Indian Cybercrime Scene: Caught In the Cross-Fire
Vinoo Thomas, Research Lead, McAfee Labs
Rahul Mohandas, Research Scientist, McAfee Labs
Agenda
• Knowing the enemy – Who’s at your front door?
• India in the information age
• World “Wild” Web – Indian users caught in the cross fire
• India’s contribution to worldwide Spam, Botnet and DDOS attacks
• Regional malware
• Targeted attacks
• The future
http://www.internetworldstats.com/stats3.htm
India’s Growing Cyber Population
http://www.intgovforum.org/cms/2008/press/Worldwide%20Internet%20usage%2008.pdf
Why do Indians go online?
http://www.google.com/insights/search/#
What do Indians search online?
Breaking news? Think Malware
• Malware authors make use of breaking news or popular search terms to ensure a higher return on investment.
• Popular news items that were misused include:
– Searches for Michael Jackson's death led to malware
– Benazir Bhutto assassination, Bangalore blasts
– Indian celebrities and cricketers
Riskiest Indian Celebrities
Source: http://www.hindustantimes.com/cinema-news/mirchmasala/Ash-more-dangerous-than-Katrina/Article1-451587.aspx
Popular Indian Sites Compromised to Serve Malware
World “Wild” Web
• Risks on the Web are constantly changing. A site that is safe one day can be risky the next.
• It is not always easy for consumers to identify which site is safe. Even experienced users can be deceived when a trusted site is compromised to serve malware.
• Thousands of legitimate web sites are compromised every day to serve malware to unsuspecting users.
• High-profile Indian sites that have been compromised to serve malware include banks, security vendors, portals, businesses, as well as educational and government sites.
Payload and impact of users getting infected
Payload
• Bots
• Backdoors
• Keyloggers
• Password Stealers
• Rogue Antivirus Products
• Rootkits
Symptoms
• Infected machine becomes part of a botnet
• Abused to send spam, launch DDoS, host exploits, and act as a launch pad for more attacks
• Infected users often have no clue
Compromised users on a limited-bandwidth Internet plan can end up getting a huge bill at the end of the month – for no fault of theirs!!
W32/Conficker in India vs. rest of world
Conficker world infection map
Source: http://www.confickerworkinggroup.org/wiki/uploads/ANY/conficker_world_map.png
W32/Conficker.worm - Infection Data
http://www.team-cymru.org/Monitoring/Malevolence/conficker.html
Twitter-Facebook Episode
• Twitter, Facebook, LiveJournal, YouTube, Fotki – what do they have in common?
• Each hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken after Sukhumi, the capital of Abkhazia, one of Georgia's pro-Russian breakaway republics).
• They all suffered a massive distributed denial-of-service (DDoS) attack. The attack took down Twitter for several hours and significantly slowed down connectivity to YouTube, LiveJournal and Facebook.
Source: http://www.avertlabs.com/research/blog/index.php/2009/08/07/collateral-damage/
India's Contribution to DDoS
• India's contribution to the attack traffic was 8%
Source: http://www.avertlabs.com/research/blog/index.php/2009/08/07/collateral-damage/
India's Spam Contribution
Source: http://www.trustedsource.org

Top spam-sending countries by share of worldwide spam, Q2 2009 vs. Q1 2009:

Q2 2009                      Q1 2009
United States      35%       United States      34%
Brazil              7%       Brazil              7%
India               7%       China               5%
South Korea         5%       India               4%
China               4%       Russia              4%
Russia              3%       Turkey              4%
Turkey              3%       South Korea         4%
Thailand            2%       Spain               2%
Romania             2%       United Kingdom      2%
Poland              2%       Colombia            2%
Others             30%       Others             32%
Phishers target Indian Banks
• Uses pure social engineering to deceive users
• Stolen credentials make their way to underground forums and are sold there
• Commercial do-it-yourself phish kits are available for Indian banks
• Increase in phish emails observed during the Verified by Visa and MasterCard SecureCode campaign
Malware source code freely available
Malware is localized and targeted
• Exploits using MS Word, Excel, PowerPoint and WordPad are increasingly popular
• Multiple zero-day vulnerabilities in Office were discovered and exploited in 2009
• Mostly spammed to users or hosted on malicious websites
Targeted Attacks: Microsoft Office
• Attachment claims to contain sensitive information on the Pakistani Air Force
• Exploits a vulnerability already patched by Microsoft security bulletin MS06-028
Targeted Attacks: Adobe PDF
• More than 80% of users have Adobe Acrobat installed
• Easy to social-engineer users, as the PDF format is considered trustworthy
• Over 5 new exploits released this year alone, including zero-days
• Most exploits use JavaScript to spray shellcode on the heap
• Heavily deployed in web attack toolkits
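A defender-side triage check for the PDF indicators this slide lists (embedded JavaScript, auto-run actions, heap-spray style strings), added here as an illustrative example that is not part of the original presentation or McAfee's tooling; the two sample PDFs are constructed, and the indicator list and scoring threshold are assumptions.

```python
import re

# Constructed samples (not real malware): a bare PDF skeleton, and the same
# skeleton with an /OpenAction that runs a JavaScript object containing a
# heap-spray-like repeated %u-escaped string.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (var a=unescape("%u9090%u9090%u9090%u9090");while(a.length<0x100000)a+=a;) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Assumed indicator list: PDF name objects that a malicious document needs in
# order to run script or act without user interaction.
INDICATORS = {
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript stream or string",
    b"/OpenAction": "action runs automatically when the document opens",
    b"/AA": "additional (event-triggered) action",
    b"/Launch": "launch action (external program)",
}

def normalize_names(data: bytes) -> bytes:
    # PDF allows #xx hex escapes inside names (e.g. /J#61vaScript); decode them
    # so a trivially obfuscated name still matches the indicator list.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Return the matched indicators, a score and a simple verdict."""
    data = normalize_names(data)
    # Require the name to end here so /JS does not match inside longer names.
    hits = [desc for tag, desc in INDICATORS.items()
            if re.search(re.escape(tag) + rb"(?![A-Za-z])", data)]
    # Heap-spray heuristic: long runs of %uXXXX escapes or an unescape() call.
    if re.search(rb"(%u[0-9A-Fa-f]{4}){4,}", data) or b"unescape(" in data:
        hits.append("long %u-escaped string / unescape(): heap-spray pattern")
    score = len(hits)
    return {"indicators": hits, "score": score,
            "verdict": "review" if score >= 2 else "clean"}
```

Real-world documents usually compress the script inside FlateDecode streams, so a production check must inflate streams before running these string matches.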
The future...
Cyber Crime Altering Threat Landscape
• Over 1,500,000 unique malware detections in 2008
– 1H09 up 150% from 1H08
• Malware is heavily obfuscated with packers and compression technologies
• 80% of threats are financially motivated, up from 50% two years ago, with password-stealing Trojans being rampant
• 6500+ new variants analyzed daily
[Chart: Unique Malware Detections – 2006: 78,381; 2007: 271,197; 2008: 1,500,000; 2009 1st half: 1,200,000]
Why take to cybercrime?
Low Risk + High Reward + Opportunity = Safer than traditional crime
Cyber Crime – India Statistics
– India: 63% of businesses have seen an increase in threats from 2008 to 2009
– India: 40% of businesses in India had an incident that cost an average of $13,543 to fix and recover from, and caused revenue loss
– India is the 14th most dangerous domain for web surfing, with 3.07% of Indian websites rated Red or Yellow by McAfee SiteAdvisor
http://economictimes.indiatimes.com/Infotech/Internet/Chasing-the-cyber-criminal/articleshow/5166638.cms
Summary - What does this mean to you?
• The malware problem is here to stay – threats are becoming more region-specific and sophisticated.
• Monetary reward is the primary motivation for malware authors.
• India's growing cyber population makes an attractive target.
• Need to improve user education and awareness at the grassroots level.
McAfee In Action
Source: http://www.dsci.in/images/stories/mcafee_announces_grant_of_rs._2.5_mn_for_dsci.pdf
McAfee Initiative to Fight Cybercrime: http://www.mcafee.com/us/about/corporate/fight_cybercrime/
McAfee Security Resources
Web Sites
– McAfee: http://www.mcafee.com
– Threat Center: http://www.mcafee.com/us/threat_center/default.asp
– Submit a Sample: http://vil.nai.com/vil/submit-sample.aspx
– Scan Your PC: http://home.mcafee.com/Downloads/FreeScanDownload.aspx
Notifications
– Security Advisories: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
Word of Mouth
– Blog: http://www.avertlabs.com/research/blog/
– Podcasts: http://podcasts.mcafee.com/