Attack Intelligence Research Center Monthly Threat Report MalWeb Evolution and Predictions

Transcription

1 Attack Intelligence Research Center Monthly Threat Report MalWeb Evolution and Predictions A l a d d i n. c o m / e S a f e

2 Overview Web security has been struggling for a long time with its own definition. Traditionally, Web security referred to the securing of websites, as attackers would try to break into a site by exploiting the logic of the application running on the site, or its infrastructure (the Web server).these days, with the decline in the amount of Web application vulnerabilities and the rise in client targeted attacks carried over the Internet, the definition of Web security has changed. Gartner has been the first to define an official market segment that focuses on the protection of enterprise networks from such Web-born threats as the Secure Web Gateway. This market segment has been the proving grounds for what is today the most prolific attack vector in computer security attacking computer systems through Web content. Threat Evolution The current Web threat can be traced back and compared to the evolution of Web 2.0. The following section exemplifies the correlation between the evolutions of the Internet to the evolution of malicious code. Initially, the Web consisted mainly of static content hosted on websites that delivered only that content and nothing more. The Web was static, with simple text, graphics and links between elements and content. A comparable situation at the threat scenario has been viruses. Traditional viruses were designed to attack the operating system and infect it with a piece of code that would reproduce itself, causing some kind of damage. The attack vector consisted on either physical delivery (using floppy disks and CD-ROMs infected with the viral file), or via , where a message would contain an attachment that infected the PC when run. At the time, malware solutions were anti-virus software of sorts that focused on providing the end-user with updated signatures for the viruses and blocked their execution when the AV software saw the viral files. When Web applications began to appear, it was a clear indication of the Web s maturing process. Content was no longer static it was dynamically generated at the server side, and could adapt to the users and provide them with more sophisticated content tailored for their request. The threat vector evolved as well. Now, instead of simple viruses, malicious code was delivered in forms that were tailored to mimic the Web experience. Spyware and Adware were the most popular threats, tracking users actions and taking control over their Web experience by manipulating them into viewing advertisements, then collecting information on their activities, and sending that data back for spam and advertisement purposes. Antivirus programs were still one of the most efficient ways to cope with these threats, and the solutions began to put more focus on browser-related technologies such as BHOs (Browser Helper Objects), ActiveX, and Cookies, as part of the solutions they offered protecting against Spyware and Adware as well as viruses. When Web 2.0 technologies started to appear, the Web took a turn into user-generated content. Websites were no longer the sole responsibility of their creator, but more of a platform for users to adapt content to their individual preferences. The Internet shifted from its linear form into an a-linear way of working as the concept of an HTTP transaction was turned into an a-synchronous entity with AJAX. At this phase, user interaction no longer required content to be requested or sent back to the browser, and viewed content could be manipulated in the background without disrupting the flow of events that the user was experiencing with the Web site. esafe In parallel, as Web content gained more potent processing power, the traditional malware found a new weak spot to attack. Browsers (even modern ones) were usually based on technologies that started with the first iteration of the Internet, and needed to support the many add-ons that modern Web 2.0 sites required in order to provide a satisfactory user experience (no modern Web 2.0 site would look remotely usable without JavaScript and most of the times Flash). This situation, along with the many opportunities given by third party software existing on this very same platform from Apple s QuickTime to Adobe s Flash caused a new brand of malicious code to evolve:

3 MalWeb. MalWeb is not constrained by the necessity to compile and package attacks into easy signature files, and, as it is scripted in plain text, it allows the same exploit code for a vulnerability to be expressed in any number of ways. Even after the traditional antivirus programs started signing keywords prone to be used by malware, as well as whole snippets of code, MalWeb found a new home in code obfuscation that scrambled any piece of malicious code into an infinite string of incomprehensible text that would turn back into code at the client and exploit the end user. Modern Developments of MalWeb When attackers found MalWeb to be the most efficient way of delivering malicious code to their victims, it shifted the scales of corporate security. communications required traditional security means to remain in place (in which the security requirements are almost solely focused on SPAM), while more scrutiny has been put on gateway AV, and URL filtering technologies that tried to stop attacks either at the initial communication (preventing users from going to questionable sites), or at the point where the MalWeb that already exploited the PC would try to bring in additional, more traditional malware (the AV scanning files going through the network). At that stage, attackers had the upper hand, and started commoditizing attack tools as exploits packaged in an easy-to-deploy, easy-to-manage software suite, that enabled not only click and deliver MalWeb infections, but also advanced reporting and tracking in order to maximize the return on investment for these tools. It has come to a point where business-to-business (or more appropriately criminal-to-criminal) transactions occur with currency in infected PCs or harvested data, and are usually priced according to its status as a business or an end-user system that was victimized. Security measures at this point in time have to shy away from the traditional measures of signing code, or even running heuristics on known exploits. Possessing a security system that understands MalWeb and Web 2.0 is a key factor in implementing a Secure Web Gateway solution that can not only block and clean up MalWeb ridden content, but also understands how legitimate Web 2.0 applications work, and deliver users with as fast and complete an experience as they demand. In addition, the ability to inspect all the traffic going to and from the Internet not just on the more traditional HTTP and HTTPS communication paths, but also on other ports has turned out to be a significant requirement from an SWG solution as P2P (Peer to Peer) traffic and back-channels for infected systems are not limited to using Web traffic exclusively. Traffic going in and out of the organization needs as thorough inspection as regular Web traffic does, as it is key for controlling Web applications, P2P and IM (Instant Messenger) communications. Looking Forward MalWeb is the natural evolution of malware that has been adapted to the ever-expanding Web 2.0 world. Different from malware, which is created in one place and the distributed in its final form, MalWeb is only born when it reaches its victim. Current signature and filtering techniques are not helpful in eradicating it, because it is created only when it is triggered - when served up by the browser, which runs it and presents it to user. The unique ingredients of MalWeb come from different sources, so it presents in different form each time, making it one of the most critical security threats organizations face today when it comes to securing perimeters and Internet communications. The complexity of Web 2.0 has lent MalWeb it s most important capabilities: carrying over the same media and form as legitimate code is at modern websites and granting it enough power to take advantage of system-level vulnerabilities simply by running on Web browsers and their add-ons that are required for modern Web 2.0 functionality. MalWeb is as adaptive and dynamic as the Web applications it resides in, and like a biological enemy, its goal is to find ways to bypass your immune system your browser protection mechanisms. The key to protection against MalWeb is to develop an equally intelligent defense ensure that all traffic on all ports is being inspected, that content in transit is being analyzed, correlated and cleaned, and that this inspection is covering both inbound and outbound traffic, such as P2P and IM (Instant Messenger) communications. A l a d d i n. c o m / e S a f e

4 About the Attack Intelligence Research Center The Aladdin Attack Intelligence Research Center (AIRC) is a premier facility for Internet threat detection and cybercrime investigation. The mission of the AIRC is to deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in Aladdin s content security solutions. Based in Tel Aviv, the AIRC is comprised of global security researchers and law enforcement and cybercrime specialists dedicated to finding and eradicating Internet threats that compromise legitimate business safety. AIRC goes beyond traditional threat detection to provide business intelligence around evolving threats, predict future trends in Internet security, and uncover the inner workings and affects of the business of ecrime. For more information, visit About Aladdin Aladdin Knowledge Systems (NASDAQ: ALDN) is an information security leader with offices in 12 countries, a worldwide network of channel partners, and numerous awards for innovation. Aladdin etoken is the world s #1 USB-based authentication solution, offering identity and access management tools that protect sensitive data. Aladdin HASP SRM boosts growth for software developers and publishers through strong anti-piracy protection, IP protection, and secure licensing and product activation. Aladdin esafe delivers real-time intelligent Web gateway security that helps protect data and networks, improve productivity, and enable compliance. Visit esafe

5 9/2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin and esafe are registered trademarks of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners. For more contact information, visit: North America: , UK: Germany: France: Benelux: Spain: Italy: Portugal: Israel: China: India: Japan: Mexico: All other inquiries: