The End of Childhood Cybercrime Dan Clark, VP Marketing and Research.

1 The End of Childhood Cybercrime Dan Clark, VP Marketing and Research

2 In the News... Gartner: Computers in use pass 1 billion mark http://www.reuters.com/article/technologyNews/idUSL2324525420080623

3 A Really Big Question How many malicious files exist?

4 Total Size of Samples Exchanged by AV Companies

5 Samples exchanged by AV companies
Volume approximately triples every year
1998: volume < 100MB, files < 10k
2008: volume > 1.5TB, files > 5mil.
Volume in 2008 > all previous years combined
Total number of files exchanged > 15mil.

6 ThreatSense.Net
Included in the client with various configuration options
Two part system
-statistical data submission
-suspicious file submission
Statistics gathered can be separated
-by country
-by malware group
-by detection type (heur/generic)
-by time/date
-by detection module (on-access, internet, mail etc)

7 Top 20 Infiltrations by Infection Share World Wide

Rank  Infiltration Name                    Infection Share
1     INF/Autorun.gen                      12,95%
2     Win32/PSW.OnLineGames.NMY            11,58%
3     INF/Autorun                          8,02%
4     Win32/Toolbar.MyWebSearch            6,40%
5     Win32/Agent.AJVG                     5,80%
6     WMA/TrojanDownloader.GetCodec.gen    5,57%
7     Win32/Agent                          5,55%
8     Win32/Conficker.AA                   3,88%
9     Win32/Conficker.A                    3,85%
10    Win32/Pacex.Gen                      3,36%
11    Win32/Genetik                        2,99%
12    Win32/AutoRun.KS                     2,97%
13    WMA/TrojanDownloader.GetCodec.C      2,73%
14    Win32/Adware.Virtumonde              2,53%
15    Win32/PSW.OnLineGames.NMP            2,29%
16    Win32/Patched.BU                     2,10%
17    Win32/Packed.Autoit.Gen              2,06%
18    Win32/Conficker.AE                   1,94%
19    Win32/Qhost                          1,85%
20    Win32/Conficker.E                    1,84%

8 Visualizing the Global Threat-Scape Source: ThreatSense.Net

9 ThreatSense.Net Statistics Total number of samples received, January & February 2009

10 ThreatSense.Net Statistics Total number of samples received, December 2007 – February 2009

11 Samples from ThreatSense.Net
Only heuristic and generic detections sent
2008: files > 100k daily, 50mil. total
2009: files ~ 250k daily, expected > 100mil.
Filters applied (Swizzor, Virtumonde, Sality...)
<10% of computers participating
Unknown/undetected threats

12 Conclusions
Our current estimate: ~200 million malicious files (analysis continues)
> 300k new malicious files daily
Probably still more PCs than threats, likely to change soon

13 Why are there so many malicious files?

14 In the News... The Register: Cybercrime ‘more lucrative’ than drugs http://www.theregister.co.uk/2005/11/29/cybercrime/

15 Cybercrime
Money always attracts criminals
Internet today
-new inexperienced users
-new companies with little/no security policy enforced
Fraud opportunities examples
-directly related to money (Internet banking, e-commerce)
-indirectly related to money (advertisement)
-data stealing (targeted attacks)
More malicious software than legitimate

16 Cybercrime vs. AV industry
AV industry attacks their business
Malware response?
Avoid detection and removal
-encryption
-polymorphism
-stealth (rootkits)
-legal attacks
Volume mutations (obfuscation)
-mutations generated in lab and distributed (Virtumonde, Zlob)
-mutations constantly generated by the hosting server (Swizzor)

17
From: support [mailto:support@emediacodec.com]
Sent: Wednesday, April 12, 2006 4:28 PM
To: XXXXXXXXXXX
Subject:

Hello XXXXXXXXXXX. We are the eMediaCodec support team. We would like to know why your software NOD32 detects our codec as the virus "Win32/TrojanDownloader.Zlob.II". Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in detail what the codec itself is. We do tell surfers what is being installed on their computers. We would very much appreciate it if you remove our eMediaCodec from your virus list.
Thanks

Win32/TrojanDownloader.Zlob

18
Subject: NOD32 detects our products as malware
Date: 21 Aug 2006 10:21:51 -0500
From: "Tyler Moore" tyler.moore@winsoftware.com
To: XXXXXXXXXXXXXX

I am contacting you on behalf of WinSoftware Company. Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirus Pro 2006, were added to your anti-malware database, and are currently being detected as malware. WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company's reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these products from your base no later than fourteen (14) days from receipt of this notification. Please confirm receipt of this message.
Best regards,
Tyler Moore
Senior Vice-President, Legal Compliance
WinSoftware Ltd.

Rogue Antivirus

19 Consequences

20 Ineffective defense
Simple signature approach doesn’t work
With 200 mil. malicious files we need
-3GB of MD5 signatures
-800MB of CRC32 signatures (the number of collisions would be enormous ;-))
With 300k of new malicious files every day
-Update size is too big
-No chance to receive and process all files to create signatures
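The slide's arithmetic, carried through as an added example that is not part of the presentation: storage for one fixed-size digest per file at the slide's 200 million files and 300k new files per day, the birthday-bound number of CRC32 collisions such a database would contain, and an empirical search that turns up a CRC32 collision among random 8-byte inputs (constructed data) after only tens of thousands of draws. The file counts are the slide's own figures; everything else is assumed for illustration.

```python
"""Added example (not from the presentation): what a flat hash-signature
database costs at the scale the slide quotes, and why a 32-bit CRC cannot
serve as a per-file identifier. Counts are the slide's; inputs are constructed."""
import random
import zlib

MD5_BYTES = 16    # size of one MD5 digest
CRC32_BYTES = 4   # size of one CRC32 checksum


def signature_db_bytes(n_files: int, digest_bytes: int) -> int:
    """Storage for one fixed-size digest per known malicious file."""
    return n_files * digest_bytes


def expected_collisions(n_items: int, hash_bits: int) -> float:
    """Birthday estimate: each of the n(n-1)/2 pairs collides with probability
    2^-bits when the hash behaves like a random function."""
    pairs = n_items * (n_items - 1) // 2
    return pairs / 2 ** hash_bits


def crc32_of(blob: bytes) -> int:
    return zlib.crc32(blob)


def find_crc32_collision(seed: int = 1, max_draws: int = 1 << 20):
    """Draw random distinct 8-byte blobs (constructed input) until two of them
    share a CRC32. Returns (blob_a, blob_b, draws) or None if none is found
    within max_draws (vanishingly unlikely for a 32-bit hash)."""
    rng = random.Random(seed)
    seen = {}  # crc -> first blob that produced it
    for draws in range(1, max_draws + 1):
        blob = rng.getrandbits(64).to_bytes(8, "big")
        crc = crc32_of(blob)
        if crc in seen and seen[crc] != blob:
            return seen[crc], blob, draws
        seen[crc] = blob
    return None


if __name__ == "__main__":
    n = 200_000_000   # slide's estimate of malicious files
    daily = 300_000   # slide's estimate of new malicious files per day
    print(f"MD5 db:   {signature_db_bytes(n, MD5_BYTES) / 1e9:.1f} GB")
    print(f"CRC32 db: {signature_db_bytes(n, CRC32_BYTES) / 1e6:.0f} MB")
    print(f"daily MD5 update: {signature_db_bytes(daily, MD5_BYTES) / 1e6:.1f} MB")
    print(f"expected CRC32 collisions among {n:,} files: "
          f"{expected_collisions(n, 32):,.0f}")
    print(f"expected MD5 collisions: {expected_collisions(n, 128):.1e}")
    a, b, draws = find_crc32_collision()
    print(f"first CRC32 collision after {draws:,} random files: "
          f"{a.hex()} vs {b.hex()} -> {crc32_of(a):#010x}")
```

The birthday term is the point: with 200 million entries a 32-bit identifier yields millions of pairs of unrelated files that share a checksum, so a CRC32 "signature" would either miss malware or flag clean files, while the 128-bit MD5 estimate is effectively zero (MD5's known weaknesses are a separate, attacker-driven concern not modelled here).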

21 Effective defense
Heuristics
-simulates work of an AV expert (emulates the code in virtualized environment, analyses code and data and tries to identify suspicious behavior)
Smart signatures
-contain behavior patterns and fingerprints of malware families (1 signature detects most mutations of particular threat)
-need for sophisticated technology, big database of malware and legitimate software behavior patterns, experienced virus analyst team
-database only ~16MB for current threats
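The contrast the slide draws between per-file hashes and family signatures, shown as an added example that is not ESET's code or technology: a wildcard byte pattern standing in for a family fingerprint is run over three constructed "mutations" that differ only in a 4-byte immediate, plus one constructed benign file. The exact-hash database, which has only ever seen one mutation, catches one sample; the single family pattern catches all three and leaves the benign file alone. The byte sequences and function names are constructed for illustration.

```python
"""Added example (not from the presentation or ESET): exact-hash signature
versus a family-level signature with wildcard bytes. All samples and the
pattern are constructed for illustration only."""
import hashlib
from typing import Dict, List, Optional, Sequence, Set

# Family signature: fixed bytes plus None for bytes that vary between mutations
# (here a 32-bit immediate that a malware kit re-generates per build).
FAMILY_PATTERN: Sequence[Optional[int]] = [
    0x55, 0x8B, 0xEC,              # constant prologue bytes shared by the family
    0x68, None, None, None, None,  # push <varying 32-bit value>
    0xE8,                          # call
]


def build_sample(prefix: bytes, varying: bytes, suffix: bytes) -> bytes:
    """Constructed family member: shared prologue, varying immediate, call."""
    return prefix + bytes([0x55, 0x8B, 0xEC, 0x68]) + varying + b"\xE8" + suffix


# Three constructed mutations of one family; only the immediate (and padding) differ.
FAMILY_SAMPLES: Dict[str, bytes] = {
    "mutation_a": build_sample(b"\x90\x90", b"\x11\x22\x33\x44", b"\x00" * 4),
    "mutation_b": build_sample(b"\x90", b"\xAA\xBB\xCC\xDD", b"\x00" * 4),
    "mutation_c": build_sample(b"", b"\x01\x02\x03\x04", b"\xCC" * 4),
}
# Constructed benign file: same prologue but pop/ret, then plain text; no push/call.
BENIGN_SAMPLE = b"\x55\x8B\xEC\x5D\xC3" + b"hello world"


def md5_signature(data: bytes) -> str:
    """Exact-match signature: one entry per distinct file."""
    return hashlib.md5(data).hexdigest()


def match_pattern(data: bytes, pattern: Sequence[Optional[int]]) -> int:
    """Offset of the first occurrence of a wildcard byte pattern, or -1."""
    plen = len(pattern)
    for off in range(len(data) - plen + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def exact_hits(samples: Dict[str, bytes], signature_db: Set[str]) -> List[str]:
    """Exact-hash detection: a sample is caught only if its MD5 is in the database."""
    return [name for name, data in samples.items() if md5_signature(data) in signature_db]


def generic_hits(samples: Dict[str, bytes],
                 pattern: Sequence[Optional[int]] = FAMILY_PATTERN) -> List[str]:
    """Family detection: a sample is caught if the wildcard pattern occurs anywhere in it."""
    return [name for name, data in samples.items() if match_pattern(data, pattern) != -1]


if __name__ == "__main__":
    # The lab has only ever received mutation_a, so that is the only hash in the db.
    db = {md5_signature(FAMILY_SAMPLES["mutation_a"])}
    print("exact-hash hits:", exact_hits(FAMILY_SAMPLES, db))
    print("family hits:    ", generic_hits(FAMILY_SAMPLES))
    print("benign flagged: ", generic_hits({"benign": BENIGN_SAMPLE}))
```

The false-positive side of the slide ("big database of ... legitimate software behavior patterns") is why the pattern keeps the push/call structure rather than just the three prologue bytes: the prologue alone also appears in the benign sample and would flag it.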

22 The Renowned Tests (chart: number of samples in the test sets; labels shown: a couple of 100K, ~1 million, 500K – 1 million)

23 Testing labs
Work with relatively small number of malicious files
Volume of files is too big to be processed correctly (corrupted, non-working, non-malicious, etc)
Sample submissions from AV companies can skew results
Samples circulating among AV companies and test centers are well-known and products can be “tuned”

24 The Weakest Link

25 End-Users
Unaware of basic safety
Deliberately ignore policies (adult content on business laptop)
Susceptible to phishing and other attacks which prey on greed, fear, lust, ignorance, etc.

26 A Real Fresh Phish - 5/27/09

27 A Fun Exercise Spot the “Phish Factors”

28 7 Current Malware Trends
-Threats attacking popular browsers: drive-by downloads, exploitation of vulnerabilities in browsers and plugins
-Increasing threats to OS X, game boxes and Linux
-Malicious PDFs and other Trojan-like piggy-backing/exploitation of “trustworthy” documents
-Social engineering attacks, more sophistication in the techniques used
-Fake antivirus and antispyware products
-Exploitation of the Windows Autorun
-Online Game password stealers

29 Conclusions
Active malware is expanding geometrically
Cybercrime is becoming more organized and flexible
To fight it effectively we need:
-Innovative technology
-More informed and security conscious users
-Policies that reflect reality of user experience

30 Childhood’s end. Thank you!
