DOCSLIB.ORG

Email Worm Modeling and Defense

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Email Worm Modeling and Defense CliffC.Zou∗,DonTowsley†, Weibo Gong∗ ∗Department of Electrical & Computer Engineering †Department of Computer Science University of Massachusetts, Amherst, MA 01003 {czou, gong}@ecs.umass.edu, [email protected] Abstract— Email worms constitute one of the major Internet little differences in terms of the propagation dynamics of email security problems. In this paper, we present an email worm worms. model that accounts for the behaviors of email users by con- Based on the above email worm model, we study the ef- sidering email checking time and the probability of opening email attachments. Email worms spread over a logical network fectiveness of “selective immunization defense”, i.e., selecting defined by email address relationship, which plays an important some most connected email users’ computers to make them role in determining the spreading dynamics of an email worm. immune to an email worm. The results explain why selective Our observations suggest that the node degrees of an email immunization defense against email worm propagation is quite network are heavy-tailed distributed. We compare email worm effective for a power law topology but not so good for the other propagation on three topologies: power law, small world and random graph topologies; and then study how the topology two topologies. affects immunization defense on email worms. The impact of The rest of the paper is organized as follows. Section II the power law topology on the spread of email worms is mixed: surveys related work. Section III presents the email worm email worms spread more quickly on a power law topology than propagation model. In Section IV, we explains why we choose on a small world topology or a random graph topology, but immunization defense is more effective on a power law topology power-law topology to represent the logical email network. We than on the other two. conduct extensive simulation studies and present the results in Section V. Then we study selective immunization defense I. INTRODUCTION against email worm attacks in Section VI. Finally, we make some discussions and conclude the paper with Section VII. “Email worms” are malicious computer programs that prop- agate through email: when an email user clicks a worm II. RELATED WORK program in the attachments of a worm email, the worm compromises the user’s computer and then finds all email Kephart, White and Chess studied viral infection based on addresses stored on this computer to send out worm email. epidemiology models from 1991 to 1993 [2][3][4], where Email has become an indispensable communication medium they considered virus spreading on random graph networks in our life. However, email worms keep attacking us with in- and local networks. After Code Red worm incident [1] in creasing intensity and using more advanced social engineering 2001, many researchers have studied worm propagation mod- tricks. Some famous email worms include Melissa in 1999, eling [5][6][7][8]. However, these papers studied “scan-based” “Love Letter” in 2000, “W32/Sircam” in 2001, “SoBig”in worms that propagate through random scanning — models of 2003, “MyDoom”, “Bagle” and “Netsky” in this year [1]. scan-based worms do not need to consider topological issues Like earthquake modeling or tornado modeling, a good and thus not suitable for modeling email worms. email worm model gives us deep understanding of email Wang et al. [9] simulated a simple virus propagation based worms, helps us evaluate the effectiveness of defense mecha- on a clustered topology and a tree-like hierarchic topology. nisms, and provides possible early warning to help us control Newman et al. [10] collected email address book data from a worm’s potential damage. In this paper, we first present a a university and showed that the campus-level email topology realistic email worm model that accounts for the behaviors has an exponential and a stretched exponential distribution for of email users by considering users’ email checking time and in-degree and out-degree, respectively. However, they didn’t the probability of opening email attachments. Then we carry consider email lists, which can dramatically increase edges in out extensive simulation studies. Email worms spread over a an email network. In addition, most email worms send out logical network defined by email addresses; our observation worm email to all addresses existed in a computer, not just shows that the Internet-scale email network might be heavy- in email address books. Thus the Internet-scale email network tailed distributed and we model it as a power law network. may follow a completely different topology. Briesemeister et To study how topology affects an email worm’s propagation, al. [11] used simulation to study epidemic spreading on scale- we compare worm spreading on power law, small world and free networks without considering other topologies and user random graph topologies. We derive the conclusion that email interactions. Satorras et al. [12] used SIS epidemic model to worms spread more quickly on a power law topology than study epidemic spreading in scale-free networks — the SIS on the other two topologies; the other two topologies have model is not suitable for modeling the propagation of one email worm because a cured host is not likely to become of the checking time interval Ti for user i, i =1, 2, ··· , |V |. Ti susceptible to the same email worm again. may follow different distributions. For example, it is a constant From an email worm’s point of view, the connectivity of a value when a user checks email once every morning or uses partly immunized email network is a “percolation” problem. email client programs to fetch and check email at a specified Newman et al. [13] derived the analytical solution of the time interval; it is exponentially distributed (i.e., checking “percolation threshold” for arbitrary topologies: if nodes are action is a Poisson process) if a user checks email at a random removed randomly from a network, the network will be broken time. In this paper we will study how different distributions into pieces when the fraction of removed nodes is higher than of email checking time interval affect the propagation of an the network’s “percolation threshold”. However, it is more email worm. effective and reasonable to “selectively immunize” nodes in an Since the number of email users in the Internet is very large email network rather than the uniform immunization studied and users’ behaviors are independent, we assume that the mean in [13]. Albert et al. [14] showed that a power law network checking email time E[Ti] of user i is generated by a Gaussian 2 is vulnerable under selective attack, which is consistent to our distributed random variable T , i.e., T ∼ N(µT ,σT ) (E[Ti]= conclusions. 0 when T<0). We assume that when a user checks his email, he checks all new email in his mailbox. III. EMAIL WORM PROPAGATION MODEL The opening probability Pi of user i is determined by: (1) We represent the topology of the logical email network by the user’s security awareness; and (2) the social engineering an undirected graph G =<V,E>. ∀v ∈ V , v denotes an tricks deployed by an email worm (e.g., “MyDoom” infected email user; ∀e =(u, v) ∈ E, u, v ∈ V , represents that two more users than any email worm before due to its advanced users u and v have the email address of each other in their social engineering techniques [1]). Therefore, for the propaga- d own computers. “Node degree” of a node means that this tion of one email worm, we assume Pi to be constant for user d d |V | node has edges connecting to other nodes. is the total i. Similar to E[Ti], we assume Pi of user i is generated by a 2 number of email users. For a reader’s convenience, Table I Gaussian distributed random variable P , i.e., P ∼ N(µP ,σP ) lists most notations used in this paper. (Pi =0when P<0 and Pi =1when P>1). An email user is called infected once the user opens an TABLE I email worm attachment; upon opening a worm attachment, NOTATIONS USED IN THIS PAPER an infected user immediately sends out worm email to all Symbol Explanation his neighbors. Let N0 denote the number of initially infected G G =<V,E> Undirected graph representing email network, users. Let random variable Nt denote the number of infected Nt Number of infected users at time t t N ≤ N ≤ α Power law exponent of a power law topology that has users at time during email worm propagation, 0 t complementary cumulative degree distribution F (d) ∝ d−α |V |, ∀t>0. It takes time before a recipient receives an email h N∞ Number of users uninfected when a worm finishes spreading worm sent out by an infected user; but the email transmission T i i =1, 2, ··· , |V | i Email checking time interval of user , time is usually much smaller compared with a user’s email Pi Probability of user i to open email worm attachments T Gaussian-distributed random variable that generates E[Ti], checking time interval, and thus, it is ignored in our model. 2 T ∼ N(µT ,σT ) (E[Ti]=0when T<0) P Gaussian-distributed random variable that generates Pi, 2 IV. EMAIL NETWORK TOPOLOGY DISCUSSION P ∼ N(µP ,σP ) (Pi =0when P<0 P =1 P>1 and i when ) f(d) d Dt Average degree of those nodes that are healthy before time t Let be the fraction of nodes with node degree but are infected at time t, ∀t>0 in email network graph G. The complementary cumulative ∞ L(p) Remained link ratio — fraction of links remained after distribution function (ccdf) is denoted by F (d)= f(i), removal of the top p percent most connected nodes i=d C(p) Connection ratio — fraction of remained nodes that are i.e., the fraction of nodes with degree greater than or equal connected after removal of the top p most connected nodes to d.
Recommended publications
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
  • Computer Viruses, in Order to Detect Them

    Computer Viruses, in Order to Detect Them

    Behaviour-based Virus Analysis and Detection PhD Thesis Sulaiman Amro Al amro This thesis is submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy Software Technology Research Laboratory Faculty of Technology De Montfort University May 2013 DEDICATION To my beloved parents This thesis is dedicated to my Father who has been my supportive, motivated, inspired guide throughout my life, and who has spent every minute of his life teaching and guiding me and my brothers and sisters how to live and be successful. To my Mother for her support and endless love, daily prayers, and for her encouragement and everything she has sacrificed for us. To my Sisters and Brothers for their support, prayers and encouragements throughout my entire life. To my beloved Family, My Wife for her support and patience throughout my PhD, and my little boy Amro who has changed my life and relieves my tiredness and stress every single day. I | P a g e ABSTRACT Every day, the growing number of viruses causes major damage to computer systems, which many antivirus products have been developed to protect. Regrettably, existing antivirus products do not provide a full solution to the problems associated with viruses. One of the main reasons for this is that these products typically use signature-based detection, so that the rapid growth in the number of viruses means that many signatures have to be added to their signature databases each day. These signatures then have to be stored in the computer system, where they consume increasing memory space. Moreover, the large database will also affect the speed of searching for signatures, and, hence, affect the performance of the system.
  • Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3 Chapter 3: Viruses, Worms, and Blended Threats.........................................................................46 Evolution of Viruses and Countermeasures...................................................................................46 The Early Days of Viruses.................................................................................................47 Beyond Annoyance: The Proliferation of Destructive Viruses .........................................48 Wiping Out Hard Drives—CIH Virus ...................................................................48 Virus Programming for the Masses 1: Macro Viruses...........................................48 Virus Programming for the Masses 2: Virus Generators.......................................50 Evolving Threats, Evolving Countermeasures ..................................................................51 Detecting Viruses...................................................................................................51 Radical Evolution—Polymorphic and Metamorphic Viruses ...............................53 Detecting Complex Viruses ...................................................................................55 State of Virus Detection.........................................................................................55 Trends in Virus Evolution..................................................................................................56 Worms and Vulnerabilities ............................................................................................................57
  • Combating Spyware in the Enterprise.Pdf

    Combating Spyware in the Enterprise.Pdf

    www.dbebooks.com - Free Books & magazines Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web site, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE EBOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations.
  • Symantec Internet Security Threat Report

    Symantec Internet Security Threat Report

    Symantec Internet EXECUTIVE SUMMARY Symantec Internet Security Threat Report September 2003 EXECUTIVE EDITOR Executive Summary Linda McCarthy Symantec Office of the CTO The Symantec Internet Security Threat Report provides a six-month update about Internet threat MANAGER, DEVELOPMENT activity1. It includes analysis of network-based attacks, a review of known vulnerabilities, and David Ahmad Symantec Security Response highlights of malicious code. This summary of that report can alert executives to impending threats and current trends. SENIOR THREAT ANALYST Cori Lynn Arnold Symantec Managed Security With over 20,000 sensors monitoring network activity in over 180 countries, Symantec has Services established one of the most comprehensive sources of Internet threat data in the world, giving SENIOR MANAGER, ANALYSIS Symantec's analysts a superior source of attack data from which to spot important trends. OPERATIONS These trends educate executives about potential threats and exposures, and using the data Brian Dunphy Symantec Managed Security can help them identify weaknesses in their own security architecture or policies. Services In August 2003, the Win32.Blaster blended threat rapidly spread worldwide, and several other SENIOR MANAGER, DEVELOPMENT Oliver Friedrichs highly severe worms followed. In only eight days the pace and frequency of these threats created Symantec Security Response havoc for systems administrators as well as for PC home users, with an estimated cost of damages 2 RESEARCH FELLOW running up to $2 billion . This report
  • Contents in This Issue

    Contents in This Issue

    NOVEMBER 2005 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT Virus Bulletin WHEN IRISH EYES ARE thanks the sponsors Is the boot on the other foot? SMILING of VB2005: A busy conference schedule, 3 NEWS combined with the famous warmth Microsoft assists Nigeria in fight against and hospitality of the Irish and a high-tech crime drop or two of the local ‘water’ were Errata – Windows 2003 Server a recipe for success for VB2005 in comparative review Dublin last month. page 14 3 VIRUS PREVALENCE TABLE LANGUAGE LOGGING 4 VIRUS ANALYSIS Using components of Windows multilingual Criss-cross support, it is possible to create a file that will capture keystrokes on a target system while using FEATURES the OS to protect that file from removal or deletion. Masaki Suenaga explains how an IME could be 6 IME as a possible keylogger used as a keylogger. 11 The false positive disaster: anti-virus vs. page 6 WinRar & co. THE TROUBLE WITH WINRAR 13 LETTERS Andreas Marx reports on his extensive false positive testing of anti-virus software. 14 CONFERENCE REPORT page 11 In Dublin’s fair city 16 PRODUCT REVIEW NOD32 for Windows NT/2000/XP/2003/x64 with centralized management This month: anti-spam news and events and 20 END NOTES & NEWS John Graham-Cumming looks at measuring and marketing spam filter accuracy. ISSN 0956-9979 COMMENT ‘It adds insult to the voices of those of us on the systems administrators’ side, which was equal in its representation on the panel.) injury when the So, putting aside the reporting of the subject, I’d like to major media outlets touch again on why accurate reporting is an issue for misrepresent the those of us on the administration side.
  • Who Wrote Sobig? Copyright 2003-2004 Authors Page 1 of 48

    Who Wrote Sobig? Copyright 2003-2004 Authors Page 1 of 48

    Who Wrote Sobig? Copyright 2003-2004 Authors Page 1 of 48 Who Wrote Sobig? Version 1.0: 19-August-2003. Version 1.1: 25-August-2003. Version 1.2: 19-November-2003. Version 1.3: 17-July-2004. This sanitized variation for public release. Scheduled for release: 1-November-2004. This document is Copyright 2003-2004 by the authors. The PGP key included within this document identifies the authors. Who Wrote Sobig? Copyright 2003-2004 Authors Page 2 of 48 Table of Contents Table of Contents................................................................................................................................................... 2 1 About This Document..................................................................................................................................... 3 2 Overview........................................................................................................................................................ 5 3 Spam and Virus Release History..................................................................................................................... 6 3.1 Identifying Tools .................................................................................................................................... 6 3.2 Identifying Individuals and Specific Groups ............................................................................................ 6 3.3 Identifying Open Proxies and Usage........................................................................................................ 8 3.4
  • THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network Worms Were Supposed to Be Dead. Turns O

    THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network Worms Were Supposed to Be Dead. Turns O

    THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. This worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser. Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected. Case Conficker The sustained growth of malicious software (malware) during the last few years has been driven by crime. Theft – whether it is of personal information or of computing resources – is obviously more successful when it is silent and therefore the majority of today's computer threats are designed to be stealthy. Network worms are relatively "noisy" in comparison to other threats, and they consume considerable amounts of bandwidth and other networking resources.
  • Media Diffusion of Computer Security Threats

    Media Diffusion of Computer Security Threats

    Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 1-1-2006 It came from the Internet : media diffusion of computer security threats Adam Paul Patridge Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Recommended Citation Patridge, Adam Paul, "It came from the Internet : media diffusion of computer security threats" (2006). Retrospective Theses and Dissertations. 19035. https://lib.dr.iastate.edu/rtd/19035 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. It came from the Internet: Media diffusion of computer security threats by Adam Paul Patridge A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Human Computer Interaction Program of Study Committee: Chad Harms, Major Professor Kim Smith Anthony Townsend Iowa State University Ames, Iowa 2006 Copyright ©Adam Paul Patridge, 2006. All rights reserved. 11 Graduate College Iowa State University This is to certify that the master's thesis of Adam Paul Patridge has met the thesis requirements of Iowa State University Signatures have been redacted for privacy 111 TABLE OF CONTENTS CHAPTER 1. INTRODUCTION 1 CHAPTER 2. LITERATURE REVIEW 4 COMPUTER SECURITY 4 Computer Security Threats 4 Lifespan of a Threat 6 DIFFUSION OF INNOVATION 7 History of Diffusion Research 8 Innovation Adoption Process 10 Diffusion of Innovation Components 12 Diffusion Criticisms 18 RESEARCH QUESTIONS 19 CHAPTER 3.
  • Zero-Day Malware Project Assignment

    Zero-Day Malware Project Assignment

    Zero-day Malware Project Assignment Trondheim, December 17, 2008 Norwegian University of Science and Technology Faculty of Information Technology, Mathematics and Electrical Engineering Department of Telematics Finn Michael Halvorsen, Rune Walsø Nerg˚ardand H˚avard Vegge NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY FACULTY OF INFORMATION TECHNOLOGY, MATHEMATICS AND ELECTRICAL ENGINEERING PROJECT ASSIGNMENT Students: Finn Michael Halvorsen, Rune Walsø Nerg˚ard and H˚avard Vegge Course: TTM4530 Title: Zero-day Malware Description: The current trend in malware is increased stealth for the purpose of creating large, undetected botnets. Coupled with the closing gap between time of vulnerability detection to time of available exploit, this leads to an increasing lag time for anti-malware vendors. The task is two-fold: 1. Design a laboratory testbed consisting of updated Microsoft Windows PCs, with updated anti-malware software installed, and then expose these systems to known suspicious sites, file-sharing systems, etc. 2. At a given time afterwards perform an offline malware search of the system with updated anti-malware tools to determine whether the system was infected with zero-day malware. Deadline: December 17, 2008 Submission date: December 17, 2008 Carried out at: Department of Telematics Supervisor: Martin Gilje Jaatun, SINTEF ICT Co-Supervisor: Jostein Jensen, SINTEF ICT Trondheim, December 11, 2008 Danilo Gligoroski Professor Abstract There has been an enormous increase in malware variants during the last year. This has made it even more difficult for the anti-malware vendors to maintain protection against the vast amount of threats. Various obfuscation techniques, such as polymorphism, con- tribute to this trend. The ongoing battle between malware creators and anti-virus vendors causes an increasing signature lag, which leads to vulnerable end-systems for home users as well as in corporate environments.
  • Desktop Security for Everyone

    Desktop Security for Everyone

    DesktopDesktop SecuritySecurity forfor EveryoneEveryone TylerTyler FarmerFarmer –– [email protected]@microsoft.com Sr.Sr. TechnologyTechnology SpecialistSpecialist IIII EducationEducation SolutionsSolutions GroupGroup MicrosoftMicrosoft CorporationCorporation AgendaAgenda StateState ofof thethe IndustryIndustry todaytoday Viruses,Viruses, WormsWorms && SpiesSpies –– ohoh my!my! HowHow toto ProtectProtect YourselfYourself StateState ofof thethe IndustryIndustry TodayToday ThreatThreat FollowsFollows ValueValue The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because, “That’s where the money is.” Today, the money is in Cyberspace The Internet provides for criminals the two capabilities most required for the conduct of criminal activities: Anonymity & Mobility DoDo TheThe MathMath SoBigSoBig virusvirus spammedspammed mailmail toto overover 100100 millionmillion inboxesinboxes IfIf 10%10% readread thethe mailmail andand clickedclicked thethe linklink = 10 million people IfIf 1%1% ofof peoplepeople whowho wentwent toto sitesite signedsigned upup forfor 33-- daysdays freefree trialtrial = (100,000 people) x ($0.50) = $50,000 IfIf 1%1% ofof freefree trialstrials signsign upup forfor 11 yearyear = (1,000 people) x ($144/yr) = $144,000/yr OpportunitiesOpportunities AreAre LimitlessLimitless NeedNeed Traffic?Traffic? BuyBuy it!it! NeedNeed AA FamilyFamily Business?Business? Situation:Situation: ItIt isis gettinggetting scary!scary! WhyMost does attacks this occurgap exist? here Product