Geneva, 9(pm)-10 February 2009
International Telecommunication Union
Fighting cybercrime in 2009
Magnus Kalkuhl, Senior Virus Analyst
Kaspersky Lab
ITU-T Workshop on “New challenges for Telecommunication Security Standardizations”
[Chart: Number of signatures 1998 - 2008; x-axis years 1998 to 2008, y-axis 0 to 1,600,000]
Cybercrime business
Malware is written for one goal: Making money
Cybercrime business is organized, but more as “crime that is organized” rather than “organized crime”
There is no centralized control by a“Dr no” character
The dirty approach
The silent approach
After infection a computer is used for...
Sending spam mails
Performing DDoS attacks
Fast flux networks
Proxy computer
Stealing the owner's credit card data, bank account or “World of Warcraft” password
Example: Drive by download
Browser
Exploit: Small program that breaks the barriers of a browser (or other program) and executes its own code
Several systems available: MPack, Icepack etc.
Offered for 500 – 1.000 EUR
Shadow botnet
Botnet CPU performance
[Chart: Botnet CPU performance in GFLOPS, y-axis 0 to 180,000; series: Shadow botnet (100.000 bots), European supercomputer (Jugene, Jülich)]
[Chart: Botnet CPU performance in GFLOPS, y-axis 0 to 500,000; series: Shadow botnet (100.000 bots), European supercomputer (Jugene, Jülich), Kido botnet (AV-Test.org estimation)]
[Chart: Botnet CPU performance in GFLOPS, y-axis 0 to 10,000,000; series: Shadow botnet (100.000 bots), European supercomputer (Jugene, Jülich), Kido botnet (AV-Test.org estimation), Kido botnet (F-Secure estimation)]
What can AV companies do?
Protecting servers and client computers against initial infection
Education: Teaching security awareness
Monitoring botnets – without touching them
Information exchange with CERTs, authorities and other researchers
What else could be done
Separation of the internet into virtual islands
International cyberspace police that is able to act quickly in cases of emergency
New law that allows authorities to notify botnet victims after gaining control over a botnet control center
The limits of control
There will always be uncontrolled networks (with lots of malware)
Usage of “savage nets” will be prohibited by some governments – but that won't stop their existence
The only place for people who have been banned from the “official” Internet
Conclusion
AV companies can prevent initial infections
International botnets require international cooperation
“Virtual islands” and more control will lead to a fragmentation of the internet as we know it today
Thank you very much!