Malware in the 21 st Century – Is your identity secure? Jason Bruce, Detection development manager SophosLabs UK December 2005.


1 Malware in the 21 st Century – Is your identity secure? Jason Bruce, Detection development manager SophosLabs UK December 2005

2 Contents: Introduction; The scale of the threat; The changing landscape; Bots and botnets; Combined threats; Sophos' response; Conclusion

3 Company background. Sophos started in computer security in 1985. We were first to market anti-virus with monthly updates (1989). We were first to offer 24/7/365 technical support (1991). We extended cover to a wide range of desktop/server platforms. We established technology partnerships with leading managed service providers. We launched our own email virus protection in 2000. We acquired the anti-spam company ActiveState in 2003.

4 The scale of the threat

5 There are over 114,000 viruses in existence. SophosLabs analyses over 1000 new viruses, Trojans and worms every month

6 Number of new viruses

7 The changing landscape

8 The threat landscape changes… (diagram: the services around the spammer) Freeweb and webmail abusers; bulletproof hosting services; address providers; guaranteed-delivery (filter-proofing) services; spamming software and hardware providers; zombie networks (anonymous spam senders); exploited host networks; message tracking services.

9 The threat landscape changes… (diagram: the same services now serve not only the spammer but also the phisher, virus-writing gangs, hackers, credit card gangs and for-hire corporate espionage) Freeweb and webmail abusers; bulletproof hosting services; address providers; guaranteed-delivery (filter-proofing) services; spamming software and hardware providers; zombie networks (anonymous spam senders); exploited host networks; message tracking services.

10 The profile of a virus writer is changing... Virus writers now have a financial motive (phishing, stealing confidential data, denial-of-service extortion attempts, spam). More organised criminals see that viruses and Trojan horses can help them make money. They are less likely to make the "old school" virus writers' mistake of needing to show off to their friends. Law enforcement coordination is required to stop international virus-writing gangs.

11 …targeted attacks. Although large outbreaks make the headlines, there are also attacks targeted at specific sites or business rivals. These are less likely to be noticed than a large outbreak: "hacked to order" to steal information or resources. Large outbreaks typically target Windows PCs (the great unwashed public), but a targeted attack need not.

12 Bots and botnets

13 Definitions. Bot (zombie, drone): a piece of code developed to emulate human behaviour on a network; in computer security the term describes network-spreading viruses carrying a payload that allows a remote attacker to control the resources of the infected machine. Control is most frequently over IRC (default port TCP 6667).

14 Definitions. Botnet (zombie army): a group of bots controlled by a single originator/hacker. The botnet owner usually sets up an IRC server that allows authenticated access only to the specific IRC bot clients bundled with network-spreading worms. A botnet server is often connected with other IRC botnet servers.
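Slides 13 and 14 give a network operator one concrete handle on this: bots are most often controlled over IRC on TCP 6667, and a botnet is many hosts reporting to one server. The following is an added example, not from the presentation or from Sophos, of the detection logic that follows from that: parse outbound flow records, group connections on the IRC port by destination, and report servers that several internal hosts all talk to. The log format, addresses and hosts are constructed for illustration.

```python
# Added example (not SophosLabs code): find candidate IRC bot C&C servers in
# constructed outbound flow logs by counting distinct internal clients per
# destination on the IRC port. Constructed data throughout.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: "timestamp src_ip:src_port -> dst_ip:dst_port proto".
# 203.0.113.9 is contacted by three internal hosts on TCP 6667, which is
# what a small botnet rendezvous looks like from inside the network.
FLOWS = """\
2005-12-01T09:00:01 10.0.1.15:3344 -> 203.0.113.9:6667 tcp
2005-12-01T09:00:02 10.0.1.22:1105 -> 203.0.113.9:6667 tcp
2005-12-01T09:00:04 10.0.1.31:2211 -> 203.0.113.9:6667 tcp
2005-12-01T09:00:05 10.0.1.15:3350 -> 198.51.100.7:80 tcp
2005-12-01T09:00:09 10.0.1.40:4410 -> 198.51.100.40:6667 tcp
2005-12-01T09:00:12 10.0.1.22:1106 -> 203.0.113.9:6667 tcp
2005-12-01T09:00:15 10.0.1.50:1200 -> 203.0.113.9:6667 udp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$")

Flow = Tuple[str, str, str, int, str]  # (timestamp, src, dst, dst_port, proto)


def parse_flows(text: str) -> List[Flow]:
    """Parse one flow per line; lines that do not match the format are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def irc_clients_by_server(flows: List[Flow], irc_ports=(6667,)) -> Dict[str, Set[str]]:
    """Map each destination reached over TCP on an IRC port to the set of internal
    clients that connected to it. UDP and other ports are ignored."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in irc_ports:
            clients[dst].add(src)
    return dict(clients)


def suspected_botnet_servers(flows: List[Flow], min_clients: int = 3,
                             allowlist=frozenset()) -> List[str]:
    """Destinations on an IRC port contacted by at least min_clients distinct
    internal hosts, excluding known-good IRC servers, most clients first."""
    by_server = irc_clients_by_server(flows)
    hits = [(len(c), s) for s, c in by_server.items()
            if s not in allowlist and len(c) >= min_clients]
    return [s for _n, s in sorted(hits, reverse=True)]


if __name__ == "__main__":
    parsed = parse_flows(FLOWS)
    for server, clients in irc_clients_by_server(parsed).items():
        print(f"{server}: {len(clients)} client(s) -> {sorted(clients)}")
    print("suspected C&C:", suspected_botnet_servers(parsed))
```

This is a lead, not a verdict: the slide itself says 6667 is only the default port, so a bot told to use another port is invisible to this check, and a legitimate internal IRC server must go in the allowlist. Confirming the hit means looking at the IRC session (a JOIN to a channel whose topic carries commands is the classic tell) or at the client hosts themselves for the spreading and payload behaviour listed on slides 16 and 17.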

15 Botnets (diagram): the botnet originator (owner) runs Botnet 1 and Botnet 2 and hands them to a botnet user (customer) for spamming, keylogging, identity/funds theft and sniffing.

16 Bots – spreading methods. Direct: network shares; RPC DCOM; LSASS; the upgrade mechanisms of previous worms; Plug and Play. Indirect: rogue websites; email seeding.

17 Bots – payload: install spyware; spam relays/proxies; DDoS attacks; credit card number theft; password sniffing; bandwidth utilisation; rootkit technology (stealth); backdoor (FTP, HTTP servers); screen capture; update mechanisms.

18 Case study – Zotob – timeline. 9 Aug: Microsoft releases the patch for the Plug and Play vulnerability (MS05-039). 10-11 Aug: first exploits developed. 14 Aug: W32/Zotob-A released, no major impact. 17 Aug: W32/Tpbot-A takes a number of large corporations off-line; naming confusion. 18 Aug: new variants, bot wars.

19 Combined threats

20 Financially motivated malware. As well as traditional phishing websites and spam, we're also seeing more and more Trojan horses designed to steal bank account details. Attackers target financial and government institutions. Viruses include backdoors and functionality to steal confidential information.

21 Virus-spam-spyware cooperation. Viruses are used to harvest email addresses for spammers. Viruses infect networks using bots (zombie nets), and the virus writers sell the details to spammers to use as email proxies.

22 Spammer methods (through 2003). The reality was that spammers weren't that tricky after all: we were able to proactively identify the obfuscations, forged headers and other mistakes. 2 to 3 new obfuscation techniques per week; updates every 2 weeks. Their focus was content obfuscation and source rotation: 85% of spam contained HTML "cloaking", 35% referenced web images, and freemail sites (Yahoo, Hotmail) and open proxies were the most common spam sources.

23 Spammer methods (2004 to date). Rapid randomising of source, content and destination: sources now include spam zombies (virus payloads); content uses less obvious obfuscations (mis-spelling); destinations are disposable.

24 Sophos’ response

25 Multiple response mechanisms. Threat innovation is targeted: most new threats borrow from previous efforts but significantly vary one characteristic to evade detection. SophosLabs™ "race-horses" different approaches and deploys using the fastest mechanism, so that detection reaches your site as quickly as possible: 1. policy rule – message characteristics; 2. spam rule (Genotype) – campaign characteristics; 3. virus update – code characteristics. e.g. Bofra-B: the email distributed by W32/Bofra-B creates fake email headers to pretend it was created by a number of different legitimate email clients and that it has been checked for viruses.

26 Survival time - 11 minutes

27 Genotype spam definitions. A new class of spam techniques is emerging, driven by zombie usage and domain rotating; reputation and URL filtering don't react quickly enough. Genotype spam definitions identify campaigns by a common set of "static genes", detect complex randomised campaigns, deliver effective protection against evolving campaigns, and give campaign-based detection for more consistent catch rates. e.g. porn campaign (Nov/Dec 2004), messages missed / average catch rate: Reputation 46,647 missed / 43%; URI filtering 57,568 missed / 29%; Genotype 606 missed / 99.8%.

28 Proportion of spam detected by Genotype

29 Pro-active protection method: Genotype virus detection. Protection against as-yet-unknown variants; optimised for the enterprise environment; linked with the ability to unpack run-time packers (UPX, ASPack, Morphine).

30 Genes. Example genes: could copy itself to the Windows system folder; could send itself by email; could contain a backdoor; could terminate anti-virus software. Genes are inherited within a family: new members of a virus family "evolve", but most of their genes usually stay.
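Slides 27 and 30 describe the same idea from two sides: detect a spam campaign or a virus family by a set of "genes" it keeps across variants, rather than by an exact signature that a one-character change defeats. The block below is an added example, not SophosLabs' Genotype implementation, showing the shape of such a matcher: each gene is a predicate over features extracted from a sample, a genotype fires when at least a threshold of its genes match, and an "evolved" variant that drops one gene is still caught while a benign file sharing a single gene is not. The four executable genes are the ones slide 30 lists; the three email genes (word-splitting HTML comments, a fixed tracker path under rotating hosts, a forged X-Mailer) are constructed illustrations of "static genes", as are the family name, the AV process names and every sample.

```python
# Added example, not SophosLabs code: a minimal genotype-style matcher.
# Gene names, family/campaign names, AV process names and all samples are
# constructed for illustration.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Features = Dict[str, object]           # strings/imports of a binary, or headers/body of a mail
Gene = Callable[[Features], bool]


# --- genes over an executable's extracted strings and imports (slide 30) ---
def copies_to_system_dir(f: Features) -> bool:
    return "CopyFileA" in f.get("imports", ()) and any(
        "system32" in s.lower() for s in f.get("strings", ()))

def sends_itself_by_email(f: Features) -> bool:
    up = [s.upper() for s in f.get("strings", ())]
    return any(s.startswith("MAIL FROM:") for s in up) and any(s.startswith("RCPT TO:") for s in up)

def contains_backdoor(f: Features) -> bool:
    return {"bind", "listen", "accept"} <= set(f.get("imports", ()))

def terminates_av(f: Features) -> bool:
    av_procs = {"avp.exe", "ccapp.exe"}   # constructed list of AV process names a bot might kill
    return "TerminateProcess" in f.get("imports", ()) and bool(
        av_procs & {s.lower() for s in f.get("strings", ())})


# --- genes over a parsed email (slide 27): traits that stay fixed while the rest rotates ---
HTML_CLOAK = re.compile(r"\w<!--.*?-->\w")                    # HTML comment splitting a word
TRACK_URL = re.compile(r"https?://[^/\s]+/in\.cgi\?id=\d+")  # same path under rotating hosts

def html_cloaking(f: Features) -> bool:
    return bool(HTML_CLOAK.search(f.get("body", "")))

def tracker_url(f: Features) -> bool:
    return bool(TRACK_URL.search(f.get("body", "")))

def forged_mailer(f: Features) -> bool:
    # constructed heuristic: header claims Outlook Express but Message-ID is not of the <id@host> form
    h = f.get("headers", {})
    return h.get("X-Mailer", "").startswith("Microsoft Outlook Express") and "@" not in h.get("Message-ID", "")


@dataclass
class Genotype:
    name: str
    genes: Dict[str, Gene]
    min_genes: int                       # how many genes a sample must carry to be called a member

    def matched_genes(self, f: Features) -> Set[str]:
        return {name for name, gene in self.genes.items() if gene(f)}


GENOTYPES = [
    Genotype("W32/Example-Fam (constructed)", {
        "copies_to_system_dir": copies_to_system_dir,
        "sends_itself_by_email": sends_itself_by_email,
        "contains_backdoor": contains_backdoor,
        "terminates_av": terminates_av}, min_genes=3),
    Genotype("Spam campaign Example-Camp (constructed)", {
        "html_cloaking": html_cloaking,
        "tracker_url": tracker_url,
        "forged_mailer": forged_mailer}, min_genes=2),
]


def classify(f: Features) -> List[str]:
    """Names of every genotype whose gene threshold the sample reaches."""
    return [g.name for g in GENOTYPES if len(g.matched_genes(f)) >= g.min_genes]


# Constructed samples: what an unpacker plus string extractor, or a mail parser, would yield.
VARIANT_A = {"imports": {"CopyFileA", "bind", "listen", "accept", "TerminateProcess"},
             "strings": ["C:\\WINDOWS\\system32\\svchost32.exe", "MAIL FROM:<", "RCPT TO:<", "avp.exe"]}
VARIANT_B = {"imports": {"CopyFileA", "TerminateProcess"},    # evolved: backdoor gene dropped, 3 of 4 remain
             "strings": ["%SystemRoot%\\system32\\win.exe", "MAIL FROM:<", "RCPT TO:<", "ccapp.exe"]}
INSTALLER = {"imports": {"CopyFileA", "CreateFileA"},         # benign: shares only one gene
             "strings": ["C:\\WINDOWS\\system32\\lib.dll"]}
SPAM_1 = {"headers": {"X-Mailer": "Microsoft Outlook Express 6.00.2800.1106", "Message-ID": "0001"},
          "body": "Che<!--x-->ap me<!--y-->ds at http://foo-one.example/in.cgi?id=42"}
SPAM_2 = {"headers": {"X-Mailer": "Mozilla Thunderbird 1.0", "Message-ID": "<1@host.example>"},
          "body": "Ch<!--q-->eap m<!--z-->eds at http://bar-two.example/in.cgi?id=42"}
NEWSLETTER = {"headers": {"X-Mailer": "Microsoft Outlook Express 6.00.2800.1106", "Message-ID": "<2@mail.example>"},
              "body": "Our weekly update: http://news.example/issue/12"}

if __name__ == "__main__":
    for label, sample in [("variant A", VARIANT_A), ("variant B", VARIANT_B), ("installer", INSTALLER),
                          ("spam 1", SPAM_1), ("spam 2", SPAM_2), ("newsletter", NEWSLETTER)]:
        print(f"{label:10s} -> {classify(sample) or ['clean']}")
```

The threshold is what buys the "protection against as-yet-unknown variants" of slide 29, and it is also where the false positives live: the installer above carries the copy-to-system32 gene, as plenty of legitimate software does, so a single gene must never be enough on its own. In practice the genes are evaluated on the unpacked image (slide 29's UPX/ASPack/Morphine unpacking), since a packed sample shows none of these strings or imports.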

31 Genotype

32 Genotype detection rate

33 Conclusion

34 Today's threat is more organised. Your identity and personal details are at risk. There have been some notable wins. There is a desire for legitimacy amongst those on the fringe. We are winning the fight. Only agility will keep security companies ahead of the game.

35 Thank you Jason Bruce, Detection development manager SophosLabs UK December 2005

