Kaspersky North American Virus Analyst Summit

Kaspersky Lab analysts see over 50,000 new malicious programs per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team gave short presentations and led discussion on the Internet threats current in 2010, and offered tips to protect attendees from cybercriminals. The presentations give a picture of the threat landscape and what to expect for the rest of 2010.


New York City
August 5, 2010

Welcome
Randy Drawas, Chief Marketing Officer, Kaspersky Lab Americas

Kaspersky Lab
  • Fighting cybercrime for 25 years
  • Founded in 1997
  • Headquartered in Moscow, Russian Federation
  • Trained as a cryptographer, Eugene Kaspersky was hit by one of the very first PC viruses in 1989.

Kaspersky Technology Inside
  • The world's largest OEM of anti-malware technology (100+ partners)

Fastest Growth in the Security Industry
  • The world's largest privately held anti-malware company
  • 100% focus on threat protection and anti-malware
  • Protecting 300 million systems worldwide
  • 50,000 new systems added every day
  • 2,000 experts globally
  • #1 selling software in U.S. retail, in a ranking that includes MS Office and World of Warcraft

Special Guest
Scott Stratten, UnMarketing, @unmarketing

Today's Moderator
Ryan Naraine, Security Evangelist, Kaspersky Lab Americas

Agenda
  • The Rise & Rise of Scareware: Nicolas Brulez, Senior Malware Researcher, France
  • Behind the Scenes of Identity Theft: David Emm, Senior Researcher, United Kingdom
  • Social Media & the Automation of Targeted Attacks: Stefan Tanase, Senior Anti-Virus Researcher, Romania
  • Aurora Who?: Roel Schouwenberg, Senior Anti-Virus Researcher, U.S.
The Rise & Rise of Scareware
Nicolas Brulez, Senior Malware Researcher, Global Research and Analysis Team

History and Evolution of Rogue AV
  • 2006: desktop hijackers, fake anti-spyware
  • 2007: fake registry cleaning tools added
  • 2008: desktop hijackers, fake anti-virus (rogue anti-virus)
  • 2009: system notifications (pop-ups near the system tray) become standard behavior
  • 2010: fake anti-virus becomes more advanced; now includes phone, chat and e-mail support, uninstallers and multi-language support

Infection Vectors
  • Black-hat SEO
  • Spam
  • Fake videos and fake codecs
  • Social networks
  • Instant messengers
  • Downloaded and installed by prior malware infections

Scaring People 101
  • Inflated results: up to 70 "detected" malware items
  • Pop-ups
  • Wallpaper hijacking
  • Copying the look and feel of legitimate anti-virus products to display fake behavioral detections
  • Task Manager injection
  • Sounds, screen blinking
  • Fake network intrusion detection

Rogue AV Support
  • Real person ready to answer any question
  • Phone support
  • 24x7 support
  • E-mail support in any language

Conclusion and Predictions
  • Rogue AV has greatly improved during the past four years
  • Professional, localized graphical interface
  • Phone, e-mail and live chat support, 24/7
  • Advanced scaring techniques
  • Multiple ways to target new "customers"
  • We predict improvements in the support systems to make them appear more legitimate
  • New scaring and spreading techniques will appear

Thank you!
Nicolas Brulez, Global Research and Analysis Team
Behind the Scenes of Identity Theft
David Emm, Global Research and Analysis Team

Setting the Scene: Cybercrime
  • Cybercrime is a booming business: it is profitable, easy to do and low-risk.
  • Botnets are a core component of the threat landscape.
  • The drop-zone is where the criminals stash the stolen loot.
  • A closer look at their modus operandi and at the drop-zone of a banking Trojan.

The Zeus Trojan
  • Zeus, aka Zbot, Wsnpoem, Kneber
  • The most popular banking Trojan in the wild
  • First appeared at the end of 2006
  • Thousands of versions available
  • Full pack with generic version: $500-$1,000
  • Full pack plus unique exclusive version: $3,000-$5,000
  • Many plug-ins and modules available, licensed separately

Typical Zeus Distribution Page

Zeus Infections Worldwide

Command & Control
  • Online command-and-control panels provide easy management of cybercriminal bot armies
  • PDF exploits for Adobe Reader top the charts

C&C: Bot Geo Distribution
  • The cybercriminals can easily see where their victims are located, and even target specific geographic areas

C&C: Infection Statistics

C&C: Maintenance

Trojan Drop-Zones
  • What is a Trojan drop-zone? A server configured to receive and store stolen data
  • This may amount to several GB daily
  • Cybercriminals generally like to take care of their valuables, so they typically run several drop-zones

Dump File Analysis

Drop-Zone Logs
  • Logs can be easily read and understood
  • Thousands of credit cards and bank accounts
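The drop-zone slides describe dump files full of card and account data. As an added example, not part of the presentation, here is the kind of triage script an analyst would run over a seized dump to pull out Luhn-valid card numbers, count how many each targeted site leaked, and mask them before they go into a report. The "timestamp bot=... url=... body" log layout and every value in it are constructed for illustration; real Zeus drop-zone dumps have their own format and a real parser would replace the `LOG_LINE` pattern.

```python
"""Triage of a stolen-data dump: find Luhn-valid card numbers, count them
per target site and mask them before they go into a report.
Added example; the log format and all values are constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in a hypothetical "timestamp bot=... url=... body" layout.
SAMPLE_LOG = """\
2010-07-14 10:22:01 bot=BOT_A url=https://shop.example/checkout card=4111 1111 1111 1111&cvv=123
2010-07-14 10:23:40 bot=BOT_B url=https://bank.example/transfer acct=12345678&amount=500
2010-07-14 10:25:12 bot=BOT_A url=https://shop.example/checkout card=4111111111111112&cvv=999
2010-07-14 10:30:55 bot=BOT_C url=https://travel.example/pay pan=5500-0000-0000-0004&exp=1012
""".splitlines()

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) bot=(?P<bot>\S+) url=(?P<url>\S+) (?P<body>.*)$")
# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: weeds out most random digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid PANs (digits only) found in a blob of form data."""
    pans = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(lines) -> dict:
    """Summarise a dump: distinct masked PANs, valid PANs per leaking site, bots per PAN."""
    per_host = Counter()
    bots_per_pan = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue            # skip lines that are not in the expected layout
        host = urlparse(m["url"]).hostname
        for pan in find_card_numbers(m["body"]):
            bots_per_pan.setdefault(pan, set()).add(m["bot"])
            per_host[host] += 1
    return {
        "unique_cards": sorted(mask_pan(p) for p in bots_per_pan),
        "hits_per_host": dict(per_host),
        "bots_per_card": {mask_pan(p): sorted(b) for p, b in bots_per_pan.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The Luhn filter is what makes the count meaningful: the third sample line carries a 16-digit value that fails the checksum and is dropped, so a dump padded with random numbers does not inflate the victim count. Bank account numbers have no universal check digit, so they need a per-bank pattern rather than this generic one.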
Intercepting Financial Transactions
  • Cybercriminals can intercept financial transactions on the fly and change the receiving account to their own.

Profitability Evolution: Cybercriminal Group 'X'
  • Total: $1.7 million
  • A -$1,000 data point: even criminals have bad days
  • 400% growth in 9 months

Conclusions
  • Cybercrime is highly profitable
  • Sophisticated but easy-to-use systems
  • Drop-zones can be closed, but new ones appear immediately
  • There are many victims
  • Mitigation is a process: modern hardware and software, patches and updates, an Internet security solution, the right security mindset, education

Thank you!
David Emm, Global Research and Analysis Team
Social Media & the Automation of Targeted Attacks
Stefan Tanase, Global Research and Analysis Team

The Evolution of Malware
  • 1992-2007: 2,000,000 unique malware programs
  • 2009: more than 15,000,000
  • End of 2009: approximately 34,000,000 unique malicious files in the Kaspersky Lab collection

Motivation: How Cybercriminals Make Money
  • By stealing, of course
  • Stealing directly from the user: online banking accounts, credit card numbers, electronic money, blackmail
  • What if I don't have money? Providing IT resources to other cybercriminals: creating botnets, sending spam, launching DDoS attacks, pay-per-click fraud, affiliate networks, renting computing power, collecting passwords, etc.
  • Providing access to targeted SMB and enterprise networks to interested third parties

Targeted Attacks: Threats to SMBs and Enterprises

Targeted Attacks vs. Classic Malware
  • Targeted attacks are not epidemics: one e-mail is enough, instead of tens of thousands
  • Targeted organizations are either not aware or don't publicly disclose information
  • It is hard to get samples for analysis
  • Classic signature-based AV is useless against them; new defense technologies are needed
  • Much higher stakes: intellectual property theft, corporate espionage

Targeted Attacks in Four Steps
  • Step 1, reconnaissance: choose the most vulnerable targets among the employees
  • Step 2, develop an undetectable malicious program: it doesn't have to bypass all AVs, just the one used by the victim
  • Step 3, mix the malicious payload with a perfectly tailored social engineering strategy
  • Step 4, deliver the attack

What's Socially Acceptable?
  • "White", "black", "pink"... "not wearing any"

Targeted Attacks Becoming Mainstream
  • So much personal information is public on social networks right now
  • Advertisers are already doing it: targeted ads by age, gender, location, interests, work field, browsing habits, relationships...
  • Targeted ads? Targeted attacks are already out there.
  • Social networks enable cybercriminals to deliver automated targeted attacks; the personal data is there
  • Next step: automation. IP geolocation has been around for a while; automatic language translation services are getting better; personal interests and tastes are public (e.g. trending topics)

Geo Targeting Example

Language Targeting Example

Interests Targeting Example

Surviving Targeted Attacks
  • Proper security mindset
  • User education and awareness: the human mind is hard to patch
  • Proactive protection technologies: virtualization and sandboxing, behavioral analysis
  • A highly motivated targeted attacker will eventually succeed.
Kaspersky Lab US Press Tour - San Francisco & New York - August 2010

A Targeted Attack Demo

Thank you!
Stefan Tanase, Global Research and Analysis Team
Aurora Who?
Roel Schouwenberg, Global Research and Analysis Team

What is Stuxnet?
  • Targets SCADA networks, Siemens Simatic WinCC specifically
  • Uses rootkit technology
  • Spreads via USB sticks
  • Once infected, machines become part of the Stuxnet botnet
Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010

How Does Stuxnet Exploit a Zero-Day Vulnerability?
  • Weak point: Windows processing of shortcut (.lnk) files
  • Stuxnet uses the vulnerability to spread via USB sticks
  • Infection is near-automatic when an infected USB stick is plugged in: Windows loads the shortcut's target while rendering its icon, so browsing the drive in Explorer is enough, no click required
  • Monday, August 2, 2010: Microsoft published an out-of-band patch (MS10-046, CVE-2010-2568)
  • The exploit has since been adopted by other families: Sality, Zeus, Vobfus and others

Signed Drivers
  • Signed malware is not new
  • Realtek and JMicron certificates stolen
  • VeriSign-signed files are trusted by security software
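The zero-day slide describes shortcuts on a USB stick that make Windows load attacker code as soon as they are processed. As an added example, not from the presentation and not a description of Stuxnet's own file layout, here is a heuristic scanner an incident responder could run over the contents of a removable drive. It parses the ShellLinkHeader and LinkTargetIDList defined in Microsoft's MS-SHLLINK specification and flags shortcuts whose target items name a loadable module (DLL, CPL, OCX or a .tmp file) instead of a document or program, which is never what a legitimate user-created shortcut points at. The two sample shortcuts are built in code and labelled as constructed; the path names and the extension list are assumptions of this heuristic.

```python
"""Heuristic triage of Windows shortcut (.lnk) files: flag shortcuts whose
target item list names a loadable module (DLL/CPL) rather than a document or
program. Added example; the sample shortcuts below are constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001      # LinkFlags bit A
# Extensions treated as "module, not document" (assumption for this heuristic).
MODULE_EXT = re.compile(r"\.(dll|cpl|tmp|ocx)$", re.IGNORECASE)


def is_shell_link(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (size 0x4C and the LNK CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size, = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def link_flags(data: bytes) -> int:
    """LinkFlags field at offset 0x14 of the header."""
    return struct.unpack_from("<I", data, 0x14)[0]


def id_list_items(data: bytes):
    """Yield the raw payload of each ItemID in the LinkTargetIDList, if present."""
    if not is_shell_link(data) or not link_flags(data) & HAS_LINK_TARGET_ID_LIST:
        return
    pos = LNK_HEADER_SIZE
    id_list_size, = struct.unpack_from("<H", data, pos)
    pos += 2
    end = min(pos + id_list_size, len(data))
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size < 2:                 # TerminalID (0x0000) ends the list
            break
        yield data[pos + 2:pos + item_size]
        pos += item_size


def embedded_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable UTF-16LE and ASCII runs inside a binary item."""
    found = []
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(m.group().decode("utf-16-le"))
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    return found


def module_targets(data: bytes) -> list:
    """Strings in the target ID list that end in a module extension."""
    hits = []
    for item in id_list_items(data):
        for s in embedded_strings(item):
            if MODULE_EXT.search(s.strip()):
                hits.append(s)
    return hits


def build_shell_link(payloads) -> bytes:
    """Build a minimal .lnk blob (header + LinkTargetIDList) for testing."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    items = b"".join(struct.pack("<H", len(p) + 2) + p for p in payloads)
    items += b"\x00\x00"                  # TerminalID
    return bytes(header) + struct.pack("<H", len(items)) + items


# Constructed samples: a shortcut to a document and one whose target is a DLL.
BENIGN_LNK = build_shell_link([r"C:\Users\alice\report.docx".encode("utf-16-le")])
SUSPECT_LNK = build_shell_link([b"\x1f\x50", r"E:\loader.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, "->", module_targets(blob) or "no module target")
```

Run over a mounted drive, the function to apply to each `*.lnk` is `module_targets(open(path, "rb").read())`; a non-empty result on removable media is worth quarantining the stick before any further Explorer browsing, since the point of the vulnerability is that looking at the shortcut is the trigger. The string heuristic is deliberately broad and will also flag legitimate Control Panel shortcuts, so treat a hit as a lead for analysis, not a verdict.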
Stuxnet Geographic Distribution

Stuxnet vs. Aurora
  • Aurora had a zero-day against an old product, IE6
  • Stuxnet has a zero-day which works on old and new Windows versions
  • Stuxnet has signed drivers to evade security software
  • Stuxnet uses rootkit technology to hide itself
  • Aurora is a Trojan horse, Stuxnet a worm

Closing Thoughts on Stuxnet
  • This is the most sophisticated attack seen so far
  • We suspect nation-state involvement
  • The Stuxnet botnet has been sinkholed
  • We're still investigating; more to come

Predictions
  • The attack is too complex to become mainstream
  • Similar attacks are likely to slip under the radar
  • Microsoft must improve its handling of signed files

Thank you!
Roel Schouwenberg, Global Research and Analysis Team
Introducing Kaspersky Lab's 2011 Consumer Security
Peter Beardmore, Consumer Product Team

The Challenge
  • Kaspersky Internet Security 2011 and Kaspersky Anti-Virus 2011
  • Stay ahead, outwit, think different, innovate

Today's Security is Complex
  • Frequent/small updates, Geo Filter, Virtual Keyboard, vulnerability scanning, UDS, Privacy Cleaner, Application Security Rating, heuristics, iSwift/iChecker, Application Control, firewall, Proactive Defense, dynamic rating, AV engine, Anti-Spam, web toolbar, Safe Run, Gamer Mode, System Watcher, cloud-based threat intelligence, Rescue Disk with USB option, Network Monitor, Anti-Banner, system monitoring, Safe Desktop, browser configuration, Safe Surf, URL filtering, Parental Control

Kaspersky Makes It Easy and Intuitive

Today's Premium Protection
  • Real-time Protection
  • Emerging Threat Protection
  • ID Protection
  • Family Protection

Real-time Protection
  • Kaspersky Security Network
  • URL Filtering
  • Urgent Detection System
  • New: Safe Surf
  • New: Safe Run for Web
  • New: Geo Filter

Emerging Threat Protection
  • Proactive Defense
  • Application Security Rating and Vulnerability Control
  • Application Control
  • New: System Watcher (monitor, log, application security, reverse)
  • New: Safe Desktop

ID Protection
  • Anti-Phishing
  • Virtual Keyboard
  • Identity Information Control
  • New: Proactive Phishing Protection

Family Protection
  • Block, limit or log family activities: time online, web content, file downloads
  • New: communications via e-mail, IM and social network contacts; personal information (credit cards, phone numbers, etc.); specific words; applications; games; time on computer

Kaspersky is Built for Speed
  • Intelligent scanning
  • Small, frequent updates
  • Optimized

Kaspersky Even Installs On Infected Computers

Kaspersky Internet Security 2011 and Kaspersky Anti-Virus 2011
  • Reassuring, optimized, different, always ahead, relentless

Closing
Monica Vila, Chief Technology Mom, The Online Mom

THANK YOU!