Andrius Šaveiko, project manager
UAB Atviros informacinės sistemos
Kaspersky Lab distributor in Lithuania
Today's digital threats and ways to protect against them
Klaipėda, 2010
Contents
Threat classification and numbers
Threats to non-Windows systems
Nature of threats
• Drive by Downloads
• Botnets
• Targeted Attacks
Active threats
Protecting network entry points
Threat classification and numbers
Threat classification
Malicious software
Viruses
• Spread from file to file
Worms
• Spread from computer to computer
Trojan horses
• Have no self-replication capability
Malicious tools
• Used by malware authors
• E.g.: packers, constructors, exploits
Threat statistics: Q3 2010
Chart by category: Trojan horses; viruses and worms; malicious tools
Source: Kaspersky Lab, October 2010
Threat statistics in Lithuania: Q3 2010
Source: Kaspersky Lab, October 2010
Numbers
Chart: growth in KL signatures over time, reaching 4,194,055 as of 17 Sept 2010
Source: Kaspersky Lab
Threat and spam processing, 2009
1992 – 2007: approximately 2 million malicious programs
In 2009 alone: more than 14 million new malicious programs
End of Q1 2010: more than 36.2 million unique malicious files in total in the Kaspersky Lab collection
Kaspersky Lab currently processes 1.5 – 3 million spam samples per day!
Threats to non-Windows systems
Unix-based malware
Slow rise in number of malicious programs
Total number of signatures for malware targeting Unix-based systems: 2722
Chart: signatures per platform (Linux, OSX, Sun OS, Unix, FreeBSD, Solaris)
Source: Kaspersky Lab August 2010
Mobile malware: some statistics
Number of mobile malware families to date: 142
Number of mobile malware modifications to date: 926
Mobile malware found in August: 44 new modifications
Most common mobile threat: SMS-Trojans
Source: Kaspersky Lab August 2010
Mobile malware written for specific platforms:
Chart: share by platform (Symbian, J2ME, Python, WinCE, Other); shares shown: 53%, 33%, 7%, 6%, 1%
First SMS trojan for Android
Example: Trojan-SMS.AndroidOS.FakePlayer.a
Pretends to be a media player
Sends SMS costing about $5 to Russian premium SMS numbers
Although anyone's device can be infected, it only causes losses for Russian users
Screenshot showing the malware
Nature of threats
Drive-by downloads
Recipe
1. Find a vulnerable server
2. Obfuscate your code to prevent easy analysis
3. Insert your script onto the website
4. Redirect users of the infected website to your malicious website
5. Download malware to the victim's machine
Web page components
• 1 URL in the browser
• 222 links
• 45 images
• 32 scripts from 3 domains
• 5 cookies from 2 domains
• 4 flash objects from 2 domains
Vulnerabilities
Botnets
Botnet – robot (zombie) network
• A number of compromised machines controlled remotely
Botnet operation workflow
C&C – bot geo distribution
The cybercriminals can easily see where their victims are located or even target specific geo areas!
Dropzone
A Trojan dropzone is a server configured to receive stolen data
Stolen data can amount to several GB daily
Generally, cybercriminals tend to look after and secure their valuables
Each cybercriminal group runs one or more Dropzones
Typical dropzone JPG screen captures
Cybercriminals have an interest in farming!
Profitability evolution – Cybercriminal Group “X”
400% growth in 9 months
-1000$ (even criminals have bad days)
Total: 1.7 million USD
Mobile Botnets
??
Mobile botnets will have almost the same functionality:
• send spam (e.g. SMS or MMS)
• steal passwords
• DDoS (telephone)?
Yet one more commercial offer on the cybercrime market
Net-Worm.IphoneOS.Ike.b - first ‘commercialised’ iPhone malware
Targeted attacks versus classic malware
Lethal injection versus a hail of bullets
Targeted attacks are not epidemics
• One email is enough, instead of tens of thousands
• Stay under the radar
Targeted organizations are either not aware or don’t publicly disclose information
• It is hard to get samples for analysis
Classic signature-based AV is useless
• New defence technologies
Much higher stakes
• Intellectual property theft, corporate espionage
Targeted attacks in 4 steps
1. Profiling the employees: choosing the most vulnerable targets
• Reconnaissance via social networks, mailing list posts, public presentations, etc.
2. Developing a new and unique malware attack: doesn’t have to bypass all AV solutions, just the one used by the victim
• Using social engineering to get the victim to click on a link
3. Gaining control and maintaining access
• Gather OS, browser, plug-in versions – useful for vulnerabilities
• Initial exploit drops malware onto the victim machine
• Networks are usually protected from outside threats
4. Getting the ‘good stuff’ out quickly!
• Find an overseas office server to be used as an internal drop
• Move data over the corporate WAN/intranet to the internal drop
• Get all of the data out at once to the external drop server
• Even if traffic is monitored, it might be too late to react
Targeted attacks: Aurora
Exploitation of the CVE-2010-0249 vulnerability, allowing remote code execution in Internet Explorer.
Targeted major organisations including Google, Adobe and Juniper. Over 20 companies in total
Designed to gain access to personal data and corporate intellectual property
Spread via email with malicious links
Scareware
Social Networks: Koobface
Social network malware: distribution 2009
Chart: share of social network malware per network (VKontakte, Odnoklassniki, Facebook, Orkut, Hi5, Twitter); shares shown: 27%, 24%, 22%, 17%, 6%, 5%
User base: VKontakte 87 million; Odnoklassniki 45 million; Facebook 500 million; Orkut 100 million; Hi5 50 million; Twitter 100 million
Source: Kaspersky Lab January 2010
Active Threats
Active Threats: Conficker
Active Threats: ZeuS aka Zbot, Wsnpoem, Kneber
The most popular banking Trojan in the wild!
Scotland Yard cuffs teens for role in cybercrime forum
Source: The Register, 24 June 2010
2 teenagers arrested for involvement in the largest English-language cybercrime forum
Forum had 8,000 members trading in malware, cybercrime tutorials and stolen banking information
Cybercrime tools for sale included the ZeuS Trojan and data stolen from machines it has already infected. Detectives have so far recovered 65,000 credit card numbers
Malware gang steals over $1m from one British bank
Source: The Register, 10th August 2010
A banking Trojan attack has led to the fraudulent withdrawal of more than $1m from online banking accounts maintained with a UK bank since the start of July. Victims were infected by a ZeuS banking Trojan variant while browsing the net. The Trojan swiped the customer's online banking ID and hijacked their online banking sessions, reportedly only targeting victims who had substantial balances
Most such attacks include the use of phishing middlemen (money mules) to obtain funds from compromised accounts and transfer them by untraceable wire transfer to the Eastern European masterminds behind the scam
Active Threats: Gumblar
New Generation of Self Building Botnets!
Protecting Network Entry Points
Protecting Entry Points
An entry point is any access route for data to get into the corporate network
Internet Gateway: Via web browser or ftp client
Drive-by downloads are the most common infection route. Just browsing a website can lead to malware being downloaded automatically
Like all software, browsers such as Internet Explorer and Firefox contain vulnerabilities. These vulnerabilities are then exploited by cybercriminals to spread malware
Browser add-ins like Adobe Flash Player and Acrobat Reader are also susceptible, have easy-to-exploit vulnerabilities and are now, in fact, the most ‘popular’ attack method used by cybercriminals
Social network sites and services like Facebook and Twitter are very popular, as is instant messaging, and they are also a perfect way to spread malware
Email Gateway: Via email clients like MS Outlook
Spam messages account for around 85% of all email traffic. Most are spread via botnets (see above)
Spammers use emails designed to look like legitimate notifications from social networking sites and email service providers to advertise Viagra and spread malware
Phishing attacks. Phishing is a form of social engineering trick to steal passwords, credit card and other information. The email you receive seems legitimate but then gets you to click on a link that takes you to a fake website where you are asked to enter your information
Protecting Entry Points cont.
Network: Via File servers
Access can be via:
• LAN: Local Area Network
• Wi-Fi: Wireless access, usually for guests on the local network
• WAN: Wide Area Network, i.e. works across 2 or more connected sites
If there is a security breach and malware has entered the network it will seek to spread. Viruses need user interaction, i.e. someone has to click on the infected file. Network worms, as their name suggests, will look for open ports to worm their way around the network. They can spread incredibly fast
Blended threats: a general description for malicious programs or bundles of malicious programs that combine the functionality of different types of malware and attack methods. So, for example, functionality could include:
• Virus infector
• Network worm
• Keylogger: to steal passwords and other sensitive data
• P2P: turn machines in the network into a botnet controlled by the cybercriminal
Endpoint (Local Machine): CDs, USB sticks, smartphones and other removable devices
Computer users are usually the weakest link in the security chain. Education is very important, as is a security policy that everyone can understand and sign up to. However, in the real world this is not always the case and cybercriminals take advantage of this
Malware with autorun functionality. If you attach a USB memory stick or external hard drive to a machine, the malware will run automatically
Concluding thoughts
Cybercrime is very profitable
Cybercriminals use sophisticated yet easy-to-use systems
• Botnets using P2P and strong Encryption
• More targeted attacks
Cybercriminals are like online pickpockets following the crowd to social networks and smartphones
Prevention is a process:
• Modern hardware + software
• Internet Security Solution
• Patches and updates
• Right security mindset
• Education
Thank You
Andrius Šaveiko, project manager
UAB Atviros informacinės sistemos
Kaspersky Lab distributor in Lithuania
Today's digital threats and ways to protect against them