2008 Trends / 2009 Predictions
17 November 2008
Mike La Pilla, iDefense Malicious Code Operations Team, VeriSign FIRST Team
Last Year’s Predictions Reviewed
+ [summary table from trends paper]
+ Increase in insider incidents, due primarily to increased disclosure [Inconclusive]
+ Continued maturation of cyber criminals, including bulletproof hosting and other formal infrastructure supporting criminal activity [Correct]
+ Increase in malicious code attacks in proportion to social engineering (i.e., phishing) [Correct]
+ Politically motivated distributed denial of service attacks [Correct]
+ Growth of the Chinese underground with a shift toward financial motivation [Correct]
+ Little or no state-sponsored hacking from China [Inconclusive]
+ Increased aggressiveness from Muslim hackers [Correct]
+ Deepening ties between secular Arab hackers and their pro-terrorist counterparts [Correct]
+ Hacktivists to employ targeted malicious code and spear-phishing attacks against key officials/executives [Incorrect]
+ Malicious activity to accompany any major geopolitical event [Correct]
+ Large amounts of spam will continue to use common file extensions (.pdf, .doc, .zip, etc.) [Inconclusive]
+ Shift toward transaction hijacking (in response to TFA adoption) [Correct]
Last Year’s Predictions Reviewed
+ Continued targeting of social networking platforms [Correct]
+ Leveling of DNS vulnerabilities and abuse [Incorrect]
+ Continued use of IM for distribution of malicious URLs and files [Correct]
+ Attacks against mobile banking offerings [Inconclusive]
+ Introduction of more "month of" initiatives [Incorrect]
+ Increase in the number of known vulnerabilities [Correct]
+ Widespread adoption of fast-flux by organized phishing groups [Correct]
+ Aggregation of stolen phishing information (names/addresses) to create targeted attacks [Inconclusive]
+ Increased stealth of attacks [Correct]
+ Focus on Vista exploitation in the latter half of the year [Inconclusive]
+ Continued increase in multi-stage attacks [Correct]
+ Increase in public reports of bots attacking from within Fortune 500 networks [Incorrect]
+ Increased government involvement in Industrial Control System security [Correct]
+ Decline of IRC-based command and control (C&C) servers in favor of peer-to-peer (P2P) and Web communications [Correct]
+ Emergence of an aftermarket for tools and toolkits for novice criminals [Correct]
Review of 2008 Major Events
2 Major Cisco Scares
+ Sebastian Muñiz Rootkit Presentation
+ Counterfeit Hardware
Intel Microcode Bugs
Kaminsky DNS Vulnerability
[Flowchart: official BIND patch released. Apply? No: negative press, unprotected users. Yes: load handling problem, leading to server problems and user complaints. Apply beta fix? Yes: protected, but major production systems are running on a beta patch.]
Russia-Georgia Conflict
+ State-Sponsored or Independent Cyber Attacks?
+ Both Affect Citizens and Government
Major Law Enforcement Accomplishments
2008 Trends
+ Media Headlines Are a Fraction of the Story
+ International Headlines Miss Many Key Regional Events
Transaction Hijacking Banking Malware
+ In 2008, 8 Countries on 4 Continents Targeted
+ Both Custom Tools and Ready-To-Buy Toolkits Used
Hacking Multi-Factor Authentication
+ Consumers Under Constant Attack
+ 2008 Shows Increase in Business-to-Business Attacks
[Diagram: victim, e-mail, attacker, bank web site]
Fake & Rogue Antivirus/Antispyware
2008 Social Networking Malware & Spam
+ Orkut, MySpace, Facebook, etc.
2008 – Mass SQL Injection Attacks
+ Chinese Exploit Attacks
+ Asprox Attacks
[Diagram: a user visits a SQL-injected web site, which loads exploits from another site and infects the computer; infected computers join a reverse-proxy fast-flux network used to send spam, inject other sites, host exploits and host phishing pages]
Fast Flux Networks
[Diagram: client, local DNS server, Bank.com, fakeBank.com and its name server, zombies 1 to n, and the mother ship behind them]
Fast Flux Networks – Single Flux
[Diagram sequence: the fakeBank.com name server answers the client's lookup with fakeBank IP = X.X.X.X and a small TTL; on the next lookup it answers with Y.Y.Y.Y. Zombies 1 to n sit at X.X.X.X, Y.Y.Y.Y and Z.Z.Z.Z and relay the client to the mother ship.]
Fast Flux Networks – Double Flux
[Diagram sequence: the .com TLD name server hands out the fakeBank.com name server as IP = Q.Q.Q.Q with a small TTL, later as R.R.R.R; the zombie acting as name server (Q.Q.Q.Q, R.R.R.R, S.S.S.S) then answers fakeBank IP = Y.Y.Y.Y, later Z.Z.Z.Z, again with small TTLs. Both the name servers and the re-directors (zombies 1 to n at X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z) rotate in front of the mother ship.]
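The single-flux and double-flux diagrams above boil down to two observable DNS symptoms: small TTLs and a record set that keeps changing, first on the target name's A records, then (double flux) on its name servers' A records as well. The following is an added example, not code from the presentation or from iDefense; it assumes a constructed list of DNS answers (hypothetical `bank.example` / `fakebank.example` names, documentation-range addresses standing in for X/Y/Z and Q/R/S) and flags each name as single flux, double flux or neither.

```python
"""Heuristic fast-flux check over a constructed stream of DNS answers."""
from collections import defaultdict

# Constructed sample (not real data): successive answers a resolver saw.
# Each record is (qname, rrtype, ttl_seconds, rdata). The fake bank's
# A records rotate through X/Y/Z with small TTLs; its name server's
# A records rotate through Q/R/S, the double-flux pattern on the slides.
OBSERVATIONS = [
    ("bank.example", "A", 3600, "198.51.100.10"),
    ("bank.example", "A", 3600, "198.51.100.10"),
    ("bank.example", "NS", 86400, "ns1.bank.example"),
    ("fakebank.example", "A", 180, "203.0.113.5"),      # X.X.X.X
    ("fakebank.example", "A", 180, "203.0.113.77"),     # Y.Y.Y.Y
    ("fakebank.example", "A", 120, "192.0.2.200"),      # Z.Z.Z.Z
    ("fakebank.example", "NS", 180, "ns.fakebank.example"),
    ("ns.fakebank.example", "A", 180, "203.0.113.9"),   # Q.Q.Q.Q
    ("ns.fakebank.example", "A", 180, "192.0.2.33"),    # R.R.R.R
    ("ns.fakebank.example", "A", 120, "203.0.113.120"), # S.S.S.S
]

LOW_TTL = 300       # seconds; at or below this a TTL counts as "small"
MIN_DISTINCT = 3    # distinct addresses needed before we call it flux
EMPTY = {"rdata": frozenset(), "min_ttl": None}

def profile(observations):
    """Per (name, rrtype): the set of rdata seen and the smallest TTL."""
    seen = defaultdict(lambda: {"rdata": set(), "min_ttl": None})
    for qname, rrtype, ttl, rdata in observations:
        p = seen[(qname.lower(), rrtype)]
        p["rdata"].add(rdata)
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
    return seen

def is_fluxing(p):
    """True when a record set both has a small TTL and keeps changing."""
    return (p["min_ttl"] is not None and p["min_ttl"] <= LOW_TTL
            and len(p["rdata"]) >= MIN_DISTINCT)

def classify(name, observations):
    """'single' if the name's A records flux, 'double' if its name
    servers' A records flux as well, None if nothing looks fluxy."""
    prof = profile(observations)
    name = name.lower()
    single = is_fluxing(prof.get((name, "A"), EMPTY))
    ns_hosts = prof.get((name, "NS"), EMPTY)["rdata"]
    ns_flux = any(is_fluxing(prof.get((ns.lower(), "A"), EMPTY)) for ns in ns_hosts)
    if single and ns_flux:
        return "double"
    return "single" if single else None
```

A low-TTL, many-address profile is also what a content delivery network looks like from the resolver, so treat the result as a triage signal to be confirmed against the slide's other tells (consumer broadband addresses, short-lived zombies) rather than as a verdict.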
Fast-Flux Networks – Easy to Rent
Target Expansion
+ 2008 Exponential Growth in Attacks Against Latin American Countries
+ Africa, Middle East, Eastern Europe, Asia: Many New Targets
+ We Must Study Changes in Countries To Determine Why
+ Overall Growth and Internet Usage Are Important Factors
+ Economies and Adoption of Online Banking Also Important
Torpig Master Boot Record Rootkit
+ Global Target List Includes Argentina, Brazil, Chile, Costa Rica
Internet Growth
Source: www.internetworldstats.com
Internet Growth Within Latin America
Source: www.internetworldstats.com
What Makes Countries Valuable?
2009 Predictions
+ iDefense Will Publish a Matrix Like Slides 2 & 3 for 2009 in One Month
+ Today Is the First Public Preview of the Most Important Issues in 2009
2009 – Separation of Top and Bottom
+ Tipping Point of Untalented Hackers / Resellers / Professionals
+ Forum Lock Down
+ New Reseller Market
+ Emerging Countries Targeted by Everyone Else
2009 – Cyber Espionage and Misinformation Campaigns
+ Media Repeatedly Blaming Hacking on Russia and China
+ Hackers Use This to Their Advantage
+ May Cause Actual Cyber Attacks as Revenge
2009 – Consumer Mobile Phone Attacks
+ People Make This Prediction Every Year
+ 2009 Is Different
2009 - Terrorism
+ Recruitment
+ Financing
+ Cyber Attacks
+ More Fatwas like Al-Azhar University
2009 - IPv6 Rollout Impact
+ Significantly larger address space: 4.3 billion addresses (IPv4) versus 3.4x10^38 addresses (IPv6)
2009 – International Domain Names
Source: http://idn.icann.org
2009 – Other
+ Maturity of Cyber Cartels
+ Major Infrastructure Changes
+ New “Enemy” Countries
Conclusions
+ European, Brazilian, North American, Australian Attacks Evolve
+ Other Countries Targeted as a Result
+ Actual Cyber Terrorism Movement
+ Consumer Smart Phones Targeted
+ IPv6, IDN Bring New Challenges
+ Social Networking Still a Big Factor
+ Arrests Slow but Changing Landscape
Questions and Answers
Mike La Pilla, mlapilla@idefense.com