Post on 20-Jan-2016
The End of Childhood
Cybercrime
Dan Clark, VP Marketing and Research
In the News...
Gartner: Computers in use pass 1 billion mark
http://www.reuters.com/article/technologyNews/idUSL2324525420080623
A Really Big Question
How many malicious files exist?
[Chart: Total Size of Samples Exchanged by AV Companies, 1998–2009, y-axis 0 to 3,000,000]
Samples exchanged by AV companies
• volume approximately triples every year
• 1998: volume < 100MB, files < 10k
• 2008: volume > 1.5TB, files > 5mil.
• volume in 2008 > all previous years combined
• total number of files exchanged > 15mil.
ThreatSense.Net
• Included in the client with various configuration options
• Two part system
• statistical data submission
• suspicious file submission
• Statistics gathered can be separated
• by country
• by malware group
• by detection type (heur/generic)
• by time/date
• by detection module (on-access, internet, mail, etc.)
Top 20 Infiltrations by Infection Share
World Wide
Rank Infiltration Name Infection Share
1 INF/Autorun.gen 12,95%
2 Win32/PSW.OnLineGames.NMY 11,58%
3 INF/Autorun 8,02%
4 Win32/Toolbar.MyWebSearch 6,40%
5 Win32/Agent.AJVG 5,80%
6 WMA/TrojanDownloader.GetCodec.gen 5,57%
7 Win32/Agent 5,55%
8 Win32/Conficker.AA 3,88%
9 Win32/Conficker.A 3,85%
10 Win32/Pacex.Gen 3,36%
11 Win32/Genetik 2,99%
12 Win32/AutoRun.KS 2,97%
13 WMA/TrojanDownloader.GetCodec.C 2,73%
14 Win32/Adware.Virtumonde 2,53%
15 Win32/PSW.OnLineGames.NMP 2,29%
16 Win32/Patched.BU 2,10%
17 Win32/Packed.Autoit.Gen 2,06%
18 Win32/Conficker.AE 1,94%
19 Win32/Qhost 1,85%
20 Win32/Conficker.E 1,84%
Visualizing the Global Threat-Scape
Source: ThreatSense.Net
ThreatSense.Net Statistics
[Chart: Total number of samples received, January & February 2009, y-axis 0 to 400,000]
ThreatSense.Net Statistics
[Chart: Total number of samples received, December 2007 – February 2009, monthly, y-axis 0 to 8,000,000]
Samples from ThreatSense.Net
• Only heuristic and generic detections sent
• 2008: files > 100k daily, 50mil. total
• 2009: files ~ 250k daily, expected > 100mil.
• Filters applied (Swizzor, Virtumonde, Sality ...)
• <10% of computers participating
• Unknown/undetected threats
Conclusions
• Our current estimate ~200 million of malicious files (analysis continues)
• > 300k new malicious files daily
• Probably still more PCs than threats, likely to change soon
Why are there so many malicious files?
In the News...
The Register: Cybercrime ‘more lucrative’ than drugs
http://www.theregister.co.uk/2005/11/29/cybercrime/
Cybercrime
• Money always attracts criminals
• Internet today
- new inexperienced users
- new companies with little/no security policy enforced
• Fraud opportunities examples
- directly related to money (Internet banking, e-commerce)
- indirectly related to money (advertisement)
- data stealing (targeted attacks)
• More malicious software than legitimate
Cybercrime vs. AV industry
• AV industry attacks their business
• Malware response? Avoid detection and removal
- encryption
- polymorphism
- stealth (rootkits)
- Legal attacks
• Volume mutations (obfuscation)
- mutations generated in lab and distributed (Virtumonde, Zlob)
- mutations constantly generated by the hosting server (Swizzor)
From: support [mailto:support@emediacodec.com]
Sent: Wednesday, April 12, 2006 4:28 PM
To: XXXXXXXXXXX
Subject:
Hello XXXXXXXXXXX.
We are the eMediaCodec support team. We would like to know why your software NOD32 detects our codec as virus "Win32/TrojanDownloader.Zlob.II".
Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in detail what the codec itself is. We do tell surfers what is being installed on their computers.
We would very much appreciate it if you remove our eMediaCodec from your virus list.
Thanks
Win32/TrojanDownloader.Zlob
Subject: NOD32 detects our products as malware
Date: 21 Aug 2006 10:21:51 -0500
From: "Tyler Moore" tyler.moore@winsoftware.com
To: XXXXXXXXXXXXXX
I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirus Pro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification. Please confirm receipt of this message.
Best regards, Tyler Moore
Senior Vice-President, Legal Compliance WinSoftware Ltd.
Rogue Antivirus
Consequences
Ineffective defense
• Simple signature approach doesn’t work
• With 200 mil. malicious files we need
- 3GB of MD5 signatures
- 800MB of CRC32 signatures (the number of collisions would be enormous ;-))
• With 300k of new malicious files every day
- Update size is too big
- No chance to receive and process all files to create signatures
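An added example (not from the talk) that turns the slide's figures into numbers a defender can check: the size of a flat hash list for 200 million files, the birthday-bound estimate of CRC32 collisions the slide calls enormous, the daily update volume, and why every trivial server-side mutation of a sample needs its own exact-hash signature. The sample bytes and the mutation routine are constructed stand-ins.

```python
# Added example, not part of the original talk: quantify the hash-blacklist
# figures on the slides (200 million known malicious files, ~300k new per day).
import hashlib
import math

MD5_BYTES = 16    # 128-bit digest
CRC32_BYTES = 4   # 32-bit checksum

def signature_db_bytes(num_files: int, digest_bytes: int) -> int:
    """Raw size of a flat list holding one digest per known malicious file."""
    return num_files * digest_bytes

def expected_collisions(num_files: int, digest_bits: int) -> float:
    """Birthday-bound estimate: expected number of colliding pairs among
    num_files distinct inputs hashed into a digest_bits-wide space."""
    return num_files * (num_files - 1) / (2 * 2 ** digest_bits)

def collision_probability(num_files: int, digest_bits: int) -> float:
    """Probability that at least one pair of digests collides (Poisson approx.)."""
    return 1.0 - math.exp(-expected_collisions(num_files, digest_bits))

def daily_update_bytes(new_files_per_day: int, digest_bytes: int) -> int:
    """Bytes a client must download per day just to keep the hash list current."""
    return new_files_per_day * digest_bytes

def mutate(sample: bytes, count: int) -> list:
    """Constructed stand-in for server-side mutation (Swizzor-style): the same
    payload with two differing trailing bytes, so each variant is functionally
    the same file but hashes differently."""
    return [sample + i.to_bytes(2, "big") for i in range(count)]

def signatures_needed(samples) -> int:
    """Exact-hash signatures a per-file blacklist needs to cover these samples."""
    return len({hashlib.md5(s).hexdigest() for s in samples})

if __name__ == "__main__":
    n, per_day = 200_000_000, 300_000   # figures from the slides
    print(f"MD5 list: {signature_db_bytes(n, MD5_BYTES) / 1e9:.1f} GB")
    print(f"CRC32 list: {signature_db_bytes(n, CRC32_BYTES) / 1e6:.0f} MB, "
          f"~{expected_collisions(n, 32):,.0f} colliding pairs expected")
    print(f"Daily MD5 update: {daily_update_bytes(per_day, MD5_BYTES) / 1e6:.1f} MB")
    variants = mutate(b"MZ\x90\x00constructed-sample", 1000)  # constructed input
    print(f"{len(variants)} trivial variants need {signatures_needed(variants)} signatures")
```

With 200 million entries a 32-bit checksum is expected to produce millions of colliding pairs, so CRC32 would flag legitimate files; MD5 avoids that but still needs a new entry per mutation, which is the case for family-level signatures made on the next slide.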
Effective defense
• Heuristics
- simulates the work of an AV expert (emulates the code in a virtualized environment, analyses code and data and tries to identify suspicious behavior)
• Smart signatures
- contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of a particular threat)
- need sophisticated technology, a big database of malware and legitimate software behavior patterns, and an experienced virus analyst team
- database only ~16MB for current threats
The Renowned Tests
[Chart: Number of Samples in the Test Sets: a couple of 100K; ~1 Million; 500K – 1 Million]
Testing labs
• Work with a relatively small number of malicious files
• Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc.)
• Sample submissions from AV companies can skew results
• Samples circulating among AV companies and test centers are well-known and products can be “tuned”
The Weakest Link
End-Users
• Unaware of basic safety
• Deliberately ignore policies (adult content on a business laptop)
• Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.
A Real Fresh Phish - 5/27/09
A Fun Exercise
Spot the “Phish Factors”
7 Current Malware Trends
• Threats attacking popular browsers
• Drive-by downloads, exploitation of vulnerabilities in browsers and plugins
• Increasing threats to OS X, game boxes and Linux
• Malicious PDFs and other Trojan-like piggy-backing/exploitation of “trustworthy” documents
• Social engineering attacks, more sophistication in the techniques used.
• Fake antivirus and antispyware products
• Exploitation of the Windows Autorun
• Online Game password stealers
Conclusions
• Active malware is expanding geometrically
• Cybercrime is becoming more organized and flexible
• To fight it effectively we need:
- Innovative technology
- More informed and security conscious users
- Policies that reflect reality of user experience
Childhood’s end.
Thank you!