Kaspersky Lab analysts are seeing over 50,000 new malware threats per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team provided succinct presentations and discussion about the latest Internet threats that exist today, and offered tips to protect attendees from cybercriminals. These presentations provided a greater understanding of the threat landscape and what to expect throughout the rest of 2010.
New York City, August 5, 2010
Welcome
Randy Drawas, Chief Marketing Officer, Kaspersky Lab Americas
Kaspersky Lab
• Founded in 1997
• Headquartered in Moscow, the Russian Federation
• Trained as a cryptographer, Eugene Kaspersky got hit with one of the Internet's very first viruses in 1986.
Fighting Cybercrime for 25 Years
The World’s Largest OEM of Anti-Malware Technology (100+ Partners)
Kaspersky Technology Inside
• The world's largest privately-held anti-malware company
• 100% focus on threat protection and anti-malware
• Protecting 300 million systems worldwide; 50,000 new systems added every day
• 2,000 experts globally
• #1 selling software in U.S. retail, in a ranking that includes MS Office and World of Warcraft
Fastest Growth in the Security Industry
Special Guest: Scott Stratten, UnMarketing, @unmarketing
Today's Moderator: Ryan Naraine, Security Evangelist, Kaspersky Lab Americas
Agenda
• The Rise & Rise of Scareware: Nicolas Brulez, Senior Malware Researcher, France
• Behind the Scenes of Identity Theft: David Emm, Senior Researcher, United Kingdom
• Social Media & the Automation of Targeted Attacks: Stefan Tanase, Senior Anti-Virus Researcher, Romania
• Aurora Who?: Roel Schouwenberg, Senior Anti-Virus Researcher, U.S.
The Rise & Rise of Scareware
Nicolas Brulez, Senior Malware Researcher, Global Research and Analysis Team
History and Evolution of Rogue AV
• 2006: Desktop hijackers, fake anti-spyware
• 2007: Fake registry cleaning tools added
• 2008: Desktop hijackers, fake anti-virus (rogue anti-virus)
• 2009: System notifications (popups near the system tray) became standard behavior
• 2010: Fake anti-virus becomes more advanced; now includes phone, chat and e-mail support, uninstallers and multi-language support
Infection Vectors
• Black hat SEO
• Spam
• Fake videos and fake codecs
• Social networks
• Instant messengers
• Downloaded and installed by prior malware infections
Scaring People 101
• Number of "detected" threats: up to 70
• Popups
• Wallpaper hijacking
• Copying the look and feel of legitimate anti-virus products, including fake behavior-detection alerts
• Task Manager injection
• Sounds, screen blinking
• Fake network intrusion detection
Rogue AV Support
• A real person, ready to answer any question
• Phone support
• 24x7 support
• E-mail support in any language
Conclusion and Predictions
• Rogue AV has greatly improved during the past 4 years:
– Professional, localized graphical interface
– Phone, email and live chat support, 24/7
– Advanced scaring techniques
– Multiple ways to target new "customers"
• We predict improvements in the support systems to make them appear more legitimate
• New scaring and spreading techniques will appear in the future
Thank you! Nicolas Brulez, Global Research and Analysis Team
Behind the Scenes of Identity Theft
David Emm, Global Research and Analysis Team
Setting the Scene: Cybercrime
• Cybercrime is a booming business:
– It's profitable.
– It's easy to do.
– It's low-risk.
• Botnets are a core component of the threat landscape.
• The drop-zone is where they stash the stolen loot.
• Let's take a closer look at:
– Their modus operandi
– The drop-zone of a banking Trojan
The Zeus Trojan
• Zeus, aka Zbot, Wsnpoem, Kneber
• The most popular banking Trojan in the wild
• First appeared at the end of 2006
• Thousands of versions available
• Full pack with generic version: $500-$1,000
• Full pack plus unique, exclusive version: $3,000-$5,000
• Many plug-ins and modules available, licensed separately
Typical Zeus Distribution Page
Zeus Infections Worldwide
Command & Control
• Online command & control panels provide easy management of cybercriminal bot armies.
• In the panel's exploit statistics, PDF exploits for Adobe Reader top the charts.
C&C – Bot Geo Distribution
The cybercriminals can easily see where their victims are located, and can even target specific geographic areas.
C&C – Infection Statistics
C&C – Maintenance
Trojan Drop-Zones
• What is a Trojan drop-zone? A server configured to receive and store stolen data.
• This may amount to several GB daily.
• Cybercriminals generally like to take care of their valuables, so they typically run several drop-zones.
• Average drop-zone size: 14 GB
• Average number of files in a drop-zone: 31,000
Dump File Analysis
• JPG: screen captures, used for spying on victims
• TXT: private information, used for financial gain
• PFX: certificates, used for financial gain
• DAT: scripts and server-side programs
Drop-Zone Logs
Each record holds the name of the infected PC, the bot version, the country, the operating system and the malware location on disk. The logs can be easily read and understood, and they contain thousands of credit cards and bank accounts.
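The two slides above say what a drop-zone dump contains (screen captures, text with private data, PFX certificates, DAT scripts) and that the logs are easy to read. The Python triage script below is an added example, not Kaspersky Lab's code or any tool named in the deck; it shows how a responder working through a seized dump would classify recovered files by their content rather than their extension (criminals rename files freely) and pull Luhn-valid card numbers out of the text captures to size the exposure. Every file name and byte string in SAMPLE_DUMP is constructed for the example.

```python
"""Triage of a drop-zone dump: classify recovered files by content, not by
extension, and count Luhn-valid card numbers in the text captures.
Added example; the sample dump below is constructed, not real drop-zone data."""
from __future__ import annotations

import re
from collections import Counter

# Constructed stand-in for files recovered from a seized drop-zone.
# "renamed.dat" is deliberately a JPEG carrying the wrong extension.
SAMPLE_DUMP = {
    "shot_001.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "victim_5.txt": (
        b"host=WORKSTATION-7 bot=1.2.4.2 country=US os=XP\n"
        b"user=alice pass=hunter2\n"
        b"card=4111111111111111 exp=12/12\n"   # passes Luhn
        b"card=4111111111111112 exp=01/13\n"   # typo or junk, fails Luhn
        b"card=5500000000000004\n"             # passes Luhn
    ),
    "renamed.dat": b"\xff\xd8\xff\xdb" + b"\x01" * 8,
    # PKCS#12 DER header: SEQUENCE, version INTEGER 3, SEQUENCE, pkcs7-data OID
    "cert.pfx": (b"\x30\x82\x02\x5c\x02\x01\x03\x30\x82\x02\x23"
                 b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01\xa0"),
    "gate.dat": b"\x00\x01\x02\x7f\x80\xffbinary-config",
}

# OID 1.2.840.113549.1.7.1 (pkcs7-data), present in every PKCS#12 authSafe.
PKCS7_DATA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
CARD_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def classify(blob: bytes) -> str:
    """Map a file to the dump's own four buckets (JPG/TXT/PFX/DAT) by magic bytes."""
    if blob.startswith(b"\xff\xd8\xff"):                # JPEG SOI marker
        return "JPG"
    if blob[:1] == b"\x30" and b"\x02\x01\x03" in blob[:8] and PKCS7_DATA_OID in blob:
        return "PFX"                                    # PKCS#12 v3 container
    if blob and all(b in TEXT_BYTES for b in blob):     # printable ASCII only
        return "TXT"
    return "DAT"                                        # anything else: scripts, binaries


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; weeds out typos and junk."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_cards(text: bytes) -> list[str]:
    """Unique Luhn-valid 13-19 digit numbers, in order of first appearance."""
    seen, found = set(), []
    for m in CARD_RE.finditer(text):
        num = m.group().decode()
        if luhn_ok(num) and num not in seen:
            seen.add(num)
            found.append(num)
    return found


def triage(dump: dict[str, bytes]) -> dict:
    """Per-type counts, files whose extension lies about their content,
    and the de-duplicated valid card numbers found in the text captures."""
    counts = Counter()
    misnamed, cards = [], []
    for name, blob in dump.items():
        kind = classify(blob)
        counts[kind] += 1
        ext = name.rsplit(".", 1)[-1].upper()
        if ext != kind:
            misnamed.append(name)
        if kind == "TXT":
            cards.extend(c for c in extract_cards(blob) if c not in cards)
    return {"counts": dict(counts), "misnamed": misnamed, "valid_cards": cards,
            "private_keys_at_risk": counts["PFX"]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The PFX count is reported separately because a PKCS#12 file usually bundles a private key with the certificate, so each one is a credential that must be revoked, not just data that was read. Classifying by magic bytes instead of extension is what catches "renamed.dat" as a screen capture.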
Intercepting Financial Transactions
Cybercriminals can intercept financial transactions on-the-fly and change the receiving account to their own.
Profitability Evolution – Cybercriminal Group 'X'
[Chart: earnings over nine months. Total: $1.7 million; 400% growth in 9 months; one day at -$1,000 (even criminals have bad days).]
Conclusions
• Cybercrime is highly profitable.
• The systems are sophisticated but easy to use.
• Drop-zones can be closed, but new ones appear immediately.
• There are many victims.
• Mitigation is a process:
– Modern hardware and software
– Patches and updates
– An Internet security solution
– The right security mindset
– Education
Thank you! David EmmGlobal Research and Analysis Team
Social Media & the Automation of Targeted Attacks
Stefan TanaseGlobal Research and Analysis Team
The Evolution of Malware
• 1992 – 2007: 2,000,000 unique malware programs
• 2009: more than 15,000,000
• End of 2009: approximately 34,000,000 unique malicious files in the Kaspersky Lab collection
Motivation: How Cybercriminals Make Money
By stealing, of course:
• Stealing directly from the user: online banking accounts, credit card numbers, electronic money, blackmail.
• What if the victim doesn't have money? Providing IT resources to other cybercriminals: creating botnets, sending spam, launching DDoS attacks, pay-per-click fraud, affiliate networks, renting computing power, collecting passwords, etc.
• Providing access to targeted SMB and enterprise networks to interested third parties.
Targeted Attacks: Threats to SMBs and Enterprises
Targeted Attacks vs. Classic Malware
• Targeted attacks are not epidemics: one email is enough, instead of tens of thousands.
• Targeted organizations are either not aware or don't publicly disclose information.
• It is hard to get samples for analysis.
• Classic signature-based AV is useless here; new defense technologies are needed.
• The stakes are much higher: intellectual property theft, corporate espionage.
Targeted Attacks in Four Steps
• Step 1 – Reconnaissance: choose the most vulnerable targets among the employees.
• Step 2 – Develop an undetectable malicious program: it doesn't have to bypass all AVs, just the one used by the victim.
• Step 3 – Mix the malicious payload with a perfectly tailored social engineering strategy.
• Step 4 – Deliver the attack.
What's Socially Acceptable?
• "White", "black", "pink"... "not wearing any"
• So much personal information is public on social networks right now.
• Advertisers are already doing it with targeted ads: age, gender, location, interests, work field, browsing habits, relationships...
Targeted Attacks Becoming Mainstream
• Targeted ads? Targeted attacks are already out there.
• Social networks enable cybercriminals to deliver automated targeted attacks.
• The personal data is there. The next step is automation:
– Geographical IP location has been around for a while.
– Automatic language translation services are becoming better.
– Personal interests and tastes are public (e.g. trending topics).
Examples: geo targeting, language targeting, interests targeting
Kaspersky Lab US Press Tour - San Francisco & New York - August 2010
Surviving Targeted Attacks
• Proper security mindset
• User education and awareness (the human mind is hard to patch)
• Proactive protection technologies: virtualization and sandboxing, behavioral analysis
• A highly motivated targeted attacker will eventually succeed.
A Targeted Attack Demo
Thank you! Stefan TanaseGlobal Research and Analysis Team
Aurora Who?
Roel Schouwenberg, Global Research and Analysis Team
What is Stuxnet?
Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010
• Targets SCADA networks, Siemens Simatic WinCC specifically
• Uses rootkit technology
• Spreads via USB sticks
• Once infected, machines become part of the Stuxnet botnet
How Does Stuxnet Exploit a Zero-Day Vulnerability?
• Weak point: Windows processing of shortcut (.LNK) files, CVE-2010-2568
• Stuxnet uses the vulnerability to spread via USB sticks
• Infection is near-automatic when an infected USB stick is plugged in: the exploit fires when Windows Explorer renders the shortcut's icon, with no click required
• Monday, August 2nd: Microsoft published an out-of-band patch (MS10-046)
• The exploit has since been adopted by other families: Sality, Zeus, Vobfus and others
Signed Drivers
• Signed malware is not new.
• Realtek and JMicron certificates were stolen.
• VeriSign-signed files are trusted by security software, and a valid signature made with a stolen certificate keeps passing until that certificate is revoked.
Stuxnet Geographic Distribution
Stuxnet vs. Aurora
• Aurora had a zero-day against an old product: IE6.
• Stuxnet has a zero-day which works on old and new versions.
• Stuxnet has signed drivers to evade security software.
• Stuxnet uses rootkit technology to hide itself.
• Aurora is a Trojan horse; Stuxnet is a worm.
Closing Thoughts on Stuxnet…
• This is the most sophisticated attack seen so far.
• We suspect nation-state involvement.
• The Stuxnet botnet has been sinkholed.
• We're still investigating; more to come...
Predictions
• The attack is too complex to become mainstream.
• Similar attacks are likely to slip under the radar.
• Microsoft must improve its handling of signed files.
Thank you! Roel SchouwenbergGlobal Research and Analysis Team
Introducing Kaspersky Lab's 2011 Consumer Security
Peter Beardmore, Consumer Product Team
The Challenge: Stay Ahead, Outwit, Think Different, Innovate
Kaspersky Anti-Virus 2011
Kaspersky Internet Security 2011
Today's Security is Complex
• AV engine
• Frequent, small updates
• iSwift/iChecker
• Proactive Defense
• System Watcher
• System Monitoring
• Anti-Banner
• Cloud-based threat intelligence
• URL Filtering
• UDS (Urgent Detection System)
• Application Security Rating
• Dynamic Rating
• Application Control
• Firewall
• Vulnerability Scanning
• Safe Run
• Safe Desktop
• Safe Surf
• Virtual Keyboard
• Gamer Mode
• Anti-Spam
• Parental Control
• Heuristics
• Rescue Disk with USB option
• Geo Filter
• Web Toolbar
• Network Monitor
• Browser Configuration
• Privacy Cleaner
Kaspersky Makes It Easy and Intuitive
Today's Premium Protection
• Real-time Protection
• Emerging Threat Protection
• ID Protection
• Family Protection
Real-time Protection
• Kaspersky Security Network
• URL Filtering
• Urgent Detection System (latest threats)
• NEW: Safe Surf
• NEW: Safe Run for Web
• NEW: Geo Filter
Emerging Threat Protection
• Application Security: Proactive Defense; Application Security Rating and Vulnerability Control; Application Control
• NEW: System Watcher (monitor, log, reverse)
• NEW: Safe Desktop
ID Protection
• Anti-Phishing
• Virtual Keyboard
• Identity Information Control
• NEW: Proactive Phishing Protection
Family Protection
• Block, limit access to, or log family activities:
– Time online
– Web content
– File downloads
– Communications via email, IM and social network contacts
– Personal information (credit cards, phone numbers, etc.)
– Specific words
– Applications
– Games
– Time on computer
• NEW: added features
Kaspersky is Built for Speed
• Intelligent scanning
• Optimized
• Small, frequent updates
Kaspersky Even Installs On Infected Computers
Kaspersky Anti-Virus 2011
Kaspersky Internet Security 2011
Reassuring. Optimized. Different. Always Ahead. Relentless.
Closing
Monica Vila, Chief Technology Mom, The Online Mom
THANK YOU!