The End of Childhood Cybercrime Dan Clark, VP Marketing and Research.
Page 1
The End of Childhood Cybercrime
Dan Clark, VP Marketing and Research
Page 2
In the News...
Gartner: Computers in use pass 1 billion mark
http://www.reuters.com/article/technologyNews/idUSL2324525420080623
Page 3
A Really Big Question
How many malicious files exist?
Page 4
Chart: Total Size of Samples Exchanged by AV Companies, by year 1998–2009 (y-axis 0 to 3,000,000)
Page 5
Samples exchanged by AV companies
• volume approximately triples every year
• 1998: volume < 100MB, files < 10k
• 2008: volume > 1.5TB, files > 5mil.
• volume in 2008 > all previous years combined
• total number of files exchanged > 15mil.
Page 6
ThreatSense.Net
• Included in the client with various configuration options
• Two part system
- statistical data submission
- suspicious file submission
• Statistics gathered can be separated
- by country
- by malware group
- by detection type (heur/generic)
- by time/date
- by detection module (on-access, internet, mail etc.)
Page 7
Top 20 Infiltrations by Infection Share
Worldwide
Rank  Infiltration Name  Infection Share
1 INF/Autorun.gen 12,95%
2 Win32/PSW.OnLineGames.NMY 11,58%
3 INF/Autorun 8,02%
4 Win32/Toolbar.MyWebSearch 6,40%
5 Win32/Agent.AJVG 5,80%
6 WMA/TrojanDownloader.GetCodec.gen 5,57%
7 Win32/Agent 5,55%
8 Win32/Conficker.AA 3,88%
9 Win32/Conficker.A 3,85%
10 Win32/Pacex.Gen 3,36%
11 Win32/Genetik 2,99%
12 Win32/AutoRun.KS 2,97%
13 WMA/TrojanDownloader.GetCodec.C 2,73%
14 Win32/Adware.Virtumonde 2,53%
15 Win32/PSW.OnLineGames.NMP 2,29%
16 Win32/Patched.BU 2,10%
17 Win32/Packed.Autoit.Gen 2,06%
18 Win32/Conficker.AE 1,94%
19 Win32/Qhost 1,85%
20 Win32/Conficker.E 1,84%
Page 8
Visualizing the Global Threat-Scape
Source: ThreatSense.Net
Page 9
ThreatSense.Net Statistics
Chart: Total number of samples received, January & February 2009 (y-axis 0 to 400,000)
Page 10
ThreatSense.Net Statistics
Chart: Total number of samples received, December 2007 – February 2009, by month from 2007-12 to 2009-02 (y-axis 0 to 8,000,000)
Page 11
Samples from ThreatSense.Net
• Only heuristic and generic detections sent
• 2008: files > 100k daily, 50mil. total
• 2009: files ~ 250k daily, expected > 100mil.
• Filters applied (Swizzor, Virtumonde, Sality ...)
• <10% of computers participating
• Unknown/undetected threats
Page 12
Conclusions
• Our current estimate ~200 million of malicious files (analysis continues)
• > 300k new malicious files daily
• Probably still more PCs than threats, likely to change soon
Page 13
Why are there so many malicious files?
Page 14
In the News...
The Register: Cybercrime ‘more lucrative’ than drugs
http://www.theregister.co.uk/2005/11/29/cybercrime/
Page 15
Cybercrime
• Money always attracts criminals
• Internet today
- new inexperienced users
- new companies with little/no security policy enforced
• Fraud opportunities examples
- directly related to money (Internet banking, e-commerce)
- indirectly related to money (advertisement)
- data stealing (targeted attacks)
• More malicious software than legitimate
Page 16
Cybercrime vs. AV industry
• AV industry attacks their business
• Malware response? Avoid detection and removal
- encryption
- polymorphism
- stealth (rootkits)
- Legal attacks
• Volume mutations (obfuscation)
- mutations generated in lab and distributed (Virtumonde, Zlob)
- mutations constantly generated by the hosting server (Swizzor)
Page 17
From: support [mailto:[email protected]]
Sent: Wednesday, April 12, 2006 4:28 PM
To: XXXXXXXXXXX
Subject:
Hello XXXXXXXXXXX.
We are the eMediaCodec support team. We would like to know why your software NOD32 detects our codec as virus "Win32/TrojanDownloader.Zlob.II".
Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in detail what the codec itself is. We do tell surfers what is being installed on their computers.
We would very much appreciate it if you remove our eMediaCodec from your virus list.
Thanks
Win32/TrojanDownloader.Zlob
Page 18
Subject: NOD32 detects our products as malware
Date: 21 Aug 2006 10:21:51 -0500
From: "Tyler Moore" [email protected]
To: XXXXXXXXXXXXXX
I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirus Pro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification.
Please confirm receipt of this message.
Best regards, Tyler Moore
Senior Vice-President, Legal Compliance WinSoftware Ltd.
Rogue Antivirus
Page 19
Consequences
Page 20
Ineffective defense
• Simple signature approach doesn’t work
• With 200 mil. malicious files we need
- 3GB of MD5 signatures
- 800MB of CRC32 signatures (the number of collisions would be enormous ;-))
• With 300k new malicious files every day
- Update size is too big
- No chance to receive and process all files to create signatures
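The arithmetic behind the slide's "3GB of MD5" and "800MB of CRC32" figures, as an added example that is not part of the talk. It uses the slide's own estimates (~200 million malicious files, ~300k new per day) and adds the two numbers the smiley alludes to: the chance a clean file's CRC32 happens to sit in such a database, and the number of colliding pairs inside it (birthday bound).

```python
# Added example (not from the talk): signature-database sizing for the
# "Ineffective defense" slide. Inputs are the slide's own round estimates.
MD5_BYTES = 16     # 128-bit digest per signature
CRC32_BYTES = 4    # 32-bit checksum per signature

def signature_db_bytes(num_files: int, sig_bytes: int) -> int:
    """Storage for one fixed-size signature per known malicious file."""
    return num_files * sig_bytes

def daily_update_bytes(new_files_per_day: int, sig_bytes: int) -> int:
    """Size of the update every client would have to pull each day."""
    return new_files_per_day * sig_bytes

def false_positive_rate(num_signatures: int, hash_bits: int) -> float:
    """Chance that a random clean file's hash equals some database entry
    (signatures / hash space): the per-file false-alarm rate of the scanner."""
    return num_signatures / 2 ** hash_bits

def expected_collisions(num_files: int, hash_bits: int) -> float:
    """Birthday bound: expected colliding pairs inside the database itself,
    n(n-1)/2 pairs, each colliding with probability 2^-bits."""
    return num_files * (num_files - 1) / 2 / 2 ** hash_bits

def human(nbytes: float) -> str:
    """Decimal units, so 3.2e9 bytes reads as the slide's '3GB'."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if nbytes < 1000:
            return f"{nbytes:.1f} {unit}"
        nbytes /= 1000
    return f"{nbytes:.1f} PB"

if __name__ == "__main__":
    n, per_day = 200_000_000, 300_000
    print("MD5 database:     ", human(signature_db_bytes(n, MD5_BYTES)))
    print("CRC32 database:   ", human(signature_db_bytes(n, CRC32_BYTES)))
    print("MD5 daily update: ", human(daily_update_bytes(per_day, MD5_BYTES)))
    print(f"CRC32 clean-file false-alarm rate: {false_positive_rate(n, 32):.2%}")
    print(f"CRC32 colliding pairs in database: {expected_collisions(n, 32):,.0f}")
```

With 200 million CRC32 entries, roughly one clean file in twenty would match some signature by accident, which is why a 32-bit checksum database is unusable regardless of its 800MB size.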
Page 21
Effective defense
• Heuristics
- simulates the work of an AV expert (emulates the code in a virtualized environment, analyses code and data and tries to identify suspicious behavior)
• Smart signatures
- contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of a particular threat)
- need sophisticated technology, a big database of malware and legitimate software behavior patterns, and an experienced virus analyst team
- database only ~16MB for current threats
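An added illustration of the per-file hash versus family "smart signature" argument above; it is not ESET's code or technology. Traces, action names and the subsequence-pattern matcher are all constructed for the example: a trace is the ordered list of actions an emulator might log, and each mutation keeps the family's core actions in order while filler actions vary.

```python
import hashlib
import random

# Added example (not ESET's code): constructed behaviour traces. Action names
# are made up; a family member keeps FAMILY_CORE in order, filler varies.
FAMILY_CORE = ["open_browser_cache", "read_saved_passwords",
               "connect_remote_host", "send_data"]
FILLER = ["sleep", "get_tick_count", "read_registry", "alloc_memory", "nop"]

def make_variant(rng: random.Random) -> list[str]:
    """One mutation: core actions in order, 0-3 random filler actions before each."""
    trace: list[str] = []
    for action in FAMILY_CORE:
        trace.extend(rng.choice(FILLER) for _ in range(rng.randint(0, 3)))
        trace.append(action)
    return trace

def file_hash(trace: list[str]) -> str:
    """Exact signature: one hash of the whole trace, one entry per file."""
    return hashlib.md5("|".join(trace).encode()).hexdigest()

def matches_pattern(trace: list[str], pattern: list[str]) -> bool:
    """Smart signature: all pattern actions must occur in order, gaps allowed."""
    steps = iter(trace)
    return all(any(step == action for step in steps) for action in pattern)

def coverage(samples, detector) -> float:
    """Fraction of samples the detector flags."""
    return sum(1 for s in samples if detector(s)) / len(samples)

def compare(n_variants: int = 1000, seed: int = 7) -> tuple[float, float]:
    """Coverage of n_variants mutations by (a) the hash of the single sample
    the lab received and (b) one family pattern."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n_variants)]
    hash_db = {file_hash(variants[0])}
    by_hash = coverage(variants, lambda t: file_hash(t) in hash_db)
    by_pattern = coverage(variants, lambda t: matches_pattern(t, FAMILY_CORE))
    return by_hash, by_pattern

# A legitimate program touching some of the same things, but not the whole
# sequence, must stay clean: the "legitimate behaviour patterns" half.
BENIGN_TRACE = ["open_browser_cache", "read_registry", "sleep", "send_data"]

if __name__ == "__main__":
    by_hash, by_pattern = compare()
    print(f"exact hash: {by_hash:.1%}   family pattern: {by_pattern:.1%}")
    print("benign flagged:", matches_pattern(BENIGN_TRACE, FAMILY_CORE))
```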
Page 22
The Renowned Tests
Chart: Number of Samples in the Test Sets (labels: a couple of 100K; ~1 million; 500K – 1 million)
Page 23
Testing labs
• Work with relatively small number of malicious files
• Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc.)
• Sample submissions from AV companies can skew results
• Samples circulating among AV companies and test centers are well-known and products can be “tuned”
Page 24
The Weakest Link
Page 25
End-Users
• Unaware of basic safety
• Deliberately ignore policies (adult content on business laptop)
• Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.
Page 26
A Real Fresh Phish - 5/27/09
Page 27
A Fun Exercise
Spot the “Phish Factors”
Page 28
7 Current Malware Trends
• Threats attacking popular browsers
- drive-by downloads, exploitation of vulnerabilities in browsers and plugins
• Increasing threats to OS X, game boxes and Linux
• Malicious PDFs and other Trojan-like piggy-backing/exploitation of “trustworthy” documents
• Social engineering attacks, more sophistication in the techniques used.
• Fake antivirus and antispyware products
• Exploitation of the Windows Autorun
• Online Game password stealers
Page 29
Conclusions
• Active malware is expanding geometrically
• Cybercrime is becoming more organized and flexible
• To fight it effectively we need:
- Innovative technology
- More informed and security conscious users
- Policies that reflect reality of user experience
Page 30
Childhood’s end.
Thank you!