Slide notes (sources cited on the slides)

  • http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
  • http://www.websense.com/assets/reports/report-wsl-state-of-internet-security-q1-q2-2009.pdf
  • http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/
  • http://research.zscaler.com/2010/04/google-search-more-links-are-malicious.html
  • http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
  • http://research.zscaler.com/2010/04/bing-and-yahoo-sponsored-advertising.html
  • http://stopbadware.org/reports/asn and http://blog.stopbadware.org/2010/03
  • From Microsoft SIR 8
  • From Secunia as of 4-28-10
  • http://krebsonsecurity.com/2010/04/fake-anti-virus-peddlers-outmaneuvering-legitimate-av/
  • 05/18/10 21:15 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
  • http://blogs.pcmag.com/securitywatch/2009/12/av-testorg_releases_real-world.php
  • Some data taken from IBM X-morphic exploitation paper (May 2007, Gunter Ollmann)
  • Source is MS SIR 8
  • http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
  • http://securitylabs.websense.com/content/Alerts/3593.aspx
  • http://www.nytimes.com/2010/04/26/technology/26captcha.html
  • From MessageLabs email 4-27-10
  • http://www.zdnet.co.uk/news/security-threats/2010/03/16/how-the-butterfly-botnet-was-broken-40088328/?tag=content;col1
  • http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html

Transcript

  • 1. Roger A. Grimes, InfoWorld
  • 2. Presenter BIO: Roger A. Grimes
    - CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
    - InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
    - 23-year Windows security consultant, instructor, and author
    - Author of seven books on computer security, including:
      - Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
      - Professional Windows Desktop and Server Hardening (Dec. 2005)
      - Malicious Mobile Code: Virus Protection for Windows (O'Reilly, 2001)
      - Honeypots for Windows (Apress, December 2004)
    - Author of over 300 national magazine articles on computer security
    - Principal Security Architect for Microsoft InfoSec ACE Team
  • 3. Roger's Books
  • 4. Presentation Summary
    - Quick History of Past Malware Threats
    - Today's Threats
    - Anatomy of Today's Cyber Attack
    - Malware Examples
    - Best Defenses
  • 5. Historic Malware Trends: Malware Has Been Around Since The Beginning of Computers
    - Most early malware were network worms
    - Late 1960s: John Conway's Game of Life, Core Wars, Imp
    - 1971: the Creeper worm was written by Bob Thomas of the BBN (Bulletin Board Network)
    - (First PC, Altair 8800, 1974)
    - IBM Christmas worm, Dec. 1987
    - Robert Morris Worm, Nov. 1988
  • 6. Historic Malware Trends: First PC Viruses, Boot Viruses
    - (Apple computer invented 1976)
    - 1982: Richard Skrenta, Jr., a 9th-grade high school student and Core War fan, wrote a 400-line Apple II boot virus called Elk Cloner
      - Spread around the world
      - Every 50th boot would present a message
      - No virus scanners or cleaners existed at this time
    - (IBM PC introduced in late 1981)
    - 1986: Pakistani Brain, the first IBM-compatible virus
    - 1987: Stoned, Jerusalem, Cascade (encrypted), Lehigh
  • 7. Historic Malware Trends: Early PC Malware
    - Boot Viruses
      - Even though they made up just a few percent of the malware programs, they accounted for most of the infections
      - March 1992: Michelangelo
    - Executable Viruses
    - Some Trojan Horse Programs
    - Some Worms, but not many
    - Most malware programs were not intentionally malicious
  • 8. Historic Malware Trends: PC Malware Hits Mainstream
    - 1985: Macro viruses
    - 1998: HTML viruses
    - 2001: Code Red, IIS worm
    - 2003: SQL Slammer
      - Fastest exploit to date: 10 minutes to infect the world
    - 2003: MS Blaster
    - In 99.9999% of cases, the patch was available before the exploit was released
  • 9. Historic Malware Trends: Email worms/viruses
    - From 1999 to late 2006, about 90% of malware attacks arrived via email
    - VBScript, JavaScript
    - Malicious file attachments
    - Rogue embedded links
    - Spam
    - MIME-type mismatches
    - Social-engineering methods
    - Melissa, I Love You worm
  • 10. Historic Malware Trends: Email worms/viruses
    - Still, most were not intentionally malicious
    - Those were the days!
  • 11. Current Malware Trends: Conventional Defense Wisdom
    - Run an up-to-date antivirus program
    - Run a host-based firewall that prevents unauthorized outbound connections
    - Be fully patched
    - Visit only trusted web sites
    - Be careful opening unexpected documents
    - Use other programs and OSs to remain safe
  • 12. Current Malware Trends: Sadly...
    - AV is not all that accurate and cannot be relied upon
    - Host-based firewalls really don't work most of the time
    - Nobody fully patches
    - Trusted web sites are how you get infected
    - Many attacks work cross-platform or don't care about OS or app
    - Targeted spearphishing makes it hard to determine which documents you should open
  • 13. Current Malware Trends: Sadly...
    - Malware and hacking are worse than ever!
    - Even though we already do all the recommended stuff
  • 14. Current Malware Landscape: New Malware Model
    - Mostly trojans, worms, and downloaders
    - Professionally written
      - Development forks, teams
    - Criminally motivated
    - Bots and botnets
      - Tens of millions of PCs "owned" at any one time
    - Designed To Get Money
      - Steal passwords, identity info, DDoS attacks
    - Mostly asks for permission to run and the user responds "YES"
  • 15. Current Malware Landscape: Criminally Motivated
    - Cybercriminals are stealing tens of millions (at least) of dollars every day
    - The 2009 Verizon Data Breach report found that 91 percent of all compromised records in 2008 were attributed to organized criminal activity.
  • 16. Current Malware Landscape: Criminally Motivated
    - Cybercriminals are stealing tens of millions (at least) of dollars every day
    - The 2009 Verizon Data Breach report found that 91 percent of all compromised records in 2008 were attributed to organized criminal activity.
    - "On the brighter side, we are happy to report that these efforts with law enforcement led to arrests in at least 15 cases."
  • 17. Current Malware Landscape: Most Common Malware Cycle
    1. User visits "innocent" infected web site
    2. Site contains a simple JavaScript redirector
    3. Prompts user to install a fake program
      - Anti-virus scanner, patch, codec, malformed PDF, etc.
    4. First program is a small downloader
      - Starts the malware process
      - Provides bot control
      - Dials home for more instructions
  • 18. Only Visit Trusted Web Sites: Good advice?
  • 19. Current Malware Landscape: Trusted Web Sites?
    - What has "trusted" ever meant anyway?
    - How do I know I can trust it?
    - Do those "seals of approval" mean anything?
  • 20. Current Malware Landscape: Trusted Web Sites?
    - What has "trusted" ever meant anyway?
    - How do I know I can trust it?
    - Do those "seals of approval" mean anything?
    - Me, I feel safer on a pay-per-view porn site!!
  • 21. Current Malware Landscape: Innocently Infected Web Sites
    - 77 percent of web sites with malicious code are legitimate sites that have been compromised
    - 61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims to malicious
    - 37 percent of malicious Web/HTTP attacks included data-stealing code
    - 57 percent of data-stealing attacks are conducted over the Web
  • 22. Current Malware Landscape: Innocently Infected Web Sites. How?
    - Web site itself compromised
      - Misconfiguration
      - Vulnerability
      - Allows user postings
    - Malicious ads from legitimate ad services
    - Malicious sponsored ads on search engines
    - Poisoned search engine results
    - Web site codelets created by bad guys to go malicious one day
  • 23. Current Malware Landscape: Some aren't so Innocent! Tens of Millions of Malicious Web Sites
    - Look real, but completely malicious
    - Users are often taken there by an OS or app help program or a search engine
    - Promote a product that is nothing but malicious
    - Have entire teams of people dedicated to promoting the product on "independent" blogs, review magazines, etc.
    - Ex: "You must have this codec to watch these car racing videos on YouTube"
  • 24. Current Malware Landscape: Innocently Infected Web Sites. Poisoned Ad Services
    - You name the major web site and it has probably hosted malicious ads
    - Ads posted by the web site owner, a marketing firm hired by the web site, a compromised ad service, or hacking
    - Avast: the most compromised services are Yahoo's yieldmanager.com and Fox's fimserve.com
      - Responsible for more than 50% of poisoned ads
      - Doubleclick.net too
    - http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/
  • 25. Current Malware Landscape: Innocently Infected Web Sites. Poisoned Cartoons?
    - King Features, a newspaper comic distributor, was hacked
    - King Features distributes online comics to about 50 different newspapers
    - Online readers were prompted to download a malicious PDF
    - http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
  • 26. Current Malware Landscape: Innocently Infected Web Sites. Search Engine Poisoning
    - Bad guys create web sites that are very attractive to search engine bot crawlers (e.g. lots of links with lots of keywords)
    - It is not uncommon to find malicious links in 15% to 20% of the first 100 results from a search
    - Some of the most popular searches will return 90%
    - Malicious web sites are often generated on the fly, changed only by a single keyword in the URL
    - http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results
  • 27. Current Malware Landscape: Innocently Infected Web Sites. SEO Kits
    - Poisoned search engine results are often created by Search Engine Optimization (SEO) kits
    - Kits download the most popular search engine requests from the search engines themselves (e.g. Google Trends)
    - Then generate web sites on the fly with those keywords and images
    - Generate thousands of web sites with those keywords that link to each other
    - http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
  • 28. Current Malware Landscape: Innocently Infected Web Sites. Sponsored Ads
    - Search engines often host sponsored ads that redirect to malicious sites and code
    - Nearly all search engines are involved
      - Certainly the ones you use are
    - Due to malware companies posing as legitimate companies and switching up ads, or legitimate web sites that paid for legitimate ad time being infected
  • 29. Current Malware Landscape: Innocently Infected Web Sites. Sponsored Ads (screenshot)
  • 30. Current Malware Landscape: Innocently Infected Web Sites. Many Infected Host Providers Are Slow To Respond
    - Example: ThePlanet.com
    - Stopbadware.org notifies ThePlanet when they note an infected web site hosted by ThePlanet
    - Averages 12K-20K infected sites a month
    - 1 month after reporting, 12K of the reported web sites remain infected
    - 4.5K remain infected after 7 months
  • 31. Current Malware Landscape: Not-So Innocently Infected Web Sites. Bulletproof Hosting
    - Many companies advertise on the promise that they will keep your web site up no matter what you do with it
    - The Russian Business Network is number one in this space
    - McColo was #2 before the 2008 takedown
    - Plenty of competition
    - Located in countries without appropriate laws
  • 32. Current Malware Landscape: Not-So Innocently Infected Web Sites. Bulletproof Hosting Examples (screenshot)
  • 33. Current Malware Landscape: Not-So Innocently Infected Web Sites. Bulletproof Hosting Examples (screenshot)
  • 34. Current Malware Landscape: New Malware Model Steps (diagram)
    - Diagram components: Dynamic DNS Server, Initial Mothership Web Server, Dynamic Mothership
    1. Bot program exploits victim PC and installs itself
    2. It "phones home" using a dynamic DNS server to find the "mothership"
    3. Finds the mothership, downloads new code and instructions
    4. Repeats 1-20 times
    5. Infects new victim PCs
    6. Sometimes plays the role of bot host, sometimes of dynamic DNS server, sometimes mothership
    - Diagram annotations:
      - Created for just this single victim instance
      - Can be a legitimate DNS server or an exploited system
      - Usually just another exploited victim or web server
      - Updates the dynamic DNS server with its current IP address
      - Mothership updates may cycle 20 times
      - Sends the bot host new programs, new payload, new instructions
  • 35. Current Malware Landscape: New Malware Model Steps
    1. Infect or Exploit
    2. Modify system to gain control
    3. Phone "home" to get a code update (repeat this step 1-20 times)
    4. Modify host and spread to create a bot net
    5. Steal information: financial, passwords, etc.
    6. Able to bypass any authentication method
    7. When finished, self-delete and cover up tracks
  • 36. Current Malware Landscape: New Malware Model (con't)
    - Self-healing bot nets
    - Intended to live only a few hours
    - Auto-updating
    - Designed To Hide
    - Millions of malicious links on social networking sites
      - Some of the biggest users of Facebook, Myspace, and Twitter
  • 37. Current Malware Landscape: New Malware Model (con't)
    - Silent drive-by downloads and "one click and you're owned" traps used to be the way people got infected
      - Require unpatched software and vulnerabilities
      - UAC and other browser protections make this harder to do
      - Still happens, but now in the minority
    - OS patching is nearly 100% now
    - App patching could be better
    - Malware writers are mostly targeting unpatched Internet browser apps now
  • 38. Current Malware Landscape: New Malware Model (con't)
    - In most cases, people are tricked into intentionally installing a malware program
      - 99% of the risk in most environments
    - Occasionally, a roving worm, like Conficker, becomes Ms. Popularity for a few days or months
  • 39. Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year (chart)
    - Vulns. trending down since 1H 2007
    - Figures for all reporting vendors
  • 40. Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year (chart)
    - Even OS and Browser Vulnerabilities Are Flat
    - From MS SIR 8
  • 41. Current Malware Landscape: Still Plenty of Vulnerabilities
    - Especially in the browser space
    - Every new browser vendor promises to make the perfectly secure browser that apparently Microsoft cannot seem to make
    - Later on I'll tell you how it doesn't matter at all anyway
  • 42. Current Malware Landscape: Number of Browser Vulnerabilities in 2009 (from Symantec/Secunia)
    - Firefox: 169
    - Apple Safari: 94
    - Internet Explorer: 45
    - Google Chrome: 41
    - Opera: 25
  • 43. Current Malware Landscape: Number of Browser Vulnerabilities in 2010 (so far)
    - Firefox: 52
      - 3.0: 15, 3.5: 18, 3.6: 19
    - Apple Safari 4: 17
    - Internet Explorer 8: 21
    - Google Chrome: 28
    - Opera: 6
    - Of all browsers Symantec analyzed in 2009, Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF, and Opera had the shortest windows of exposure, avg 1 day.
  • 44. Current Malware Landscape: But Vulns Don't Matter All That Much
    - The way almost all your users are getting infected is direct-action trojans
  • 45. Current Malware Landscape: Trojans Are #1! (From Microsoft SIR 8; chart of exploits vs. trojans)
    - By a huge percentage, trojans are number one!
  • 46. Current Malware Landscape: But Worms are more frequent on work computers (From Microsoft SIR 8; chart)
  • 47. Why Are They So Prevalent?
    - Trojan program looks "really, really" authentic
    - Coming from legitimate web sites, spam, phishing attacks
    - Bad guy often buys ads on search engines or "poisons" search engine results
      - Certain keywords are more likely to bring up malware than legitimate web sites
      - Bad guys use the latest news (e.g. earthquake, celebrity event, etc.)
    - Users are often accidentally redirected to malware sites by legitimate, trusted software
  • 48. Tricking End Users: Antivirus 2010 (screenshot)
  • 49. Fake AV Stats (from Google)
    - In one year, Google found over 11,000 web sites offering fake AV scanners
    - 1,462 unique new installer programs per day
    - 20% detection rate by real AV
    - 1 hr: median time a redirection web site is up before hackers move on
    - In SIR 8, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009.
  • 50. Apparently they worry about copyright infringement (screenshot)
  • 51. Why Are They So Prevalent?
    - Millions of new programs created every year
    - Challenging for pure definition scanners to keep up
    - No antivirus scanner will ever be perfect
    - Check out http://www.virustotal.com/estadisticas.html
  • 52. Current Malware Landscape: Infection or Exploit
    - "Zero-day" exploits becoming more common
    - One attack program can have 20 exploit vectors
    - DNS tricks
      - Poisoning, hosts file manipulation
      - Sound-alikes
    - One-offs (everything unique for each victim)
    - Millions of malware programs each year
      - Symantec reported 2.8M malware programs in '09
      - More than legitimate programs
  • 53. Why Are They So Prevalent? Malware Is Hiding Better. Known Malware Detection Rates Not Bad (www.virusbulletin.com)
    - Dozens of AV scanners routinely detect 100% of the known malware programs in the wild with zero false positives
    - Awarded VB100
  • 54. Why Are They So Prevalent? Malware Is Hiding Better. First-Day Malware Detection Rates Could Be Improved (www.av-test.org, Dec. 2009)
    - Brand new threats were released and tested
    - Best products detected malware 98% of the time, blocked it 95% of the time
    - Average product was 70-90% effective
    - Sounds good until you realize that out of 100 users in your network, at least two of them will be presented with a trojan program that is not detected as malicious
    - Now multiply that by the size of your user base, especially over time
  • 55. Why Are They So Prevalent? Malware Is Hiding Better. How Does Malware Hide? Early Techniques:
    - Encrypted: hide the malware so it can't be scanned
    - Oligomorphic: multiple encryption/decryption engines
    - Polymorphic: random encryption/decryption
    - Metamorphic: mutates the malware body, looks for a compiler on the host and re-compiles the malware on the fly
  • 56. Why Are They So Prevalent? New Malware Is Hiding Even Better. How Does Malware Hide? Today's Techniques:
    - HTML encoding/obfuscation
    - Character set (e.g. UTF-8, UTF-7, Unicode) encoding
    - Compression (e.g. multi-compressed zip files)
    - Packers, multi-packers
    - SSL/TLS/encryption for travel and communications
  • 57. Why Are They So Prevalent? New Malware Is Hiding Even Better. How Does Malware Hide? Today's Techniques:
    - Language encoding (e.g. simplified Chinese)
    - Transfer encoding (e.g. chunked, token-extension)
    - Packet fragmentation, time-outs
    - Password-protected files
    - Embedded code (e.g. RTF links)
    - Embedded in thick content (e.g. PDF, Flash, MS-Office objects)
  • 58. Why Are They So Prevalent? New Malware Is Hiding Even Better. How Does Malware Hide? Today's Techniques:
    - Dynamic DNS names
    - Dynamic IP addressing
    - One-time URLs (unique per victim)
    - Self-deleting malware
      - Delete and come back when needed
  • 59. Current Malware Landscape: Adobe Acrobat Malware Is a Huge Problem
    - Responsible for up to nearly 50% of all successful web-based attacks.
  • 60. Current Malware Landscape: Adobe Acrobat Malware Is a Huge Problem (chart)
    - Responsible for up to nearly 50% of all successful web-based attacks.
  • 61. Current Malware Landscape: Targeted Spearphishing
    - Usually arrives in email
    - Sender has internal details
      - Most captured from the company's public web site and news
      - Other times, obviously has insider knowledge of a project or detail
    - Often targets senior executives
      - Project document, pending lawsuit, child support inc.
    - Common scam: target accounting to infect the payroll transfer transaction computer
      - Defense: that computer should not be connected to the normal network or used for anything else, and should be highly guarded and secured
  • 62. Current Malware Landscape: Adobe Acrobat Malware Example
    - Can arrive in email
  • 63. Current Malware Landscape: Adobe Acrobat Malware Example
    - Prompts the user to save another "PDF" file
  • 64. Current Malware Landscape: Adobe Acrobat Malware Example
    - Can be prevented by modifying one setting
  • 65. Current Malware Landscape: Do You Patch Office?
    - Most attacks are several years old.
  • 66. Current Malware Landscape: Do You Patch Office?
    - More than half (56.2 percent) of the attacks affected Office program installations that had not been updated since 2003.
    - Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.
  • 67. Current Malware Landscape: CAN-SPAM Act of 2003 took down spam!
  • 68. Current Malware Landscape: Spam stats
    - 25%: percentage of spam when the CAN-SPAM Act was passed
  • 69. Current Malware Landscape: Spam stats
    - Spam is most of our email
      - 88% according to Symantec
      - 93% according to MessageLabs
    - 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious. (Websense 2009 report)
    - Spearphishing for targeted attacks increasing greatly
    - 85% of spam is sent by bots from innocently infected computers (Symantec)
    - 20% of all spam sent in March 2010 used TLS (MessageLabs)
  • 70. Current Malware Landscape: Spammers Still Abusing Free Web Mail
    - Spammers bypass CAPTCHAs by:
      - OCR: recognize the symbols
      - VCR: recognize the voice
      - Paying third-world-country employees to manually answer
        - Freelancer.com: dozens of such projects are bid on every week.
        - 80 cents to $1.20 for each 1,000 deciphered boxes, or about $6 every 15 days for the average worker
  • 71. Current Malware Landscape: Bot Nets and Spam (per MessageLabs)
    - Hundreds of billions of spams are sent each day
    - 85% from spambots, 90% of those from the top five bots
    - Rustock: largest current botnet with 2.4M hosts, responsible for 1/3 of all spam
    - Grum: responsible for 24% of all spam
    - Mega-D: responsible for 18% of all spam
    - Top spam bots vary according to the measurer, but Rustock always gets the #1 spot
  • 72. Current Malware Landscape: Popular Botnet Families (From Microsoft SIR 8; chart)
  • 73. Current Malware Landscape: Bot Nets
    - Many commercial bot net kits
      - Management interfaces
      - 24 x 7 tech support
      - Bypass any authentication
      - Made to order
    - Example: Butterfly/Mariposa bot net (March 2010)
      - 13 million controlled computers in 190 countries
      - Run by three non-experts, required very little skill
      - Bought the original bot kit for $300
  • 74. Current Malware Landscape: Malware Kit Examples
    - Crum: $200, creates polymorphic encrypted malware, free updates
    - Eleonore Exploits Pack: $700, several exploits including MS, Firefox, Opera, and PDF
    - Neon: $500, PDFs (including FoxIt), Flash, Snapshot
    - Adrenaline: $3000, keylogging, theft of digital certificates, encryption of information, anti-detection techniques, cleaning of fingerprints, injection of viral code, etc.
    - http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
  • 75. Current Malware Landscape: Crime Does Pay (chart)
  • 76. Current Malware Landscape: Future Not Looking That Great
    - For the most part, we aren't catching many of the criminals
      - International jurisdictions, non-compliant countries, no hard evidence, real crimefighting takes time
    - Users/admins are not doing the simple things they should be doing to stop malicious attacks
    - Attackers don't need complex hypervisor attacks to do damage; current attacks are doing just fine
    - Vendors could produce zero-defect software and it would not make a measurable dent in cybercrime
  • 77. Grimes Corollary: The most popular software in a particular category will be successfully attacked the most
  • 78. Grimes Corollary: The most popular software in a particular category will be successfully attacked the most, regardless of whether or not Microsoft made it!
    - Windows, IE, Microsoft Office
    - PDF over XPS
    - Apache over IIS
    - Quicktime over Windows Media Player
    - ActiveX over Java Applets
  • 79. Current Malware Landscape: Many Times No Malware Needed. Auction/Sales Site scams
    - Selling a car or motorcycle for an unbelievable price with unbelievable terms
      - "I'll give you the best price ever and pay for international shipping"
    - Send your money to a "trusted third party"
      - "Buyer protection"
    - Doesn't care what your OS or browser is
      - So much for your anti-malware programs
  • 80. Current Malware Landscape: Many Times No Malware Needed. Auction Car Sale Scam Example (screenshot)
  • 81. Current Malware Landscape: Many Times No Malware Needed. Auction Car Sale Example (screenshot)
  • 82. Current Malware Landscape: Forming a Defense. Lessons To Take Away
    - Malware usually comes from innocently infected web sites
    - Visiting only "trusted" web sites is not great advice anymore
    - Consider investing more in technologies that can mitigate these types of threats
    - Educate end users about the current state of malware
      - If we could educate users to not install fake programs, the majority of the current malware threat would disappear overnight
  • 83. Fight the Good Fight: Best End-User Defenses
    - Don't be logged in as Administrator or root when surfing the web or reading email
    - Run up-to-date anti-malware programs
      - Antivirus, firewalls, anti-spam, anti-phishing, intrusion detection
    - Fully patch the OS and all applications, including browser add-ons (harder than it sounds)
    - Use good, secure defaults
  • 84. Fight the Good Fight: Best End-User Defenses
    - Educate end users about the most likely threats
      - Tell them to learn what their AV software looks like and what it doesn't
      - Show them what their patching software looks like
      - Tell them not to install software offered by their favorite web site
      - Does your educational content contain this information?
    - Phish your own users (be the first!)
  • 85. Fight the Good Fight: Best End-User Defenses
    - Use search engines that contain anti-malware abilities (e.g. Bing, Google, etc.)
    - Use browsers that have anti-malware checkers
      - Most of the popular ones, but not all
    - Look for unusual network traffic patterns
      - Unexpected large transfers, workstation-to-workstation, server-to-server
    - Install honeypots as early warning detectors
  • 86. Current Malware Landscape: Forming a Defense. Future Defenses
    - Most countries are starting to work together better (although very slowly)
    - Ultimately it will take rebuilding the Internet
      - Building in pervasive identity and accountability
      - Still support anonymity
      - Will have to be done incrementally
    - Support End-to-End Trust initiatives
      - All needed protocols are already in place
      - See the Trusted Computing Group's work
      - Microsoft's End To End Trust
  • 87. Current Malware Landscape: Questions
    - e: roger@banneretcs.com
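Slide 85 recommends watching for unexpected large transfers, workstation-to-workstation and server-to-server traffic. The script below is an added example of that triage over flow records and is not part of the presentation; the subnet roles, the allow-list of server pairs, the 50 MiB threshold and the sample flow lines are all constructed for illustration.

```python
"""Flow-record triage for the traffic patterns named on slide 85.

Added example; not from the presentation. Network roles, thresholds and
the sample flows are constructed so the script runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network roles: which subnets hold workstations and which hold servers.
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
SERVER_NETS = [ip_network("10.20.0.0/24")]
# Constructed allow-list of server pairs that legitimately talk to each other
# (e.g. application server to database). Any other server-to-server flow is flagged.
ALLOWED_SERVER_PAIRS = {("10.20.0.5", "10.20.0.9")}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # constructed threshold: 50 MiB in a single flow


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def role(addr: str) -> str:
    """Classify an address as workstation, server or external by subnet."""
    ip = ip_address(addr)
    if any(ip in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(ip in net for net in SERVER_NETS):
        return "server"
    return "external"


def classify(flow: Flow) -> list[str]:
    """Return the pattern names a single flow matches (empty list = nothing unusual)."""
    findings = []
    src_role, dst_role = role(flow.src), role(flow.dst)
    if src_role == "workstation" and dst_role == "workstation":
        findings.append("workstation-to-workstation")
    if (src_role == "server" and dst_role == "server"
            and (flow.src, flow.dst) not in ALLOWED_SERVER_PAIRS):
        findings.append("unexpected server-to-server")
    # Large uploads to anything other than a known server (a peer or the Internet)
    # are the interesting case; large transfers to servers are assumed normal here.
    if flow.bytes_out >= LARGE_TRANSFER_BYTES and dst_role != "server":
        findings.append("large transfer")
    return findings


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow line of the form 'src dst dport bytes'."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each pattern name to the 'src->dst' pairs that matched it."""
    report: dict[str, list[str]] = {}
    for line in lines:
        flow = parse_flow_line(line)
        for name in classify(flow):
            report.setdefault(name, []).append(f"{flow.src}->{flow.dst}")
    return report


# Constructed sample flows (src dst dport bytes).
SAMPLE_FLOWS = [
    "10.10.1.15 10.20.0.5 443 8192",        # workstation to web server: normal
    "10.10.1.15 10.10.1.16 445 4096",       # workstation to workstation over SMB
    "10.20.0.5 10.20.0.9 1433 20480",       # allow-listed app-to-database pair
    "10.20.0.9 10.20.0.7 22 1024",          # database server opening SSH to another server
    "10.10.2.8 203.0.113.10 443 80000000",  # 80 MB upload from a workstation to the Internet
    "10.10.2.8 10.20.0.5 443 80000000",     # 80 MB upload to an internal server: not flagged
]

if __name__ == "__main__":
    for name, pairs in triage(SAMPLE_FLOWS).items():
        print(f"{name}: {', '.join(pairs)}")
```

Real deployments would feed NetFlow or firewall logs through `parse_flow_line` and tune the roles and threshold to the environment; the point is that each of the three slide-85 patterns becomes a concrete, testable rule.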