IBM X-Force® 2012 Cyber Security Threat Landscape
Michael Montecillo – IBM Security Services Threat Research and Intelligence Principal
August 2012
© 2009 IBM Corporation
Building a smarter planet
IBM X-Force web intelligence lifecycle
Develop Protection
Deliver Updates
Apply Updates
Monitor Browsing of:
- Millions of end-users
- Thousands of Customers
- Hundreds of Countries
Block Malicious Links
Send Links to X-Force
Deep Crawl of Known Malicious Websites
Analyze New Exploit Techniques
Provide New Protection Guidance
Classify MSS Links
Find Related Websites (Deep Crawl)
Search for Malware
Find New Malicious Websites
Block All Malicious Domains
X-Force Research
The mission of the IBM X-Force® research and development team is to:
Research and evaluate threat and protection issues
Deliver security protection for today’s security problems
Develop new technology for tomorrow’s security challenges
Educate the media and user communities
14B analyzed Web pages & images
40M spam & phishing attacks
75K documented vulnerabilities
13B security events daily
Provides specific analysis of:
– Vulnerabilities & exploits
– Malicious/unwanted websites
– Spam and phishing
– Malware
– Other emerging trends
2011 Year of the Security Breach
Who is attacking our networks?
SQL injection attacks against web servers
Shell Command Injection attacks
SSH brute force activity
Explosion of phishing-based malware distribution and click fraud
Anonymous proxies on the rise
Approximately 4 times more anonymous proxies than seen 3 years ago
Some used to hide attacks, others to evade censorship
Signature detects situations where clients are attempting to access websites through a chain of HTTP proxies
Could represent:
– legitimate (paranoid) web surfing
– attackers obfuscating the source address of attacks launched against web servers
Vulnerability disclosures down in 2011
Total number of vulnerabilities decline — but it’s cyclical
– We have witnessed a two year, high-low cycle in vulnerability disclosures since 2006
Public exploit disclosures
Total number of exploit releases down to a number not seen since 2006
– Also down as a percentage of vulnerabilities
Better Patching
Decline in web application vulnerabilities
In 2011, 41% of security vulnerabilities affected web applications
– Down from 49% in 2010
– Lowest percentage seen since 2005
Many major operations have important security blind spots
IBM scanned 678 websites – Fortune 500 & 178 popular sites
40% contain client-side JavaScript vulnerabilities
Third party code is primary culprit
Mobile OS vulnerabilities & exploits
Continued interest in Mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace
Attackers finding these devices represent lucrative new attack opportunities
Zeus Crimeware Service
“Hosting for costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up ZeuS panel/configured binary.”
Mobile OS vulnerabilities & exploits
Connect with IBM X-Force research & development
Follow us at @ibmsecurity and @ibmxforce
Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce
Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
Attend in-person events: http://www.ibm.com/events/calendar/
Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com
Blackhole Crimeware
Blackhole Exploit Kit
• First appeared in August 2007
• Advertised as a “Systems for Network Testing”
• Protects itself with blacklists and integrated antivirus
• Comes in Russian or English
• Currently the most purchased exploit pack
Flexible Pricing Plan
• Purchase
  – $1500/annual
  – $1000/semi-annual
  – $700/quarterly
• Lease
  – $50/24 hours
  – $200/1 week
  – $300/2 weeks
  – $400/3 weeks
  – $500/month
*($35 domain name change fee if necessary)
Blackhole Crimeware – Sample
Discovery: 15 June 2012
Site: Passionforstudy.com
Host: hosted-by.krhosting.biz
ASN: 58182
Blackhole Crimeware – Sample (Problems)
Your AV will not like this. This will trigger alerts in your IPS:
– Snort
  • “Possible Request for Blackhole Exploit Kit Landing Page”
  • “DRIVEBY Blackhole - Landing Page Received - applet and flowbit”
– ISS
  • Blackhole-exploit-kit-detected
  • The several attack vectors
Blackhole Crimeware – IPS Alert
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;)
What you need to recognize:
– Looking for a URI with the following regular expression
  • pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U";
– Looking for a content and flowbit
  • “<applet”
  • isset,et.exploitkitlanding
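The two checks the slide describes, re-implemented as an added example (not IBM's code nor the Emerging Threats rule itself) so the regex and the flowbit dependency can be exercised over sample traffic. The regex and the flowbit name come from the slide; the record format, flow ids, sample transactions and the assumption that the URI check is what sets the flowbit are constructed here.

```python
"""Added example: the src.php?case= URI regex (sid 2014725) and the
'<applet' plus flowbit check from the slide, run over constructed HTTP
transactions. Record format, flow ids and sample data are made up."""
import re
from dataclasses import dataclass, field

# Python form of pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U" (\x2F '/',
# \x2E '.', \x3F '?', \x3D '='); the U modifier means "match the URI only".
LANDING_URI = re.compile(r"/src\.php\?case=[a-f0-9]{16}$")

@dataclass
class Flow:
    """One client/server HTTP flow; a real IPS keys this on the 5-tuple."""
    flow_id: str
    flowbits: set = field(default_factory=set)

def check_request(flow, uri):
    """Check 1: request URI matches the landing-page regex. We also set
    the et.exploitkitlanding flowbit that check 2 tests (assumed linkage;
    the rule text on the slide does not show its flowbits option)."""
    if LANDING_URI.search(uri):
        flow.flowbits.add("et.exploitkitlanding")
        return "Possible Request for Blackhole Exploit Kit Landing Page"
    return None

def check_response(flow, body):
    """Check 2: '<applet' in the response AND flowbit isset, so an applet
    tag alone never alerts; only one served on a suspected landing fetch."""
    if "<applet" in body and "et.exploitkitlanding" in flow.flowbits:
        return "DRIVEBY Blackhole - Landing Page Received - applet and flowbit"
    return None

def run(transactions):
    """transactions: (flow_id, request_uri, response_body) tuples.
    Returns the list of (flow_id, alert message) pairs raised."""
    flows, alerts = {}, []
    for flow_id, uri, body in transactions:
        flow = flows.setdefault(flow_id, Flow(flow_id))
        for alert in (check_request(flow, uri), check_response(flow, body)):
            if alert:
                alerts.append((flow_id, alert))
    return alerts

# Constructed sample traffic, not a capture: f1 trips both checks, f2 has
# an applet but a non-matching URI, f3 uses upper-case hex (no match).
SAMPLE = [
    ("f1", "/src.php?case=0123456789abcdef", "<html><applet code='a.class'>"),
    ("f2", "/index.php?case=0123456789abcdef", "<html><applet code='a.class'>"),
    ("f3", "/src.php?case=0123456789ABCDEF", "<html>hello</html>"),
]
```

Running `run(SAMPLE)` shows why the flowbit matters: the applet in flow f2 is ignored because its request never matched, and f3 is missed entirely because the character class is lower-case only.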
Blackhole Crimeware – Exploits
– CVE-2012-0507 (Java)
– CVE 20120-1423 (Java)
– CVE-2010-0886 (Java)
– CVE-20120-0842 (Java)
– CVE-2010-0840 (Java)
– CVE-2010-1885
– CVE-2010-1423
– CVE-2009-1671 (Java)
– CVE-2009-0927 (Adobe Reader)
– CVE-2008-2992 (Adobe Reader)
– CVE-2007-5659 (Adobe Reader)
– CVE-2006-0003 (IE MDAC)
Blackhole Crimeware – A Look at the Attack
Blackhole Crimeware – Exploit Breakdown
Source: http://www.ic3.gov/media/2012/120420.aspx
*It is estimated 60% of Java users have not yet patched CVE-2012-0507
Source: http://www.infosecisland.com/blogview/21118-IC3-Blackhole-Exploit-Kit-123-Released.html
The drive-by-download process
– Desktop users browse the Internet
– Web server with embedded iframe
– Malicious iframe host
– Exploit material served
– Web browser targeted
– Downloader installed
– Malware installed and activated
Michael Montecillo – Twitter: @Montejam (FOLLOW ME!)