TRANSCRIPT
Malware in the 21st Century – Is your identity secure?
Jason Bruce, Detection development manager
SophosLabs UK
December 2005
Contents
• Introduction
• The scale of the threat
• The changing landscape
• Bots and botnets
• Combined Threats
• Sophos’ response
• Conclusion
Company background
• Sophos started in computer security in 1985
• We were first to market anti-virus with monthly updates (1989)
• We were first to offer 24/7/365 technical support (1991)
• We extended cover to a wide range of desktop/server platforms
• We established technology partnerships with leading managed
service providers
• We launched our own email virus protection in 2000
• We acquired anti-spam company, ActiveState, in 2003
The scale of the threat
There are over 114,000 viruses in existence. SophosLabs analyses over 1000 new viruses, Trojans and worms every month
[Chart: Number of new viruses, Jan-96 to Jan-05, y-axis 0 to 120,000]
[Chart: Virus count increases per month, Feb-99 to Aug-05, y-axis 0 to 2,000 new viruses per month]
The changing landscape
The threat landscape changes…
[Diagram: the services around the spammer]
• Spammer
• Freeweb and webmail abusers
• Bulletproofing hosting services
• Address providers
• Guaranteed delivery - filterproofing services
• Spamming software and hardware providers
• Zombie Networks (anonymous spam senders)
• Exploited Host Networks
• Message tracking services
The threat landscape changes…
[Diagram: the same services, now joined by the malware and fraud underground]
• Spammer
• Freeweb and webmail abusers
• Bulletproofing hosting services
• Address providers
• Guaranteed delivery - filterproofing services
• Spamming software and hardware providers
• Zombie Networks (anonymous spam senders)
• Exploited Host Networks
• Message tracking services
• Virus writing Gangs
• Hackers
• Phisher
• Credit Card Gangs
• For-hire Corporate Espionage
The profile of a virus writer is changing...
• Virus writers now have a financial motive
(phishing, stealing confidential data, denial of
service extortion attempts, spam)
• More organized criminals see that viruses and
Trojan horses can help them make money
• They are less likely to make the mistakes that
the “old school” virus writers make of needing to
show off to their friends
• Law enforcement coordination required to stop
international virus writing gangs
…targeted attacks
• Although large outbreaks make the
headlines, there are also attacks
targeted on specific sites or business
rivals
• Less likely to be noticed than a large
outbreak
• “Hacked to order” to steal information
or resources
• Large outbreaks typically target Windows PCs (the great unwashed public), but this is not necessarily so for targeted attacks
Bots and botnets
Definitions
• Bot (Zombie, Drone)
• A piece of code developed to emulate human behavior on a network; in computer security, the term describes network-spreading viruses whose payload allows a remote attacker to control the resources of the infected machine
• Control most frequently over IRC (TCP 6667 default port)
Definitions
• Botnet (Zombie army)
• A group of bots controlled by a single originator/hacker
• The botnet owner usually sets up an IRC server that allows
authenticated access for specific IRC bot clients bundled with
network spreading worms
• Botnet server often connected with other IRC botnet servers
[Diagram: the botnet originator (owner) controls Botnet 1 and Botnet 2 and provides them to a botnet user (customer); uses shown: spamming, keylogging, identity/funds theft, sniffing]
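The definitions above give one concrete network indicator: many bots reporting to a single originator's IRC server, most often on TCP 6667. The following is an added example, not code from the talk or from Sophos, of turning that into a detection over flow records. The log format, the flow values and the thresholds (three or more internal hosts, connections held for at least ten minutes) are constructed assumptions for the example; the point is that the rendezvous is visible across hosts even when no single connection looks unusual.

```python
"""Flag likely IRC bot command-and-control rendezvous in constructed flow logs.

Added example, not Sophos code. The indicator is several internal hosts holding
long-lived connections to the same external host on an IRC port, which is what
a botnet built from network-spreading bots looks like from the inside.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

IRC_PORTS = {6667}  # default IRC port named in the talk; extend for local policy

# Constructed flow records (invented format): "timestamp src_ip dst_ip dst_port duration_s"
SAMPLE_FLOWS = """\
2005-12-01T10:00:01 10.0.1.15 203.0.113.9 6667 5400
2005-12-01T10:00:04 10.0.1.22 203.0.113.9 6667 5390
2005-12-01T10:00:09 10.0.1.31 203.0.113.9 6667 5380
2005-12-01T10:00:12 10.0.1.15 198.51.100.7 80 2
2005-12-01T10:01:00 10.0.2.8 203.0.113.9 6667 5300
2005-12-01T10:02:00 10.0.2.9 192.0.2.44 6667 12
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    duration: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, dur = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(dur)))
    return flows


def find_irc_rendezvous(flows: list[Flow], min_hosts: int = 3,
                        min_duration: int = 600) -> dict[str, list[str]]:
    """Return {external_ip: sorted internal hosts} for every IRC server that at
    least `min_hosts` distinct internal hosts hold connections to for at least
    `min_duration` seconds. A single short IRC session (a human chatting, or
    the 192.0.2.44 line above) does not qualify; a fan-in of long sessions does.
    """
    by_dst: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in IRC_PORTS and f.duration >= min_duration:
            by_dst[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}


if __name__ == "__main__":
    for server, hosts in find_irc_rendezvous(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible botnet C&C {server}: {len(hosts)} internal hosts {hosts}")
```

Bots that move off the default port, or that use the HTTP backdoors listed later in the talk, will not hit this rule; it is a cheap first pass to run over existing flow data, and the host list it returns is the starting point for cleaning up the infected machines.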
Bots – spreading methods
• Direct
• Network shares
• RPC DCOM
• LSASS
• Upgrading mechanisms of previous worms
• P’n’P
• Indirect
• Rogue websites
• Email seeding
Bots – payload
• Install spyware
• Spam relays/proxies
• DDoS attacks
• Credit card number theft
• Password sniffing
• Bandwidth utilisation
• Rootkit technology (stealth)
• Backdoor (FTP, HTTP servers)
• Screen capture
• Update mechanisms
Case study – Zotob - timeline
• 9 Aug – Microsoft releases patch for P’n’P vulnerability
(MS05-039)
• 10-11 Aug – first exploits developed
• 14 Aug – W32/Zotob-A released, no major impact
• 17 Aug – W32/Tpbot-A takes off-line a number of large
corporations, naming confusion
• 18 Aug – new variants, bot wars
Combined threats
Financially motivated malware
As well as traditional phishing websites and spam we’re also seeing more and more Trojan horses designed to steal bank account details
Attackers target financial and government institutions
Viruses include backdoors and functionality to steal confidential information
Virus-spam-spyware cooperation
• Viruses used to harvest email addresses to be used by spammers
• Viruses infect networks using bots (Zombienets) and virus writers sell the details to spammers to use for email proxies
Spammer Methods (thru 2003)
Reality was, spammers weren’t that tricky after all
Able to proactively identify the obfuscations, forged headers, and other mistakes
2 to 3 new obfuscation techniques per week
Updates were every 2 weeks
Focused on content obfuscation and source rotation
• 85% contained HTML “cloaking”
• 35% referenced web images
• freemail sites (Yahoo, Hotmail) and
open proxies most common
spam sources
Spammer Methods (2004 to date)
Rapid randomizing of source, content and destination
• Sources now include spam zombies (virus payloads)
• Content uses less obvious obfuscations (mis-spelling)
• Destinations are disposable
Sophos’ response
Multiple response mechanisms
• Threat innovation is targeted
• Most borrow from previous
efforts…
• But significantly vary one characteristic to
evade detection
• Multiple response mechanisms
• SophosLabs™ “race-horse” different
approaches
• Deploy using the fastest mechanism
• Earliest possible detection
Getting detection deployed at your site as quickly as possible
1. Virus update – code characteristics
2. Policy rule – message characteristics
3. Spam rule (Genotype) – campaign characteristics
e.g. Bofra-B
The email distributed by W32/Bofra-B creates fake email headers to pretend it was created by a number of different legitimate email clients and also that it has been checked for viruses.
Survival time - 11 minutes
Genotype spam definitions
• New class of spam
techniques emerging
• Driven by zombie usage and
domain rotating
• Reputation and URL filtering
don’t react quickly enough
• Genotype spam definitions
• Campaigns are identified by a
common set of “static genes”
• Detects complex randomized
campaigns
• Delivers effective protection
against evolving campaigns
Campaign-based detection for more consistent catch rates
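The spammer-methods slides (HTML cloaking, misspellings, rotating sources and disposable destinations), the Bofra-B example of forged client and virus-scan headers, and the Genotype idea of a campaign sharing a set of static genes all describe the same filtering problem from different angles. The following is an added example, not Sophos code and not the Genotype implementation, that works two of the three response layers over constructed messages: a policy rule on message characteristics and a campaign rule on genes that survive randomisation. The header-name test, the attachment rule, the de-obfuscation mappings, the campaign definition and every message below are assumptions constructed for the example.

```python
"""Policy rule (message characteristics) and Genotype-style campaign rule
(campaign characteristics), as an added example; not Sophos code."""
from __future__ import annotations
import re
from email import message_from_string

# ---- Policy rule: message characteristics --------------------------------
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed policy list


def policy_rule(raw: str) -> str | None:
    """Bofra-B-style mail forges headers naming a real client and claiming a
    virus check. A self-asserted scan header is not evidence, so an executable
    attachment is rejected whatever the headers say. Treating any header whose
    name contains 'virus' as such a claim is an assumption of this example."""
    msg = message_from_string(raw)
    claims_scanned = any("virus" in k.lower() for k in msg.keys())
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXT):
            reason = "executable attachment"
            if claims_scanned:
                reason += " with self-asserted virus-scan header"
            return reason
    return None


# ---- Genotype-style rule: campaign characteristics -------------------------
TAG_RE = re.compile(r"<!--.*?-->|<[^>]+>", re.S)          # strips HTML cloaking
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s\"'<>]*)?")
LEET = str.maketrans("013457", "oieast")                  # digit-for-letter swaps


def normalise_word(w: str) -> str:
    """Undo cheap content obfuscation: 'V.i.a.g.r.a', 'Vi@gra', 'v1agra' -> 'viagra'."""
    w = re.sub(r"[^a-z0-9@$]", "", w.lower()).replace("@", "a").replace("$", "s")
    return w.translate(LEET)


def genes(body: str) -> set[str]:
    """Static genes of a message: de-obfuscated words, plus URL path templates
    with the rotating host dropped and digits replaced by '#'. Hosts and random
    tokens change per message; these do not."""
    g = {"url:" + re.sub(r"\d+", "#", path or "/") for _, path in URL_RE.findall(body)}
    text = URL_RE.sub(" ", TAG_RE.sub(" ", body))
    g.update("w:" + n for n in map(normalise_word, text.split()) if len(n) >= 4)
    return g


# Constructed campaign definition: the gene set every message of one campaign shares.
CAMPAIGN = {"w:pharmacy", "w:viagra", "w:discount", "url:/order/#/"}


def genotype_rule(body: str, campaign: set[str] = CAMPAIGN) -> bool:
    """A message belongs to the campaign when it carries all of its genes."""
    return campaign <= genes(body)


# ---- Constructed messages ---------------------------------------------------
BOFRA_STYLE_RAW = """\
From: sender@example.net
To: you@example.org
Subject: Re: your document
X-Mailer: SomeRealLookingClient 6.0
X-Virus-Scanned: clean (self-asserted)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"

not-a-real-binary
--b1--
"""
CLEAN_RAW = "From: a@example.org\nTo: b@example.org\nSubject: lunch\n\nNoon?\n"

CAMPAIGN_SAMPLES = [   # one campaign: rotated hosts, random tokens, varied obfuscation
    '<html><!-- 8812kq --><p>Cheap Ph4rmacy: V.i.a.g.r.a at 80% d1scount!</p>'
    '<a href="http://rx-aa17.example/order/7731/">Order now</a></html>',
    '<html><font size=1>qz</font>Best PHARMACY online - Vi@gra, discount prices<br>'
    '<a href="http://meds-b0x.example/order/20915/">click</a></html>',
    'pharmacy discount on v1agra: http://pill-zz.example/order/3/',
]
LEGIT_SAMPLE = ("Hi, the pharmacy order for the clinic is confirmed, 15% discount "
                "applied: http://supplier.example/order/2005/")

if __name__ == "__main__":
    print(policy_rule(BOFRA_STYLE_RAW))
    for m in CAMPAIGN_SAMPLES + [LEGIT_SAMPLE]:
        print(genotype_rule(m), sorted(genes(m))[:6])
```

The three campaign messages share no sender, host or subject token, which is exactly the randomisation that leaves reputation and URL blacklists behind, yet all three carry the same four genes; the legitimate pharmacy order shares three of them and is not matched, because the rule requires the whole gene set rather than any one word.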
                  Messages missed   Average catch rate
Reputation        46647             43%
URI filtering     57568             29%
Genotype          606               99.8%
e.g. Porn campaign (Nov/Dec 2004)
[Chart: Genotype vs. reputation and URI filtering – catch rate per day (%) against time (days), for the Genotype, Reputation and URI blacklist methods]
Proportion of spam detected by Genotype
• Pro-active protection method
• Protection against yet unknown variants
• Optimised for enterprise environment
• Linked with ability to unpack run-time packers
(UPX,ASPack,Morphine)
Genotype virus detection
Genes
• Genes
• could copy itself to Windows system folder
• could send itself by email
• could contain a backdoor
• could terminate Anti-virus software
• Genes are inherited in a family
• New members of a virus family “evolve”, but most of the genes usually stay
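The Genes slide gives the core of Genotype virus detection: a family is a set of inherited genes, and a new variant that has evolved one trait away still carries most of them. The following is an added example, not Sophos code and not the Genotype engine, showing how that principle detects an unknown variant without a per-variant update. The four gene names come from the slide; how a gene is derived (from a constructed static-analysis report of imported APIs and embedded strings), the marker strings, the family profile, the match threshold and the sample variants are all assumptions constructed for the example.

```python
"""Genotype-style virus family detection, as an added example; not Sophos code."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SampleReport:
    """Constructed stand-in for what unpacking plus static analysis yields for
    one sample: the Windows APIs it imports and notable embedded strings."""
    name: str
    imports: frozenset[str]
    strings: frozenset[str]


# Gene rules (constructed): a gene is present when every listed import is found
# and, where string markers are listed, at least one of them is found.
GENE_RULES = {
    "could_copy_itself_to_system_folder": ({"GetSystemDirectoryA", "CopyFileA"}, set()),
    "could_send_itself_by_email": ({"connect", "send"}, {"MAIL FROM:", "RCPT TO:"}),
    "could_contain_a_backdoor": ({"bind", "listen", "accept"}, set()),
    "could_terminate_antivirus": ({"OpenProcess", "TerminateProcess"},
                                  {"example-av.exe", "example-av-guard.exe"}),  # placeholders
}


def extract_genes(report: SampleReport) -> set[str]:
    """Which of the known genes a sample exhibits."""
    return {gene for gene, (needed, markers) in GENE_RULES.items()
            if needed <= report.imports and (not markers or markers & report.strings)}


@dataclass(frozen=True)
class FamilyGenotype:
    """A family is a set of inherited genes; a sample is a member when at least
    min_matches of them survive, so a variant that evolved one trait away is
    still caught by the same definition."""
    name: str
    genes: frozenset[str]
    min_matches: int

    def matches(self, report: SampleReport) -> bool:
        return len(self.genes & extract_genes(report)) >= self.min_matches


def detection_rate(family: FamilyGenotype, reports: list[SampleReport]) -> float:
    """Percentage of the samples the genotype detects, the figure the talk's
    per-family detection-rate chart reports."""
    return 100.0 * sum(family.matches(r) for r in reports) / len(reports)


def report(name: str, imports, strings=()) -> SampleReport:
    return SampleReport(name, frozenset(imports), frozenset(strings))


ALL_IMPORTS = {"GetSystemDirectoryA", "CopyFileA", "connect", "send",
               "bind", "listen", "accept", "OpenProcess", "TerminateProcess"}

# Constructed variants of one family; later ones "evolve" away from the first.
VARIANTS = [
    report("Variant-A", ALL_IMPORTS, {"MAIL FROM:", "example-av.exe"}),
    report("Variant-B", ALL_IMPORTS - {"send"}, {"example-av.exe"}),       # mailer dropped
    report("Variant-C", ALL_IMPORTS, {"RCPT TO:", "example-av-guard.exe"}),  # strings changed
    report("Variant-D", {"GetSystemDirectoryA", "CopyFileA", "bind", "listen", "accept"}),
]
# A legitimate tool that copies files and talks to the network shares one gene only.
BENIGN_BACKUP_TOOL = report("backup.exe", {"GetSystemDirectoryA", "CopyFileA", "connect", "send"})

EXAMPLE_FAMILY = FamilyGenotype("Constructed-Bot", frozenset(GENE_RULES), min_matches=3)

if __name__ == "__main__":
    for r in VARIANTS + [BENIGN_BACKUP_TOOL]:
        print(r.name, sorted(extract_genes(r)), EXAMPLE_FAMILY.matches(r))
    print(f"detection rate: {detection_rate(EXAMPLE_FAMILY, VARIANTS):.1f}%")
```

Variants B and C are caught although neither existed when the definition was written: B lost its mailer and C changed its strings, but each keeps three of the four inherited genes. Variant D, which kept only two, is the kind of miss the per-family detection-rate chart measures, and the benign backup tool shows why a threshold over several genes, rather than any single gene, keeps the false-positive side acceptable in an enterprise environment.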
Genotype detection rate
[Chart: Genotype detection rates (%) by family: Agobot, Rbot, Sdbot, Bobax, Spybot, Korgo, BagleDL, MyDoom, Mytob, Forbot]
Conclusion
• Today’s threat is more organised
• Your identity and personal details are at risk
• There have been some notable wins
• There is a desire for legitimacy amongst those on the fringe
• We are winning the fight
• Only agility will keep security companies ahead of the game
Thank you
Jason Bruce, Detection development manager
SophosLabs UK
December 2005