1

Fighting Malware

Luis CorronsPandaLabs Technical Director

Who is behind this?Who is behind this?

YesterdayYesterday’’s Bad Guyss Bad GuysBlaster.B Nestky / Sasser CIH 29-A

Jeffrey Lee Parson Sven Jaschan Chen Ing-Hau Benny

TodayToday’’s Bad Guyss Bad Guys

Jeremy JaynesAndrew SchwarmkoffJames Ancheta

Phishing SpamSpam

Jeanson James Ancheta

Plead guilty to four felony charges of violating United States Code Section 1030, Fraud and Related Activity in Connection with Computers

Penalty:57 months in prison

Adam Botbyl

The government claimed that the crime could have caused more than $2.5 million in damages.

Penalty:26 months in prison

Cameron Lacroix

Plead guilty to hacking into the cell-phone account of celebrity Paris Hilton and participated in an attack on data-collection firm LexisNexis Group that exposed personal records of more than 300,000 consumers.

Penalty:11 months in a Massachusetts juvenile detention facility

Ehud Tenenbaum

Admitted to cracking US and Israeli computers, and plead guilty to conspiracy, wrongful infiltration of computerized material, disruption of computer use and destroying evidence.

Penalty:Six months of community service(in 2001)

August 2009:Pleaded guilty to a single count ofbank-card fraud for his role in asophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks.

A Real CaseA Real Case

The The ““Infected TeamInfected Team””MPackMPack

Dream DownloaderDream Downloader

LimboLimbo

Total Investment: 1,500$Total Investment: 1,500$

The The ““Infected TeamInfected Team””

The The ““Infected TeamInfected Team””

LetLet’’s do some mathss do some maths……China, Korea, Japan:China, Korea, Japan: $0.01 * 70,300 = $703$0.01 * 70,300 = $703Finland, NorwayFinland, Norway……:: $0.05 * 70,300 = $3,515$0.05 * 70,300 = $3,515UK, FranceUK, France……:: $0.20 * 70,300 = $14,060$0.20 * 70,300 = $14,060USA, Canada:USA, Canada: $0.40 * 70,300 = $28,120$0.40 * 70,300 = $28,120

And the same numbers in 30 daysAnd the same numbers in 30 days……China, Korea, Japan:China, Korea, Japan: $0.01 * 70,300 * 30 = $21,090$0.01 * 70,300 * 30 = $21,090Finland, NorwayFinland, Norway……:: $0.05 * 70,300 * 30 = $105,450$0.05 * 70,300 * 30 = $105,450UK, FranceUK, France……:: $0.20 * 70,300 * 30 = $421,800$0.20 * 70,300 * 30 = $421,800USA, Canada:USA, Canada: $0.40 * 70,300 * 30 = $843,600$0.40 * 70,300 * 30 = $843,600

The The ““Infected TeamInfected Team””

WhoWho’’s paying the s paying the ““Infected TeamInfected Team””? ?

Rogueware Infected Computers 3.50%Computers worldwide 1 billion (Forrester)

35,000,000 infected computers / monthly

Phishing victims (Gartner) 3.30%

35 million computers ≠ 35 million users

557,500 rogueware buyers / monthly

Let’s take just half: 17.5 million people

Rogueware Average Price $59.95

$59.95 * 557,000 = $34,621,125 PER MONTH

$415,453,500 PER YEAR

$81,388 USD in 6 days!

Malware figuresMalware figures

Malware figuresMalware figures

Malware figuresMalware figures

• 1,000,000 malicious links indexed by Google• 3,000,000 legitimate search terms hijacked• Targeted users looking for instructions (E.g. How to loosen a tension belt)• Served 100 new MSAntiSpyware2009 binaries in 24 hours

SEO attack against Ford Motor Company

Comments on Digg.com leading to Rogueware

• 500,000+ comments leading to Rogueware• Comments targeted news submission title and content

Twitter trending topics lead to Rogueware

• Messages (tweets) targetting trending topics on Twitter.com• 27,000 tweets per 24 hours• 60 unique samples detected over 72 hour period

Rogueware exploits Wordpress vulnerability to facilitate Blackhat SEO attack

• Affected Ned.org and TheWorkBuzz.com• Targeted a security vulnerability in an old version of Wordpress• Redirected all links to point to Rogueware servers

ConclusionConclusion

52

Thanks!Thanks!Luis Corrons

luis.corrons@pandasecurity.com

PandaLabs Blog:

http://www.pandalabs.com