Title: Malware for profit: the latest trends in network threats


1
Malware for profit: the latest trends in network threats
  • Ron O'Brien, Senior Security Analyst, May 2, 2006

2
Evolution of the virus threat
3
Image available from http://www.sophos.com/pressoffice/imggallery/virusimg/
4
Image available from http://www.sophos.com/pressoffice/imggallery/virusimg/
5
Image available from http://www.sophos.com/pressoffice/imggallery/virusimg/
6
Image available from http://www.sophos.com/pressoffice/imggallery/virusimg/
7
2005 at a glance
  • 48% increase in new malware threats over previous
    year
  • 1 in 44 of all emails is viral
  • New Trojans outweigh Windows worms almost 2:1
  • Medical-related spam remains the most common, but
    pornographic content and pump-and-dump scams have
    surged
  • Cybercriminals joining forces, and attacking
    using combined technology

8
New and inventive challenges
  • Increased complexity of demand on IT
  • Increase in speed of threat
  • Increase in different types of threat
  • Spyware
  • Zombies
  • Phishing
  • DOS Blackmail Threats
  • Scams
  • Pharming
  • Spear Phishing

9
Financial motivation of cybercrime
  • Huge financial gains
  • more viruses, worms and Trojans to steal and
    extort money from individuals and companies
  • Significant effect on the nature of threats
  • smaller, focused attacks to come in under
    detection radar through, e.g. zombies and
    phishing
  • blended methods of spreading to increase success
    rate

10
48% increase in malware threats
  • 2004 - 10,724 new threats
  • 2005 - 15,907 new threats: more than 1 EVERY
    hour
  • November: most viral month in history
  • 1,940 new threats

11
Malware authors get more creative
  • Multiple new versions of viruses and Trojan
    horses
  • Repackaging of malicious code in multiple
    disguises
  • Quick replacement of old versions of malware as
    soon as authors realize it is no longer effective
  • Example: Sophos has seen over 200 Mytob worm
    variants since March 2005

12
Top ten malware threats REPORTED, 2005: #1 and
#2 are a year old - new threats are stealthy
13
#1 Zafi-D
  • First seen 14 December 2004
  • The most commonly reported virus of the year
  • Hungarian worm, disguised as a Christmas
    greeting, tricks users into opening its
    infected attachment
  • Spread successfully even outside the holiday
    season

14
#2 Netsky-P
  • First seen 22 March 2004
  • Accounted for over 55% of all reports in 2004
  • Uses many disguises, including posing as a Harry
    Potter game

15
#3 Sober-Z
  • First seen 22 November 2005
  • Pretended to be from FBI/CIA, investigating
    access to illegal websites
  • Caused an email avalanche, but most users were
    already protected.

Dear Sir/Madam,
We have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions! The list of questions are attached.
Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW, Room 3220
Washington, DC 20535
Phone: (202) 324-30000
16
1 in 44 of all email in 2005 was viral
  • At times of major outbreak (for instance, the
    Sober-Z worm) this rose as high as 1 in 12
  • Fewer new mass-mailing worms making an impact -
    but they still pose a threat

17
Types of new malware threat in 2005
  • More Trojans each month than Windows worms: 2:1
  • Giving hackers more control over how many people
    get infected, and who gets infected
  • Draw less attention to themselves
  • Easier to steal money from 200 people than
    200,000

18
Top threat characteristics: #1 create Zombies
19
Spying - zombies
  • Zombie computers are typically used to:
  • send spam
  • steal information and spy (keypresses, passwords,
    usernames, webcam, files)
  • launch distributed denial of service (DDoS)
    attacks
  • distribute new malware
  • install adware

20
Zotob
  • Prime example of a worm which opened backdoors
    for hackers to exploit
  • Hit CNN live on-air, disrupting their program
    schedule

21
Spyware
  • Over two-thirds of new threats are spyware

22
Spreading methods
23
Spam categories
24
Types of spam
  • Medical spam (weight loss, human growth hormone,
    sexual performance medication, etc.) still #1
  • Pornographic spam rose in August, remaining #2
  • Opportunistic spam campaigns, e.g. exploiting
    concern about avian flu
  • Dating spam rose
  • Stock-related spam grew from 0.8% to 13.5% of all
    spam

25
Scams
  • Pump-and-dump stock scams
  • 419 (aka "Letter from Nigeria") scams still there
  • Scams relating to Indian Ocean tsunami, the
    London terrorist bombings, a bogus football
    lottery

26
Dirty dozen spam-relaying countries, 2005
27
Need for protection
  • Risk of infection from an internet worm if
    computer is unprotected
  • 40% after 10 minutes
  • 94% after 60 minutes
  • Unprotected and unpatched, it's not a case of
    if... or even when... Your computers will get
    infected
  • running Windows XP without SP2

28
Top internet-borne threats, 2005
29
2006 and beyond
  • Spyware and adware
  • Spam
  • Host Intrusion Prevention Systems (HIPS)
  • Mobile viruses
  • Microsoft
  • Malware authors
  • Vulnerability exploitation
  • Zombies

30
Summary
  • Growing quantity of new threats
  • Increased speed of spread
  • Hugely complex task of protecting networks
  • Combination of spreading methods
  • Multi-level nature of many threats
  • Need for integrated threat management