Dr. Paul Judge Chief Research Officer Barracuda Networks The State of Internet Security: Web Attacks Take Over


Post on 16-Dec-2015



Half of The Spam Disappeared

[Chart: x-axis 1 to 12, y-axis 20,000,000,000 to 55,000,000,000; data labels "52 Billion" and "26 Billion"; year 2010]


5 Innovations That Caused Security Gaps

Habits of Effective Hackers


Five Innovations That Created Security Risks


1. Rapid Growth

• One new domain each second
• 196 million domain names
• 47 million new sites last year

Source: Verisign


2. Dynamic Web Apps: AJAX

• Rich site-to-browser interaction
• Browser is the new operating system
• Browser is active in the application, not simply a passive display tool


3. User-Generated Content

• Half of Top 100 sites based on UGC

• 500 million users on Facebook

• 100 million accounts on Twitter

• 2.5 billion photos uploaded each month to Facebook

• 30 million new ads per day on Craigslist


4. Remote Employees

• 20% of the workforce works remotely
• 1 in 11 organizations had remote workers infected
• 46% of remote infections come from infected Web sites


5. New Devices

• Smartphone and tablet computing blur the line between personal and business computing
• Companies must reconsider policies for devices that are not owned by the company


Habits Of Effective Hackers


1. Malicious Javascript

(Four Habits Of Effective Hackers)


Malvertising

• USAToday.com ad network compromised (idatrinity.com)
• Visitors served malicious javascript bundled with ad for Roxio Creator 2009
• Automatically directed users to Rogue AV Web site (antivirusquickscanv1.com) through malicious traffic distribution system (liveavantbrowser2.cn)


Exploited Site (1 of 4)


Exploited Site (2 of 4)

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg


Exploited Site (3 of 4)


Exploited Site (4 of 4)

hxxp://qxfcuc.info/f.cgi?jzo

The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).

The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to "Send a message to ICQ #559156803; stats available under ststst02."


Barracuda Labs Technology: Malicious Javascript Detector (MJD)

– Place content in a virtual browser environment
– Perform behavioral analysis of javascript to determine its intentions

Proxy


2. Search Engine Malware

(Four Habits Of Effective Hackers)


Search Volumes

• 88,000,000,000 Per Month On Google Sites

• 24,000,000,000 Per Month On Twitter

• 9,400,000,000 Per Month On Yahoo Sites

• 4,100,000,000 Per Month On Microsoft Sites

Sources: comScore, Twitter


Barracuda Labs Technology: Search Engine Malware Crawler

• Get Popular Search Terms Hourly
• Search for Those Terms
• Retrieve the Set of Search Results
• Retrieve the Web Sites for the results
• Analyze the Sites for Malicious Code
• Add Malicious Sites to Barracuda SPYDEF list


Data Set

4 Search Engines (Bing, Google, Twitter, Yahoo)

153 Days

157,154 Popular Topics

36,972,206 Search Results


Frequency of Search Engine Malware

• 34,627 malware samples found
• 1 in 1000 search results lead to malware
• 1 in 5 search topics lead to malware


Total Malware by Search Engine

• Google: 38%
• Yahoo: 30%
• Bing: 24%
• Twitter: 8%


Lebron James


Search Engine Malware (1 of 4)


Search Engine Malware (2 of 4)


Search Engine Malware (3 of 4)


Search Engine Malware (4 of 4)


Barracuda Labs Technology: Maltrace: Malware Analysis w. Virtualization

• Collect thousands of malware samples daily from honeypot network
• Load samples into Maltrace
• Maltrace allows the malware to run on a virtual PC
• Maltrace collects the network traffic generated
• Maltrace creates signatures based on malicious traffic
• Adds the signatures to URL, IP and fingerprint databases


3. Social Attacks

(Four Habits Of Effective Hackers)


Facebook Social Attacks


Photo ‘Tags’ Up To 50 People


Website Selling Fake Illegal Shoes


Automated Social Engineering


Malicious Facebook Apps


Likejacking


Twitter – Trending Topics (Step 1 of 3)


Twitter – Trending Topics (Step 2 of 3)

hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54

which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

hxxp://my-systemscan.com/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D

hxxp://my-newprotection.net/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D

hxxp://trustsystem-protection.com/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D


Twitter – Trending Topics (step 3 of 3)


Barracuda Labs Technology: Twitter Reputation System

• Process Twitter Public Stream
• Query Twitter User Database for Other Users
• Analyze Users’ Activities
• Analyze Web Links
• Add Malicious Sites to Barracuda SPYDEF list


Twitter Growth

Red Carpet Era: November 2008 – April 2009

• 54% of the Top 50 Twitter users joined

• Growth rate increased tenfold from 2% in Nov 08 to 21% in April 09


Twitter Crime Rate

• 2006 = 1.2%
• 2007 = 1.7%
• 2008 = 2.2%

Red Carpet Era:

During: Increased 66%
• 2.0% to 3.4% Crime Rate

Four months later: Increased 350%
• 12% Crime Rate in Oct 2009

Twitter Crime Rate: the number of accounts per hundred created during a particular period of time that are suspended


4. Web Exploit Kits

(Four Habits Of Effective Hackers)


Web Exploit Kit Overview

– Most exploits served by exploit kits (ready-made tools sold/used by criminals to attack vulnerable software components)
– Many exploit sites, but few exploit kit types
  – a handful of kit types comprise the majority of exploit sites
– Examples
  • LuckySploit, Fragus, UniquePack, NucPack
  • Tornado, Fiesta, IcePack, FirePack, MPack


Barracuda Labs Technology: Exploit Kit Detector (EKD)

– Leverage the many-to-few relationship between exploit sites and exploit kit types
  • Focus on the handful of kit types that correspond to the majority of exploit sites
– Use information invariant to these kits to detect instances of them in a site-independent fashion

Proxy
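
The site-independent idea on this slide can be illustrated with a host-independent URL fingerprint, modelled on the Rogue AV distribution URLs earlier in the deck, which carry one identical `p=` value on three different domains. This is an added example, not Barracuda's EKD or code from the deck; the sample URLs, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

MIN_TOKEN_LEN = 24   # assumption: shorter values are ordinary ids, not campaign tokens
MIN_HOSTS = 3        # assumption: flag a fingerprint seen on this many distinct hosts

# Constructed observations (defanged, reserved .example hosts); not from the deck.
SAMPLE_URLS = [
    "hxxp://scan-a.example/?p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo%3D",
    "hxxp://scan-b.example/?p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo%3D",
    "hxxp://scan-c.example/?p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo%3D",
    "hxxp://news.example/story?id=42",
    "hxxp://shop.example/story?id=42",
    "hxxp://blog.example/f.cgi?jzo",
]

def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return "http" + url[4:] if url[:4].lower() == "hxxp" else url

def fingerprint(url):
    """Return (host, fingerprint); the fingerprint ignores the host entirely.

    Short parameter values are wildcarded so that ordinary pages sharing a
    common layout (story?id=42) do not look like one campaign.
    """
    parts = urlsplit(refang(url))
    params = tuple(sorted(
        (name, value if len(value) >= MIN_TOKEN_LEN else "*")
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ))
    return (parts.hostname or ""), (parts.path or "/", params)

def cross_host_clusters(urls, min_hosts=MIN_HOSTS):
    """Group URLs by fingerprint and keep those reused across many hosts."""
    hosts_by_fp = defaultdict(set)
    for url in urls:
        host, fp = fingerprint(url)
        # Only fingerprints that carry at least one long token are candidates.
        if any(value != "*" for _, value in fp[1]):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for (path, params), hosts in cross_host_clusters(SAMPLE_URLS).items():
        print(path, [name for name, _ in params], "->", hosts)
```

A hit here is a lead for analysis rather than a verdict: legitimate services also reuse long tokens across hosts, so the cluster should feed content inspection before anything is blocklisted.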


Summary


Who Is Behind This?


The World's Greatest Spammers: Where are they now?

Alan Ralsky
• ‘Godfather of Spam’
• 70 million emails per day
• #1 of top spammers list
• $3 Million profit summer 2005 in pump and dump Chinese penny stocks
• 2005 FBI raid and investigation
• 2009: Sentenced to 51 months in Federal prison

Scott Richter
• ‘King of Spam’
• 100 million emails per day
• #2 and #9 of top spammers list
• Over 40,000 ‘Iraq Most Wanted’ card decks sold before printed
• 2003 New York Attorney General lawsuit
• 2006 Microsoft lawsuit
• 2008 Myspace lawsuit
• 2009: Founded “Lunatic Games”, a social gaming company


Barracuda Labs Threat Intelligence


Barracuda Labs Resources

• Web Sites and Reports
  – www.Barracuda.com
  – www.BarracudaLabs.com
  – www.BarracudaCentral.org
  – www.TweetBrawl.com
  – www.TweetGrade.com
  – Barracuda Labs Annual Threat Report
• Contact
  – Twitter: @Barracuda, @BarracudaLabs
  – Paul Judge, Chief Research Officer
    • [email protected]
    • Twitter: @PaulJudge


Barracuda Web Application Firewall

[Diagram labels: Servers, Barracuda Web Application Firewalls, Remote Users, Teleworkers]

• SSL Acceleration, Pipelining, Caching, Compression, Load Balancing
• OWASP protection, Virus scanning, Data leakage, Cloaking, XML Firewall


Barracuda Web Security Flex

• Cloud-based content filtering and malware protection
• On-network appliances when needed for local enforcement
• Remote and mobile filtering
• Centralized multi-site management and reporting
• Unlimited deployment flexibility