
The End of Childhood


Presentation Transcript


  1. Cybercrime • Dan Clark, VP Marketing and Research The End of Childhood

  2. In the News... Gartner: Computers in use pass 1 billion mark http://www.reuters.com/article/technologyNews/idUSL2324525420080623

  3. A Really Big Question How many malicious files exist?

  4. Total Size of Samples Exchanged by AV Companies

  5. Samples exchanged by AV companies • volume approximately triples every year • 1998: volume < 100MB, files < 10k • 2008: volume > 1.5TB, files > 5mil. • volume in 2008 > all previous years combined • total number of files exchanged > 15mil.

  6. ThreatSense.Net • Included in the client with various configuration options • Two-part system • statistical data submission • suspicious file submission • Statistics gathered can be broken down • by country • by malware group • by detection type (heuristic/generic) • by time/date • by detection module (on-access, internet, mail, etc.)

  7. Top 20 Infiltrations by Infection Share

  8. Visualizing the Global Threat-Scape Source: ThreatSense.Net

  9. ThreatSense.Net Statistics • Total number of samples received, January & February 2009

  10. ThreatSense.Net Statistics • Total number of samples received, December 2007 – February 2009

  11. Samples from ThreatSense.Net • Only heuristic and generic detections sent • 2008: files > 100k daily, 50mil. total • 2009: files ~ 250k daily, expected > 100mil. • Filters applied (Swizzor, Virtumonde, Sality...) • <10% of computers participating • Unknown/undetected threats

  12. Conclusions • Our current estimate: ~200 million malicious files (analysis continues) • > 300k new malicious files daily • Probably still more PCs than threats, but that is likely to change soon

  13. Why are there so many malicious files?

  14. In the News... The Register: Cybercrime ‘more lucrative’ than drugs http://www.theregister.co.uk/2005/11/29/cybercrime/

  15. Cybercrime • Money always attracts criminals • Internet today: new, inexperienced users; new companies with little or no security policy enforced • Examples of fraud opportunities • directly related to money (Internet banking, e-commerce) • indirectly related to money (advertising) • data stealing (targeted attacks) • More malicious software than legitimate software

  16. Cybercrime vs. AV industry • AV industry attacks their business • Malware response? Avoid detection and removal • encryption • polymorphism • stealth (rootkits) • Legal attacks • Volume mutations (obfuscation) • mutations generated in lab and distributed (Virtumonde, Zlob) • mutations constantly generated by the hosting server (Swizzor)

  17. Win32/TrojanDownloader.Zlob
  From: support [mailto:support@emediacodec.com]
  Sent: Wednesday, April 12, 2006 4:28 PM
  To: XXXXXXXXXXX
  Subject: Hello XXXXXXXXXXX.
  We are the eMediaCodec support team. We would like to know why your software NOD32 detects our codec as the virus "Win32/TrojanDownloader.Zlob.II". Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in detail what the codec itself is. We do tell surfers about what is being installed on their computers. We would very much appreciate it if you remove our eMediaCodec from your virus list. Thanks

  18. Rogue Antivirus
  Subject: NOD32 detects our products as malware
  Date: 21 Aug 2006 10:21:51 -0500
  From: "Tyler Moore" tyler.moore@winsoftware.com
  To: XXXXXXXXXXXXXX
  I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirusPro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification. Please confirm receipt of this message. Best regards, Tyler Moore, Senior Vice-President, Legal Compliance, WinSoftware Ltd.

  19. Consequences

  20. Ineffective defense • The simple signature approach doesn't work • With 200 mil. malicious files we would need • 3GB of MD5 signatures • 800MB of CRC32 signatures (and the number of collisions would be enormous ;-)) • With 300k new malicious files every day • Update size is too big • No chance to receive and process all files to create signatures

  21. Effective defense • Heuristics • simulate the work of an AV expert (emulate the code in a virtualized environment, analyse code and data and try to identify suspicious behavior) • Smart signatures • contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of a particular threat) • need sophisticated technology, a big database of malware and legitimate-software behavior patterns, and an experienced virus analyst team • database only ~16MB for current threats
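The following is an added example, not part of the presentation, that works through the arithmetic behind slides 20 and 21 and contrasts a per-file hash list with a family signature. The two "samples" are constructed byte strings with a hypothetical `DROPPER_STUB_v1` marker, not real malware, and the collision estimate uses the standard birthday approximation.

```python
import hashlib
import re

# Figures quoted on the slides: ~200 million known malicious files, ~300k new per day.
KNOWN_MALICIOUS_FILES = 200_000_000
NEW_FILES_PER_DAY = 300_000
MD5_BYTES, CRC32_BYTES = 16, 4


def signature_db_bytes(n_files, sig_bytes):
    """Raw size of a flat one-hash-per-file list, ignoring any index overhead."""
    return n_files * sig_bytes


def daily_update_bytes(new_per_day, sig_bytes):
    """Bytes of new hashes that must ship every day just to keep up."""
    return new_per_day * sig_bytes


def expected_hash_collisions(n_files, bits):
    """Birthday-bound estimate of colliding pairs among n uniformly random hashes."""
    return n_files * (n_files - 1) / (2 * 2 ** bits)


# Constructed samples (not real malware): two members of an imaginary downloader
# family that differ only in padding and the URL they fetch. Marker is hypothetical.
SAMPLE_A = b"MZ\x90\x00DROPPER_STUB_v1\x00\x00PAYLOAD=http://example.invalid/a.bin"
SAMPLE_B = b"MZ\x90\x00DROPPER_STUB_v1\x00\x00\x00\x00PAYLOAD=http://example.invalid/b.bin"


def md5_signature(data):
    """Exact-match signature: one hash covers exactly one file."""
    return hashlib.md5(data).hexdigest()


def matches_hash_db(data, hash_db):
    return md5_signature(data) in hash_db


# "Smart" signature: invariant family bytes plus a bounded wildcard over the mutable
# region, so a single entry covers every member that keeps the same structure.
FAMILY_PATTERN = re.compile(rb"DROPPER_STUB_v1.{0,64}?PAYLOAD=http://", re.DOTALL)


def matches_family(data):
    return FAMILY_PATTERN.search(data) is not None


if __name__ == "__main__":
    print(f"MD5 list: {signature_db_bytes(KNOWN_MALICIOUS_FILES, MD5_BYTES) / 1e9:.1f} GB")
    print(f"CRC32 list: {signature_db_bytes(KNOWN_MALICIOUS_FILES, CRC32_BYTES) / 1e6:.0f} MB, "
          f"~{expected_hash_collisions(KNOWN_MALICIOUS_FILES, 32):.2e} colliding pairs")
    print(f"Daily MD5 update: {daily_update_bytes(NEW_FILES_PER_DAY, MD5_BYTES) / 1e6:.1f} MB")
    print("hash DB built from A catches B:", matches_hash_db(SAMPLE_B, {md5_signature(SAMPLE_A)}))
    print("family signature catches B:", matches_family(SAMPLE_B))
```

The hash list built from sample A misses sample B entirely, while the one family pattern matches both; at 32 bits the birthday bound already predicts millions of colliding pairs across 200 million entries.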

  22. The Renowned Tests • Number of samples in the test sets: a couple of 100K; ~1 million; 500K – 1 million

  23. Testing labs • Work with a relatively small number of malicious files • Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc.) • Sample submissions from AV companies can skew results • Samples circulating among AV companies and test centers are well known, and products can be "tuned" to them

  24. The Weakest Link

  25. End-Users • Unaware of basic safety • Deliberately ignore policies (adult content on the business laptop) • Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.

  26. A Real Fresh Phish - 5/27/09

  27. A Fun Exercise Spot the “Phish Factors”

  28. 7 Current Malware Trends • Threats attacking popular browsers • drive-by downloads, exploitation of vulnerabilities in browsers and plugins • Increasing threats to OS X, game consoles and Linux • Malicious PDFs and other Trojan-like piggy-backing on / exploitation of "trustworthy" documents • Social engineering attacks, with more sophistication in the techniques used • Fake antivirus and antispyware products • Exploitation of Windows Autorun • Online game password stealers

  29. Conclusions • Active malware is expanding geometrically • Cybercrime is becoming more organized and flexible • To fight it effectively we need: • Innovative technology • More informed and security-conscious users • Policies that reflect the reality of user experience

  30. Childhood’s end. Thank you!
