DOCSLIB.ORG

Security Intelligence Report

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Microsoft Security Intelligence Report July–December 2006 An in-depth perspective of software vulnerabilities, malicious code threats, and potentially unwanted software, focusing on the second half of 2006 Microsoft Security Intelligence Report The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2007 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Active Directory, ActiveX, Forefront, Internet Explorer, OneCare, the Security Shield logo, SmartScreen, Win32, Windows, Windows Live, Windows Live OneCare, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Authors Vinny Gullotto Ziv Mador Microsoft Security Research & Response Microsoft Security Research & Response Jeff Jones George Stathakopoulos Trustworthy Computing Microsoft Security Response Center Mary Landesman Jeff Williams Microsoft Security Research & Response Microsoft Security Research & Response Contributors Chuck Bassett Yuhui Huang Microsoft Forefront Client Security Microsoft Security Research & Response Dave Berkowitz Aaron Hulett Trustworthy Computing Microsoft Security Research & Response Subratam Biswas Jonathan Keller Microsoft Security Research & Response Microsoft Security Research & Response Daniel Bohm David Kennedy Exchange Hosted Services (EHS) Microsoft Legal and Corporate Affairs Matthew Braverman Jimmy Kuo Microsoft Security Research & Response Microsoft Security Research & Response Christopher Budd Mady Marinescu Trustworthy Computing Microsoft Security Research & Response Alexandru Carp Charles McColgan Microsoft Security Research & Response Exchange Hosted Services (EHS) Doug Cavit Mark Miller Trustworthy Computing Trustworthy Computing Brendan Foley Michael Mitchell Microsoft Security and Access Product Marketing Microsoft Legal and Corporate Affairs Jason Garms Gina Narkunas Windows Engineering Microsoft Online Services Group Jason Geffner Adam Overton Microsoft Security Research & Response Microsoft Security Research & Response Kjersti Gunderson Tim Rains Waggener Edstrom Trustworthy Computing Jim Hahn Bo Rohlfsen Windows Client Windows Live OneCare Brett Harris Stephen Toulouse Microsoft Security Research & Response Trustworthy Computing Richard Harrison Pat Winkler Content Master Microsoft Security Research & Response Rob Hensing Jaime Wong Microsoft Security Technology Unit Microsoft Security Research & Response Microsoft Security Intelligence Report Table of Contents About This Report 1 Scope . 1 Reporting.Period . ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... 1 Data.Sources. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... 1 Executive Foreword 4 Executive Summary 5 Software.Vulnerabilities.Highlights. ... ... ... ... ... ... ... ... ... ... ... ... 5 Malicious.Software.Highlights. ... ... ... ... ... ... ... ... ... ... ... ... ... 6 Potentially.Unwanted.Software.Highlights. ... ... ... ... ... ... ... ... ... 7 Vulnerability Trends for 2006 7 Vulnerability.Disclosures.by.Year. ... ... ... ... ... ... ... ... ... ... ... ... 8 Vulnerability.Disclosures.by.Month. ... ... ... ... ... ... ... ... ... ... ... ... 9 Vulnerability.Disclosures.by.Week.. .. .. .. .. .. .. .. .. .. .. .. ...9 Vulnerability.Disclosures.by.Day.of.the.Week. ... ... ... ... ... ... ... ... ..10 Vulnerability.Disclosures.by.Severity .. .. .. .. .. .. .. .. .. .. .. ...11 Complexity.to.Exploit.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ...13 Operating.System.(OS).vs ..Non-OS.Disclosures. ... ... ... ... ... ... ... .....14 Summary.and.Conclusion. 14 Malicious Software 15 Malicious.Software.Categories. ... ... ... ... ... ... ... ... ... ... ... ... .....15 Malicious.Software.Activity. ... ... ... ... ... ... ... ... ... ... ... ... ... .....16 Microsoft Security Intelligence Report i Potentially Unwanted Software 38 Windows.Defender.Arrives . ... ... ... ... ... ... ... ... ... ... ... ... ... .....39 Software.Detected.by.Windows.Defender . ... ... ... ... ... ... ... ... .....39 Categories.of.Potentially.Unwanted.Software. ... ... ... ... ... ... ... ... ..42 Geographic.Data . ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .....44 A.Focus.on.Rogue.Security.Software.. .. .. .. .. .. .. .. .. .. .. ...46 Executive Afterword 50 Conclusion . 52 Appendix A: Microsoft Antimalware Offerings 54 Windows.Malicious.Software.Removal.Tool. 54 Windows.Defender.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ...54 Windows.Live.OneCare . 55 Windows.Live.OneCare.Safety.Scanner.. .. .. .. .. .. .. .. .. .. ...56 Microsoft.Exchange.Hosted.Filtering . ... ... ... ... ... ... ... ... ... ... .....57 Microsoft.Forefront.Client.Security. ... ... ... ... ... ... ... ... ... ... ... ..58 Microsoft.Forefront.Security.for.Exchange.Server . ... ... ... ... ... ... .....59 Microsoft.Forefront.Security.for.SharePoint. 60 Appendix B: Windows Vista Security Features 62 Microsoft Security Intelligence Report About This Report Scope The last Security Intelligence Report published by Microsoft® focused on data and trends observed in the first half of 2006 specific to malicious software or potentially unwanted software. That report can be found at http://go.microsoft.com/?linkid=6543860. We continue to focus on malicious software data and trends in this report, but we have also expanded the scope of the report to include data and trends for software vulnerabilities. Note On November 30, 2006, Windows Vista™ was made available to business customers with volume license agreements. Windows Vista became generally available on January 30, 2007. Although this report does make reference to Windows Vista, a full analysis of relevant data from Windows Vista will be included in a future version of this report. Reporting Period This Security Intelligence Report contains data and trends observed over the past several years, but focuses on the second half of 2006 [2H06]. The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and YY denotes the year. For example, 1H06 represents the period covering the first half of 2006 (January 1 through June 30), while 2H05 represents the period covering the second half of 2005 (July 1 through December 31). Data Sources Software Vulnerabilities The efforts to identify and fix vulnerabilities lacked a common naming mechanism until a consortium led by The Mitre Corporation began publishing the Common Vulnerabilities and Exposure (CVE) list, which drives a common naming mechanism that can be leveraged by multiple vulnerability databases and security products. The CVE naming conventions provide the most comprehensive list of vulnerabilities worldwide, across software products of all types. This report uses the CVE naming conventions when identifying individual vulnerabilities. Microsoft Security Intelligence Report The analysis in this report uses a set of data that has been created by compiling, customizing, and cross-checking several sources of data available on the Internet: ■ Common Vulnerabilities and Exposures Web site (http://cve.mitre.org). A large portion of the data analyzed originates from the CVE list maintained at this site, which is currently sponsored by the United States Department of Homeland Security (DHS). The naming mechanisms and external references to sources for additional information were particularly valuable. ■ National Vulnerability Database (NVD) Web site (http://nvd.nist.gov/). This database superset of the CVE list, which provides additional objective information concerning vulnerabilities, was the source used to determine severity ratings and to exploit complexity assessment. The NVD is also sponsored by the United States DHS, and their data is downloadable in an XML format at http://nvd.nist.gov/download.cfm. ■ Security Web sites. The following sites, as well as many others, were utilized for detailed verification and validation of vulnerability specifics: ■ http://www.securityfocus.com ■ http://www.securityfocus.com/archive/1 (Bugtraq mailing list) ■ http://www.secunia.com ■ http://www.securitytracker.com
Recommended publications
  • Unified, Easy-To-Manage Endpoint Security

    Unified, Easy-To-Manage Endpoint Security

    Unified, Easy-to-Manage Endpoint Security Microsoft® Forefront™ Protect Business Continuity with Improved Management Client Security protects of Endpoint Security laptops, desktops, and file The release of the next generation of on Windows firewall activities. The agent servers with integrated Forefront client security protects business incorporates proven technologies already protection against laptops, desktops, and file servers against in use on millions of computers worldwide malware. It simplifies viruses, spyware, rootkits, and other and is backed by efficient and effective control of endpoint malware. The solution includes: threat response from the Microsoft security and provides n A single agent that provides antivirus Malware Protection Center. better visibility into the and antispyware protection, vulnerability Forefront Client Security is designed to overall protection of the assessment and remediation, and host simplify administration and save valuable environment. Defenses firewall management. time through its single management are easily managed from n A central management server that console and policy configuration, the Microsoft Forefront enables administrators to configure, central update infrastructure, and Management Console update, and report on agent activity automated endpoint discovery. It also code-named “Stirling.” across the enterprise. integrates with existing investments in Microsoft technologies. The two components work together to www.microsoft.com/ provide unmatched visibility and control To reduce risk,
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • Symantec Report on Rogue Security Software July 08 – June 09

    Symantec Report on Rogue Security Software July 08 – June 09

    REPORT: SYMANTEC ENTERPRISE SECURITY SYMANTEC REPORT: Symantec Report on Rogue Security Software July 08 – June 09 Published October 2009 Confidence in a connected world. White Paper: Symantec Enterprise Security Symantec Report on Rogue Security Software July 08 – June 09 Contents Introduction . 1 Overview of Rogue Security Software. 2 Risks . 4 Advertising methods . 7 Installation techniques . 9 Legal actions and noteworthy scam convictions . 14 Prevalence of Rogue Security Software . 17 Top reported rogue security software. 17 Additional noteworthy rogue security software samples . 25 Top rogue security software by region . 28 Top rogue security software installation methods . 29 Top rogue security software advertising methods . 30 Analysis of Rogue Security Software Distribution . 32 Analysis of Rogue Security Software Servers . 36 Appendix A: Protection and Mitigation. 45 Appendix B: Methodologies. 48 Credits . 50 Symantec Report on Rogue Security Software July 08 – June 09 Introduction The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs. This includes an overview of how these programs work and how they affect users, including their risk implications, various distribution methods, and innovative attack vectors. It includes a brief discussion of some of the more noteworthy scams, as well as an analysis of the prevalence of rogue security software globally. It also includes a discussion on a number of servers that Symantec observed hosting these misleading applications. Except where otherwise noted, the period of observation for this report was from July 1, 2008, to June 30, 2009. Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network.
  • Watch out for Fake Virus Alerts

    Watch out for Fake Virus Alerts

    State of West Virginia Cyber Security Tip ALERT West Virginia Office of Information Security and Controls – Jim Richards, WV Chief Information Security Officer WATCH OUT FOR FAKE VIRUS ALERTS Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective (i.e. free virus scan) but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions. How does rogue security software get on my computer? Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web. The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer. Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer. What does rogue security software do? Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect. Some rogue security software might also: Lure you into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program).
  • 1.Computer Virus Reported (1) Summary for This Quarter

    1.Computer Virus Reported (1) Summary for This Quarter

    Attachment 1 1.Computer Virus Reported (1) Summary for this Quarter The number of the cases reported for viruses*1 in the first quarter of 2013 decreased from that of the fourth quarter of 2012 (See Figure 1-1). As for the number of the viruses detected*2 in the first quarter of 2013, W32/Mydoom accounted for three-fourths of the total (See Figure 1-2). Compared to the fourth quarter of 2012, however, both W32/Mydoom and W32/Netsky showed a decreasing trend. When we looked into the cases reported for W32/Netsky, we found that in most of those cases, the virus code had been corrupted, for which the virus was unable to carry out its infection activity. So, it is unlikely that the number of cases involving this virus will increase significantly in the future As for W32/IRCbot, it has greatly decreased from the level of the fourth quarter of 2012. W32/IRCbot carries out infection activities by exploiting vulnerabilities within Windows or programs, and is often used as a foothold for carrying out "Targeted Attack". It is likely that that there has been a shift to attacks not using this virus. XM/Mailcab is a mass-mailing type virus that exploits mailer's address book and distributes copies of itself. By carelessly opening this type of email attachment, the user's computer is infected and if the number of such users increases, so will the number of the cases reported. As for the number of the malicious programs detected in the first quarter of 2013, Bancos, which steals IDs/Passwords for Internet banking, Backdoor, which sets up a back door on the target PC, and Webkit, which guides Internet users to a maliciously-crafted Website to infect with another virus, were detected in large numbers.
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics PH.D THESIS Platon Pantelis Kotzias Copyright c 2019 by Platon Pantelis Kotzias iv DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing Author: Platon Pantelis Kotzias Advisor: Dr. Juan Caballero April 2019 Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain Abstract of the Dissertation Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and sys- tematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
  • Detecting Botnets Using File System Indicators

    Detecting Botnets Using File System Indicators

    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
  • Torward: DISCOVERY, BLOCKING, and TRACEBACK of MALICIOUS TRAFFIC OVER Tor 2517

    Torward: DISCOVERY, BLOCKING, and TRACEBACK of MALICIOUS TRAFFIC OVER Tor 2517

    IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 12, DECEMBER 2015 2515 TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor Zhen Ling, Junzhou Luo, Member, IEEE,KuiWu,Senior Member, IEEE, Wei Yu, and Xinwen Fu Abstract— Tor is a popular low-latency anonymous communi- I. INTRODUCTION cation system. It is, however, currently abused in various ways. OR IS a popular overlay network that provides Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we designed Tanonymous communication over the Internet for and implemented a novel system, TorWard, for the discovery and TCP applications and helps fight against various Internet the systematic study of malicious traffic over Tor. The system censorship [1]. It serves hundreds of thousands of users and can avoid legal and administrative complaints, and allows the carries terabyte of traffic daily. Unfortunately, Tor has been investigation to be performed in a sensitive environment such abused in various ways. Copyrighted materials are shared as a university campus. An intrusion detection system (IDS) is used to discover and classify malicious traffic. We performed through Tor. The black markets (e.g., Silk Road [2], an comprehensive analysis and extensive real-world experiments to online market selling goods such as pornography, narcotics validate the feasibility and the effectiveness of TorWard. Our or weapons1) can be deployed through Tor hidden service. results show that around 10% Tor traffic can trigger IDS alerts. Attackers also run botnet Command and Control (C&C) Malicious traffic includes P2P traffic, malware traffic (e.g., botnet servers and send spam over Tor.
  • Spyware and Adware Continue to Present Substantial Harms to Internet Users and to the Internet As a Whole

    Spyware and Adware Continue to Present Substantial Harms to Internet Users and to the Internet As a Whole

    Testimony of Benjamin Edelman before the United States Senate Committee on Commerce, Science and Transportation June 11, 2008 Benjamin Edelman Baker Library 445 Assistant Professor 1 Soldier’s Field Rd Harvard Business School Boston, MA 02163 Chairman Inouye, Senator Pryor, Members of the Committee: My name is Benjamin Edelman. I am an assistant professor at the Harvard Business School, where my research focuses on the design of electronic marketplaces, including designing online marketplaces to assure safety, reliability, and efficiency. My full biography and publication list are at http://www.benedelman.org/bio and http://www.benedelman.org/publications . Today the committee considers the important problems of Internet spyware and deceptive adware – scourges that threaten the reliability, trustworthiness, and overall utility of many users’ Internet’s access. My bottom line: Despite some recent progress, spyware and adware continue to present substantial harms to Internet users and to the Internet as a whole. Many improper practices are already prohibited under existing statutes including the FTC Act, state consumer protection statutes, and state anti-spyware legislation. These statutes have given rise to a series of cases, both public and private, that have somewhat reined in the problems of spyware and adware. Tough Federal legislation could assist in bringing spyware and adware purveyors to justice, and in further deterring creation and support of this noxious software. But the bill at hand addresses only a portion of the problem, while in some ways reducing the effectiveness of existing efforts. By prohibiting specific individual practices, the bill invites perpetrators to comply with the letter of the law while continuing to harm and deceive consumers.
  • Microsoft Security Intelligence Report

    Microsoft Security Intelligence Report

    Microsoft Security Intelligence Report Volume 12 July through December, 2011 www.microsoft.com/sir Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Copyright © 2012 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. JULY–DECEMBER 2011 i Authors Dennis Batchelder David Felstead Ken Malcolmson Tim Rains Microsoft Protection Bing Microsoft Trustworthy Microsoft Trustworthy Technologies Computing Computing Paul Henry Shah Bawany Wadeware LLC Nam Ng Frank Simorjay Microsoft Windows Safety Microsoft Trustworthy Microsoft Trustworthy Platform Nitin Kumar Goel Computing Computing Microsoft Security Joe Blackbird Response Center Mark Oram Holly Stewart Microsoft Malware Microsoft Trustworthy Microsoft Malware Protection Center Jeff Jones Computing Protection Center Microsoft Trustworthy Eve Blakemore Computing Daryl Pecelj Matt Thomlinson Microsoft Trustworthy Microsoft IT Information Microsoft Trustworthy Computing Jimmy Kuo Security and Risk Computing Microsoft Malware Management Joe Faulhaber Protection Center Scott Wu Microsoft Malware Dave Probert Microsoft Malware Protection Center Marc Lauricella Microsoft
  • Gone Rogue: an Analysis of Rogue Security Software Campaigns (Invited Paper)

    Gone Rogue: an Analysis of Rogue Security Software Campaigns (Invited Paper)

    Gone Rogue: An Analysis of Rogue Security Software Campaigns (Invited Paper) Marco Cova∗, Corrado Leitay, Olivier Thonnardz, Angelos Keromytisy and Marc Daciery ∗University of California, Santa Barbara, [email protected] ySymantec Research Labs, fCorrado Leita,Angelos Keromytis,Marc [email protected] zRoyal Military Academy, Belgium, [email protected] Abstract technique consists of attracting victims on malicious web sites that exploit vulnerabilities in the client In the past few years, Internet miscreants have software (typically, the browser or one of its plugins) developed a number of techniques to defraud and to download and install the rogue programs without make a hefty profit out of their unsuspecting victims. any user intervention. A troubling, recent example of this trend is cyber- Rogue AV programs are distributed by cyber- criminals distributing rogue security software, that is criminals to generate a financial profit. In fact, after malicious programs that, by pretending to be legitimate the initial infection, victims are typically tricked into security tools (e.g., anti-virus or anti-spyware), deceive paying for additional tools or services (e.g., to upgrade users into paying a substantial amount of money in to the full version of the program or to subscribe to an exchange for little or no protection. update mechanism), which are most often fictitious or While the technical and economical aspects of rogue completely ineffective. The cost of these scams range security software (e.g., its distribution and monetiza- from $30–$100. tion mechanisms) are relatively well-understood, much Despite its reliance on traditional and relatively less is known about the campaigns through which this unsophisticated techniques, rogue AV has emerged as type of malware is distributed, that is what are the un- a major security threat, in terms of the size of the derlying techniques and coordinated efforts employed affected population (Symantec’s sensors alone reported by cyber-criminals to spread their malware.
  • F-Secure Anti-Virus for Microsoft Exchange

    F-Secure Anti-Virus for Microsoft Exchange

    F-Secure Anti-Virus for Microsoft Exchange Administrator’s Guide "F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation. Copyright © 1993-2008 F-Secure Corporation. All rights reserved. Portions Copyright © 1991-2006 Kaspersky Lab. This product includes software developed by the Apache Software Foundation (http:// www.apache.org/). Copyright © 2000-2006 The Apache Software Foundation. All rights reserved. This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2006 The PHP Group. All rights reserved. This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file. All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the “Artistic License”.