Mikko Hypponen
Chief Research Officer, F-Secure
F-Secure Corp
We used to be fighting these...
Chen-Ing Hau
Author of
the CIH virus
Joseph McElroy
Hacked the Fermi lab
network
Jeffrey Parson
Author of Blaster.C
Today we are fighting these!
Jeremy Jaynes
Millionaire,
and a spammer
Jay Echouafni
CEO,
and a DDoS attacker
Andrew Schwarmkoff
Member of Russian mob,
and a phisher
Does anybody buy from spam?
Direct spam (diagram): the Spammer sends mail directly to the recipients Ed, Bob, Lisa, Jack and Mary.
Spam through Proxy (diagram): the Spammer sends mail to Peter's machine (Zombie / Proxy), which relays it on to the recipients Ed, Bob, Lisa, Jack and Mary.
Send-safe
http://www.f-secure.com/weblog
So, what does phishing have to do with viruses?
Not much.
Until we started monitoring some later variants of the Bagle worm.
It turns out the infected machines eventually download an email proxy, and the mails sent through the infected machines turned out to be...
BankAsh.E
Found on March 28th
Shows a fake bank web page whenever a user accesses one of these URLs:
web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp
www.bankofscotlandhalifax-online.co.uk/_mem_bin/UMLogonVerify.asp
www.halifax-online.co.uk/demos/public/umdemoengine.asp
www.ebank.hsbc.com.hk/servlet/onlinehsbc
www.iblogin.com/servlet/XCServlet;jsessionid
www.national.com.au/cgi-bin/7614_1.pl
www.bpinet.pt/verificaMCF.asp
sec.westpactrust.co.nz/IOLB/csReq
olb.westpac.com.au/ib/asp/login/bsd_lgvalidate.asp
www.halifax-online.co.uk/_mem_bin/UMLogonVerify.asp
www.rbsdigital.com/secure/default.asp
www.nwolb.com/secure/default.asp
olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp
online.lloydstsb.co.uk/logon.ibc
ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameset_top_log_in.html
ibank.barclays.co.uk/fp/1_2h/online/1,31705,,00.html
myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=logon
www.ebank.hsbc.co.uk/logonindex.jsp
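A defender-side check built from the URL list above, added here as an example and not code from the presentation or from F-Secure. The slide does not say how BankAsh.E substitutes the fake page; this script assumes one common mechanism, a hosts-file entry that redirects the bank hostname, and reports any hosts-file line that names one of the targeted banks. The sample hosts file is constructed for the example and uses a TEST-NET address (192.0.2.10) as the stand-in for an attacker-controlled server.

```python
"""Scan a hosts file for entries that override the bank hostnames
targeted by BankAsh.E.  Added example, not F-Secure code; the
hosts-file redirection mechanism is an assumption."""
from urllib.parse import urlsplit

# Targeted URLs exactly as listed on the slide.
TARGET_URLS = [
    "web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp",
    "www.bankofscotlandhalifax-online.co.uk/_mem_bin/UMLogonVerify.asp",
    "www.halifax-online.co.uk/demos/public/umdemoengine.asp",
    "www.ebank.hsbc.com.hk/servlet/onlinehsbc",
    "www.iblogin.com/servlet/XCServlet;jsessionid",
    "www.national.com.au/cgi-bin/7614_1.pl",
    "www.bpinet.pt/verificaMCF.asp",
    "sec.westpactrust.co.nz/IOLB/csReq",
    "olb.westpac.com.au/ib/asp/login/bsd_lgvalidate.asp",
    "www.halifax-online.co.uk/_mem_bin/UMLogonVerify.asp",
    "www.rbsdigital.com/secure/default.asp",
    "www.nwolb.com/secure/default.asp",
    "olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp",
    "online.lloydstsb.co.uk/logon.ibc",
    "ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameset_top_log_in.html",
    "ibank.barclays.co.uk/fp/1_2h/online/1,31705,,00.html",
    "myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=logon",
    "www.ebank.hsbc.co.uk/logonindex.jsp",
]

# Constructed sample hosts file: two bank hostnames redirected to a
# TEST-NET address, one bank hostname sinkholed to loopback.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.ebank.hsbc.co.uk online.lloydstsb.co.uk   # attacker-controlled (TEST-NET)
127.0.0.1       www.nwolb.com
10.0.0.5        intranet.example.local
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def target_hostnames(urls):
    """Reduce the URL list to the set of hostnames a hosts file could override."""
    hosts = set()
    for u in urls:
        if "://" not in u:
            u = "http://" + u          # urlsplit needs a scheme to find the host
        host = urlsplit(u).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every name in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def find_hijacks(hosts_text, urls=TARGET_URLS):
    """Return every hosts-file entry that names a targeted bank hostname.

    A mapping to a loopback/unspecified address blocks the real bank
    ('block'); any other address sends the browser elsewhere ('redirect').
    A clean system has no entry for these names at all."""
    targets = target_hostnames(urls)
    findings = []
    for lineno, ip, name in parse_hosts(hosts_text):
        if name in targets:
            kind = "block" if ip in LOOPBACK else "redirect"
            findings.append({"line": lineno, "host": name, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

To run it against a real machine, pass the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) to find_hijacks instead of SAMPLE_HOSTS; any finding at all is worth investigating, since legitimate systems do not pin bank hostnames in the hosts file.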
BJs.com: Hacker stole an undisclosed amount of the database with 8 million credit card numbers.
US Navy: Unknown attacker stole 13,000 credit card numbers over the net. Total number of cards in the system: 22,000.
Dpicorp.com: Over 8 million Visa, AMEX, Mastercard and Discover numbers stolen from a credit card brokerage.
Playboy.com: The whole customer database stolen. Hacker sent e-mail about this to all customers.
Ecount.com: Hacker stole a database containing 350,000 customers and asked for a $45,000 ransom.
Egghead.com: Over 3,700,000 customers had to change their credit cards after a break-in.
Creditcards.com: Hacker stole 55,000 credit card numbers. He asked for a ransom and when it wasn't met, he posted the numbers to a public web page.
Westernunion.com: Hacker stole over 15,000 credit card numbers and apparently sold them.
CDUniverse.com: Russian hacker "Maxus" stole 350,000 credit card numbers and posted them to a public web page.
Case Slacke
Cabir is spreading in the wild
Cabir was found in June 2004
First in-the-wild report from the Philippines in August 2004
Singapore
UAE
China
India
Finland
Vietnam
Turkey
Russia
UK
Italy
USA
Japan
Hong Kong
France
South Africa
Australia
The Netherlands
Egypt
Luxembourg
New Zealand
Switzerland
Skulls.D
http://www.f-secure.com/weblog
F-Secure Awards (country, month/year):
Austria, 04/05
Spain, 04/05
Serbia, 04/05
Norway, 04/05
UK, 04/05
Finland, 04/05
United Kingdom, 03/05
United Kingdom, 02/05
Italy, 12/04
Italy, 12/04
United States, 12/04
Sweden, 11/04
United States, 11/04
United Kingdom, 10/04
Excellent