Microsoft Security Intelligence Report


Microsoft Security Intelligence Report, Volume 9 (January 2010 through June 2010)
www.microsoft.com/sir

About Security Intelligence Report volume 9

Malware Key Findings covers:
– Vulnerability Disclosures
– Usage Trends for Windows Update and Microsoft Update
– Security Breach Trends
– Malware and Potentially Unwanted Software Trends
– Email Threats
– Malicious and Compromised Websites
– Phishing Sites and Traffic
– Analysis of Malware Hosts
– Analysis of Drive-By Download Sites
– Automated SQL Injection Attacks

Contains data and intelligence from the past several years, but focuses on the first two quarters of 2010 (1Q10, 2Q10).

Data sources

Each product is characterized by its main distribution method, its main customer segment (consumers, business), whether it is available at no additional charge, and whether it provides scan-and-remove or real-time protection for malicious software and for spyware and potentially unwanted software:
– Windows Malicious Software Removal Tool (MSRT): WU/AU, Download Center; removes prevalent malware families
– Windows Defender: Windows Vista/Windows 7, Download Center
– Windows Live OneCare safety scanner: Cloud
– Microsoft Security Essentials: Cloud
– Forefront Online Protection for Exchange: Cloud
– Forefront Client Security: Volume Licensing

Scale of the data sources:
– Hotmail: more than 280 million active users
– Internet Explorer: the world's most popular browser, with SmartScreen and the Microsoft Phishing Filter
– Microsoft Forefront Online Security for Exchange: scans billions of e-mail messages a year
– MSRT: a user base of more than 600 million unique computers worldwide
– Bing: billions of web pages scanned each month

Acting on feedback: a brand new format
– Featured Intelligence: The Botnet Threat; How the Waledac botnet was taken down by Microsoft
– Risk Management: How Microsoft IT and Microsoft Support Services deal with botnets; Botnet checklist for IT professionals
– Global Threat Assessment on botnets: Botnet intelligence from 15 countries and regions
– Malware Key Findings
Fully referenced and updated Microsoft Security Intelligence Report website: www.microsoft.com/sir

Security Centers supporting TwC Security
Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations):
– Microsoft Security Engineering Center (MSEC)
– Microsoft Malware Protection Center (MMPC)
– Microsoft Security Response Center (MSRC)

SOFTWARE VULNERABILITY DISCLOSURE TRENDS

[Chart: Industry-wide vulnerability disclosures by half-year, 1H06-2H09; x-axis 2H06 to 1H10.]

[Chart: Software vulnerability disclosures by severity, 2H06 to 1H10; series Low (0 - 3.9), Medium (4 - 6.9), High (7 - 10). Inset pie for 1H10 splitting disclosures into Low (0 - 3.9), Medium (4 - 6.9), High (7 - 9.8) and High (9.9+).]

[Chart: Software vulnerability disclosures by access complexity, 2H06 to 1H10; series Low Complexity, Medium Complexity, High Complexity.]

[Chart: Operating system, browser and application disclosures, 2H06 to 1H10; series Application vulnerabilities, Browser vulnerabilities, Operating system vulnerabilities.]

Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Microsoft vs. Non-Microsoft vulnerability disclosures, 2H06 to 1H10.]

Microsoft Vulnerability Exploit Details: disclosures by disclosure type, per half-year

Disclosure type              | 1H06 | 2H06 | 1H07 | 2H07 | 1H08 | 2H08 | 1H09 | 2H09 | 1H10
Full Disclosure              |  100 |  169 |  164 |   82 |  110 |  128 |   80 |  101 |   86
Vulnerability Broker Cases   |   25 |   24 |   17 |   30 |   71 |   43 |   41 |   45 |   30
Other Coordinated Disclosure |  208 |  241 |  217 |  247 |  323 |  264 |  270 |  377 |  295

[Chart: Microsoft Vulnerability Exploit Details, Security Bulletins and Unique CVEs per half-year, 1H06 to 1H10.]

[Chart: Microsoft Vulnerability Exploit Details, 1H06 to 1H10; ratio values between 1.5 and 3.1.]

Update Service Usage Over Time
[Chart: Microsoft Update vs. Windows Update only, 2H06 to 1H10, in percent.]
[Chart: WSUS, Windows Update + Microsoft Update, and Windows installed base, 2H06 to 1H10, indexed to 100.0%; WSUS reaches 240.7%.]

SECURITY BREACH TRENDS

[Chart: Security breach incidents by cause, Negligence vs. Attack, 1H08 to 1H10.]

Security breach incidents by type, 1H08 to 1H10:

Type             | 1H08 | 2H08 | 1H09 | 2H09 | 1H10
Missing          |    4 |    0 |    2 |    0 |    0
Malware          |    4 |    4 |    7 |    5 |    6
Email            |   15 |   13 |   11 |   13 |    6
Accidental Web   |   53 |   47 |   31 |   19 |   12
Lost Equipment   |   31 |   51 |   36 |   28 |   13
Postal Mail      |   22 |   16 |   25 |   12 |   16
Disposal         |   28 |   10 |   38 |   15 |   21
Fraud            |   27 |   41 |   43 |   16 |   22
"Hack"           |   61 |   58 |   40 |   50 |   24
Stolen Equipment |  146 |  113 |   89 |   69 |   53

MALICIOUS AND POTENTIALLY UNWANTED SOFTWARE

The 11 locations with the most computers cleaned by Microsoft desktop anti-malware products in 2Q10:

#  | Country/Region | Computers Cleaned (1Q10) | Computers Cleaned (2Q10) | Change
1  | United States  | 11,025,811 | 9,609,215 | -12.8% ▼
2  | Brazil         |  2,026,578 | 2,354,709 |  16.2% ▲
3  | China          |  2,168,810 | 1,943,154 | -10.4% ▼
4  | France         |  1,943,841 | 1,510,857 | -22.3% ▼
5  | Spain          |  1,358,584 | 1,348,683 |  -0.7% ▼
6  | United Kingdom |  1,490,594 | 1,285,570 | -13.8% ▼
7  | Korea          |    962,624 | 1,015,173 |   5.5% ▲
8  | Germany        |    949,625 |   925,332 |  -2.6% ▼
9  | Italy          |    836,593 |   794,099 |  -5.1% ▼
10 | Russia         |    700,685 |   783,210 |  11.8% ▲
11 | Mexico         |    768,646 |   764,060 |  -0.6% ▼

Significant differences in threat patterns worldwide.
[Chart: share of computers cleaned by threat category per location; categories: Misc. Trojans, Worms, Misc. Potentially Unwanted Software, Trojan Downloaders & Droppers, Password Stealers & Monitoring Tools, Adware, Backdoors, Viruses, Exploits, Spyware.]

Worldwide infection rate: average 9.6 CCM for 2Q10.

[Chart: Most improved locations between 1Q09 and 2Q10 by CCM (100,000 MSRT executions); series Brazil, Saudi Arabia, Guatemala, Russia, Jordan, Worldwide.]

[Chart: Highest infection rates 1Q09-2Q10 by CCM (100,000 MSRT executions); series Turkey, Spain, Korea, Taiwan, Brazil, Worldwide.]

Category trends, 3Q09 to 2Q10 (data from all Microsoft security products)
[Chart: share of infected computers by category per quarter; categories as above. Circular markers represent potentially unwanted software; square markers represent malware.]

Top 10 families worldwide in 2Q10 (data from all Microsoft security products):

#  | Family           | Most Significant Category              | 1Q10      | 2Q10
1  | Win32/Taterf     | Worms                                  | 1,495,286 | 2,320,953
2  | Win32/Frethog    | Password Stealers & Monitoring Tools   | 2,010,989 | 1,997,669
3  | Win32/Renos      | Trojan Downloaders & Droppers          | 2,691,987 | 1,888,339
4  | Win32/Rimecud    | Worms                                  | 1,807,773 | 1,748,260
5  | Win32/Autorun    | Worms                                  | 1,256,356 | 1,645,851
6  | Win32/Hotbar     | Adware                                 | 1,015,055 | 1,482,681
7  | Win32/FakeSpypro | Miscellaneous Trojans                  | 1,244,353 | 1,423,528
8  | Win32/Conficker  | Worms                                  | 1,496,877 | 1,663,349
9  | Win32/Alureon    | Miscellaneous Trojans                  | 1,463,885 | 1,035,079
10 | Win32/Zwangi     | Misc.
Recommended publications
  • A The Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous intéresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practical jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior
    BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior. Bushra A. Alahmadi (University of Oxford, UK), Enrico Mariconti (University College London, UK), Riccardo Spolaor (University of Oxford, UK), Gianluca Stringhini (Boston University, USA), Ivan Martinovic (University of Oxford, UK). ABSTRACT: Botnets continue to be a threat to organizations, thus various machine learning-based botnet detectors have been proposed. However, the capability of such systems in detecting new or unseen botnets is crucial to ensure its robustness against the rapid evolution of botnets. Moreover, it prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. The Markov Chains state transitions capture the bots’ network behavior using high-level flow features as states, [...] through DDoS (e.g. DDoS on Estonia [22]), email spam (e.g. Geodo), ClickFraud (e.g. ClickBot), and spreading malware (e.g. Zeus). 10,263 malware botnet controllers (C&C) were blocked by Spamhaus Malware Labs in 2018 alone, an 8% increase from the number of botnet C&Cs seen in 2017. Cybercriminals are actively monetizing botnets to launch attacks, which are evolving significantly and require more effective detection mechanisms capable of detecting those which are new or unseen. Botnets rely heavily on network communications to infect new victims (propagation), to communicate with the C&C server, or to perform their operational task (e.g.
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE. 2015 HIGHLIGHTS (p.8): A few of the major events in 2015 concerning security issues. 02/15: Europol joint op takes down Ramnit botnet. 07/15: Hacking Team breached, data released online. 07/15: Bugs prompt Ford, Range Rover, Prius, Chrysler recalls. 07/15: Android Stagefright flaw reported. 07/15: FBI Darkode bazaar shutdown. 08/15: Google patches Android Stagefright flaw. 08/15: Amazon, Chrome drop Flash ads. 09/15: XcodeGhost tainted apps prompts AppStore cleanup. (Event categories: ENFORCEMENT, ATTACKS, VULNERABILITY, SECURITY PRODUCT.) TOP MALWARE FAMILIES (p.12): Njw0rm was the most prominent new malware family in 2015. Families listed: Njw0rm, Angler, Gamarue, Dorkbot, Nuclear, Kilim, Ippedo, Dridex, WormLink. MEET THE DUKES (p.18): The Dukes are a well-resourced, highly dedicated and organized cyberespionage group believed to be working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. BREACHING THE WALLED GARDEN (p.20): In late 2015, the Apple App Store saw a string of incidents where developers had used compromised tools to unwittingly create apps with malicious behavior. The apps were able to bypass Apple’s review procedures to gain entry into the store, and from there into an ordinary user’s iOS device. THE CHAIN OF COMPROMISE: The Stages (p.23); The Chain of Compromise (p.28). The Chain of Compromise is a user-centric model that illustrates how cyber attacks combine different techniques and resources to compromise devices and networks. It is defined by 4 main phases: Inception, Intrusion, Infection, and Invasion. INCEPTION: Redirectors wreak havoc on US, Europe (p.28). INTRUSION: Angler EK dominates Flash (p.29). INFECTION: The rise of crypto-ransomware (p.31). THREATS BY REGION: Europe was particularly affected by the Angler exploit kit.
  • Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It
    by Bisyron Wahyudi and Muhammad Salahuddien. The amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in host and network technology suggest that there will be new vulnerabilities. Attackers have an interest in identifying networks and hosts to expose vulnerabilities: network scans, worms, trojans, botnets. Complicated methods of attack make it difficult to identify the real attacks: it is not as simple as filtering out the traffic from some sources. Security is implemented like an “add on” module for the Internet. Understanding the nature and behavior of malicious sources and targeted ports is important to minimize the damage by building strong, specific security rules and countermeasures, to help the cyber security policy-making process, and to raise public awareness. Questions: Do malicious sources generate the attacks uniformly? Is there any specific pattern, i.e. recurrent events? Is there any correlation between the number of some attacks over a specific time? Many systems and phenomena (events) are distributed according to a “power law”. When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law. A power law applies to a system when large is rare and small is common. Collection of system logs from a Networked Intrusion Detection System (IDS): the NIDS contains 11 sensors installed in different core networks in Indonesian ISPs (NAP). Period: January 2012 - September 2012. Available fields: Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID. Two quantities x and y are related by a power law if y is proportional to x^(-c) for a constant c, i.e. y ∝ x^(-c). If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line with slope -c; the slope of the log-log plot is the power exponent c. Destination Port Distribution.
  • Éric FREYSSINET Lutte Contre Les Botnets
    DOCTORAL THESIS OF THE UNIVERSITÉ PIERRE ET MARIE CURIE. Speciality: Computer Science. Doctoral school: Informatique, Télécommunications et Électronique (Paris). Presented by Éric FREYSSINET to obtain the degree of DOCTOR OF THE UNIVERSITÉ PIERRE ET MARIE CURIE. Thesis subject: Lutte contre les botnets : analyse et stratégie [Fighting botnets: analysis and strategy]. Presented and defended publicly on 12 November 2015 before a jury composed of: Reviewers: Mr. Jean-Yves Marion, Professor, Université de Lorraine; Mr. Ludovic Mé, Lecturer-researcher, CentraleSupélec. Thesis supervisors: Mr. David Naccache, Professor, École normale supérieure; Mr. Matthieu Latapy, Research Director, UPMC, LIP6. Examiners: Ms. Clémence Magnien, Research Director, UPMC, LIP6; Ms. Solange Ghernaouti-Hélie, Professor, Université de Lausanne; Mr. Vincent Nicomette, Professor, INSA Toulouse. This thesis is dedicated to M. “He who does not prevent a crime when he could becomes its accomplice.” — Seneca. Acknowledgements: I would like to thank my two thesis supervisors. David Naccache, a reserve officer of the gendarmerie, contributes to the development of research within our institution by pushing both young and not-so-young personnel to pursue their passion within the appropriate academic framework. Matthieu Latapy, of LIP6, with whom we had been able to exchange views around a thesis he was supervising in the difficult field of harm to minors on the Internet, and who agreed to welcome me into his team. I would also like to thank the whole Réseaux Complexes team at LIP6 and its current team leader, Clémence Magnien, who welcomed me with open arms, accompanied me at every step, and whose research topics and working methods I was able to discover over the course of meetings and discussions.
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles: A Journey to Infamy. Trend Micro, Incorporated. Rik Ferguson, Senior Security Advisor. A Trend Micro White Paper | November 2010. CONTENTS: A Prelude to Evolution (4); The Botnet Saga Begins (5); The Birth of Organized Crime (7); The Security War Rages On (8); Lost in the White Noise (10); Where Do We Go from Here? (11); References (12). The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section.
  • Classification of Malware Persistence Mechanisms Using Low-Artifact Disk Instrumentation
    CLASSIFICATION OF MALWARE PERSISTENCE MECHANISMS USING LOW-ARTIFACT DISK INSTRUMENTATION. A Dissertation Presented by Jennifer Mankin to The Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical and Computer Engineering in the field of Computer Engineering, Northeastern University, Boston, Massachusetts, September 2013. Abstract: The proliferation of malware in recent years has motivated the need for tools to analyze, classify, and understand intrusions. Current research in analyzing malware focuses either on labeling malware by its maliciousness (e.g., malicious or benign) or classifying it by the variant it belongs to. We argue that, in addition to providing coarse family labels, it is useful to label malware by the capabilities they employ. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employ in order to evade analysis and detection. In this thesis, we present Dione, a flexible rule-based disk I/O monitoring and analysis infrastructure. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing high-level file system and registry changes as they occur. We evaluate the accuracy and performance of Dione, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty less than 2% in many cases. Given the trustworthy behavioral traces obtained by Dione, we convert file system-level events to high-level capabilities.
  • Modeling the Propagation of Worms in Networks: A Survey
    942 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 2, SECOND QUARTER 2014. Modeling the Propagation of Worms in Networks: A Survey. Yini Wang, Sheng Wen, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE. Abstract—There are two common means for propagating worms: scanning vulnerable computers in the network and spreading through topological neighbors. Modeling the propagation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous researches either focus on their proposed work or pay attention to exploring detection and defense systems. Few of them give a comprehensive analysis in modeling the propagation of worms which is helpful for developing defense mechanisms against worms’ spreading. This paper presents a survey and comparison of worms’ propagation models according to two different spreading methods of worms. We first identify worms’ characteristics through their spreading behavior, and then classify various target discovery techniques employed by them. [...] attacks account for 1/4 of the total threats in 2009 and nearly 1/5 of the total threats in 2010. In order to prevent worms from spreading into a large scale, researchers focus on modeling their propagation and then, on the basis of it, investigate the optimized countermeasures. Similar to the research of some natural disasters, like earthquakes and tsunamis, the modeling can help us understand and characterize the key properties of their spreading. In this field, it is mandatory to guarantee the accuracy of the modeling before the derived countermeasures can be considered credible. In recent years, although a variety of models and algorithms have been proposed for modeling
  • Slide 1
    Feliciano Intini, Head of Security and Privacy Programs, Microsoft Italy. NonSoloSecurity Blog: http://blogs.technet.com/feliciano_intini. Twitter: http://twitter.com/felicianointini. 1. Introduction - Microsoft Security Intelligence Report (SIR). 2. Today’s Threats - SIR v.8 New Findings – Italy view. 3. Advancements in Software Protection and Development. 4. What the Users and Industry Can Do. The 8th volume of the Security Intelligence Report contains data and intelligence from the past several years, but focuses on the second half of 2009 (2H09). Full document covers: Malicious Software & Potentially Unwanted Software; Email, Spam & Phishing Threats; focus sections on Malware and signed code and Threat combinations; Malicious Web sites; Software Vulnerability Exploits (Browser-based exploits, Office document exploits, Drive-by download attacks); Security and privacy breaches; Software Vulnerability Disclosures; Microsoft Security Bulletins; Exploitability Index; Usage trends for Windows Update and Microsoft Update. Contributing centers: Microsoft Malware Protection Center (MMPC), Microsoft Security Response Center (MSRC), Microsoft Security Engineering Center (MSEC). Guidance, advice and strategies: detailed strategies, mitigations and countermeasures, fully revised and updated; guidance on protecting networks, systems and people; Microsoft IT ‘real world’ experience: how Microsoft IT secures Microsoft. Malware patterns around the world with deep-dive content on 26 countries and regions. Data sources: Malicious Software and Potentially Unwanted Software. MSRT has a user base
  • Proposal of N-Gram Based Algorithm for Malware Classification
    SECURWARE 2011 : The Fifth International Conference on Emerging Security Information, Systems and Technologies. Proposal of n-gram Based Algorithm for Malware Classification. Abdurrahman Pektaş and Mehmet Eriş (The Scientific and Technological Research Council of Turkey, National Research Institute of Electronics and Cryptology, Gebze, Turkey; e-mail: [email protected], [email protected]); Tankut Acarman (Computer Engineering Dept., Galatasaray University, Istanbul, Turkey; e-mail: [email protected]). Abstract— Obfuscation techniques degrade the n-gram features of binary form of the malware. In this study, methodology to classify malware instances by using n-gram features of its disassembled code is presented. The presented statistical method uses the n-gram features of the malware to classify its instance with respect to their families. n-gram is a fixed size sliding window of byte array, where n is the size of the window. The contribution of the presented method is capability of using only one vector to represent malware subfamily which is called subfamily centroid. Using only one vector for classification simply reduces the dimension of the n-gram space. [...] malware used by the previous work. Similar methodologies have been used in source authorship, information retrieval and natural language processing [5], [6]. The first known use of machine learning in malware detection is presented by the work of Tesauro et al. in [7]. This detection algorithm was successfully implemented in IBM’s antivirus scanner. They used 3-grams as a feature set and neural networks as a classification model. When the 3-grams parameter is selected, the number of all n-gram features becomes 256^3, which leads to some spacing
  • Security Chapter
    Barbarians at the Gateway (and just about everywhere else): A Brief Managerial Introduction to Information Security Issues. A gallaugher.com case provided free to faculty & students for non-commercial use. © Copyright 1997-2009, John M. Gallaugher, Ph.D. – for more info see: http://www.gallaugher.com/chapters.html. Draft version last modified: Dec. 7, 2009 – comments welcome: [email protected]. Note: this is an earlier version of the chapter. All chapters updated Dec. 2009 are now hosted (and still free) at http://www.flatworldknowledge.com. For details see the ‘Courseware’ section of http://gallaugher.com. INTRODUCTION. LEARNING OBJECTIVES: After studying this section you should be able to: 1. Recognize that information security breaches are on the rise. 2. Understand the potentially damaging impact of security breaches. 3. Recognize that information security must be made a top organizational priority. Sitting in the parking lot of a Minneapolis Marshalls, a hacker armed with a laptop and a telescope-shaped antenna infiltrated the store’s network via an insecure Wi-Fi base station. The attack launched what would become a billion-dollar plus nightmare scenario for TJX, the parent of retail chains that include Marshalls, Home Goods, and T.J. Maxx. Over a period of several months, the hacker and his gang stole at least 45.7 million credit and debit card numbers, and pilfered driver’s license and other private information from an additional 450,000 customers. TJX, at the time a $17.5 billion, Fortune 500 firm, was left reeling from the incident. The attack deeply damaged the firm’s reputation.
  • Transition Analysis of Cyber Attacks Based on Long-Term Observation
    2-3 nicter Report —Transition Analysis of Cyber Attacks Based on Long-term Observation— NAKAZATO Junji and OHTAKA Kazuhiro. In this report, we provide statistical data concerning cyber attacks and malware based on long-term network monitoring on the nicter. Especially, we show a continuous observation report of Conficker, which has been a pandemic malware since November 2008. In addition, we report a transition analysis of the scale of botnet activities. Keywords: Incident analysis, Darknet, Network monitoring, Malware analysis. 1 Introduction. We have been monitoring the IP address space that is reachable and unused on the Internet (i.e. darknets) on a large scale to understand the overall impact inflicted by network infectious activities including malware. This report analyzes the darknet traffic that has been monitored and accumulated over six years by an incident analysis center named the nicter[1][2] to provide changing trends of cyber attacks and fluctuation of attacker host activities as obtained by long-term monitoring. In particular, we focus on Conficker, a worm that has triggered large-scale infections since November 2008, and report its impact on the Internet and its current activities. [...] leverages the traffic as detected by the four black hole sensors placed on different network environments as shown by Fig. 1. Sensor I: Structure where live nets and darknets coexist in a class B network. Sensor II: Structure where only darknets exist in a class B network. Sensor III: Structure where a /24 subnet in a class B network is a darknet. Sensor IV: Structure where live nets and darknets coexist in a class B network. The traffic obtained by these four sensors is analyzed by different analysis engines[3][4].