Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Similar to Malware's Most Wanted: The Many Faces of Malware
Similar to Malware's Most Wanted: The Many Faces of Malware (20)
Recently uploaded
Recently uploaded (20)
Malware's Most Wanted: The Many Faces of Malware
- 2. The Many Faces of Malware @belogor
- 3. Your speakers today Nick Bilogorskiy @belogor Director of Security Research Shel Sharma Product Marketing Director
- 4. Agenda o Fake Antivirus o Ransomware o APTs o Adware o Web Exploits o Wrap-up and Q&A CyphortLabsT-shirt
- 5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
- 7. Fake Antivirus timeline Mac Defender Antivirus XP 2008 2005 2008 2009 2010 2011 2012 2013 2014 WinFixer PC Optimizer Pro
- 8. WinFixer
- 9. XP Antivirus 2008 Affiliate Username Account Balance (USD) nenastniy $158,568.86 krab $105,955.76 rstwm $95,021.16 newforis $93,260.64 slyers $85,220.22 ultra $82,174.54 cosma2k $78,824.88 dp322 $75,631.26 iamthevip $61,552.63 dp32 $58,160.20
- 10. 2011 - Mac Defender
- 11. 2011 - Mac Defender o Pavel Vrublevsky Sentenced to 2.5 Years
- 12. 2015 Adware PcOptimizerPro o PcOptimizerPro shows fake alerts of performance problems o Fixing only possible with commercial version o Offers user to buy an upgrade
- 13. PC Optimizer Pro
- 15. PGPCoder Trojan – 1024 RSA key, collects money via EGOLD Bitcoin was invented by Satoshi Nakamoto Reveton Trojan, aka Police Trojan. collects money via Moneypak BitCoin becomes popular, Cryptolocker appears Cryptowall, TeslaCrypt Ransomware History 2005 2009 2012 2013 2014
- 17. TeslaCrypt
- 18. TeslaCrypt
- 19. Kovter
- 20. CryptoWall
- 22. Lockers
- 25. DarkSeoul o DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 32,000 systems at South Korean banks and media companies o Credit claimed by Whois
- 26. Sony Wiper
- 27. DarkComet RAT
- 30. BlackEnergy/Sandworm o CVE-2014-4114 o “complete list of Members of Parliament”.
- 31. Asprox/Kuluoz
- 36. OSX – Genieo o MD5: 11f085fdfca46a4b446760a0e68dc2c3 o Browser Hijacker
- 37. Outbrowse
- 38. Hack Tools
- 39. Hack Tools
- 43. Summary o Most malware runs silently o Some malware uses GUI for monetization o Error windows are very common in malware output, both real and fake o APTs display fake documents for misdirection
- 44. Thank You! Twitter: @belogor Previous MMW slides on http://cyphort.com/labs/ malwares-wanted/
Editor's Notes
- But First, let me introduce our team – Cyphort Labs. We are a group of malware researchers in several countries who monitor malware and security trends daily, reverse engineer interesting malware samples and contribute to the Cyphort threat research. In addition our team deals with customer escalations -analyzing malware escalated by the support team, advising Cyphort engineering team on improving detection, and sharing threat intelligence on Cyphort Labs blog. For example, check out our post from June 9 on breach at the Office of Personnel Management (OPM). You can find our blog at www.cyphort.com/blog
- Winfixer is an application that is installed by drive-by downloads and ActiveX installations. The program starts automatically at boot-up and presents the user with multiple dialogs stating that a full license should be purchased to remove problems it has found. The infection usually occurs during a visit to a distributing web site using a web browser. A message appears in a dialog box or popup asking the user if they want to install WinFixer, or claiming a user's machine is infected with malware, and requests the user to run a free scan. You can see this JavaScript message on the left in this slide. When the user chooses any of the options or tries to close this dialog (by clicking 'OK' or 'Cancel' or by clicking the corner 'X'), it will trigger apop-up window and WinFixer will download and install itself, regardless of the user’s wishes. On the right you can see the actual WinFixer fake antivirus window screenshot. On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings.“ On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Kristy Ross, the creators of WinFixer and its sister products. On September 24, 2012, Kristy Ross was fined $163 million by the Federal Trade Commission for her part in this. The pop-up ads she created would be under the names DriveCleaner, Winfixer, WinAntivirus, WinAntispyware, FreeRepair or System Doctor. Over a million people fell as a victim to her scam and purchased the software from $40 to $60 each.