Threats

1
Threats ThreatSense

• InfoSecurity Moscow 2005
• Maros Mozola, Senior VP, Eset

2
Agenda

• The evolution of threats
• Zero and near zero day attacks
• Problems with update cycle approach
• Problems with heuristic approach
• New internet threats spyware, phishing

3
Threat evolution
1987
Boot Sector
1990
File Infector
1995
Macro Virus
1999
Email Worm
2001
Blended Threat
2003
Bots Spyware
4
(No Transcript)
5
Approaching Zero
6
Problems specific to update release cycle

• Trade off between maximum compatibility and
  release speed
• False alarms can be increased (less QA time)
• Complexity of virus can affect complete detection
• Only some parts/forms of a virus may be detected
  initially
• Polymorphic viruses can have partial detection
• Time to release is between 4 and 16 hours on
  average
• Nests of unopened emails on severs in other
  time-zones can rapidly increase spread as users
  log in.
• Malware exploiting known vulnerabilities can
  spread more rapidly (Slammer / Sasser)

7
Problems specific to heuristic approach

• Trade off between maximum detection, and false
  positive rate
• False alarms can be increased
• 100 detection is not possible
• Only some parts/forms of a virus may be detected
  initially
• Droppers can be a problem
• Performance can be affected depending on the
  makeup of the system under test
• Archives and packed files increase overhead
• Large systems can take much longer to scan

8
New malware is being released at an ever faster
rate, and is more prevalent than ever before
Criminal activity is responsible for a huge
amount of malware activity. Distributed networks
of compromised machines, or botnets give
spammers and scammers a fast delivery mechanism
for new malware.
9
Advantages specific to heuristic approach

• Best way to ensure Zero Hour protection
• No lag time for updates
• Better than 90 of common malware is detectable
• Huge customer advantage
• Partial protection may be enough
• Droppers if executed may drop recognizable file
• Performance is protected as the impact of
  overhead is lower than the probable impact of the
  malware
• Real security against evolving threats
• Mytob, Zotob
• Bots
• The fact we catch so many on Zero day is proof of
  the need

10
Spyware

• 66 of computers infected with spyware in the US
  (IDC study)
• Much installs without consent or even user
  intervention pay per install
• Spyware is very difficult to remove, so
  prevention is better
• Spyware is becoming more and more sophisticated

11
Phishing

• Distributed in short bursts
• Platform independent threat
• Exploits the human element, not a specific
  software vulnerability
• The signature recognition methods can not be
  applied to detect
• Detection by generic signatures and heuristic
  methods

12
(No Transcript)
13
New Features in V2.5

• Early Warning System
• Phishing detection
• Startup check
• Generic signatures
• Updating profiles based on current connection
  conditions

14
Thank you
Maros Mozola