IBM X-Force ® 2012 Cyber Security Threat Landscape Michael Montecillo – IBM Security Services Threat Research and Intelligence Principal August 2012


Page 2: IBM X-Force web intelligence lifecycle

Develop Protection

Deliver Updates

Apply Updates

Monitor Browsing of:

- Millions of End-users

- Thousands of Customers

- Hundreds of Countries

Block Malicious Links

Send Links to X-Force

Deep Crawl of Known Malicious Websites

Analyze New Exploit Techniques

Provide New Protection Guidance

Classify MSS Links

Find Related Websites (Deep Crawl)

Search for Malware

Find New Malicious Websites

Block All Malicious Domains

Page 3: X-Force Research

The mission of the IBM X-Force® research and development team is to:

Research and evaluate threat and protection issues

Deliver security protection for today’s security problems

Develop new technology for tomorrow’s security challenges

Educate the media and user communities

X-Force Research

14B analyzed Web pages & images

40M spam & phishing attacks

75K documented vulnerabilities

13B security events daily

Provides Specific Analysis of:

- Vulnerabilities & exploits
- Malicious/Unwanted websites
- Spam and phishing
- Malware
- Other emerging trends

Page 4: 2011 Year of the Security Breach

Page 5: Who is attacking our networks?

Page 6: SQL injection attacks against web servers

Page 7: Shell Command Injection attacks

Page 8: SSH brute force activity

Page 9: Explosion of phishing based malware distribution and click fraud

Page 10: Anonymous proxies on the rise

Approximately 4 times more anonymous proxies than seen 3 years ago

Some used to hide attacks, others to evade censorship

Signature detects situations where clients are attempting to access websites through a chain of HTTP proxies

Could represent:

– legitimate (paranoid) web surfing
– attackers obfuscating the source address of launched attacks against web servers

Page 11: Vulnerability disclosures down in 2011

Total number of vulnerabilities decline — but it’s cyclical

– We have witnessed a two year, high-low cycle in vulnerability disclosures since 2006

Page 12: Public exploit disclosures

Total number of exploit releases down to a number not seen since 2006

– Also down as a percentage of vulnerabilities

Page 13: Better Patching

Page 14: Decline in web application vulnerabilities

In 2011, 41% of security vulnerabilities affected web applications

– Down from 49% in 2010
– Lowest percentage seen since 2005

Page 15: Many major operations have important security blindspots

IBM scanned 678 websites – Fortune 500 & 178 popular sites

40% contain client-side JavaScript vulnerabilities

Third party code is primary culprit

Page 16: Mobile OS vulnerabilities & exploits

Continued interest in Mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace

Attackers finding these devices represent lucrative new attack opportunities


Page 17: Zeus Crimeware Service

Hosting for costs $50 for 3 months. This includes the following:

# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit

We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary


Page 18: Mobile OS vulnerabilities & exploits

Page 19: Connect with IBM X-Force research & development

Follow us at @ibmsecurity and @ibmxforce

Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce

Subscribe to the security channel for latest security videos: www.youtube.com/ibmsecuritysolutions

Attend in-person events: http://www.ibm.com/events/calendar/

Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php

Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com

Page 20: Blackhole Crimeware

Blackhole Exploit Kit

• First appeared in August 2007
• Advertised as a “Systems for Network Testing”
• Protects itself with blacklists and integrated antivirus
• Comes in Russian or English
• Currently the most purchased exploit pack

Flexible Pricing Plan

• Purchase
  • $1500/annual
  • $1000/semi-annual
  • $700/quarterly
• Lease
  • $50/24 hours
  • $200/1 week
  • $300/2 weeks
  • $400/3 weeks
  • $500/month

*($35 domain name change fee if necessary)


Page 21: Blackhole Crimeware - Sample

Discovery: 15 June 2012
Site: Passionforstudy.com
Host: hosted-by.krhosting.biz
ASN: 58182

Page 22: Blackhole Crimeware – Sample (Problems)

Your AV will not like this. This will trigger alerts in your IPS

– Snort
  • “Possible Request for Blackhole Exploit Kit Landing Page”
  • “DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit”
– ISS
  • Blackhole-exploit-kit-detected
  • The several attack vectors

Page 23: Blackhole Crimeware – IPS Alert

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;)

What you need to recognize:

– Looking for a URI with the following regular expression
  • pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U";
– Looking for a content and flowbit
  • “<applet”
  • isset,et.exploitkitlanding
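The URI test from the rule above, applied to web proxy log lines for retrospective hunting. This is an added example, not part of the original slides. The log format, the 10.0.0.0/8 stand-in for $HOME_NET, the landing.example host and the use of percent-decoding to approximate the /U normalized URI buffer are all assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# The rule's pcre, written without the \x escapes: 16 lowercase hex chars at end of URI.
LANDING_RE = re.compile(r"/src\.php\?case=[a-f0-9]{16}$")
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: stands in for $HOME_NET


def normalized_uri(url):
    """Path plus query, percent-decoded (approximates the /U normalized URI buffer)."""
    parts = urlsplit(url)
    raw = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(raw)


def is_landing_request(client_ip, url):
    """True when an internal client requests a URI the rule would alert on."""
    if ipaddress.ip_address(client_ip) not in HOME_NET:
        return False  # the rule only covers $HOME_NET -> $EXTERNAL_NET traffic
    uri = normalized_uri(url)
    # The literal content match is the cheap pre-filter; the regex then
    # enforces the exact token length, case and end-of-URI anchor.
    return "/src.php?case=" in uri and LANDING_RE.search(uri) is not None


def scan(log_lines):
    """Return (client_ip, url) for every log line that matches."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that are not in the assumed format
        _ts, client_ip, _method, url = fields
        if is_landing_request(client_ip, url):
            hits.append((client_ip, url))
    return hits


# Constructed sample lines (timestamp, client, method, URL); hosts are placeholders.
SAMPLE_LOG = [
    "2012-06-15T10:01:02 10.1.2.3 GET http://landing.example/src.php?case=0123456789abcdef",
    "2012-06-15T10:01:05 10.1.2.4 GET http://landing.example/src.php?case=0123456789ABCDEF",
    "2012-06-15T10:01:09 10.1.2.5 GET http://landing.example/src.php?case=0123456789abcde",
    "2012-06-15T10:01:12 10.1.2.6 GET http://landing.example/src.php?case=0123456789abcdef&x=1",
    "2012-06-15T10:01:15 10.1.2.7 GET http://landing.example/%73rc.php?case=fedcba9876543210",
    "2012-06-15T10:01:20 203.0.113.9 GET http://landing.example/src.php?case=0123456789abcdef",
]

if __name__ == "__main__":
    for ip, url in scan(SAMPLE_LOG):
        print(ip, url)
```

Only the first and fifth sample lines are flagged: uppercase hex, a 15-character token, a trailing extra parameter and an external client all fall outside what the rule matches.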

Page 24: Blackhole Crimeware - Exploits

- CVE-2012-0507 Java
- CVE 20120-1423 Java
- CVE-2010-0886 Java
- CVE-20120-0842 Java
- CVE-2010-0840 Java
- CVE-2010-1885
- CVE-2010-1423
- CVE-2009-1671 Java
- CVE-2009-0927 Adobe Reader
- CVE-2008-2992 Adobe Reader
- CVE-2007-5659 Adobe Reader
- CVE-2006-0003 IE MDAC

Page 25: Blackhole Crimeware – A Look at the Attack

Page 26: Blackhole Crimeware – A Look at the Attack

Page 27: Blackhole Crimeware – Exploit Breakdown

Source: http://www.ic3.gov/media/2012/120420.aspx

*It is estimated 60% of Java users have not yet patched CVE-2012-0507

Source: http://www.infosecisland.com/blogview/21118-IC3-Blackhole-Exploit-Kit-123-Released.html

Page 28: The drive-by-download process

Desktop Users

Browse The Internet

Malicious iframe host

Web server with embedded iframe

Web browser targeted

Downloader installed

Malware installed and activated

Exploit material served

Page 29

Michael Montecillo

Twitter: @Montejam

(FOLLOW ME!)
