From Traditional Malware to Targeted Attacks Raimund Genes Chief Technology Officer Trend Micro


Page 1: Raimund genes    from traditional malware to targeted attacks

From Traditional Malware to Targeted Attacks
Raimund Genes
Chief Technology Officer
Trend Micro

Page 2:

Page 3: [diagram: Internet, gateway, Exchange server and three PCs; 150 infected mails]

Page 4: Evolution to Cybercrime

[chart: Crimeware, damage caused by cybercrime; timeline 2001, 2003, 2004, 2005, 2007, 2010, 2011+]

• 2001 to 2010: Vulnerabilities, Worm Outbreaks, Spam, Mass Mailers, Spyware, Intelligent Botnets, Web Threats

• 2011+: Targeted Attacks, Mobile Attacks

Page 5:

Trustwave 2013 Global Security Report:

Average time from initial breach to detection was 210 days, more than 35 days longer than in 2011.

Page 6: Malware / Bot / APT Behavior Comparison Table

| | APT | Bot | Malware |
|---|---|---|---|
| Distribution | With organized planning | Mass distribution over regions | Mass distribution over regions |
| Services interruption | No | No | Yes |
| Attack Pattern | Targeted (only a few groups/organizations) | Not targeted (large area spread-out) | Not targeted (large area spread-out) |
| Target Audience | Particular Organization/Company | Individual credentials including online banking account information | Random |
| Frequency of attacks | Many times | Once | Once |
| Weapon | Zero-day exploit; drop embedded RAT; dropper or backdoor | Multiple exploits, all in one | By malware design |
| Detection Rate | Lower than 10% within one month | Around 86% within one month | Around 99% within one month |

Page 7: Some Documented Advanced Persistent Threat Campaigns (Real-world Examples)

• LURID – threat actors launched around 300 campaigns targeting different industries in different countries

• Luckycat – threat actors used diverse infrastructure (from throwaway free hosting to dedicated VPSs)

• Taidoor – threat actors primarily targeted government organizations located in Taiwan

• IXESHE – threat actors used compromised computers inside the network to evade network detection

Page 8:

Advanced Persistent Threat

Targeted Attacks

Page 9:

The attacker knows what he’s looking for!

Page 10:

South Korea – Hacktivism, Cyber Sabotage, or Cyberterrorism?

Page 11:

Sometimes “unusual” targets

Page 12:

Typical Industrial Control System (ICS)

Page 13: Let’s simulate a Water Pressure Control station

• In a small city in the US with 8,000 citizens

• It has to look like a real system

• And by “accident” the system has a link to the Internet

Page 14:

Building a SCADA Honeypot…

Page 15:

Page 16: Attacks from [chart, by country]

China 17, US 9, Laos 6, UK 4, Russia 3, Brazil 2, Netherlands 1, Japan 1, Poland 1, Vietnam 1, Palestine 1, Chile 1, Croatia 1, North Korea 1

Page 17:

Page 18:

What to expect next?

Page 19:

Page 20:

Your phone as your wallet

Page 21: Android Malware

[chart values: 120,000 and 350,000]

Page 22: Vehicle past and now

• TOYOTA'S Vehicle (1955): no computers included

• TOYOTA'S Hybrid Vehicle (2011): over 70 computers included

Page 23: [diagram: vehicle attack surface]

• Tire Pressure Monitoring System

• Unauthorized apps, multimedia file, smartphone, USB

• Immobilizer cutter

• Door locks, Smart Key

• CHAdeMO: quick charging method for battery powered electric vehicles

• Key fob

• Telematics system

• OBDII, CAN, ECU: Vehicle Area Network

Page 24:

Page 25:

iVehicle

Page 26:

Embedded OS selected by car industry

SELECTED

IVI Standard Organization

Page 27:

Security Assessment

Kernel > 2.6.35.3

Gain Privilege > 18

Page 28: Overflow attack to CAN bus

• All the ECUs turned into Fail-Safe Mode.

• Engine fan and headlamp kept working.

• Meter (e.g. speed) needle keeps wobbling

Page 29:

Page 30:

If someone wants to get in, he gets in!

Page 31:

Page 32:

So do we do a lot of stuff just to satisfy the auditors?

Page 33:

Page 34:

Page 35: [chart by region: Latin America, Europe, APAC, North America, Global]

Page 36:

Thank You