CyberSecurity Malaysia | An Agency Under MOSTI
Organizer:
Endorsed by:
People First,
Performance Now
Ministry of Science,
Technology and Innovation
BRIDGING BARRIERS:
LEGAL AND TECHNICAL OF
CYBERCRIME CASES
The Scenes of Cyber Crime
5 July 2011
Toralv Dirro
EMEA Security Strategist, McAfee Labs
Low Risk + High Profit -> Crime
Cyber Crime Altering Threat Landscape
[Chart: Malware Growth (Main Variations), 2000 to 2007; series: Virus and Bots, PUP, Trojan; vertical axis up to 500,000]
Cyber Crime Altering Threat Landscape
[Chart: Malware Growth (Main Variations), 2000 to 2008; series: Virus and Bots, PUP, Trojan; vertical axis up to 2,200,000. Source: McAfee Labs]
Cyber Crime Altering Threat Landscape
[Chart: Malware Growth (Main Variations), through 2009; series: Virus and Bots, PUP, Trojan; vertical axis up to 3,200,000. Source: McAfee Labs]
Key Trend: Malware Growth Continues
The growth in the number of new malware continues unabated. McAfee Labs identifies approximately
55,000 pieces of new malware each day. At its current pace the total number of malware samples in the
McAfee zoo will reach 75 million by the end of 2011.
[Chart: Total Malware Samples in the Database, monthly, Jan-10 to Mar-11; vertical axis 0 to 70,000,000]
The Malware Market
Trojan and Exploit Kits easily available
New Crimeware Kits
Malware / Crimeware
• URLZone
• The Trojan calls back to its command and control server for specific
instructions on exactly how much to steal from the victim's bank account
without raising any suspicion, and to which money mule account to send
the money. Then it forges the victim's on-screen bank statements so
the person and bank don't see the unauthorized transaction.
http://vil.nai.com/vil/content/v_237377.htm (Downloader-BQZ.a)
This statement shows a transaction of 53.94 Euros when actually 8,571.31
Euros was removed from the account. The balance has been changed by the
Trojan.
(http://www.geek.com/articles/news/malware-now-covers-its-tracks-inbank-statements-20090930/)
ZeuS - “human” MITM – Step 1
Maintenance, please wait
ZeuS - “human” MITM – Step 2
Math for security reasons…
ZeuS - “human” MITM – Step 3
For Security Reasons: Your phone number please
ZeuS - “human” MITM – Step 4
Acknowledge with iTAN 10
ZeuS - “human” MITM – Step 5
Added successful
ZeuS - “human” MITM – Step 6
Unfortunately we are closed for maintenance
ZeuS - “human” MITM Admin Panel
Key Trend: Android 3rd Most Popular Mobile Target
Overall mobile malware activity growth slowed to 5% quarter over quarter, but
there was a marked increase in the activity on the Android platform, which moved
from the #5 most popular target to #3.
The mobile attack strategies are starting to mirror the approaches historically
used to attack PC operating systems. A maliciously altered application obtains
root access and then connects the device to a botnet-like command center,
which issues subsequent instructions to extract data from the device or (over
time) extend the attack to other devices.
[Chart: Mobile Malware Targets; platforms shown: Symbian OS, Java 2 Mobile Edition, Android, Python, WinCE, MSIL, VBS, BlackBerry, Linux]
[Chart: Total Mobile Malware Samples, by quarter, Q1 '09 to Q1 '11; vertical axis up to 1,200]
Mobile Crimeware
Geinimi: A new Trojan affecting Android devices has recently emerged in China (Q1)
Geinimi is the first Android malware in the wild that displays
botnet-like capabilities. Once the malware is installed on a
user's phone, it has the potential to receive commands
from a remote server that allow the owner of that server to
control the phone.
• Send location coordinates (fine location)
• Send device identifiers (IMEI and IMSI)
• Download and prompt the user to install an app
• Prompt the user to uninstall an app
• Enumerate and send a list of installed apps to the server
• Read and collect SMS messages
• Send and delete selected SMS messages
• Pull all contact information and send it to a remote server
(number, name, the time they were last contacted)
• Place a phone call
• Silently download files
• Launch a web browser with a specific URL
Credit for screenshot:
http://m.hauri.co.kr/info/virus_view.html?intSeq=1881&code=4
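Added example (not from the original slides): because this kind of Trojan arrives inside a maliciously altered application, one triage step is to diff the permissions a repackaged app requests against the original's and map the additions to the capabilities listed above. The permission mapping, the package name and both sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping (not from the slides): capability on the slide -> Android
# permissions an app has to declare before it can use that capability.
CAPABILITIES = {
    "send fine location": {P + "ACCESS_FINE_LOCATION"},
    "send IMEI/IMSI": {P + "READ_PHONE_STATE"},
    "read SMS": {P + "READ_SMS"},
    "send or delete SMS": {P + "SEND_SMS", P + "WRITE_SMS"},
    "read contacts": {P + "READ_CONTACTS"},
    "place phone call": {P + "CALL_PHONE"},
    "contact remote server / download files": {P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name.strip())
    return perms

def added_capabilities(original_xml, repackaged_xml):
    """Map permissions present only in the repackaged app to slide capabilities."""
    added = requested_permissions(repackaged_xml) - requested_permissions(original_xml)
    report = {}
    for capability, perms in CAPABILITIES.items():
        hits = sorted(perms & added)
        if hits:
            report[capability] = hits
    return report

def _sample_manifest(*perms):
    """Build a constructed sample manifest; com.example.game is a placeholder."""
    body = "".join(
        '  <uses-permission android:name="%s%s"/>\n' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.game">\n' + body + "</manifest>")

# Constructed inputs: the original app only needs network access; the altered
# copy additionally asks for location, identifiers, SMS, contacts and calls.
ORIGINAL = _sample_manifest("INTERNET")
REPACKAGED = _sample_manifest(
    "INTERNET", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE",
    "READ_SMS", "SEND_SMS", "READ_CONTACTS", "CALL_PHONE")

if __name__ == "__main__":
    for capability, perms in added_capabilities(ORIGINAL, REPACKAGED).items():
        print("%-22s %s" % (capability, ", ".join(perms)))
```

Permissions that the original app already requested (INTERNET here) do not show up in the diff, so the result is a triage signal, not a verdict.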
Mobile Crimeware
A variant of the ZeuS trojan is targeting the mobile-phone-based two-factor
authentication used by Polish ING Bank Slaski (Q1)
Polish security consultant Piotr Konieczny reported that operators of the
Zeus botnet are attempting to reach into the mobile sphere with two new
variants targeting users on Windows Mobile and Symbian phones. Zeus in the
Mobile (or Zitmo) is again attempting to authenticate bank transactions by
intercepting the mTAN authentication code sent to mobile devices.
Credit for screenshot:
http://niebezpiecznik.pl/post/zeusstraszy-polskie-banki/
An mTAN (mobile Transaction Authentication Number) is used by some online banking
services in Europe to authorize financial transactions by sending an SMS to the
customer's phone. TANs were put in to add an extra layer of security in order to complete
large transactions. It is believed that Zitmo was developed to circumvent this added layer
of security implemented by the banks.
$70mio International Cybercrime Ring Busted
• October 1st 2010: Operation Trident Breach
– Investigations began in May 2009
– 60 criminals charged, 10 arrested
– International Partnership with SBU and other authorities
• The Federal Bureau of Investigation, including the New York Money Mule Working Group, the Newark Cyber
Crime Task Force, the Omaha Cyber Crime Task Force, the Netherlands Police Agency, the Security Service of
Ukraine, the SBU, and the United Kingdom's Metropolitan Police Service participated in the operation.
– The cyber thieves targeted small- to medium-sized companies,
municipalities, churches, and individuals, infecting their
computers using a version of the Zeus Botnet. The malware
captured passwords, account numbers, and other data used to
log into online banking accounts. This scheme resulted in the
attempted theft of $220 million, with actual losses of $70 million
from victims' bank accounts.
Key Trend: Fake Malware Detection Software
Fake anti-virus, also known as bogus or rogue security software, had a very strong quarter and its
growth shows no real signs of slowing. This will remain an actively developing area of malware due to
the amount of money cybercriminals can earn with these fake technologies.
[Chart: Unique Fake Alert Samples Discovered; vertical axis 0 to 400,000]
Questions? More Info?
• Read the McAfee Labs Security Blog
– http://blogs.mcafee.com/mcafee-labs
• Listen to the AudioParasitics Podcast
– http://www.audioparasitics.com
• Read the Monthly Spam Report
– http://www.mcafee.com
• Read the McAfee Quarterly Threat Report
– http://www.mcafee.com
• Read the McAfee Security Journal
– http://www.mcafee.com
• Watch the Stop H*Commerce Series
– http://www.stophcommerce.com