Security, Malware, Threats Now and Tomorrow Eddy Willems Security Evangelist G Data Security Labs Director Security Industry Relationships EICAR -- AMTSO [email protected]

Source: download.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18


Security, Malware, Threats: Now and Tomorrow

Eddy Willems
Security Evangelist - G Data Security Labs
Director Security Industry Relationships - EICAR / AMTSO
eddy.willems@gdata.de

• Security Evangelist at G Data Software AG
  - Privately owned
  - Established 1985 in Germany (Bochum)
  - First Atari AV software
  - Security solutions for end users and companies
• Personally involved in the security industry since 1989
• Worked as Senior Consultant / Anti-Virus Expert for several CERT organisations and commercial enterprises like Kaspersky Lab, Westcon (Noxs), etc.
• Co-founder and board member of EICAR and AMTSO (international security industry organisations)

Introduction

Some History
- The old days: Spam
- Some years ago: Virus, Worm, Trojan
- Current threats

History facts
1986 Brain: first PC (boot sector) virus
1988 Morris worm: infected 10% of the internet (6000 computers)
1992 Michelangelo: first virus in the media
1995 Concept: first macro virus
1999 Melissa: mass mailer
2003 Slammer: memory worm, replicated very fast over the world
2004 Cabir: first 'proof-of-concept' for Symbian
2006 Leap: first virus for Mac OS X
2007 Storm Worm: first use of distributed C&C servers
2008 Koobface: first malware on Facebook
2008 Conficker: one of the biggest epidemics in history, infecting everybody
2010 FakePlayer: SMS trojan for Android
2010 Stuxnet: targeted attack against Iranian enrichment of uranium
2011 Duqu: advanced spyware trojan
2012 Flame: advanced spyware virus

The Numbers Game
About 70,000 new threats per day => over 80,000,000 threats / malware
Under the Radar = Money is involved

Problem 1: Botnets

Using botnets for:
- DDoS for fun and glory
- Sending spam or making spam lists
- Phishing
- Stealing private data, dropping spyware modules, etc.
- Ransoming
- Botnet renting
- e.g. Citadel botnet with Dorifel (Aug 2012)

Related problem: Online banking threats
- The NVB (Dutch Association of Banks, Netherlands) reported 8000 cases of fraud with online banking in 2011, amounting to €35 million in damages. The average loss per case amounts to approximately €4375.
- Febelfin (Belgian Association of Banks) reported 396 cases of fraud with online banking in 2012 (first half), amounting to €675,000 in damages after recuperation...
- The user is exposed to a high risk: ~€4000

Man-in-the-Browser Attack
- 1% of every day's new threats
- More used in other attacks

Problem 2: Social Media / Websites

Over 36 million URLs are malicious

Social Media: a combination of the Human and Technological Factor
[Diagram: victim, malicious website and other web 2.0 apps, linked by the human factor and the technology factor]

[Chart: Blackhole Exploit Kit statistics]

- Profit: depending on the target
- Easy to do (technically / morally)
- Low-risk business
- New services that are profitable to attack

Problem 3: Shift of focus to corporate targets ('Targ. Attacks')

First serious sign: Aurora attack
- June 2009 - Dec 2009 (Google announced it in January 2010)
- Other victims include Adobe Systems, Juniper, Rackspace, Yahoo
- Targeted at Fortune 100
- Using a zero-day vulnerability to gain access to, and potentially modify, source code repositories: cyber-espionage
- Social engineering, targeted techniques via Facebook accounts, etc.
(Image: Copyright IEEE Spectrum 2011)

- DigiNotar hack in July 2011 (NL) (Certificate Authority)
  What: false certificates for Google Mail and 247 others, stolen / generated from the CA provider
  Who: Iran (government) - ComodoHacker
  Why: impersonate Google, assuming you can first reroute Internet traffic for google.com to you. Only affects users within that country or under that ISP.

Also affecting the Cloud
- Hacking mailboxes of (known) people
- Hacking email addresses and passwords from corporates, e.g. Philips
- Hacking and ransoming (Rex Mundi): Accord (NL), Elantis (BE), CreditPret (FR)
- Hacktivism: flash-bang mentality change (Anonymous, GhostShell)
- And ...

Problem 4: Cyberespionage and Sabotage: Stuxnet, Duqu, Flame

Stuxnet
- Discovered July 2010
- Used Windows OS, industrial software application, Siemens PLC
- Using 5 vulnerabilities (4 zero-day vulnerabilities)
- Initially spread via USB (= floppy), afterwards peer-to-peer functionalities
- Targeting a SCADA company based in Finland, and the real target: a nuclear plant based in Iran
- Problems caused in enrichment of uranium: success. Cybersabotage.

The real problem: Today's Networks Lack Boundaries
[Diagram: Internet, Network, Contractors, Mobile Users, Telecommuters, Wireless Users]

- Internal / External network: individual users connect from multiple locations
- Managed / Unmanaged devices: individual devices operate both inside the network and on public networks
- New devices on the network, e.g. netbooks, mobile devices, etc.

Question: Who has an Android phone? iPhone? Symbian? BlackBerry? Tablet?

The first incidents
- Liberty Horse Trojan, Sept 2000
- Telefonica SMS Mailer, Dec 2000
- 911 DoS SMS Mailer in Japan, April 2001
- Flooder sending unwanted SMS, Aug 2001
- Phage destroys files on Palm, Sept 2001
- Vapor Trojan Horse hides applications, Oct 2001
- GPRS hack into 2.5G US network devices, Nov 2002
- Nokia 6210 V-card exploit, Feb 25 2003
- Siemens "String" exploit, March 2 2003
- AT&T SMS Trojan, May 5 2003
- First Symbian-based Trojan, Sept 2003

Problem 5: Mobile threats and BYOD

[Chart: Global market share of mobile OS, percentage for smartphones, 2007 to 2012 (e = expected); platforms: Symbian, iPhone, BlackBerry, Win Mobile, Android. Source: Gartner]

Security Model (Android)
- Unix multi-user sandbox (uid / gid)
- No permissions by default
- Strict permissions:
  • Enforced by the kernel
  • Displayed at install time
  • Not changeable later on

DroidDream: Google's removal tool. Which is the real tool?

The Update Problem

Mobile Malware Situation
- 2011 = +/- 1800 total mobile malware threats (until December 2011)
- 2012 = +/- 13,000 total mobile malware (until July 2012, 96% Android)

THE FUTURE: Malware related to ...
• More mobile malware: app-related malware => drive-by-download based mobile malware
• More MitB-driven attacks to gain access to encrypted data and to the cloud
• More human-behaviour based attacks (social)
• 64-bit malware, ransomware, Java-based malware
• Botnets continue to (mis)use internal networks of companies
• More targeted attacks, cyberespionage and cybersabotage (not only nation-driven)
• More hacks of SMB websites
=> => => Most of it: under the radar of the public <= <= <=

A Secure Solution for mobile threats ... ;-)

Thank you! Questions?
Twitter: @EddyWillems

Page 2: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

bull Security Evangelist at G Data Sofware AG

- Privately owned

- Established 1985 in Germany (Bochum)

- First Atari AV software

- Security solutions for end users and companies

bull Personally Involved in the security industry since 1989

bull Worked as Senior ConsultantAnti-Virus Expert for several CERT-organisations and

commercial enterprises like Kaspersky Lab Westcon(Noxs) etc

bull Co-founder and board member of EICAR and AMTSO (international security industry org)

Introduction

Some History The old days

Spam

Some years ago

Virus

Worm

Trojan

Current threats

History facts 1986 Brain first PC(bootsector) virus

1988 Morris-worm infected 10 of the internet (6000 computers)

1992 Michelangelo first virus in the media

1995 Concept first macro-virus

1999 Melissa mass mailer

2003 Slammer memory worm replicated very fast over the world

2004 Cabir first lsquoproof-of-conceptrsquo for Symbian

2006 Leap first virus for Mac OS X

2007 Storm Worm first use of distributed CampC-servers

2008 Koobface first malware on Facebook

2008 Conficker one of the biggest epidemics in history infecting everybody

2010 FakePlayer SMS-trojan for Android

2010 Stuxnet Targetted attack against Iranian enrichment of Uranium

2011 Duqu advanced spyware trojan

2012 Flame advanced spyware virus

About 70000 new threats per day =gt over 80000000 ThreatsMalware

Under the Radar = Money is involved

The Numbers Game

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 3: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Some History The old days

Spam

Some years ago

Virus

Worm

Trojan

Current threats

History facts 1986 Brain first PC(bootsector) virus

1988 Morris-worm infected 10 of the internet (6000 computers)

1992 Michelangelo first virus in the media

1995 Concept first macro-virus

1999 Melissa mass mailer

2003 Slammer memory worm replicated very fast over the world

2004 Cabir first lsquoproof-of-conceptrsquo for Symbian

2006 Leap first virus for Mac OS X

2007 Storm Worm first use of distributed CampC-servers

2008 Koobface first malware on Facebook

2008 Conficker one of the biggest epidemics in history infecting everybody

2010 FakePlayer SMS-trojan for Android

2010 Stuxnet Targetted attack against Iranian enrichment of Uranium

2011 Duqu advanced spyware trojan

2012 Flame advanced spyware virus

About 70000 new threats per day =gt over 80000000 ThreatsMalware

Under the Radar = Money is involved

The Numbers Game

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 4: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Spam

Some years ago

Virus

Worm

Trojan

Current threats

History facts 1986 Brain first PC(bootsector) virus

1988 Morris-worm infected 10 of the internet (6000 computers)

1992 Michelangelo first virus in the media

1995 Concept first macro-virus

1999 Melissa mass mailer

2003 Slammer memory worm replicated very fast over the world

2004 Cabir first lsquoproof-of-conceptrsquo for Symbian

2006 Leap first virus for Mac OS X

2007 Storm Worm first use of distributed CampC-servers

2008 Koobface first malware on Facebook

2008 Conficker one of the biggest epidemics in history infecting everybody

2010 FakePlayer SMS-trojan for Android

2010 Stuxnet Targetted attack against Iranian enrichment of Uranium

2011 Duqu advanced spyware trojan

2012 Flame advanced spyware virus

About 70000 new threats per day =gt over 80000000 ThreatsMalware

Under the Radar = Money is involved

The Numbers Game

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 5: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Current threats

History facts 1986 Brain first PC(bootsector) virus

1988 Morris-worm infected 10 of the internet (6000 computers)

1992 Michelangelo first virus in the media

1995 Concept first macro-virus

1999 Melissa mass mailer

2003 Slammer memory worm replicated very fast over the world

2004 Cabir first lsquoproof-of-conceptrsquo for Symbian

2006 Leap first virus for Mac OS X

2007 Storm Worm first use of distributed CampC-servers

2008 Koobface first malware on Facebook

2008 Conficker one of the biggest epidemics in history infecting everybody

2010 FakePlayer SMS-trojan for Android

2010 Stuxnet Targetted attack against Iranian enrichment of Uranium

2011 Duqu advanced spyware trojan

2012 Flame advanced spyware virus

About 70000 new threats per day =gt over 80000000 ThreatsMalware

Under the Radar = Money is involved

The Numbers Game

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users


History facts
1986 Brain: first PC (boot sector) virus
1988 Morris worm: infected 10% of the internet (6000 computers)
1992 Michelangelo: first virus in the media
1995 Concept: first macro virus
1999 Melissa: mass mailer
2003 Slammer: memory worm, replicated very fast over the world
2004 Cabir: first ‘proof-of-concept’ for Symbian
2006 Leap: first virus for Mac OS X
2007 Storm Worm: first use of distributed C&C servers
2008 Koobface: first malware on Facebook
2008 Conficker: one of the biggest epidemics in history, infecting everybody
2010 FakePlayer: SMS trojan for Android
2010 Stuxnet: targeted attack against Iranian enrichment of uranium
2011 Duqu: advanced spyware trojan
2012 Flame: advanced spyware virus

The Numbers Game
About 70,000 new threats per day => over 80,000,000 threats/malware
Under the Radar = Money is involved

Problem 1: Botnets
Using a botnet:
- DDoS for fun and glory
- Sending spam or making spam lists
- Phishing
- Stealing private data, dropping spyware modules, etc.
- Ransoming
- Botnet renting
- E.g. Citadel botnet with Dorifel (Aug 2012)

Related problem: Online banking threats
- The NVB (Dutch Association of Banks, Netherlands) reported 8000 cases of fraud with online banking in 2011, amounting to € 35 million in damages. The average loss per case amounts to approximately € 4375.
- Febelfin (Belgian Association of Banks) reported 396 cases of fraud with online banking in 2012 (first half), amounting to € 675,000 in damages after recuperation …
The user is exposed to a high risk: ~ € 4000
Man-in-the-Browser attack: 1% of every day's new threats, and increasingly used in other attacks

Problem 2: Social Media Websites
Over 36 million URLs are malicious

Social Media: a combination of the Human and Technological Factor
[Diagram: the Victim between the Human factor (social media) and the Tech factor (malicious website, other web 2.0 apps)]

Blackhole Exploit Kit Statistics
- Profit: depending on the target
- Easy to do (technically / morally)
- Low-risk business
- New services that are profitable to attack

Problem 3: Shift of focus to corporate targets (‘TargAttacks’)
First serious sign: the Aurora attack
- June 2009 - Dec 2009 (Google announced it in January 2010)
- Other victims include Adobe Systems, Juniper, Rackspace, Yahoo
- Targeted at Fortune 100
- Using a zero-day vulnerability to gain access to, and potentially modify, source code repositories: cyber-espionage
- Social engineering, targeted techniques via Facebook accounts, etc.
(Image copyright IEEE Spectrum 2011)

DigiNotar hack, July 2011 (NL) (Certificate Authority)
- What: false certificates for Google mail and 247 others stolen/generated from the CA provider
- Who: Iran (government) - ComodoHacker
- Why: to impersonate Google, assuming you can first reroute Internet traffic for google.com to you; only affects users within that country or under that ISP
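The DigiNotar case is the textbook argument for certificate pinning: a certificate for Google mail issued by a compromised but trusted CA passes ordinary chain validation in every client that trusts that CA. The Go program below is an added example, not material from the talk: it builds two in-memory roots (one legitimate, one standing in for the compromised CA), issues a mail.google.com certificate from each, and shows that standard x509 path validation accepts both while a SPKI pin on the expected issuer rejects the rogue one. All certificates, names, serials and the pin set are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Result records what plain path validation and SPKI pinning say about each leaf.
type Result struct {
	LegitChainOK, RogueChainOK bool // x509 chain building against the trust store
	LegitPinOK, RoguePinOK     bool // chain-level SPKI pin check on top of it
}

// newCert generates a P-256 key and issues a certificate for it, all in memory.
// With parent == nil the result is a self-signed root CA; otherwise it is a server
// certificate for name signed by parent. Failures are programming errors here.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the HPKP-style pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify runs ordinary path validation for host and, if that succeeds, additionally
// requires that some certificate in a valid chain carries a pinned SPKI hash.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) (chainOK, pinOK bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, false
}

// Scenario models the DigiNotar situation: the trust store holds a legitimate root
// and a compromised one, and each has issued a certificate for mail.google.com.
func Scenario() Result {
	const host = "mail.google.com"
	legitCA, legitKey := newCert("Constructed Legitimate Root", nil, nil, 1)
	rogueCA, rogueKey := newCert("Constructed Compromised Root", nil, nil, 2)
	legitLeaf, _ := newCert(host, legitCA, legitKey, 10)
	rogueLeaf, _ := newCert(host, rogueCA, rogueKey, 11) // the "false certificate"
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // both are trusted, as the compromised CA was in 2011
	pins := map[string]bool{spkiPin(legitCA): true} // pin the issuer we expect for this host
	var r Result
	r.LegitChainOK, r.LegitPinOK = verify(legitLeaf, roots, host, pins)
	r.RogueChainOK, r.RoguePinOK = verify(rogueLeaf, roots, host, pins)
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // expect {LegitChainOK:true RogueChainOK:true LegitPinOK:true RoguePinOK:false}
}
```

The rogue leaf passing chain validation is the point: trust-store membership alone decided the outcome in 2011, and only a second, host-specific check (the pin) distinguishes the two chains.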

Also affecting the Cloud
- Hacking mailboxes of (known) people
- Hacking email addresses and passwords from corporates, e.g. Philips
- Hacking and ransoming (Rex Mundi): Accord (NL), Elantis (BE), CreditPret (FR)
- Hacktivism: flash bang, mentality change (Anonymous, GhostShell)
And …

Problem 4: Cyberespionage and Sabotage: Stuxnet, Duqu, Flame
- Stuxnet: discovered July 2010
- Used: Windows OS, industrial software application, Siemens PLC
- Using 5 vulnerabilities (4 zero-day vulnerabilities)
- Initially spread via USB (= floppy), afterwards peer-to-peer functionalities
- Targeting a SCADA company based in Finland, and the real target: a nuclear plant based in Iran
- Problems caused in enrichment of uranium: success
Cybersabotage

The real problem: Today's Networks Lack Boundaries
[Diagram: the Network connected to the Internet, surrounded by Contractors, Mobile Users, Telecommuters and Wireless Users]
- Internal/External network: individual users connect from multiple locations
- Managed/Unmanaged devices: individual devices operate both inside the network and on public networks
- New devices on the network, e.g. netbooks, mobile devices, etc.
Question: Who has an Android phone? iPhone? Symbian? BlackBerry? Tablet?

The first incidents
- Liberty Horse Trojan, Sept 2000
- Telefonica SMS Mailer, Dec 2000
- 911 DoS SMS Mailer in Japan, April 2001
- Flooder sending unwanted SMS, Aug 2001
- Phage destroys files on Palm, Sept 2001
- Vapor Trojan Horse hides applications, Oct 2001
- GPRS hack into 2.5G US network devices, Nov 2002
- Nokia 6210 V-card exploit, Feb 25, 2003
- Siemens “String” exploit, March 2, 2003
- AT&T SMS Trojan, May 5, 2003
- First Symbian-based Trojan, Sept 2003

Problem 5: Mobile threats and BYOD
[Chart: Global market share of mobile OS, percentage for smartphones, 2007 to 2012 (e = expected); series: Symbian, iPhone, BlackBerry, Win Mobile, Android. Source: Gartner]

Security Model
- Unix multi-user sandbox (uid/gid)
- No permissions by default
- Strict permissions:
  • Enforced by the kernel
  • Displayed at install time
  • Not changeable later on

DroidDream / Google's removal tool: which is the real tool?

The Update Problem
- 2011 = +- 1800 total mobile malware threats (until December 2011)
- 2012 = +- 13,000 total mobile malware (until July 2012; 96% Android)
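Because the permission set is shown once at install time and cannot be changed afterwards, the declared permissions are the one moment a reviewer can judge an app before the kernel starts enforcing them. The Go program below is an added example, not material from the talk: it parses a constructed AndroidManifest.xml and flags permission combinations typical of the period's mobile malware, such as a "media player" that also asks to send SMS, the shape of the FakePlayer case. The rule set, package name and sample manifest are assumptions of this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// manifest maps the parts of AndroidManifest.xml this review needs: the package
// name and the <uses-permission> declarations a user is shown at install time.
type manifest struct {
	Package     string `xml:"package,attr"`
	Permissions []struct {
		Name string `xml:"name,attr"` // matches android:name whatever the namespace
	} `xml:"uses-permission"`
}

// Finding names a risky capability and the permissions that together grant it.
type Finding struct {
	Rule  string
	Needs []string
}

// riskyCombos are permission sets that, taken together, describe a capability
// typical of the period's mobile malware (premium-SMS trojans, data theft,
// persistence). The sets are assumptions of this example, not a vendor rule set.
var riskyCombos = []Finding{
	{"premium-sms-trojan", []string{"android.permission.SEND_SMS"}},
	{"sms-interception", []string{"android.permission.RECEIVE_SMS", "android.permission.INTERNET"}},
	{"contact-exfiltration", []string{"android.permission.READ_CONTACTS", "android.permission.INTERNET"}},
	{"boot-persistence", []string{"android.permission.RECEIVE_BOOT_COMPLETED"}},
}

// ReviewManifest parses manifest XML and returns the package name, the distinct
// declared permissions (sorted) and every risky combination they satisfy.
func ReviewManifest(xmlText string) (pkg string, perms []string, findings []Finding, err error) {
	var m manifest
	if err = xml.Unmarshal([]byte(xmlText), &m); err != nil {
		return "", nil, nil, err
	}
	have := map[string]bool{}
	for _, p := range m.Permissions {
		if p.Name != "" && !have[p.Name] {
			have[p.Name] = true
			perms = append(perms, p.Name)
		}
	}
	sort.Strings(perms)
	for _, combo := range riskyCombos {
		matched := true
		for _, need := range combo.Needs {
			if !have[need] {
				matched = false
				break
			}
		}
		if matched {
			findings = append(findings, combo)
		}
	}
	return m.Package, perms, findings, nil
}

// SampleManifest is a constructed manifest for a fake "media player" that also
// asks to send SMS and to start at boot.
const SampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Movie Player"/>
</manifest>`

func main() {
	pkg, perms, findings, err := ReviewManifest(SampleManifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("package:", pkg)
	fmt.Println("declared:", perms)
	for _, f := range findings { // expect premium-sms-trojan and boot-persistence
		fmt.Printf("RISK %s: requires %v\n", f.Rule, f.Needs)
	}
}
```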

Mobile Malware Situation
• More mobile malware: app-related malware => drive-by-download based mobile malware
• More MitB-driven attacks to gain access to encrypted data and to the cloud
• More attacks based on human behaviour (social)
• 64-bit malware, ransomware, Java-based malware
• Botnets continue to (mis)use internal networks of companies
• More targeted attacks, cyberespionage and cybersabotage (not only nation driven)
• More hacks of SMB websites
=> => => Most of it under the radar of the public <= <= <=

THE FUTURE
Malware related to …
A Secure Solution for mobile threats … :-)

Thank you! Questions?
Twitter: @EddyWillems

Page 7: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

About 70000 new threats per day =gt over 80000000 ThreatsMalware

Under the Radar = Money is involved

The Numbers Game

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 8: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Problem 1 Botnets

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 9: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Using botnet

- DDos for fun and glory

- Sending spam or making spamlists

- Phishing

- Stealing private data dropping spyware modules etchellip

- Ransoming

- Botnet Renting

- Eg Citadel botnet with Dorifel (Aug 2012)

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 10: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

- The NVB (Dutch Association of Banks Netherlands) reported 8000 cases

of fraud with online banking in 2011 amounting to euro 35 million in damages The

average loss per case amounts to approximately euro 4375

- Febelfin (Belgium Assocation of Banks) reported 396 cases of fraud with

online banking in 2012 (first half) amounting euro 675000 in damages after

recuperationhelliphellip

The user is exposed to a high risk ~ euro 4000

1 of every days new threats

Man-in-the-Browser Attack

More used in other attacks

Related problem Online banking threats

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 11: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Problem 2 Social Media Websites

Over 36 million URLrsquos are malicious

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 12: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Social Media a combination of the

Human and Technological Factor

Human factor

Tech factor Victim

Malicious website

Other web 20

apps

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

First serious sign: Aurora attack

- June 2009 - Dec 2009 (Google announced it in January 2010)
- Other victims include Adobe Systems, Juniper, Rackspace, Yahoo
- Targeted at Fortune 100
- Using a Zero Day vulnerability to gain access to and potentially modify source code repositories: Cyber-espionage
- Social Engineering: targeted techniques via Facebook accounts etc.

Copyright IEEE Spectrum 2011

- DigiNotar hack in July 2011 (NL) (Certificate Authority)

What: False certificates for google mail and 247 others stolen/generated from the CA provider
Who: Iran (government) - ComodoHacker
Why: impersonate Google — assuming you can first reroute Internet traffic for google.com to you. Only affects users within that country or under that ISP.

Also affecting the Cloud

- Hacking mailboxes of (known) people
- Hacking email addresses and passwords from corporates, e.g. Philips
- Hacking and Ransoming (Rex Mundi): Accord (NL), Elantis (BE), CreditPret (FR)
- Hacktivism: Flash bang. Mentality change (Anonymous, GhostShell)

And

Problem 4: Cyberespionage and Sabotage: Stuxnet, Duqu, Flame

- Discovered July 2010
- Used Windows OS, industrial software application, Siemens PLC
- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)
- Initially spread via USB (= Floppy), afterwards peer-to-peer functionalities
- Targeting SCADA company based in Finland and the real target: nuclear plant based in Iran
- Problems caused in enrichment of Uranium: Success

Cybersabotage

The real problem: Today's Networks Lack Boundaries

[Diagram: Internet, Contractors, Mobile Users, Telecommuters and Wireless Users all connecting to the Network]

- Internal/External network
- Individual Users connect from multiple locations
- Managed/Unmanaged devices
- Individual devices operate both inside the network and on public networks
- New Devices on the Network, e.g. Netbooks, Mobile devices etc.

Question: Who has an Android phone? iPhone? Symbian? BlackBerry? Tablet?

The first incidents

- Liberty Horse Trojan, Sept 2000
- Telefonica SMS Mailer, Dec 2000
- 911 DoS SMS Mailer in Japan, April 2001
- Flooder sending unwanted SMS, Aug 2001
- Phage destroys files on Palm, Sept 2001
- Vapor Trojan Horse hides applications, Oct 2001
- GPRS hack into 2.5G US network devices, Nov 2002
- Nokia 6210 V-card Exploit, Feb 25 2003
- Siemens "String" Exploit, March 2 2003
- AT&T SMS Trojan, May 5 2003
- First Symbian based Trojan, Sept 2003

Problem 5: Mobile threats and BYOD

[Chart: Global Market Share of Mobile OS, percentage for smartphones, 2007 to 2012 (e = expected); series: Symbian, iPhone, Blackberry, Win Mobile, Android; x-axis 2007, 2008, 2009, 2010, 2011e, 2012e; y-axis 0 to 70. Source: Gartner]

Security Model

- Unix multi-user sandbox (uid/gid)
- No permissions by default
- Strict permissions
  • Enforced by kernel
  • Displayed at install time
  • Not changeable later on
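
An added example, not from the slides, of the install-time permission review the Security Model bullets describe (Android's model, given the DroidDream slide that follows): it parses the <uses-permission> entries of an AndroidManifest.xml and flags those that the app's stated purpose does not explain, which is exactly what a user sees once and cannot revisit later. The manifest, the package name and the "sensitive" list are constructed for this example; the permission names themselves are real Android ones.

```python
"""Added example, not from the slides: review the permissions an Android app
declares in its AndroidManifest.xml, i.e. the list the install-time permission
dialog shows and that cannot be changed afterwards.  Only the standard library
is used; the manifest, package name and "sensitive" list are constructed here."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Namespace that AndroidManifest.xml uses for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "media player" that also asks for SMS, contacts and
# boot-time start, the shape of the SMS-trojan apps mentioned in the deck.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mediaplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Media Player">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Illustrative, hand-picked list (not Android's own protection-level table):
# permissions a reviewer wants justified by what the app claims to do.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send (premium-rate) SMS",
    "android.permission.READ_SMS": "can read one-time codes and private messages",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "can track the device",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself at boot (persistence)",
}


def package_name(manifest_xml: str) -> str:
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "")


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review_permissions(manifest_xml: str) -> dict[str, str]:
    """Map each declared permission that is in SENSITIVE to why it needs a look."""
    return {p: SENSITIVE[p] for p in declared_permissions(manifest_xml) if p in SENSITIVE}


def permission_report(manifest_xml: str) -> str:
    """Human-readable summary of the kind a vetting pipeline would attach to an APK."""
    pkg = package_name(manifest_xml)
    declared = declared_permissions(manifest_xml)
    flagged = review_permissions(manifest_xml)
    lines = [f"{pkg}: {len(declared)} permissions declared, {len(flagged)} flagged"]
    for perm in declared:
        mark = "!!" if perm in flagged else "  "
        note = f"  ({flagged[perm]})" if perm in flagged else ""
        lines.append(f"{mark} {perm}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(permission_report(SAMPLE_MANIFEST))
```

For a real APK the manifest is binary-encoded inside the archive and must first be decoded (for example with the Android SDK's aapt tool) before this parser can read it.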

DroidDream: Google's removal tool

Which is the real tool?

The Update Problem

Mobile Malware Situation

- 2011 = +/- 1800 total mobile malware threats (until December 2011)
- 2012 = +/- 13000 total mobile malware (until July 2012; 96% Android)

THE FUTURE

• More mobile Malware: Apps related malware => Drive-By-Download based mobile malware
• More MitB driven attacks to gain access to encrypted data and to the cloud
• More Human based behaviour attacks (social)
• 64Bit Malware, Ransomware, Java based malware
• Botnets continue to (mis)use internal networks of companies
• More targeted attacks, cyberespionage and cybersabotage (not only nation driven)
• More hacks of SMB websites

=> => => Most of it: Under the radar of the public <= <= <=

Malware related to

A Secure Solution for mobile threats … ;-)

Thank you! Questions?

Twitter: EddyWillems

Page 13: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Human Factor

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 14: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Technology Factor

Blackhole Exploit Kit Statistics

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 15: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

- Profit Depending on the target

- Easy to do (technicallymorally)

- Low risk business

- New services that are

profitable to attack

Problem 3

Shift of focus to corporate targets

lsquoTargAttacksrsquo

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 16: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

- June 2009-Dec 2009 (Google announced

it in January 2010)

- Other victims include Adobe Systems

Juniper Rackspace Yahoo

- Targeted at Fortune 100

- Using a Zero Day vulnerability to gain

access to and potentially modify source

code repositories Cyber-espionage

- Social Engineering targeted techniques

via Facebook accounts etc

First serious sign Aurora attack

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 17: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Copyright IEEE Spectrum 2011

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 18: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

- Dignotar Hack in July 2011 (NL)

(Certificate Authority)

What False certificates for google mail

and 247 others stolengenerated from

CA provider

Who Iran (government) -

ComodoHacker

Why impersonate Google mdash assuming

you can first reroute Internet traffic for

googlecom to you Only affect users

within that country or under that ISP

Also affecting

the Cloud

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 19: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

- Hacking mailboxes of (known) people

- Hacking email adresses and

passwords from corporates egPhilips

- Hacking and Ransoming

(Rex Mundi) Accord (NL)

Elantis (BE) CreditPret (FR)

- Hacktivism Flash bang Mentality

change (Anonymous GhostShell)

And

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

bull More mobile Malware Apps related malware =gt Drive-By-Download based mobile malware

bull More MitB driven attacks to gain access to encrypted data and to the cloud

bull More Human based behaviour attacks (social)

bull 64Bit Malware Ransomware Java based malware

bull Botnets continue to (mis)use internal networks of companies

bull More targeted attacks cyberespionage and cybersabotage ( not only nation driven)

bull More hacks of SMB websites

=gt =gt =gt Most of it Under the radar of the public lt= lt= lt=

THE FUTURE

Malware related to

A Secure Solution for mobile threats hellip-)

Thank you Questions

Twitter EddyWillems

Page 20: Security, Malware, Threats Now and Tomorrowdownload.minoc.com/2012/12/BMIT20_Security_GData.pdf · 2012-09-18 · Eddy Willems Security Evangelist ... 2012: Flame, advanced spyware

Problem 4 Cyberespionage and Sabotage Stuxnet Duqu Flame

- Discovered July 2010

- Used Windows OS industrial software application Siemens PLC

- Using 5 vulnerabilities (4 Zero Day Vulnerabilities)

- Initially spread via USB (= Floppy) afterwards peer-to-peer

functionalities

- Targetting SCADA company based in Finland and the real target

nuclear plant based in Iran

- Problems caused in enrichment of Uranium Success

Cybersabotage

Internet

The real problem Todayrsquos

Networks Lack Boundaries

Contractors

Mobile Users

Network

Telecommuters

Wireless Users

InternalExternal network

Individual Users connect from multiple locations

ManagedUnmanaged devices

Individual devices operate both inside the network

and on public networks

New Devices on the Network eg Netbooks Mobile

devices etc

Question Who has an Android phone iPhone

Symbian BlackBerry Tablet

The first incidents

Liberty Horse Trojan Sept 2000

Telefonica SMS Mailer Dec 2000

911 DoS SMS Mailer in Japan April 2001

Flooder sending not wanted SMS Aug 2001

Phage destroys files on Palm Sept 2001

Vapor Trojan Horse hides applications Oct 2001

GPRS hack into 25G US network devices Nov 2002

Nokia 6210 V-card Exploit Feb 25 2003

Siemens ldquoStringrdquo Exploit March 2 2003

ATampT SMS Trojan May 5 2003

First Symbian based Trojan Sept 2003

Problem 5

Mobile threats and BYOD

Source Gartner

0

10

20

30

40

50

60

70

2007 2008 2009 2010 2011e 2012e

Symbian iPhone Blackberry Win Mobile Android

Global Market Share of Mobile OS percentage for smartphones - 2007 to 2012 (e = expected)

Security Model

Unix multi-user sandbox (uidgid)

No permissions by default

Strict permissions

bull Enforced by kernel

bull Displayed on installtime

bull Not changeable later on

DroidDream Googlersquos removal tool

Which is the real tool

The Update Problem

- 2011 = +- 1800 total mobile malware threats (until December 2011)

- 2012 = +- 13000 total mobile malware (until July 201296 Android)

Mobile Malware Situation

• More mobile Malware, Apps related malware => Drive-By-Download based mobile malware

• More MitB driven attacks to gain access to encrypted data and to the cloud

• More Human based behaviour attacks (social)

• 64Bit Malware, Ransomware, Java based malware

• Botnets continue to (mis)use internal networks of companies

• More targeted attacks: cyberespionage and cybersabotage (not only nation driven)

• More hacks of SMB websites

=> => => Most of it: Under the radar of the public <= <= <=

THE FUTURE

Malware related to

A Secure Solution for mobile threats … ;-)

Thank you! Questions?

Twitter: @EddyWillems
