October 7, 2010
The Evolving Threat Landscape
Craig Schmugar
Research Architect
McAfee Labs
Confidential McAfee Internal Use Only
Agenda
I. Historical Threat Evolutionary Factors
II. Current State of Threats
III. Influential Advancements and Threats to Come
IV. Additional Q&A
Brief Malware History
Threat Landscape Defining Conditions
• Motivations
• Influential Technologies
• Attack Vectors
• Threats
5 Year Malware Forecast (Past): 1990 to 2005
[Timeline chart; rows: Influences, Motivations, Threats, Vectors. Labels in reading order:]
• W16 viruses
• File Infectors (COM and EXE)
• Boot infectors
• Multi-partite
• Batch
• Floppy disks
• Local Area Networks
• Windows 3.x
• Peer fame
• Revenge
• Macro viruses
• Windows 95
• Boot & floppy threats decline
• VBScript and W32 take over, W16 & DOS dry up
• 100 million users on Internet
• Email worms take over
• AV advanced macro heur
• Office97 introduces tighter macro security
• VBScript viruses decline
• Macro viruses decline
• Joke PUPs emerge
• Web
• AV script heur better
• More Email servers & clients block VBScripts
• PWS trojans emerge
• Peer fame / notoriety
• Personal challenge
• P2P, IM, Drive-by exploits
• Network services
• IRC bots, first server-side poly
• Threats become more componentized
• Web app vulns lead to mass hacks
• Pay-per-install affiliate programs
• Adware explodes
• PoC exploit code made public
• Self-executing worms
• Financial
• Windows rootkits rise
• Authors exploit engine / product lifecycle (obfuscation)
• Anti-analysis tactics common
• BackDoors!
• Vuln researchers looking for peer fame
• Microsoft Office
5 Year Malware Forecast (to Present): 2005 to 2010
[Timeline chart; rows: Influences, Motivations, Threats, Vectors. Labels in reading order:]
• Parasitics make a comeback
• Server-side poly common
• Single-use malware rampant
• Cloud AV emerges
• HTTP based bots
• Less-seasoned AntiSpyware vendors release offerings
• Web 2.0 malware
• “Web 2.0” explosion
• FTC brings down Adware kings
• Advertisers don’t want to be associated with Adware
• Adware declines
• Web 2.0
• PWS trojans target games
• Financial
• Obfuscation huge threat
• Anti-analysis tactics more complex
• Virtual economy picks up
• Rogue AV takes over from adware
• P2P Botnets
• Vulnerability research for malware distribution
• Vista flops, 64-bit slow uptake
• Low scale & personalized attacks
• Infrastructure malware emerges
• Autorun worms [modern floppy]
• More single-use malware
• More complex parasitics
• More network hijacking
• Patching trojans increase
• Rogue Ads
• Vuln research for money
• USB devices
• Government espionage
Adware Fall Sets The Stage…
Rise of the Rogues (AV / AS)
Innovative Marketing Ukraine
Cribbed with respect from Brian Krebs at The Washington Post
Duration of employment at IMU | Number of people
More than 7 years | 1
Between 6 and 7 years | 2
Between 5 and 6 years | 3
Between 4 and 5 years | 5
Between 3 and 4 years | 17
Between 2 and 3 years | 31
Between 1 and 2 years | 41
Between 6 months and 1 year | 17
Between 3 and 6 months | 3
Between 1 and 3 months | 6
Other Fake AV Affiliate Programs
Cribbed with respect from Brian Krebs at The Washington Post
How much could they possibly make?
Cribbed with respect from Brian Krebs at The Washington Post
Fake AV Development Active
According to the DAT Readme figures, January 2010
[Chart: Unique Malicious Fake AV Binaries Discovered, per quarter from Q1-08 to Q3-10; y-axis 0 to 800,000]
Blackhat SEO – Fake AV
Blackhat SEO - Clickjacking
Blackhat SEO – Q3 2010 Top Poisoned Terms
60% of top search terms for Q3 2010 led to malicious sites in the first 100 search results
Blackhat SEO – Another Fake AV
Koobface – Another Fake Video Lure, & Fake AV payload
Koobface – Other Revenue Streams
• Password stealing
• Clickfraud
• Ad-hijacking
• Affiliate programs (Friendfinder, Fake AV)
• Captcha service
Other Big Fish
Zbot (aka Zeus)
• One of the most active password stealing kits
• Sells for a few thousand dollars
• Steals cached passwords
  • Windows
  • POP
  • FTP
• Steals cookies
• Uploads & Downloads/Executes files
• And more…
Zbot (aka Zeus)
• Straight-forward UI for building threats
• Extensive documentation
Zbot (aka Zeus) – HTTPS page manipulation
Virtual Economies & “Softer” Targets
Large-scale malware attacks can pay big bucks, but the risks are high
• Early for-profit malware attacks blasted threats out to any and everyone
• High profile attacks light up radar screens
• Fewer hops make it easier to track the threat source
• Melissa (Mar-09) author caught after spamming the threat to Usenet, in combination with a large number of users getting infected
• Sasser (Apr-04) author caught after millions of dollars of damages reported
• “Anna Kournikova” (Feb-01)
• Gigabyte, Blaster.B, Fujacks, etc.
• Previously, a lot of direct attacks – high payout and high risk
[Photos: Melissa author, Blaster.B author, Sasser author]
Attackers shift tactics – Trade higher reward for lower risk
• Target those less likely to result in prosecution
• Big banks poised to respond
• Soft targets vulnerable and may lead to higher conversion rates
• Virtual economies booming
• Gold farming
  • Began with Ultima Online
  • Blocked by eBay (other than Second Life)
  • Not long ago, the trade of virtual goods/currency for real-world currency was made illegal in China (thought of as the main source of in-game gold farming)
Risk reduction through softer targets
• Many virtual currencies exist
• Trojan authors automate gold farming and target Massively Multiplayer Online Role Playing Games (MMORPG)
Currency | Value (USD)
City of Heroes influence | 2631579
Dark Age of Camelot platinum | 0.29
EverQuest 2 gold | 5.88
EverQuest platinum | 1851.85
EVE Online ISK | 2500000
Final Fantasy XI gil | 55897.15
Guild Wars gold | 8333.33
Lineage 2 adena | 357142.86
Second Life Linden dollar | 267.97
Star Wars Galaxies credit | 227272.73
Ultima Online gold | 138888.89
United States dollar | 1
World of Warcraft EU gold | 7.69
World of Warcraft US gold | 10.2
Low Scale & Targeted Attacks
Risk reduction through low-scale attacks
• Low scale attacks commonplace; fly under the radar and exploit law enforcement resource constraints
• Web 2.0 facilitating more convincing personalized attacks
• Significant change in threat dynamics with high prevalence of “targeted attacks” or personalized threats (“spear phishing”, targeted SPAM, targeted malware, etc)
What is Operation Aurora?
• A well-coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper and many others
• Exploits a zero-day vulnerability in Microsoft IE (CVE 2010-0249), “Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability”
• Lures users to malicious websites via directed emails and IM messages, installs Trojan malware on systems, uses the Trojan to gain remote access
• Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
Mid-2009
What is Stuxnet?
• A highly complex virus targeting Siemens’ SCADA software.
• The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729).
• Uses a rootkit to conceal its presence, as well as two stolen digital certificates.
• Spreads through USB devices
Mid-2009
The Big Picture
Explosion of Malicious Binaries
According to the DAT Readme figures, January 2010
[Chart: Unique Malicious Binaries Discovered (cumulative), monthly from Jan-08 to Sep-10; y-axis 0 to 50,000,000]
Global Threat Intelligence
Evolution of Threat Intelligence (1980s to Today)
Phase 1 – Reactive
• Detection of known threats
• Signature-based technology
• Ex: AV, IPS, Spam Sigs
Phase 2 – Proactive
• Detection of unknown threats
• Real-time, global & local behavioral analysis
• Reputation-based defenses
• Ex: TrustedSource, Artemis, SiteAdvisor
Phase 3 – Predictive
• Prediction of new threats
• Global real-time cross-vector behavioral threat correlation
• Ex: Global Threat Intelligence
What is Global Threat Intelligence?
• Footprint that spans the entire Internet, including millions of sensors gathering threat information
• Across all threat vectors: malware, web security, spam/phishing, network/IPS signatures, IP, vulnerability management
• Delivered utilizing a real-time “in-the-cloud” model for threat collection and distribution
• Provides reputation-based predictive security
• Distributed via a complete suite of endpoint and network security products
• Must have a global threat research team dedicated solely to Global Threat Intelligence
McAfee Labs – Global Threat Intelligence
Research areas feeding Global Threat Intelligence: Vulnerability Research, Regulatory Compliance Research, Host and Network Intrusion Research, Malware Research, Spam Research, Web Security Research
• 90,000 samples/day
• Projected to increase by 300% from 2008 to 2009
• Rated over 21 million sites
• Cover 95% of the Internet
• Close to 10 million spam emails per day
• 50M enterprise nodes
• 100M consumer nodes
McAfee Artemis Technology
1. User receives new file via email or web
2. No detection with existing DATs, but the file is “suspicious”
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape (Artemis Collective Threat Intelligence)
5. Artemis identifies threat and notifies client
6. VirusScan processes information and removes threat
Artemis is enabled on the endpoint without any additional client side install
Artemis – Compresses “Protection Gap”
Traditional signature cycle: Malware in the wild (t0) → Malware discovered (t1) → Protection is available (t2) → Protection is downloaded (t3) → Protection is deployed (t4)
With Artemis: Protection delivered in real-time, so the gap is only t1 → t2
Artemis – Compressing Protection Gap – Case Study
Filename | Malware | Type | Submitted by Customer without Artemis | Detected by Artemis | Artemis Advantage
xxx.scr | spy-agent.bv.dnldr | Trojan | 10/13/08 06:26 | 10/12/08 06:00 | 24 hours 26 minutes
video.exe | Generic downloader.ab | Trojan | 10/6/08 13:08 | 10/6/08 11:53 | 1 hour 15 minutes
ecard.exe | generic.dx | Trojan | 9/26/08 13:08 | 9/26/08 07:44 | 5 hours 24 minutes
ecard.exe | new malware.j | Trojan | 9/26/08 08:21 | 9/26/08 07:44 | 37 minutes
postcard.exe | generic pup.x | Trojan | 9/25/08 11:21 | 9/24/08 10:43 | 23 hours 37 minutes
xxx.exe | spy-agent.bw | Trojan | 9/22/08 08:16 | 9/20/08 22:00 | 34 hours 16 minutes
e-card.exe | fakealert-ab.dr | Trojan | 9/18/08 08:43 | 9/17/08 13:38 | 19 hours 5 minutes
• Customer submitted 7 malware samples in a 30-day period
• Artemis would have protected them from all those threats
• Artemis protection was available on average 14 hours before the customer sent the sample to McAfee
Artemis – Analytics and Telemetry
1. New suspicious fingerprint noted
2. Automation evaluates prevalence of fingerprint
3. Fingerprint marked as malicious
4. Subsequent customers protected before malware is widespread; protection provided in minutes
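The endpoint flow (local DAT check, then a fingerprint lookup for suspicious files) and the prevalence-driven promotion to "malicious" from the two Artemis slides above, as an added toy model; this is not McAfee code, and the threshold, the suspicious-file heuristic and the sample bytes are assumed values constructed for the example.

```python
"""Toy model of the Artemis flow: the endpoint checks local DAT signatures,
sends a fingerprint of any still-suspicious file to a cloud reputation service,
and the cloud marks a fingerprint malicious once enough distinct endpoints have
reported it, so later queriers are protected. All thresholds are assumed."""
import hashlib
from collections import defaultdict

# Local "DAT" signatures: SHA-256 fingerprints of known samples (constructed).
LOCAL_DATS = {hashlib.sha256(b"known-old-worm").hexdigest()}
# Assumed automation policy: a suspicious fingerprint seen on this many distinct
# endpoints is promoted to "malicious" (steps 2 and 3 of the analytics slide).
PREVALENCE_THRESHOLD = 3


class ReputationCloud:
    """Collective threat intelligence: per-fingerprint telemetry and verdicts."""
    def __init__(self):
        self.sightings = defaultdict(set)  # fingerprint -> set of endpoint ids
        self.verdicts = {}                  # fingerprint -> "malicious"

    def query(self, fp, endpoint_id):
        self.sightings[fp].add(endpoint_id)           # step 1: fingerprint noted
        if fp in self.verdicts:
            return self.verdicts[fp]
        if len(self.sightings[fp]) >= PREVALENCE_THRESHOLD:  # step 2: prevalence
            self.verdicts[fp] = "malicious"           # step 3: marked malicious
            return "malicious"
        return "unknown"


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


def looks_suspicious(data):
    """Stand-in heuristic (assumed): a PE image carrying a packer marker."""
    return data.startswith(b"MZ") and b"UPX" in data


def scan(cloud, endpoint_id, data):
    """Endpoint verdict: blocked:dat, clean, blocked:cloud or allowed:unknown."""
    fp = fingerprint(data)
    if fp in LOCAL_DATS:                  # known threat: local signature hit
        return "blocked:dat"
    if not looks_suspicious(data):        # nothing worth asking the cloud about
        return "clean"
    verdict = cloud.query(fp, endpoint_id)
    return "blocked:cloud" if verdict == "malicious" else "allowed:unknown"


def simulate(n_endpoints=5):
    """One new sample reaches n endpoints in turn; returns what each one saw.
    The endpoints seen before the threshold is reached are the residual gap."""
    cloud = ReputationCloud()
    sample = b"MZ\x90\x00UPX!constructed-dropper"  # constructed, not real malware
    return [scan(cloud, f"ep{i}", sample) for i in range(n_endpoints)]
```

With the assumed threshold of 3, the first two endpoints see "allowed:unknown" and every later one is blocked by the cloud verdict without any DAT update.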
Zbot Seeding
TrustedSource Technology – World’s first multi-identity reputation system
Most Complete Sensor Network: deployed in 100+ countries; largest network of corporate & consumer sensors (Mail, Web, Intrusions, Malware)
IntelliCenters: Atlanta, San Jose, Chicago, London, Frankfurt, Hong Kong
• Highest quality data
• Most sophisticated behavioral analysis
• Terabytes Processed Daily
• Real-time analytics
• 5+ yrs of transactional data
• Hundreds of Servers
• 7 Data Centers
• Multi-layered redundancy
Behavioral Correlation inputs: Burstiness, Volume, Persistence, Breadth, Social Networks
[Plots: behavioral correlation scatter plots, axes 0.0 to 1.0]
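The slide names burstiness, volume, persistence and breadth as the behavioral inputs to sender reputation; the added example below (not McAfee code) computes those four features for mail sender IPs from constructed sensor telemetry and turns them into a verdict. The event data, the window size, the weights and the 0.6 cut-off are all assumed.

```python
"""Behavioral features from the TrustedSource slide (volume, burstiness,
persistence, breadth) computed per sender IP from constructed mail sensor
events, then scored. Weights and thresholds are assumed, illustrative only."""
from collections import defaultdict

# Constructed telemetry: (minute offset from start, sender IP, sensor id).
EVENTS = (
    # Long-lived, low-rate sender: twice a day, one sensor, three days.
    [(d * 1440 + h * 60, "198.51.100.10", "sensor-a") for d in range(3) for h in (9, 14)]
    # Bursty sender: 40 messages inside 15 minutes, over 8 sensors, then gone.
    + [(2000 + i % 15, "203.0.113.7", f"sensor-{i % 8}") for i in range(40)]
)
WINDOW = 10  # minutes; burstiness = share of a sender's mail in its busiest window


def features(events):
    """Per-IP dict: volume, burstiness (0..1), persistence (days), breadth."""
    by_ip = defaultdict(list)
    for t, ip, sensor in events:
        by_ip[ip].append((t, sensor))
    out = {}
    for ip, rows in by_ip.items():
        times = sorted(t for t, _ in rows)
        best = j = 0
        for i, t in enumerate(times):        # sliding window [t-WINDOW+1, t]
            while times[j] <= t - WINDOW:
                j += 1
            best = max(best, i - j + 1)
        out[ip] = {
            "volume": len(times),
            "burstiness": best / len(times),
            "persistence": len({t // 1440 for t in times}),  # distinct days
            "breadth": len({s for _, s in rows}),             # distinct sensors
        }
    return out


def reputation(f):
    """Assumed scoring: bursty, wide-reaching, short-lived senders look like spam."""
    score = 0.4 * f["burstiness"]
    score += 0.3 * min(f["breadth"] / 5, 1.0)
    score += 0.3 * (1.0 if f["persistence"] <= 1 else 0.0)
    return "suspicious" if score >= 0.6 else "good"


def verdicts(events=EVENTS):
    """Verdict per sender IP for a batch of sensor events."""
    return {ip: reputation(f) for ip, f in features(events).items()}
```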
Telemetry Scope
• Volume
  • Web: 75 billion web reputation queries/month
  • Mail: 20 billion mail reputation queries/month
  • Malware: 2.5 billion malware reputation queries/month
  • Intrusions: 300 million IPS attacks/month, 100 million IP/port reputation queries/month
  Total: 100 billion queries
• Breadth & Depth
  • Web: 20 million endpoints + 70 thousand gateways
  • Malware: 40 million endpoints
  • Mail: 30 million nodes
  • Intrusions: 4 million nodes
  Total: 100 million nodes, 120 countries
What we know…
• Every known malware
• Every IP address/domain that has sent mail through a sensor
• Every URL/IP address visited by 90 million people
• Every IP address with malware detected
• Every message fingerprint and URL within it received by 50 million users
• Every domain registered
• Every BGP internet route publicized
• Every file hosted on the 30+ million most visited URLs
• Every suspicious executable file resident on 40 million machines
Visibility History (years of data shown beside the list): 20+ years, 6+ years, 5+ years, 4+ years, 3+ years, 2+ years, 2+ years, 1+ years
Attribute Correlation
IP Address
• Botnet/DDoS activity
• Mail/spam sending activity
• Web access activity
• Malware hosting activity
• Network probing activity
• Presence of malware
• DNS hosting activity
• Intrusion attacks launched
Malware
• IP addresses distributing
• URLs hosting malware
• Mail/spam including it
• Botnet affiliation
• IPS attacks caused
Domain/URL
• Mail/spam sending activity
• Web access/referer activity
• Malware hosting activity
• Hosted files
• Popups
• Affiliations
• DNS hosting activity
IPS Attacks/Vulnerabilities
• IP addresses of attackers
• Vulnerability utilized
• Botnet affiliation
• Malware responsible
Threat & Defense Forecast
5 Year Malware Forecast (Future): 2010 to 2015
[Timeline chart; rows: Influences, Motivations, Threats, Vectors. Labels in reading order:]
• Poly-patching trojans
• Spam all over the web (Poisoned content pervasive)
• Companies adopt Windows 7
• Powershell
• Behavioral AV mainstream
• Behavioral AV bypasses published
• Threats circumvent behavioral AV
• Greater attempts at whitelist poisoning
• Financial
• Government espionage
• Increase in file-less threats
• Greater use of evasion and misdirection; anti-anti defenses
• Wider use of whitelisting
• Mobile
• Powershell rejuvenates script malware
• Infrastructure
• SaaS growth
• Entertainment systems (TV, Game, etc)
• Embedded security
Malware History Lessons Learned
Game changing events occur infrequently
• Internet moves file sharing away from removable media
• New removable media devices bring the vector back
• Macro and script defences enough to change threat direction
• Major OS and application releases can greatly affect landscape
• Greater availability of personal information leads to more convincing social engineering attacks
• Social engineering attacks remain a constant throughout the landscape
Underlying themes
• Threats leverage widely adopted technology; technology gets defensive; threats react
• Partial defence often viewed as non-existent. Even when desktops are protected, gateways must block too.
• Threats linger. Even when conversion rates are very low, if it’s cheap to produce the threat, it may very well be around for years (namely exploits).
• When it seems like a vector is past its prime, it may very well come back in force (email worms).
• History repeats; old tactics come back in vogue. Users forget. (At the moment users are taken aback by receiving threats from their circle of friends.)
What may lie ahead
• However people make money in legit ways, attackers look to capitalize
• Interactive TV will lead to new attack surface
  • Ad injection
  • Ad redirection
• Reputation / Trust abuse
  • Popular sites
  • Social Networking sites
  • Establish trust with the intent of violating later
• Search engine manipulation
Important Links
• Threat Center: http://www.mcafee.com/us/threat_center/default.asp
• McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/
• McAfee Security Journal: http://www.mcafee.com/us/research/mcafee_security_journal/index.html
• AudioParasitics: http://podcasts.mcafee.com/audioparasitics/
• McAfee 2 Minute Warning: http://podcasts.mcafee.com/
• McAfee Security Advisories: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
Q&A