The Evolving Threat Landscape

Craig Schmugar
Research Architect
McAfee Labs
October 7, 2010
Agenda
I. Historical Threat Evolutionary Factors
II. Current State of Threats
III. Influential Advancements and Threats to Come
IV. Additional Q&A
Confidential McAfee Internal Use Only
Brief Malware History
Threat Landscape Defining Conditions
• Motivations
• Influential Technologies
• Attack Vectors
• Threats
5 Year Malware Forecast (Past): timeline 1990 to 2005
Threats
• Boot infectors
• File Infectors (COM and EXE)
• Multi-partite
• Batch
• W16 viruses
• Macro viruses
• Joke PUPs emerge
• Email worms take over
• Authors exploit engine / product lifecycle (obfuscation)
• IRC bots; first server-side poly
• VBScript and W32 take over, W16 & DOS dry up
• Threats become more componentized
• BackDoors!
• Adware explodes
• Anti-analysis tactics common
• Boot & floppy threats decline
• VBScript viruses decline
• Macro viruses decline
• PWS trojans emerge
• Self-executing worms
• Windows rootkits rise
Vectors
• Floppy disks
• Local Area Networks
• Email
• Web
• IM
• Drive by exploits
• Network services
• P2P
Influences
• Windows 3.x
• Microsoft Office
• Windows 95
• Web app vulns lead to mass hacks
• 100 million users on Internet
• Pay-per-install affiliate programs
• AV advanced macro heur
• AV script heur better
• More Email servers & clients block VBScripts
• Office97 introduces tighter macro security
• PoC exploit code made public
• Vuln researchers looking for peer fame
Motivations
• Peer fame / notoriety
• Personal challenge
• Peer fame
• Revenge
• Financial
10/8/2010
5 Year Malware Forecast (to Present): timeline 2005 to 2010
Threats
• Parasitics make a comeback
• Server-side poly common
• Single-use malware rampant
• Rogue AV takes over from adware
• HTTP based bots
• Adware declines
• P2P Botnets
• Patching trojans increase
• Autorun worms [modern floppy]
• Web 2.0 malware
• Low scale & personalized attacks
• Anti-analysis tactics more complex
• Infrastructure malware emerges
• Obfuscation huge threat
• PWS trojans target games
• More single-use malware
• More complex parasitics
• More network hijacking
• Rogue Ads
Vectors
• Web 2.0
• USB devices
Influences
• “Web 2.0” explosion
• Less-seasoned AntiSpyware vendors release offerings
• FTC brings down Adware kings
• Advertisers don’t want to be associated with Adware
• Vulnerability research for malware distribution
• Vista flops, 64-bit slow uptake
• Virtual economy picks up
• USB devices
• Cloud AV emerges
• Vuln research for money
Motivations
• Financial
• Government espionage
Adware Fall Sets The Stage…
Rise of the Rogues (AV /AS)
Innovative Marketing Ukraine
Cribbed with respect from Brian Krebs at The Washington Post
Innovative Marketing Ukraine
Duration of employment at IMU | Number of people
More than 7 years | 1
Between 6 and 7 years | 2
Between 5 and 6 years | 3
Between 4 and 5 years | 5
Between 3 and 4 years | 17
Between 2 and 3 years | 31
Between 1 and 2 years | 41
Between 6 months and 1 year | 17
Between 3 and 6 months | 3
Between 1 and 3 months | 6
Cribbed with respect from Brian Krebs at The Washington Post
Other Fake AV Affiliate Programs
Cribbed with respect from Brian Krebs at The Washington Post
How much could they possibly make?
Cribbed with respect from Brian Krebs at The Washington Post
Fake AV Development Active
Unique Malicious Fake AV Binaries Discovered (chart: quarterly counts from Q1-08 through Q3-10, y-axis 0 to 800,000; according to the DAT Readme figures)
Blackhat SEO – Fake AV
The Morphing Threat Landscape
10/8/2010
Blackhat SEO - Clickjacking
Blackhat SEO – Q3 2010 Top Poisoned Terms
60% of top search terms for Q3 2010 led to malicious sites in the first 100 search results
Blackhat SEO – Another Fake AV
Koobface – Another Fake Video Lure, & Fake AV payload
Koobface – Other Revenue Streams
• Password stealing
• Clickfraud
• Ad-hijacking
• Affiliate programs (Friendfinder, Fake AV)
• Captcha service
Other Big Fish
Zbot (aka Zeus)
• One of the most active password stealing kits
• Sells for a few thousand dollars
• Steals cached passwords
  • Windows
  • POP
  • FTP
• Steals cookies
• Uploads & Downloads/Executes files
• And more…
Zbot (aka Zeus)
• Straight-forward UI for building threats
• Extensive documentation
Zbot (aka Zeus) – HTTPS page manipulation
Zbot (aka Zeus)
Virtual Economies & “Softer” Targets
Previously, a lot of direct attacks – High payout and high risk
Large-scale malware attacks can pay big bucks, but the risks are high
Early for-profit malware attacks blasted threats out to any and everyone
High profile attacks light up radar screens
Fewer hops make it easier to track threat source
Melissa (Mar-09) author caught after spamming threat to Usenet, in combination with a large number of users getting infected.
Sasser (Apr-04) author caught after millions of dollars of damages reported
“Anna Kournikova” (Feb-01)
Gigabyte, Blaster.B, Fujacks, etc
(Photos: Melissa author; Blaster.B author; Sasser author)
Attackers shift tactics – Trade higher reward for lower risk
Target those less likely to result in prosecution
Big banks poised to respond
Soft targets vulnerable and may lead to higher conversion rates
Virtual economies booming
Gold farming
Began with Ultima Online
Blocked by eBay (other than Second Life)
Not long ago, the trade of virtual goods/currency for real-world currency was made illegal in China (thought of as the main source of in-game gold farming)
Risk reduction through softer targets
Many virtual currencies exist
Trojan authors automate gold farming and target Massively Multiplayer Online Role Playing Games (MMORPG)
Currency | Value (USD)
City of Heroes influence | 2631579
Dark Age of Camelot platinum | 0.29
EverQuest 2 gold | 5.88
EverQuest platinum | 1851.85
EVE Online ISK | 2500000
Final Fantasy XI gil | 55897.15
Guild Wars gold | 8333.33
Lineage 2 adena | 357142.86
Second Life Linden dollar | 267.97
Star Wars Galaxies credit | 227272.73
Ultima Online gold | 138888.89
United States dollar | 1
World of Warcraft EU gold | 7.69
World of Warcraft US gold | 10.2
Low Scale & Targeted Attacks
Risk reduction through low-scale attacks
Low scale attacks commonplace; fly under radar and exploit law enforcement resource constraints
Web 2.0 facilitating more convincing personalized attacks
Significant change in threat dynamics with high prevalence of “targeted attacks” or personalized threats (“spear phishing”, targeted SPAM, targeted malware, etc)
What is Operation Aurora?
A well-coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper and many others
Exploits a zero-day vulnerability in Microsoft IE (CVE 2010-0249)
“Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability”
Lures users to malicious websites via directed emails and IM messages, installs Trojan malware on systems, uses the Trojan to gain remote access
Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
Mid-2009
What is Stuxnet?
A highly complex virus targeting Siemens’ SCADA software.
The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729).
Uses a rootkit to conceal its presence, as well as two stolen digital certificates.
Spreads through USB devices
Mid-2009
The Big Picture
Explosion of Malicious Binaries
Unique Malicious Binaries Discovered (cumulative) (chart: monthly, Jan-08 through Sep-10, y-axis 0 to 50,000,000; according to the DAT Readme figures)
Global Threat Intelligence
Evolution of Threat Intelligence
Phase 1 (1980s) – Reactive
• Detection of known threats
• Signature-based technology
• Ex: AV, IPS, Spam Sigs
Phase 2 – Proactive
• Detection of unknown threats
• Real-time, global & local behavioral analysis
• Reputation-based defenses
• Ex: TrustedSource, Artemis, SiteAdvisor
Phase 3 (Today) – Predictive
• Prediction of new threats
• Global real-time cross-vector behavioral threat correlation
• Ex: Global Threat Intelligence
What is Global Threat Intelligence?
Footprint that spans the entire Internet; including millions of sensors gathering threat information
Across all threat vectors
Malware, web security, spam/phishing, network/IPS signatures, IP, vulnerability management
Delivered utilizing a real-time “in-the-cloud” model for threat collection and distribution
Provides reputation based predictive security
Distributed via a complete suite of endpoint and network security products
Must have a global, threat research team dedicated solely to Global Threat Intelligence
McAfee Labs Global Threat Intelligence
Research areas feeding Global Threat Intelligence: Malware Research, Internet Vulnerability Research, Web Security Research, Spam Research, Regulatory Compliance Research, Host and Network Intrusion Research
Malware Research
• 90,000 samples/day
• 50M enterprise nodes
• 100M consumer nodes
• Projected to increase by 300% from 2008 to 2009
Spam Research
• Close to 10 million spam emails per day
Web Security Research
• Rated over 21 million sites
• Cover 95% of the Internet
Artemis
McAfee Artemis Technology
1. User receives new file via email or web
2. No detection with existing DATs, but the file is “suspicious”
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across threat landscape (Collective Threat Intelligence)
5. Artemis identifies threat and notifies client
6. VirusScan processes information and removes threat
Artemis is enabled on the endpoint without any additional client side install
Artemis
Artemis – Compresses “Protection Gap”
t0: Malware in the wild
t1: Malware is discovered (with Artemis, protection is delivered in real-time at this point)
t2: Protection is available
t3: Protection is downloaded
t4: Protection is deployed
Artemis
Compressing Protection Gap – Case Study
Filename | Malware | Type | Submitted by Customer without Artemis | Detected by Artemis | Artemis Advantage
xxx.scr | spy-agent.bv.dnldr | Trojan | 10/13/08 06:26 | 10/12/08 06:00 | 24 hours 26 minutes
video.exe | Generic downloader.ab | Trojan | 10/6/08 13:08 | 10/6/08 11:53 | 1 hour 15 minutes
ecard.exe | generic.dx | Trojan | 9/26/08 13:08 | 9/26/08 07:44 | 5 hours 24 minutes
ecard.exe | new malware.j | Trojan | 9/26/08 08:21 | 9/26/08 07:44 | 37 minutes
xxx.exe | spy-agent.bw | Trojan | 9/22/08 08:16 | 9/20/08 22:00 | 34 hours 16 minutes
e-card.exe | fakealert-ab.dr | Trojan | 9/18/08 08:43 | 9/17/08 13:38 | 19 hours 5 minutes
postcard.exe | generic pup.x | Trojan | 9/25/08 11:21 | 9/24/08 10:43 | 23 hours 37 minutes
• Customer submitted 7 malware samples in a 30-day period
• Artemis would have protected them from all those threats
• Artemis protection was available on average 14 hours before the customer sent the sample to McAfee
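As an added illustration (not McAfee's code, and not how Artemis was actually implemented), the flow on the Artemis slides and the case-study table above modelled in Python: the endpoint sends only a file fingerprint, the cloud answers from its verdict store, and the "Artemis advantage" is the time between the cloud verdict and the customer's own submission. SHA-256 as the fingerprint and the stand-in file bytes are assumptions; detection names and timestamps are taken from the six fully legible rows of the table.

```python
import hashlib
from datetime import datetime, timedelta
FMT = "%m/%d/%y %H:%M"

def fingerprint(data: bytes) -> str:
    # Endpoint side: only a hash of the file leaves the machine (SHA-256 assumed here).
    return hashlib.sha256(data).hexdigest()

class CloudReputation:
    """Cloud side: fingerprint -> (detection name, time it was marked malicious)."""
    def __init__(self):
        self.verdicts = {}
    def mark_malicious(self, fp, name, when):
        self.verdicts[fp] = (name, when)
    def lookup(self, fp):
        return self.verdicts.get(fp)

def scan(cloud, data, local_dats, suspicious):
    """Slide steps 2-5: local DATs first; if they miss but heuristics flag the
    file, send its fingerprint to the cloud. Returns a detection name or None."""
    fp = fingerprint(data)
    if fp in local_dats:
        return local_dats[fp]
    hit = cloud.lookup(fp) if suspicious else None
    return hit[0] if hit else None

def artemis_advantage(cloud, fp, submitted_at):
    """How long the cloud verdict existed before the customer submitted the sample."""
    _name, marked_at = cloud.lookup(fp)
    return submitted_at - marked_at

def fmt(delta: timedelta) -> str:
    hours, minutes = divmod(int(delta.total_seconds()) // 60, 60)
    return f"{hours} hours {minutes} minutes" if hours else f"{minutes} minutes"

# Slide case-study rows: (filename, constructed file bytes, detection name, detected at, submitted at)
CASE_STUDY = [
    ("xxx.scr", b"sample-1", "spy-agent.bv.dnldr", "10/12/08 06:00", "10/13/08 06:26"),
    ("video.exe", b"sample-2", "Generic downloader.ab", "10/06/08 11:53", "10/06/08 13:08"),
    ("ecard.exe", b"sample-3", "generic.dx", "09/26/08 07:44", "09/26/08 13:08"),
    ("ecard.exe", b"sample-4", "new malware.j", "09/26/08 07:44", "09/26/08 08:21"),
    ("xxx.exe", b"sample-5", "spy-agent.bw", "09/20/08 22:00", "09/22/08 08:16"),
    ("e-card.exe", b"sample-6", "fakealert-ab.dr", "09/17/08 13:38", "09/18/08 08:43"),
]

def replay_case_study(rows=CASE_STUDY):
    """Returns {detection name: 'Artemis advantage' string} for each row."""
    cloud, result = CloudReputation(), {}
    for _fname, data, name, detected, submitted in rows:
        fp = fingerprint(data)
        cloud.mark_malicious(fp, name, datetime.strptime(detected, FMT))
        assert scan(cloud, data, local_dats={}, suspicious=True) == name
        result[name] = fmt(artemis_advantage(cloud, fp, datetime.strptime(submitted, FMT)))
    return result
```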
Artemis
Analytics and telemetry
1. New suspicious fingerprint noted
2. Automation evaluates prevalence of fingerprint
3. Fingerprint marked as malicious
4. Subsequent customers protected before malware is widespread
Protection provided in minutes
Zbot Seeding
TrustedSource Technology
Most Complete Sensor Network: deployed in 100+ countries
• World’s first multi-identity reputation system
• Largest network of corporate & consumer sensors
IntelliCenter: behavioral correlation across Mail, Web, Intrusions, Malware (reputation dimensions: Breadth, Volume, Persistence, Burstiness, Social Networks)
• Highest quality data
• Most sophisticated behavioral analysis
• Terabytes Processed Daily
• Hundreds of Servers
• Real-time analytics
• 7 Data Centers (shown: London, Chicago, Atlanta, Frankfurt, Hong Kong, San Jose)
• 5+ yrs of transactional data
• Multi-layered redundancy
Telemetry Scope
• Volume
  • Web: 75 billion web reputation queries/month
  • Mail: 20 billion mail reputation queries/month
  • Malware: 2.5 billion malware reputation queries/month
  • Intrusions: 300 million IPS attacks/month, 100 million IP/port reputation queries/month
  Total: 100 billion queries
• Breadth & Depth
  • Web: 20 million endpoints + 70 thousand gateways
  • Malware: 40 million endpoints
  • Mail: 30 million nodes
  • Intrusions: 4 million nodes
  Total: 100 million nodes, 120 countries
What we know…
Visibility | History
Every known malware | 20+ years
Every IP address/domain that has sent mail through sensor | 6+ years
Every URL/IP address visited by 90 million people | 5+ years
Every IP address with malware detected | 4+ years
Every message fingerprint and URL within it received by 50 million users |
Every domain registered | 3+ years
Every BGP internet route publicized | 2+ years
Every file hosted on 30+ million most visited URLs | 2+ years
Every suspicious executable file resident on 40 million machines | 1+ years
Attribute Correlation
IP Address
• Botnet/DDoS activity
• Mail/spam sending activity
• Web access/referer activity
• Malware hosting activity
• Network probing activity
• Presence of malware
• DNS hosting activity
• Intrusion attacks launched
Domain/URL
• Mail/spam sending activity
• Web access activity
• Malware hosting activity
• Hosted files
• Popups
• Affiliations
• DNS hosting activity
Malware
• IP addresses distributing
• URLs hosting malware
• Mail/spam including it
• Botnet affiliation
• IPS attacks caused
IPS Attacks/Vulnerabilities
• IP addresses of attackers
• Vulnerability utilized
• Botnet affiliation
• Malware responsible
Threat & Defense Forecast
5 Year Malware Forecast (Future): timeline 2010 to 2015
Threats
• Increase in file-less threats
• Poly-patching trojans
• Threats circumvent behavioral AV
• Powershell rejuvenates script malware
• Greater use of evasion and misdirection; anti-anti defenses
• Greater attempts at whitelist poisoning
• Infrastructure
• Spam all over the web (Poisoned content pervasive)
Vectors
• Entertainment systems (TV, Game, etc)
• Mobile
• Powershell
Influences
• Behavioral AV mainstream
• Behavioral AV bypasses published
• Companies adopt Windows 7
• SaaS growth
• Embedded security
• Wider use of whitelisting
Motivations
• Financial
• Government espionage
Malware History Lessons Learned
Game changing events occur infrequently
Internet moves file sharing away from removable media
New removable media devices bring the vector back
Macro and script defences enough to change threat direction
Major OS and application releases can greatly affect landscape
Greater availability of personal information leads to more convincing social engineering attacks
Social engineering attacks remain a constant throughout the landscape
Underlying themes
Threats leverage widely adopted technology; technology gets defensive; threats react
Partial defence often viewed as non-existent. Even when desktops are protected, gateways must block too.
Threats linger. Even when conversion rates are very low, if it’s cheap to produce the threat, it may very well be around for years (namely exploits).
When it seems like a vector is past its prime, it may very well come back in force (email worms).
History repeats; old tactics come back in vogue. Users forget. (At the moment users are taken aback by receiving threats from their circle of friends.)
What may lie ahead
However people make money in legit ways, attackers look to capitalize
Interactive TV will lead to new attack surface
  • Ad injection
  • Ad redirection
Reputation / Trust abuse
  • Popular sites
  • Social Networking sites
  • Establish trust with the intent of violating later
  • Search engine manipulation
Important Links
• Threat Center: http://www.mcafee.com/us/threat_center/default.asp
• McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/
• McAfee Security Journal: http://www.mcafee.com/us/research/mcafee_security_journal/index.html
• AudioParasitics: http://podcasts.mcafee.com/audioparasitics/
• McAfee 2 Minute Warning: http://podcasts.mcafee.com/
• McAfee Security Advisories: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
Q&A