The Evolving Threat Landscape - nwacc.org

Page 1

October 7, 2010

The Evolving Threat Landscape

Craig Schmugar

Research Architect

McAfee Labs

Page 2

Confidential McAfee Internal Use Only

Agenda

I. Historical Threat Evolutionary Factors

II. Current State of Threats

III. Influential Advancements and Threats to Come

IV. Additional Q&A

Page 3

Brief Malware History

Page 4

Threat Landscape Defining Conditions

Motivations

Influential

Technologies

Attack Vectors

Threats

Page 5

5 Year Malware Forecast (Past): 1990 – 1995 – 2000 – 2005

[Timeline figure with four rows: Influences, Motivations, Threats, Vectors. Labels recovered from the figure, grouped by the row they describe, in left-to-right order:]

Threats: W16 viruses; File infectors (COM and EXE); Boot infectors; Multi-partite; Batch; Macro viruses; Boot & floppy threats decline; VBScript and W32 take over, W16 & DOS dry up; Email worms take over; VBScript viruses decline; Macro viruses decline; Joke PUPs emerge; PWS trojans emerge; IRC bots, first server-side poly; Threats become more componentized; Web app vulns lead to mass hacks; Adware explodes; Self-executing worms; Windows rootkits rise; Authors exploit engine / product lifecycle (obfuscation); Anti-analysis tactics common; BackDoors!

Vectors: Floppy disks; Local Area Networks; Email; Web; P2P; IM; Drive-by exploits; Network services; Microsoft Office

Influences: Windows 3.x; Windows 95; 100 million users on Internet; AV advanced macro heuristics; Office97 introduces tighter macro security; AV script heuristics better; More email servers & clients block VBScripts; Pay-per-install affiliate programs; PoC exploit code made public

Motivations: Peer fame; Revenge; Peer fame / notoriety; Personal challenge; Financial; Vuln researchers looking for peer fame

Page 6

5 Year Malware Forecast (to Present): 2005 – 2010

[Timeline figure with four rows: Influences, Motivations, Threats, Vectors. Labels recovered from the figure, grouped by the row they describe, in left-to-right order:]

Threats: Parasitics make a comeback; Server-side poly common; Single-use malware rampant; HTTP based bots; Web 2.0 malware; Adware declines; PWS trojans target games; Obfuscation huge threat; Anti-analysis tactics more complex; Rogue AV takes over from adware; P2P botnets; Low scale & personalized attacks; Infrastructure malware emerges; Autorun worms [modern floppy]; More single-use malware; More complex parasitics; More network hijacking; Patching trojans increase; Rogue ads

Vectors: Web 2.0; USB devices

Influences: Cloud AV emerges; Less-seasoned AntiSpyware vendors release offerings; "Web 2.0" explosion; FTC brings down adware kings; Advertisers don't want to be associated with adware; Virtual economy picks up; Vulnerability research for malware distribution; Vista flops, 64-bit slow uptake; Vuln research for money

Motivations: Financial; Government espionage

Page 7

Adware Fall Sets The Stage…

Page 8

Rise of the Rogues (AV /AS)


Page 9

Innovative Marketing Ukraine

Cribbed with respect from Brian Krebs at The Washington Post


Page 10

Innovative Marketing Ukraine

Cribbed with respect from Brian Krebs at The Washington Post


Duration of employment at IMU      Number of people
More than 7 years                  1
Between 6 and 7 years              2
Between 5 and 6 years              3
Between 4 and 5 years              5
Between 3 and 4 years              17
Between 2 and 3 years              31
Between 1 and 2 years              41
Between 6 months and 1 year        17
Between 3 and 6 months             3
Between 1 and 3 months             6

Page 11

Other Fake AV Affiliate Programs

Cribbed with respect from Brian Krebs at The Washington Post


Page 12

How much could they possibly make?

Cribbed with respect from Brian Krebs at The Washington Post


Page 13

Fake AV Development Active

[Chart: Unique Malicious Fake AV Binaries Discovered, quarterly from Q1-08 to Q3-10; y-axis 0 to 800,000. According to the DAT Readme figures, January 2010.]

Page 14

Blackhat SEO – Fake AV

10/8/2010 The Morphing Threat Landscape

Page 15

Blackhat SEO - Clickjacking


Page 16

Blackhat SEO – Q3 2010 Top Poisoned Terms


60% of top search terms for Q3 2010 led to malicious sites in the first 100 search results

Page 17

Blackhat SEO – Another Fake AV


Page 18

Koobface – Another Fake Video Lure, & Fake AV payload


Page 19

Koobface – Other Revenue Streams


• Password stealing

• Clickfraud

• Ad-hijacking

• Affiliate programs (Friendfinder, Fake AV)

• Captcha service

Page 20

Other Big Fish

Page 21

Zbot (aka Zeus)

• One of the most active password stealing kits
• Sells for a few thousand dollars
• Steals cached passwords
  • Windows
  • POP
  • FTP
• Steals cookies
• Uploads & Downloads/Executes files
• And more…

Page 22

Zbot (aka Zeus)


• Straight-forward UI for building threats

• Extensive documentation

Page 23

Zbot (aka Zeus) – HTTPS page manipulation


Page 24

Zbot (aka Zeus)


Page 25

Virtual Economies & "Softer" Targets

Page 26

Large-scale malware attacks can pay big bucks, but the risks are high

Early for-profit malware attacks blasted threats out to anyone and everyone

High-profile attacks light up radar screens

Fewer hops make it easier to track the threat source

Melissa (Mar-99): author caught after spamming the threat to Usenet, in combination with a large number of users getting infected

Sasser (Apr-04): author caught after millions of dollars of damages were reported

"Anna Kournikova" (Feb-01)

Gigabyte, Blaster.B, Fujacks, etc.

Previously, a lot of direct attacks: high payout and high risk

[Photos: Melissa author, Blaster.B author, Sasser author]

Page 27

Attackers shift tactics – Trade higher reward for lower risk

Target those less likely to result in prosecution

Big banks poised to respond

Soft targets vulnerable and may lead to higher conversion rates

Virtual economies booming

Gold farming

Began with Ultima Online

Blocked by eBay (other than Second Life)

Not long ago, the trade of virtual goods/currency for real-world currency was made illegal in China (thought of as the main source of in-game gold farming)

Page 28

Risk reduction through softer targets

Many virtual currencies exist

Trojan authors automate gold farming and target Massively Multiplayer Online Role Playing Games (MMORPG)

Currency                        Units per 1 USD (the slide's "Value (USD)" column; USD = 1)
City of Heroes influence        2,631,579
Dark Age of Camelot platinum    0.29
EverQuest 2 gold                5.88
EverQuest platinum              1,851.85
EVE Online ISK                  2,500,000
Final Fantasy XI gil            55,897.15
Guild Wars gold                 8,333.33
Lineage 2 adena                 357,142.86
Second Life Linden dollar       267.97
Star Wars Galaxies credit       227,272.73
Ultima Online gold              138,888.89
United States dollar            1
World of Warcraft EU gold       7.69
World of Warcraft US gold       10.2

Page 29

Low Scale & Targeted Attacks

Page 30

Risk reduction through low-scale attacks

Low-scale attacks commonplace; they fly under the radar and exploit law enforcement resource constraints

Web 2.0 facilitating more convincing personalized attacks

Significant change in threat dynamics with high prevalence of "targeted attacks" or personalized threats ("spear phishing", targeted SPAM, targeted malware, etc)

Page 31

What is Operation Aurora?

A well-coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper and many others

Exploits a zero-day vulnerability in Microsoft IE (CVE-2010-0249), "Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability"

Lures users to malicious websites via directed emails and IM messages, installs Trojan malware on systems, uses the Trojan to gain remote access

Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts

Mid-2009

Page 32

What is Stuxnet?

A highly complex worm targeting Siemens' SCADA software.

The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729).

Uses a rootkit to conceal its presence, as well as two stolen digital certificates.

Spreads through USB devices

Mid-2009

Page 33

The Big Picture

Page 34

Explosion of Malicious Binaries

[Chart: Unique Malicious Binaries Discovered (cumulative), monthly from Jan-08 to Sep-10; y-axis 0 to 50,000,000. According to the DAT Readme figures, January 2010.]

Page 35

Global Threat Intelligence

Page 36

Evolution of Threat Intelligence (1980s → Today)

Phase 1: Reactive
• Detection of known threats
• Signature-based technology
• Ex: AV, IPS, Spam Sigs

Phase 2: Proactive
• Detection of unknown threats
• Real-time, global & local behavioral analysis
• Reputation-based defenses
• Ex: TrustedSource, Artemis, SiteAdvisor

Phase 3: Predictive
• Prediction of new threats
• Global real-time cross-vector behavioral threat correlation
• Ex: Global Threat Intelligence

Page 37

What is Global Threat Intelligence?

Footprint that spans the entire Internet, including millions of sensors gathering threat information

Across all threat vectors: malware, web security, spam/phishing, network/IPS signatures, IP, vulnerability management

Delivered utilizing a real-time "in-the-cloud" model for threat collection and distribution

Provides reputation based predictive security

Distributed via a complete suite of endpoint and network security products

Must have a global threat research team dedicated solely to Global Threat Intelligence

Page 38

McAfee Labs Global Threat Intelligence

[Diagram: research groups feeding Global Threat Intelligence, with input from the Internet: Vulnerability Research; Regulatory Compliance Research; Host and Network Intrusion Research; Malware Research; Spam Research; Web Security Research]

• 90,000 samples/day
• Projected to increase by 300% from 2008 to 2009
• Rated over 21 million sites
• Cover 95% of the Internet
• Close to 10 million spam emails per day
• 50M enterprise nodes
• 100M consumer nodes

Page 39

McAfee Artemis Technology

1. User receives new file via email or web
2. No detection with existing DATs, but the file is "suspicious"
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape (Artemis Collective Threat Intelligence)
5. Artemis identifies threat and notifies client
6. VirusScan processes information and removes threat

Artemis is enabled on the endpoint without any additional client side install

Page 40

Artemis – Compresses "Protection Gap"

[Timeline figure. Traditional DAT cycle: Malware in the wild (t0) → Malware discovered (t1) → Protection is available → Protection is downloaded → Protection is deployed (t3, t4). With Artemis: Protection delivered in real-time (t1 → t2).]

Page 41

Artemis – Compressing Protection Gap – Case Study

Filename       Malware                 Type     Submitted by customer without Artemis   Detected by Artemis   Artemis Advantage
xxx.scr        spy-agent.bv.dnldr      Trojan   10/13/08 06:26                          10/12/08 06:00        24 hours 26 minutes
video.exe      Generic downloader.ab   Trojan   10/6/08 13:08                           10/6/08 11:53         1 hour 15 minutes
ecard.exe      generic.dx              Trojan   9/26/08 13:08                           9/26/08 07:44         5 hours 24 minutes
ecard.exe      new malware.j           Trojan   9/26/08 08:21                           9/26/08 07:44         37 minutes
postcard.exe   generic pup.x           Trojan   9/25/08 11:21                           9/24/08 10:43         23 hours 37 minutes
xxx.exe        spy-agent.bw            Trojan   9/22/08 08:16                           9/20/08 22:00         34 hours 16 minutes
e-card.exe     fakealert-ab.dr         Trojan   9/18/08 08:43                           9/17/08 13:38         19 hours 5 minutes

• Customer submitted 7 malware samples in a 30-day period
• Artemis would have protected them from all those threats
• Artemis protection was available on average 14 hours before the customer sent the sample to McAfee

Page 42

Artemis – Analytics and telemetry

1. New suspicious fingerprint noted
2. Automation evaluates prevalence of fingerprint
3. Fingerprint marked as malicious
4. Subsequent customers protected before malware is widespread. Protection provided in minutes
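The six-step endpoint flow on Page 39 and the prevalence automation above, as an added Python example. This is not McAfee's or Artemis's code: the hash function (SHA-256), the local "suspicious" heuristic, the prevalence/age/burst thresholds and the telemetry are all assumptions chosen to illustrate why a hash-only lookup can block a single-use sample on the first endpoint that sees it.

```python
"""File-reputation lookup modelled on the Artemis flow (Pages 39 and 42).

Added example, not McAfee code. SHA-256, the heuristic, the thresholds and the
sample telemetry below are assumptions for illustration.
"""
import hashlib
from collections import defaultdict

HOUR, DAY = 3600, 86400


def fingerprint(data: bytes) -> str:
    """Step 3 of the slide: only a hash of the file leaves the endpoint, never the file."""
    return hashlib.sha256(data).hexdigest()


def looks_suspicious(data: bytes) -> bool:
    """Stand-in for the local 'no DAT hit, but suspicious' heuristic (assumption):
    a PE image carrying a UPX packer marker."""
    return data.startswith(b"MZ") and b"UPX!" in data


class ReputationCloud:
    """Server side (Page 42): record sightings, evaluate prevalence, mark fingerprints."""

    def __init__(self, rare_nodes: int = 10, new_age: int = DAY, burst_ratio: float = 0.8):
        self.bad: set[str] = set()          # fingerprints already marked malicious
        self.good: set[str] = set()         # vendor-whitelisted fingerprints
        self.sightings = defaultdict(list)  # fp -> [(node_id, unix_ts), ...]
        self.rare_nodes, self.new_age, self.burst_ratio = rare_nodes, new_age, burst_ratio

    def report(self, fp: str, node: str, ts: int) -> None:
        self.sightings[fp].append((node, ts))

    def stats(self, fp: str, now: int) -> dict:
        seen = self.sightings.get(fp, [])
        recent = sum(1 for _, ts in seen if now - ts <= HOUR)
        return {
            "prevalence": len({node for node, _ in seen}),            # distinct endpoints
            "age": now - min((ts for _, ts in seen), default=now),    # seconds since first sighting
            "burstiness": recent / len(seen) if seen else 0.0,        # share of sightings in the last hour
        }

    def verdict(self, fp: str, suspicious: bool, now: int) -> str:
        if fp in self.bad:
            return "malicious"
        if fp in self.good:
            return "clean"
        if not suspicious:
            return "unknown"
        st = self.stats(fp, now)
        # Rule 1 (the single-use malware case): a heuristically suspicious file that is
        # brand new and that almost nobody else has is far more likely to be a freshly
        # server-side-polymorphed build than a legitimate program.
        rare_and_new = st["prevalence"] < self.rare_nodes and st["age"] < self.new_age
        # Rule 2 (seeding): many endpoints receiving the same suspicious file within an
        # hour is the burstiness signal from the TrustedSource slide.
        seeding = st["prevalence"] >= self.rare_nodes and st["burstiness"] >= self.burst_ratio
        if rare_and_new or seeding:
            self.bad.add(fp)  # marked malicious: every later lookup is answered from the set
            return "malicious"
        return "suspicious"   # prevalent, old, odd-looking: allow and queue for analysis


def scan(data: bytes, cloud: ReputationCloud, node: str, now: int, local_dat: set) -> str:
    """Endpoint side (Page 39, steps 1-6)."""
    fp = fingerprint(data)
    if fp in local_dat:                      # step 2: known threat, no cloud round-trip
        return "blocked:dat"
    if not looks_suspicious(data):           # only suspicious files trigger a lookup
        return "allowed"
    cloud.report(fp, node, now)              # step 3: the fingerprint itself is the telemetry
    verdict = cloud.verdict(fp, True, now)   # steps 4-5
    return "blocked:artemis" if verdict == "malicious" else "allowed"  # step 6


def demo() -> dict:
    """Constructed telemetry: one DAT-known sample, one long-lived packed admin tool,
    one fresh single-use sample that two endpoints receive minutes apart."""
    now = 1_286_500_000  # an arbitrary instant in October 2010
    known_bad = b"MZ\x90\x00 constructed sample covered by the DAT"
    packed_tool = b"MZ\x90\x00 UPX! constructed packed admin tool"
    single_use = b"MZ\x90\x00 UPX! constructed polymorphic build #4711"
    cloud = ReputationCloud()
    for i in range(500):  # the admin tool has sat on 500 endpoints for a month
        cloud.report(fingerprint(packed_tool), f"host-{i}", now - 30 * DAY + i * HOUR)
    local_dat = {fingerprint(known_bad)}
    return {
        "dat_hit": scan(known_bad, cloud, "host-a", now, local_dat),
        "old_tool": scan(packed_tool, cloud, "host-a", now, local_dat),
        "single_use_first": scan(single_use, cloud, "host-a", now, local_dat),
        "single_use_second": scan(single_use, cloud, "host-b", now + 5 * 60, local_dat),
        "tool_stats": cloud.stats(fingerprint(packed_tool), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `rare_and_new` rule is what compresses the protection gap for server-side polymorphic, single-use samples, and it is also the rule most likely to block a freshly built in-house tool; a production service would weigh further inputs (code signer, download-source reputation, the attributes listed under Attribute Correlation later in the deck) before marking a fingerprint, and would age entries out. Because only the hash leaves the endpoint, the lookup is cheap enough to run on every suspicious file.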

Page 43

Zbot Seeding


Page 44

World's first multi-identity reputation system

TrustedSource Technology: Most Complete Sensor Network, deployed in 100+ countries

[Map figure: IntelliCenter locations at Atlanta, San Jose, Chicago, London, Frankfurt, Hong Kong]

IntelliCenter: Mail, Web, Intrusions, Malware

Largest network of corporate & consumer sensors
• Highest quality data
• Most sophisticated behavioral analysis
• Terabytes processed daily
• Real-time analytics
• 5+ yrs of transactional data
• Hundreds of servers
• 7 data centers
• Multi-layered redundancy

Behavioral Correlation inputs: Burstiness, Volume, Persistence, Breadth, Social Networks

[Scatter plots, both axes 0.0 to 1.0; tick values omitted]

Page 45

Telemetry Scope

• Volume
  • Web: 75 billion web reputation queries/month
  • Mail: 20 billion mail reputation queries/month
  • Malware: 2.5 billion malware reputation queries/month
  • Intrusions: 300 million IPS attacks/month, 100 million IP/port reputation queries/month
  Total: 100 billion queries

• Breadth & Depth
  • Web: 20 million endpoints + 70 thousand gateways
  • Malware: 40 million endpoints
  • Mail: 30 million nodes
  • Intrusions: 4 million nodes
  Total: 100 million nodes, 120 countries

Page 46

What we know…

• Every known malware
• Every IP address/domain that has sent mail through sensor
• Every URL/IP address visited by 90 million people
• Every IP address with malware detected
• Every message fingerprint and URL within it received by 50 million users
• Every domain registered
• Every BGP internet route publicized
• Every file hosted on 30+ million most visited URLs
• Every suspicious executable file resident on 40 million machines

Visibility History column: 20+ years, 6+ years, 5+ years, 4+ years, 3+ years, 2+ years, 2+ years, 1+ years

Page 47

Attribute Correlation

IP Address

• Botnet/DDoS activity

• Mail/spam sending activity

• Web access activity

• Malware hosting activity

• Network probing activity

• Presence of malware

• DNS hosting activity

• Intrusion attacks launched

Malware

• IP addresses distributing

• URLs hosting malware

• Mail/spam including it

• Botnet affiliation

• IPS attacks caused

Domain/URL

• Mail/spam sending activity

• Web access/referer activity

• Malware hosting activity

• Hosted files

• Popups

• Affiliations

• DNS hosting activity

IPS Attacks/Vulnerabilities

• IP addresses of attackers

• Vulnerability utilized

• Botnet affiliation

• Malware responsible


Page 48

Threat & Defense Forecast

Page 49

5 Year Malware Forecast (Future): 2010 – 2015

[Timeline figure with four rows: Influences, Motivations, Threats, Vectors. Labels recovered from the figure, grouped by the row they describe, in left-to-right order:]

Threats: Poly-patching trojans; Threats circumvent behavioral AV; Greater attempts at whitelist poisoning; Increase in file-less threats; Greater use of evasion and misdirection, anti-anti defenses; Powershell rejuvenates script malware

Vectors: Spam all over the web (poisoned content pervasive); Mobile; Infrastructure; Entertainment systems (TV, game, etc)

Influences: Companies adopt Windows 7; Powershell; Behavioral AV mainstream; Behavioral AV bypasses published; Wider use of whitelisting; SaaS growth; Embedded security

Motivations: Financial; Government espionage

Page 50

Malware History Lessons Learned

Game changing events occur infrequently

Internet moves file sharing away from removable media

New removable media devices bring the vector back

Macro and script defences enough to change threat direction

Major OS and application releases can greatly affect the landscape

Greater availability of personal information leads to more convincing social engineering attacks

Social engineering attacks remain a constant throughout the landscape

Underlying themes

Threats leverage widely adopted technology; technology gets defensive; threats react

Partial defence is often viewed as non-existent. Even when desktops are protected, gateways must block too.

Threats linger. Even when conversion rates are very low, if it's cheap to produce the threat, it may very well be around for years (namely exploits).

When it seems like a vector is past its prime, it may very well come back in force (email worms).

History repeats; old tactics come back in vogue. Users forget. (At the moment users are taken aback by receiving threats from their circle of friends.)

Page 51

What may lie ahead

However people make money in legitimate ways, attackers look to capitalize

Interactive TV will lead to new attack surface

Ad injection

Ad redirection

Reputation / trust abuse

Popular sites

Social networking sites

Establish trust with the intent of violating it later

Search engine manipulation

Page 52

Important Links

• Threat Center: http://www.mcafee.com/us/threat_center/default.asp

• McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/

• McAfee Security Journal: http://www.mcafee.com/us/research/mcafee_security_journal/index.html

• AudioParasitics: http://podcasts.mcafee.com/audioparasitics/

• McAfee 2 Minute Warning: http://podcasts.mcafee.com/

• McAfee Security Advisories: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

Page 53

Q&A