Warez”)

* http://www.cauce.org/about/problem.shtml

Page 5: Why do they send it?

These types of companies send spam because:
It is effective. Over a four-week period 6,000 people responded to E-mail ads and placed orders for a supplement at $50 per bottle*
It is inexpensive (for the sender). A dialup connection and a PC can send hundreds of thousands of messages per hour**
It could be you! As much as 30% of all spam is relayed by compromised computers***

* http://www.wired.com/news/business/0,1367,59907,00.html
** http://www.cauce.org/about/problem.shtml
*** http://www.ftc.gov/bcp/conline/pubs/alerts/whospamalrt.htm

Page 6: Who does it affect?

Everyone that uses the Internet.* Here is how:
The cost is shifted from the spammer to you
Your ISP must process the spam, using up bandwidth and processor time that you pay for
Spammers forge the headers of a message and relay it through unsuspecting users’ servers
Other ISPs must also process and forward the spam, using up their bandwidth and processor time
Your normal E-mail is displaced. Similar to junk faxing, which without the anti-junk-fax law would make your fax machine almost useless
Your E-mail address belongs to you! You pay for it. You should have the choice to opt in to receive spam.

* http://www.wired.com/news/business/0,1367,59907,00.html

Page 7: How did they get my E-mail address?

From a newsgroup posting containing your E-mail address
From a mailing list that contains your E-mail address
From a website that shows your E-mail address
From various website and paper forms
From your web browser
From IRC and chat rooms
From AOL Profiles
By guessing addresses and then “cleaning” the list with spam beacons: a remote image in the message fetches a URL unique to each recipient, so simply opening the mail confirms that the address is live (http://tinyurl.com/4vxvp)
From white and yellow pages
Social engineering
Viruses and worms
Hacking into sites

* http://www.wired.com/news/business/0,1367,59907,00.html
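The beacon trick is what makes the “do not load remote images” setting matter. The following is an added example, not code from the presentation: it parses a constructed HTML spam body, separates remote images (which reveal only that and when the message was opened) from beacons whose URL identifies the recipient, and shows what a mail client does when it blocks remote images. The sample HTML, the *.test hostnames and the data-blocked-src attribute name are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an HTML spam body (not from the presentation): a normal
# logo, a 1x1 beacon whose URL carries the recipient address, and an image that
# is embedded in the message itself and so fetches nothing.
SAMPLE_HTML = """\
<html><body>
<img src="http://cdn.example-shop.test/logo.png" width="200" height="60">
<p>Amazing supplement, only $50 a bottle!</p>
<img src="http://track.example-spam.test/open.gif?u=user%40example.gov&amp;c=0331"
     width="1" height="1">
<img src="cid:part1.0001@example-spam.test" alt="inline image">
</body></html>
"""

# Long hex or base64-looking runs are the other common way to tag a recipient.
_TOKEN_LIKE = re.compile(r"[0-9a-f]{16,}|[0-9A-Za-z_-]{24,}")

# Matches src="http(s)://..." inside <img> tags so the client never fetches it.
_REMOTE_IMG_SRC = re.compile(
    r"(<img\b[^>]*?)\bsrc=([\"'])(https?://[^\"']*)\2", re.IGNORECASE)


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_images(html):
    parser = _ImgCollector()
    parser.feed(html)
    return parser.images


def is_remote(src):
    """True if loading this image makes the mail client contact a server."""
    return urlsplit(src).scheme in ("http", "https")


def beacon_reasons(img):
    """Why an <img> looks like a beacon that identifies the recipient; [] if it does not."""
    src = img.get("src", "")
    if not is_remote(src):
        return []  # cid: and data: images travel inside the message
    parts = urlsplit(src)
    reasons = []
    if img.get("width") in ("0", "1") or img.get("height") in ("0", "1"):
        reasons.append("invisible (0/1 pixel) image")
    if any("@" in value for values in parse_qs(parts.query).values() for value in values):
        reasons.append("recipient address in URL")
    if _TOKEN_LIKE.search(parts.path) or _TOKEN_LIKE.search(parts.query):
        reasons.append("opaque per-recipient token in URL")
    return reasons


def report(html):
    """(src, reasons) for every remote image; reasons is empty for a plain remote image."""
    return [(img.get("src", ""), beacon_reasons(img))
            for img in find_images(html) if is_remote(img.get("src", ""))]


def neutralize_remote_images(html):
    """What "do not load remote images" does: keep the URL for display, stop the fetch."""
    return _REMOTE_IMG_SRC.sub(r"\1data-blocked-src=\2\3\2", html)


if __name__ == "__main__":
    for src, reasons in report(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons) or "remote image (reveals open time and IP only)")
    print(report(neutralize_remote_images(SAMPLE_HTML)))  # nothing left to fetch
```

The logo is also remote, so loading it still tells the sender that some copy was opened and from which IP; only the URL with the recipient's address (or a token standing in for it) tells the spammer which guessed address is worth keeping. Blocking remote images defeats both.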

Page 8: An ounce of prevention

Never respond to spam. They will not remove you from their mailing list*
Don’t post your address on your website
Use a second E-mail address in newsgroups
Don’t give out your E-mail address without knowing how it will be used
Use a spam filter
Never buy anything advertised in spam
Keep your anti-virus / anti-spyware software up to date
Use a firewall on high-speed Internet connections

* http://www.spamrecycle.com/antispamthings.htm

Page 9: Tracing and reporting spam

1. Look at the E-mail headers for the true sender of the E-mail. The From: line is forged; work down the Received: lines starting from the one your own mail server added, because any line below that could have been written by the spammer
2. Run a tracert (or a whois lookup) on the spammer’s IP address to find the network it belongs to
3. Send a nice E-mail to postmaster@<isp.com> or abuse@<isp.com> for that network
4. Search Google newsgroups to find the extent of the spam (just for fun)

Or

Use a service such as SpamCop http://www.spamcop.net/

* http://www.spamrecycle.com/antispamthings.htm
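Step 1 in code, as an added example that is not part of the presentation. It walks the Received: chain of a constructed message from the top, believes a line only if it was written by a server we operate or by the host that a believed line above says handed the message on, and reports the IP where verification stops. The hostnames (example.gov, isp-example.net, innocent-example.org) and the TRUSTED_HOSTS set are assumptions standing in for the county's own mail servers.

```python
import ipaddress
import re
from email import message_from_string

# Assumption for this example: these are the mail servers we operate, so the
# Received: lines they wrote are the only ones we can fully trust.
TRUSTED_HOSTS = {"mx1.example.gov", "mail.example.gov"}

# Constructed sample message. The top Received: line was written by our own MX,
# the second by the ISP relay that handed the message to us, and the bottom one
# was pasted in by the spammer to blame an innocent third party.
SAMPLE_MESSAGE = """\
Received: from relay.isp-example.net (relay.isp-example.net [203.0.113.45])
\tby mx1.example.gov with ESMTP id k1Z9Cx3 for <user@example.gov>;
\tTue, 1 Mar 2005 09:12:44 -0600
Received: from dialup-pool.isp-example.net ([198.51.100.77])
\tby relay.isp-example.net with SMTP; Tue, 1 Mar 2005 09:12:40 -0600
Received: from mail.innocent-example.org ([192.0.2.10])
\tby relay2.innocent-example.org; Tue, 1 Mar 2005 09:11:00 -0600
From: "Big Savings" <deals@innocent-example.org>
To: user@example.gov
Subject: Amazing supplement, only $50 a bottle

Order now!
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <server>": the HELO name is
# claimed by the connecting client, but the bracketed IP and the "by" host are
# recorded by the server that wrote the line.
_FROM = re.compile(r"\bfrom\s+(?P<host>[\w.-]+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
_BY = re.compile(r"\bby\s+(?P<by>[\w.-]+)")


def _valid_ip(text):
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_received(raw_message):
    """Return the Received: hops newest-first, as dicts of from_host / from_ip / by."""
    msg = message_from_string(raw_message)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold the continuation lines
        m_from = _FROM.search(line)
        m_by = _BY.search(line)
        hops.append({
            "from_host": m_from.group("host").lower() if m_from else None,
            "from_ip": _valid_ip(m_from.group("ip")) if m_from else None,
            "by": m_by.group("by").lower() if m_by else None,
        })
    return hops


def trace_origin(raw_message, trusted_hosts=TRUSTED_HOSTS, follow_chain=True):
    """Find the originating IP by walking the Received: chain from the top.

    A hop is believed only if the host that wrote it ("by") is one we operate
    or, when follow_chain is set, is the host that a believed hop above says it
    received the message from. Everything below the first unbelieved hop may be
    forged and is ignored.
    """
    hops = parse_received(raw_message)
    believed = {h.lower() for h in trusted_hosts}
    origin_ip = None
    verified = 0
    for hop in hops:
        if hop["by"] not in believed:
            break
        verified += 1
        if hop["from_ip"]:
            origin_ip = hop["from_ip"]
        if follow_chain and hop["from_host"]:
            believed.add(hop["from_host"])
    return {
        "origin_ip": origin_ip,
        "verified_hops": verified,
        "unverified_hops": len(hops) - verified,
    }


if __name__ == "__main__":
    strict = trace_origin(SAMPLE_MESSAGE, follow_chain=False)
    chained = trace_origin(SAMPLE_MESSAGE)
    print("IP that connected to our server:", strict["origin_ip"])
    print("Origin following the ISP's own chain:", chained["origin_ip"])
    print("Received: lines that could not be verified:", chained["unverified_hops"])
```

With follow_chain=False the answer is the address that actually connected to our server (203.0.113.45), which is the only fact we can prove; following the ISP's chain points one hop further back to the dialup (198.51.100.77), and the bottom line naming innocent-example.org is discarded because nobody we believe handed the message to the host that claims to have written it. A whois lookup on the origin IP, not the domain in the From: line, gives the abuse@ address for step 3.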

Page 10: Blocking spam

Use an E-mail client with built-in spam filtering such as Mozilla Thunderbird
Buy software to scan your E-mail before you receive it
For the enterprise:
  Server-based products
  Client-based products
  Anti-spam services
  Appliances
Create acceptable use policies for E-mail and network
Close open SMTP relay servers (an open relay accepts mail from anyone to anyone, and spammers will find it and relay through it, as described on page 6)
An alternative for really large networks (not Bayesian): www.turntide.com

* http://www.spamrecycle.com/antispamthings.htm

Page 11: Identifying spam*

Host-based filtering: Real-time Black Hole lists (is the sending host on a published blocklist?)
Rule-based filtering: SpamAssassin-style rules that score headers and body content
Bayesian statistical analysis: the statistical probability that a message is spam, learned from messages already sorted as spam or not
White lists: trusted hosts and senders that bypass the filters

* Inside the Spam Cartel by Spammer-X
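The Bayesian entry above, worked through as an added example (not code from the presentation or from any product it names). A naive Bayes filter learns how often each word appears in messages already sorted as spam or ham, then applies Bayes' rule to a new message. The eight training messages are constructed for this example; a real filter learns from thousands of messages that users file as spam or not spam.

```python
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9$%']+")


def tokenize(text):
    """Lower-case word tokens, each counted once per message (presence, not frequency)."""
    return set(_TOKEN.findall(text.lower()))


class BayesianSpamFilter:
    """Bernoulli naive Bayes over word presence, with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                  # smoothing: an unseen word is not decisive
        self.docs = Counter()               # messages trained per class
        self.tokens = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        self.tokens[label].update(tokenize(text))

    def token_probability(self, token, label):
        """P(token appears | class) = (class messages with token + a) / (class messages + 2a)."""
        return (self.tokens[label][token] + self.alpha) / (self.docs[label] + 2 * self.alpha)

    def token_weight(self, token):
        """log P(token | spam) - log P(token | ham): positive means evidence of spam."""
        return (math.log(self.token_probability(token, "spam"))
                - math.log(self.token_probability(token, "ham")))

    def spam_probability(self, text):
        """P(spam | message) via Bayes' rule, accumulated in log space to avoid underflow."""
        if not self.docs["spam"] or not self.docs["ham"]:
            raise ValueError("train on at least one spam and one ham message first")
        log_odds = math.log(self.docs["spam"]) - math.log(self.docs["ham"])  # prior odds
        for token in tokenize(text):
            log_odds += self.token_weight(token)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def telling_tokens(self, text, n=3):
        """The tokens that moved the verdict most, for explaining a filter decision."""
        return sorted(tokenize(text), key=lambda t: abs(self.token_weight(t)), reverse=True)[:n]


# Constructed training corpus (not from the presentation).
TRAINING_SET = [
    ("Make money fast with this amazing offer, order now", "spam"),
    ("Miracle supplement only $50 per bottle, order today", "spam"),
    ("Get rich quick: bulk email software and millions of addresses", "spam"),
    ("Cheap warez software download now, limited time offer", "spam"),
    ("Board meeting agenda for Tuesday attached, please review the budget", "ham"),
    ("Reminder: the county network maintenance window is Friday evening", "ham"),
    ("Can you send me the updated spreadsheet for the quarterly report", "ham"),
    ("Lunch on Thursday? Let me know what time works for the team", "ham"),
]


def build_filter():
    spam_filter = BayesianSpamFilter()
    for text, label in TRAINING_SET:
        spam_filter.train(text, label)
    return spam_filter


if __name__ == "__main__":
    f = build_filter()
    for message in ("Amazing supplement, only $50 per bottle. Order now!",
                    "Agenda for the Tuesday board meeting is attached"):
        print(f"{f.spam_probability(message):.3f}", f.telling_tokens(message), message)
```

Two properties matter for a filter like this: a message with no recognisable words scores exactly the prior (0.5 here, because the corpus is balanced), and the filter can say which words drove its verdict, which is how users learn why a legitimate message was caught. Spammers answer with word salad and images, which is why Bayesian scoring is combined with the other three techniques on this slide rather than used alone.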

Page 12: Sioux County E-mail statistics

Month            E-mails received   spam E-mails   spam beacons
August 2004      11,638             6,083          6,942
September 2004   10,644             5,464          5,583
January 2005     14,390             6,907          522
February 2005    13,794             6,162          876

Page 13: spam resources

• On the web:

– http://www.cauce.org/index.phtml - Coalition Against Unsolicited Commercial E-mail

– http://spam.abuse.net/ - A lot of spam info

– http://tinyurl.com/6zyc7 - Best practices for Outlook

– http://www.bath.ac.uk/bucs/email/anatomy.shtml - Anatomy of an E-mail message

– http://www.xintercept.com/pkpeek.htm - Pocketknife Peek for Outlook

– http://www.dnsstuff.com - Excellent DNS site

– http://antispam.radio-showtime.com/ - How to report spam

– http://www.mozilla.com - Firefox / Thunderbird website

– http://tinyurl.com/3vzv8 - InfoWorld enterprise anti-spam review

– http://tinyurl.com/3r72k - Network World enterprise anti-spam review

– http://tinyurl.com/59pc8 - Inside the Spam Cartel book on Amazon.com

Page 14: Game #2 (Privacy vs. Spyware)

Sizing up the competition:

Defining spyware
Spyware facts
Finding and removing spyware
Spyware test results
How did I get spyware?
Blocking spyware
An ounce of prevention
Sioux County spyware statistics

Page 15: Defining spyware

Spyware, which includes malware, trackware and adware, is the categorical name for any application that may track your online and/or offline PC activity and is capable of locally saving or transmitting those findings to third parties, sometimes with but more often without your knowledge or consent.*

The differences between spyware and viruses*:
Motivation: spyware is driven by profit; viruses by harmful intention
Behaviour: spyware monitors online activities for commercial gain; viruses damage the computer system, corrupt files and destroy data
Anti-virus detection: spyware is undetectable with anti-virus software; viruses are detectable with anti-virus software
Age: spyware is new technology (less than 5 years); viruses are old technology (more than 20 years)

* http://www.webroot.com

Page 16: Spyware facts

Four in five users (80%) have spyware or adware programs on their computer*
The average infected user has 93 spyware / adware components on their computer, and the most found on a single computer during the scan was 1,059*
An overwhelming majority of users (89%) who were infected said they didn’t know the programs were on their computer*
90% didn’t know what the programs are or do*
95% never gave permission for the programs to be installed*
86% asked the technicians performing the study to remove the programs*

* http://www.staysafeonline.info/news/NCSA-AOLIn-HomeStudyRelease.pdf

Page 17: Finding and removing spyware

You can use any or all of these programs:
Ad-aware
Spybot Search and Destroy
Microsoft AntiSpyware beta
Webroot Spy Sweeper
CWShredder

Even these programs may not find all spyware. In a recent test of these programs the results are interesting…

* http://www.staysafeonline.info/news/NCSA-AOLIn-HomeStudyRelease.pdf

Page 18: Spyware test results*

Spyware fixed is the share of the test’s spyware samples the product removed; false positives is the number of clean items it wrongly flagged.

Product                       Spyware fixed   False positives
Giant AntiSpyware (now MS)    63%             0
Webroot Spy Sweeper           48%             0
Ad-Aware SE Personal          47%             0
Pest Patrol                   41%             10
SpywareStormer                35%             0
Intermute SpySubtract Pro     34%             0
PC Tools Spyware Doctor       33%             0
Spybot Search and Destroy     33%             0
McAfee AntiSpyware            33%             9
Xblock X-Cleaner Deluxe       31%             1
XoftSpy                       27%             3
NoAdware                      24%             0

More results on the site…

* http://www.windowssecrets.com

Page 19: How did I get spyware?

Piggybacked software installation
Drive-by downloads
Browser add-ons
Masquerading as anti-spyware

* http://computer.howstuffworks.com/spyware2.htm

Page 20: Blocking spyware

Many of today’s anti-spyware products also include permanent protection of your system:
Home page shield
Internet Explorer bad-download blocker
Hosts file protection
System startup protection
Windows registry protection
MSN Messenger protection
Tracking cookie protection
Bad website protection

* http://www.staysafeonline.info/news/NCSA-AOLIn-HomeStudyRelease.pdf
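“Hosts file protection” in the list above guards against spyware rewriting the hosts file so that a real site name resolves to the attacker’s server. The following is an added example of what such a check looks like, not code from the presentation or from any product it names. It audits a constructed hosts file and separates the benign sinkhole entries that anti-spyware tools themselves add (names pointed at 127.0.0.1 or 0.0.0.0) from entries that redirect a name to a public address or move localhost off loopback. The sample file contents and the *.test names are constructed; the classification rules are this example’s own.

```python
import ipaddress

# Constructed sample hosts file (not from the presentation): the normal loopback
# lines, two sinkhole entries of the kind anti-spyware tools add to block ad and
# tracker hosts, a public-address override that hijacks a real site, a
# "localhost" entry pointed at a remote machine, and a malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test        # added by anti-spyware tool
0.0.0.0         popups.example-adware.test
203.0.113.9     www.example-search.test search.example-search.test
198.51.100.20   localhost
this-is-not-an-ip   broken.example.test
"""

# Intranet ranges (RFC 1918 and RFC 4193). An override pointing here is an
# admin shortcut worth a question, not an alarm. Listed explicitly because
# Python's is_private also covers the documentation ranges used above.
_INTRANET = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hosts(text):
    """Return {line, ip, names} per entry; ip is None when the address is malformed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        entries.append({"line": lineno, "ip": ip, "names": [n.lower() for n in fields[1:]]})
    return entries


def classify(entry):
    ip, names = entry["ip"], entry["names"]
    if ip is None:
        return "malformed"
    if "localhost" in names:
        # localhost must stay on loopback; anything else sends local traffic elsewhere
        return "ok" if ip.is_loopback else "hijack"
    if ip.is_loopback or ip.is_unspecified:
        return "block"      # name resolves nowhere: the ad/tracker blocking pattern
    if any(ip in net for net in _INTRANET):
        return "local"      # intranet override: confirm an administrator put it there
    return "redirect"       # public address overriding DNS: treat as a hijack


def audit_hosts(text):
    """Group hosts entries by verdict, worst first."""
    findings = {k: [] for k in ("hijack", "redirect", "malformed", "local", "block", "ok")}
    for entry in parse_hosts(text):
        findings[classify(entry)].append(entry)
    return findings


if __name__ == "__main__":
    for verdict, entries in audit_hosts(SAMPLE_HOSTS).items():
        for e in entries:
            print(f"{verdict:9} line {e['line']:2}  {e['ip']}  {' '.join(e['names'])}")
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; run the audit on its contents after a spyware clean-up and again on a schedule, since a redirected search engine or anti-virus update site is one of the ways spyware keeps itself installed.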

Page 21: An ounce of prevention

Use the Mozilla Firefox web browser
Adjust Internet Explorer security settings
Surf safely
Keep Windows up to date
Keep your anti-virus / anti-spyware software up to date
Use a firewall on high-speed Internet connections

* http://www.spamrecycle.com/antispamthings.htm

Page 22: Sioux County spyware statistics

Out of 61 machines, 31 had spyware
One machine had 41 pieces of spyware
Most frequent visitors: Comet Cursor, CWS (CoolWebSearch)

Page 23: Spyware resources

• On the web:

– http://www.nwfusion.com/reviews/2004/121304rev.html - Enterprise spyware review

– http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml - Sysinternals autoruns

– http://www.benedelman.org/ - Interesting spyware site

– http://spywarewarrior.com/asw-test-guide.htm - spyware test results

– http://www.nwnetworks.com/iezones.htm - configuring IE zones