2. Q2-2013 Key Trends
• The Dark Seoul attack against banks and media companies in South Korea
• Backdoor Trojans and banking malware were the most popular mobile threats this quarter
• Ransomware, which holds a computer hostage until the victim pays to free it, is getting worse.
• Spam levels are bouncing back
3. Q2-2013 Key Trend: The Dark Seoul Attack
• The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development project that has been named Operation Troy.
• McAfee Labs' investigation into the Dark Seoul incident uncovered a long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.
• McAfee Labs' research learned that the Dark Seoul attack was preceded by years of attempted cyberespionage.
• For details, read the McAfee Labs report “Dissecting Operation Troy: Cyberespionage in South Korea”.
4. Q2-2013 Key Trend: Backdoor Trojans and Banking Malware
• “Backdoor” Trojans, which steal data without the victim’s knowledge, and malware that goes after banking login information have made up the largest portion of all new mobile malware families.
• Halfway through 2013, McAfee Labs had already collected almost as many mobile malware samples as in all of 2012.
• In Q2 2013 we added more than 17,000 Android samples to our database.
• Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 147 million samples in our malware “zoo.”
5. Q2-2013 Key Trend: Ransomware is getting worse!
• Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen.
• The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter.
• During the past two quarters we have catalogued more ransomware than in all previous periods combined.
• Reasons for ransomware’s growth:
  • It’s a very efficient means for criminals to earn money because they use various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for example, which must process credit card orders for the fake software.
  • An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon.
6. Q2-2013 Key Trend: Spam levels are bouncing back
• This quarter, spam volume reached 2 trillion messages in April, the highest figure we’ve seen since 2010.
• We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.
• Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are the most dramatic examples; each had an increase of greater than 200 percent this period.
7. Interested in the latest threats?
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2013.pdf
8. Malware Tsunami
McAfee Labs discovers over 100,000 samples every day
[Chart: growth in malware samples, year axis 2000–2013]
McAfee Confidential—Internal Use Only
9. Explosion of IP Devices
95% are unprotected
[Chart: growth from 1 billion devices to 50 billion connected devices]
10. Malware Tsunami
(100,000 Threats) * (50 Billion Devices) = X
[Chart: growth in malware samples, year axis 2000–2013]
11. Rethink Security—a New Paradigm
THE CONCEPT OF SIGNATURES IS BROKEN
[Chart: amount of samples per day and time to protection, with zero-day exploits and kernel-based attacks as drivers]
• 1997: 50,000 known threat samples
• 2007: 450,000 known threat samples
• 2013 (YTD): 147 million known threat samples
The new nature of attacks (propagation speed):
• 30 days to cross the office
• Minutes around the globe
• The future? Seconds around the globe; milliseconds???
12. What it Takes to Make Your Organization Safe
GLOBAL THREAT INTELLIGENCE — THREAT REPUTATION
[Diagram: Global Threat Intelligence reputation cloud fed by, and feeding, enforcement points]
Reputation inputs: network activity, affiliations, geo-location, application, domain, data activity, ports/protocol, IP address, web reputation, URL, web activity, file reputation, DNS server, sender reputation, mail activity, email address
Enforcement points: Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd-party feed
Volumes: 300M IPS attacks/mo.; 2B botnet C&C IP reputation queries/mo.; 20B message reputation queries/mo.; 2.5B malware reputation queries/mo.; geo-location feeds
13. What it Takes to Make Your Organization Safe
GLOBAL THREAT INTELLIGENCE — THREAT REPUTATION
• 10–30% detection improvement
• Average 5.3-day reduction in time to protection
• Protection will rely on the cloud increasingly in the future
• GTI can be used for both new detections and false alarm avoidance
[Diagram: same Global Threat Intelligence reputation diagram as the previous slide (Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd-party feed; 300M IPS attacks/mo., 2B botnet C&C IP reputation queries/mo., 20B message reputation queries/mo., 2.5B malware reputation queries/mo., geo-location feeds)]