The End of Childhood Cybercrime. Dan Clark, VP Marketing and Research.


Transcript of The End of Childhood Cybercrime Dan Clark, VP Marketing and Research.

Page 1:

The End of Childhood Cybercrime

Dan Clark, VP Marketing and Research

Page 2:

In the News...

Gartner: Computers in use pass 1 billion mark

http://www.reuters.com/article/technologyNews/idUSL2324525420080623

Page 3:

A Really Big Question

How many malicious files exist?

Page 4:

[Chart: Total Size of Samples Exchanged by AV Companies, plotted per year from 1998 to 2009; vertical axis from 0 to 3,000,000 in steps of 500,000]

Page 5:

Samples exchanged by AV companies

• volume approximately triples every year

• 1998: volume < 100MB, files < 10k

• 2008: volume > 1.5TB, files > 5mil.

• volume in 2008 > all previous years combined

• total number of files exchanged > 15mil.

Page 6:

ThreatSense.Net

• Included in the client with various configuration options

• Two-part system

- statistical data submission

- suspicious file submission

• Statistics gathered can be separated

- by country

- by malware group

- by detection type (heuristic/generic)

- by time/date

- by detection module (on-access, internet, mail etc.)

Page 7:

Top 20 Infiltrations by Infection Share (worldwide)

Rank  Infiltration Name                    Infection Share
   1  INF/Autorun.gen                      12,95%
   2  Win32/PSW.OnLineGames.NMY            11,58%
   3  INF/Autorun                           8,02%
   4  Win32/Toolbar.MyWebSearch             6,40%
   5  Win32/Agent.AJVG                      5,80%
   6  WMA/TrojanDownloader.GetCodec.gen     5,57%
   7  Win32/Agent                           5,55%
   8  Win32/Conficker.AA                    3,88%
   9  Win32/Conficker.A                     3,85%
  10  Win32/Pacex.Gen                       3,36%
  11  Win32/Genetik                         2,99%
  12  Win32/AutoRun.KS                      2,97%
  13  WMA/TrojanDownloader.GetCodec.C       2,73%
  14  Win32/Adware.Virtumonde               2,53%
  15  Win32/PSW.OnLineGames.NMP             2,29%
  16  Win32/Patched.BU                      2,10%
  17  Win32/Packed.Autoit.Gen               2,06%
  18  Win32/Conficker.AE                    1,94%
  19  Win32/Qhost                           1,85%
  20  Win32/Conficker.E                     1,84%
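The two slides above describe telemetry that is split by country, malware group, detection type, date and detection module, and then ranked by infection share. The following is an added illustration of that aggregation, not ESET's ThreatSense.Net code: the report format and every sample line are constructed for the example, and the family-name rule in `malware_group` is a simplification (the last dot-separated component is treated as the variant).

```python
"""Aggregate detection telemetry along the dimensions listed on page 6 and
derive the 'infection share' ranking of page 7.  Added example, not ESET's
ThreatSense.Net code: the record layout and every sample line are constructed.
"""
from collections import Counter

# Constructed sample reports, one per line:
# timestamp,country,detection module,detection type,threat name
SAMPLE_REPORTS = """\
2009-02-01T08:11:00Z,US,on-access,generic,INF/Autorun.gen
2009-02-01T08:12:30Z,DE,internet,heuristic,Win32/PSW.OnLineGames.NMY
2009-02-01T08:15:00Z,US,on-access,generic,INF/Autorun.gen
2009-02-01T09:02:10Z,CN,mail,heuristic,Win32/Agent.AJVG
2009-02-01T09:40:00Z,US,internet,generic,INF/Autorun.gen
this line is deliberately malformed and must be skipped
2009-02-02T10:00:00Z,BR,on-access,heuristic,Win32/PSW.OnLineGames.NMY
2009-02-02T10:05:00Z,DE,on-access,generic,Win32/Conficker.AA
2009-02-02T11:30:00Z,CN,internet,generic,INF/Autorun.gen
"""

def parse_reports(text):
    """Parse the constructed format; skip malformed lines instead of aborting,
    since a real feed always carries some junk."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5 or not all(fields):
            continue
        ts, country, module, det_type, threat = fields
        records.append({"ts": ts, "country": country, "module": module,
                        "type": det_type, "threat": threat})
    return records

def malware_group(threat):
    """Family without the variant suffix: 'Win32/Conficker.AA' -> 'Win32/Conficker'.
    Simplification: the last dot-separated component is treated as the variant."""
    head, sep, _ = threat.rpartition(".")
    return head if sep else threat

def breakdown(records, key):
    """Detection counts along one dimension: 'country', 'module', 'type',
    'group' (malware family) or 'date'."""
    counts = Counter()
    for r in records:
        if key == "group":
            counts[malware_group(r["threat"])] += 1
        elif key == "date":
            counts[r["ts"][:10]] += 1
        else:
            counts[r[key]] += 1
    return dict(counts)

def infection_share(records, top=20):
    """Rank threats by their share of all detections, as in the top-20 table."""
    counts = Counter(r["threat"] for r in records)
    total = sum(counts.values())
    return [(rank, name, round(100.0 * n / total, 2))
            for rank, (name, n) in enumerate(counts.most_common(top), start=1)]

if __name__ == "__main__":
    recs = parse_reports(SAMPLE_REPORTS)
    for dim in ("country", "module", "type", "group", "date"):
        print(dim, breakdown(recs, dim))
    for rank, name, share in infection_share(recs):
        print(f"{rank:>2}  {name:<32} {share:6.2f}%")
```

On the constructed input, INF/Autorun.gen takes half of all detections, which is the kind of dominance the real table shows for the generic Autorun signature; the `group` breakdown is what lets the several Conficker and OnLineGames variants be counted as one family.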

Page 8:

Visualizing the Global Threat-Scape

Source: ThreatSense.Net

Page 9:

ThreatSense.Net Statistics

[Chart: Total number of samples received, January & February 2009; vertical axis from 0 to 400,000 in steps of 50,000]

Page 10:

ThreatSense.Net Statistics

[Chart: Total number of samples received, December 2007 – February 2009, one bar per month from 2007-12 to 2009-02; vertical axis from 0 to 8,000,000 in steps of 1,000,000]

Page 11:

Samples from ThreatSense.Net

• Only heuristic and generic detections sent

• 2008: files > 100k daily, 50mil. total

• 2009: files ~ 250k daily, expected > 100mil.

• Filters applied (Swizzor, Virtumonde, Sality ...)

• < 10% of computers participating

• Unknown/undetected threats

Page 12:

Conclusions

• Our current estimate: ~200 million malicious files (analysis continues)

• > 300k new malicious files daily

• Probably still more PCs than threats, likely to change soon

Page 13:

Why are there so many malicious files?

Page 14:

In the News...

The Register: Cybercrime ‘more lucrative’ than drugs

http://www.theregister.co.uk/2005/11/29/cybercrime/

Page 15:

Cybercrime

• Money always attracts criminals

• Internet today

- new inexperienced users

- new companies with little/no security policy enforced

• Examples of fraud opportunities

- directly related to money (Internet banking, e-commerce)

- indirectly related to money (advertisement)

- data stealing (targeted attacks)

• More malicious software than legitimate

Page 16:

Cybercrime vs. AV industry

• AV industry attacks their business

• Malware response? Avoid detection and removal

- encryption

- polymorphism

- stealth (rootkits)

- legal attacks

• Volume mutations (obfuscation)

- mutations generated in lab and distributed (Virtumonde, Zlob)

- mutations constantly generated by the hosting server (Swizzor)

Page 17:

From: support [mailto:[email protected]]
Sent: Wednesday, April 12, 2006 4:28 PM
To: XXXXXXXXXXX
Subject:

Hello XXXXXXXXXXX.

We are the eMediaCodec support team. We would like to know why your software NOD32 detects our codec as the virus "Win32/TrojanDownloader.Zlob.II".

Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in detail what the codec itself is. We do tell surfers about what is being installed on their computers.

We would very much appreciate it if you removed our eMediaCodec from your virus list.

Thanks

Win32/TrojanDownloader.Zlob

Page 18:

Subject: NOD32 detects our products as malware
Date: 21 Aug 2006 10:21:51 -0500
From: "Tyler Moore" [email protected]
To: XXXXXXXXXXXXXX

I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirus Pro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification.

Please confirm receipt of this message.

Best regards, Tyler Moore

Senior Vice-President, Legal Compliance, WinSoftware Ltd.

Rogue Antivirus

Page 19:

Consequences

Page 20:

Ineffective defense

• Simple signature approach doesn’t work

• With 200 mil. malicious files we need

- 3GB of MD5 signatures

- 800MB of CRC32 signatures (the number of collisions would be enormous ;-))

• With 300k of new malicious files every day

- Update size is too big

- No chance to receive and process all files to create signatures
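The slide's database sizes and its remark about CRC32 collisions follow from a few lines of arithmetic. The script below is an added worked example, not part of the presentation: the file counts (200 million in total, 300k new per day) are the slide's own, the digest widths are the standard 128 bits for MD5 and 32 bits for CRC32, and the collision figures use the birthday approximation, which assumes the hash spreads inputs uniformly over its output space.

```python
"""Worked numbers behind the 'ineffective defense' slide: the size of a
one-hash-per-file database, its daily growth, and why 32-bit CRC32
signatures collide.  Added example, not from the presentation; the file
counts are the slide's own, the hash widths are standard, and the collision
figures rest on the birthday approximation (assumes uniformly spread hashes).
"""
import math

MD5_BITS = 128
CRC32_BITS = 32
TOTAL_FILES = 200_000_000      # slide: ~200 million malicious files
NEW_FILES_PER_DAY = 300_000    # slide: > 300k new malicious files daily

def db_size_bytes(n_files, hash_bits):
    """Raw size of a flat table of fixed-width hashes (no index overhead)."""
    return n_files * (hash_bits // 8)

def expected_collisions(n, hash_bits):
    """Expected number of colliding pairs among n uniformly random values
    drawn from 2**hash_bits: n(n-1)/2 pairs, each colliding w.p. 2**-bits."""
    return n * (n - 1) / 2 / 2.0 ** hash_bits

def prob_any_collision(n, hash_bits):
    """Birthday bound: P(at least one collision) ~ 1 - exp(-n(n-1)/2^(bits+1))."""
    return 1.0 - math.exp(-n * (n - 1) / 2.0 ** (hash_bits + 1))

def files_at_first_expected_collision(hash_bits):
    """Smallest n with expected_collisions(n) >= 1, i.e. n ~ sqrt(2 * 2^bits)."""
    return math.ceil(math.sqrt(2.0 ** (hash_bits + 1)))

def daily_update_bytes(hash_bits, per_day=NEW_FILES_PER_DAY):
    """Bytes added to the database each day if every new file gets one hash."""
    return per_day * (hash_bits // 8)

def human(n_bytes):
    """Format a byte count with a decimal SI prefix, e.g. 3200000000 -> '3.2 GB'."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n_bytes < 1000 or unit == "TB":
            return f"{n_bytes:.1f} {unit}"
        n_bytes /= 1000.0

if __name__ == "__main__":
    for name, bits in (("MD5", MD5_BITS), ("CRC32", CRC32_BITS)):
        print(f"{name}: database {human(db_size_bytes(TOTAL_FILES, bits))}, "
              f"growth {human(daily_update_bytes(bits))}/day, "
              f"expected colliding pairs at {TOTAL_FILES:,} files: "
              f"{expected_collisions(TOTAL_FILES, bits):.3g}, "
              f"first collision expected around "
              f"{files_at_first_expected_collision(bits):,} files")
```

The 3.2 GB and 800 MB totals match the slide's rounded figures. The more useful output is the collision estimate: with 200 million entries a 32-bit checksum is expected to produce about 4.7 million colliding pairs, and the first one is expected after fewer than 100,000 files, so a CRC32 table would flag unrelated files as identical long before the database reached its target size; the same calculation for MD5 gives an expectation far below one.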

Page 21:

Effective defense

• Heuristics

- simulates the work of an AV expert (emulates the code in a virtualized environment, analyses code and data and tries to identify suspicious behavior)

• Smart signatures

- contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of a particular threat)

- need sophisticated technology, a big database of malware and legitimate software behavior patterns, and an experienced virus analyst team

- database only ~16MB for current threats
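To make the "one signature detects most mutations" point concrete, the script below contrasts an exact MD5-per-file database with a single family signature over constructed mutations of one payload. It is an added example and is not ESET's engine or signature format: the payload bytes, the mutation scheme (same core, a different 4-byte operand, random junk padding on both sides) and the `??` wildcard pattern syntax are all invented for this demonstration.

```python
"""Exact-hash signatures versus a family 'smart signature' (page 21), run
over constructed mutations of one payload.  Added example: not ESET's engine
or signature format.  The payload bytes, the mutation scheme and the
'?? wildcard' pattern syntax are all invented for this demonstration.
"""
import hashlib
import random

# Constructed invariant core of a fictitious downloader stub: a fixed prologue,
# a 4-byte immediate that each mutation changes, and a fixed epilogue.
STUB_HEAD = b"\x55\x8b\xec\x68"            # push ebp; mov ebp,esp; push imm32
STUB_TAIL = b"\xe8\x00\x00\x00\x00\xc3"    # call rel32; ret

# Family signature: the invariant bytes, with wildcards over the mutable operand.
FAMILY_PATTERN = "55 8b ec 68 ?? ?? ?? ?? e8 00 00 00 00 c3"

def make_variants(n, seed=2009):
    """Generate n 'lab mutations': same core, different operand, random junk
    padding of random length on both sides.  Seeded so the run is repeatable."""
    rng = random.Random(seed)
    variants = []
    for i in range(n):
        operand = i.to_bytes(4, "little")
        junk_len = rng.randint(8, 64)
        before = bytes(rng.getrandbits(8) for _ in range(junk_len))
        after = bytes(rng.getrandbits(8) for _ in range(junk_len))
        variants.append(before + STUB_HEAD + operand + STUB_TAIL + after)
    return variants

def parse_pattern(text):
    """'55 8b ?? c3' -> [0x55, 0x8b, None, 0xc3]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def pattern_matches(pattern, data):
    """Naive scan: does the wildcard pattern occur anywhere in data?"""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or p == data[i + k] for k, p in enumerate(pattern)):
            return True
    return False

def exact_hash_detects(hash_db, sample):
    """Classic signature: the file's MD5 must already be in the database."""
    return hashlib.md5(sample).hexdigest() in hash_db

def compare(n_variants=20, seen=10):
    """Build an exact-hash DB from the first `seen` variants only (the lab
    never receives them all), then measure what each approach catches."""
    variants = make_variants(n_variants)
    hash_db = {hashlib.md5(v).hexdigest() for v in variants[:seen]}
    family = parse_pattern(FAMILY_PATTERN)
    return {
        "variants": n_variants,
        "exact_hits": sum(exact_hash_detects(hash_db, v) for v in variants),
        "family_hits": sum(pattern_matches(family, v) for v in variants),
        "exact_db_bytes": len(hash_db) * 16,
        "family_sig_bytes": len(family),
    }

if __name__ == "__main__":
    print(compare())
```

The hash database catches exactly the variants it has already been fed and nothing else, while the 14-byte family pattern catches every mutation, including the ones generated after the signature was written. The cost of the smart approach is the part the slide lists as a requirement: someone has to identify the invariant core and confirm that the pattern does not also occur in legitimate software, which is why a large database of clean-software patterns and an experienced analyst team are needed.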

Page 22:

The Renowned Tests

[Chart: Number of Samples in the Test Sets, with three bars labelled "A Couple of 100K", "~ 1 Million" and "500K – 1 Million"]

Page 23:

Testing labs

• Work with a relatively small number of malicious files

• Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc.)

• Sample submissions from AV companies can skew results

• Samples circulating among AV companies and test centers are well-known and products can be “tuned”

Page 24:

The Weakest Link

Page 25:

End-Users

• Unaware of basic safety

• Deliberately ignore policies (adult content on a business laptop)

• Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.

Page 26:

A Real Fresh Phish - 5/27/09

Page 27:

A Fun Exercise

Spot the “Phish Factors”

Page 28:

7 Current Malware Trends

• Threats attacking popular browsers: drive-by downloads, exploitation of vulnerabilities in browsers and plugins

• Increasing threats to OS X, game boxes and Linux

• Malicious PDFs and other Trojan-like piggy-backing/exploitation of “trustworthy” documents

• Social engineering attacks, with more sophistication in the techniques used

• Fake antivirus and antispyware products

• Exploitation of Windows Autorun

• Online game password stealers

Page 29:

Conclusions

• Active malware is expanding geometrically

• Cybercrime is becoming more organized and flexible

• To fight it effectively we need:

- Innovative technology

- More informed and security conscious users

- Policies that reflect reality of user experience

Page 30:

Childhood’s end.

Thank you!