Jarno Niemelä
Senior Anti-Virus Researcher, F-Secure Corp

Transcription
Malware
The volume growth of malware in the wild shows no sign of slowing down
[Chart: malware volume (0 to 150 000) per year, 1986 to 2005 YTD. Data source: F-Secure]
Reliable quality of protection: F-Secure beats competition in speed
Average signature update speed for 12 major outbreaks in 1H of 2005
[Chart: hours from detection (0 to 12) per vendor; bars labelled F-Secure, Trend, McAfee, Symantec; bar values shown: 2:45, 5:33, 9:29, 10:48]
The results were similar in 2004, too.
Source: AV-Test.org
[Chart: Number of updates / month (0 to 80) for F-Secure, Trend Micro, McAfee, Symantec]
Virus Eras

Years        Virus type      Outbreak speed
1986-1995    Boot virus      One year
1995-1999    Macro virus     One month
1999-        Email worm      One day
2001-        Network worm    One hour
Today we are fighting these!
- Jeremy Jaynes: millionaire, and a spammer
- Jay Echouafni: CEO, and a DDoS attacker
- Andrew Schwarmkoff: member of Russian mob, and a phisher
Does anybody buy from spam?
Global Phishing
We're aware of phishing cases done in at least ten different languages, including:
- English
- German
- French
- Italian
- Spanish
- Russian
- Swedish
- Danish
- Hungarian
- Estonian
- Romanian
- Turkish
- Greek
BankAsh.E
Found on March 28th
Shows a fake bank web page whenever the user accesses one of a list of online-banking login pages.
Keylogger: Bancos.NL
From: [email protected]
Sir,
The ship deployment as of today. Reply as soon as confirmed.
Colonel Martin
[email protected]
Attachment: WAP.WMF
But surely you’re not serious?
...mobile phone viruses are just an urban legend...
...they are not really spreading anywhere...
...you are just hyping them...
Nope, this is already happening...
• Tens of thousands of infections worldwide
• Reports about Cabir and Commwarrior from over 30 countries
• A company with 8 million mobile subscribers says it has disinfected 13000 phones
• An operator with 9 million customers reports 200 infections a day
• Operator with 2 million customers: 3.5% of MMS traffic infected
• Operators have given money back to customers who had Commwarrior
• An antivirus service was needed during the athletics world championships
So, why do people get infected?
Because of the user interface
Commwarrior spreads very fast
Cabir is spreading in the wild
Cabir was found in June 2004
First in-the-wild report from Philippines in August 2004
Singapore
UAE
China
India
Finland
Vietnam
Turkey
Russia
UK
Italy
USA
Japan
Hong Kong
France
South Africa
Australia
The Netherlands
Egypt
Luxembourg
New Zealand
Switzerland
Germany
Skulls.D

Cabir.AA
27th variant of Cabir
Found at the end of October 2005

http://www.f-secure.com/weblog
Happy F-Secure customers
- Financial Services
- Telecomm
- Technology
- Healthcare and Pharmaceuticals
- Retail, Services
- Manufacturing
- Public Sector
- Education