april: ryan sherstobitoff topic: virus and intrusion prevention
TRANSCRIPT
Panda Software SecurityCast
Ryan Sherstobitoff, Product Technology Officer, Panda Software, USA
Agenda
• Current Malware trends and statistics
• The rise of economically motivated malware
• Understanding your enemy – Targeted attacks
• Security 2.0 – Defense Strategies
• Product Solutions
Malware Trends 2000 - 2007 [chart slides: payload vectors; signs and symptoms]
Malware Trends 2000 – 2007 – Cont. [chart: new and unique samples detected by AV labs]
Current Malware Trends & Statistics
• Current situation regarding Malware
• Statistics from Panda Labs
• Change in Malware dynamics
• Effects on the industry & end-users
Current Situation
• Malware is now economically motivated and backed by organized crime and foreign interests.
• The development of highly critical malware such as targeted attacks is also on the rise.
• The level of sophistication behind malware makes it extremely difficult for traditional solutions to detect and remove.
• Creation of bot-networks to defraud businesses and consumers through sophisticated social engineering.
Statistics from Panda Labs [three chart slides, no text]
Change in Malware Dynamics
The dynamics of malware have changed and the visible front has diminished. The “Silent Epidemic” has emerged.
[Chart: malware categories (worms, spam, phishing, bots, viruses, spyware, targeted Trojans, rootkits, “spear phishing”) plotted by visibility against propagation and grouped into a stable front, a growing front and a front in decline]
Effects on the Industry and End-Users
• Cyber-criminals have turned to new techniques to stay ahead of the game. Hundreds of new variants of malware are released each month in an attempt to overload the resources of AV research labs.
• Consumers are now the prime target for ID theft and other on-line fraud.
• Traditional signature-based anti-virus solutions have become useless against these new, sophisticated attacks.
The rise of economically motivated malware
• Overview of crime-ware families
• How bot-nets are used to commit financial fraud
• Sophisticated social engineering tricks used today
• Infection strategies used by hackers
Overview of crime-ware families
Crime-ware is broken down into several categories:
• Banking Trojans (Banker.BSX, Banbra variants, Citifraud.a, Crazyfrog.a, Bancos.NL)
• Keyloggers (Banbra, Cimuz)
• Bots (Clickbot.a, Botnet.A)
• Phishing (Barclays, PayPal)
• Targeted Trojans (Israel case)
How bot-nets are used to commit financial fraud
• A bot network consists of a “controller” and compromised zombie PCs. There have been cases of bot networks containing up to 1.5 million zombie PCs, as in the Dutch bot-net case.
• The bots that infect systems can perform several actions, such as relaying spam, launching further malware and performing ID theft.
• A common method of bot infection is through websites that host exploits for browser vulnerabilities and actively push malware to the PC visiting the site. Components such as ActiveX controls can also be downloaded that then handle the rest of the infection process.
• Social engineering techniques also exist to infect systems through spam, phishing and other content.
• Once a PC has been infected it can receive remote commands from the “Bot Master”.
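A zombie that waits for commands has to check in with its controller on a schedule, and that regularity is something defenders can look for in outbound proxy or firewall logs. The script below is an added example, not part of the original presentation and not Panda's code: it groups connections per source/destination pair and flags pairs with many hits at a near-constant interval. The log format (timestamp, source IP, destination host, bytes sent) and every line in SAMPLE_LOG are constructed for the example.

```python
"""Beaconing check-in detection over constructed outbound-proxy log lines.

A zombie PC that waits for commands from its bot master has to check in with
the controller on a schedule. In outbound logs that shows up as many small
requests from one host to one destination at a near-constant interval, which
is what this script looks for. The log format (timestamp, source IP,
destination host, bytes sent) and every line in SAMPLE_LOG are constructed
for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.12 checks in every ~5 minutes with ~300 bytes
# (bot-like); 10.0.0.25 browses the same site irregularly (user-like).
SAMPLE_LOG = """\
2007-04-02T09:00:00 10.0.0.12 update.example-cdn.net 310
2007-04-02T09:00:03 10.0.0.12 www.example.com 1200
2007-04-02T09:05:00 10.0.0.12 update.example-cdn.net 305
2007-04-02T09:07:41 10.0.0.12 mail.example.com 4020
2007-04-02T09:10:01 10.0.0.12 update.example-cdn.net 312
2007-04-02T09:15:00 10.0.0.12 update.example-cdn.net 309
2007-04-02T09:19:57 10.0.0.12 update.example-cdn.net 311
2007-04-02T09:25:00 10.0.0.12 update.example-cdn.net 308
2007-04-02T09:01:10 10.0.0.25 www.example.com 980
2007-04-02T09:14:22 10.0.0.25 www.example.com 1700
2007-04-02T09:33:05 10.0.0.25 news.example.org 2200
2007-04-02T09:48:50 10.0.0.25 www.example.com 1100
2007-04-02T10:02:00 10.0.0.25 www.example.com 990
2007-04-02T10:12:31 10.0.0.25 www.example.com 1500
"""


def parse_log(text):
    """Group (timestamp, bytes) per (src, dst) pair; blank lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(sent)))
    return flows


def flow_stats(events):
    """Return (count, mean gap seconds, gap CV, mean bytes) for one src/dst pair.

    The coefficient of variation (CV) of the inter-arrival gaps is the
    regularity measure: close to 0 means a fixed timer, large means
    human-driven traffic.
    """
    events = sorted(events)
    times = [t for t, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(events), None, None, None
    avg_gap = mean(gaps)
    cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
    return len(events), avg_gap, cv, mean(b for _, b in events)


def find_beacons(text, min_connections=5, max_cv=0.15):
    """List src/dst pairs whose timing looks like a scheduled check-in."""
    suspects = []
    for (src, dst), events in parse_log(text).items():
        n, avg_gap, cv, avg_bytes = flow_stats(events)
        if n >= min_connections and cv is not None and cv <= max_cv:
            suspects.append({
                "src": src, "dst": dst, "connections": n,
                "period_s": round(avg_gap), "cv": round(cv, 3),
                "mean_bytes": round(avg_bytes),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_LOG):
        print(f"{s['src']} -> {s['dst']}: {s['connections']} hits every "
              f"~{s['period_s']}s (cv={s['cv']}, ~{s['mean_bytes']} bytes)")
```

The thresholds (five connections, CV at most 0.15) are starting points, not tuned values: legitimate software updaters also poll on a timer, so the flagged destinations still need to be checked against an allow-list, and bots that add random jitter to their sleep interval will need a looser CV bound or a longer observation window.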
How botnets are used to commit financial fraud - Cont. [two chart slides, no text]
Sophisticated Social Engineering
Some common sophisticated social engineering techniques are:
• Spear-Phishing and other highly targeted scams
• Spam with exploits
• Phishing emails that direct users to web-sites with hidden Trojans
• Malware through IM channels
Infection strategies used by hackers
Common infection strategies used by hackers:
• A web-site is compromised and seeded with Trojans (e.g. the Super Bowl website case).
• Phishing emails with exploits
• Malware transmitted through IM channels
• Malware attached to free-ware and share-ware
• Malware in the form of video codecs
• Infection through bot-nets
Understanding your enemy – Targeted attacks
• Overview of Targeted attacks
• The mechanics of Targeted attacks
• What is “Highly Critical” malware
• Some real-world cases
Overview of Targeted Attacks
• Involves “Highly Critical” malware tailored to attacking a specific target (e.g. Bank of America)
• Such malware targets a specific set of confidential information to capture and send to a third party
• Targeted attacks always involve a hacker hired to design malware to bypass specific defenses
• Attacks are very localized; therefore, distribution is limited. In most cases AV labs do not receive a sample, which results in no signature file.
• Current security solutions will not detect the malware because the hacker has tested it to ensure they do not.
• Hackers are using sophisticated stealth techniques such as root-kits to hide the presence of malware
The Mechanics of a Targeted Attack
[Diagram] Research → Discovers target → Installs malware → PC accesses database → Credit card data stolen
Security 2.0 – Defense Strategies
• Defending against “Highly Critical” malware
• Tracking and defending against botnets
• Protection strategies
Defending against “Highly Critical” Malware
Tracking and defending against bot-nets
Protection Strategies
Product Solutions
• What is Malware Radar?
• Software as a service
• Real results obtained in pilot companies
• How Malware Radar works
Panda RISK Assessment
It is an automated audit service of the whole network:
• On-demand
• It can be run locally or remotely
• It does not require local installation or uninstallation of current security software
• It is designed to search for and find:
1. Any malware on the network, including malware that goes undetected by traditional protection solutions (highly critical or targeted malware), active or latent, known or unknown
2. Security flaws: protection (check the security protection status) and critical vulnerabilities (check for critical vulnerabilities exploited by malware, i.e. security holes)
• And it allows the malware detected to be cleaned (greater protection)
What is Malware Radar?
Malware Radar Foundations
• Proactive approach of the latest generation of the TruPrevent genetic heuristic technologies
• Collective intelligence
– Datacenter network of 100 servers
– Based on: collection of data from the community; automated data processing; release of the knowledge extracted
New Model: Collective Intelligence
1) Collection of data from the community. The data comes from different sources.
2) Automatic data processing. The system automatically analyzes and classifies the thousands of new samples received every day. To do this, an expert system correlates the data received from the community with PandaLabs’ extensive malware knowledge base.
3) The knowledge extracted is made available to users.
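The three steps above (collect, correlate automatically, release) and the targeted-attack problem from the earlier section (the lab never gets a sample, so there is no signature, and the attacker has tested the file against the scanner) can be shown together in one small model. The following is an added example and not Panda's or PandaLabs' code: a triage routine that first correlates a submission with hash verdicts the knowledge base already holds, then tries a byte signature, then falls back to behaviour-based scoring, and finally publishes the verdict so the next host that submits the same file is answered without re-analysis. The sample bytes, the sandbox behaviours, the rule weights and the threshold are all constructed for the example.

```python
"""Automated sample triage against a shared knowledge base (constructed example).

Models the three steps of the collective-intelligence loop: samples arrive
from many reporting hosts, an automated classifier correlates each one with
what the lab already knows, and the verdict is published back so the next
host that sees the same file gets an answer without re-analysis. The
classifier also shows the targeted-attack problem: a byte signature catches
the original sample but not a repacked variant, while behaviour-based rules
catch both. Sample bytes, sandbox behaviours, rule weights and the threshold
are all constructed for this example and are not a vendor's real rule set.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes            # file contents as submitted
    behaviours: frozenset  # what the file did when run in a sandbox


@dataclass
class KnowledgeBase:
    signatures: dict = field(default_factory=dict)  # family name -> byte pattern
    verdicts: dict = field(default_factory=dict)    # sha256 -> verdict string
    sightings: defaultdict = field(default_factory=lambda: defaultdict(set))  # sha256 -> hosts


# Constructed behaviour weights: what a banking Trojan / keylogger does.
BEHAVIOUR_WEIGHTS = {
    "hooks_keyboard": 3,
    "reads_browser_forms": 3,
    "posts_to_unknown_host": 3,
    "hides_own_process": 4,
    "writes_run_key": 2,
}
HEURISTIC_THRESHOLD = 6

SIG_BANKER = b"GRAB_FORM_DATA"  # constructed pattern standing in for a real signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Trivial 'packer': every byte changes, so no plain-text signature survives."""
    return bytes(b ^ key for b in data)


def signature_match(kb: KnowledgeBase, data: bytes):
    for family, pattern in kb.signatures.items():
        if pattern in data:
            return family
    return None


def heuristic_score(behaviours) -> int:
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)


def triage(kb: KnowledgeBase, sample: Sample, reporting_host: str):
    """Classify one submission; returns (verdict, how it was decided)."""
    digest = sha256(sample.data)
    kb.sightings[digest].add(reporting_host)           # step 1: collect
    if digest in kb.verdicts:                          # step 2: correlate with known verdicts
        return kb.verdicts[digest], "knowledge_base"
    family = signature_match(kb, sample.data)
    if family:
        verdict, how = f"malware:{family}", "signature"
    else:
        score = heuristic_score(sample.behaviours)     # unknown file: judge by behaviour
        verdict = f"malware:heuristic(score={score})" if score >= HEURISTIC_THRESHOLD else "clean"
        how = "heuristic"
    kb.verdicts[digest] = verdict                      # step 3: release the knowledge
    return verdict, how


BANKER_BEHAVIOUR = frozenset({"hooks_keyboard", "reads_browser_forms", "posts_to_unknown_host"})
KNOWN_BANKER = Sample("banker.known", b"MZ..stub.." + SIG_BANKER + b"..tail..", BANKER_BEHAVIOUR)
# Same code, repacked: the bytes differ, the behaviour does not.
VARIANT = Sample("banker.variant", b"MZ..unpacker.." + xor_pack(SIG_BANKER + b"..tail.."), BANKER_BEHAVIOUR)
CLEAN_UPDATER = Sample("updater.clean", b"MZ..vendor updater..",
                       frozenset({"writes_run_key", "posts_to_vendor_host"}))


def run_demo():
    """Submit the three samples from one host, then the variant again from a second host."""
    kb = KnowledgeBase(signatures={"Banker.sample": SIG_BANKER})
    log = []
    for host, sample in [("host-a", KNOWN_BANKER), ("host-a", VARIANT),
                         ("host-a", CLEAN_UPDATER), ("host-b", VARIANT)]:
        verdict, how = triage(kb, sample, host)
        log.append((host, sample.name, verdict, how))
    return log, kb


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(*entry)
```

The order of the checks is the point: the hash lookup is the cheap, community-derived step, the signature is the traditional step, and the behaviour score is what catches the repacked variant that the signature misses. A real behaviour model needs far more features and careful weighting, since a legitimate updater also writes a Run key and posts to the network, which is why the constructed clean sample scores below the threshold here.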
Collective Intelligence
• Initially, through the first Panda product to integrate it: Malware Radar.
– Periodically performing a malware audit along with the PIPS.
– In addition to Collective Intelligence, Malware Radar offers other advantages:
• It has more sensitive heuristics, so it detects more unknown malware
• It does not rely on the desktop protection being enabled and up-to-date
• It detects malware that other desktop protection does not detect (for example, rootkits)
How do we apply collective intelligence?
Software as a Service
Panda Malware Radar benefits from the software as a service (SaaS) concept:
• It does not require specific hardware
• It does not require any software to be installed; a web browser suffices
• The updates are immediate
– Latest technologies, latest signature file
– Latest version of the product without having to worry about upgrades
• The intelligence and the application are in Panda
– Minimum cost to the client
REAL Results of the BETA [chart: all these companies thought they were protected]
How does Malware Radar Work?
[Workflow diagram]
1. Real-time monitoring (registry, login, password)
2. Choose the PCs that you want to scan
3. Distribution of a client (without installation)
4. Scan: searches for all types of malware, evaluates the protection, detects vulnerabilities
5. Sends suspicious files to PandaLabs
6. Online summary
7. Reports and disinfection: generates detailed reports and allows disinfection of all malware detected
Conclusion