Kaspersky North American Virus Analyst Summit
Kaspersky Lab analysts are seeing over 50,000 new malware threats per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team provided succinct presentations and discussion about the latest Internet threats that exist today, and offered tips to protect attendees from cybercriminals. These presentations provided a greater understanding of the threat landscape and what to expect throughout the rest of 2010.

Kaspersky North American Virus Analyst Summit Presentation Transcript

  • New York City
    August 5, 2010
  • Welcome
    Randy Drawas
    Chief Marketing Officer
    Kaspersky Lab Americas
  • Kaspersky Lab
    Fighting Cybercrime for 25 Years
    Founded in 1997
    Headquartered in Moscow, The Russian Federation
    Trained as cryptographer, Eugene Kaspersky got hit with one of the Internet’s very first viruses in 1986.
  • Kaspersky Technology Inside
    The World’s Largest OEM of Anti-Malware Technology (100+ Partners)
  • Fastest Growth in the Security Industry
    The world’s largest privately-held anti-malware company
    100% focus on Threat Protection & Anti-Malware
    Protecting 300 million systems worldwide
    50,000 new systems added every day!
    2,000 experts globally
    #1 selling software in the U.S. retail
    This includes MS Office & World of Warcraft
  • Special Guest
    Scott Stratten
    UnMarketing
    @unmarketing
  • Today’s Moderator
    Ryan Naraine
    Security Evangelist
    Kaspersky Lab Americas
  • Agenda
    The Rise & Rise of Scareware
    Nico Brulez, Senior Malware Researcher, France
  • Agenda
    Behind the Scenes of Identity Theft
    David Emm, Senior Researcher, United Kingdom
  • Agenda
    Social Media & the Automation of Targeted Attacks
    Stefan Tanase, Senior Anti-Virus Researcher, Romania
  • Agenda
    Aurora Who?
    Roel Schouwenberg, Senior Anti-Virus Researcher, U.S.
  • The Rise & Rise of Scareware
    Nicolas Brulez, Senior Malware Researcher
    Global Research and Analysis Team
  • History and Evolution of Rogue AV
    2006
    Desktop hijackers, fake anti-spyware
    2007
    Fake registry cleaning tools added
    2008
    Desktop hijackers, Fake anti-virus (rogue anti-virus)
    2009
    System notifications (popup near the system tray) became standard behavior
    2010
    Fake anti-virus becomes more advanced
    Now includes phone, chat and e-mail support, uninstallers, multi-language support
  • Infection Vectors
    Black Hat SEO
    Spam
    Fake videos and fake codecs
    Social Networks
    Instant Messengers
    Downloaded and installed by prior malware infections
  • The number of detected malware: up to 70
    Popup
    Wall paper Hijacking
    They copy the look and feel from legit Anti Virus products to display behavior detections
    Task Manager Injection
    Sounds, Screen blinking
    Fake Network Intrusion detection
    Scaring people 101
  • Real person
    Ready to answer any question
    Phone Support
    24*7 Support
    E-mail support in any language
    Rogue AV Support
  • Conclusion and Predictions
    Rogue AV has greatly improved during the past 4 years
    Professional graphical interface - localized
    Phone, email and live chat support – 24/7
    Advanced scaring techniques
    Multiple ways to target new “customers”
    We predict improvements in the support systems to make them appear more legitimate
    New scaring and spreading techniques will appear in the future
  • Thank you!
    Nico Brulez
    Global Research and Analysis Team
  • Behind the Scenes of Identity Theft
    David Emm
    Global Research and Analysis Team
  • Setting the Scene: Cybercrime
    Cybercrime is a booming business
    It’s profitable.
    It’s easy to do.
    It’s low-risk.
    Botnets are a core component of the threat landscape.
    The drop-zone is where they stash the stolen loot.
    Let’s take a closer look at -
    Their modus operandi
    The drop-zone of a banking Trojan
  • The Zeus Trojan
    • Zeus
    • aka Zbot, Wsnpoem, Kneber
    • The most popular banking Trojan in the wild
    • First appeared at the end of 2006
    • Thousands of versions available
    • Full pack with generic version
    • Cost = $500-$1,000
    • Full pack + unique exclusive version
    • Cost = $3,000-$5,000
    • Many plug-ins and modules available
    • Licensed separately
  • Typical Zeus Distribution Page
  • Zeus Infections Worldwide
  • Command & Control
    Online Command & Control panels provide easy management of cybercriminal bot armies
  • Command & Control
    PDF exploits for Adobe Reader top the charts
  • C&C – Bot Geo Distribution
    The cybercriminals can easily see where their victims are located & even target specific geo areas!
  • C&C – Infection Statistics
  • C&C – Maintenance
  • Trojan Drop-Zones
    • What is a Trojan drop-zone?
    • A server configured to receive and store stolen data
    • This may amount to several GB daily.
    • Generally, cybercriminals like to take care of their valuables.
    • So they typically run several drop-zones.
  • Trojan Drop-Zones
  • Dump File Analysis
  • Drop-Zone Logs
    Logs can be easily read and understood:
  • Drop-Zone Logs
    Thousands of credit cards, bank accounts
  • Intercepting Financial Transactions
    Cybercriminals can intercept financial transactions on-the-fly and change the receiving account to their own.
  • Profitability Evolution – Cybercriminal Group ‘X’
    Total:
    $1.7 million
    -$1,000
    Even criminals have bad days
    400% growth in 9 months
  • Conclusions
    • Cybercrime
    • Highly profitable
    • Sophisticated but easy-to-use systems
    • Drop-zones can be closed, but new ones appear immediately.
    • There are many victims.
    • Mitigation is a process.
    • Modern hardware and software
    • Patches and updates
    • Internet security solution
    • The right security mindset
    • Education
  • Thank you!
    David Emm
    Global Research and Analysis Team
  • Social Media & the Automation of Targeted Attacks
    Stefan Tanase
    Global Research and Analysis Team
  • The Evolution of Malware
    • 1992 – 2007: 2,000,000 unique malware programs
    • 2009: more than 15,000,000
    • End of 2009: Approximately 34,000,000 unique malicious files in the Kaspersky Lab collection
  • Motivation: How Cybercriminals Make Money
    By stealing, of course
    Stealing directly from the user
    Online banking accounts, credit card numbers, electronic money, blackmailing.
    What if I don’t have money?
    Providing IT resources to other cybercriminals
    Creating botnets, sending spam, launching DDoS attacks, pay-per-click fraud, affiliate networks, renting computing power, collecting passwords etc.
    Providing access to targeted SMB and enterprise networks for interested 3rd parties
  • Targeted attacks: threats to SMBs & enterprises
  • Targeted Attacks - Threats to Businesses
  • Targeted Attacks vs Classic Malware
    • Targeted attacks are not epidemics.
    • One email is enough, instead of tens of thousands
    • Targeted organizations are either not aware or don’t publicly disclose information
    • It is hard to get samples for analysis
    • Classic signature-based AV is useless
    • New defense technologies
    • Much higher stakes
    • Intellectual property theft, corporate espionage
  • Targeted Attacks in Four Steps
    Step 1 - Reconnaissance
    • Choose most vulnerable targets among the employees
    Step 2 - Develop an undetectable malicious program
    • Doesn’t have to bypass all AVs, just the one used by the victim
    Step 3 - Mix the malicious payload with a perfectly tailored social engineering strategy
    Step 4 – Deliver the attack
  • What’s Socially Acceptable?
    • “White”, “black”, “pink”… “not wearing any” 
  • Targeted Attacks Becoming Mainstream
    So much personal information is public on social networks right now
    Advertisers are already doing it: targeted ads
    Age
    Gender
    Location
    Interests
    Work field
    Browsing habits
    Relationships ...
  • Targeted Attacks Becoming Mainstream
    Targeted ads?
    Targeted attacks are already out there.
    Social networks
    Enabling cybercriminals to deliver automated targeted attacks
    The personal data is there.
    Next step? Automation -
    Geographical IP location has been around for a while.
    Automatic language translation services are becoming better.
    Personal interests & tastes are public (i.e., trending topics).
  • Geo Targeting Example
  • Language Targeting Example
  • Interests Targeting Example
  • Surviving Targeted Attacks
    • Proper security mindset
    • User education and awareness
    • Human mind is hard to patch
    • Proactive protection technologies
    • Virtualization and sandboxing
    • Behavioral analysis
    • A highly motivated targeted attacker will eventually succeed.
    Kaspersky Lab US Press Tour - San Francisco & New York - August 2010
  • A Targeted Attack Demo
  • A targeted attack demo
  • Thank you!
    Stefan Tanase
    Global Research and Analysis Team
  • Aurora Who?
    Roel Schouwenberg
    Global Research and Analysis Team
  • What is Stuxnet?
    • Targets SCADA networks
    • Siemens Simatic WinCC specifically
    • Uses rootkit technology
    • Spreads via USB sticks
    • Once infected, machines become part of the Stuxnet botnet
    Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010
  • How Does Stuxnet Exploit a Zero-Day Vulnerability?
    • Weak point – Windows processing of shortcuts
    • Stuxnet uses the vulnerability to spread via USB sticks
    • Infection near-automatic when plugging in infected USB
    • Monday, August 2nd - Microsoft published OOB patch
    • Exploits adopted by other families
    • Sality, Zeus, Vobfus and others
  • Signed Drivers
    • Signed malware is not new
    • Realtek and Jmicron certificates stolen
    • Verisign-signed files trusted by security software
  • Stuxnet Geographic Distribution
  • Stuxnet vs. Aurora
    • Aurora had zero-day against old product – IE6.
    • Stuxnet has zero-day which works on old & new.
    • Stuxnet has signed drivers to evade security software.
    • Stuxnet uses Rootkit technology to hide itself.
    • Aurora is a Trojan Horse, Stuxnet a worm.
  • Closing Thoughts on Stuxnet…
    This is the most sophisticated attack seen so far.
    We suspect nation-state involvement.
    Stuxnet botnet has been sinkholed.
    We’re still investigating – more to come…
  • Predictions
    Attack is too complex to become mainstream.
    Similar attacks likely to slip under radar.
    Microsoft must improve handling of signed files.
  • Thank you!
    Roel Schouwenberg
    Global Research and Analysis Team
  • Introducing Kaspersky Lab’s 2011 Consumer Security
    Peter Beardmore
    Consumer Product Team
  • The Challenge
    Kaspersky Internet Security 2011
    Stay Ahead
    Outwit
    Kaspersky Anti-Virus 2011
    Think Different
    Innovate
  • Today’s Security is Complex
    Frequent/Small Updates
    Geo Filter
    Virtual Keyboard
    Vulnerability Scanning
    UDS
    Privacy Cleaner
    Application Security Rating
    Heuristics
    iSwift/iChecker
    Application Control
    Firewall
    Proactive Defense
    Dynamic Rating
    AV engine
    Anti-Spam
    Web Toolbar
    Safe Run
    Gamer Mode
    System Watcher
    Cloud-based Threat Intelligence
    Rescue Disk w/USB option
    Network Monitor
    Anti-banner
    System Monitoring
    Safe Desktop
    Browser Configuration
    Safe Surf
    URL Filtering
    Parental Control
  • Kaspersky Makes It Easy and Intuitive
  • Today’s Premium Protection
    Real-time Protection
    Emerging Threat Protection
    ID Protection
    Family Protection
  • Real-time Protection
    Kaspersky Security Network
    URL Filtering
    Urgent Detection System
    New:
    Safe Surf
    Latest Threats
  • New:
    Safe Run for Web
    Real-time Protection
    Kaspersky Security Network
    URL Filtering
    Urgent Detection System
    NEW: Safe Surf
  • Kaspersky Security Network
    URL Filtering
    Urgent Detection System
    NEW: Safe Surf
    NEW: Safe Run for Web
    Real-time Protection
    New:
    Geo Filter
  • Proactive Defense
    Application Security Rating and Vulnerability Control
    Application Control
    Emerging Threat Protection
    New:
    System Watcher
    Monitor
    Log
    Application Security
    Reverse
  • Proactive Defense
    Application Security Rating and Vulnerability Control
    Application Control
    NEW: System Watcher
    Emerging Threat Protection
    New:
    Safe Desktop
  • ID Protection
    Anti-Phishing
    Virtual Keyboard
    Identity Information Control
    New:
    Proactive Phishing Protection
  • Block/Limit Access/ Log family activities
    Time Online
    Web Content
    File Downloads
    Family Protection
    New:
    Added Features
    Communications via Email, IM, Social Network Contacts
    Personal Information (credit cards, phone #’s etc.)
    Specific words
    Applications
    Games
    Time on Computer
  • Kaspersky is Built for Speed
    Intelligent Scanning
    Small, frequent updates
    Optimized
  • Kaspersky Even Installs On Infected Computers
  • Kaspersky Internet Security 2011
    Kaspersky Anti-Virus 2011
    Reassuring
    Optimized
    Different
    Always Ahead
    Relentless
  • Introducing Kaspersky Lab’s 2011 Consumer Security
    Peter Beardmore
    Consumer Product Team
  • Closing
    Monica Vila
    Chief Technology Mom
    The Online Mom
  • THANK YOU!