Post on 14-Apr-2017
Are we doing enough?
Juraj Malcho
Chief Research Officer, ESET
Agenda
• Malware scene of today
• Anything special about Australia?
• Are security solutions dead and ineffective?
• How to manage to survive (and sleep at night)?
• How dark is the future of ICT security?
Malware prevalence AUS 2013 consumer vs business

Consumer
Threat  Infection share  Total share
Win32/Toolbar.Conduit.B  7.95%  0.75%
Win32/Toolbar.SearchSuite  4.81%  0.45%
Win32/Toolbar.Conduit.P  4.48%  0.42%
Win32/Toolbar.Widgi  3.58%  0.34%
Win32/AdInstaller  3.05%  0.29%
Win32/SoftonicDownloader.E  2.95%  0.28%
Win32/Toolbar.Babylon.E  2.71%  0.25%
Win32/DownloadAdmin.G  2.49%  0.23%
Win32/Toolbar.Visicom.A  2.48%  0.23%
Win32/Toolbar.MyWebSearch  2.38%  0.22%
Win32/Toolbar.Conduit.Q  2.38%  0.22%
Win32/Somoto.A  2.33%  0.22%
Win32/Toolbar.Babylon.A  2.32%  0.22%
Win32/Toolbar.Conduit.O  2.22%  0.21%
Win32/Adware.Yontoo.B  2.13%  0.20%
Win32/Toolbar.Linkury.A  2.09%  0.20%
Win32/Toolbar.Visicom.C  2.03%  0.19%
Win32/bProtector.A  2.00%  0.19%
Win32/Toolbar.Visicom.B  1.89%  0.18%
HTML/Iframe.B.Gen  1.89%  0.18%

Business
Threat  Infection share  Total share
Win32/Toolbar.Widgi  4.89%  0.49%
Win32/Toolbar.Conduit.B  4.48%  0.45%
Win32/Toolbar.SearchSuite  3.80%  0.38%
HTML/Iframe.B.Gen  3.56%  0.36%
HTML/ScrInject.B.Gen  3.13%  0.32%
Win32/Toolbar.Conduit.P  2.59%  0.26%
Win32/DownloadAdmin.G  2.54%  0.26%
Win32/AdInstaller  2.49%  0.25%
Win32/SoftonicDownloader.E  2.11%  0.21%
Win32/InstallIQ  2.11%  0.21%
Win32/Toolbar.MyWebSearch  2.10%  0.21%
Win32/NetTool.Portscan.C  2.06%  0.21%
Win32/Tool.EvID4226  2.03%  0.21%
Win32/Keygen.AO  2.02%  0.20%
Win32/Keygen.CY  2.02%  0.20%
Win32/bProtector.A  1.84%  0.19%
Win32/Toolbar.Babylon.E  1.82%  0.18%
Win32/Toolbar.Linkury.A  1.80%  0.18%
Win32/Spy.Zbot.AAU  1.66%  0.17%
Win32/InstallIQ.A  1.64%  0.17%
Malware prevalence AUS 2014 consumer vs business

Consumer
Threat  Infection share  Total share
Win32/Toolbar.Conduit.Y  8.32%  0.50%
Win32/Toolbar.Conduit.B  6.83%  0.41%
Win32/Toolbar.Conduit  4.57%  0.28%
Win32/Toolbar.Conduit.P  4.16%  0.25%
Win32/Conduit.SearchProtect.N  3.69%  0.22%
Win32/PriceGong.A  3.66%  0.22%
Win32/Systweak  3.37%  0.20%
MSIL/MyPCBackup.A  3.07%  0.19%
Suspicious  3.07%  0.19%
Win32/Toolbar.Conduit.X  2.85%  0.17%
Win32/Toolbar.Conduit.Q  2.77%  0.17%
Win32/Conduit.SearchProtect.H  2.76%  0.17%
Win32/Toolbar.Conduit.H  2.62%  0.16%
Win32/Toolbar.Conduit.O  2.49%  0.15%
Win32/Toolbar.Conduit.AH  2.33%  0.14%
Win32/Toolbar.MyWebSearch.AC  2.04%  0.12%
Win32/Toolbar.Visicom.B  2.01%  0.12%
Win64/Toolbar.Conduit.B  1.99%  0.12%
Win32/ClientConnect.A  1.87%  0.11%
JS/Toolbar.Crossrider.B  1.86%  0.11%
Win32/TrojanDownloader.Wauchos.AF  1.82%  0.11%

Business
Threat  Infection share  Total share
Win32/Toolbar.Conduit.Y  5.83%  0.39%
Win32/Toolbar.Conduit.B  5.22%  0.35%
Win32/Conduit.SearchProtect.N  3.82%  0.26%
Win32/TrojanDownloader.Wauchos.AF  3.65%  0.25%
Win32/TrojanDownloader.Waski.A  3.52%  0.24%
Win32/PriceGong.A  2.52%  0.17%
Win32/Rovnix.X  2.50%  0.17%
Win32/Toolbar.Conduit.P  2.50%  0.17%
MSIL/MyPCBackup.A  2.24%  0.15%
Win32/Toolbar.Conduit.X  2.23%  0.15%
Win32/Toolbar.Conduit.Q  2.20%  0.15%
Win32/Toolbar.Conduit.H  2.11%  0.14%
Win32/Toolbar.Conduit  2.09%  0.14%
Suspicious  2.02%  0.14%
Win32/Conduit.SearchProtect.P  1.95%  0.13%
Win32/Systweak  1.79%  0.12%
Win32/Toolbar.Conduit.AH  1.79%  0.12%
Win32/AdInstaller  1.77%  0.12%
Win32/Toolbar.Montiera.A  1.74%  0.12%
Win32/Toolbar.Conduit.V  1.66%  0.11%
Win32/TrojanDownloader.Waski.F  1.61%  0.11%
Malware prevalence AUS 2015 consumer vs business

Consumer
Threat  Infection share  Total share
Suspicious  8.39%  0.40%
Win32/TrojanDownloader.Waski.F  4.19%  0.20%
Win32/Toolbar.Conduit.Y  2.76%  0.13%
Win32/Systweak  2.03%  0.10%
Win32/TrojanDownloader.Waski.A  1.89%  0.09%
Win32/Conduit.SearchProtect.N  1.67%  0.08%
Win32/ClientConnect.A  1.55%  0.07%
Win32/AdkDLLWrapper.A  1.50%  0.07%
Win32/Systweak.L  1.50%  0.07%
Win32/TrojanDownloader.Waski.Z  1.37%  0.07%
Win32/Toolbar.MyWebSearch.AC  1.36%  0.06%
JS/Toolbar.Crossrider.B  1.23%  0.06%
Win32/Systweak.N  1.21%  0.06%
Win32/Toolbar.Conduit.B  1.21%  0.06%
Win32/Toolbar.Conduit.O  1.16%  0.06%
Win32/Toolbar.Conduit.X  1.15%  0.05%
Win32/Toolbar.Conduit.Q  1.13%  0.05%
Win32/Toolbar.MyWebSearch.AA  1.12%  0.05%
MSIL/MyPCBackup.A  1.08%  0.05%
Win32/Conduit.SearchProtect.H  1.04%  0.05%

Business
Threat  Infection share  Total share
Win32/TrojanDownloader.Waski.F  7.56%  0.45%
Suspicious  4.98%  0.30%
Win32/TrojanDownloader.Waski.A  3.31%  0.20%
Win32/Toolbar.Conduit.Y  2.76%  0.16%
Win32/TrojanDownloader.Waski.Z  2.30%  0.14%
Win32/Conduit.SearchProtect.N  1.81%  0.11%
Win32/Toolbar.MyWebSearch.AO  1.46%  0.09%
Win32/Filecoder.DI  1.37%  0.08%
Win32/TrojanDownloader.Wauchos.AK  1.23%  0.07%
Win32/Systweak  1.20%  0.07%
Win32/Conduit.SearchProtect.P  0.99%  0.06%
MSIL/MyPCBackup.F  0.97%  0.06%
Win32/Toolbar.Conduit.B  0.97%  0.06%
Win32/Systweak.L  0.97%  0.06%
Win32/Toolbar.Conduit.O  0.96%  0.06%
Win32/Systweak.N  0.96%  0.06%
Win32/Toolbar.Conduit.Q  0.89%  0.05%
Win32/TrojanDownloader.Agent.BEL  0.86%  0.05%
Win32/Danger.DoubleExtension  0.84%  0.05%
Win32/Toolbar.Visicom.B  0.83%  0.05%
Malware prevalence 2015 AUS vs USA business

Australia (business): same table as on the AUS 2015 consumer vs business slide above.

USA (business)
Threat  Infection share  Total share
Win32/Toolbar.Conduit.Y  3.59%  0.14%
Win32/Toolbar.MyWebSearch.AO  2.73%  0.10%
Win32/TrojanDownloader.Waski.F  2.47%  0.09%
HTML/ScrInject.B.Gen  2.39%  0.09%
Win32/Systweak  2.21%  0.08%
Win32/Toolbar.Conduit.X  1.92%  0.07%
Suspicious  1.85%  0.07%
Win32/Conduit.SearchProtect.N  1.83%  0.07%
MSIL/MyPCBackup.F  1.76%  0.07%
Win32/AdInstaller  1.54%  0.06%
JS/Toolbar.Crossrider.B  1.52%  0.06%
Win32/Toolbar.MyWebSearch.AC  1.51%  0.06%
Win32/DealPly.S  1.51%  0.06%
Win32/Systweak.L  1.49%  0.06%
Win32/ClientConnect.A  1.46%  0.06%
MSIL/MyPCBackup.A  1.42%  0.05%
Win32/Toolbar.Visicom.B  1.38%  0.05%
Win32/Systweak.N  1.38%  0.05%
Win32/InstallIQ.A  1.29%  0.05%
HTML/FakeAlert.AK  1.28%  0.05%
Malware prevalence 2015 AUS vs USA consumer

Australia (consumer): same table as on the AUS 2015 consumer vs business slide above.

USA (consumer)
Threat  Infection share  Total share
Suspicious  4.00%  0.15%
Win32/Toolbar.Conduit.Y  3.11%  0.12%
Win32/Systweak  2.54%  0.10%
HTML/ScrInject.B.Gen  2.18%  0.08%
JS/Toolbar.Crossrider.B  2.14%  0.08%
Win32/ClientConnect.A  2.13%  0.08%
Win32/Conduit.SearchProtect.N  1.96%  0.08%
MSIL/MyPCBackup.A  1.86%  0.07%
Win32/Systweak.L  1.77%  0.07%
Win32/Toolbar.MyWebSearch.AC  1.64%  0.06%
MSIL/MyPCBackup.F  1.61%  0.06%
Win32/Toolbar.MyWebSearch.AA  1.61%  0.06%
JS/Toolbar.Crossrider.G  1.57%  0.06%
Win32/TrojanDownloader.Waski.F  1.53%  0.06%
REG/Agent.AK  1.50%  0.06%
HTML/FakeAlert.AK  1.46%  0.06%
Win32/Systweak.N  1.43%  0.06%
Win32/Toolbar.Conduit.X  1.39%  0.05%
Win32/Toolbar.Conduit.AH  1.36%  0.05%
Win32/Toolbar.MyWebSearch.AO  1.35%  0.05%
Malware prevalence 2015 AUS vs IDN business

Australia (business): same table as on the AUS 2015 consumer vs business slide above.

Indonesia (business)
Threat  Infection share  Total share
LNK/Agent.AV  7.93%  1.02%
Win32/Ramnit.A  4.38%  0.57%
LNK/Autostart.A  3.39%  0.44%
Win32/Virut.NBP  3.10%  0.40%
Win32/Ramnit.F  3.02%  0.39%
Defo  2.94%  0.38%
Win32/Ramnit.H  2.88%  0.37%
JS/Kryptik.I  2.85%  0.37%
Win32/Toolbar.MyWebSearch.AO  2.50%  0.32%
INF/Autorun.gen  2.43%  0.31%
JS/Toolbar.Crossrider.B  2.30%  0.30%
Win32/Toolbar.SearchSuite.C  2.15%  0.28%
Win32/Conficker.X  2.01%  0.26%
Win32/Conficker.AA  2.00%  0.26%
Win32/Sality.NBA  1.98%  0.26%
Win32/Sality.NBJ  1.85%  0.24%
LNK/Exploit.CVE-2010-2568  1.80%  0.23%
Win32/SProtector.D  1.78%  0.23%
LNK/Agent.AK  1.77%  0.23%
Win32/Slugin.A  1.77%  0.23%
Malware prevalence 2015 AUS vs IDN consumer

Australia (consumer): same table as on the AUS 2015 consumer vs business slide above.

Indonesia (consumer)
Threat  Infection share  Total share
LNK/Agent.AV  7.45%  1.12%
Win32/Ramnit.A  5.11%  0.76%
JS/Toolbar.Crossrider.B  4.45%  0.67%
Win32/Virut.NBP  4.33%  0.65%
LNK/Autostart.A  4.29%  0.64%
Win32/Ramnit.F  3.98%  0.60%
INF/Autorun.gen  2.88%  0.43%
Win32/Ramnit.H  2.88%  0.43%
JS/Toolbar.Crossrider.G  2.63%  0.39%
Defo  2.38%  0.36%
Win32/Sality.NBA  2.37%  0.36%
Win32/AlteredSoftware.C  2.36%  0.35%
LNK/Agent.AK  2.22%  0.33%
Win32/ELEX.BM  1.90%  0.28%
Win32/Toolbar.Visicom.B  1.81%  0.27%
Win32/Slugin.A  1.75%  0.26%
Win32/AlteredSoftware.A  1.74%  0.26%
BAT/BadJoke.AP  1.72%  0.26%
Win32/Sality  1.71%  0.26%
Win32/Toolbar.CrossRider.CD  1.70%  0.26%
Incident ratio 2013-2015
Filecoders prevalence 2015 consumer vs business

Consumer
Country  Infection share  Total share
Australia  2.70%  0.16%
Spain  2.36%  0.16%
Italy  2.44%  0.12%
South Africa  1.47%  0.11%
United States  2.73%  0.10%
Canada  1.81%  0.09%
Belgium  1.50%  0.07%
Malaysia  0.74%  0.07%
United Kingdom  0.98%  0.06%
Russia  0.96%  0.06%
Bulgaria  0.93%  0.06%
Portugal  0.88%  0.06%
United Arab Emirates  0.45%  0.05%
Netherlands  1.18%  0.04%

Business
Country  Infection share  Total share
South Africa  1.39%  0.10%
Spain  1.45%  0.09%
United States  1.80%  0.07%
Australia  1.50%  0.07%
Israel  0.82%  0.06%
Canada  1.12%  0.05%
United Kingdom  0.87%  0.05%
Turkey  0.63%  0.05%
Thailand  0.41%  0.05%
New Zealand  1.07%  0.04%
Netherlands  0.97%  0.04%
Italy  0.91%  0.04%
Singapore  0.50%  0.04%
Belgium  0.83%  0.03%
Targeted campaigns
[Chart: targeted campaigns over time; x-axis daily from 1/10/2015 to 2/6/2015; legend labels as extracted: MX, PE, IL, TR, HU, IT]
Massive spreading not en vogue anymore
• The most burning issues rarely make it to the top 20 today: ransomware, banking Trojans, targeted malware
• Top ranks are completely taken by Potentially Unwanted Software
• Staying under the radar and tailoring malware for specific targets is the main focus today
IoT aka Internet of Threats
• History repeats itself: time to market is the most important thing, not security
• Problematic from the simple ones to the complex ones – smart sensors, bulbs, intelligent home devices, smart TVs, internet routers, cars, mobile phones
• Could I get a “non-smart” option, please???
Fixing IoT
• Simple ones need a strict End of Life policy
 – They won’t update, they’re extremely cheap
• Complex ones must be easy to update
 – Really? Home routers, cars, mobile phones?
• Are legislation and industry standards going to save us?
• Endpoint protection is almost impossible
 – We hear those saying firewalls are dead
Android/Simplocker
Android/Simplocker
• Currently around 50 variants
• Localization
• Ransom amount 15 -> 500 $
• Better “self-defense”
• Encrypting archives
• “Better” cryptography
vs.
Linux/Moose
APT or TPA?
• If detected out of the box then the attacker failed
• Advanced Persistent Threat is completely wrong
 – those threats are usually not advanced, not everything is Stuxnet
 – the malware itself is just a tool to perform an attack
 – it’s the attacker who’s persistent
• Targeted Persistent Attack is much more spot on
 – Attackers combine different methods when doing reconnaissance – phishing phone calls, targeting email-borne malware at different people in an organization
Is AV dead?
• Yes, for about 20 years if you’re talking about the original technology
• However, it followed malware evolution:
 – Network communication inspection – botnets, exploitation, exfiltration
 – Emulation/sandboxing of analyzed code
 – Behavioral monitoring and memory scanning
 – Exploitation blocking
 – Cloud-based reputation systems
 – Stealth detections which can’t be tested by malware writers
 – Gradual move from automatic to more verbose/interactive solutions
Bold words from the other side
• Q: What types of security devices/services/techniques legitimately make your life harder as a blackhat? Any that you think are a complete waste of money?
• A: Hmmmm, DDoS protection is a serious knock back, although as many groups have proven before it’s easy to bypass – e.g. cloudflare resolver before they changed the protection method (almost bypassable lol). Things that are a waste of money… Hmm, anti-virus is completely useless — yes it may protect you from skids using non-FUD files but that’s it. Every botnet that gets sold comes FUD as default. People do it for free, it’s that easy.
Current Android Malware
The Irritated Author of Win32/Dorkbot
"HAHAHA THE AVS FELL FOR THE LAST STRING F*****G ICARUS AND ASQUARED I JUST WISH NOD32 WOULD LEAVE ME ALONE FOR A FEW DAT ITS PISSING ME OFF THIS IS HOW I LIVE"
"THIS-IS-HOW-I-LIVE-AND-PAY-MY-BILLS-GIVE-ME-A-BREAK"
"HOW CAN I PAY BILLS RENT FOOD WEALTH AND EVERYTHING NECESSARY IF NOD IS ALWAYS F******G UP MY CODES"
What else is out there?
• Endpoint Detection and Response systems provide insight into the behavior of your IT systems; however, there’s a reporting challenge
• Malware Prevention Systems (automated sandboxing and analysis)
• Intelligence Services and Managed Security
• Deception techniques
• SIEM
How to choose the right solution?
• Consulting analysts such as Gartner or public testers may help but doesn’t provide a definitive answer and might carry a bias you’re not aware of
• Internal testing is best but very difficult; you will likely be biased, too, but aware of it
• It also depends on your needs: not only detection is important, but footprint, reliability, manageability, support quality etc.
What’s the right SMB defense?
• Unless in a very specific vertical, it’s unlikely that a true high-profile targeted attack would be conducted
• Typically not enough expertise in SMBs
• Automagic solutions work best, but of course can be bypassed
• If unable to manage more complex/interactive solutions, look for an MSSP
• Cloud-based solutions may help where applicable, as large providers can implement better security measures
How about enterprise?
• Defense needs have to adequately cover your potential adversaries
• Combine different layers and don’t advertise them; SIEM management
• Educate your teams
• Trust but verify – employ network logging and look for anomalies
Future issues
• When IoT truly lifts off
• When cloud adoption becomes massive (access management, governance, political issues)
• Conflicting legislation: strict privacy and encryption laws vs lawful(?) surveillance => leading to governments attacking security SW
• Global e-conflicts, cyber armies and attribution
Solving the situation
• Active & Adequate Cyber Defense
• Training, Education and Awareness
• Responsible design and usage
• Research & Investigation, cooperation with LE
• Hitting criminals’ money flow
• Preventing criminals from becoming criminals