Upload: rahul-mohandas, posted 02-Jul-2015

Page 1: Indiancybercrimescene

Indian Cybercrime Scene: Caught in the Cross-Fire

Vinoo Thomas, Research Lead, McAfee Labs
Rahul Mohandas, Research Scientist, McAfee Labs

Page 2: Indiancybercrimescene

Agenda


• Knowing the enemy – Who’s at your front door?

• India in the information age

• World “Wild” Web – Indian users caught in the cross fire

• India’s contribution to worldwide spam, botnet and DDoS attacks

• Regional malware

• Targeted attacks

• The future

Page 3: Indiancybercrimescene

India’s Growing Cyber Population

Source: http://www.internetworldstats.com/stats3.htm

Page 4: Indiancybercrimescene

Why do Indians go online?

Source: http://www.intgovforum.org/cms/2008/press/Worldwide%20Internet%20usage%2008.pdf

Page 5: Indiancybercrimescene

What do Indians search online?

Source: http://www.google.com/insights/search/#

Page 6: Indiancybercrimescene

Breaking news? Think Malware

• Malware authors make use of breaking news or popular search terms to ensure a higher return on investment.

• Popular news items that were misused include:

– Searches for Michael Jackson’s death led to malware

– Benazir Bhutto assassination, Bangalore blasts

– Indian celebrities and cricketers

Page 7: Indiancybercrimescene

Riskiest Indian Celebrities

Source: http://www.hindustantimes.com/cinema-news/mirchmasala/Ash-more-dangerous-than-Katrina/Article1-451587.aspx

Page 8: Indiancybercrimescene

Popular Indian Sites Compromised to Serve Malware


Page 9: Indiancybercrimescene

World “Wild” Web

• Risks on the Web are constantly changing. A site that is safe one day can be risky the next.

• It is not always easy for consumers to identify which site is safe. Even experienced users can be deceived when a trusted site has been compromised to serve malware.

• Thousands of legitimate web sites are compromised every day to serve malware to unsuspecting users.

• High-profile Indian sites that have been compromised to serve malware include banks, security vendors, portals, businesses, as well as educational and government sites.

Page 10: Indiancybercrimescene

Payload and impact of users getting infected

Payload

• Bots
• Backdoors
• Keyloggers
• Password stealers
• Rogue antivirus products
• Rootkits

Symptoms

• The infected machine becomes part of a botnet
• It is abused to send spam, take part in DDoS attacks, host exploits, and act as a launch pad for further attacks
• Infected users often have no clue

Compromised users on a limited-bandwidth Internet plan can end up with a huge bill at the end of the month, for no fault of their own!
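The symptoms on this slide are visible from the network side long before the user notices a bill. The following Python script is an added example written for this page, not code from the McAfee presentation: its flow-record format, the hosts, and the thresholds (20 distinct SMTP peers, a 200 MiB plan quota) are assumptions, and the traffic records are constructed. It flags a host that delivers mail directly to dozens of mail servers (a home PC normally talks SMTP only to its ISP’s relay, so this is the spam-bot pattern) and a host whose outbound volume would blow through a capped plan.

```python
"""Network-side check for the bot symptoms on this slide (added example).
Flow-record format, hosts and thresholds are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse 'ts src dst dport bytes_out' lines (a hypothetical export format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def find_suspect_hosts(flows, smtp_peer_threshold=20, quota_bytes=200 * 2**20):
    """Return {host: [reasons]} for hosts showing bot-like behaviour.

    Direct-to-MX delivery: a home PC should talk SMTP to its ISP's relay only, so
    dozens of distinct port-25 peers means it is pushing spam itself.
    Outbound volume over the plan quota: the 'huge bill' symptom from the slide.
    """
    smtp_peers = defaultdict(set)
    bytes_out = defaultdict(int)
    for f in flows:
        bytes_out[f.src] += f.bytes_out
        if f.dport == 25:
            smtp_peers[f.src].add(f.dst)

    findings = defaultdict(list)
    for host, peers in smtp_peers.items():
        if len(peers) >= smtp_peer_threshold:
            findings[host].append(
                f"direct-to-MX spamming: {len(peers)} distinct SMTP peers")
    for host, total in bytes_out.items():
        if total > quota_bytes:
            findings[host].append(
                f"outbound volume {total / 2**20:.0f} MiB exceeds plan quota")
    return dict(findings)


def make_sample_flows():
    """Constructed traffic for three home PCs behind one gateway (not real data)."""
    lines = ["# ts src dst dport bytes_out"]
    # 192.168.1.10: ordinary browsing
    lines.append("2009-08-07T10:00:01 192.168.1.10 203.0.113.5 80 1200")
    lines.append("2009-08-07T10:00:02 192.168.1.10 203.0.113.9 443 5400")
    # 192.168.1.20: spam bot talking to 40 different mail servers
    for i in range(1, 41):
        lines.append(f"2009-08-07T10:01:{i % 60:02d} 192.168.1.20 198.51.100.{i} 25 900")
    # 192.168.1.30: DDoS participant / bulk upload, about 500 MB to one target
    for i in range(50):
        lines.append(f"2009-08-07T11:{i:02d}:00 192.168.1.30 203.0.113.77 80 10000000")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, reasons in find_suspect_hosts(parse_flows(make_sample_flows())).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Run against real flow or NetFlow exports, the two thresholds are the knobs to tune: an ISP relay-only policy makes the SMTP check very sharp, while the quota check should use the subscriber’s actual plan.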

Page 11: Indiancybercrimescene

W32/Conficker in India vs. rest of world


Page 12: Indiancybercrimescene

Conficker world infection map

Source: http://www.confickerworkinggroup.org/wiki/uploads/ANY/conficker_world_map.png

Page 13: Indiancybercrimescene

W32/Conficker.worm - Infection Data

http://www.team-cymru.org/Monitoring/Malevolence/conficker.html

Page 14: Indiancybercrimescene

Twitter-Facebook Episode

• Twitter, Facebook, LiveJournal, YouTube, Fotki: what do they have in common?

• Each hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics).

• They all suffered a massive distributed denial-of-service (DDoS) attack. The attack took down Twitter for several hours and significantly slowed connectivity to YouTube, LiveJournal and Facebook.

http://www.avertlabs.com/research/blog/index.php/2009/08/07/collateral-damage/

Page 15: Indiancybercrimescene

India’s Contribution to DDoS

• India’s share of the attack traffic was 8%

http://www.avertlabs.com/research/blog/index.php/2009/08/07/collateral-damage/

Page 16: Indiancybercrimescene

India’s Spam Contribution

Source: http://www.trustedsource.org

Top spam-sending countries, share of worldwide spam volume (– : not in that quarter’s top ten):

Country          Q1 2009   Q2 2009
United States      34%       35%
Brazil              7%        7%
India               4%        7%
China               5%        4%
Russia              4%        3%
Turkey              4%        3%
South Korea         4%        5%
Spain               2%         –
United Kingdom      2%         –
Colombia            2%         –
Thailand             –        2%
Romania              –        2%
Poland               –        2%
Others             32%       30%

Page 17: Indiancybercrimescene

Phishers target Indian Banks

• Uses pure social engineering to deceive users

• Stolen credentials make their way to underground forums and are sold there

• Commercial do-it-yourself phish kits are available for Indian banks

• An increase in phish emails was observed during the Verified by Visa and MasterCard SecureCode campaigns.
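To show what “pure social engineering” looks like from the analyst’s side, here is an added example (not from the slides) that pulls the links out of a phishing e-mail body and applies three checks: the visible link text names one domain while the href points elsewhere; the bank’s brand appears inside a domain the bank does not own; the link goes to a raw IP address. The bank domain examplebank.co.in, the sample e-mail and its lure text are constructed for the example.

```python
"""Pull links out of a phishing lure and check them against the bank's real
domain (added example; bank, e-mail and lure text are constructed)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical bank used for the example; not a real institution.
LEGIT_DOMAINS = {"examplebank.co.in"}
BRAND_WORDS = ("examplebank", "netbanking")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_legit_host(host):
    """True for the bank's own domain and its subdomains only. A host that merely
    *contains* the bank name (examplebank.co.in.evil.example) fails this check."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_lure(html):
    """Return [(href, [reasons])] for every link that looks like a phish."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        reasons = []
        if is_ip_literal(host):
            reasons.append("link goes to a raw IP address")
        # The visible text shows a domain; does the link really go there?
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host and not is_legit_host(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if any(w in host for w in BRAND_WORDS) and not is_legit_host(host):
            reasons.append("bank brand used inside a domain the bank does not own")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed lure: the urgency hook ('confirm within 24 hours') is the social
# engineering; the links are where the deception becomes checkable.
SAMPLE_EMAIL = """\
<html><body>
<p>Dear Customer, as part of the Verified by Visa rollout your NetBanking access
will be suspended unless you confirm your details within 24 hours.</p>
<p>Login here: <a href="http://examplebank.co.in.secure-login.example.net/vbv/">www.examplebank.co.in</a></p>
<p>Or use our mirror: <a href="http://203.0.113.10/netbanking/">Click here</a></p>
<p>Questions? Visit <a href="https://www.examplebank.co.in/help">www.examplebank.co.in</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in analyse_lure(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

The suffix test in is_legit_host is the important detail: “examplebank.co.in” appearing at the front of a hostname proves nothing, because whoever controls secure-login.example.net controls every label to the left of it. The same logic applies to phish-kit pages for any bank once LEGIT_DOMAINS is filled with that bank’s real domains.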

Page 18: Indiancybercrimescene

Malware source code freely available


Page 20: Indiancybercrimescene

Targeted Attacks: Microsoft Office

• Exploits using MS Word, Excel, PowerPoint and WordPad files are increasingly popular

• Multiple zero-day vulnerabilities in Office were discovered and exploited in 2009.

• Mostly spammed to users or hosted on malicious websites

• The attachment shown claims to contain sensitive information on the Pakistan Air Force.

• It exploits a vulnerability that Microsoft had already patched in bulletin MS06-028.

Page 21: Indiancybercrimescene

Targeted Attacks: Adobe PDF

• More than 80% of users have Adobe Acrobat installed

• Easy to social-engineer the user, as the PDF format is considered trustworthy

• Over 5 new exploits released this year alone, including zero-days.

• Most exploits use JavaScript to spray shellcode on the heap

• Heavily deployed in web attack toolkits.
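The two slides above (Office documents and PDFs as targeted-attack carriers) describe one triage problem: an attachment that claims to be a harmless document. The following Python script is an added example for this page, not code from the presentation. It sniffs the real container type from magic bytes and compares it with the extension, looks inside OLE2/zip containers for an embedded PE executable (an MZ header whose e_lfanew points at a valid PE signature), and, for PDFs, decodes #xx name escapes before checking for /JavaScript, /JS, /OpenAction and a JavaScript heap-spray fingerprint (unescape() of repeated %uXXXX sequences, a common form of what the slide describes). All sample files are constructed byte strings; the filenames, the extension map and the thresholds are assumptions.

```python
"""Triage for document attachments (added example; all samples constructed)."""
import re
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# What the extension claims the container should be (assumption: a small map;
# Word also opens RTF or HTML named .doc, so a mismatch is a lead, not proof).
EXPECTED_KIND = {"doc": "ole2", "xls": "ole2", "ppt": "ole2",
                 "docx": "zip", "xlsx": "zip", "pptx": "zip", "pdf": "pdf"}
PDF_RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def sniff_type(data):
    """Identify the real container from magic bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"            # legacy .doc/.xls/.ppt compound file
    if data.startswith(b"PK\x03\x04"):
        return "zip"             # .docx/.xlsx/.pptx are zip containers
    if b"%PDF" in data[:1024]:   # readers tolerate junk before the header
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"              # a Windows executable pretending to be a document
    return "unknown"


def find_embedded_pe(data, start=1):
    """Offsets of MZ headers whose e_lfanew points at a 'PE\\0\\0' signature.
    Only works on uncompressed bytes: a deflated zip member must be inflated first."""
    hits = []
    off = data.find(b"MZ", start)
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits


def pdf_indicators(data):
    """Risky PDF names plus the classic JavaScript heap-spray fingerprint.
    Names may be written with #xx escapes (/J#61vaScript), so decode them first."""
    norm = re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)
    found = [n.decode() for n in PDF_RISKY_NAMES if n in norm]
    if b"unescape(" in norm and len(re.findall(rb"%u[0-9A-Fa-f]{4}", norm)) >= 2:
        found.append("heap-spray pattern")
    return found


def check_document(filename, data):
    """Return a list of human-readable findings for one attachment."""
    findings = []
    kind = sniff_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append(f"extension .{ext} but content is {kind}")
    if kind in ("ole2", "zip"):
        for off in find_embedded_pe(data):
            findings.append(f"embedded PE executable at offset {off:#x}")
    if kind == "pdf":
        findings.extend(pdf_indicators(data))
    return findings


def build_samples():
    """Constructed attachments: a clean .doc, a .doc carrying a dropped EXE,
    a PDF with obfuscated JavaScript and a heap spray, and an EXE renamed .pdf."""
    pad = b"\x00" * 504
    clean_doc = OLE2_MAGIC + pad
    mz = bytearray(b"MZ" + b"\x00" * 0x3E)       # minimal DOS header
    struct.pack_into("<I", mz, 0x3C, 0x40)        # e_lfanew -> right after header
    fake_pe = bytes(mz) + b"PE\x00\x00" + b"\x00" * 60
    trojan_doc = OLE2_MAGIC + pad + fake_pe
    evil_pdf = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /J#61vaScript /JS (var s = unescape(\"%u0c0c%u0c0c\");"
                b" while (s.length < 0x100000) s += s;) >> endobj\n%%EOF\n")
    return {"quarterly.doc": clean_doc, "report.doc": trojan_doc,
            "invoice.pdf": evil_pdf, "brochure.pdf": fake_pe}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", check_document(name, blob) or ["no indicators"])
```

None of these checks says whether a given exploit works; they are the first-pass indicators a mail gateway or analyst uses to decide which attachments deserve a sandbox run. Real samples also hide the dropped executable inside compressed or XOR-encoded streams, which is why the embedded-PE scan is deliberately documented as working on raw bytes only.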

Page 23: Indiancybercrimescene

Cyber Crime Altering Threat Landscape

• Over 1,500,000 unique malware detections in 2008

– 1H09 up 150% from 1H08

• Malware is heavily obfuscated with packers and compression technologies

• 80% of threats are financially motivated, up from 50% two years ago, with password-stealing Trojans rampant

• 6,500+ new variants analyzed daily

[Chart: Unique Malware Detections per year]

2006           78,381
2007          271,197
2008        1,500,000
2009 1H     1,200,000
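Packed or compressed code can be spotted because it looks random. The following script, an added example and not from the slides, computes Shannon entropy over fixed-size windows of a file and reports the regions that score above a threshold; 7.0 bits per byte over 1 KiB windows is an assumption, a common rule of thumb rather than a fixed standard. The sample file is constructed in code: a text-like region, zero padding, and a pseudo-random filler standing in for a packed section.

```python
"""Spot packed/compressed regions by byte entropy (added example; sample constructed)."""
import hashlib
import math


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=1024, threshold=7.0):
    """Byte ranges (start, end) whose windows exceed the threshold, merged when
    adjacent. 7.0 bits over 1 KiB windows is an assumed rule of thumb: plain text
    and unpacked x86 code normally score well below it, packed or encrypted
    payloads above it. Small windows are noisier: random bytes only reach about
    7.2 over 256 bytes because not every byte value gets a chance to appear."""
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if len(chunk) < window // 2:   # skip a tiny tail, its estimate is unreliable
            continue
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


def pseudo_random_bytes(n, seed=b"packed-section"):
    """Deterministic high-entropy filler (stand-in for a packed section)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample():
    """Constructed 4 KiB 'file': 1 KiB of text, 1 KiB of zero padding,
    2 KiB of pseudo-random bytes where a packer would place compressed code."""
    text = (b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
    padding = b"\x00" * 1024
    packed = pseudo_random_bytes(2048)
    return text + padding + packed


if __name__ == "__main__":
    sample = build_sample()
    for start, end in high_entropy_regions(sample):
        print(f"high-entropy region {start:#x}-{end:#x}: "
              f"{shannon_entropy(sample[start:end]):.2f} bits/byte")
```

Applied to a real PE, run this per section rather than per fixed window: a tiny code section next to a large high-entropy data section is the usual signature of a packer stub that unpacks the real program at runtime. High entropy alone is not proof of malice, since legitimate installers and compressed resources score the same way.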

Page 24: Indiancybercrimescene

Why take to cybercrime?

Low risk + high reward + opportunity = safer than traditional crime

Page 25: Indiancybercrimescene

Cyber Crime – India Statistics

– India: 63% of businesses have seen an increase in threats from 2008 to 2009

– India: 40% of businesses had an incident that cost an average of $13,543 to fix and recover from, and that caused revenue loss.

– India’s country domain is the 14th most dangerous for web surfing, with 3.07% of Indian websites rated Red or Yellow by McAfee SiteAdvisor.

Source: http://economictimes.indiatimes.com/Infotech/Internet/Chasing-the-cyber-criminal/articleshow/5166638.cms

Page 26: Indiancybercrimescene

Summary - What does this mean to you?

• The malware problem is here to stay; threats are becoming more region-specific and more sophisticated.

• Monetary reward is the primary motivation for malware authors.

• India’s growing cyber population makes it an attractive target.

• User education and awareness need to improve at the grassroots level.

Page 27: Indiancybercrimescene

McAfee In Action

– McAfee grant to DSCI: http://www.dsci.in/images/stories/mcafee_announces_grant_of_rs._2.5_mn_for_dsci.pdf

– McAfee Initiative to Fight Cybercrime: http://www.mcafee.com/us/about/corporate/fight_cybercrime/

Page 28: Indiancybercrimescene

McAfee Security Resources

Web sites
– McAfee: http://www.mcafee.com
– Threat Center: http://www.mcafee.com/us/threat_center/default.asp
– Submit a Sample: http://vil.nai.com/vil/submit-sample.aspx
– Scan Your PC: http://home.mcafee.com/Downloads/FreeScanDownload.aspx

Notifications
– Security Advisories: http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

Word of mouth
– Blog: http://www.avertlabs.com/research/blog/
– Podcasts: http://podcasts.mcafee.com/
