Cybercrime • Dan Clark, VP Marketing and Research The End of Childhood
In the News... Gartner: Computers in use pass 1 billion mark http://www.reuters.com/article/technologyNews/idUSL2324525420080623
A Really Big Question How many malicious files exist?
Samples exchanged by AV companies • volume approximately triples every year • 1998: volume < 100MB, files < 10k • 2008: volume > 1.5TB, files > 5mil. • volume in 2008 > all previous years combined • total number of files exchanged > 15mil.
ThreatSense.Net • Included in the client with various configuration options • Two part system • statistical data submission • suspicious file submission • Statistics gathered can be separated • by country • by malware group • by detection type (heur/generic) • by time/date • by detection module (on-access, internet, mail etc)
Visualizing the Global Threat-Scape Source: ThreatSense.Net
ThreatSense.Net Statistics • Total number of samples received, January & February 2009
ThreatSense.Net Statistics • Total number of samples received, December 2007 – February 2009
Samples from ThreatSense.Net • Only heuristic and generic detections sent • 2008: files > 100k daily, 50mil. total • 2009: files ~ 250k daily, expected > 100mil. • Filters applied (Swizzor, Virtumonde, Sality...) • <10% of computers participating • Unknown/undetected threats
Conclusions • Our current estimate ~200 million malicious files (analysis continues) • > 300k new malicious files daily • Probably still more PCs than threats, likely to change soon
In the News... The Register: Cybercrime ‘more lucrative’ than drugs http://www.theregister.co.uk/2005/11/29/cybercrime/
Cybercrime • Money always attracts criminals • Internet today - new inexperienced users - new companies with little/no security policy enforced • Fraud opportunities examples • directly related to money (Internet banking, e-commerce) • indirectly related to money (advertisement) • data stealing (targeted attacks) • More malicious software than legitimate
Cybercrime vs. AV industry • AV industry attacks their business • Malware response? Avoid detection and removal • encryption • polymorphism • stealth (rootkits) • Legal attacks • Volume mutations (obfuscation) • mutations generated in lab and distributed (Virtumonde, Zlob) • mutations constantly generated by the hosting server (Swizzor)
Win32/TrojanDownloader.Zlob From: support [mailto:support@emediacodec.com] Sent: Wednesday, April 12, 2006 4:28 PM To: XXXXXXXXXXX Subject: Hello XXXXXXXXXXX. We are eMediaCodec support team. We would like to know why your software NOD32 detects our codec as virus "Win32/TrojanDownloader.Zlob.II". Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in details what is the codec itself. We do tell surfers about what being installed on their computers. We would very appreciate if you remove our eMediaCodec from your virus list. Thanks
Rogue Antivirus Subject: NOD32 detects our products as malware Date: 21 Aug 2006 10:21:51 -0500 From: "Tyler Moore" tyler.moore@winsoftware.com To: XXXXXXXXXXXXXX I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirusPro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification. Please confirm receipt of this message. Best regards, Tyler Moore Senior Vice-President, Legal Compliance WinSoftware Ltd.
Ineffective defense • Simple signature approach doesn’t work • With 200 mil. malicious files we need • 3GB of MD5 signatures • 800MB of CRC32 signatures (the number of collisions would be enormous ;-)) • With 300k of new malicious files every day • Update size is too big • No chance to receive and process all files to create signatures
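Added example, not from the presentation: a Python recomputation of the slide's arithmetic (flat signature database size and daily update size for MD5 and CRC32 at the slide's 200 million files and 300k new files per day), extended with a birthday-bound estimate of how many CRC32 pairs would actually collide, which the slide only calls "enormous". The constants are the slide's figures; the function names are my own.

```python
import math

# Figures taken from the slides (constructed recomputation, not the presenter's code)
MALICIOUS_FILES = 200_000_000      # "our current estimate ~200 million"
NEW_FILES_PER_DAY = 300_000        # "> 300k new malicious files daily"
SMART_DB_BYTES = 16 * 1024 * 1024  # "database only ~16MB for current threats"

HASH_BITS = {"md5": 128, "crc32": 32}


def db_size_bytes(n_files: int, hash_name: str) -> int:
    """Size of a flat database holding one fixed-width hash per known file."""
    return n_files * HASH_BITS[hash_name] // 8


def daily_update_bytes(hash_name: str, new_per_day: int = NEW_FILES_PER_DAY) -> int:
    """Bytes every client must fetch per day just to keep up with new files."""
    return db_size_bytes(new_per_day, hash_name)


def expected_colliding_pairs(n_files: int, hash_name: str) -> float:
    """Birthday-bound estimate of hash pairs sharing a value: n(n-1) / (2 * 2^bits).
    Each such pair is a file the scanner can no longer distinguish from another."""
    space = 2 ** HASH_BITS[hash_name]
    return n_files * (n_files - 1) / (2 * space)


def collision_probability(n_files: int, hash_name: str) -> float:
    """Probability that at least one pair collides: 1 - exp(-n(n-1) / (2N))."""
    return 1.0 - math.exp(-expected_colliding_pairs(n_files, hash_name))


def summarize(n_files: int = MALICIOUS_FILES) -> dict:
    """Per-hash summary: DB size, daily update, collisions, and ratio to the 16MB smart DB."""
    rows = {}
    for h in HASH_BITS:
        rows[h] = {
            "db_mb": db_size_bytes(n_files, h) / 1e6,
            "update_mb_per_day": daily_update_bytes(h) / 1e6,
            "expected_collisions": expected_colliding_pairs(n_files, h),
            "p_any_collision": collision_probability(n_files, h),
            "x_smart_db": db_size_bytes(n_files, h) / SMART_DB_BYTES,
        }
    return rows


if __name__ == "__main__":
    for h, r in summarize().items():
        print(f"{h:6s} db={r['db_mb']:6.0f} MB  update={r['update_mb_per_day']:.1f} MB/day  "
              f"collisions~{r['expected_collisions']:.3g}  P(any)={r['p_any_collision']:.3g}  "
              f"{r['x_smart_db']:.0f}x the 16MB smart-signature DB")
```

Running it reproduces the slide's 3.2GB (MD5) and 800MB (CRC32) figures and shows that CRC32 would yield roughly 4.7 million colliding pairs, while MD5's collision count is negligible but its database is about 190 times the size of the smart-signature database on the next slide.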
Effective defense • Heuristics • simulates work of an AV expert (emulates the code in virtualized environment, analyses code and data and tries to identify suspicious behavior) • Smart signatures • contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of particular threat) • need for sophisticated technology, big database of malware and legitimate software behavior patterns, experienced virus analyst team • database only ~16MB for current threats
The Renowned Tests • Number of samples in the test sets (chart): a couple of 100K; ~1 million; 500K – 1 million
Testing labs • Work with relatively small number of malicious files • Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc) • Sample submissions from AV companies can skew results • Samples circulating among AV companies and test centers are well-known and products can be “tuned”
End-Users • Unaware of basic safety • Deliberately ignore policies (adult content on a business laptop) • Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.
A Fun Exercise Spot the “Phish Factors”
7 Current Malware Trends • Threats attacking popular browsers • drive-by downloads, exploitation of vulnerabilities in browsers and plugins • Increasing threats to OS X, game boxes and Linux • Malicious PDFs and other Trojan-like piggy-backing/exploitation of “trustworthy” documents • Social engineering attacks, more sophistication in the techniques used. • Fake antivirus and antispyware products • Exploitation of the Windows Autorun • Online Game password stealers
Conclusions • Active malware is expanding geometrically • Cybercrime is becoming more organized and flexible • To fight it effectively we need: • Innovative technology • More informed and security-conscious users • Policies that reflect the reality of user experience
Childhood’s end. Thank you!