Andrius Šaveiko, projektų vadovas

UAB Atviros informacinės sistemos

Kaspersky Lab. distributorius Lietuvoje

Andrius Šaveiko, projektų vadovas

UAB Atviros informacinės sistemos

Kaspersky Lab. distributorius Lietuvoje

Šiandieniniai skaitmeniniai pavojai ir apsisaugojimo būdai

Šiandieniniai skaitmeniniai pavojai ir apsisaugojimo būdai

Klaipėda, 2010

Turinys

Grėsmių klasifikacija ir skaičiai

Grėsmės ne Windows šeimos sistemoms

Grėsmių pobūdis

• Drive by Downloads

• Botnets

• Targeted Attacks

Aktyvios grėsmės

Tinklo įeigos taškų apsauga

Grėsmių klasifikacija ir skaičiaiGrėsmių klasifikacija ir skaičiai

Grėsmių klasifikacija

Kenkėjiška programinė įranga

Virusai

• Plinta iš failo į failą

Kirminai

• Plinta iš kompiuterio į kompiuterį

Trojos arkliai

• Neturi safarankiškos replikacijos

Kenkėjiški įrankiai

• Naudojami kenkėjiškų programų kūrėjų

• Pvz.: Pakuotojai, konstruktoriai, eksploitai

Trojos arkliai

Virusai iir kirminai

Kenkėjiški įrankiai

Grėsmių statistika: Q3 2010

| 21 April 2023

Source: Kaspersky Lab October2010

Grėsmių statistika Lietuvoje: Q3 2010

| 21 April 2023

Source: Kaspersky Lab October2010

Skaičiai

0250,000500,000750,000

1,000,0001,250,0001,500,0001,750,0002,000,0002,250,0002,500,0002,750,0003,000,0003,250,0003,500,0003,750,0004,000,0004,250,000 KL signatures

4,194,055 as of 17 Sept 2010

Source: Kaspersky Lab

Grėsmių ir spam‘o apdorojimas 2009

1992 – 2007: maždaug 2 mln. kenkėjiškų programų

Vien per 2009 metus: daugiau nei 14 mln. Naujų kenkėjiškų programų

Q1,2010 pabaiga: bendroj sumoj daugiau nei 36,2 mln. unikalių kenksmingų bylų Kaspersky Lab kolekcijoje

Kaspersky Lab šiuo metu apdoroja 1,5 – 3 mln. spam’o pavyzdžių per dieną!

Grėsmės ne Windows šeimos sistemomsGrėsmės ne Windows šeimos sistemoms

Unix-based malware

Slow rise in number of malicious programs

Total number of signatures for malware targeting Unix-based systems: 2722

2230

78117214

503

Linux

OSX

Sun OS

Unix

FreeBSD

Solaris

Source: Kaspersky Lab August 2010

Mobile malware: some statistics

Number of mobile malware families to date: 142

Number of mobile malware modifications to date: 926

Mobile malware found in August: 44 new modifications

Most common mobile threat: SMS-Trojans

Source: Kaspersky Lab August 2010

Mobile malware written for specific platforms:

33%

53%

7%6%1%

Symbian

J2ME

Python

WinCE

Other

First SMS trojan for Android

Example: Trojan-SMS.AndroidOS.FakePlayer.a

Pretends to be a media player

Sends SMS costing about $5 to Russian premium SMS numbers

Although anyone's device can be infected, it only causes losses for Russian users

Screenshot showing the malware

Grėsmių pobūdisGrėsmių pobūdis

Drive-by downloads

Recipe1.Find a vulnerable server2.Obfuscate your code to prevent easy analysis3.Insert your script onto the website4.Redirect users of the infected website to your malicious website5.Download malware to victims machine

Web page components

• 1 URL in the browser

• 222 links

• 45 images

• 32 scripts from 3 domains

• 5 cookies from 2 domains

• 4 flash objects from 2 domains

Vulnerabilities

Botnets

Botnet – robot (zombie) network

• A number of comprised machines controlled remotely

Botnet operation workflow

C&C – bot geo distribution

The cybercriminals can easily see where their victims are located or even target specific geo areas!

Dropzone

A Trojan dropzone is a server configured to receive stolen data

Stolen data can amount to several GB daily

Generally, cybercriminals tend to care and secure their valuables

Each cybercriminal group runs one or more Dropzones

Typical dropzone JPG screen captures

Cybercriminals have an interest in farming!

Profitability evolution – Cybercriminal Group “X”

400% growth in 9 months

-1000$

Even criminals have bad days

Total:

1.7 mil USD

Mobile Botnets

??

Mobile botnets will have almost the same functionality:

• send spam (e.g. SMS or MMS)

• steal passwords

• DDoS (telephone)?

Yet one more commercial offer on the cybercrime market

Net-Worm.IphoneOS.Ike.b - first ‘commercialised’ iPhone malware

Targeted attacks versus classic malware

Lethal injection versus a hail of bulletsTargeted attacks are not epidemics

• One email is enough, instead of tens of thousands

• Stay under the radar

Targeted organizations are either not awareor don’t publicly disclose information

• It is hard to get samples for analysis

Classic signature-based AV is useless

• New defence technologies

Much higher stakes

• Intellectual property theft,corporate espionage

Targeted attacks in 4 steps

1. Profiling the employeesChoosing the most vulnerable targets

Reconnaissance via social networks, mailing list posts, public presentations, etc

2. Developing a new and unique malware attackDoesn’t have to bypass all AV solutions, just the one used by the victim

Using social engineering to get the victim to click on a link

1. Gather OS, browser, plug-in versions – useful for vulnerabilities

• Gaining control and maintaining access2. Initial exploit drops malware onto victim machine

3. Networks are usually protected from outside threats

• Getting the ‘good stuff’ out quickly!Find an overseas office server to be used as an internal drop

Move data over the corporate WAN/intranet to the internal drop

Get all of the data out at once to the external drop server.

• Even if traffic is monitored, it might be too late to react

Targeted attacks: Aurora

CVE-2010-0249 vulnerability exploitation allowing remote code execution in Internet explorer.

Targeted major organisations including Google, Adobe and Juniper. Over 20 companies in total

designed to gain access to personal data and corporate intellectual property

Spread via email with malicious links

Scareware

Social Networks: Koobface

Social network malware: distribution 2009

27%

24%22%

17%

6%5%

VKontakteOdnoklassnikiFacebookOrkutHi5Twitter

VKontakte 87 million

Odnoklassniki 45 million

Facebook 500 million

Orkut 100 million

Hi5 50 million

Twitter 100 millionSource: Kaspersky Lab January 2010

Active ThreatsActive Threats

PAGE 30 |

Active Threats: Conficker

Active Threats: ZeuS aka Zbot, Wsnpoem, Kneber

The most popular banking Trojan in the wild!

Scotland Yard cuffs teens for role in cybercrime forum source: The Register: 24 June 2010

2 teenagers arrested for involvement largest English-language cybercrime forum

Forum had 8,000 members trading in malware, cybercrime tutorials and stolen banking information

Cybercrime tools for sale included the ZeuS Trojan and data stolen from machines it has already infected. Detectives have so far recovered 65,000 credit card numbers

Malware gang steal over $1m from one British bankSource: The Register: 10th August 2010

A banking Trojan attack has led to the fraudulent withdrawal of more than $1m from online banking accounts maintained with a UK bank since the start of July.Victims were infected by a Zeus banking Trojan variant while browsing the net. The Trojan swiped the customer's online banking ID and hijacked their online banking sessions, reportedly only targeting victims who had substantial balances

Most such attacks include the use of phishing middlemen to obtain funds from compromised accounts and transfer them by untraceable wire transfer to the Eastern European masterminds behind the scam

Active Threats: Gumblar

New Generation of Self Building Botnets!

Protecting Network Entry PointsProtecting Network Entry Points

Protecting Entry PointsAn entry point is any access route for data to get into the corporate network

Internet Gateway: Via web browser or ftp client

Drive-By Downloads is the most common infection route. Just browsing a website can lead to malware being downloaded automatically

Like all software browsers like Internet Explorer and Firefox contain vulnerabilities. These vulnerabilities are then exploited by cybercriminals to spread malware

Browser Add-ins like Adobe Flash Player and Acrobat Reader are also susceptible and have easy to exploit vulnerabilities and are now, in fact, the most ‘popular’ attack method used by cybercriminals

Social network sites and services like Facebook and Twitter are very popular as is instant messaging and they are also a perfect way to spread malware

Email Gateway: Via email clients like MS Outlook

Spam messages accounts for around 85% of all email traffic. Most are spread via botnets (see above)

Spammers use emails designed to look like legitimate notifications from social networking sites and email service providers to advertise Viagra and spread malware

Phishing attacks. Phishing is a form of social engineering trick to steal passwords, credit card and other information. The email you receive seems legitimate but then gets you to click on a link that takes you to a fake website where you asked to enter your information

Protecting Entry Points cont….

Network : Via File serversAccess can be via:LAN: Local Area NetworkWi-Fi: Wireless access usually for guests on the local networkWAN: Wide Area Network i.e. works across 2 or more connected sitesIf there is a security breach and malware has entered the network it will seek to spread. Viruses need user interaction i.e. someone has to click on the infected file. Network Worms, as their name suggests, will look for open ports to worm their way around the network. They can spread incredibly fastBlended Threats: a general description for malicious programs or bundles of malicious programs that combine the functionality of different types of malware and attack methods. So, for example functionality could include:Virus infectorNetwork wormKeylogger: To steal passwords and other sensitive dataP2P: Turn machines in the network into a Botnet controlled by the cybercriminal

Endpoint (Local Machine): CDs, USB sticks, smartphones and other removable devices

Computer users are usually the weakest link in the Security chain. Education is very important as is a security policy that everyone can understand and sign up to. However in the real world this is not always the case and cybercriminals take advantage of this

Malware with autorun functionality. So if you attach a USB memory stick or external hard drive to a machine it will automatically run

Concluding thoughts …

Cybercrime is very profitable

They use sophisticated yet easy to use systems

• Botnets using P2P and strong Encryption

• More targeted attacks

Cybercriminals are like online pickpockets following the crowd to social networks and smartphones

Prevention is a process:

• Modern hardware + software

• Internet Security Solution

• Patches and updates

• Right security mindset

• Education

Thank YouThank You

Andrius Šaveiko, projektų vadovas

UAB Atviros informacinės sistemos

Kaspersky Lab. distributorius Lietuvoje

Andrius Šaveiko, projektų vadovas

UAB Atviros informacinės sistemos

Kaspersky Lab. distributorius Lietuvoje

Šiandieniniai skaitmeniniai pavojai ir apsisaugojimo būdai

Šiandieniniai skaitmeniniai pavojai ir apsisaugojimo būdai