Security Trends X-Force

Transcription

1 Security Trends X-Force IBM Internet Security Systems (ISS) The IBM ISS X-Force research and development team drives IBM Security Innovation Research Technology Solutions Original Vulnerability Research Public Vulnerability Analysis Malware Analysis Threat Landscape Forecasting Protection Technology Research X-Force Protection Engines Extensions to existing engines New protection engine creation X-Force XPU s Security Content Update Development Security Content Update QA X-Force Intelligence X-Force Database Feed Monitoring and Collection Intelligence Sharing The X-Force team delivers reduced operational complexity helping to build integrated technologies that feature baked-in simplification 2 1

2 IBM X-Force Web Intelligence Lifecycle Deep Crawl of Known Malicious Websites Analyze New Exploit Techniques Provide New Protection Guidance Develop Protection Deliver Updates Classify MSS Links Find Related Websites (Deep Crawl) Search for Malware Find New Malicious Websites Block All Malicious Domains Apply Updates Monitor Browsing of: Million of End-users Thousands of Customers Hundreds of Countries Block Malicious Links Send Links to Cobion 3 X-Force R&D -- Unmatched Security Leadership The mission of the IBM Internet Security Systems X-Force research and development team is to: Research and evaluate threat and protection issues Deliver security protection for today s security problems Develop new technology for tomorrow s security challenges Educate the media and user communities X-Force Research 10B analyzed Web pages & images 150M intrusion attempts daily 40M spam & phishing attacks 43K documented vulnerabilities Millions of unique malware samples Provides Specific Analysis of: Vulnerabilities & exploits Malicious/Unwanted websites Spam and phishing Malware Other emerging trends 4 2

3 Looks Can Be Deceiving: Vulnerability Disclosures Decline but Exploitation Increases Declines in some of the largest categories of vulnerabilities Slowing disclosure rate is due to the disappearance of the low-hanging fruit from currently researched categories and existing applications Exploits targeting these vulnerabilities are increasing, especially SQL injection and ActiveX controls. High vulnerabilities are down 6% YOY Medium vulnerabilities are up to 62% of the vulnerabilities (8% YOY increase) YOY = year over year 5 Patches Still Unavailable for Half of Vulnerabilities Nearly half (49%) of all vulnerabilities disclosed in the first half of 2009 had no vendor-supplied patches to remedy the vulnerability *Vendors with twenty or more disclosures in 1H 2009 **IBM Disclosures 82, Unpatched 3, % Unpatched 3.7% Top 10 categories of operating systems account for 89% of all operating system vulnerability disclosures and 93% of all critical and high operating system disclosures in the first half of Percentage of Percentage of All Operating System Critical and High OS Vulnerabilities Microsoft 39% 14% Apple 18% 24% Sun Solaris 14% 26% Linux 14% 20% IBM AIX 7% 3% BSD 2% 4% Others 7% 11% 6 3

4 The Economics of Attacker Exploitation Document Reader vulnerabilities: Widely deployed Public exploits Fits the drive-by-download business model Exchange TNEF vulnerability: Widely deployed Valuable data No public exploit No plug and play business model 7 The drive-by-download process Desktop Users Downloader installed Exploit material Served Malware installed and activated Browse The Internet Web server with embedded iframe Malicious iframe host Web browser targeted 8 4

5 Malicious Web Links Increase by 508% YOY Personal homepages (typically hosted by communication service company domains) account for approximately half of all the domains hosting at least one malicious link Hosts that have 10 or more, pornography accounts for nearly 28% and gambling accounts for more than 14% One or More Malicious Links Ten or More Malicious Links 9 SQL Injection 10 5

6 SQL Injection 11 SQL Injection SQL Injection attack Monitored by IBM ISS Managed Security Services 12 6

7 SQL Injection Attack Tools * Automatic page-rank verification * Search engine integration for finding vulnerable sites * Prioritization of results based on probability for successful injection * Reverse domain name resolution * etc. 13 The Economics of Attacker Exploitation Document Reader vulnerabilities: Widely deployed Public exploits Fits the drive-by-download business model Exchange TNEF vulnerability: Widely deployed Valuable data No public exploit No plug and play business model 14 7

8 The Three Legged Stool 15 Web App Vulnerabilities Continue to Dominate 50.4% of all vulnerabilities are Web application vulnerabilities SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot 16 8

9 Web App Vulnerabilities Continue to Dominate Security and Spending are Unbalanced The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it's fixed. -Darkreading.com 17 The drive-by-download process Desktop Users Downloader installed Exploit material Served Malware installed and activated Browse The Internet Web server with embedded iframe Malicious iframe host Web browser targeted 18 9

10 Web Browsers are Complicated and Vulnerable Largest number of client-side vulnerabilities in the first half of 2009 affects Web browsers and their plugins Mozilla Firefox surpasses Microsoft Internet Explorer for the 1 st time. 19 Decline in Disclosures Does Not Impact Exploitation Decline in ActiveX disclosures does not appear to be making an impact on exploitation. Three of the five most popular exploits are ActiveX controls. First time that a PDF exploit is in the top 5 list. Most Popular Exploits Rank 2008 H H1 1. Microsoft MDAC RDS Dataspace ActiveX (CVE ) 2. Microsoft WebViewFolderIcon ActiveX (CVE ) 3. Internet Explorer "createcontrolrange" DHTML (CVE ) 4. RealPlayer IERPCtl ActiveX (CVE ) 5. Apple QuickTime RSTP URL (CVE ) Microsoft MDAC RDS Dataspace ActiveX (CVE ) Microsoft Snapshot Viewer ActiveX (CVE ) Adobe Acrobat and Reader Collab.Collect Info (CVE ) Microsoft IE7 DHTML Object Reuse (CVE ) RealPlayer IERPCtl ActiveX (CVE ) 20 10

11 Vulnerabilities in Document Readers Skyrocket Portable Document Format (PDF) vulnerabilities disclosed in the first half of 2009 has already surpassed disclosures from all of PDF disclosures traded places with Office document disclosures to take the top spot. Points to Consider: Users trust.pdf more than.exe PDF exploits becoming a popular method of attack 21 Adobe Security Update: APSB09-07 Jun Mao and Ryan Smith, idefense Labs (CVE ) Haifei Li of Fortinet's FortiGuard Global Security Research Team (CVE ) Apple Product Security Team (CVE ) Matthew Watchinski, Sourcefire VRT (CVE ) Alin Rad Pop, Secunia Research (CVE ) 0198) Will Dormann, CERT (CVE ) Nicolas Joly, VUPEN Security (CVE ) 0509) An anonymous researcher reported through TippingPoint s Zero Day Initiative (CVE ) Mark Dowd of the IBM Internet Security Systems X-Force (CVE , 0509, CVE , CVE , 0511, CVE , 0512, CVE , 0888, CVE ) 0889) 22 11

12 Popular drive-by-download exploit packs WebAttacker2 Mpack IcePack Localized to French in May 2008 Firepack Neosploit Black Sun Cyber Bot 23 IcePack First appeared in July 2007 Two Versions of IcePack Basic Version IcePack Lite Edition (only has exploits for MS and MS06-006) and sold for $30 Advanced version IcePack Platinum Edition, sold for around $400 Produced by IDT Group in Russian English and French available Licensed on a per-website Basis Contains Web browser optimized exploit pages /exploits/i.php Optimized for Internet Explorer Contains WinZip exploits, QuickTime overflow, MS WebViewFolderIcon, MS VML /exploits/movie.bin QuickTime overflow exploit /exploits/f.php Firefox optimized version of MS exploit /exploits/o.php Opera optimized version of MS exploit 24 12

13 Javascript Obfuscation 25 Increasing Prevalence of Attack Obfuscation The level of obfuscation found in Web exploits, and, especially, PDF files continues to rise. Some of these techniques are being passed to malicious multimedia files as well. From Q1 to Q2 alone, the amount of suspicious, obfuscated content monitored by IBM ISS Managed Security Services nearly doubled

14 The drive-by-download process Desktop Users Downloader installed Exploit material Served Malware installed and activated Browse The Internet Web server with embedded iframe Malicious iframe host Web browser targeted 27 Information Stealing Trojans and Fraud Tools Increasing Trojans make up 55% of all Malware Infostealers & Downloaders are the most common subcategories Infostealer Trojans target online games as well as banking credentials 28 14

15 Trojan Creator Kits Constructor/Turkojan V.4 New features Remote Desktop Webcam Streaming Audio Streaming Remote passwords MSN Sniffer Remote Shell Advanced File Manager Online & Offline keylogger Information about remote computer Etc.. 29 Trojan Creator Kits 30 15

16 Commercial Anti-debugging Tools for Malware Authors Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/exes, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers). Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. 31 Malware Quality Assurance Check to see if the DIY malware can defeat commercial AV? 32 16

17 Spam Continues to Change to Avoid Detection Spam is up approximately 40% in % of spam classified as URL spam Using trusted domains and legitimate links continues to help avoid anti-spam technologies Brazil, the U.S., and India account for about 30% of worldwide spam Image-based Spam has returned Most Common Domains in URL Spam, 2009 H1 33 Phishing Disappears and then Reappears 34 17

18 Anonymity through botnet agents Anonymous Proxies Volume of proxy services increasing year over year SOCKS Jump Point Many tools and services rely upon compromised hosts (typically botnet agents) to provide SOCKS proxies as anonymous exit/jump points. 35 XSOX Botnet Anonymizer 36 11/4/

19 A Tale of Two Worms MS : Buffer Overrun In RPC Interface Could Allow Code Execution Patched July 2003 Specially crafted RPC requests MS Blaster Worm Released August 11 th 2003 Propagation rate peaked within 8 hours Microsoft: Between 8 and 16 million infections MS : Vulnerability in Server Service Could Allow Remote Code Execution Patched October 23, 2008 Specially crafted RPC requests Gimmiv.A Not very effective Conficker.A November 20 th - Not very effective Conficker was a non-story in December of 2008 Internet Security has improved in 2008 Widespread use of Windows Update Better use of security tools Firewalls, IPS, Antivirus This all changed on December 29 th with Conficker.B

20 39 IBM s Comprehensive Approach Mitigates the Threat People and Identity Threat: Cracking of weak Windows Domain passwords Solution: Good network access control management Data and Information Threat: Autorun - Peer to Peer drive mapping and Thumb-drives Solution: Managed central file sharing with good access controls, antivirus, and backup Application and Process Threat: Exploitation of remote code execution vulnerabilities Solution: Effective device inventory and policy compliance focused on vulnerability and patch management Network, Server, and End Point Threat: Automatic network propagation Solution: Intrusion Prevention at the Network, Server, and Host that can identify and preemptively prevent 0-day threats 40 20

21 41 X-Force 2008 Trend & Risk Report Summary Vulnerabilities are at a high plateau Secure Web presence has become the Achilles heel of corporate IT security Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents like Adobe PDF files Successful exploitation typically leads to the installation of information-stealing Trojans The most prevalent malware category 42 21

22 2008 X-Force Annual Trend & Risk Report Mapping to IBM Portfolio Area of Risk IBM Security Solutions Vulnerabilities Web Application Vulnerabilities PC Vulnerabilities including Malicious Web Exploits Spam Unwanted Web Content Malware - IBM ISS Intrusion Prevention System (IPS) products: Proventia Network IPS, Proventia Server, RealSecure Server Sensor, Proventia Desktop & Proventia Multifunction (MFS) -IBM ISS Managed Protection Services for IPS - Tivoli Security Information and Event Manager (TSIEM) - Web application IPS security for Network, Server and MFS (April marketing launch) - Managed Protection Services for IPS - Rational Appscan for assessment -Rational Appscan Enterprise - Tivoli Security Information and Event Manager - Tivoli Security Policy Manager - IBM ISS Intrusion Prevention System (IPS) product lines (see above list under vulnerabilities) - Managed Protection Services for IPS - Managed Security Services for Web Security - Proventia Web Filter Mail security offerings: - Proventia Network Mail / Lotus Protector - Proventia Multifunction System (MFS) - Managed Security Services for Mail Security - Proventia MFS - Managed Security Services for Web Security - Proventia Web Filter - Proventia Desktop and MFS - Managed Security Services for Mail and Web Security - Proventia Network Mail / Lotus Protector - Proventia Web Filter 43 22