Jarno Niemelä, Senior Anti-Virus Researcher, F-Secure Corp

Malware

The volume growth of malware in the wild shows no sign of slowing down.

[Chart: horizontal axis years 86 to 05 (YTD), vertical axis 0 to 150 000. Data source: F-Secure]

Reliable quality of protection: F-Secure beats competition in speed

Average signature update speed for 12 major outbreaks in 1H of 2005.

[Chart: hours from detection, axis 0 to 12; values shown 2:45, 5:33, 9:29, 10:48; vendors F-Secure, Trend, McAfee, Symantec. Source: AV-Test.org]

The results were similar in 2004, too.

Number of updates / month

[Chart: axis 0 to 80; vendors F-Secure, Trend Micro, McAfee, Symantec]

Virus Eras

Years        Virus type      Outbreak speed
1986-1995    Boot virus      One year
1995-1999    Macro virus     One month
1999-        Email worm      One day
2001-        Network worm    One hour

Today we are fighting these!

Jeremy Jaynes: Millionaire, and a spammer
Jay Echouafni: CEO, and a DDoS attacker
Andrew Schwarmkoff: Member of Russian mob, and a phisher

Does anybody buy from spam?

Global Phishing

We're aware of phishing cases done in at least ten different languages, including:
- English
- German
- French
- Italian
- Spanish
- Russian
- Swedish
- Danish
- Hungarian
- Estonian
- Romanian
- Turkish
- Greek

BankAsh.E

Found on March 28th. Shows a fake bank web page whenever the user accesses one of the targeted online banking URLs.

Keylogger: Bancos.NL

From: [email protected]
Sir,
The ship deployment as of today. Reply as soon as confirmed.
Colonel Martin
[email protected]
Attachment: WAP.WMF

But surely you're not serious?

...mobile phone viruses are just an urban legend...
...they are not really spreading anywhere...
...you are just hyping them...

Nope, this is already happening...

• Tens of thousands of infections worldwide
• Reports about Cabir and Commwarrior from over 30 countries
• A company with 8 m mobile subscribers says it has disinfected 13000 phones
• An operator with 9 million customers reports 200 infections a day
• Operator with 2 million customers: 3.5% of MMS traffic infected
• Operators have given money back to customers who had Commwarrior
• An antivirus service was needed during the athletics world championships

So, why do people get infected?

Because of the user interface

Commwarrior spreads very fast

Cabir is spreading in the wild

Cabir was found in June 2004. First in-the-wild report from Philippines in August 2004.

Singapore, UAE, China, India, Finland, Vietnam, Turkey, Russia, UK, Italy, USA, Japan, Hong Kong, France, South Africa, Australia, The Netherlands, Egypt, Luxembourg, New Zealand, Switzerland, Germany

Skulls.D

Cabir.AA

27th variant of Cabir. Found at the end of October 2005.

http://www.f-secure.com/weblog

Happy F-Secure customers

Financial Services; Telecomm; Technology; Healthcare and Pharmaceuticals; Retail, Services; Manufacturing; Public Sector; Education