Sophos Security Threat Report 2013
January 2013
Sophos update
Protecting businesses for over 27 years


• First European-based vendor of security solutions for businesses
    • Headquartered in Oxford, UK
    • Billings in excess of 400M US$ (300M €)

• Global with a strong European base
    • 100 million users
    • 1,600 employees worldwide
    • 5 SophosLabs centres, including 2 in the EU
      Oxford, Budapest, Boston, Vancouver, Sydney
    • 8 R&D centres, including 6 in the EU
      Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver

• Dedicated to businesses



Triple Leader
Endpoint: Gartner Magic Quadrant for Endpoint Protection Platforms
Data: Gartner Magic Quadrant for Mobile Data Protection
UTM: Gartner Magic Quadrant for Unified Threat Management

Sources: Gartner: Magic Quadrants for Endpoint Protection Platforms (2 Jan 2013), Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012).
The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
Triple Champion
Endpoint: Info-Tech Vendor Landscape for Endpoint Anti-Malware
Data: Info-Tech Vendor Landscape for Endpoint Encryption
UTM: Info-Tech Vendor Landscape for Next Generation Firewalls

Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012), Endpoint Encryption (December 2011), and UTM (October 2012).
The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report.
Security Threat Report
www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx
Agenda
    Web
    Blackhole
    Java
    Ransomware
    ZeroAccess
    Mac OS X
    Android
    Cloud
    Targeted Attacks
    Long Tail
    Perspectives for 2013
    Conclusions
Threats continue to grow
SophosLabs analyse 250,000+ new malware samples every day
Spam is diminished, but not defeated
• Authorities are successfully fighting back
    In July 2012 the takedown of the Grum botnet's command-and-control servers,
    first in the Netherlands and then in Panama and Russia, cut global spam
    volume by about 17%

• But targeted attacks such as spear phishing are growing
Web is the new Email
The Web is the predominant mechanism used to infect users

(Chart: infection vector, Spam vs. Web; segment labelled 85%)
Compromised legitimate sites
SophosLabs detect 30,000 new infectious Web pages every day

(Diagram: victims reach compromised sites either via a search engine or by browsing directly)
Drive-by downloads
Exploit kits make it trivial for anyone to exploit users over the web

• Exploit packs can be bought relatively cheaply
• No skill required
• Content is generated to target the visitor's browser and
  application vulnerabilities
• 'Silent' infection of victims: no user interaction needed
Social Engineering
Prevalent in social network attacks

(Screenshots: clickjacking, social engineering, fake polls)

Redirecting victims
'Controlling' user traffic

(Diagram: compromised legitimate web sites, search engine optimization (SEO))
Protection Strategies
Layered protection: block an attack at any step in the delivery chain

(Diagram: compromised legitimate web sites, search engine optimisation (SEO))

Protection Strategies
Where do Sophos product technologies work in protecting customers?

(Diagram: compromised legitimate web sites, search engine optimisation (SEO))

• Antimalware scan
• Malicious URL filtering
• Host IPS (runtime)
• Security patches
Blackhole
27% of infected sites and redirections
Toolkits & Polymorphism

• Blackhole attacks multiply thanks to widely distributed toolkits

• They make extensive use of JavaScript obfuscation, combined with
  server-side polymorphism, in their attempts to evade detection
MaaS (Malware as a Service)

(Screenshot: price list for Blackhole)
Vulnerabilities
Blackhole exploits vulnerabilities in PDF, Flash, Java …

(Diagram: PDF, Flash, Java, hcp:// (Windows Help and Support Center), …)
Blackhole (v1.x)
Targets a large array of vulnerabilities, the majority of them in Java

CVE             Target    Description
CVE-2012-4681   Java      Java forName / getField vulnerability
CVE-2012-0507   Java      Java AtomicReferenceArray vulnerability
CVE-2011-3544   Java      Oracle Java SE Rhino Script Engine remote code execution
CVE-2011-2110   Flash     Adobe Flash Player unspecified code execution (APSB11-18)
CVE-2011-0611   Flash     Adobe Flash Player unspecified code execution (APSA11-02)
CVE-2010-3552   Java      Skyline
CVE-2010-1885   Windows   Microsoft Windows Help and Support Center (HCP)
CVE-2010-1423   Java      Java Deployment Toolkit insufficient argument validation
CVE-2010-0886   Java      Unspecified vulnerability
CVE-2010-0842   Java      JRE MixerSequencer invalid array index
CVE-2010-0840   Java      Java Trusted Method Chaining
CVE-2010-0188   PDF       LibTIFF integer overflow
CVE-2009-1671   Java      Deployment Toolkit ActiveX control
CVE-2009-4324   PDF       Use-after-free in doc.media.newPlayer
CVE-2009-0927   PDF       Stack overflow via crafted argument to Collab.getIcon
CVE-2008-2992   PDF       Stack overflow via crafted argument to util.printf
CVE-2007-5659   PDF       Collab.collectEmailInfo
CVE-2006-0003   IE        MDAC
Instant exploit of vulnerabilities
What is the future of Java?

• August 2012
  • CVE-2012-4681 zero-day
  • Rapidly targeted
  • Metasploit
  • Exploit kits

"It took less than 12 hours from the time the proof of concept for the latest
Java zero-day vulnerabilities went public for exploits of those vulnerabilities
to be included in a commercial crimeware kit."
Blackhole 2.0
September 2012: a new version of the exploit kit is announced!

• Less predictable URLs
  • Harder to track
  • Harder to block via IDS
• More aggressive blacklisting of security researchers and scanners
  • "Monitor" mode
• Slimmer
  • Fewer vulnerabilities
• Etc.
Blackhole (v2.x)
Reportedly slimming down the set of exploits it carries

CVE             Target    Description
CVE-2012-4681   Java      Java forName / getField vulnerability
CVE-2012-0507   Java      Java AtomicReferenceArray vulnerability
CVE-2011-3544   Java      Oracle Java SE Rhino Script Engine remote code execution
CVE-2011-2110   Flash     Adobe Flash Player unspecified code execution (APSB11-18)
CVE-2011-0611   Flash     Adobe Flash Player unspecified code execution (APSA11-02)
CVE-2010-3552   Java      Skyline
CVE-2010-1885   Windows   Microsoft Windows Help and Support Center (HCP)
CVE-2010-1423   Java      Java Deployment Toolkit insufficient argument validation
CVE-2010-0886   Java      Unspecified vulnerability
CVE-2010-0842   Java      JRE MixerSequencer invalid array index
CVE-2010-0840   Java      Java Trusted Method Chaining
CVE-2010-0188   PDF       LibTIFF integer overflow
CVE-2009-1671   Java      Deployment Toolkit ActiveX control
CVE-2009-4324   PDF       Use-after-free in doc.media.newPlayer
CVE-2009-0927   PDF       Stack overflow via crafted argument to Collab.getIcon
CVE-2008-2992   PDF       Stack overflow via crafted argument to util.printf
CVE-2007-5659   PDF       Collab.collectEmailInfo
CVE-2006-0003   IE        MDAC
Blackhole payloads
Payloads distributed by Blackhole between August and September 2012

  Zbot          25%
  Ransomware    18%
  PWS           12%
  Sinowal       11%
  FakeAV        11%
  Other          9%
  ZeroAccess     6%
  Backdoor       6%
  Downloader     2%
Ransomware
The new scareware?

• Malware that locks the machine or encrypts the user's data
• The victim must pay a ransom to regain access to their files

Encryption, from simple to complex:
  Simple:  password-protected archives
  Medium:  XOR, shift ciphers
  Complex: RC4, public-key cryptography

Recover data?
Ransomware
Multilingual!

(Screenshots: lockout pages in several languages)
Ransomware: Matsnu
Lockout page shown to the user

(Screenshot)
Ransomware: Matsnu
Behind the scenes

• Connection to the C&C server
    • HTTP, RC4 encrypted
• Receives remote commands:
    • IMAGES
    • GEO
    • LOCK
    • UNLOCK
    • URLS
    • EXECUTE
    • KILL
    • UPGRADE
    • UPGRADEURL
    • LOAD
    • WAIT
    • MESSAGE
Ransomware: Matsnu
File encryption

Manifest file (one entry per encrypted file):
  original_filename1.ext
  new_filename1.ext
  key

  original_filename2.ext
  new_filename2.ext
  key
  … …

• Recovery tool?
  • No!
  • Decryption/recovery requires:
    • Grab the data value from the HTTP request
    • Base64-decode it (-> encrypted MASTER_KEY)
    • Grab the machine ID from the HTTP request
    • RC4-decrypt the MASTER_KEY with the machine ID
    • Append the constant string
    • RC4-decrypt the manifest file with the machine-ID key
    • DWORD transposition
    • RC4-decrypt the result with the MASTER_KEY
    • Locate the file you wish to decrypt in the manifest
    • Grab the RC4 key for that file, append the constant string
    • RC4-decrypt the file
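
The recovery chain above, written out end to end as an added example (this is not Sophos' tool and not Matsnu's code). Only the order of the steps comes from the slide; everything else is an assumption made for the example: the request field names (id=, data=), the constant string CONST, the three-lines-per-file manifest layout, the per-file keys, and the "DWORD transposition", which is modelled here as reversing the byte order inside each 4-byte word. build_sample() constructs the artefacts an infected machine would have left behind by running the same primitives forwards, so the recovery side can be checked against known plaintext.

```python
"""Model of the Matsnu recovery chain listed on the slide (added example)."""
import base64
from urllib.parse import parse_qs, quote

CONST = b"#const-string#"  # assumed: the real constant is not on the slide


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dword_transpose(data: bytes) -> bytes:
    """Assumed transposition: reverse every 4-byte word (an involution, so it undoes itself)."""
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def recover_master_key(http_body: str):
    """Slide steps 1-3: take data= (base64) and id= from the captured C&C request,
    then RC4-decrypt the master key with the machine ID."""
    fields = parse_qs(http_body)
    machine_id = fields["id"][0].encode()
    enc_master = base64.b64decode(fields["data"][0])
    return rc4(machine_id, enc_master), machine_id


def decrypt_manifest(blob: bytes, master_key: bytes, machine_id: bytes) -> dict:
    """Slide steps 4-7: machine-ID key (ID + CONST), transpose, master key, then parse.
    Returns {new_filename: (original_filename, per-file RC4 key)}."""
    stage1 = rc4(machine_id + CONST, blob)
    stage2 = dword_transpose(stage1)
    lines = [ln for ln in rc4(master_key, stage2).decode().splitlines() if ln]
    return {new: (orig, bytes.fromhex(key))
            for orig, new, key in zip(lines[0::3], lines[1::3], lines[2::3])}


def decrypt_file(new_name: str, ciphertext: bytes, manifest: dict):
    """Slide steps 8-10: look the file up, append CONST to its key, RC4-decrypt."""
    original, file_key = manifest[new_name]
    return original, rc4(file_key + CONST, ciphertext)


def recover_all(http_body: str, manifest_blob: bytes, encrypted_files: dict) -> dict:
    """Whole chain: returns {original_filename: plaintext}."""
    master_key, machine_id = recover_master_key(http_body)
    manifest = decrypt_manifest(manifest_blob, master_key, machine_id)
    return dict(decrypt_file(n, c, manifest) for n, c in encrypted_files.items())


def build_sample():
    """Constructed infection artefacts: captured request body, encrypted manifest,
    encrypted files, and the original files to compare against."""
    machine_id, master_key = b"MID-0042", b"demo-master-key!"
    files = {"report.docx": b"Quarterly figures: confidential",
             "photo.jpg": b"\xff\xd8\xff\xe0 not really a JPEG"}
    manifest_lines, encrypted = [], {}
    for n, (name, content) in enumerate(files.items()):
        file_key = bytes([0xA0 + n]) * 6
        new_name = f"{n:08x}.locked"
        manifest_lines += [name, new_name, file_key.hex()]
        encrypted[new_name] = rc4(file_key + CONST, content)
    plain = "\n".join(manifest_lines).encode()
    manifest_blob = rc4(machine_id + CONST, dword_transpose(rc4(master_key, plain)))
    enc_master_b64 = base64.b64encode(rc4(machine_id, master_key)).decode()
    http_body = "id=MID-0042&data=" + quote(enc_master_b64, safe="")
    return http_body, manifest_blob, encrypted, files


if __name__ == "__main__":
    body, blob, enc, original = build_sample()
    recovered = recover_all(body, blob, enc)
    print("recovered", len(recovered), "files; match:", recovered == original)
```

The practical point the slide makes survives the modelling: every key in the chain is derivable from material that is either on the disk or in the captured C&C traffic, so recovery is possible without paying, but only if the HTTP request was captured (a proxy or full-packet log) and the analyst knows the constant and the transposition from reversing the binary.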
ZeroAccess
ZeroAccess is a rootkit family, typically dropped on the system by a Blackhole attack

(Image: "Nothing to see here")
Hiding
ZeroAccess evolves its hiding techniques depending on the OS

(Diagram)
32-bit: malicious driver; encrypted file system
Injected DLL; linked folder
64-bit: Global Assembly Cache; hiding 'in plain sight'
Peer-to-Peer Botnet
ZeroAccess uses a distributed, peer-to-peer control model for resilience

Traps
ZeroAccess uses aggressive techniques to defend itself,
such as setting traps for security software
After Fake AV for Mac ...
MacDefender, MacSecurity and more
Flashback (OSX/Flshplyer)
Flashback on a malware epidemic on Mac OS X

• 600,000 Mac OS X systems infected in spring 2012
    • These systems were enrolled in a very large botnet

• First appeared at the end of 2011

• Posed as a Flash installer

• Passive and silent download
    • Exploited several Java vulnerabilities on Mac OS X
    • In March it exploited a vulnerability that Apple only patched in April

• 2.1% of Mac systems were infected at the peak of the outbreak
    (estimate based on Sophos' free antimalware for Mac)
Morcut (OSX/Morcut-A)
More sophisticated and potentially more dangerous

• Designed for spying
    • Monitors virtually every way a user communicates

• First appeared in July 2012

• Posed as a Java Archive file (JAR)
    • Pretended to be signed by VeriSign
    • Deployed kernel driver components to hide and run
      without the administrator's authentication

• Reflects an extremely thorough understanding of Mac
  programming techniques, capabilities, and potential weaknesses

• A perfect tool for targeted attacks
And more ...
Distribution of the 4,900 Mac OS X malware samples
seen spreading in the first week of August 2012

(Chart)
Mobile Malware

(Chart: mobile malware sample count, January 2011 to October 2012, reaching 54,900 by late 2012)
Threat Exposure Rate
In the USA and Australia, the mobile threat exposure rate exceeds that of PCs

(Chart)
Why Android?

• Adding applications to the marketplace is easy
• Repackaged apps
• Alternative Android application markets
• Forums and file-sharing sites
• "Cracked" apps
• The Android app landscape resembles that of Windows
Android Malware

(Chart: share of detections by family)
  Andr/Boxer
  Andr/Fake
  Andr/Kmin
  Andr/KongFu
  Andr/Gmaster-A
  Andr/NewyearL-B
  Andr/DroidRt
  Spyware
  mTAN
  Others
Andr/Boxer & Andr/Fake
Premium SMS Trojans

                        Andr/Boxer                          Andr/Fake
Share of total          56.8%                               17.5%
Premium SMS sent        >3                                  0-4
Targeted countries      Russia, Ukraine and Kazakhstan      Russia
Other functionality     • Determines the premium number     • Downloads and installs applications
                          from the Mobile Country Code      • Accesses websites
                        • Accesses websites                 • Masquerades as a legitimate app
Andr/KongFu
Sophisticated & multifunctional
Andr/FkToken-A - mTAN
Mobile transaction authentication number: a one-time code sent
by banks to authenticate online banking transactions

• Catches SMS messages

• Sends SMS messages

• Deletes SMS messages

• Contacts remote sites to fetch
  configuration such as the attacker's phone
  number and websites

• Also appears to download and install APKs

(Screenshot: a trial sample detected as Andr/FkToken-A)
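
A triage check for the capability combination the three Android families on the preceding slides share, as an added example (not a Sophos detection and not code from any of the samples). It reads a decoded AndroidManifest.xml, the text form that apktool or aapt produce, and scores what Andr/Boxer, Andr/Fake and Andr/FkToken-A need: SEND_SMS for premium-rate billing, RECEIVE_SMS plus a high-priority SMS_RECEIVED receiver so an incoming mTAN can be read and suppressed before the stock messaging app shows it, and INTERNET to fetch numbers, URLs or further APKs. The two manifests, the priority threshold and the scoring weights are constructed for the example.

```python
"""Manifest-level triage for premium-SMS / mTAN-stealing Android apps (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Ordered broadcasts reach receivers in descending priority. A receiver ordered
# ahead of the messaging app can call abortBroadcast() and hide the SMS entirely.
# The threshold and weights below are assumptions chosen for this example.
HIGH_PRIORITY = 1000
REVIEW_THRESHOLD = 3


def _name(elem, attr="name"):
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def analyse_manifest(xml_text: str) -> dict:
    """Return the declared permissions, human-readable findings, a score and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}
    findings, score = [], 0
    can_send = "android.permission.SEND_SMS" in perms
    can_read = perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
    if can_send:
        findings.append("SEND_SMS: can send premium-rate SMS")
        score += 1
    if can_read:
        findings.append("RECEIVE_SMS/READ_SMS: can read incoming SMS (mTAN capture)")
        score += 1
    for flt in root.iter("intent-filter"):
        actions = {_name(a) for a in flt.iter("action")}
        if SMS_RECEIVED not in actions:
            continue
        prio = int(_name(flt, "priority") or 0)
        if prio >= HIGH_PRIORITY:
            findings.append(f"SMS_RECEIVED receiver with priority {prio}: can intercept and suppress SMS")
            score += 2
        else:
            findings.append("SMS_RECEIVED receiver at ordinary priority")
    if can_send and "android.permission.INTERNET" in perms:
        findings.append("INTERNET + SEND_SMS: premium numbers and URLs can be fetched from a remote site")
        score += 1
    return {"permissions": sorted(perms), "findings": findings, "score": score,
            "verdict": "review" if score >= REVIEW_THRESHOLD else "benign"}


# Constructed manifests for the example (not taken from any real sample).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.token">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Security Token">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyse_manifest(manifest)
        print(label, result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

A legitimate messaging app also declares SEND_SMS and RECEIVE_SMS, which is why the check weights the combination (high-priority interception plus a network channel) rather than any single permission; it is a prioritisation aid for which APKs to run in a sandbox, not a verdict on its own.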
Storage in the Cloud
Which solution(s) other than email are you using to exchange professional data?

    Portable devices (USB keys …)            77%
    A corporate solution (FTP server …)       38%
    Online storage services (Dropbox …)       27%
    Remote access solution (VPN …)            16%
    Other                                      4%
Source: Sophos online poll, 1,005 respondents (multiple answers allowed, so totals exceed 100%)

When you ask your IT department for help, how long are you willing to wait before looking for
a solution on your own?

    Less than 5 minutes                       22%
    Between 5 and 30 minutes                  40%
    Between 30 minutes and 1 hour             13%
    Between 1 hour and 1 day                  14%
    1 day                                      5%
    I never act without their answer, however long it takes   7%
Source: Sophos online poll, 1,005 respondents
Do you worry about Dropbox?

• Where is the data stored?
• Are files protected?
• Are you allowed to use it?
• Is sensitive data already in the cloud?
Targeted drive-by attack
More cases are being revealed
Targeted drive-by attack
Indirect targeting

HACK     • Hack an aeronautical site
         • Redirect + exploits uploaded to the site

HIT      • TARGET company browses the site

EXPLOIT  • Zero-day vulnerability hits TARGET
         • CVE-2012-1889 (MS XML Core Services)

PWN      • TARGET compromised
75% of attacks are unique

(Chart: malware attacks by binary; share of binaries seen 1, 2, 3, 4, 5 or more than 5 times)
Server-side Polymorphism
• Weaknesses of old-style polymorphic worms
    • The polymorphism engine is part of the code
      • It can be reversed by persistent researchers
    • The payload must be decrypted in memory
      • Emulate the code until the invariant is found
    • Detection can be based on the decryption loop

• Server-side polymorphism
    • Responsible for the explosion of variants
      • 250,000 new malware samples are analysed every day by SophosLabs
    • No direct access to the polymorphic engine
    • Frequent updates
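
The two detection models on this slide, side by side, as an added example (not SophosLabs' engine and not any real packer): an exact hash of each downloaded copy versus recognising the decryption stub, running its loop and scanning the decoded body for the invariant. The "server side" can re-key every download and switch encoding scheme; when it switches to a scheme the emulator has never seen, the result is "unknown-stub", which is the frequent-update problem the slide names. The sample layout (4-byte magic, 1-byte key, length, body), both encoding schemes, the payload bytes and the C&C string are all constructed for this page.

```python
"""Per-sample hashes vs. emulate-to-the-invariant against a re-keying server (added example)."""
import hashlib
import os
import struct

# The part the attacker cannot re-randomise without rewriting the malware: its actual
# code. A detector looks for INVARIANT_SIG once the body has been decoded.
PAYLOAD = b"\x55\x8b\xec" + b"GET /gate.php HTTP/1.1 Host: c2.example.invalid" + b"\xc9\xc3"
INVARIANT_SIG = b"/gate.php"


def pack(payload: bytes, scheme: str, key: int) -> bytes:
    """Constructed sample layout: magic(4) | key(1) | body length (u32 LE) | encoded body.
    Each download gets a fresh key, so every copy hashes differently."""
    key &= 0xFF
    if scheme == "xor":
        magic, body = b"SXOR", bytes(b ^ key for b in payload)
    elif scheme == "add":
        magic, body = b"SADD", bytes((b + key) & 0xFF for b in payload)
    else:
        raise ValueError(f"unknown scheme {scheme}")
    return magic + bytes([key]) + struct.pack("<I", len(body)) + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(sample: bytes, known_hashes: set) -> bool:
    """Exact-hash signature: only ever matches the copies the lab has already seen."""
    return sha256_hex(sample) in known_hashes


# Decryption loops the emulator knows how to run (the stub ships inside the sample).
KNOWN_STUBS = {
    b"SXOR": lambda body, key: bytes(b ^ key for b in body),
    b"SADD": lambda body, key: bytes((b - key) & 0xFF for b in body),
}


def emulate_and_scan(sample: bytes, stubs: dict = KNOWN_STUBS) -> str:
    """Recognise the stub, run its loop to reach the invariant, then scan.
    'unknown-stub' is the server-side polymorphism case: the engine changed on the
    server and the emulator needs an update before it can see the invariant."""
    if len(sample) < 9:
        return "clean"
    magic, key = sample[:4], sample[4]
    (length,) = struct.unpack("<I", sample[5:9])
    decode = stubs.get(magic)
    if decode is None:
        return "unknown-stub"
    body = decode(sample[9:9 + length], key)
    return "malicious" if INVARIANT_SIG in body else "clean"


def campaign(keys, scheme: str = "xor", lab_key: int = 0x99) -> dict:
    """One download per key; the lab holds the hash of a single earlier sample."""
    known = {sha256_hex(pack(PAYLOAD, scheme, lab_key))}
    samples = [pack(PAYLOAD, scheme, k) for k in keys]
    return {
        "downloads": len(samples),
        "distinct_hashes": len({sha256_hex(s) for s in samples}),
        "hash_hits": sum(hash_match(s, known) for s in samples),
        "emulation_hits": sum(emulate_and_scan(s) == "malicious" for s in samples),
    }


if __name__ == "__main__":
    # 50 visitors, each served a freshly keyed copy.
    print(campaign([os.urandom(1)[0] for _ in range(50)]))
```

With a one-byte key the toy server can only produce 256 distinct copies per scheme; a real kit re-encodes the whole stub as well, which is why the 250,000 samples a day on the previous slides are mostly never seen twice, and why the emulator, not the hash list, is the part that has to keep up.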
Obfuscated JavaScript
• An endless source of obfuscation techniques

• Anti-emulation techniques
    • Recursive function calls
    • Hooking events (e.g. counting mouse movements)
    • Elapsed-time checks
    • etc.
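
A static unwrapper for the kind of layered JavaScript the Blackhole slides and this one describe, as an added example (not Sophos' scanner and not code from any exploit kit). It peels three common layers (String.fromCharCode arrays, unescape() of percent-encoded text, \xNN escapes) until the text stops changing, then flags the anti-emulation gates listed above (mouse-movement counters, elapsed-time checks, arguments.callee) and the landing-page features that usually sit behind them (hidden iframe, applet or JAR, eval of decoded text). The sample script, the layer set and the indicator patterns are constructed for this page; real kits change their encoding per request, so this handles known layers only, which is precisely the limitation that pushes detection towards runtime emulation.

```python
"""Peel known JavaScript obfuscation layers and flag anti-emulation gates (added example)."""
import re
from urllib.parse import unquote


def _from_char_code(js: str) -> str:
    """String.fromCharCode(118,97,...) -> "va..." """
    return re.sub(r"String\.fromCharCode\(\s*([\d,\s]+)\)",
                  lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
                  js)


def _unescape_calls(js: str) -> str:
    """unescape("%3Ciframe...") -> "<iframe..." """
    return re.sub(r"unescape\(\s*(['\"])(.*?)\1\s*\)",
                  lambda m: '"' + unquote(m.group(2)) + '"', js)


def _hex_escapes(js: str) -> str:
    """"\\x68\\x69" -> "hi" """
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)


LAYERS = (_from_char_code, _unescape_calls, _hex_escapes)


def deobfuscate(js: str, max_rounds: int = 10) -> str:
    """Apply every layer repeatedly until the text stops changing (layers nest).
    Decoded strings are dropped in as plain quoted text: a reading aid, not valid JS."""
    for _ in range(max_rounds):
        before = js
        for layer in LAYERS:
            js = layer(js)
        if js == before:
            break
    return js


INDICATORS = (
    ("mouse-movement gate", r"onmousemove|['\"]mousemove['\"]"),
    ("elapsed-time check", r"(?:getTime\(\)|Date\.now\(\))[^;]*[-<>]"),
    ("self-referencing function (recursion / callee check)", r"arguments\.callee"),
    ("eval of decoded content", r"\beval\s*\("),
    ("hidden iframe", r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b"),
    ("Java applet / JAR reference", r"<applet\b|\.jar\b"),
)


def analyse(js: str) -> dict:
    """Decode, then report URLs and indicators found in the decoded text."""
    decoded = deobfuscate(js)
    return {
        "decoded": decoded,
        "urls": re.findall(r"https?://[^\s\"'<>]+", decoded),
        "indicators": [name for name, pattern in INDICATORS if re.search(pattern, decoded)],
    }


# Constructed landing-page fragment: a mouse/time gate around a hidden iframe.
SAMPLE_JS = r"""
var m = 0, t0 = new Date().getTime();
document.onmousemove = function () { m++; };
function go() {
  if (m > 3 && new Date().getTime() - t0 > 2000) {
    document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fmain.php%3Fpage%3Dab12%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));
    eval(String.fromCharCode(118,97,114,32,97,61,49,59));
  } else { setTimeout(go, 500); }
}
go();
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_JS)
    print(report["decoded"])
    print("URLs:", report["urls"])
    print("Indicators:", report["indicators"])
```

The gate in the sample is the detail worth noticing: an emulator that evaluates the script once, with no mouse events and no clock advance, never reaches the document.write, so the iframe URL only becomes visible to a static pass like this one, or to an emulator that fakes both the events and the passage of time.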
Thirteen predictions for 2013
1. Attack toolkits continue to proliferate
2. Modernization and hardening of operating systems
3. Cloud-based malware testing changes the threat protection model
4. Increased focus on layered security
5. One step forward, two steps back
6. Mobile attacks become more advanced
7. Web servers back in the crosshairs
8. Integrate 'all of the things'
9. Diverse business models and irreversible malware
10. Skills problem becomes more apparent
11. Cyber criminal anti-forensics
12. More advanced hacktivism and political debate
13. Arguments over big data vs. analytics and confusion
Protect Users at all levels
Deploy solutions at all levels, covering the entire threat lifecycle

Reduce attack surface:
  URL Filtering, Web Application Firewall, Anti-spam, Patch Manager,
  Device Control, Application Control, Encryption, Tamper protection
Protect everywhere:
  Endpoint Web Protection, Encryption for cloud, Mobile Control, Virtualization,
  Secure branch offices, Mobile app security, Free Home use, VPN
Stop attacks and breaches:
  Data Control, Access control, Anti-malware, User education,
  Intrusion prevention, Firewall, Email encryption, Live Protection
Keep people working:
  Automation, WiFi security, Visibility, Local self-help,
  Clean up, Technical support, Performance, Small updates
Reduce attack surface
Deploy solutions with preventive features

Sophos Enterprise Console: integrated management
Unified engine:
  Anti-Malware, Anti-Spyware, Anti-Rootkit, HIPS, Web Protection,
  Application Control, Device Control, DLP, URL Filtering,
  Patch Assessment, Client Firewall, NAC, Encryption
Protect all the devices of your end users
The emergence of BYOD requires protecting an ever larger number of devices

(Diagram: corporate PC or laptop, corporate mobiles, corporate servers, virtualized systems,
employee mobiles, employee devices)
Control Web Applications
Control Web access and Web application usage

Endpoint:                  Web access:                    Web applications:
• Anti-malware             • Anti-malware                 • Real-time monitoring
• Host IPS                 • HTTPS scanning               • Block / allow
• Malicious URL blocking   • Anonymizing proxy blocking   • Manage risks dynamically
• Application control      • URL filtering                • Limit bandwidth
• URL filtering            • Content filtering            • Manage priorities
• DLP
Educate Users
Use the free Sophos education toolkits and resources

DOs and DON'Ts (best practices): Mobiles, Data, Social Networks
Staying ahead of the curve

facebook.com/securitybysophos
Sophos on Google+
linkedin.com/company/sophos
twitter.com/Sophos_News
nakedsecurity.sophos.com

US and Canada: 1-866-866-2802, NASales@sophos.com
UK and Worldwide: +44 1235 55 9933, Sales@sophos.com

Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewAntiy Labs
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceValery Yelanin
 

Semelhante a 2013 Security Threat Report Presentation (20)

Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurity
 
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptxAppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdf
 
Three Simple Steps to Prevent Targeted Attacks
Three Simple Steps to Prevent Targeted AttacksThree Simple Steps to Prevent Targeted Attacks
Three Simple Steps to Prevent Targeted Attacks
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
 

Mais de Sophos

Your Money or Your File! Highway Robbery with Blackhole and Ransomware
Your Money or Your File! Highway Robbery with Blackhole and RansomwareYour Money or Your File! Highway Robbery with Blackhole and Ransomware
Your Money or Your File! Highway Robbery with Blackhole and RansomwareSophos
 
2013 Security Threat Report
2013 Security Threat Report2013 Security Threat Report
2013 Security Threat ReportSophos
 
Is Your Network Ready for BYOD?
Is Your Network Ready for BYOD?Is Your Network Ready for BYOD?
Is Your Network Ready for BYOD?Sophos
 
8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't StopSophos
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes MobileSophos
 
Exposing the Money Behind Malware
Exposing the Money Behind MalwareExposing the Money Behind Malware
Exposing the Money Behind MalwareSophos
 
BYOD - Protecting Your School
BYOD - Protecting Your SchoolBYOD - Protecting Your School
BYOD - Protecting Your SchoolSophos
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint ProtectionSophos
 
Sophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos
 
Complete Security
Complete SecurityComplete Security
Complete SecuritySophos
 
IT Security DOs und DON’Ts (Italian)
IT Security DOs und DON’Ts (Italian)IT Security DOs und DON’Ts (Italian)
IT Security DOs und DON’Ts (Italian)Sophos
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts Sophos
 

Mais de Sophos (12)

Your Money or Your File! Highway Robbery with Blackhole and Ransomware
Your Money or Your File! Highway Robbery with Blackhole and RansomwareYour Money or Your File! Highway Robbery with Blackhole and Ransomware
Your Money or Your File! Highway Robbery with Blackhole and Ransomware
 
2013 Security Threat Report
2013 Security Threat Report2013 Security Threat Report
2013 Security Threat Report
 
Is Your Network Ready for BYOD?
Is Your Network Ready for BYOD?Is Your Network Ready for BYOD?
Is Your Network Ready for BYOD?
 
8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes Mobile
 
Exposing the Money Behind Malware
Exposing the Money Behind MalwareExposing the Money Behind Malware
Exposing the Money Behind Malware
 
BYOD - Protecting Your School
BYOD - Protecting Your SchoolBYOD - Protecting Your School
BYOD - Protecting Your School
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
 
Sophos Mobile Control - Product Overview
Sophos Mobile Control - Product OverviewSophos Mobile Control - Product Overview
Sophos Mobile Control - Product Overview
 
Complete Security
Complete SecurityComplete Security
Complete Security
 
IT Security DOs und DON’Ts (Italian)
IT Security DOs und DON’Ts (Italian)IT Security DOs und DON’Ts (Italian)
IT Security DOs und DON’Ts (Italian)
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
 

Último

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 

Último (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 

2013 Security Threat Report Presentation

  • 1. Sophos Security Threat Report 2013, January 2013
  • 2. Sophos update: Protecting businesses for over 27 years
    • First European-based vendor of security solutions for businesses
      • Headquartered in Oxford, UK
      • Billings in excess of 400M US$ (300M €)
    • Global with strong European base
      • 100 million users
      • 1,600 employees worldwide
      • 5 SophosLabs centers, including 2 in the EU: Oxford, Budapest, Boston, Vancouver, Sydney
      • 8 R&D centers, including 6 in the EU: Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver
    • Dedicated to businesses
  • 3. Triple Leader
    • Endpoint: Magic Quadrant for Endpoint Protection Platforms
    • Data: Magic Quadrant for Mobile Data Protection
    • UTM: Magic Quadrant for Unified Threat Management
    Sources: Gartner: Magic Quadrants for Endpoint Protection Platforms (2 Jan 2013), Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012). The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
  • 4. Triple Champion
    • Endpoint: Vendor Landscape for Endpoint Anti-Malware
    • Data: Vendor Landscape for Endpoint Encryption
    • UTM: Vendor Landscape for Next Generation Firewalls
    Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012), Endpoint Encryption (December 2011), and UTM (October 2012). The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report.
  • 5. Security Threat Report: www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx
  • 6. Agenda
    • Web
    • Blackhole
    • Java
    • Ransomware
    • ZeroAccess
    • Mac OS X
    • Android
    • Cloud
    • Targeted Attacks
    • Long Tail
    • Perspectives for 2013
    • Conclusions
  • 7. Threats continue to grow: SophosLabs analyze 250,000+ new malware samples every day
  • 8. Spam is diminished but not defeated
    • Authorities are successfully fighting back: in July, the dismantling of the Grum botnet's command and control centers in the Netherlands, then in Panama and Russia, succeeded in reducing spam volume by 17%
    • But targeted attacks such as spear phishing are growing
  • 9. Web is the new Email: the web is the predominant mechanism to infect users (chart: Web 85% vs. Spam)
  • 10. Compromised legitimate sites: SophosLabs detect 30,000 new infectious web pages every day (figure: users reach them by browsing via a search engine or browsing direct)
  • 11. Drive-by downloads: exploit kits make it trivial for anyone to exploit users over the web
    • Exploit packs can be bought relatively cheaply
    • No skill required
    • Content created to target relevant browser and application vulnerabilities
    • "Silent" infection of victims
  • 12. Social Engineering: prevalent in social network attacks (figure: clickjacking, social engineering, fake polls)
  • 13. Redirecting victims: "controlling" user traffic (figure: compromise legitimate web sites; search engine optimization (SEO))
  • 14. Protection Strategies: layered protection blocks an attack at any step in the delivery chain (figure: compromise legitimate web sites; search engine optimisation (SEO))
  • 15. Protection Strategies: where do Sophos product technologies work in protecting customers? (figure: the same delivery chain, with Antimalware scan, Malicious URL filtering, Host IPS (runtime) and Security patches placed along it)
  • 16. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess, Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 17. Blackhole: 27% of infected sites and redirections
  • 18. Toolkits & Polymorphism
    • Blackhole attacks multiply thanks to widely spread toolkits
    • They make extended use of JavaScript obfuscation capabilities in their attempts to evade detection, combined with server-side polymorphism
  • 19. MaaS (Malware as a Service): price list for Blackhole (figure)
  • 20. Vulnerabilities: Blackhole exploits vulnerabilities in PDF, Flash, Java … (figure also shows "?" and hcp://…)
  • 21. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess, Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 22. Blackhole (v1.x): targets a large array of vulnerabilities, including a majority on Java
    CVE             Target    Description
    CVE-2012-4681   Java      Java forName, getField vulnerability
    CVE-2012-0507   Java      Java AtomicReferenceArray vulnerability
    CVE-2011-3544   Java      Oracle Java SE Rhino Script Engine Remote Code Execution vuln
    CVE-2011-2110   Flash     Adobe Flash Player unspecified code execution (APSB11-18)
    CVE-2011-0611   Flash     Adobe Flash Player unspecified code execution (APSA11-02)
    CVE-2010-3552   Java      Skyline
    CVE-2010-1885   Windows   Microsoft Windows Help and Support Center (HCP)
    CVE-2010-1423   Java      Java Deployment Toolkit insufficient argument validation
    CVE-2010-0886   Java      Unspecified vulnerability
    CVE-2010-0842   Java      JRE MixerSequencer invalid array index
    CVE-2010-0840   Java      Java trusted Methods Chaining
    CVE-2010-0188   PDF       LibTIFF integer overflow
    CVE-2009-1671   Java      Deployment Toolkit ActiveX control
    CVE-2009-4324   PDF       Use after free vulnerability in doc.media.newPlayer
    CVE-2009-0927   PDF       Stack overflow via crafted argument to Collab.getIcon
    CVE-2008-2992   PDF       Stack overflow via crafted argument to util.printf
    CVE-2007-5659   PDF       collab.collectEmailInfo
    CVE-2006-0003   IE        MDAC
  • 23. Instant exploit of vulnerabilities: what is the future of Java?
    • August 2012: CVE-2012-4681 zero-day
    • Rapidly targeted: Metasploit, exploit kits
    "It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit."
  • 24. Blackhole 2.0: September 2012, new version of the exploit kit announced!
    • Less predictable URLs
    • Harder to track
    • Harder to block via IDS
    • More aggressive blacklisting
    • "Monitor" mode
    • Slimmer
    • Fewer vulnerabilities
    • Etc.
  • 25. Blackhole (v2.x): reportedly slimming down the volume of exploits targeted (the slide repeats the vulnerability table from slide 22)
  • 26. Blackhole payloads: payloads distributed by Blackhole between August and September 2012 (chart: Zbot 25%, Ransomware 18%, PWS 12%, FakeAV 11%, Sinowal 11%, Backdoor 6%, Downloader 2%, ZeroAccess and Other 9% and 6%)
  • 27. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess, Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 28. Ransomware: the new scareware?
    • Malware that locks/encrypts user data
    • Pay ransom to access files
    Recover data? Simple: password-protected archives, shift; Medium: XOR; Complex: RC4, public key crypto
  • 30. Ransomware: Matsnu: lockout page shown to user
  • 31. Ransomware: Matsnu, behind the scenes
    • Connection to C&C server: HTTP, RC4 encrypted
    • Receives remote commands: IMAGES, GEO, LOCK, UNLOCK, URLS, EXECUTE, KILL, UPGRADE, UPGRADEURL, LOAD, WAIT, MESSAGE
  • 32. Ransomware: Matsnu, file encryption
    Manifest file:
    original_filename1.ext   new_filename1.ext   key
    original_filename2.ext   new_filename2.ext   key
    …                        …
    • Recovery tool? No! Decryption/recovery requires:
      • Grab data value from HTTP request
      • B64 decode (-> MASTER_KEY)
      • Grab machine ID from HTTP request
      • RC4 decrypt the MASTER_KEY with this
      • Append constant string
      • RC4 decrypt manifest file with machine ID key
      • DWORD transposition
      • RC4 decrypt this using the MASTER_KEY
      • Locate file you wish to decrypt in the manifest file
      • Grab RC4 key for file, append constant string
      • RC4 decrypt file
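The recovery chain on slide 32, as an added example that is neither code from the deck nor from the Matsnu sample: a Python model of the key unwrapping run on constructed data, so the steps can be followed end to end and the failure mode (wrong machine ID) is visible. RC4 is the cipher the slide names; the two constant strings, the exact form of the DWORD transposition and the manifest layout are not given on the slide and are labelled assumptions in the code.

```python
import base64

# Placeholders: slide 32 says "append constant string" twice but does not give the strings.
MANIFEST_SUFFIX = b"MANIFEST-CONST-PLACEHOLDER"
FILE_KEY_SUFFIX = b"FILE-CONST-PLACEHOLDER"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dword_transpose(data: bytes) -> bytes:
    """Assumed form of the slide's "DWORD transposition": reverse the bytes inside
    each 4-byte word and leave a short tail alone. It is self-inverse, so the same
    call serves when building the fixture and when undoing the step."""
    full = len(data) - len(data) % 4
    out = bytearray()
    for k in range(0, full, 4):
        out += data[k:k + 4][::-1]
    return bytes(out + data[full:])


def recover_master_key(data_field: str, machine_id: bytes) -> bytes:
    """Slide steps 1-4: base64-decode the "data" value posted to the C&C, then RC4
    decrypt it with the machine ID carried in the same request."""
    return rc4(machine_id, base64.b64decode(data_field))


def decrypt_manifest(blob: bytes, machine_id: bytes, master_key: bytes) -> dict:
    """Slide steps 5-8: outer RC4 layer keyed by machine ID + constant, then the
    DWORD transposition, then the inner RC4 layer keyed by the master key.
    Returns {original_filename: (new_filename, per-file RC4 key)}."""
    outer = rc4(machine_id + MANIFEST_SUFFIX, blob)
    plain = rc4(master_key, dword_transpose(outer))
    try:
        entries = {}
        # Assumed layout, one line per file: original name, new name, key as hex.
        for line in plain.decode("utf-8").splitlines():
            original, renamed, key_hex = line.split("\t")
            entries[original] = (renamed, bytes.fromhex(key_hex))
    except (UnicodeDecodeError, ValueError) as exc:
        # A wrong machine ID or data field yields noise, not a parseable manifest.
        raise ValueError("manifest did not decrypt: check machine ID and data field") from exc
    return entries


def decrypt_file(encrypted: bytes, file_key: bytes) -> bytes:
    """Slide steps 9-11: per-file key from the manifest plus the constant string."""
    return rc4(file_key + FILE_KEY_SUFFIX, encrypted)


def recover(machine_id, data_field, manifest_blob, encrypted_file, original_name):
    """Whole chain: C&C request fields + manifest + one encrypted file -> plaintext."""
    master_key = recover_master_key(data_field, machine_id)
    _renamed, file_key = decrypt_manifest(manifest_blob, machine_id, master_key)[original_name]
    return decrypt_file(encrypted_file, file_key)


def build_fixture():
    """Constructed stand-ins for what an infected host and its C&C traffic would hold;
    the forward direction is just the recovery chain applied in reverse order."""
    machine_id = b"MACHINE-ID-0001"
    master_key = b"constructed-master-key"
    file_key = bytes.fromhex("0badc0de0badc0de")
    plaintext = b"Quarterly numbers: constructed sample content"
    manifest = b"report.docx\ta1b2c3.enc\t" + file_key.hex().encode()
    manifest_blob = rc4(machine_id + MANIFEST_SUFFIX,
                        dword_transpose(rc4(master_key, manifest)))
    data_field = base64.b64encode(rc4(machine_id, master_key)).decode()
    encrypted_file = rc4(file_key + FILE_KEY_SUFFIX, plaintext)
    return machine_id, data_field, manifest_blob, encrypted_file, plaintext


if __name__ == "__main__":
    mid, data, blob, enc, plain = build_fixture()
    print("recovered:", recover(mid, data, blob, enc, "report.docx").decode())
```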
  • 33. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess ("Nothing to see here"), Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 34. ZeroAccess: ZeroAccess is a rootkit family typically dropped onto the system by a Blackhole attack ("Nothing to see here")
  • 35. Hiding: ZeroAccess evolves its hiding techniques depending on the OS (figure: 32 bit: malicious driver, encrypted file system; 64 bit: injected DLL, Global Assembly Cache, linked folder hidden 'in plain sight')
  • 36. Peer-to-Peer Botnet: ZeroAccess uses a distributed, peer-to-peer control model for resilience
  • 37. Traps: ZeroAccess uses aggressive techniques to defend itself, such as setting up traps for security software
  • 38. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess, Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 39. After fake AV for Mac ...: MacDefender, MacSecurity and more
  • 40. Flashback (OSX/Flshplyer): Flashback, a malware epidemic on Mac OS X
    • 600,000 Mac OS X systems infected in spring 2012
    • These systems have been exploited in a very large scale botnet
    • First appearance at the end of 2011
    • Pretended to be a Flash installer
    • Passive and silent download
    • Exploited several Java vulnerabilities on Mac OS X
    • In March, exploited a vulnerability corrected only in April by Apple
    • 2.1% of Mac systems were infected at the infection peak (estimate based on Sophos free anti-malware for Mac)
  • 41. Morcut (OSX/Morcut-A): more sophisticated and potentially more dangerous
    • Designed for spying
    • Monitors virtually every way a user communicates
    • First appearance in July 2012
    • Posed as a Java Archive file (JAR)
    • Pretended to be signed by Verisign
    • Deployed kernel driver components to hide and run without administrator's authentication
    • Reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses
    • Perfect tool for targeted attacks
  • 42. And more ...: distribution of the 4,900 malware samples for Mac OS X that spread in the first week of August 2012 (chart)
  • 43. Agenda: Web, Blackhole, Java, Ransomware, ZeroAccess, Mac OS X, Android, Cloud, Targeted Attacks, Long Tail, Perspectives for 2013, Conclusions
  • 44. Mobile Malware (chart: monthly counts from Jan 2011 to Oct 2012 on a 0 to 60,000 scale, with 54,900 the highest value shown)
  • 45. Threat Exposure Rate: in the USA and Australia, this rate exceeds that of PCs
  • 46. Why Android?
    • Adding applications to the marketplace is easy
    • Repackaged apps
    • Alternative Android application markets
    • Forums and file sharing sites
    • "Cracked" apps
    • Alternative markets
    • Android app landscape similar to Windows
  • 47. Android Malware (chart: Andr/Boxer, Andr/Fake, Andr/Kmin, Andr/KongFu, Andr/Gmaster-A, Andr/NewyearL-B, Andr/DroidRt, Spyware, mTAN, Others)
  • 48. Andr/Boxer & Andr/Fake: premium SMS Trojans
                              Andr/Boxer                          Andr/Fake
    Percentage in total       56.8%                               17.5%
    Number of premium SMS     >3                                  0-4
    Targeted countries        Russia, Ukraine and Kazakhstan      Russia
    Other functionalities     Determine premium number based      Download and install applications;
                              on the Mobile Country Code;         access website; masquerade as a
                              access website                      legitimate app
  • 50. Andr/FkToken-A: mTAN (mobile transaction authentication number), sent by banks to authenticate online bank transactions
    • Catch SMS message
    • Send SMS message
    • Delete SMS message
    • Contact remote sites to get a list of info like the attacker's phone number and websites
    • Also it looks like it will download and install an apk
    (figure: a trial sample detected as Andr/FkToken-A)
  • 51. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 51
  • 52. Storage in the Cloud • Which solution(s) other than email are you using to exchange professional data? Portable Devices (USB keys …) 77%; A corporate solution (FTP server …) 38%; Online storage services (Dropbox…) 27%; Remote access solution (VPN …) 16%; Other 4% (Source: Sophos online poll, 1,005 total count) • When you ask your IT department for help, how long are you willing to wait before looking for a solution on your own? Less than 5 minutes 22%; Between 5 and 30 minutes 40%; Between 30 minutes and 1 hour 13%; Between 1 hour and 1 day 14%; 1 day 5%; I never move without their answer, however long 7% (Source: Sophos online poll, 1,005 total count) 52
  • 53. Do you worry about Dropbox? • Are files protected? • Where is the data stored? • Are you allowed to use it? • Is sensitive data already in the cloud? 53
  • 54. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 54
  • 55. Targeted drive-by attack More cases are revealed 55
  • 56. Targeted drive-by attack: Indirect targeting • HACK: aeronautical site hacked; redirect + exploits uploaded to site • HIT: TARGET company browses site • EXPLOIT: zero-day vulnerability hits TARGET (CVE-2012-1889, MS XML Core Services) • PWN: TARGET compromised 56
  • 57. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 57
  • 58. 75% of attacks are unique (chart: share of malware attacks (binary) by the number of victims hit with the same binary, 1, 2, 3, 4, 5, >5; y-axis 0% to 80%, with the single-victim bar at about 75%)
  • 59. Server-side Polymorphism • Weaknesses of old-style polymorphic worms: • Polymorphism engine is part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop • Server-side polymorphism: • Responsible for the explosion of variants • 250,000 new malware samples are analyzed every day by SophosLabs • No direct access to the polymorphic engine • Frequent updates 59
  • 60. Obfuscated JavaScript • Endless source of obfuscation techniques • Anti-emulation techniques: • Recursive function calls • Hooking events (e.g. amount of mouse movements) • Elapsed time checks • etc. 60
  • 61. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 61
  • 62. Thirteen predictions for 1. Attack toolkits continue to proliferate 2. Modernization and hardening of operating systems 3. Cloud-based malware testing changes the threat protection model 4. Increased focus on layered security 5. One step forward, two steps back 6. Mobile attacks become more advanced 7. Web servers back in the crosshairs 8. Integrate ‘all of the things’ 9. Diverse business models and irreversible malware 10. Skills problem becomes more apparent 11. Cyber criminal anti-forensics 12. More advanced hacktivism and political Debate 13. Arguments over big data vs. analytics and confusion 62
  • 63. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 63
  • 64. Protect Users at all levels: Deploy solutions at all levels, covering the entire threat lifecycle • Reduce attack surface • Protect everywhere • Stop attacks and breaches • Keep people working (capabilities listed on the slide: URL Filtering, Web Application Firewall, Endpoint Web Protection, Encryption for cloud, Data Control, Access control, Automation, WiFi security, Anti-spam, Patch Manager, Mobile Control, Virtualization, Anti-malware, User education, Visibility, Local self-help, Application Control, Mobile app security, Clean up, Technical support, Device Control, Secure branch offices, Intrusion prevention, Firewall, Encryption, Tamper protection, Free Home use, Email encryption, Live Protection, Small updates, VPN, Performance) 64
  • 65. Reduce attack surface: Deploy solutions with preventive features • Unified Engine: Anti-Malware, Anti-Spyware, Anti-Rootkit, HIPS, Web Protection, Application Control, Device Control, DLP, URL Filtering, Patch Assessment, Client Firewall, NAC, Encryption • Integrated Management: Sophos Enterprise Console 65
  • 66. Protect all the Devices of your End Users: The emergence of BYOD requires protecting an ever larger number of devices • Corporate Mobiles • Employee Mobiles • Corporate PC or Laptop • Employee Device • Corporate Servers • Virtualized systems 66
  • 67. Control Web Applications: Control Web access and Web applications usage • Endpoint: Anti-malware; Host IPS; Malicious URL blocking; Application control; URL Filtering; DLP • Web access: Anti-malware; HTTPS Scan; Anonymizing Proxies blocking; URL Filtering; Content filtering • Web Applications: Real time monitoring; Block / Allow; Manage risks dynamically; Limit bandwidth; Manage priorities
  • 68. Educate Users: Use Sophos' free education toolkits and resources • DOs and DON'Ts (best practices) • Mobiles • Data • Social Networks 68
  • 69. Staying ahead of the curve • US and Canada: 1-866-866-2802, NASales@sophos.com • UK and Worldwide: +44 1235 55 9933, Sales@sophos.com • facebook.com/securitybysophos • Sophos on Google+ • linkedin.com/company/sophos • twitter.com/Sophos_News • nakedsecurity.sophos.com 69

Editor's notes

  1. Facebook also suffers from rogue applications. Messages posted to people's walls provide a link to an application. The application purports to be some enticing video. When you try to play it, it requests permission to access your info, post to your wall, etc. It also pops up a fake online survey, pretending to be a Facebook anti-spam verification survey. Why? Scammers get money for each scam completed!
  2. The next part of our attack scenario is the installation and use of the ZeroAccess rootkit. However, before we go on it is important to remember that this is simply an example scenario. There are many ways in which ZeroAccess can be delivered; Blackhole is commonly used but is by no means the only method. We have seen various social engineering schemes, including uploading the rootkit installer to torrent sites masquerading as cracks or key generators for popular software. Likewise, ZeroAccess is not the only malware that is delivered from Blackhole. ZeroAccess itself, although most commonly known as a rootkit, combines the features of a rootkit and a peer-to-peer botnet to provide an attacker with a difficult-to-detect foothold on a PC from which to install further malware of their choosing. As such it is, like Blackhole, just another link in the attack chain. This particular link is designed to conceal its own presence and the presence of the malware it is instructed to download and install. The term rootkit originates in the Unix world, where it was used to describe a set of software designed to obtain and keep root, or administrator, access to a computer. Now the term is used to describe malware that conceals its presence in an attempt to evade security scanners. As we'll see shortly, ZeroAccess is under active development. In SophosLabs we have seen hundreds of thousands of unique ZeroAccess-related binaries in the last year.
  3. Let's take a look at how ZeroAccess hides itself. It is this feature that leads malware distributors to use tools like ZeroAccess rather than simply spread the final stages of their attacks directly. The additional concealment of a rootkit makes it more likely that their attack will remain unnoticed, allowing them to either steal more information or take advantage of a compromised network for a longer period of time. The techniques used by ZeroAccess have changed as it has evolved, and they vary depending on whether the operating system is 32- or 64-bit. Older versions of the kit install a malicious driver on 32-bit systems and subvert the operating system's access to the disk. The components of the kit and the malware it installs are then stored in either a newly created encrypted file system or in a specially linked folder which has been modified to make it inaccessible to the operating system. The contents of these areas are available only to ZeroAccess using its own driver and therefore are invisible to both the operating system and security scanners that use the operating system to read the disk. This type of infection is usually discovered by scanning the operating system kernel to search for the malicious driver. On 64-bit systems the enhancements in kernel security make it more difficult for the criminals behind ZeroAccess to install drivers. Instead, they employ some of the standard operating system features to conceal the kit's presence from a casual observer. To do this the files are placed into the Global Assembly Cache, an area used for storing information about installed .NET assemblies. When this area is browsed using Windows Explorer the operating system will automatically switch to the Assembly Cache Viewer and display assembly information rather than the true contents of the folder, thus hiding any additional files, including ZeroAccess.
More recent versions of ZeroAccess use a strategy that works on both 32- and 64-bit platforms, probably to simplify the development process. These versions add a malicious DLL to system processes and hijack the loading process for a legitimate COM object in order to activate itself. Some of the later versions also used advanced file system features such as extended attributes to hide their data. While the later techniques are not stealth in the technical sense, they still serve to conceal the presence of ZeroAccess from a casual inspection. We can speculate that the authors of ZeroAccess have learned from their progression to 64-bit that a truly stealthy rootkit is not necessary for them to build sufficiently large botnets and make a profit from them.
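The Explorer behaviour described in this note is the reason to inspect %WINDIR%\assembly through the file system API rather than through the shell. The PowerShell below is an added triage check, not code from the deck or from Sophos; the allow-list of file extensions and the choice of flags are assumptions made for this example.

```powershell
# Added triage example; not code from the Sophos deck. Lists %WINDIR%\assembly through the
# file system API rather than Windows Explorer, because Explorer shows the Assembly Cache
# Viewer there instead of the folder's real contents. Run from an elevated PowerShell
# session; the allow-list and the flags below are assumptions for this example.

$gacRoot = Join-Path $env:WINDIR 'assembly'

# File types a stock GAC folder is assumed to hold; extend after checking a known-clean host.
$expectedExt = @('.dll', '.exe', '.ini', '.aux')

# -Force includes hidden and system files, which a casual directory listing would skip.
$files = Get-ChildItem -LiteralPath $gacRoot -Recurse -Force -File -ErrorAction SilentlyContinue

$findings = foreach ($f in $files) {
    $reasons = @()

    if ($expectedExt -notcontains $f.Extension.ToLower()) {
        $reasons += "unexpected extension '$($f.Extension)'"
    }
    if (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden attribute' }
    if (($f.Attributes -band [IO.FileAttributes]::System) -ne 0) { $reasons += 'system attribute' }
    if ($f.DirectoryName -eq $gacRoot) { $reasons += 'file directly in the GAC root' }

    # Real GAC entries are managed assemblies, so a DLL or EXE the CLR cannot read as one is
    # worth a closer look. Native images under NativeImages_* are skipped to avoid noise.
    if ($f.Extension -match '^\.(dll|exe)$' -and $f.FullName -notmatch '\\NativeImages_') {
        try   { [void][System.Reflection.AssemblyName]::GetAssemblyName($f.FullName) }
        catch { $reasons += "CLR cannot read it as an assembly ($($_.Exception.GetType().Name))" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path    = $f.FullName
            Bytes   = $f.Length
            Written = $f.LastWriteTime
            Reason  = ($reasons -join '; ')
        }
    }
}

# Newest files first: a recent write into the GAC is the more interesting lead.
$findings | Sort-Object Written -Descending | Format-Table -AutoSize
```

A hit is a lead for manual review, not a verdict: compare against a known-clean build of the same Windows and .NET version before concluding anything.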
  4. An aspect of ZeroAccess that makes it resilient lies in the organization of its botnet infrastructure. ZeroAccess operates as a botnet, meaning that to be useful it must have some way to receive commands. For many botnets the command and control infrastructure that they use is their weakness. Remove the key command and control servers and the individual PCs are left without instructions. The botnet still exists but it cannot be used and is therefore useless to criminals. To avoid this weakness ZeroAccess, and some other recent botnets, use a distributed or peer-to-peer control model. By using distributed control ZeroAccess is resilient to attempts to destroy the botnet. Individual nodes can be cleaned up and removed from the network but it cannot be killed at a single stroke. This reduces the fragility of the botnet by removing the option to 'cut off the head of the snake'. However, it does have some weaknesses too. The individual nodes of the botnet have to know of some other nearby nodes in order to receive instructions, and those instructions may take time to propagate. Also, nodes that do not have direct internet access cannot act as servers for nodes in other networks. To account for this each installation of ZeroAccess contains a configuration file with the addresses of 256 previous nodes to ensure that it will be able to contact another infected computer for instructions. For ZeroAccess the peer-to-peer model is used mainly to enable distribution of other malware or for click fraud, that is, getting the infected PC to visit a website or access online ads to generate advertising income for the affiliate serving those ads. It is also used to distribute spam bots which use the infected PCs to send spam. It is likely that the click fraudsters, spammers and malware authors are renting space on the ZeroAccess botnet and thereby funding the profits of its authors and the continued development of ZeroAccess.
  5. Some versions of ZeroAccess use aggressive techniques to defend themselves on each infected endpoint. It is common for malware to attempt to disable security software; usually the malware simply has a list of security programs that it will attempt to kill if it finds they are running. This is a crude technique and can be fooled by using software that implements some randomness in its file and process names, a common technique in anti-rootkit software. To counter this ZeroAccess sets up a tripwire for security software. It creates a dummy or trap process which does nothing useful and then monitors whether any programs attempt to access the dummy process. Anything that takes the bait is assumed to be a security scanner, and ZeroAccess then tries to disable the scanner by both terminating its running processes and changing its access permissions so that it cannot be run again. However, this kind of damage to security software may have been too obvious in revealing the presence of a rootkit and is not used in more recent versions of ZeroAccess.
  6. There are a few things which make malware for Android more common than for other platforms. Adding new applications to the market is easy and Google's process for controlling the functionality of applications is not very strict. It is very easy to become an Android developer and publish applications. It's also easy to decompile an application, change its functionality and repackage the application as a completely new (effectively stolen) application. Installation from third party sites is possible. There are a number of alternative Android markets for applications, including ones set up by the network providers and other well known companies such as Amazon. Cracked applications are shared on many Android-related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states: "The costs of piracy are very real. One-in-three developers say they've lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers." There is a significant number of alternative markets in China, which is currently the main source of malicious applications. Overall, the situation with Android applications is very similar to the early days of Windows. It is not surprising that we are seeing increasing numbers of Android malware in our labs.
  7. Of course ransomware isn't the only threat using technology in an attempt to defeat security software. Blackhole itself and many other threats extensively use polymorphism to hide their code. Like ransomware, this isn't a brand new technique, but we are now seeing it in ever increasing numbers, especially in web-based attacks. We can see here the result of research done by SophosLabs studying around 7 million attacks over a 3 month period. It shows how many attacks are launched by each individual version of a threat. Three quarters of binaries are unique to the victim of that particular attack. As we can see, the numbers drop away rapidly for 2, 3 or more victim organizations. What this means in practice is that if you encounter malware there's a 75% chance that no-one else anywhere has seen that exact piece of malware before. In effect, a unique attack has been generated just for you. The actual effects of the attack will be exactly the same as those that everyone else sees, but the form it takes will be slightly different. This is all done to avoid detection by security software.
  8. Thirteen predictions for 2013:
     1. Attack toolkits continue to proliferate. Over the past year, we've seen significant investment by cybercriminals in toolkits like the Blackhole Exploit Pack. Features such as scriptable web services APIs, malware quality assurance platforms, anti-forensics and self-protection mechanisms are becoming readily available. Slick reporting interfaces and 'premium features' are fostering new innovation and ensuring that the barrier to entry for cyber crime is low and the quality of malicious code is growing. This trend will continue in 2013, with new toolkits being developed and older toolkits being strengthened.
     2. Modernization and hardening of operating systems. One positive trend for 2013 is the modernization and hardening of operating systems. This year there was a plethora of vulnerabilities that made headlines, such as the recent string of Java vulnerabilities (the 2012 equivalent of Adobe in 2011). Despite the attention these received, exploiting vulnerabilities in general became harder as people adopted more modern operating systems with new security features. The availability of DEP, ASLR, sandboxing and new trusted boot mechanisms made exploitation more challenging. In 2013, cybercriminals will be able to find a vulnerability, but will more often struggle to produce 'useful' exploit code. These mechanisms can be bypassed, but doing so costs development time, and the number of vulnerabilities that can be weaponized will be smaller. We may well see more of a focus on quality social engineering to compensate for harder automated exploitation.
     3. Cloud-based malware testing changes the threat protection model. In 2012, malware testing platforms were widely used to test malicious code before it was released in the wild, to make detection by anti-malware products much harder. These testing platforms are now growing more feature-rich, introducing money-back guarantees and continuous testing features, making cyber criminals even more agile. These platforms have forced the use of more behavioral and reputation-based security mechanisms, a trend that will accelerate in 2013. Watch out for more bi-directional security data exchanges between endpoints and security labs, and new strategies in intelligence gathering to equal the efforts of cyber criminals.
     4. Increased focus on layered security. The aforementioned attack tools plus the trend of targeted, low-volume attacks mean we will see more attacks where the malware authors gain long-term access to systems (a trend most definitely now established). As a result, 2013 will see a stronger focus on layered security systems that detect malware across the entire threat lifecycle, not just at the initial point of entry. There was a recent incident where the initial exploit and malware were entirely missed (they were genuinely new and well tested) but the attacker was caught when he started to use command and control to try and dump password hashes. Even features like application control and reputation can be useful against targeted attacks.
     5. One step forward, two steps back. We all know the story. The pace of adoption of new technologies, devices and operating systems is only increasing, a trend that will naturally continue in 2013. The challenge, however, is that many of the new devices and protocols we introduce are making basic mistakes, which allow simple attacks we had previously eliminated to once again be effective. For example, there are lots of new devices configured not to encrypt email usernames and passwords in transport. This problem is trivially mitigated with configuration, but the traditional processes and controls (or knowledge) do not implicitly cover these new scenarios. The security community needs to watch these new technologies closely in 2013, as they are already in production in most cases.
     6. Mobile attacks become more advanced. Most mobile attacks to date have been comparable to 1990s PC malware or simple attacks. They can largely be avoided by correct device configuration and management. The increased adoption of mobile control and security solutions will force mobile malware authors to alter their strategies in order to remain effective. This is also likely as the mobile device becomes a more interesting platform for attackers to target in terms of pay-off. In 2013, it is likely we will see mobile malware start to borrow more techniques from its PC cousin (though volumes are likely still to remain low, with more of a focus on attacks than malware). The open versus walled garden control model will continue to be tested, with both ends of the spectrum creating opportunities for cyber criminals to capitalize.
     7. Web servers back in the crosshairs. Attacking web servers to distribute malware has been the default for some time; we find a new infected website every couple of seconds. While most businesses have protection for traditional PC environments and endpoints, many neglect to adequately protect their web server environments. In 2012, we saw a large number of web server and database hacks. Like most trends, malware attacks come in cycles, and it has become fashionable to extract credentials from web servers. This trend was gaining momentum in 2012 and it shows no signs of slowing down for 2013.
     8. Integrate 'all of the things'. Mobile devices, applications and social networks (amongst others) continue to become more integrated, which will potentially breed new opportunities for cyber criminals in 2013. New technologies, like NFC being integrated into mobile platforms and increasingly creative use of GPS services to connect our digital and physical lives, mean there will be new opportunities for cyber criminals to compromise our security and/or privacy. This is true not just for mobile devices, but also for traditional computing. Digital systems are gaining the ability to have far more kinetic impact in the real world. In 2013, we need to watch not just the evolution of existing attacks but new types appearing with which we haven't previously dealt.
     9. Diverse business models and irreversible malware. For many years, the majority of malicious code has been financially oriented: stealing credit cards, bank details and other credentials. Theft of intellectual property or intelligence has notably been on the agenda (particularly over the last 24 months), but represents a much smaller portion of malware. Business models and motives for malicious code are, however, diversifying. One particularly concerning category is ransomware. Ransomware encrypts your data and demands money to unlock your files, forcing you to pay the criminals or to restore from a backup, a process that can go poorly in many enterprises. Whereas early samples were low in numbers and easy to reverse and remove, the latest versions are more widespread and use public key cryptography. In some cases their damage is irreversible. We can expect to see more of this class of malware, and potentially similar evolutions, in 2013.
     10. Skills problem becomes more apparent. As the platforms and technologies that we use and need to secure are diversifying, so too are the targets of the attackers. Securing platforms like Linux is increasingly on the priority list of many organizations (not necessarily from malware, but from hackers), and getting staff with up-to-date skills will be an increasing issue. Staff will need to plan to train on mobile platforms, new computing delivery models and even protocols such as IPv6 as they become more relevant. With perhaps the greatest degree of change occurring in computing platforms in the enterprise since we moved from the mainframe, the next couple of years will bring many new lessons to learn.
     11. Cyber criminal anti-forensics. Cyber criminals and hackers are now using the techniques we've developed in the security industry against us. Reputation lists that block forensics teams, labs and security researchers from accessing malicious code networks are being shared between crime packs, presenting more challenges for those doing forensic investigation and trying to chase down incidents. Forensics specialists, law enforcement and vendors need to work carefully to avoid falling into cyber criminals' traps.
     12. More advanced hacktivism and political debate. It goes without saying that hacktivism has a huge place in the public eye and that it is likely to continue to escalate next year. Interestingly, political debates are raging over whether methods like DDoS are legitimate online versions of protest. Over the year we saw hacktivists employ a wide range of techniques beyond DDoS, though many organizations still perceive this as the primary threat from hacktivists. There has been an upward trend in more advanced hacktivist attacks, and we can expect more nasty surprises and news headlines next year. Organizations should not limit their field of thinking on hacktivists to DDoS.
     13. Arguments over big data vs. analytics and confusion. With the challenge of malicious code and attackers bypassing traditional single-layer controls, lots of organizations are discussing the hot topic of the moment: 'big data'. You've likely seen some of the marketing hype around big data, with many claiming magical solutions to the security problem by just combining lots of information together. This process somehow works to then output actionable and useful intelligence, even though the original data was often poor in quality. Many organizations are still chasing basics like patching. In 2013, the hype turns to reality as more companies slowly develop the business process and organizational maturity to benefit from these forms of analysis.