恶意软件的安全威胁和防护恶意软件的安全威胁和防护

EnterpriseSegmentPresentedbyPanWongTrendMicroDate:16Nov20052EnterpriseSegmentAgenda1.1.NetworkVirusthreatNetworkVirusthreat2.2.HottestthreatHottestthreat––Spyware!Spyware!3.3.MobileSecuritythreatMobileSecuritythreat4.4.AlltimethreatAlltimethreat--SpammailsSpammails5.5.SummarySummary6.6.Q&AQ&AEnterpriseSegmentNetworkViruses4EnterpriseSegmentSoaringImpactOfMaliciousCodeAttacksSasserInfectedover1millioncomputersinonly2days.TheSasserwormwassoeffectiveitwasabletoinfectcomputersevenifno-onewasusingit!5EnterpriseSegmentTheHeadlines:WindowsTheHeadlines:WindowsATMsATMsraiseSecurityraiseSecurityConcernsConcerns6EnterpriseSegmentTHEPROBLEM:OUTBREAKSSTOPBUSINESSCONTINUITY•NetworkWormOutbreaksHaveBeenSevere–Estimated$3.5B1indamagesfromSasseralone–InfamousExamples:CodeRed,Nimda,Slammer,Blaster,Nachi,Sasser–Estimated1000+NetworkWorms,Variants,andExploits(asof10/01/04)2Sources:CNN.com,BBC.com1-ComputerEconomics;2-TrendLabs7EnterpriseSegment336daysNimda185daysSlammerBusinessesCan’tKeepUpAnymoreSource:TrendMicroWindowbetweenvulnerabilityannouncementandoutbreakisshrinkingVulnerabilityAnnouncedMSBlaster.A26daysVulnerabilityAnnouncedVulnerabilityAnnounced18daysSasserVulnerabilityAnnouncedVulnerabilityAnnounced4days!Zobot.A8EnterpriseSegmentApplicationvs.NetworkLayerVirusScanningApplicationLayerScanningNetworkLayerScanningDatatransferredoverthenetworkisbrokeninto“packets”….File/Applicationlayerscanning(antivirusproducts)requiresreassemblyintoafile–anetworkviruscanresideonasingle“packet”andenteradestinationundetectedNetworklayerscanningexamineseach“packet”,identifyingnetworkviruses•Bothapplicationandnetworklayerthreatsexisttoday•Bothapplicationandnetworklayersolutionsarerecommendedforcomprehensiveprotection9EnterpriseSegmentTraditionalVirusScanningPhysicalNetworkApplicationFilePhysicalNetworkApplicationDiskDiskFileComputer1Computer2NetworkViruspacketsbypasstraditionalscanning10EnterpriseSegmentNetworkVirusScanningPhysicalNetworkApplicationFilePhysicalNetworkApplicationDiskDiskFileHost1Host2NetworkViruspacketsaredroppedatnetworklayer11EnterpriseSegmentInfectedWorkstationControlManagerServer(Patched)UnpatchedWorkstationUnpatchedWorkstationNetworkVirusScanningDeployedinVirustrafficblockedbyNetworkVirusScanningControlManagerAlertedCleanupToolDeployedVirustrafficstopped!12EnterpriseSegmentNetworkVirusScanningistheCure!EnterpriseSegmentSpywares14EnterpriseSegmentWithProfitcomes…..•Professionalcriminals,virtualsyndicates•Proliferationofprograms,createdfasterthanever–Onlyafewthousandvirusesandwormseverhitthewild–100,000sofspyware/adwareprogramsmayexistalready•Moresophisticatedandsneakiertechniques–Designedtodeceive,hide–Designedtoremain,regenerate,resistdeinstallation–Designedtomodify,track,steal,takecontrol,redirect,reporthome15EnterpriseSegmentWithProfitcomes…..•Professionalcriminals,virtualsyndicates•Proliferationofprograms,createdfasterthanever–Onlyafewthousandvirusesandwormseverhitthewild–100,000sofspyware/adwareprogramsmayexistalready•Moresophisticatedandsneakiertechniques–Designedtodeceive,hide–Designedtoremain,regenerate,resistdeinstallation–Designedtomodify,track,steal,takecontrol,redirect,reporthome16EnterpriseSegmentSpyware:Whatdoesitdo?•Trackthesitesyouvisit•Monitorkeystrokes•Scanandreadcookies,clipboard,browserhistoryfile•Relaypersonal/confidentialinformationtoathirdparty•BombardyouwithPop-ups•Changebrowsersettings•Createunwantediconsandlinksonyourdesktop17EnterpriseSegmentSpyware:Howdousersgetinfected?•Drive-bydownloads,ActiveX•Peer-to-Peer/IMdownloads•Freeloaders/Parasitestolegitimateapplicationinstallations(e.g.Kazaa)•Freesoftwaredownloads(e.g.emoticons)•Softwarevulnerabilities•IfEULAispresentedatall,itisoftentooconfusingtoknowwhatyouarereallygettinginto18EnterpriseSegmentSpyware:Howdousersgetinfected?19EnterpriseSegmentHowDoesSpywareComparetoVirusesandOther“Malware”?•Fromatechnicalstandpoint,spywareisvirtuallyidenticaltovirusesandothermalware–Samekindsoffiles,folders,registryentries,processes–Samekindofdetectiontechniques–Samekindofremovaltechniques•SpywarehasmoreofanimpactonsystemperformancemorethanatypicalvirusdoesFrequentlyAlwaysNeverSpywareRarelySometimesOftenMalware(Virus,Worm)CrashorSlowDownthePC(side-effect)StealDataorControlofPC(designedfor)DestroyDataorBandwidth(designedfor)20EnterpriseSegmentAnti-spywarestrategyWebGatewayWebGatewayDamageCleanupDamageCleanupServerServerDesktopDesktopAntiAnti--spywarespyware1.BlockspywarefromenteringnetworkBlockURLstoknownsources2.Preventspywarefrominstalling/loadingScandiskandmemoryforresidentspyware3.Blockphonehomeattempts4.AutomatedCleanup5.Consolidatedreporting21EnterpriseSegmentWebSecurityGateway--StoppingIncomingSpyware22EnterpriseSegmentWebSecurityGateway--StoppingOutgoingSpywareActivityandInitiatingaCleanup23EnterpriseSegmentMobileSecurityThreats24EnterpriseSegmentTheSmartphonePopulationGrows52.4%CAGR2003-2008Smartphonesarethefastestgrowingsegment25EnterpriseSegmentMobileSpamMakesHeadlines•MobileSpambecomesaconcernstoendusersandoperators26EnterpriseSegmentVlascoSkudooBoot