Stanford CS 155 - The Emerging Threat Landscape

Slide 1: The Emerging Threat Landscape
Zulfikar Ramzan, Ph.D.
Technical Director and Architect, Security Technology and Response
Tuesday, June 03, 2008
(Footer on every slide: Zulfikar Ramzan - Threat Landscape 2008)

Slide 2: Agenda
1. Intro
2. Shifting Threat Landscape
3. Malware: Growing Dangerously
4. Web attacks: The New Epicenter
5. Global Intelligence Network
6. The Road Ahead
Most of the data I’ll present comes from the Symantec Internet Security Report Edition XIII – covering Jul-Dec 2007.

Slide 3: Some Key Trends
• Underground economy and supply chain lowers bar for who can participate in cybercrime
• Lack of trust among underground economy participants may force additional organization
• Malicious software levels consistently rising
  – More malicious software in ’08 than all previous years combined
  – By all accounts, ’09 will be same
  – Good vs. bad software inflection point
• Web will continue as an attack vector because of its popularity and content richness
• Targeted attacks will likely be an issue and will necessitate defense-in-depth protection
• Attackers starting at the supply chain (infected digital picture frames)

Slide 4: Fraud Economy Menu & Ads

Rank | Previous Rank | Goods and Services           | Current % | Previous % | Prices
-----|---------------|------------------------------|-----------|------------|------------------------------------------
1    | 2             | Bank Accounts                | 22%       | 21%        | $10-$1000
2    | 1             | Credit Cards                 | 13%       | 22%        | $0.40-$20
3    | 7             | Full Identity                | 9%        | 6%         | $1-$15
4    | N/R           | Online Auction Site Accounts | 7%        | N/A        | $1-$8
5    | 8             | Scams                        | 7%        | 6%         | $2.50/wk - $50/wk (hosting); $25 (design)
6    | 4             | Mailers                      | 6%        | 8%         | $1-$10
7    | 5             | Email Addresses              | 5%        | 6%         | $0.83/MB-$10/MB
8    | 3             | Email Passwords              | 5%        | 8%         | $4-$30
9    | N/R           | Drop (request or offer)      | 5%        | N/A        | 10-50% of drop amount
10   | 6             | Proxies                      | 5%        | 6%         | $1.50-$30

Slide 5: The Fraud Food Chain
[Diagram; roles shown: Spammer, Botherder, Phisher, Cashier, Egg Drop Server, Victims; artifacts shown: Phishing Messages, Fraud Website (+ Trojan horse)]

Slide 6: Malware: Growing Dangerously & Dangerously Growing (section title)

Slide 7: Designed for data theft & unauthorized access
• For the 2nd half of ’07, 68% of the top 50 malicious code posed threat to confidential info
  – 3% ↑ from H1 ’07
  – 15% ↑ from H2 ’06
• Keystroke loggers represent 76% of the reported threats to confidential information
[Chart: Exposure by type; data labels recovered from the chart]

Period       | Exports user data | Exports system data | Exports email addresses | Keylogger | Allows remote access
-------------|-------------------|---------------------|-------------------------|-----------|---------------------
Jul-Dec 2006 | 69%               | 69%                 | 67%                     | 76%       | 87%
Jan-Jun 2007 | 80%               | 79%                 | 76%                     | 88%       | 88%
Jul-Dec 2007 | 71%               | 71%                 | 68%                     | 76%       | 86%

• The decline in all five categories could be attributable to a specific piece of malware being more targeted and having fewer capabilities (e.g., versus having all five capabilities); malware authors may be employing such techniques to make detection more difficult.

Slide 8: Trojan.Silentbanker – Standard banking transaction
[Diagram: the user’s computer talks directly to the bank]

Slide 9: Trojan.Silentbanker – Man in the Middle (Remote)
• All banking transactions are routed through an attacker-controlled remote system

Slide 10: Trojan.Silentbanker – Man in the Middle (Local)
• A locally installed malicious proxy; transactions are routed through the proxy

Slide 11: Trojan.Silentbanker – Man in the Middle (Local), Information Stealing
• Account information is logged on the computer and then sent to the attacker
• The attacker then uses this information to log into the account at a later date

Slide 12: Trojan.Silentbanker – Information Stealing, Advanced
• User requests login page
• The bank sends a login page, with fields needed to log in
• The local proxy intercepts the request and appends additional fields to it
• When the user submits the information, it is also sent to the attacker
• The attacker can then use this information to log into the user’s bank account at a later date

Slide 13: Trojan.Silentbanker – Two-Factor Authentication, Advanced
• The user attempts a transaction, which is intercepted by the attacker
• The account details are changed, redirecting the transaction to another account (the attacker’s account)
• The bank sends a password by cell phone to complete the transaction
• The user enters the password and then submits the final request
• The bank sends back confirmation for the transaction
• The proxy modifies the account details, and sends on the confirmation
• The confirmation is modified, appearing as though the transaction is going to the initial account

Slide 14: Man-in-the-Middle Trojans in Action

Slide 15: Staged Downloaders: When it rains, it pours
• For the 1st half of ’07: 35% of computers reporting potential malicious code infections reported more than once
  – Many of these likely the result of staged downloaders
• Only 10% of malware samples Symantec sees actually exploit a technical vulnerability; the rest either piggyback or rely on social engineering…

Slide 16: Using IRS Fears to Install Malware: Backdoor.Robofo
• 0.16% of spam blocked by Symantec contained malicious code (↓ from 0.43%)
• 32% of malicious code that propagated did so over email (↑ from 30%)

Slide 17: Using Fear to “Copy Protect” Malware
License text reproduced on the slide:
2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.
In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

Web Attacks: The New Epicenter (section title; the preview ends here)
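Returning to the Trojan.Silentbanker two-factor slide above: the cell-phone password there says nothing about the transaction it approves, so a local proxy can rewrite the destination account and the password still verifies. The simulation below is an added example, not code from the deck or from Symantec; it contrasts that scheme with a code bound to destination, amount and a bank challenge, with all keys, account strings and the proxy model being constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for this simulation; nothing here comes from the slides.
BANK_KEY = b"constructed-secret-shared-with-the-user-token"
ATTACKER_ACCOUNT = "ATTACKER-ACCOUNT-0000"


def transaction_code(key: bytes, dest: str, amount_cents: int, challenge: str) -> str:
    """HMAC over the transaction details, truncated to 8 decimal digits.
    Valid only for this destination, amount and challenge, so a proxy that
    rewrites the destination also invalidates the code."""
    msg = f"{dest}|{amount_cents}|{challenge}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def malicious_proxy(request: dict) -> dict:
    """Models the local proxy of slide 13: forwards the request with the
    destination swapped while the user's web page still shows the original."""
    tampered = dict(request)
    tampered["dest"] = ATTACKER_ACCOUNT
    return tampered


def run_transfer(bind_code: bool, proxy_present: bool) -> bool:
    """True if the bank accepts the transfer it actually received."""
    intended = {"dest": "USER-INTENDED-ACCOUNT-1234", "amount": 25_000}
    received = malicious_proxy(intended) if proxy_present else intended
    challenge = secrets.token_hex(8)  # issued by the bank, one per transaction

    if bind_code:
        # Hardened: the user's token signs the details the user intends ...
        entered = transaction_code(BANK_KEY, intended["dest"], intended["amount"], challenge)
        # ... and the bank recomputes over the request it received via the proxy.
        expected = transaction_code(BANK_KEY, received["dest"], received["amount"], challenge)
    else:
        # Slide 13's scheme: the phone password is independent of the transaction,
        # so the proxy forwards it unchanged and it verifies against the tampered request.
        expected = secrets.token_hex(4)
        entered = expected
    return hmac.compare_digest(entered, expected)


if __name__ == "__main__":
    print("unbound OTP, proxy present:", run_transfer(False, True))  # True: transfer diverted
    print("bound code, proxy present: ", run_transfer(True, True))   # False: tamper rejected
    print("bound code, no proxy:      ", run_transfer(True, False))  # True
```

The bound variant is the "sign what you see" idea behind hardware transaction-signing tokens; it only helps if the token displays or receives the destination independently of the infected browser.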