This document provides background on Roger Grimes, an InfoWorld contributing editor and security columnist. It then summarizes Grimes' presentation on malware trends, including a brief history of early malware from the 1960s-1980s and trends through the 2000s. It notes that today, malware is primarily trojans and is often spread through deceptive means rather than exploits, as people are tricked into intentionally installing malicious programs. Key points include that many legitimate websites are compromised to spread malware, and that fake anti-virus programs remain a highly effective deception tactic for cybercriminals.
2. Presenter BIO
Roger A. Grimes
CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
23-year Windows security consultant, instructor, and author
Author of seven books on computer security, including:
Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
Professional Windows Desktop and Server Hardening (Dec. 2005)
Malicious Mobile Code: Virus Protection for Windows (O’Reilly, 2001)
Honeypots for Windows (Apress, December 2004)
Author of over 300 national magazine articles on computer security
Principal Security Architect for Microsoft InfoSec ACE Team
4. Presentation Summary
Quick History of Past Malware Threats
Today's Threats
Anatomy of Today's Cyber Attack
Malware Examples
Best Defenses
5. Historic Malware Trends: Malware Has Been Around Since The Beginning of Computers
Most early malware were network worms
Late 1960’s – John Conway’s Game of Life, Core Wars, Imp
1971 – Creeper worm was written by Bob Thomas of the BBN (Bulletin Board Network)
(First PC, Altair 8800, 1974)
IBM Christmas worm – Dec. 1987
Robert Morris Worm – Nov. 1988
6. Historic Malware Trends: First PC Viruses – Boot Viruses
(Apple computer invented 1976)
1982 – Richard Skrenta, Jr., a 9th grade high school student and Core War fan, wrote a 400-line Apple II boot virus called Elk Cloner
Spread around the world
Every 50th boot would present a message
No virus scanners or cleaners at this time
(IBM PC introduced in late 1981)
1986 – Pakistani Brain – first IBM-compatible virus
1987 – Stoned, Jerusalem, Cascade (encrypted), Lehigh
7. Historic Malware Trends: Early PC Malware
Boot Viruses
Even though they made up just a few percent of the malware programs, they accounted for most of the infections
March 1992 – Michelangelo
Executable Viruses
Some Trojan Horse Programs
Some Worms, but not many
Most malware programs were not intentionally malicious
8. Historic Malware Trends: PC Malware Hits Mainstream
1985 – Macro viruses
1998 – HTML viruses
2001 – Code Red – IIS worm
2003 – SQL Slammer
Fastest exploit to date – 10 minutes to infect the world
2003 – MS Blaster
In 99.9999% of cases, the patch was available before the exploit was released
9. Historic Malware Trends: Email Worms/Viruses
From 1999 to late 2006, about 90% of malware attacks arrived via email
VBScript, JavaScript
Malicious file attachments
Rogue embedded links
Spam
MIME-type mismatches
Social-engineering methods
Melissa, I Love You worm
10. Historic Malware Trends: Email Worms/Viruses
Still, most were not intentionally malicious
Those were the days!
11. Current Malware Trends: Conventional Defense Wisdom
Run an up-to-date antivirus program
Run a host-based firewall that prevents unauthorized outbound connections
Be fully patched
Visit only trusted web sites
Be careful opening unexpected documents
Use other programs and OSs to remain safe
12. Current Malware Trends: Sadly...
AV is not all that accurate and cannot be relied upon
Host-based firewalls really don’t work most of the time
Nobody fully patches
Trusted web sites are how you get infected
Many attacks work cross-platform or don’t care about OS or app
Targeted spearphishing makes determining what documents you should open hard to do
13. Current Malware Trends: Sadly...
Malware and hacking are worse than ever!
Even though we already do all the recommended stuff
14. Current Malware Landscape: New Malware Model
Mostly trojans, worms, and downloaders
Professionally written
Development forks, teams
Criminally-motivated
Bots & botnets
Tens of millions of PCs “owned” at any one time
Designed To Get Money
Steal passwords, identity info, DDoS attacks
Mostly asks for permission to run, and the user responds “YES”
16. Current Malware Landscape: Criminally Motivated
Cybercriminals are stealing tens of millions (at least) of dollars every day
The 2009 Verizon Data Breach report found that 91 percent of all compromised records in 2008 were attributed to organized criminal activity.
“On the brighter side, we are happy to report that these efforts with law enforcement led to arrests in at least 15 cases.”
17. Current Malware Landscape: Most Common Malware Cycle
1. User visits “innocent” infected web site
2. Contains simple JavaScript redirector
3. Prompts user to install fake program
Anti-virus scanner, patch, codec, malformed PDF, etc.
4. First program is a small downloader
Starts the malware process
Provides bot control
Dials home for more instructions
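The “simple JavaScript redirector” stage of this cycle is something a site owner can scan their own pages for. The following is an added example, not from the presentation, that checks page HTML for the usual injection indicators (hidden or zero-size iframes, iframes pointing at a bare IP address, eval() fed by unescape()/fromCharCode or long %xx runs, and a meta-refresh to another host) over constructed sample pages; the hostnames and addresses in the samples are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (hosts and IPs are made up, not real sites).
SITE_HOST = "comics.example"

CLEAN_PAGE = """<html><body><h1>Daily comics</h1>
<script src="/static/app.js"></script>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
</body></html>"""

# Mimics the injected redirector stage: a zero-size iframe to a bare IP plus
# an eval(unescape(...)) blob that hides the redirect target from a casual look.
INJECTED_PAGE = """<html><body><h1>Daily comics</h1>
<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e'));</script>
</body></html>"""

# A plain meta-refresh that bounces the visitor to a different host.
REFRESH_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://codec-update.example/setup.exe">
</head><body>Loading...</body></html>"""

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PCT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")   # long %xx runs: hex-encoded payload


class _Collector(HTMLParser):
    """Gathers iframe attributes, inline script bodies and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.refreshes = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data unparsed.
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def _iframe_hidden(a):
    style = a.get("style", "").replace(" ", "").lower()
    tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_page(html, site_host):
    """Return the sorted list of indicator names found in one page."""
    c = _Collector()
    c.feed(html)
    found = set()
    for a in c.iframes:
        host = urlparse(a.get("src", "")).hostname or ""
        if _iframe_hidden(a):
            found.add("hidden-iframe")
        if IP_HOST.match(host):
            found.add("iframe-ip-src")
    for body in c.scripts:
        compact = body.replace(" ", "")
        decoder = "unescape(" in compact or "fromCharCode(" in compact or PCT_RUN.search(body)
        if "eval(" in compact and decoder:
            found.add("obfuscated-eval")
    for content in c.refreshes:
        m = re.search(r"url=(\S+)", content, re.I)
        host = urlparse(m.group(1)).hostname if m else None
        if host and host.lower() != site_host:
            found.add("meta-refresh-offsite")
    return sorted(found)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("refresh", REFRESH_PAGE)):
        print(name, scan_page(page, SITE_HOST))
```

A hit is a reason to look at the page, not proof of compromise; legitimate tracking pixels also use tiny iframes, so the value is in comparing against a known-good copy of the site.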
20. Current Malware Landscape: Trusted Web Sites?
What has trusted ever meant anyway?
How do I know I can trust it?
Do those “seals of approval” mean anything?
Me, I feel safer on a pay-for-view porn site!!
21. Current Malware Landscape: Innocently Infected Web Sites
77 percent of web sites with malicious code are legitimate sites that have been compromised
61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims to malicious
37 percent of malicious Web/HTTP attacks included data-stealing code
57 percent of data-stealing attacks are conducted over the Web
22. Current Malware Landscape: Innocently Infected Web Sites
How?
Web site itself compromised
Misconfiguration
Vulnerability
Allows user postings
Malicious ads from legitimate ad services
Malicious sponsored ads on search engines
Poisoned search engine results
Web site codelets created by bad guys to go malicious one day
23. Current Malware Landscape: Some aren’t so Innocent!
Tens of Millions of Malicious Web Sites
Look real, but completely malicious
Often taken there by OS or app help program or search engine
Promote product that is nothing but malicious
Have entire teams of people dedicated to promoting product on “independent” blogs, review magazines, etc.
Ex: You must have this codec to watch these car racing videos on YouTube
24. Current Malware Landscape: Innocently Infected Web Sites
Poisoned Ad Services
You name the major web site and it has probably hosted malicious ads
Ads posted by web site owner, marketing firm hired by web site, compromised ad service, or hacking
Avast – the most compromised services are Yahoo’s yieldmanager.com and Fox’s fimserve.com
Responsible for more than 50% of poisoned ads
Doubleclick.net too
http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/
25. Current Malware Landscape: Innocently Infected Web Sites
Poisoned Cartoons?
King Features, a newspaper comic distributor, was hacked
King Features distributes online comics to about 50 different newspapers
Online readers were prompted to download a malicious PDF
http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
26. Current Malware Landscape: Innocently Infected Web Sites
Search Engine Poisoning
Bad guys create web sites that are very attractive to search engine bot crawlers (e.g. lots of links with lots of keywords)
It is not uncommon to find malicious links in 15% to 20% of the first 100 results from a search
Some of the most popular searches will return 90%
Malicious web sites are often generated on the fly, changed only by a single keyword in the URL
http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results
27. Current Malware Landscape: Innocently Infected Web Sites
SEO Kits
Poisoned search engine results are often created by Search Engine Optimization (SEO) kits
Kits download the most popular search engine requests from the search engines themselves (e.g. googletrends)
Then generate web sites on the fly with those keywords and images
Generate thousands of web sites with those keywords that link to each other
http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
28. Current Malware Landscape: Innocently Infected Web Sites
Sponsored Ads
Search engines often host sponsored ads that redirect to malicious sites and code
Nearly all search engines involved
Certainly the ones you use are
Due to malware companies posing as legitimate companies and switching up ads, or legitimate web sites that paid for legitimate ad time being infected
30. Current Malware Landscape: Innocently Infected Web Sites
Many Infected Host Providers Are Slow To Respond
Example: ThePlanet.com
Stopbadware.org notifies ThePlanet when they note an infected web site hosted by ThePlanet
Averages 12K-20K infected sites a month
1 month after reporting, 12K of reported web sites remain infected
4.5K remain infected after 7 months
31. Current Malware Landscape: Not-So Innocently Infected Web Sites
Bulletproof Hosting
Many companies advertise on the promise that they will keep your web site up no matter what you do with it
The Russian Business Network is number one in this space
McColo was #2 before the 2008 takedown
Plenty of competition
Located in countries without appropriate laws
34. Current Malware Landscape: New Malware Model Steps
(Diagram with four nodes: Dynamic DNS Server, Initial Mothership, Web Server, Dynamic Mothership)
1. Bot program exploits victim PC and installs itself
2. It “phones home” using dynamic DNS server to find “mothership”
3. Finds mothership, downloads new code and instructions
4. Repeats 1-20 times
5. Infects new victim PCs
6. Sometimes plays role of bot host, sometimes of dynamic DNS server, sometimes mothership
Diagram annotations on the nodes:
- Created for just this single victim instance
- Can be a legitimate DNS server or exploited system
- Usually just another exploited victim or web server
- Updates dynamic DNS server with current IP address
- Mothership updates may cycle 20 times
- Sends bot host new programs, new payload, new instructions
35. Current Malware Landscape: New Malware Model Steps
1. Infect or Exploit
2. Modify system to gain control
3. Phone “home” to get code update
Repeat this step 1-20 times
4. Modify host and spread to create bot net
5. Steal information – financial, passwords, etc.
6. Able to bypass any authentication method
7. When finished, self-delete, cover up tracks
36. Current Malware Landscape: New Malware Model (con’t)
Self-healing bot nets
Intended to live only a few hours
Auto-updating
Designed To Hide
Millions of malicious links on social networking sites
Some of the biggest users of Facebook, Myspace, and Twitter
37. Current Malware Landscape: New Malware Model (con’t)
Silent drive-by-downloads and “one click and you’re owned” traps used to be the way people got infected
Require unpatched software and vulnerabilities
UAC and other browser protections make this harder to do
Still happens, but now in the minority
OS patching is nearly 100% now
App patching could be better
Malware writers are mostly targeting unpatched Internet browser apps now
38. Current Malware Landscape: New Malware Model (con’t)
In most cases, people are tricked into intentionally installing a malware program
99% of the risk in most environments
Occasionally, a roving worm, like Conficker, becomes Ms. Popularity for a few days or months
39. Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
Vulnerabilities trending down since 1H 2007
(Chart: figures for all reporting vendors)
40. Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
Even OS and Browser Vulnerabilities Are Flat
(Chart from MS SIR 8)
41. Current Malware Landscape: Still Plenty of Vulnerabilities
Especially in the browser space
Every new browser vendor promises to make the perfectly secure browser that apparently Microsoft cannot seem to make
Later on I’ll tell you how it doesn’t matter at all anyway
42. Current Malware Landscape: Number of Browser Vulnerabilities in 2009
Firefox – 169
Apple Safari – 94
Internet Explorer – 45
Google Chrome – 41
Opera – 25
From Symantec/Secunia
43. Current Malware Landscape: Number of Browser Vulnerabilities in 2010 (so far)
Firefox – 52 (by version: 3.0 – 15, 3.5 – 18, 3.6 – 19)
Apple Safari 4 – 17
Internet Explorer 8 – 21
Google Chrome – 28
Opera – 6
Of all browsers Symantec analyzed in 2009, Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF, and Opera had the shortest windows of exposure, avg 1 day.
44. Current Malware Landscape: But Vulns Don’t Matter All That Much
The way almost all your users are getting infected is direct action trojans
45. Current Malware Landscape: Trojans Are #1!
By a huge percentage, trojans are number one!
(Chart from Microsoft SIR 8 comparing Exploits against Trojans)
47. Why Are They So Prevalent?
Trojan program looks “really, really” authentic
Coming from legitimate web sites, spam, phishing attacks
Bad guy often buys ads on search engines or “poisons” search engine results
Certain keywords are more likely to bring up malware than legitimate web sites
Bad guys use the latest news (e.g. earthquake, celebrity event, etc.)
Often accidentally redirected to malware sites by legitimate trusted software
49. Fake AV Stats – from Google
In one year, Google found over 11,000 web sites offering fake AV scanners
1,462 unique new installer programs per day
20% detection rate by real AV
1 hr – median time a redirection web site is up before hackers move on
In SIR 8, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009.
51. Why Are They So Prevalent?
Millions of new programs created every year
Challenging for pure definition scanners to keep up
No antivirus scanner will ever be perfect
Check out http://www.virustotal.com/estadisticas.html
52. Current Malware Landscape: Infection or Exploit
“Zero-day” exploits becoming more common
One attack program can have 20 exploit vectors
DNS tricks
Poisoning, hosts file manipulation
Sound-alikes
One-offs (everything unique for each victim)
Millions of malware programs each year
Symantec reported 2.8 M malware programs in 09
More than legitimate programs
53. Why Are They So Prevalent? Malware Is Hiding Better
Known Malware Detection Rates Not Bad
www.virusbulletin.com
Dozens of AV scanners routinely detect 100% of the known malware programs in the wild with zero false-positives
Awarded VB100
54. Why Are They So Prevalent? Malware Is Hiding Better
First-Day Malware Detection Rates Could Be Improved
www.av-test.org (Dec. 2009)
Brand new threats were released and tested
Best products detected malware 98% of the time, blocked 95% of the time
Average product was 70-90% effective
Sounds good until you realize that out of 100 users in your network, at least two of them will be presented with a trojan program that is not detected as malicious
Now multiply that by the size of your user base, especially over time
55. Why Are They So Prevalent? Malware Is Hiding Better
How Does Malware Hide?
Early Techniques:
Encrypted – hide the malware so it can’t be scanned
Oligomorphic – multiple encryption/decryption engines
Polymorphic – random encryption/decryption
Metamorphic – mutates malware body, looks for compiler on host and re-compiles malware on-the-fly
56. Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide?
Today’s Techniques:
HTML Encoding/Obfuscation
Character set (e.g. UTF-8, UTF-7, Unicode) encoding
Compression (e.g. multi-compressed zip files)
Packers, Multi-packers
SSL/TLS/encryption for travel and communications
57. Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide?
Today’s Techniques:
Language encoding (e.g. simplified Chinese)
Transfer encoding (e.g. chunked, token-extension)
Packet fragmentation, time-outs
Password protected files
Embedded code (e.g. RTF links)
Embedded in thick content (e.g. PDF, Flash, MS-Office objects)
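Three of the hiding techniques on slides 56 and 57 (multi-compressed zip files, password protected files, and executables wrapped in content that looks like documents) are exactly what a mail gateway or upload filter has to unwrap before any scanner sees the payload. The following is an added example, not from the presentation, of such an unwrapper: it walks nested zip archives with depth and size limits, flags encrypted entries (which cannot be scanned) and checks each member’s magic bytes against its file name. The sample archives are constructed in memory; since Python’s zipfile cannot write encrypted entries, the “locked” sample has its encryption flag bit set by hand.

```python
import io
import zipfile

MAX_DEPTH = 2                # archives nested deeper than this are refused unopened
MAX_TOTAL_BYTES = 5_000_000  # declared uncompressed bytes allowed per archive

# File-type magic numbers used to check a member's content against its name.
MAGIC = ((b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"))


def sniff(data):
    """Classify a member by its leading bytes, ignoring the file extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def inspect_archive(blob, depth=0, path=""):
    """Walk a zip blob recursively and return (member path, finding) pairs."""
    if depth > MAX_DEPTH:
        return [(path, "nesting-too-deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(path, "corrupt-archive")]
    findings, total = [], 0
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted entry
                findings.append((member, "password-protected"))
                continue
            total += info.file_size           # declared size, checked before extraction
            if total > MAX_TOTAL_BYTES:
                findings.append((member, "size-limit-exceeded"))
                break
            data = zf.read(info)
            kind = sniff(data)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            if kind == "exe":
                findings.append((member, "executable" if ext == "exe"
                                 else f"executable-disguised-as-{ext or 'noext'}"))
            elif kind == "zip":
                findings.extend(inspect_archive(data, depth + 1, member))
    return findings


# ---- constructed samples (made-up content, built in memory) -----------------

def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(blob):
    """zipfile cannot write encrypted entries, so set flag bit 0 in every local
    (offset 6) and central-directory (offset 8) header to simulate one."""
    out = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 0x1
            i = out.find(sig, i + 4)
    return bytes(out)


def build_samples():
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60           # PE header bytes, named .pdf
    inner = _zip_bytes({"invoice.pdf": fake_pdf})
    middle = _zip_bytes({"attachment.zip": inner, "notes.txt": b"see attached"})
    samples = {"nested": _zip_bytes({"docs.zip": middle})}
    samples["locked"] = _mark_encrypted(_zip_bytes({"secret.doc": b"x" * 10}))
    deep = _zip_bytes({"a.txt": b"x"})
    for name in ("l1.zip", "l2.zip", "l3.zip"):
        deep = _zip_bytes({name: deep})
    samples["deep"] = deep
    return samples


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, inspect_archive(blob))
```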
58. Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide?
Today’s Techniques:
Dynamic DNS names
Dynamic IP addressing
One-time URLs (unique per victim)
Self-deleting malware
Delete and come back when needed
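The dynamic DNS names and dynamic IP addressing listed here are the same mechanism the bot model on slides 34 and 35 relies on to find its mothership, and both leave a trace in the resolver log. The following is an added example, not from the presentation, that runs two checks over a constructed resolver log: names whose answers churn through several addresses with short TTLs inside one window, and (client, name) pairs queried at near-constant intervals, the timer-driven “phone home”. The log format, hostnames and addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (hosts and addresses are made up). One line per answer.
SAMPLE_LOG = """\
2010-03-01T10:00:01 client=10.0.0.5 qname=www.example.com answer=192.0.2.80 ttl=3600
2010-03-01T10:00:09 client=10.0.0.5 qname=upd7.dyn-example.net answer=203.0.113.4 ttl=60
2010-03-01T10:05:10 client=10.0.0.5 qname=upd7.dyn-example.net answer=198.51.100.77 ttl=60
2010-03-01T10:10:12 client=10.0.0.5 qname=upd7.dyn-example.net answer=203.0.113.91 ttl=60
2010-03-01T10:15:11 client=10.0.0.5 qname=upd7.dyn-example.net answer=198.51.100.12 ttl=60
2010-03-01T10:20:03 client=10.0.0.8 qname=www.example.com answer=192.0.2.80 ttl=3600
2010-03-01T10:30:00 client=10.0.0.8 qname=cdn.example.org answer=192.0.2.10 ttl=30
2010-03-01T10:31:00 client=10.0.0.8 qname=cdn.example.org answer=192.0.2.11 ttl=30
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"answer=(?P<ip>\S+) ttl=(?P<ttl>\d+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ts"] = datetime.fromisoformat(r["ts"])
            r["ttl"] = int(r["ttl"])
            records.append(r)
    return records


def churning_names(records, min_ips=3, max_ttl=300, window_s=3600):
    """Names whose answers cycle through several addresses with short TTLs inside
    one window: the dynamic DNS / dynamic IP pattern. Two-address round robin
    (a normal CDN) stays under min_ips and is not reported."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)
    out = {}
    for name, rs in by_name.items():
        ips = {r["ip"] for r in rs}
        ttl = max(r["ttl"] for r in rs)
        span = (max(r["ts"] for r in rs) - min(r["ts"] for r in rs)).total_seconds()
        if len(ips) >= min_ips and ttl <= max_ttl and span <= window_s:
            out[name] = {"distinct_ips": len(ips), "ttl": ttl, "span_s": span}
    return out


def beaconing_pairs(records, min_queries=4, tolerance=0.1):
    """(client, name) pairs queried at near-constant intervals, i.e. a bot
    phoning home on a timer. Maps each pair to its mean interval in seconds."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["qname"])].append(r["ts"])
    out = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            out[pair] = round(mean)
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("churning:", churning_names(recs))
    print("beaconing:", beaconing_pairs(recs))
```

The thresholds are starting points: large CDNs and some legitimate dynamic DNS users will trip the churn check, so the output is a triage list to join against asset and proxy data, not a block list.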
60. Current Malware Landscape: Adobe Acrobat Malware Is a Huge Problem
Responsible for up to nearly 50% of all successful web-based attacks.
61. Current Malware Landscape: Targeted Spearphishing
Usually arrives in email
Sender has internal details
Most captured from company’s public web site and news
Other times, obviously has insider knowledge of project or detail
Often target senior executives
Project document, pending lawsuit, child support inc.
Common scam: Target accounting to infect the payroll transfer transaction computer
Defense: That computer should not be connected to the normal network or used for anything else, highly guarded and secured
62. Current Malware Landscape: Adobe Acrobat Malware Example
Can arrive in email
63. Current Malware Landscape: Adobe Acrobat Malware Example
Prompts User to Save Another “PDF” file
64. Current Malware Landscape: Adobe Acrobat Malware Example
Can be prevented by modifying one setting
65. Current Malware Landscape: Do You Patch Office?
Most attacks several years old.
66. Current Malware Landscape: Do You Patch Office?
More than half (56.2 percent) of the attacks affected Office program installations that had not been updated since 2003.
Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.
67. Current Malware Landscape
CAN-SPAM Act of 2003 took down spam!
68. Current Malware Landscape: Spam stats
25% – Percentage of spam when CAN-SPAM Act was passed
69. Current Malware Landscape: Spam stats
Spam is most of our email
88% according to Symantec
93% according to MessageLabs
95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious. (Websense 2009 report)
Spearphishing for targeted attacks increasing greatly
85% of spam is sent by bots from innocently infected computers (Symantec)
20% of all spam sent in March 2010 used TLS (MessageLabs)
70. Spammers bypass CAPTCHAs by:
OCR – recognizing the distorted characters
Voice recognition (VCR) – solving the audio CAPTCHA
Paying workers in low-wage countries to answer them
manually
Freelancer.com – dozens of such projects are bid on
every week
80 cents to $1.20 per 1,000 deciphered CAPTCHAs, or
about $6 every 15 days for the average worker
Current Malware Landscape
Spammers Still Abusing Free Web Mail
71. Per MessageLabs
Hundreds of billions of spams are sent each day
85% from spambots, 90% of those from the top five bots
Rustock – largest current botnet with 2.4M hosts,
responsible for one third of all spam
Grum – responsible for 24% of all spam
Mega-D – responsible for 18% of all spam
Top spam bots vary according to the measurer, but Rustock
always gets the #1 spot
Current Malware Landscape
Bot Nets and Spam
73. Many commercial bot net kits
Management interfaces
24 x 7 tech support
Bypass any authentication
Made to order
Example: Butterfly/Mariposa botnet (March 2010)
13 million controlled computers in 190 countries
Run by three non-experts; required very little skill
Bought the original bot kit for $300
Current Malware Landscape
Bot Nets
74. Crum – $200 – creates polymorphic encrypted
malware, free updates
Eleonore Exploits Pack – $700 – several exploits
including MS, Firefox, Opera, and PDF
Neon – $500 – PDFs (including Foxit), Flash, Snapshot
Adrenaline – $3000 – keylogging, theft of digital
certificates, encryption of information, anti-detection
techniques, cleaning of fingerprints, injection of viral
code, etc.
http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
Current Malware Landscape
Malware Kit Examples
76. For the most part, we aren’t catching many of the criminals
International jurisdictions, non-compliant countries, no hard
evidence; real crimefighting takes time
Users/admins are not doing the simple things they should be
doing to stop malicious attacks
Attackers don’t need complex hypervisor attacks to do
damage; current attacks are doing just fine
Vendors could produce zero-defect software and it would
not make a measurable dent in cybercrime
Current Malware Landscape
Future Not Looking That Great
77. The most popular software in a particular
category will be successfully attacked the most
Grimes Corollary
Regardless of whether or not Microsoft made it!
Windows, IE, Microsoft Office
PDF over XPS
Apache over IIS
Quicktime over Windows Media Player
ActiveX over Java Applets
79. Auction/sales site scams
Selling a car or motorcycle for an unbelievable
price with unbelievable terms
“I’ll give you the best price ever and pay for
international shipping”
Send your money to a “trusted third party”
“Buyer protection”
Doesn’t care what your OS or browser is
So much for your anti-malware programs
Current Malware Landscape
Many Times No Malware Needed
80. Auction Car Sale Scam Example
Current Malware Landscape
Many Times No Malware Needed
81. Auction Car Sale Example
Current Malware Landscape
Many Times No Malware Needed
82. Lessons To Take Away
Malware usually comes from innocently infected web sites
Visiting only “trusted” web sites is not great advice anymore
Consider investing more in technologies that can mitigate
these types of threats
Educate end users about the current state of malware
If we could educate users to not install fake programs, the
majority of the current malware threat would disappear
overnight
Current Malware Landscape
Forming a Defense
83. Best End-User Defenses
Don’t be logged in as Administrator or root when
surfing the web or reading email
Run up-to-date anti-malware programs
Antivirus, Firewalls, Anti-spam, Anti-phishing, intrusion
detection
Fully patch OS and all applications, including
browser add-ons (harder than it sounds)
Use good, secure defaults
Fight the Good Fight
84. Best End-User Defenses
Educate end users about the most likely threats
Tell them to learn what their AV software looks like
and what it doesn’t
Show them what their patching software looks like
Tell them not to install software offered by their
favorite web site
Does your educational content contain this
information?
Phish your own users (be the first!)
Fight the Good Fight
85. Best End-User Defenses
Use search engines that contain anti-malware
abilities (e.g. Bing, Google, etc.)
Use browsers that have anti-malware checkers
Most of the popular ones, but not all
Look for unusual network traffic patterns
Unexpected large transfers, workstation-to-workstation,
server-to server
Install honeypots as early warning detectors
Fight the Good Fight
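The "look for unusual network traffic patterns" bullet names three signals: unexpected large transfers, workstation-to-workstation traffic, and server-to-server traffic. The script below is an added example, not part of the talk, that applies those three checks to flow records of the kind a NetFlow collector or firewall log exports. The flow records, the subnet-to-zone mapping, the allow-list of expected server pairs and the 1 GB threshold are all constructed assumptions; in a real network they come from your own address plan and a baseline measured over a few weeks.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, bytes); hypothetical addresses and sizes.
FLOWS = [
    ("10.1.10.21", "10.1.20.5", 48_000),          # workstation -> file server: normal
    ("10.1.10.21", "10.1.20.6", 12_000),          # workstation -> mail server: normal
    ("10.1.10.40", "93.184.216.34", 70_000),      # workstation -> internet: browsing
    ("10.1.10.21", "10.1.10.33", 900_000),        # workstation -> workstation
    ("10.1.10.33", "10.1.10.40", 5_000),          # one workstation probing three peers
    ("10.1.10.33", "10.1.10.41", 5_000),
    ("10.1.10.33", "10.1.10.42", 5_000),
    ("10.1.20.6", "10.1.20.5", 300_000),          # mail -> file server: on the allow-list
    ("10.1.20.5", "10.1.20.7", 300_000),          # server -> server, not expected
    ("10.1.20.5", "198.51.100.7", 2_500_000_000), # server -> internet, 2.5 GB
]

# Hypothetical address plan: which subnet holds which kind of host.
ZONES = {
    "workstation": ipaddress.ip_network("10.1.10.0/24"),
    "server": ipaddress.ip_network("10.1.20.0/24"),
}

# Server-to-server pairs that are known and expected (hypothetical).
ALLOWED_SERVER_PAIRS = {("10.1.20.6", "10.1.20.5")}

LARGE_TRANSFER_BYTES = 1_000_000_000  # 1 GB in one flow; tune to your baseline
FANOUT_THRESHOLD = 3                  # distinct workstation peers before we alert


def zone_of(ip: str) -> str:
    """Map an address to a zone name, or 'external' if it is in no known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def find_anomalies(flows):
    """Apply the three checks from the slide to each flow; return alert tuples."""
    alerts = []
    for src, dst, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "workstation" and dz == "workstation":
            alerts.append(("workstation-to-workstation", src, dst, nbytes))
        elif sz == "server" and dz == "server" and (src, dst) not in ALLOWED_SERVER_PAIRS:
            alerts.append(("unexpected server-to-server", src, dst, nbytes))
        if nbytes >= LARGE_TRANSFER_BYTES:
            alerts.append(("large transfer", src, dst, nbytes))
    return alerts


def lateral_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Workstations that talk to many other workstations: the shape of a worm or
    an attacker moving laterally. Returns {src: distinct_workstation_peers}."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        if zone_of(src) == "workstation" and zone_of(dst) == "workstation":
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    for kind, src, dst, nbytes in find_anomalies(FLOWS):
        print(f"{kind:28} {src:>13} -> {dst:<14} {nbytes:,} bytes")
    for src, n in lateral_fanout(FLOWS).items():
        print(f"fan-out: {src} contacted {n} workstations")
```

Two design points worth copying into a production version: the zone mapping turns a pile of addresses into a small number of relationship types that can be reviewed by a human, and the server allow-list means the server-to-server rule alerts on change rather than on volume. A single 1 GB threshold is a stand-in; the per-host daily baseline that replaces it is what makes the "unexpected" in "unexpected large transfers" meaningful.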
86. Future Defenses
Most countries are starting to work together better
(although very slowly)
Ultimately will take rebuilding the Internet
Building in pervasive identity and accountability
Still support anonymity
Will have to be done incrementally
Support End-to-End Trust initiatives
All needed protocols are already in place
See the Trusted Computing Group’s work
Microsoft’s End to End Trust
Current Malware Landscape
Forming a Defense