EVILSEED: A Guided Approach to Finding Malicious Web Pages

Size: px
Start display at page:

Download "EVILSEED: A Guided Approach to Finding Malicious Web Pages"

Transcription

1 + EVILSEED: A Guided Approach to Finding Malicious Web Pages Presented by: Alaa Hassan Supervised by: Dr. Tom Chothia

2 + Outline Introduction Introducing EVILSEED. EVILSEED Architecture. Effectiveness of EVILSEED. Discussion and Limitations. Conclusion.

3 + Searching the Web How would you identify a page to be malicious? Are the current techniques for identifying malicious pages effective in your opinion?

4 + Identifying Malicious Web Pages is A Challenging Task The web is a very large place. Everyday new pages whether legitimate and malicious are added to the web in a daunting pace. Attackers regularly perform scans for vulnerable hosts in which they can exploit to store malicious pages. Infected hosts are organized in complex malicious meshes to increase the chances of users landing on them.

5 + Searching the Web A Three Step Process Using crawlers, URLs are collected in mass amounts. Fast prefiltering to quickly discard pages that are very likely to be legitimate. Oracles: Slowly and carefully analyze the remaining pages and detect malicious content using special tools, such as Honeyclients. Effective approach but not efficient: Resource consuming. Time consuming. Costly.

6 + A Much More Efficient Approach EVILSEED is a guided approach to finding malicious web pages, in a much more efficient way: Improves the efficiency of web crawling phase. Starts from a set of known malicious pages. o Legit compromised web pages. o Pages set up by cybercriminals. Generate search engine queries to find pages that share certain similarities with the known malicious pages, Guided Search rather than random search. Allows gathering URLs with high toxicity.

7 + Advantages of EVILSEED URLs found are much more likely to be malicious than a web page found by randomly crawling. Fixed amount of resources. Much faster. Could be beneficial to search engines.

8 + Why EVILSEED Works? Malicious pages usually share similarities o Attackers usually search the web for patterns associated with vulnerable web applications that can be exploited by injecting malicious code into their pages. o Attackers use exploit toolkits to create their attack pages. o Many compromised pages are often linked to the same malicious page. Made use of available up to date tools and datasets in the guided search process o Passive DNS feeds. o Google & Bing crawler infrastructure. (indexed a large portion of the web, always up to date).

9 + EVILSEED Components Seed: The (evil) seed is a set of pages that have been previously found to be malicious. Gadgets: The core of EVILSEED, they o extract info from the seed pages, o build the search engine queries based on that info, Expansion. o Gather back the URLs caught in the guided search process and pass them to the oracle for further analysis. Oracle: Further analysis is done. o Google s safe Browsing Blacklist. o Wepawet: service for detecting and analyzing web-based threats. o Custom built tool to detect fake AV sites.

10 + EVILSEED Architecture

11 + Gadgets EVILSEED implements five gadgets: Links Gadget: uses the web topology (web graph) to find pages that link to malicious resources. Content Dorks Gadget: identifying vulnerable and exploited web applications. Search Engine Optimization (SEO) Gadget: analyzes seed pages that belong to blackhat Search Engine Optimization campaigns. Domain Registrations Gadget: identifies suspicious sequences of domain registrations. DNS Queries Gadget: analyzes traces of DNS requests to locate pages that lead to a malicious domain.

12 + Link Gadget Locates Malware Hubs (pages that contain links to several malicious URLs.). Seed: All URLs known to be malicious. Expansion: o Searches for malware hubs that link to the seed pages. o Forms search queries that are sent to Google, Bing and Yacy to distribute the load. o Retrieves the URLs and extracts all outgoing links from each URL.

13 + Content Dorks Gadget Automates the generation of relevant Google Dorks Can automatically identify suitable dorks. Google dorks are the center of the Google Hacking database. Many hackers use google to find vulnerable webpages and later use these vulnerabilities for hacking.

14 + Content Dorks Gadget Seed: Legitimate webpages that are compromised by attackers. (landing pages) o Contain indexable content o Remain online longer o Such sites share characteristics that can be identified. Expansion: queries are based on n-grams of words extracted from indexable content. n grams :type of probabilistic language model for predicting the next item in a sequence in an order (n-1). o Term extraction (extracts terms that best summarize the content of the page). o n-gram selection (extracts all sequences (of length n) of words from a landing page, ranks them according to their likelihood of occurring in a malicious page vs. benign page.

15 + Search Engine Optimization Gadget cybercriminals use a variety of techniques to drive traffic to the malicious pages under their control. blackhat Search Engine Optimization (SEO) techniques o Attackers host many different web pages, optimized for different search terms, on each web site in a campaign. o Attackers host pages optimized for the same search terms on different web sites in a campaign. o Pages in a campaign often link to each other. SEO kits use semantic cloaking o Exploited web sites respond with completely different content depending on the source of a request.

16 + Search Engine Optimization Gadget Seed: at least one malicious URL that is part of a live SEO campaign. Redirection based cloaking which is mostly used in blackhat SEO campaigns. o Visit the URL three times, with different value. If two or more different landing pages appear, cloaking is detected. Expansion: One cloaked URL will lead to other malicious page from the same campaign.

17 + Domain Registrations Gadget Blacklists are one the most well known techniques to protect against web malware. Domain based blacklists contain domains that are discovered to host malicious content. Seed: all the domains that are known to host malicious pages, and domain registration records which are freely available online. Expansion: extracting and flagging domains of malicious URLs, then creating URLs by taking the closest malicious registered URL and replacing its domain with the one flagged. This gadget does not use the search engines but uses the guided search process when creating the URLs.

18 + DNS Queries Gadget Analyzes recursive DNS traces to identify the domain names of compromised landing pages that are likely to lead to malicious pages. Seed: all domains known to host malicious pages. Expansion: large number of infected pages contain links to a single, malicious page, and that DNS traces (partially) expose these connections.

19 + Effectiveness of EVILSEED There are two key components that measure effectiveness of EVILSEED: Toxicity: fraction of the URLs submitted to the oracles that are malicious. Higher values of toxicity imply that the resources needed to analyze a page are used more efficiently. Expansion: average number of new malicious URLs that EVILSEED finds for each seed. A higher seed expansion indicates that for each malicious seed URL a larger number of malicious URLs are found. There is a trade-off between toxicity and seed expansion.

20 + A Test Run.. EVILSEED ran in parallel with a traditional crawler for 25 days. Malicious URLs found by the crawler, were added to EVILSEED seeds. Oracle used: Wepawet, Google Safe Browsing, Custom fake AV detector. All gadgets were used, except DNS queries gadget ( no access to DNS trace datasets) and domain registrations gadget (not fully developed)

21 + A Test Run.. Assessed against two approaches of finding malicious webpages: o Random Search (Sending queries to search engines). o Traditional crawler with fast prefilter. To generate web queries: o Random alphabetic phrases, composed of 1 to 5 words, of length from 3 to 10 characters (e.g., asdf qwerou ); o Random phrases with words taken from the English dictionary, from 1 to 5 words (e.g., happy cat ); o Trending topics taken from Twitter and Google Hot Trends (e.g., black friday 2011 ); o Manually-generated Google dorks, taken from an online repository (e.g., allinurl:forcedownload.php?file=, which locates vulnerable WordPress sites)

22 + Results EVILSEED: o submitted 226,140 URLs to the oracles,. o 3,036 URLs were found malicious. o toxicity of 1.34%. The Crawler & prefilter: o submitted 437,251 URLs to the oracles,. o 604 URLs were found malicious (these are the URLs we use as seeds for EVILSEED). o toxicity of 0,14%, which is an order of magnitude less than EVILSEED. The web search: o submitted 63,936 URLs to the oracles,. o 219 URLs were found malicious. o toxicity of 0.34%

23 + Results EVILSEED clearly outperforms in toxicity both crawling (1.34% vs. 0.14%) and web searching (1.34% vs. 0.34%). Adding even relatively few new pages to the set of evil seeds enabled EVIL SEED to locate significant numbers of additional malicious pages.

24 + Does EVILSEED find malicious URLs on different domains? EVILSEED: 6.14 malicious pages per domain. Crawler & fast prefilter: 6.16 malicious pages per domain. results show that EVILSEED maintains the same domain coverage as the crawler.

25 + Links Gadget evaluation Three main categories have been used by the link gadgets to locate malicious content: o Unmaintained websites: The gadget found malicious content of such website. o Domains that publish blacklists of malicious domains: the gadget was able to automatically discover and parse these sources. o Domains that list additional info about a domain: for a given domain, it locates: All domain on the same IP. Domain hosted in the same subnet. Domains with similar spelling.

26 + Content Dorks Gadget evaluation The most important factor in the success of this gadget was found to be n, the length of n-grams. Smaller n-grams are usually found in more pages. Toxicity for the results of queries ranged from 1,21% for 2- grams to 5,83% for 5-grams. Shorter n-grams means that more pages will compete for the top spots in the search engine rankings. The first ten most-successful dorks in term of toxicity were five 2-grams and five 3-grams.

27 + SEO Gadget evaluation During the Test run, this gadget performed poorly as its seed at the time it was found, did not belong to a live SEO campaign. Fetched hourly the top trends for Twitter and Google Hot Trends, searched for them on Google, and analyzed the results with our cloaking detection heuristic. Then fed the URLs as seeds to SEO Gadget. The ratio of the malicious pages found over the visited pages is 0,93%, which is two orders of magnitude higher than the crawler (0,019% ).

28 + Domain Registrations Gadget evaluation Domain registrations for the top-level domains.com.,.net.,.org.,.info. and.us were collected over a year s time. Gadget identified malicious URLs on 10, 435 domains using 1, 002 domains as seeds. Hypothesis: Malicious domains are registered close in time to each other. o o Given 1 malicious domain, at least one of the registrations that come immediately before or after it is also malicious. Data collected over the year, showed that these two events are correlated. Which concludes: domains that have been registered immediately before and after a known malicious domain are much more than 35 times likely to also serve malicious content.

29 + DNS Queries Gadget evaluation Testing: Internet Service Provider (ISP) provided access to a DNS trace collected from its network during 43 days in February and March ,472,280 queries sent by 30,000 clients. Trace was made available towards the end of the collection period, which caused a delay between the collection of data and the time when the gadget was run. Seed: 115 known malicious domains from the trace. Expansion: gadget generated 4,820 URLs on 2,473 domains. Result: o o o o o 171 URLs on 62 domains were identified malicious. Only 25 out of the 115 led to finding malicious URLs. The most effective domain guided the gadget to locate 46 malicious URLs on 16 different servers. 21 domains led to multiple malicious URLs The delay explains why no malicious URLs were found for the remaining 90 URLs.

30 + Discussion and Limitations Security analysis: EVILSEED works by searching and finding malicious URLs. o Attacker with full control of an exploited website can hide the pages in which they won t be indexed by search engines. o Attackers could also try to perform evasion attacks against the detection techniques employed by our oracle (Wepawet, our custom fake AV page detector, and the Safe Browsing system). Would attackers go for hiding their pages from search engines? What if we connect EVILSEED to another oracle?

31 + Discussion and Limitations Seed quality: The effectiveness of our gadgets is dependent on the quality and diversity of the malicious seed that they use as input. Results over time: For EVILSEED to be useful, it need a constant stream of high quality URLs rather than exhausting its effect after one or few runs.

32 + Discussion and Limitations Performance and Scalability: The bottleneck of EVILSEED is the cost of performing in depth analysis with an oracle. EVILSEED runs on two servers: o Crawler: gathers millions of URLs. o Gadget: 100k URLs per search engine. Deployment: Search Engines could deploy EVILSEED. This might diminish its effectiveness but it also means that the vectors EVILSEED targets were mitigated.

33 + Conclusion An important component of defense is the ability to identify as many malicious web pages on the Internet as possible in an efficient manner. The goal of EVILSEED was to improve the effectiveness of the search process for malicious web pages by leveraging a seed of known, malicious web pages and extracting characterizing similarities that these pages share.

34 + Thank you..

EVILSEED: A Guided Approach to Finding Malicious Web Pages

EVILSEED: A Guided Approach to Finding Malicious Web Pages 2012 IEEE Symposium on Security and Privacy EVILSEED: A Guided Approach to Finding Malicious Web Pages Luca Invernizzi UC Santa Barbara invernizzi@cs.ucsb.edu Stefano Benvenuti University of Genova ste.benve86@gmail.com

More information

EvilSeed: A Guided Approach to Finding Malicious Web Pages

EvilSeed: A Guided Approach to Finding Malicious Web Pages EvilSeed: A Guided Approach to Finding Malicious Web Pages L. Invernizzi 1 S. Benvenuti 2 M. Cova 3,5 P. Milani Comparetti 4,5 C. Kruegel 1 G. Vigna 1 1 UC Santa Barbara 2 University of Genova 3 University

More information

CS 558 Internet Systems and Technologies

CS 558 Internet Systems and Technologies CS 558 Internet Systems and Technologies Dimitris Deyannis deyannis@csd.uoc.gr 881 Heat seeking Honeypots: Design and Experience Abstract Compromised Web servers are used to perform many malicious activities.

More information

Threat Spotlight: Angler Lurking in the Domain Shadows

Threat Spotlight: Angler Lurking in the Domain Shadows White Paper Threat Spotlight: Angler Lurking in the Domain Shadows Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant

More information

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,

More information

Deciphering and Mitigating Blackhole Spam from Email-borne Threats

Deciphering and Mitigating Blackhole Spam from Email-borne Threats Deciphering and Mitigating Blackhole Spam from Email-borne Threats Samir Patil Symantec Deciphering and Mitigating Blackhole Spam from Email-borne Threats 1 Outline 1 Background 2 Detection Challenges

More information

HackAlert Malware Monitoring

HackAlert Malware Monitoring HackAlert Malware Monitoring Understanding the reselling opportunity for Online Security Services GlobalSign. A GMO Internet Inc group company. Reselling Malware Monitoring The GlobalSign Partner Program

More information

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2 FAQ WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2 WHAT IS UPTIME AND SPEED MONITORING 2 WHEN I TRY TO SELECT A SERVICE FROM

More information

Introduction: 1. Daily 360 Website Scanning for Malware

Introduction: 1. Daily 360 Website Scanning for Malware Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover

More information

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

THREAT VISIBILITY & VULNERABILITY ASSESSMENT THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings

More information

ReadySpace Limited Unit J, 16/F Reason Group Tower, 403-413 Castle PeakRoad, Kwai Chung, N.T.

ReadySpace Limited Unit J, 16/F Reason Group Tower, 403-413 Castle PeakRoad, Kwai Chung, N.T. Reputation and Blacklist Monitoring Basic Professional Business Enterprise Reputation Monitoring Blacklist Monitoring Standard Malware Detection Scan for known Malware Scan for known viruses All pages

More information

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way

More information

How To Create A Spam Detector On A Web Browser

How To Create A Spam Detector On A Web Browser Design and Evaluation of a Real-Time URL Spam Filtering Service Geraldo Franciscani 15 de Maio de 2012 Teacher: Ponnurangam K (PK) Introduction Initial Presentation Monarch is a real-time system for filtering

More information

Web Vulnerability Scanner by Using HTTP Method

Web Vulnerability Scanner by Using HTTP Method Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 9, September 2015,

More information

Basheer Al-Duwairi Jordan University of Science & Technology

Basheer Al-Duwairi Jordan University of Science & Technology Basheer Al-Duwairi Jordan University of Science & Technology Outline Examples of using network measurements /monitoring Example 1: fast flux detection Example 2: DDoS mitigation as a service Future trends

More information

Next Generation IPS and Reputation Services

Next Generation IPS and Reputation Services Next Generation IPS and Reputation Services Richard Stiennon Chief Research Analyst IT-Harvest 2011 IT-Harvest 1 IPS and Reputation Services REPUTATION IS REQUIRED FOR EFFECTIVE IPS Reputation has become

More information

Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware.

Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware. Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware. Fraser Howard & Onur Komili SophosLabs fraser.howard@sophos.com, onur.komili@sophos.com Executive

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

Search engine optimization: Black hat Cloaking Detection technique

Search engine optimization: Black hat Cloaking Detection technique Search engine optimization: Black hat Cloaking Detection technique Patel Trupti 1, Kachhadiya Kajal 2, Panchani Asha 3, Mistry Pooja 4 Shrimad Rajchandra Institute of Management and Computer Application

More information

Domain Name Abuse Detection. Liming Wang

Domain Name Abuse Detection. Liming Wang Domain Name Abuse Detection Liming Wang Outline 1 Domain Name Abuse Work Overview 2 Anti-phishing Research Work 3 Chinese Domain Similarity Detection 4 Other Abuse detection ti 5 System Information 2 Why?

More information

NTT R&D s anti-malware technologies

NTT R&D s anti-malware technologies NTT R&D s anti-malware technologies Jan. 21, 2015 NTT Secure Platform Laboratories Takeo HARIU Threats causes most of cyber attacks Major infection routes are web browsing, URL links in email messages,

More information

User Documentation Web Traffic Security. University of Stavanger

User Documentation Web Traffic Security. University of Stavanger User Documentation Web Traffic Security University of Stavanger Table of content User Documentation... 1 Web Traffic Security... 1 University of Stavanger... 1 UiS Web Traffic Security... 3 Background...

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages

Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages Gianluca Stringhini, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara {gianluca, chris, vigna}@cs.ucsb.edu

More information

Don DeBolt and Kiran Bandla 29 September 2010

Don DeBolt and Kiran Bandla 29 September 2010 BlackHat SEO: Abusing Google Trends to Serve Malware Don DeBolt and Kiran Bandla 29 September 2010 Agenda BlackHat SEO Logic and Components Background Research Methodology Findings Conclusion Logic flow

More information

FIRST WORKING DRAFT FOR PUBLIC COMMENT. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports.

FIRST WORKING DRAFT FOR PUBLIC COMMENT. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports Introduction Malware poses a serious threat to the open Internet; a large and growing share of malware is distributed

More information

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling White Paper As spam continues to evolve, Barracuda Networks remains committed to providing the highest level of protection

More information

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA Email {wei.xu, ksanders, yzhang}@ paloaltonetworks.com ABSTRACT Malicious domains

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

THE OPEN UNIVERSITY OF TANZANIA

THE OPEN UNIVERSITY OF TANZANIA THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather

More information

How Attackers are Targeting Your Mobile Devices. Wade Williamson

How Attackers are Targeting Your Mobile Devices. Wade Williamson How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best

More information

We Know It Before You Do: Predicting Malicious Domains

We Know It Before You Do: Predicting Malicious Domains We Know It Before You Do: Predicting Malicious Domains Abstract Malicious domains play an important role in many attack schemes. From distributing malware to hosting command and control (C&C) servers and

More information

Shellshock. Oz Elisyan & Maxim Zavodchik

Shellshock. Oz Elisyan & Maxim Zavodchik Shellshock By Oz Elisyan & Maxim Zavodchik INTRODUCTION Once a high profile vulnerability is released to the public, there will be a lot of people who will use the opportunity to take advantage on vulnerable

More information

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains TECHNICAL REPORT An Analysis of Domain Silver, Inc..pl Domains July 31, 2013 CONTENTS Contents 1 Introduction 2 2 Registry, registrar and registrant 3 2.1 Rogue registrar..................................

More information

SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015

SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015 SPAM, VIRUSES AND PHISHING, OH MY! Michael Starks, CISSP, CISA ISSA Fellow 10/08/2015 The Usual Players Indebtedness for driving on toll road Transaction receipts Notice to appear Major and Emerging Trends

More information

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery

More information

APPLICATION PROGRAMMING INTERFACE

APPLICATION PROGRAMMING INTERFACE DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With

More information

An analysis of exploitation behaviors on the web and the role of web hosting providers in detecting them

An analysis of exploitation behaviors on the web and the role of web hosting providers in detecting them An analysis of exploitation behaviors on the web and the role of web hosting providers in detecting them Davide Canali, Davide Balzarotti Aurélien Francillon Software and System Security Group EURECOM,

More information

Whose IP Is It Anyways: Tales of IP Reputation Failures

Whose IP Is It Anyways: Tales of IP Reputation Failures Whose IP Is It Anyways: Tales of IP Reputation Failures SESSION ID: SPO-T07 Michael Hamelin Lead X-Force Security Architect IBM Security Systems @HackerJoe What is reputation? 2 House banners tell a story

More information

Hope for the best, prepare for the worst:

Hope for the best, prepare for the worst: Hope for the best, prepare for the worst: Why your customers will demand self-service back-up Presented by Ridley Ruth, COO 2014 a record year for hacking! 100K+ WordPress sites infected by mysterious

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

SOLUTIONS FOR TOMORROW

SOLUTIONS FOR TOMORROW SEO, or Search Engine Optimization, is the proactive practice of optimizing a web site based on a targeted keyword strategy by improving internal and external factors in order to increase the traffic a

More information

Network Monitoring using MMT:

Network Monitoring using MMT: Network Monitoring using MMT: An application based on the User-Agent field in HTTP headers Vinh Hoa LA Ɨ Raul FUENTES Ɨ PhD Student Prof. Ana CAVALLI Ɨ Ƭ Supervisor Ɨ Telecom SudParis, IMT Ƭ Montimage

More information

10 Things Every Web Application Firewall Should Provide Share this ebook

10 Things Every Web Application Firewall Should Provide Share this ebook The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security

More information

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling As spam continues to evolve, Barracuda Networks remains committed to providing the highest level of protection

More information

Endpoint Threat Detection without the Pain

Endpoint Threat Detection without the Pain WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

Using big data analytics to identify malicious content: a case study on spam emails

Using big data analytics to identify malicious content: a case study on spam emails Using big data analytics to identify malicious content: a case study on spam emails Mamoun Alazab & Roderic Broadhurst Mamoun.alazab@anu.edu.au http://cybercrime.anu.edu.au 2 Outline Background Cybercrime

More information

So today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02)

So today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02) Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #39 Search Engines and Web Crawler :: Part 2 So today we

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate

More information

Enterprise-Grade Security from the Cloud

Enterprise-Grade Security from the Cloud Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security

More information

The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection

The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection Trend Micro, Incorporated Marco Dela Vega and Norman Ingal Threat Response Engineers A Trend Micro Research Paper I November

More information

Juice: A Longitudinal Study of an SEO Campaign. David Y. Wang, Stefan Savage, and Geoffrey M. Voelker University of California, San Diego

Juice: A Longitudinal Study of an SEO Campaign. David Y. Wang, Stefan Savage, and Geoffrey M. Voelker University of California, San Diego Juice: A Longitudinal Study of an SEO Campaign David Y. Wang, Stefan Savage, and Geoffrey M. Voelker University of California, San Diego 1 Background A Black Hat Search Engine Optimization (SEO) campaign

More information

Actionable information for security incident response

Actionable information for security incident response Actionable information for security incident response Cosmin Ciobanu 2015 European Union Agency for Network and Information Security www.enisa.europa.eu European Union Agency for Network and Information

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

OPTIMIZATION SEARCH ENGINE WHAT IS SEO? www.databerry.com (855) 350.0707 email: sales@databerry.com

OPTIMIZATION SEARCH ENGINE WHAT IS SEO? www.databerry.com (855) 350.0707 email: sales@databerry.com SEARCH ENGINE OPTIMIZATION WHAT IS SEO? SEO SERVICES Keyword & Competition Analysis Website Optimization On-going Optimization KEYWORD ANALYSIS Traffic Analysis Competitive Analysis Ranking Analysis Site

More information

Protection, Usability and Improvements in Reflected XSS Filters

Protection, Usability and Improvements in Reflected XSS Filters Protection, Usability and Improvements in Reflected XSS Filters Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University May 2, 2012 1 / 19 Riccardo Pelizzi Improvements

More information

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS/DHCP servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate

More information

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM May 2015 Nguyễn Tiến Đức ASEAN Security Specialist Agenda Modern Malware: State of the Industry Dynamic Threat Intelligence on the Firewall

More information

Don t scan, just ask A new approach of identifying vulnerable web applications. 28th Chaos Communication Congress, 12/28/11 - Berlin

Don t scan, just ask A new approach of identifying vulnerable web applications. 28th Chaos Communication Congress, 12/28/11 - Berlin Don t scan, just ask A new approach of identifying vulnerable web applications Summary It s about identifying web applications and systems Classical network reconnaissance techniques mostly rely on technical

More information

Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections

Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections Zhou Li, Sumayah Alrwais, XiaoFeng Wang, Eihal Alowaisheq Indiana University at Bloomington RSA Laboratories Abstract

More information

Web Client Attacks. Scribed by Gelareh Taban. April 21, 2008. 1 Web Server Attacks continued

Web Client Attacks. Scribed by Gelareh Taban. April 21, 2008. 1 Web Server Attacks continued Web Client Attacks Scribed by Gelareh Taban April 21, 2008 1 Web Server Attacks continued We first conclude our discussion of detection of web server attacks from the previous lecture, which focused on

More information

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent

More information

Domain Footprinting for Web Applications and Web Services

Domain Footprinting for Web Applications and Web Services Domain Footprinting for Web Applications and Web Services Abstract A wide array of services, from banking and finance transactions to auctions and ticket reservations, are being offered to customers online.

More information

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version 8.1.0 and earlier

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version 8.1.0 and earlier Application Note TrustedSource in McAfee Firewall Enterprise McAfee version 8.1.0 and earlier Firewall Enterprise This document uses a question and answer format to explain the TrustedSource reputation

More information

WHITE PAPER. Using DNS RPZ to Protect Against Web Threats SPON. Published June 2015 SPONSORED BY. An Osterman Research White Paper.

WHITE PAPER. Using DNS RPZ to Protect Against Web Threats SPON. Published June 2015 SPONSORED BY. An Osterman Research White Paper. WHITE PAPER Using DNS RPZ to Protect An Osterman Research White Paper Published June 2015 SPONSORED BY SPON sponsored by sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058

More information

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security Foreword p. xvii Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security Information to Management p. 5 Example of an

More information

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen Eldad Chai, VP Product Incapsula Application Delivery from the Cloud 2 DDoS 101 ISP Network Devices Web servers Applications

More information

Wie Cyber-Kriminelle IT-Security Systeme umgehen. Andreas Maar Senior Security Engineer

Wie Cyber-Kriminelle IT-Security Systeme umgehen. Andreas Maar Senior Security Engineer Wie Cyber-Kriminelle IT-Security Systeme umgehen Andreas Maar Senior Security Engineer Stonesoft in brief Global Solution provider World-class Customer Support Track record of technology innovation Average

More information

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW Jürgen Seitz Systems Engineering Manager Evolution of Network Security Next-Gen Firewall Application Visibility and Control User-based

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Product Summary: The Infoblox Secure DNS Solution mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate queries.

More information

Putting Web Threat Protection and Content Filtering in the Cloud

Putting Web Threat Protection and Content Filtering in the Cloud Putting Web Threat Protection and Content Filtering in the Cloud Why secure web gateways belong in the cloud and not on appliances Contents The Cloud Can Lower Costs Can It Improve Security Too?. 1 The

More information

Content Security: Protect Your Network with Five Must-Haves

Content Security: Protect Your Network with Five Must-Haves White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as

More information

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks TLP: GREEN Issue Date: 1.12.16 Threat Advisory: Continuous Uptick in SEO Attacks Risk Factor High The Akamai Threat Research Team has identified a highly sophisticated Search Engine Optimization (SEO)

More information

Cisco Protects Internal Infrastructure from Web-Based Threats

Cisco Protects Internal Infrastructure from Web-Based Threats Cisco IT Case Study Cisco Protects Internal Infrastructure from Web-Based Threats Cisco IT Case Study / Security / IronPort S670 Web Security Appliance: Cisco is working to become a borderless enterprise,

More information

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents

More information

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management Scanless Vulnerability Assessment A Next-Generation Approach to Vulnerability Management WHITEPAPER Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network

More information

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor

More information

SiteLock SECURE Partner Program FAQ

SiteLock SECURE Partner Program FAQ SiteLock SECURE Partner Program FAQ Industry-leading website and business reputation protection for your valued customers Why should I become a SECURE Reseller? There have never been more threats to website

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

Bad Ads Spotlight: Ad Cloaking Abuses. May 2015. TrustInAds.org. Keeping people safe from bad online ads

Bad Ads Spotlight: Ad Cloaking Abuses. May 2015. TrustInAds.org. Keeping people safe from bad online ads Bad Ads Spotlight: Ad Cloaking Abuses May 2015 TrustInAds.org Keeping people safe from bad online ads OVERVIEW Online advertising platforms use a number of technologies to ensure the right content is shown

More information

Application Security Backgrounder

Application Security Backgrounder Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

More information

Best Practices Top 10: Keep your e-marketing safe from threats

Best Practices Top 10: Keep your e-marketing safe from threats Best Practices Top 10: Keep your e-marketing safe from threats Months of work on a marketing campaign can go down the drain in a matter of minutes thanks to an unforeseen vulnerability on your campaign

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Zscaler Internet Security Frequently Asked Questions

Zscaler Internet Security Frequently Asked Questions Zscaler Internet Security Frequently Asked Questions 1 Technical FAQ PRODUCT LICENSING & PRICING How is Zscaler Internet Security Zscaler Internet Security is licensed on number of Cradlepoint devices

More information

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch

More information

Advanced Persistent Threats

Advanced Persistent Threats White Paper INTRODUCTION Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of (APTs) have increased. APTs, which

More information

Doyourwebsitebot defensesaddressthe changingthreat landscape?

Doyourwebsitebot defensesaddressthe changingthreat landscape? WHITEPAPER Doyourwebsitebot defensesaddressthe changingthreat landscape? Don tletbotsturnaminorincident intoamegasecuritybreach 1.866.423.0606 Executive Summary The website security threat landscape has

More information

Anatomy of Comment Spam

Anatomy of Comment Spam Hacker Intelligence Initiative Anatomy of Comment Spam 1. Executive Summary Spam is defined as irrelevant or unsolicited messages sent over the Internet, typically to large numbers of users, for the purposes

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Be Prepared for Java Zero-day Attacks

Be Prepared for Java Zero-day Attacks Threat Report Be Prepared for Java Zero-day Attacks Malware Analysis: Malicious Codes spread via cloud-based data storage services December 19, 2013 Content Overview... 3 Distributing Malicious E-mails

More information

Secure Web Gateways Buyer s Guide >

Secure Web Gateways Buyer s Guide > White Paper Secure Web Gateways Buyer s Guide > (Abbreviated Version) The web is the number one source for malware distribution. With more than 2 million 1 new pages added every day and 10,000 new malicious

More information