Modern Threats Landscape & GTI Alex de Graaf Director, Pre-Sales McAfee, Emerging Markets EMEA

MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

DESCRIPTION

Presentation slides from the talk by McAfee sales director Alex de Graaf. The talk was given at the McAfee&Intel DAY conference on 15 October in Kyiv.

Page 1: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Modern Threats Landscape & GTI

Alex de Graaf
Director, Pre-Sales
McAfee, Emerging Markets EMEA

Page 2: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Q2-2013 Key Trends

• The Dark Seoul attack against banks and media companies in South Korea

• Backdoor Trojans and banking malware were the most popular mobile threats this quarter

• Ransomware, which holds a computer hostage until the victim pays to free it, is getting worse.

• Spam levels are bouncing back

Page 3: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Q2-2013 Key Trend:

The Dark Seoul Attack

• The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development project that has been named Operation Troy.

• McAfee Labs' investigation into the Dark Seoul incident uncovered a long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.

• McAfee Labs research found that the Dark Seoul attack was preceded by years of attempted cyberespionage.

• For details, read the McAfee Labs report “Dissecting Operation Troy: Cyberespionage in South Korea”.

Page 4: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Q2-2013 Key Trend:

Backdoor Trojans and Banking Malware

• “Backdoor” Trojans, which steal data without the victim’s knowledge, and malware that goes after banking login information have made up the largest portion of all new mobile malware families.

• Halfway through 2013, McAfee Labs had already collected almost as many mobile malware samples as in all of 2012.

• In Q2 2013 we added more than 17,000 Android samples to our database.

• Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 147 million samples in our malware “zoo.”

Page 5: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Q2-2013 Key Trend:

Ransomware is getting worse!

• Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen.

• The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter.

• During the past two quarters we have catalogued more ransomware than in all previous periods combined.

• Reason for ransomware’s growth:

  • It’s a very efficient means for criminals to earn money because they use various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for example, which must process credit card orders for the fake software.

  • An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon.

Page 6: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Q2-2013 Key Trend:

Spam levels are bouncing back

• This quarter volume reached 2 trillion messages in April, the highest figure we’ve seen since 2010.

• We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.

• Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are the most dramatic examples; each had an increase of greater than 200 percent this period.

Page 7: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Interested in the latest threats?

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2013.pdf

Page 8: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

McAfee Confidential—Internal Use Only

Malware Tsunami

McAfee Labs discovers over 100,000 samples every day

[Chart: timeline axis from 2000 to 2013]

Page 9: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Explosion of IP Devices

95% are unprotected

1 BILLION DEVICES

50 BILLION CONNECTED DEVICES

Page 10: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Malware Tsunami

[Chart: timeline axis from 2000 to 2013]

(100,000 Threats) * (50 Billion Devices) = X

Page 11: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

Rethink Security—a New Paradigm

THE CONCEPT OF SIGNATURES IS BROKEN

30 days to cross the office; Minutes around the Globe; Seconds around the Globe; Milliseconds???

• 1997: 50,000 known Threat Samples

• 2007: 450,000 known Threat Samples

• 2013 (YTD): 147 million known Threat Samples

• The future?

AMOUNT OF SAMPLES PER DAY AND TIME TO PROTECTION

KERNEL BASED ATTACKS

ZERO-DAY EXPLOITS

THE NEW NATURE OF ATTACKS

Page 12: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

What it Takes to Make Your Organization Safe

GLOBAL THREAT INTELLIGENCE

• 300M IPS attacks/mo.

• 2B botnet C&C IP reputation queries/mo.

• 20B message reputation queries/mo.

• 2.5B malware reputation queries/mo.

Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS, 3rd Party Feed, Geo location feeds

Network Activity, Affiliations, Ports/Protocol, IP Address, Web Reputation, URL, Web Activity, Sender Reputation, Mail Activity, Email Address, File Reputation, DNS Server, Application, Domain, Data Activity, Geo-location

THREAT REPUTATION

Page 13: MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN

What it Takes to Make Your Organization Safe

GLOBAL THREAT INTELLIGENCE

• 300M IPS attacks/mo.

• 2B botnet C&C IP reputation queries/mo.

• 20B message reputation queries/mo.

• 2.5B malware reputation queries/mo.

Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS, 3rd Party Feed, Geo location feeds

THREAT REPUTATION

10–30% Detection Improvement

Average 5.3 Day Reduction in Time to Protection

Protection will rely on the cloud increasingly in the future

GTI can be used for both new detections and false alarm avoidance
