Threat Report H2 2012: Protecting the irreplaceable



F-Secure Labs

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively.

Protection around the clock

Response Labs work is assisted by a host of automatic systems that track worldwide threat occurrences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of viruses and malware to profit from these attacks are constantly at work on new threats. This situation demands around-the-clock vigilance on our part to ensure that our customers are protected.

Foreword

Today, the most common way of getting hit by malware is by browsing the Web. It hasn't always been this way. Years ago, floppy disks were the main malware vector. Then sharing of executable files. Then e-mail attachments. But for the past five years, the Web has been the main source of malware.

The Web is the problem largely because of exploit kits. Kits such as BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate the process of infecting computers via exploits.

There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as long as we have had programmable computers, and they are not going to disappear.

Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opening a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it.

However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer. Yet even the most serious vulnerabilities are worthless for the attacker if they get patched. Therefore, the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term Zero Day Vulnerability comes from: users are vulnerable even if they have applied all possible patches.

One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up to date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them.

We're in a constant race against the attackers. And this race isn't going to be over any time soon.

Mikko Hyppönen
Chief Research Officer

Executive Summary

Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, the United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess's affiliate program, as well as its two main profit-generating activities: click fraud and Bitcoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the two Java-specific CVE vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, accounts for one third of the samples identified during this period. Exploit kits play a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader or the Windows TrueType font handling, each tracked under its own CVE, made notable impacts in H2 2012, as detailed further in this report.

With regards to banking trojans, a botnet known as Zeus, which is also the name of the malware used to infect users' machines, is the main story for 2012. Analysis of the geography of Zeus's infection distribution highlights the United States, Italy and Germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet's command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious actions this malware can perform.

In terms of online security, we look at the more ambiguous side of the ever-growing popularity of website hosting, and how its increasingly affordable and user-friendly nature also makes it well suited to supporting malware hosting and malvertising. We also take a look at multi-platform attacks, in which a coordinated attack campaign is launched against multiple platforms (both desktop and mobile), often with multiple malware.

And finally, on the mobile scene, the Android and Symbian platforms continue to be the main focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants identified in 2012.

Contents

This Threat Report highlights trends and new developments seen in the malware threat landscape by analysts in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy, highly prevalent threats from this period.

Contributing authors: Broderick Aquilino, Karmina Aquino, Christine Bejerasco, Edilberto Cajucom, Su Gim Goh, Alia Hilyati, Timo Hirvonen, Mikko Hyppönen, Sarah Jamaludin, Jarno Niemelä, Mikko Suominen, Chin Yick Low, Sean Sullivan, Marko Thure, Juha Ylipekkala

Foreword 3
Executive Summary 4
Contents 5
Incidents Calendar 6
In Review 7
Of Note 10
  The Password 11
  Corporate Espionage 12
Case Studies 14
  Bots 15
  ZeroAccess 17
  Zeus 21
  Exploits 25
  Web 28
  Multi-Platform Attacks 32
  Mobile 35
Sources 38

Incidents Calendar: H2 2012 (July to December)*

The original chart places each entry in a month column (Jul, Aug, Sept, Oct, Nov, Dec) and colours it by theme (online, in the news, PC threats, mobile threats, hacktivism & espionage); only the entries themselves are recoverable here.

- FBI support for DNSChanger ended
- Multi-platform Intel/OS X backdoor found
- Commercial multi-platform surveillance tools found
- Iran-targeted malware reported
- Indian government accounts hacked
- Out-of-band Patch Friday
- Imuler.B backdoor found on OS X
- Malware signed with Adobe certificate
- Samsung TouchWiz exploit reported
- Syrian Internet and mobile connections cut off
- Berlin police warned of Android banking trojans
- Cool Exploit kit rivalling Blackhole
- New Mac Revir threat found
- New Linux rootkit found
- Gauss threat targeted the London Olympics
- Blackhole updated faster than flaws patched
- Java update closed 3 vulnerabilities
- Huawei controversy in US Congress
- ITU Telecom World 12 raised Internet/government concerns
- Dexter malware hit point of sale (POS) systems
- Australian hospital's records ransomed
- Mac threat found on Dalai Lama-related website
- Matt Honan hack highlighted flaws in account systems
- One rogue ad hits Finnish web traffic
- Eurograbber attack on European banks reported
- Samsung Exynos exploit reported

*Sources: See page 38.

In Review

Changes in the threat landscape

Unlike the first half of 2012, the second half of the year saw no major malware outbreaks on any platform. Instead, a handful of incidents took place during this time period, most of which were notable as indications of how inventive the attackers have been in finding ways to compromise a user's machine, data or money. These incidents included the hack into the Gmail and Apple accounts of Wired's Matt Honan, which exposed loopholes in those account systems; the Adobe-certified malware episode, in which attackers went to the extent of stealing Adobe's digital certificate in order to sign malware used in targeted attacks; and the Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal money from various corporations and banks in Europe.

An interesting development in 2012 has been the increasing public awareness of cyber-security and the various implications of being vulnerable to attack over a borderless Internet. News reports of alleged online or malware-based attacks against Iranian facilities drew attention to state-sponsored cyber-attacks. A conference gathering the various telecommunications entities to discuss basic infrastructure issues raised concerns about Internet governance, and the role of governments in it. The past year also saw US politicians, not generally considered the most tech-savvy of users, raise concerns over the perceived reliance of sensitive government systems on IT solutions provided by foreign corporations seen as potentially unreliable. Though it is probably a positive development that more people are becoming exposed to topics that have long been considered irrelevant or academic, only time will tell what will result from the increased awareness.
Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace, that is, the growth of botnets, the standardization of vulnerability exploitation and the increasing establishment of exploit kits.

When it comes to botnets, the news has been mixed at best. The last few years have seen concerted efforts by players from different fields (telecommunications, information security and even government organizations) to take down or at least hamper the activities of various botnets, which have compromised millions of users' computers and been used to perform such activities as monetary fraud and online hacking. These combined efforts resulted in totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and DNSChanger. Unfortunately, despite these commendable efforts, the botnets have been regularly resurrecting, often with new strategies or mechanisms for garnering profit. In addition, the operators running these botnets have been aggressively marketing their products to other hackers and malware distributors. Their efforts include offering affiliate programs with attractive pay-per-installation rates and rent-a-botnet schemes that allow attackers to use the combined power of the infected hosts to perform attacks or other nefarious activities. These sophisticated business tactics have garnered significant returns. In some cases, such as ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

Another change we saw last year was the increasing use of vulnerability exploitation, often in tandem with established social engineering tactics. Unlike previous years, when most of the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-related detections accounted for approximately 28% of all detections F-Secure's cloud lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year.

Top 10 detections in H2 2012, and top countries*

Detection                 Share of top 10      Top countries
ZeroAccess                27%                  FR, US, SE, DK, others
Majava                    26%                  US, FR, FI, SE, others
Downadup                  11%                  BR, FR, MY, IT, others
BlackHole                 9%                   FR, FI, SE, NL, others
CVE (id not preserved)    (not preserved)      US, SE, FR, DE, others
CVE (id not preserved)    (not preserved)      FR, SE, NL, FI, others
CVE (id not preserved)    (not preserved)      FR, SE, FI, NL, others
CVE (id not preserved)    (not preserved)      FI, US, FR, SE, others
PDF Exploits              3%                   FI, FR, SE, DE, others
Sinowal                   3%                   NL, SE, FI, others

*Based on statistics from F-Secure's cloud lookup systems from July to December 2012.

If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, the two detections which specifically identify samples exploiting the two Java-specific CVE vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the two Java-specific CVE vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems. The sheer volume of Java-related detections indicates both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors.

Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities: two Windows-related CVE vulnerabilities and the two previously mentioned Java CVE vulnerabilities. All of these vulnerabilities, incidentally, have already had security patches released by their relevant vendors.

This skewed preference in attack targeting can be directly attributed to the popular usage of exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these vulnerabilities, in some cases faster than the vendors were able to patch them. It's perhaps not too surprising then that BlackHole-related detections account for 9% of all samples detected by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits case study on page 25.

And as a closing note, a quick look at our detection statistics for Mac indicates that even though Windows machines continue to be the main target for attacks, the Mac platform is increasingly coming in for a share of unwanted attention. Apart from the major Flashback outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform, as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.

Figure: Mac malware by type, Jan to Dec 2012 (total = 121 variants*): Backdoor 85%, Trojan 7%, Rogue 4%, Others 4%.

*The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted once.

Of Note

The Password 11
Corporate Espionage 12

The Password: dead man walking

Computer passwords are something like fifty years old. And until a little over twenty years ago, they were very often a shared resource where multiple people used the same password (or set of passwords) for access to computer systems. The use of individual passwords was actually something of an innovation at the time. Then came the World Wide Web, and with it, the ever-growing need for more and more account passwords. As time has passed and our online lives have grown, it is now not at all uncommon for people to have dozens of passwords to keep track of. And what's worse is that all of those passwords should be strong passwords and people shouldn't reuse them between accounts. It's too much!

The second half of 2012 provided more than enough evidence to demonstrate the problem of passwords. Hacks, breaches, database dumps: these are terms that average individuals (not just techies) are now familiar with. With today's processing power, passwords that are strong enough to withstand brute force attacks are too difficult for the human brain to remember. Even if the passwords are strong, our systems of authenticating account resets are flawed. A strong password is useless if social engineering tactics can be used to reset those passwords.

Determine which accounts are your critical points of failure, and make sure they are all well defended. Two-factor authentication is good, but even that is not a bulletproof solution. It is important to use every option available. For example, Google's Gmail allows users to create their own security question for password resets. There is absolutely no reason why this question needs to be based on reality. It can just as easily be another password, one which is written down and stored safely at home, where only you have access to it. And if you are a parent of teenage children, you really should have the talk with them about their use of passwords. The habits they form now will have a big impact on their future online lives.

Hopefully, one day soon, a true successor will rise to take the password's place and we will all be able to let the password die a dignified death. Unfortunately, we are more likely to experience fits and starts towards a new solution. Prepare yourself now; 2013 isn't going to be kind to those who are unprepared.

The password is dead and we all know it. But unfortunately, its successor has yet to turn up. So what's to be done in the meantime? Triage.

- Use a password manager such as KeePass or Password Safe
- Kill old accounts that you no longer use
- Untangle cross-linked accounts
- Consider using a secret e-mail address for account maintenance
- Be careful about what you share on social media. If you share, don't rely on personal information for your account password resets
- Use two-factor authentication options if available

Recommended reading

Hacked: passwords have failed and it's time for something new [1]. Matt Honan discusses the account hack that disrupted his digital life and its implications for online security.

Google declares war on the password [2]. Find out more about Google's experiment with device-based account authentication.

Sources
[1] Wired; Matt Honan; Hacked: passwords have failed and it's time for something new; published 17 Jan 2013
[2] Wired; Robert McMillan; Google declares war on the password; published 18 Jan 2013

Corporate Espionage

In Q4 2012, we watched the nature of corporate espionage attacks change. Before, almost all recorded corporate espionage cases were based on using specially crafted documents containing exploits and a malware payload. Now, spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called watering hole attacks.

Watering hole attacks are called such because instead of compromising a random website and infecting anyone who happens to visit the site, the attackers are more discriminating in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site which is commonly used by employees of the actual target organization. When these employees visit the compromised site, their browser or computer is then attacked, typically by exploiting a vulnerability that allows trojans or backdoors to be installed on the machine. From that point on, the installed malware becomes the gateway for attackers to reach their real target: the internal network and/or communications of the compromised employee's company.

Rise of the watering hole attack

Numerous examples of corporate espionage attacks have been reported in the F-Secure Weblog over the years, many of them involving poisoned file attachments sent directly to the targeted organizations. These attacks contrast sharply with the most recent case of a watering hole attack, the 21st December 2012 compromise of the Council on Foreign Relations (CFR) website [1]. In this attack, the website was injected with a previously unknown exploit that affected versions 6, 7 and 8 of the Internet Explorer (IE) web browser.

Compromising the website itself was not the attacker's final objective; it was merely used as a conduit to infect the website's visitors, which naturally include members of the CFR itself. And considering that the CFR counts among its members both current and former US political elite and the founders of multinational companies, the list of potential targets is very interesting.

The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially interesting targets may be at risk of unwittingly serving as an attack conduit; and second, such organizations must now find a way to mitigate that risk, in order to protect themselves and their clients.

Figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack.

Figure: How a watering hole attack works. The attacker compromises a website used by the targeted organization and plants an exploit kit on it; an employee's visit to the site leads to a compromised computer, through which the attacker gains access.

For companies with online resources that may be vulnerable to watering hole attacks, it is very important to invest in web and server security. Performing regular audits to verify that your web server is serving only what it should is also highly recommended.

Defending against watering hole attacks does not require anything new that should not already be in place to protect against more mundane web attacks, which target zero day vulnerabilities and thereby circumvent detection-based security coverage. A corporate security suite with behavior-based detection should of course be a part of the protection solution, as it can still provide a measure of protection by actively looking for and red-flagging suspicious behavior, rather than relying statically on known features to identify a malicious file. But when we consider dealing with advanced and persistent attackers, one layer of protection is not enough. At a minimum, corporate users should use Microsoft's free Exploit Mitigation Toolkit (EMET) to harden their systems' memory handling for client applications such as web browsers, web browser plugins and document readers.

A second, very effective method of ruining the spy's day is to use DNS whitelisting in the company's DNS server so that only specific, approved public sites can be accessed from the user's machine. This precaution directly interferes with the spy's ability to communicate with the installed trojan(s), as well as helping to prevent information stolen from the machine being sent out to the attacker's command and control (C&C) server. Done right, this method also has the advantage of not interfering with the way most users work or browse the Internet.

At F-Secure, we maintain a list of known attack domains potentially associated with corporate espionage. Cross-referencing this list against Alexa.com's list of the 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa's top domains. So if your organization is in possession of information that might be interesting to other companies, we recommend a custom DNS whitelisting solution that is relaxed enough to allow your users to work, but still strict enough to block unknown domains. And while attackers can use C&C channels that are trickier to block, such as Twitter or Facebook, this simple precaution does make it more difficult for attackers to operate.

Source
[1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012
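An added example (not F-Secure's code) of the two checks this section recommends: a DNS allowlist that approves only listed domains and their subdomains, audited against a resolver query log before enforcement, and the cross-reference of a suspect-domain list against a top-domains list that produced the 99.6% figure above. The approved domains, the log lines and both domain lists are constructed placeholders, and the "client qname" log format is assumed.

```python
"""DNS allowlist audit and top-domain cross-reference (added example, not F-Secure's code).

Assumptions (all constructed for this example): the corporate resolver logs
one query per line as "<client-ip> <queried-name>", and the approved list
and the two domain lists below are hand-maintained placeholders.
"""
from typing import Iterable, List, Tuple


def normalize(domain: str) -> str:
    """Canonical form: trimmed, lower-case, no trailing root dot."""
    return domain.strip().rstrip(".").lower()


def parent_chain(domain: str) -> List[str]:
    """The name and each of its ancestors: 'a.b.example.com' ->
    ['a.b.example.com', 'b.example.com', 'example.com', 'com'].
    Matching on whole labels is what stops 'evil-example.com' from
    passing as a subdomain of 'example.com'."""
    labels = normalize(domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class DnsAllowlist:
    """Resolver policy: answer only approved domains and their subdomains."""

    def __init__(self, approved: Iterable[str]) -> None:
        self.approved = {normalize(d) for d in approved}

    def is_allowed(self, qname: str) -> bool:
        return any(name in self.approved for name in parent_chain(qname))


def audit_query_log(allowlist: DnsAllowlist,
                    log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs the allowlist would have refused.
    Run over historical logs before enforcing, to size the impact on users."""
    refused = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank or comment line
        client, qname = parts[0], parts[1]
        if not allowlist.is_allowed(qname):
            refused.append((client, normalize(qname)))
    return refused


def fraction_outside_top_list(suspect_domains: List[str],
                              top_domains: Iterable[str]) -> float:
    """Share of suspect (potential C&C) domains that are neither in a
    top-domains list nor a subdomain of an entry in it."""
    top = {normalize(d) for d in top_domains}
    if not suspect_domains:
        return 0.0
    outside = sum(
        1 for d in suspect_domains
        if not any(name in top for name in parent_chain(d))
    )
    return outside / len(suspect_domains)


# Constructed sample data (placeholders, not real indicators).
APPROVED_DOMAINS = ["example.com", "cdn.example.net", "updates.example.org"]

QUERY_LOG = """\
# client        qname
10.0.0.12       www.example.com.
10.0.0.12       EXAMPLE.COM
10.0.0.17       evil-example.com
10.0.0.17       static.cdn.example.net
10.0.0.23       example.net
10.0.0.23       c2.unknown-host.test
"""

TOP_DOMAINS = ["example.com", "example.net", "example.org", "popular.test"]
SUSPECT_DOMAINS = ["c2.unknown-host.test", "beacon.example.net",
                   "drop.invalid", "update.evil.test", "cdn.example.org"]


if __name__ == "__main__":
    policy = DnsAllowlist(APPROVED_DOMAINS)
    for client, name in audit_query_log(policy, QUERY_LOG.splitlines()):
        print(f"would block {client} -> {name}")
    share = fraction_outside_top_list(SUSPECT_DOMAINS, TOP_DOMAINS)
    print(f"{share:.1%} of suspect domains fall outside the top list")
```

The audit step is the part that keeps the policy "relaxed enough to let users work": every refused pair in the historical log is either a domain to add to the list or a query worth a closer look.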

Case Studies

Bots 15
ZeroAccess 17
Zeus 21
Exploits 25
Web 28
Multi-Platform Attacks 32
Mobile 35

Bots: The world of bots in 2012

In the last few years, various parties have made concerted efforts to take down or hamstring the operation of botnets, which were costing millions of users control of their machines, their data and/or their money. In 2012, however, we saw the resurrection of many of these botnets, often in a more aggressive form and with new malicious products, updated packaging or marketing and distribution strategies, and more efficient money-making mechanisms.

ZeroAccess

Of all the botnets we saw this year, definitely the fastest growing one was ZeroAccess, which racked up millions of infections globally in 2012, with up to 140,000 unique IPs in the US and Europe, as seen on the infection map at right [27].

Figure 1: Google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address or cluster of IP addresses.

The actual malware that turns a user's computer into a bot is typically served by malicious sites which the user is tricked into visiting. The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user's machine while they're visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot. The bot then retrieves a new list of advertisements from ZeroAccess's command and control (C&C) server every day. The ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. Click fraud has been on the rise as the online advertisement vendors realistically have no way to differentiate between a legitimate click and a fraudulent one.

Another revenue source for ZeroAccess is its ability to mine for Bitcoin, a virtual currency that is managed in a peer-to-peer (P2P) infrastructure. Bitcoin miners harness the computational power of the bots to perform complex calculations to find a missing block to verify Bitcoin transactions; this is rewarded with more Bitcoin currency, as agreed within the same peer-to-peer network, and these can be converted to cash. More than half of the botnet is dedicated to mining Bitcoin for profit. Further details of ZeroAccess's profit-generating activities can be found in the case study on page 17.

Zeus

Moving on, Zeus (and its rival-cum-partner, SpyEye) are perhaps still the most talked about banking trojans in 2012. Zeus has been referred to as the God of Do-it-Yourself botnets. Despite various takedown efforts, as of the end of December 2012, the ZeuS Tracker project has seen almost 900 ZeuS C&C servers around the world. This number may not be truly reflective of the botnet's size, as the latest version of Zeus includes a peer-to-peer protocol that maintains communication within the botnet itself, allowing a bot to fetch configuration files and updates from other infected hosts in the botnet. This feature was dubbed Gameover and removes the need for a centralized C&C infrastructure, making it harder for security researchers to track the botnet.

Apart from the introduction of the Gameover feature, the main change with Zeus has been tweaks done to make the malware more user-friendly, in effect making it an attractive resource even for wannabe attackers with low technical capabilities. With its fancy control and administration panel, well documented manual and a builder, Zeus allows both amateur and expert attackers to craft, design and build executables to infect victim computers in a very short amount of time.

Citadel, the third derivative of Zeus, sets itself apart by enabling a more rapid deployment of new features and customization through an enhanced user interface, again with the aim of helping novice hackers get in the game of deploying their crimeware. This dynamic config functionality allows botmasters to create web injections on the fly, a vital ability in today's online crime landscape as bots are also taken down

quickly. The most important feature for Citadel, however, is the availability of a Customer Relationship Management system through the use of a social network platform to support reporting and fixing bugs. This kit is definitely professional grade, and we expect to see a continuous rise in infections by Citadel in the near future.

Carberp

Following the success of Zeus and SpyEye, Carberp is most notable for making a comeback with a tweaked product and marketing approach. First appearing in 2011 as a regular data-stealing banking malware, Carberp's spread was temporarily hampered by a takedown effort from Russian agencies in early 2012. Unfortunately, in December this botnet was discovered to have resurrected with a new ability to infect a computer's boot record, a component that launches even before the main operating system (OS) starts, making any malware in the boot record harder to detect and remove.

Carberp's authors or operators also changed the way the malware was distributed in order to attract more usage from other malware distributors. Carberp was previously only available as a standalone malware through private underground marketplaces. Since its resurrection, Carberp has pursued a new malware-as-a-service model that allows users to lease use of the botnet itself for prices ranging from USD 2,000 to up to USD 10,000 a month. In addition, the buyer is offered a choice of botnet configurations. The priciest format includes the bootkit functionality, which has boosted its market price to about USD 40,000. Though the prices may seem steep, this rental scheme appears to be particularly attractive to less tech-savvy users who simply want a means to an end, that is, to install more trojans on more victim machines.

Carberp has also spread to the mobile platform in the form of man-in-the-mobile attacks. For a Carberp-in-the-mobile (CitMo) attack to work, the user must have both a mobile app and a computer infected with the desktop version of the Carberp malware. Once the mobile app is installed, it is able to intercept SMS messages containing mTANs (mobile Transaction Authorization Numbers), which are sent by banks as an authentication measure used to validate online transactions performed by the user. The intercepted mTAN is then forwarded to a remote server, from which it is later retrieved and used by the Carberp trojan installed on the same user's computer in order to gain access to the user's banking account.

The Carberp-infected mobile app is distributed on the Android platform, with most of the targeted users being customers of European and Russian banks. As online banking continues to rise in many countries, making such online transactions attractive targets to cybercriminals, banking-related botnets such as Carberp are expected to continue growing in 2013.

DorkBot

Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user accounts and passwords from Facebook, Twitter, Netflix and various Instant Messaging (IM) channels. From an infected social networking account, DorkBot sent out images to the user's contacts asking the contacts if the attached image was their profile pic. Falling for this clichéd social engineering tactic resulted in an executable installing a backdoor and the DorkBot worm on the user's machine, which was then enrolled in a botnet.

Unlike the previously mentioned botnets, DorkBot makes its profit through ransom, literally, by locking down the victim's computer, allegedly for the presence of illegal content such as pornography or pirated music. It then demands a fine of $200 to be paid within 48 hours, failing which the victims would be reported to a government enforcement agency for further prosecution. DorkBot is also capable of making more money out of its infected hosts by using their combined power to perpetrate click fraud, which incidentally creates an attractive revenue source for the authors.
Mobile botnets And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers - that is, generate spam. The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The sender has no idea of this activity, as the sent SMS messages are deleted immediately once sent, making the sky high phone bills that result an unpleasant surprise. These spam messages may also contain social engineering content, including links that lead to other malware, therefore compounding the malicious effect of these spambots. SOURCE [1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012; Bots 16
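Both Android threats described above leave static traces in an app's manifest: a CitMo-style mTAN stealer has to receive incoming SMS ahead of the stock messaging app and needs a network channel to forward the code, while a SpamSoldier-style spambot needs to send SMS and fetch its targets from the network. The following Python script, an added example that is not F-Secure's code and not derived from either sample, applies those permission and broadcast-receiver heuristics to manifest XML. The three manifests embedded in it are constructed for the example, and the priority threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# A receiver registered for SMS_RECEIVED with a priority this high runs before the
# stock messaging app; before Android 4.4 it could abortBroadcast() and hide the
# SMS from the user, which is how mTAN-stealing apps kept the victim unaware.
# The threshold itself is an assumption for this example.
HIGH_PRIORITY = 1000


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sms_indicators(manifest_xml):
    """Collect SMS-related capabilities declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    max_priority = None
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(_attr(intent_filter, "priority") or 0)
                if max_priority is None or prio > max_priority:
                    max_priority = prio
    return {
        "reads_sms": bool(perms & {"android.permission.RECEIVE_SMS",
                                   "android.permission.READ_SMS"}),
        "sends_sms": "android.permission.SEND_SMS" in perms,
        "has_internet": "android.permission.INTERNET" in perms,
        "sms_receiver_priority": max_priority,
    }


def classify(manifest_xml):
    """Map the indicators onto the two behaviours discussed in the text.

    sms-interceptor: reads incoming SMS via a high-priority SMS_RECEIVED receiver
                     and has a channel (INTERNET or SEND_SMS) to forward the mTAN.
    sms-spammer:     can send SMS and reach the network for spam text and targets.
    Returns the matching labels in a fixed order; an empty list means no match.
    """
    ind = sms_indicators(manifest_xml)
    labels = []
    prio = ind["sms_receiver_priority"]
    if (ind["reads_sms"] and prio is not None and prio >= HIGH_PRIORITY
            and (ind["has_internet"] or ind["sends_sms"])):
        labels.append("sms-interceptor")
    if ind["sends_sms"] and ind["has_internet"]:
        labels.append("sms-spammer")
    return labels


# Constructed manifests for the example (not real samples).
CITMO_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankcert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Bank Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SPAMMER_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Free Game"/>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Torch"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in [("bankcert", CITMO_LIKE_MANIFEST),
                      ("freegame", SPAMMER_LIKE_MANIFEST),
                      ("torch", BENIGN_MANIFEST)]:
        print(name, classify(xml) or ["no SMS-abuse indicators"])
```

Permissions alone produce false positives, since any legitimate messaging app requests RECEIVE_SMS and SEND_SMS; the discriminating combination is a maximum-priority SMS_RECEIVED receiver in an app whose stated purpose has nothing to do with messaging. Whether the receiver actually calls abortBroadcast() or forwards the message lives in the code, not the manifest, so a hit here is a triage signal to be confirmed by dynamic analysis.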

ZeroAccess: the most profitable botnet malware in the wild

ZeroAccess is one of today's most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability to terminate all processes related to security tools, including those belonging to anti-virus products. When too many researchers focused on this self-protection capability, however, the ZeroAccess author decided to drop the feature and focus instead on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change [1], ZeroAccess became easier for anti-virus products to spot, yet it continued to spread like wildfire around the world thanks to the improved P2P technique [2]. This success can be largely attributed to its affiliate program.

Affiliate program: the ZeroAccess success story

Affiliate programs are a well-known marketing strategy and are widely used by e-commerce websites [3]. Essentially, a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (and hopefully, eventually, make a purchase). The website owners are then compensated for providing these customer leads.

Adopting this concept, ZeroAccess's author or operator(s) has managed to distribute the program to a large number of machines with the help of enlisted partners. The ZeroAccess gang advertises the malware installer in Russian underground forums, actively looking for distributor partners (Figure 1). Their objective is to find other cybercriminals who are more capable of distributing the malware and can do so more efficiently.

Figure 1: A botnet operator seeking partners in an underground forum

The malware distributors generally consist of experienced affiliates, each employing their own methods of distributing the ZeroAccess installers in order to fulfill the recruiter's requirements. The most popular distribution methods we've seen involve exploit kits, spam e-mails, trojan-downloaders, and seeding fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on the distributor handling the operation.

The variety of distribution schemes and methods used by the numerous affiliates has contributed to the volume of trojan-dropper variants detected by anti-virus products every day, all driven by the same motive: to collect an attractive revenue share from the gang.

Methods used by ZeroAccess distributors
Downloader trojan: dropping a downloader trojan onto a machine, which then downloads and installs the botnet
Exploit kit: using an exploit kit (e.g., Blackhole) in a drive-by-download attack
Fake media file, keygen or crack: hosting infected files on P2P file-sharing services under enticing names, such as microsoft.office.2010.vl.editi.keygen.exe
P2P file-sharing service: abusing a P2P file-sharing website to host the ZeroAccess installer
Spam: sending spam e-mails containing an attachment or a link that enables further exploitation

Figure: ZeroAccess botnet affiliate program structure. The botnet operator pays ($$$) distributors A, B, C ... n recruited through an underground forum; the distributors reach victims via exploit kits, spam e-mails, downloader trojans and the P2P network; the victims then generate revenue through click fraud and Bitcoin mining.

The partners are compensated under a pay-per-install (PPI) scheme [4], and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States nets the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that location. Given the rate of pay, it is no surprise that ZeroAccess is most widespread in the US [5]. After the US, the commission rates sorted from highest to lowest are for Australia, Canada, Great Britain, and others. Some distributors even post screenshots of the payments they've received in underground forums to demonstrate the reliability of their recruiter (Figure 2).

Figure 2: Proof of payments made by the recruiter

The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the affiliates' efforts generates even more revenue in return. Once the malware is successfully installed on a victim machine, ZeroAccess begins downloading and installing additional malware, which generates profit for the botnet operators through click fraud and Bitcoin mining operations.

Botnet operators prefer the click fraud payload because, since 2006 [6], it has been a proven way to generate income from pay-per-click (PPC), or cost-per-click, advertising.

Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty level of the target set by the Bitcoin network and may even require some luck [7]. Furthermore, the victim's machine needs decent CPU power, preferably with GPU or FPGA hardware, to have a chance of solving a block in a reasonable amount of time [8]. Even with a large number of bots, the difficulty of solving Bitcoin blocks prevents the mining operation from performing as well as click fraud, which only requires the victims to have an internet connection and a web browser.

Despite the difficulties of Bitcoin mining, the fact that ZeroAccess was modified to drop its problematic self-protection feature and introduce the Bitcoin mining operation indicates that ZeroAccess's operators are very ambitious about keeping the botnet growing and are not afraid of taking risks.

Conclusion

Given ZeroAccess's current success as a huge, fully functional, profit-generating machine, it's unlikely that we'll see it going away anytime soon. The ZeroAccess malware, which poses the most direct threat to users, will continue to exist as a hidden danger on malicious or booby-trapped websites. The affiliate program that encourages the spread of the malware will continue to attract more cybercriminals, thanks to the botnet operators' established reputation for reliably paying their affiliates and adjusting commission rates to keep them attractive. And finally, the criminal organization behind the botnet has demonstrated that it is willing to experiment with and modify its product in order to increase its ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new features or feature updates being introduced in the near future.

ZeroAccess infections, top countries by percentage (%)*
US: 35%
Japan: 8%
India: 6%
Romania: 5%
Canada: 5%
Italy
Others: 38%
*Based on statistics gathered from national ASN-registered networks.

ZeroAccess's profit-generating activities, by percentage (%)
Click fraud: 83%
Bitcoin mining

Sources
[1] F-Secure Weblog; Threat Research; ZeroAccess's Way of Self-Deletion; published 13 June 2012
[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We're Gonna Need a Bigger Planet; published 17 September 2012
[3] Wikipedia; Affiliate Marketing
[4] Wikipedia; Compensation Methods
[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 September 2012
[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006
[7] Bitcoin Wiki; Target
[8] Wikipedia; Bitcoin
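The constraint on bot-driven Bitcoin mining discussed in this section is a matter of arithmetic on the network target, so it can be worked through. The following Python script, an added example rather than anything from the report or from ZeroAccess itself, decodes the compact "nBits" target encoding found in Bitcoin block headers [7], derives the difficulty, and estimates how long a botnet of a given size would need on average to find one block. The bot count and per-bot hash rate are assumptions chosen for illustration, and the nBits value used in the demonstration is taken as representative of late-2012 difficulty (an assumption, not a figure from the report).

```python
MAX_TARGET_NBITS = 0x1D00FFFF  # difficulty-1 target, as used by the genesis block


def target_from_nbits(nbits):
    """Decode the compact target: mantissa * 256 ** (exponent - 3)."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


MAX_TARGET = target_from_nbits(MAX_TARGET_NBITS)


def difficulty(nbits):
    """Difficulty relative to the difficulty-1 target."""
    return MAX_TARGET / target_from_nbits(nbits)


def expected_hashes(nbits):
    """Mean number of header hashes needed before one lands at or below the target.

    A single attempt succeeds with probability (target + 1) / 2**256, so the
    expected number of attempts is its reciprocal (close to difficulty * 2**32).
    This is the average; the actual count for any one block is down to luck.
    """
    return 2 ** 256 // (target_from_nbits(nbits) + 1)


def expected_block_seconds(nbits, bots, hashes_per_second_per_bot):
    """Mean time for a botnet to find one block at the given aggregate hash rate."""
    return expected_hashes(nbits) / (bots * hashes_per_second_per_bot)


def mining_outlook(nbits, bots, hashes_per_second_per_bot):
    """Summarise the mining prospects for a botnet of the given size."""
    seconds = expected_block_seconds(nbits, bots, hashes_per_second_per_bot)
    return {
        "difficulty": difficulty(nbits),
        "expected_hashes": expected_hashes(nbits),
        "hours_per_block": seconds / 3600.0,
    }


if __name__ == "__main__":
    # Assumptions for the demonstration: nBits 0x1A05DB8B (difficulty of roughly
    # 2.86 million, representative of late 2012) and 100,000 CPU-only bots at
    # 1 MH/s each; a GPU or FPGA would raise the per-bot rate by orders of magnitude.
    print(mining_outlook(0x1A05DB8B, 100_000, 1_000_000))
```

With those assumptions the botnet needs about 1.2e16 hashes per block, roughly 34 hours of the whole botnet's aggregate effort, and the payout arrives only when a block is actually found. Click fraud, by contrast, pays per click and scales linearly with the number of bots that have a browser and a connection, which is the comparison the text draws.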

Figure: ZeroAccess infections in the USA, Japan and Europe (map)*. *Red markers indicate an infected unique IP address or cluster of IP addresses.


Computer Viruses: How to Avoid Infection Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you

More information

PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD

PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD April 2013 As cybercriminals will have it, phishing attacks are quite the seasonal trend. It seems that every April, after showing a slight decline

More information

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success HACKER INTELLIGENCE INITIATIVE The Secret Behind 1 1. Introduction The Imperva Application Defense Center (ADC) is a premier research organization for security analysis, vulnerability discovery, and compliance

More information

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

PROTECT YOUR COMPUTER AND YOUR PRIVACY! PROTECT YOUR COMPUTER AND YOUR PRIVACY! Fraud comes in many shapes simple: the loss of both money protecting your computer and Take action and get peace of and sizes, but the outcome is and time. That

More information

Stopping zombies, botnets and other email- and web-borne threats

Stopping zombies, botnets and other email- and web-borne threats Stopping zombies, botnets and other email- and web-borne threats Hijacked computers, or zombies, hide inside networks where they send spam, steal company secrets, and enable other serious crimes. This

More information

OCT Training & Technology Solutions Training@qc.cuny.edu (718) 997-4875

OCT Training & Technology Solutions Training@qc.cuny.edu (718) 997-4875 OCT Training & Technology Solutions Training@qc.cuny.edu (718) 997-4875 Understanding Information Security Information Security Information security refers to safeguarding information from misuse and theft,

More information

Five Trends to Track in E-Commerce Fraud

Five Trends to Track in E-Commerce Fraud Five Trends to Track in E-Commerce Fraud Fraud is nothing new if you re in the e-commerce business you probably have a baseline level of fraud losses due to stolen credit cards, return fraud and other

More information

A Case for Managed Security

A Case for Managed Security A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction

More information

Innovations in Network Security

Innovations in Network Security Innovations in Network Security Michael Singer April 18, 2012 AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

More information

Emerging Trends in Malware - Antivirus and Beyond

Emerging Trends in Malware - Antivirus and Beyond Malware White Paper April 2011 Emerging Trends in Malware - Antivirus and Beyond One need only listen to the news or read the latest Twitter and media updates to hear about cyber crime and be reminded

More information

January 2011 Report #49. The following trends are highlighted in the January 2011 report:

January 2011 Report #49. The following trends are highlighted in the January 2011 report: January 2011 Report #49 Spam made up 81.69% of all messages in December, compared with 84.31% in November. The consistent drop in spam made us wonder, did spammers take a holiday break? Global spam volume

More information

A TASTE OF HTTP BOTNETS

A TASTE OF HTTP BOTNETS Botnets come in many flavors. As one might expect, these flavors all taste different. A lot of Internet users have had their taste of IRC, P2P and HTTP based botnets as their computers were infected with

More information

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 All contents are Copyright 1992 2012 Cisco Systems, Inc. All rights reserved. This document

More information

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies

More information

Practical tips for a. Safe Christmas

Practical tips for a. Safe Christmas Practical tips for a Safe Christmas CONTENTS 1. Online shopping 2 2. Online games 4 3. Instant messaging and mail 5 4. Practical tips for a safe digital Christmas 6 The Christmas holidays normally see

More information

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies

More information

DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers

DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers SUMMARY The Federal Financial Institutions Examination Council (FFIEC) is planning to update online transaction

More information

Perception and knowledge of IT threats: the consumer s point of view

Perception and knowledge of IT threats: the consumer s point of view Perception and knowledge of IT threats: the consumer s point of view It s hard to imagine life without digital devices, be it a large desktop computer or a smartphone. Modern users are storing some of

More information

Real World and Vulnerability Protection, Performance and Remediation Report

Real World and Vulnerability Protection, Performance and Remediation Report Real World and Vulnerability Protection, Performance and Remediation Report A test commissioned by Symantec Corporation and performed by AV-Test GmbH Date of the report: September 17 th, 2014, last update:

More information

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next Your Data Under Siege: Guard the Gaps with Patch Management 1.0

More information

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security A World of Constant Threat We live in a world on constant threat. Every hour of every day in every country around the globe hackers

More information

State of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved

State of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved State of the Web 2015: Vulnerability Report March 2015 Motivation In February 2015, security researchers http://www.isightpartners.com/2015/02/codoso/ reported that Forbes.com had been hacked. The duration

More information

Kaspersky Lab. Contents

Kaspersky Lab. Contents KASPERSKY DDOS INTELLIGENCE REPORT Q3 2015 Contents Contents... 1 Q3 events... 2 Attacks on financial organizations... 2 Unusual attack scenario... 2 XOR DDoS bot activity... 2 DDoS availability... 3 Statistics

More information

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Lee Zelyck Network Administrator Regina Public Library Malware, Spyware, Trojans

More information

Malware & Botnets. Botnets

Malware & Botnets. Botnets - 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online

More information

Practical guide for secure Christmas shopping. Navid

Practical guide for secure Christmas shopping. Navid Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security

More information

DDoS Attacks Can Take Down Your Online Services

DDoS Attacks Can Take Down Your Online Services DDoS Attacks Can Take Down Your Online Services Dr. Bill Highleyman Managing Editor, Availability Digest Continuity Insights New York 2014 October 8, 2014 editor@availabilitydigest.com Who Am I? Dr. Bill

More information

Operation Liberpy : Keyloggers and information theft in Latin America

Operation Liberpy : Keyloggers and information theft in Latin America Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation

More information