scansafe annual global threat report 2009
ANNUAL GLOBAL THREAT REPORT 2009
THE WORLD’S LARGEST SECURITY ANALYSIS OF REAL-WORLD WEB TRAFFIC
FOREWORD
There’s an old saying that “familiarity breeds contempt.” Perceived familiarity can have an equally detrimental effect, lulling us into a false sense of complacency and blinding us to reality.
For many years there have been dire sounding warnings that cyberwar is looming somewhere on the horizon. Many have scoffed at those predictions; others have approached the topic with academic and even military interest. But what many have failed to realize is that cyberwar is already here and the battle is already being waged. At the frontlines are corporate assets: intellectual property, research, schematics, sensitive proprietary data, and confidential customer and employee information.
Modern malware is merely a tool – and only one of many – used by cybercriminals to carry out their attacks. To approach today’s security challenges as a malware problem is to completely miss the bigger picture – it is a criminally run sophisticated e-business network intent on gathering intellectual and corporate assets. It is not simply a malware problem per se; it is a large scale cyber-espionage assault and all countries are being adversely impacted.
In the 2009 ScanSafe Annual Global Threat Report, we intend to highlight some of the business practices that drive cybercrime, explore some of the human aspects that fuel many of these attacks, and present data that demonstrates the continued use of the Web as the attack vehicle.
Our goal is to help dispel the misconceptions and subsequent complacency that arise due to perceived familiarity with malware as merely a system-disrupting scourge. To fully combat today’s threats, we must recognize their 21st century purpose – criminal data and asset-targeting designed to achieve global economic advantage.
- Mary Landesman, Senior Security Researcher, ScanSafe STAT
KEY HIGHLIGHTS
45% of all Web malware encounters in 2009 were with exploits and iframes indicative of compromised websites;
Energy & Oil experienced an encounter rate 356% higher than normal for data theft trojans;
Companies in the Pharmaceutical & Chemical sector experienced a 322% heightened rate of encounter with data theft trojans;
Other sectors experiencing higher than average exposure to data theft trojans included Government at 252% higher and the Banking & Finance sector at 204% higher;
Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% of all exploits by 4Q09; Flash exploits encountered via the Web dropped from 40% in 1Q09 to 18% in 4Q09;
Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year;
Malicious image files comprised 10% of all Web malware encountered in 2009;
The Gumblar attacks were the single largest at 14% of all Web malware blocks in 2009;
Compromises and malware encounters resulting from the Asprox and Zeus botnets comprised 2% and 1% of Web malware blocks, respectively;
Attacks continue to increase. A representative customer encountered 77 compromised websites in May 2007, compared to 1024 in May 2009. Direct encounters with data theft Trojans increased from 0 in May 2007 to 307 in May 2009.
CONTENTS
Foreword
Key Highlights
Contents
Why this Report
Introduction
The Business of Malware
The Sole Proprietor
The Middleman
The Developer
The Buyer
Targeting the Attack
Promiscuous Friending
Exploiting the Wild Wild Web
Adobe a Target
The Office Space
Malicious Image Files
Building a Better Botnet
Gumblar
Asprox
Zeus
Malware Categories
Outbreak Intelligence
One Company’s Experience
The Vertical Threat
A Decade of Deception
Executive Summary
Glossary
About ScanSafe
WHY THIS REPORT
The ScanSafe Global Threat Report is an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company’s corporate clients in over 80 countries across five continents.
Our leading position in providing security in-the-cloud gives unparalleled insight into the real-world Web threats faced by today’s enterprise; this report represents the world’s largest security analysis of real-world Web traffic.
The ScanSafe Global Threat Report provides a view of the threats which businesses actually face, rather than those experienced in labs or other artificial environments. Our data is gathered from real-time analysis by our proprietary threat detection technology, Outbreak Intelligence™, of every single Web request processed by ScanSafe in 2009.
This approach differs from traditional methods of gathering information on Web-based threats, such as those afforded by distributed ‘honeypot’ networks. The artificial and contrived nature of honeypots, Web crawling, or similar technologies can lead to a skewed vision of the Web threat landscape which does not reflect actual user experience.
By using the analysis data generated by Outbreak Intelligence™ in the course of protecting our customers, ScanSafe can report on the threats that our users would have been exposed to had they not been using our security service.
INTRODUCTION
Sometime in mid-December 2009, search engine giant Google discovered a breach of their network which had subsequently led to the loss of sensitive intellectual property. The origin of the breach: an email containing a link that pointed to a hostile website. The resulting compromise enabled attackers to see inside Google’s network and, eventually, to target specific resources that enabled the theft of sensitive intellectual property.
During the course of their investigation, Google discovered more than 20 other high-profile companies had been similarly breached, including Adobe. Eventual statements from Google and Adobe described the attacks as highly targeted and highly sophisticated. Yet for anyone monitoring the state of cybercrime today, the methods employed were routine and the malware actions predictable. Indeed, components dropped in Hydraq.A, the malware described as used in those attacks, were components that have been found in other malware for the past two years – even contained in far more mundane scareware programs.
This is not to say the malware was easily detectable. But today, no malware is easily detectable. On average, even given four possible points of detection (the email, the website, the exploit and the dropper), the miss rate with traditional signature scanners is near 40%.
Pre-dating the Google/Adobe announced attacks were targeted attacks on energy and oil companies in late 2008 and early 2009. Those attacks went undisclosed until a January 2010 investigation by The Christian Science Monitor [1] revealed details. According to that report, the stolen data “included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information.”
Neither the report of those attacks nor the sensitivity of the data targeted was a surprise to ScanSafe. In November 2008 we published the ScanSafe Vertical Risk Assessment [2], which analyzed Web malware data to determine the risk posture of 21 industry verticals. Our analysis revealed that not only was Energy & Oil most at risk, but that particular vertical’s rate of exposure to new variants of data theft Trojans was four times the average for all verticals combined.
The heightened risk of data theft Trojan encounters continued throughout 2009; Energy & Oil experienced an encounter rate 356% higher than the rate for all customers combined.
Unlike Google and Adobe, the energy companies alleged to have been breached did not confess to the compromise. Indeed, few victim companies choose to self report. Instead, the breaches that get acknowledged publicly are generally only those which involve theft of consumer or employee data – and only then because the laws require it. This selective disclosure fuels the misconception that cybercriminals are only intent on stealing data intended for credit card fraud and identity theft. In reality, cybercriminals are casting a much wider net.
[1] http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
[2] http://www.scansafe.com/downloads/whitepapers/ScanSafe_STAT_Vertical_Risk_Assessment.pdf
THE BUSINESS OF MALWARE
To attempt to describe the business structure behind cybercrime is not unlike trying to describe the business structure behind any other global economy. It is, in fact, well beyond the scope and size of this report to attempt to do it justice (no pun intended). Instead, we will be forced to highlight only a few of the tactics used, in the hopes of helping readers understand the broadness of the methods employed. (For a more complete discussion, download the ScanSafe whitepaper, “Web 2.0wned: A History of Malware on the Web” [3].)
The Sole Proprietor
These more independent criminals broker in stolen credit cards, phished banking credentials, and similar consumer-focused data theft transfers. These crimes tend to be less sophisticated and thus have a lower barrier to entry. As the laws of economics would suggest, this often leads to supply exceeding demand, driving prices of the stolen credentials downward. As with traditional legitimate online commerce, stolen credentials come from across the globe and the sellers have their own eBay-style ratings systems to verify their ‘trustworthiness’ to buyers.
Figure 1
[3] http://www.scansafe.com/downloads/whitepapers/A_History_of_Malware_on_the_Web.pdf
The Middleman
Just as there are trucking companies that ship goods between a buyer and seller, there are cybercriminals that specialize in delivering exploit kits that join the attacker and victim. Consolidation even occurs as it often does among partners in any other business, as we see advertised in Figure 2.
And as would any other software maker, the exploit kit writers fully describe what’s included in their offering, offer additional reasons to buy their product (Figure 3), and offer support services free of charge (Figure 4).
The cost for this exploit kit: a mere one hundred US dollars.
Figure 2
Figure 3
Figure 4
Figure 5
The Developer
Malware authors typically employ a reseller to peddle the malware on their behalf – presumably in exchange for a commission. In Figure 6, we see member “jboyz” reselling the latest (at the time) private version of the Zeus banking Trojan for a minimum of $6,000. Additional features are extra; the total cost for the full-blown package is triple that amount.
It’s worth noting that while Zeus is typically considered a banking Trojan, its capabilities enable it to steal whatever data the attacker wishes to target, as well as sniffing and retrieving FTP and POP3 credentials and capturing HTTP / HTTPS traffic.
Developers and their resellers may also take a more professional approach to selling. To entice their customers to move from free to fee versions of their software, the developers of the Turkojan keylogger family ask:
“Anti-virus and anti-spyware software label Turkojan Public Edition as potentially unwanted programs and sometimes they can remove them or prevent installing Turkojan server on remote computer. So it can cause unwanted results. Now we have a special offer for you, don’t you want to have an undetected copy of Turkojan Private Edition?”
Available for purchase from the authors’ website are three versions: bronze, gold, and silver – each subsequent upgrade offers successively extended periods during which the product is guaranteed to be undetectable by scanners or replaced free of charge.
The Buyer
The sole proprietor, middleman, and developer all have something to gain by publicly advertising their offerings. Conversely, there will be no such public displays from the buyer, particularly those criminals engaged in hardcore cyber-espionage such as the attacks leveraged against Google, Adobe, oil companies, and multiple other firms over the past year.
In “Hacking for Fun and Profit in China’s Underworld,” a Chinese cybercriminal identified only as “Majia” [4] admits that government and military agencies are among those who contract for the types of services he and other cybercriminals provide. But industrial espionage isn’t just a cross-border problem; competitors can also buy the services of cybercriminals to gain intel on product pricing strategies and proprietary development data.
In some cases, the buyer may contract directly with the malware developer. In January 2009, Heartland Payment Systems publicly announced a malware breach of their internal systems had resulted in large scale theft of credit card transactions processed on behalf of their merchant customers. It was later divulged that the malware used in those attacks was custom-created specifically for the Heartland heist.
In summary, there is no common denominator that defines the buyer – who they are and what data they are after is left only to their own imagination – and their ability to pay. But one thing is certain, today’s malware is highly customizable; once planted within the enterprise, this digital insider threat is able to operate silently and efficiently to siphon the most sensitive assets from that corporation.
[4] http://www.nytimes.com/2010/02/02/business/global/02hacker.html?pagewanted=1&hp
Figure 6
Figure 7
TARGETING THE ATTACK
Whether targeted to a specific individual or sent to a broad generic audience, social engineering attacks are designed to trick the user into taking some action that will prove harmful to themselves or others. The range of social engineering scams is broad: money laundering schemes disguised as help wanted ads, bogus notices from spoofed authorities such as the FBI or IRS, advance fee fraud schemes masquerading as death benefit notices, breaking news alerts that link to malicious websites – the list goes on.
The more targeted social engineering attacks can cause huge headaches for corporations. Instead of figuring out a way to break through the perimeter defenses, attackers are able to entice innocent inside employees to unwittingly grant them entry. A frequent target – highly placed executives with knowledge and access to the corporation’s most sensitive data assets.
The approach that allegedly tripped up oil execs and led to those networks being infiltrated was a simple email claiming to be a discussion of the “Economic Stabilization Act.” As with Google, Adobe, and so many other victim companies, that email contained a link to a booby-trapped website which foisted exploits onto any visitor that clicked through.
In May 2000, researchers for Interhack Corporation published advice on email-borne threats that is as true today as it was ten years ago. In summarizing “Why Anti-Virus Cannot Stop the Spread of Email Worms” [5], the researchers warned, “As long as there are users who can be fooled, malware will continue to plague us.” Their advice: either get rid of the users or help them to avoid getting fooled.
Despite that still timely advice, user education is typically never attempted and certainly almost never with the most highly positioned senior executives. Yet these executives are the biggest – and often easiest – targets. Thanks to press releases, social networking sites, silo-style sites that collate information on public personalities, and search engines, finding enough information to compose a reasonably personalized targeted attack email has never been easier.
Promiscuous Friending
Back in the day when MySpace was first introduced, many worried about who would protect the kids from online con artists and criminals. Maybe we should be asking ourselves who will protect the adults.
At the Vegas BlackHat conference in August ‘08, researchers Shawn Moyer and Nathan Hamiel presented “Satan is On My Friends List: Attacking Social Networks.” Part of that demonstration focused on how trivially easy it was to spoof the profiles of well known people in the security industry. The point made was there’s no real way (save offline verification) to ensure that the person on the other end of the ‘wire’ is really the person you think they are. The problem gets exponentially worse when dealing with promiscuous frienders who will accept any friend request, even from persons they only vaguely know and often from complete strangers.
Social networking sites can be a useful tool for keeping abreast of events in the lives of friends, family, or colleagues, whether personally or professionally. They can also be a useful tool for networking with associates met at business conferences or with whom you otherwise don’t have day-to-day contact. But to be used safely, any correspondence sent via the network should be treated as cautiously as any traditional email would be – that means don’t divulge confidential information, don’t click links in any unsolicited message received unexpectedly, and never agree to install anything resulting from a link received in an unsolicited message.
The social networking sites are designed to make it easy to network. This ease means it’s equally easy for scammers to set up shop. Don’t assume that because it happens on a social networking site, that it must be safe. Quite the opposite is true. Offline, trust your real life friends to have your back. But online, trust no one.
[5] http://www.interhack.net/pubs/email-trojan/
EXPLOITING THE WILD WILD WEB
The vast majority of modern malware encounters occur with exposure to compromised websites, which attackers outfit with hidden malicious iframes or external javascript source references. Typically, attackers use multiple layers of compromised or malicious websites in a single attack, thus the initially encountered (but unseen) iframe may silently cycle through two, three, or even more iframes and source reference hosts before the final exploits or malicious binary are delivered. This cross-domain attack and subsequent malware delivery is silent but deadly.
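As an added illustration of the compromise pattern described above (this is not ScanSafe code; the sample page and hostnames are constructed placeholders), the following Python scanner flags hidden iframes and script tags sourced from a host other than the page’s own. It assumes the caller knows the host the page was fetched from; the 1x1 and hiding-style heuristics are the common markers, not an exhaustive test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _dimension(value):
    """Parse an HTML width/height attribute ('1', '0px', '100%') to an int, or None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


class ReferenceCollector(HTMLParser):
    """Collect every <iframe> and every <script src=...> together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)


def find_suspicious_references(html, page_host):
    """Return findings for hidden iframes and for scripts sourced from hosts other than page_host.

    Each finding is {"kind", "src", "reasons"}; iframe findings come first, then scripts.
    """
    collector = ReferenceCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        width, height = _dimension(frame.get("width")), _dimension(frame.get("height"))
        reasons = []
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(frame.get("style") or ""):
            reasons.append("hidden by style")
        if reasons:
            findings.append({"kind": "hidden-iframe", "src": frame.get("src") or "", "reasons": reasons})
    for script in collector.scripts:
        host = urlparse(script["src"]).hostname          # None for relative (same-origin) paths
        if host and host.lower() != page_host.lower():
            findings.append({"kind": "external-script", "src": script["src"], "reasons": ["off-domain src"]})
    return findings


# Constructed sample page: one legitimate frame, one injected 1x1 hidden frame, one off-domain script.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-partner.test/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://www.example.test/help" width="600" height="400"></iframe>
<iframe src="http://injected.example-evil.test/placeholder" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
```

Run over a crawl of your own site, an off-domain script finding is worth reviewing against the list of third-party scripts you actually deployed.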
Adobe a Target
When malicious exploit code was encountered in 2009, vulnerabilities involving malformed PDF files (Adobe Reader / Adobe Acrobat) were the most frequently targeted, followed by vulnerabilities in Adobe Flash. Interestingly, as the rate of malicious PDF files increased in 2009, the rate of malicious Flash files decreased throughout the year.
As seen in figures 8 and 9, malicious PDF files comprised 56% of exploits in 1Q09, growing to 80% of all exploits by 4Q09. Conversely, Flash exploits dropped from 40% in 1Q09 to 18% in 4Q09. This trend is likely indicative of attackers’ preference for PDF exploits, probably due to a combination of the increasing availability of vulnerabilities in Adobe Reader and Adobe Acrobat and the continued widespread use and acceptance of PDF files in both the workplace and consumer sectors.
CVE, maintained by the MITRE Corporation, is a list of publicly known security vulnerabilities, each assigned a common identifier to facilitate information and data sharing. As of December 31, 2009, there were 288 total CVE records for vulnerabilities in Adobe products. Of those, 107 CVE numbers assigned to Adobe vulnerabilities were issued in 2009; only one was rated low, 25 were rated medium, and the remaining 81 were rated high. In 2008, there were only 58 vulnerabilities listed in CVE for Adobe products, 50 in 2007, 35 in 2006, 18 in 2005, with the remaining 20 CVE entries spread between 1999 and 2004. The recent surge in Adobe vulnerabilities has become a concern to many officials, prompting an unprecedented warning from Stephen Northcutt, president of the SANS Technology Institute. In the August 4, 2009 issue of SANS NewsBites, Northcutt warned: “I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products where you can.”
Whether Adobe products can or should be avoided is a matter of debate. However, what does appear certain is that Adobe Reader and Adobe Acrobat are increasingly a favored exploit target for attackers. Accordingly, users should treat all PDF files with the same caution they would use with any other executable file type. Enhanced security for PDF can be obtained by disabling JavaScript in Reader and Acrobat and by avoiding the use of browser plug-ins for those products.
Figure 8 - PDF / Flash Exploits
Figure 9 - Adobe CVE Records
The Office Space
It is well understood that attackers typically employ exploits that target the most ubiquitous products. Given that these are Web-delivered exploits and Adobe Reader is the most ubiquitous document reader used on the Web, it stands to reason that the rate of PDF exploits would be high. However, exploits for Microsoft Office file formats, which also enjoy widespread use, were comparatively (and significantly) more rare in 2009. Collectively, Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year.
Malicious Image Files
Malformed images also factored extensively in Web-delivered attacks throughout 2009, although not, strictly speaking, by way of an exploit. These images take advantage of features in the operating system, browser, and Web server: MIME types can be forged, PHP can be nestled in the text comment fields of legitimate GIF or JPG images, and PHP interpreters can override even concerted blacklisting efforts. Figure 10 shows the proportion of malicious image files to all other Web-delivered malware for each quarter of 2009.
In many cases, malicious image files are hosted on legitimate websites presumed to have been compromised. In most of those cases, it appears the attackers have replaced actual site images with the maliciously modified copies of the images. The imposter images display normally but behind the scenes, depending on the browser, the iframe contained in the image attempts to launch malcode from the attacker-owned site. Note that these malicious images are not the sole means of compromise, but typically act as an adjunct to the overall compromise.
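As an added illustration of the comment-field technique described above (not ScanSafe code; the image fixtures are constructed inside the block), this Python scanner walks the GIF Comment Extension blocks and JPEG COM segments of a file and reports any that carry PHP or markup markers. It identifies the format from magic bytes rather than the declared MIME type or file extension, which is the check an upload handler or a site-integrity scan should apply.

```python
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<iframe", b"eval(")


def _read_subblocks(data, pos):
    """Concatenate GIF data sub-blocks starting at pos; return (bytes, position after the terminator)."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF sub-block")
        n, pos = data[pos], pos + 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def gif_comments(data):
    """Return the payload of every Comment Extension (0x21 0xFE) in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13                 # Logical Screen Descriptor flags, first block offset
    if packed & 0x80:                          # skip the global colour table
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x21:                      # extension: label byte, then sub-blocks
            label, pos = data[pos], pos + 1
            payload, pos = _read_subblocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                    # image descriptor, optional local table, LZW data
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            _, pos = _read_subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError("unexpected GIF block 0x%02x" % block)
    return comments


def jpeg_comments(data):
    """Return the payload of every COM (0xFFFE) segment before the entropy-coded scan data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos, comments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost JPEG marker sync")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI, or SOS: only scan data follows
            break
        if marker == 0xFF:                     # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad or truncated JPEG segment")
        if marker == 0xFE:
            comments.append(bytes(data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return comments


def scan_image(data):
    """Identify the format by magic bytes (never by extension or declared MIME type) and
    return (format, [comments that contain script or markup markers])."""
    if data[:3] == b"GIF":
        fmt, comments = "gif", gif_comments(data)
    elif data[:2] == b"\xFF\xD8":
        fmt, comments = "jpeg", jpeg_comments(data)
    else:
        raise ValueError("unsupported or mislabelled image")
    return fmt, [c for c in comments if any(m in c.lower() for m in SCRIPT_MARKERS)]


def build_gif_with_comment(comment):
    """Constructed 1x1 GIF89a carrying one comment extension (test fixture, not a real sample)."""
    screen = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"     # no global colour table
    ext = b"\x21\xFE"
    for i in range(0, len(comment), 255):                          # sub-blocks hold at most 255 bytes
        ext += bytes([len(comment[i:i + 255])]) + comment[i:i + 255]
    image = b"\x2C" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02" + b"\x02\x44\x01\x00"
    return screen + ext + b"\x00" + image + b"\x3B"


def build_jpeg_with_comment(comment):
    """Constructed JPEG skeleton: SOI, one COM segment, EOI (test fixture, not a real sample)."""
    com = b"\xFF\xFE" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xFF\xD8" + com + b"\xFF\xD9"
```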
Figure 10 - Malicious Image Files (share of all Web-delivered malware by quarter, 1Q09 to 4Q09; scale 0% to 12%)
BUILDING A BETTER BOTNET
The traditional definition of a botnet is a collection of compromised client computers under the control of a common attacker (or common group of attackers). A typical botnet may be used for nefarious commercial purposes such as distributing spam or scareware. Botnets can also be used for distributed denial of service (DDoS) attacks, which can sometimes be rendered against competing sites or services for illicit financial gain. In addition to other uses (left only to the imagination of the attackers), botnets can also play a role in the compromise of legitimate websites or be used as part of a fast flux network to mask the origin of a particular malware host.
In 2009, Gumblar changed the traditional view of botnets, as the Gumblar attackers began uploading PHP backdoors to compromised websites for continued command and control of those sites. This enables the attackers to interchangeably use the compromised sites as the actual malware host, or as part of a redirection chain for exploit delivery, or both. This not only hampers remediation efforts – effectively giving the Gumblar attackers thousands of possible malware hosts – but it also can thwart standard reputation-style filters and thus increase the likelihood of exposure to the malware.
In 2009, the three most prolific botnets from a Web malware standpoint were Gumblar (14%), Asprox (2%), and Zeus (1%). While both Conficker and Koobface received the lion’s share of attention from a media perspective, actual encounters resulting from these botnets were extremely low, collectively representing only 0.05% of Web malware in 2009.
Gumblar
Gumblar is a multi-stage series of compromises that delivers malware designed to intercept Web traffic, steal FTP credentials, manipulate search engine results, and install backdoors on compromised computers and websites.
The malicious script embedded during the original compromise was placed in collateral .js or .php files called when the page was loaded, rather than directly in the default home page itself. This technique enabled the attacks to avoid casual observation while still having their malicious scripts rendered when users visited the site.
The technique also proved effective at bypassing signature detection. During Gumblar’s initial peak from April 24th through May 15th, signature scanners were unable to detect the Gumblar compromise. ScanSafe Outbreak Intelligence successfully detected and blocked all phases of the Gumblar attack.
In subsequent phases, Gumblar attackers began uploading PHP backdoors to compromised websites, providing attackers with continued control of the sites even if the original FTP passwords were changed.
At 14% of the total Web malware blocks for the year, the Gumblar attacks were the most prevalent attacks in 2009, peaking at 35% of all blocks in November 2009.
Figure 11 - Gumblar
Asprox
The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload a SQL injection attack tool, which then queries search engines to find susceptible sites and exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors’ computers. Other bots are used as hosts for the malware. Asprox commonly uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses in an attempt to mask the actual host.
In terms of botnet-related Web malware, websites compromised as a result of Asprox were the second largest source at 2% of all Web malware blocks, peaking at 11% in October 2009.
Zeus
The Zeus botnet was implicated in a $6 million commercial account heist against 20 European banks in the summer of 2008. In early 2009, the Zeus botnet began employing an exploit toolkit known as Luckysploit, which uses standard RSA public/private key cryptography to encrypt the communication session with the browser.
Zeus bots are known for browser traffic sniffing: intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data pasted into the browser. While these actions facilitate Zeus’ data theft activities, they can also lead to the compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking Trojans and bots; their management systems may also be infected. Zeus bots and Trojans are also rootkit-enabled, which can hinder discovery efforts.
Zeus was the third largest single botnet impacting Web surfers in 2009. Zeus-related malware and sites compromised by the Zeus botnet comprised 1% of all Web malware blocks for the year. Beginning in the first quarter of 2009, the Zeus botnet began employing the LuckySploit framework to render exploits on unsuspecting Web surfers’ computers.
Figure 12 - Asprox
Figure 13 - Zeus
MALWARE CATEGORIES
This report focuses solely on malicious software and excludes tracking cookies, Web bugs, non-malicious opt-in tracking or legitimate (but potentially unwanted) advertising supported software. Categories of malware in this report include the following:
• Trojans
• Exploits / iframes
• Redirectors
• Downloaders
• Clickers
• Scareware (rogue scanners)
• Viruses
• Worms (including autorun worms which connect via the Web upon infection)
In 2009, 45% of all blocked Web malware encounters were with exploits and iframes indicative of compromised websites. The second highest category was direct encounters with Trojans engaged in data theft (backdoors and password stealers), which comprised 19% of all ScanSafe Web malware blocks for the year. Interestingly, because scareware is intentionally designed to be a very noticeable infector, these rogue scanners tend to get the lion’s share of attention in media and consumer reports, yet were only 7% of all Web malware encounters for 2009.
Figure 14 - Web Malware Blocks by Category (categories charted: Exploit & Iframe, Backdoor & PWS, Trojan - General, Rogue Scanner, Downloader / Dropper, Virus & Worm, Redirector, Clickfraud Trojan; scale 0% to 50%)
Figure 15 - Top Ten Web Malware (named entries: Trojan-Iframe.JS.Gumblar, PSW.Banker, OI-PSW.Keylogger.OF, Worm.AutoIt, Hoax.Win32.Krap.ah, OI-PSW.Win32.MultiBanker.SV, Backdoor.Win32.RaMag.a, PSW.Win32.Magania.bfrp, Trojan.HTML.IFrame.kr; share labels run from 14% for Gumblar down to 1%)
Outbreak Intelligence
Today’s cybercriminals go to great lengths to ensure their malware goes undetected. As we previously demonstrated in Figure 7, malware creators may even offer service level agreements consisting of full replacement and money-back guarantees that the malware will not be picked up by traditional scanners.
In 2009, 27% of all Web-delivered malware blocked by ScanSafe Outbreak Intelligence was undetectable by signature scanners at the time of encounter. While 27% was the overall average for the year, during peak outbreak periods the rate of zero day malware blocks was much higher.
Outbreak Intelligence zero day blocks on November 7th reached 97%. The second highest rate of zero day malware occurred on August 24, with 90% undetectable by traditional signatures. Figure 17 provides a day-by-day snapshot of zero day malware blocked by Outbreak Intelligence in 2009.
Figure 16 - Outbreak Intelligence vs. Signature Blocks (Signature 73%, Outbreak Intelligence 27%)
Figure 17 - Outbreak Intelligence Blocks Throughout 2009 (daily share of blocks undetectable by signatures, scale 0% to 100%, January through December 2009)
ONE COMPANY’S EXPERIENCE
To help contextualize the increased risks posed by Web-delivered malware, ScanSafe provides raw numbers from an actual 15,000 seat customer. We analyze that customer’s Web malware blocks in May of each of the target years (2007, 2008, 2009) to provide year-over-year comparisons for trending purposes.
As Figure 18 demonstrates, encounters with compromised websites have increased dramatically over the past three years. In May 2007, the customer encountered only 77 compromised websites, increasing to 481 compromised website encounters in 2008, and 1024 encounters in May 2009.
Direct encounters with data theft Trojans also increased year over year, from 0 direct encounters in May 2007 to 307 in May 2009.
A typical website compromise can impact tens of thousands of websites simultaneously. Multiple distinct (unrelated) attacks can also occur simultaneously. Throughout 2009, ScanSafe STAT recorded over a thousand unique attacks on average for each month of the year. In May 2007, our 15,000 seat focus customer encountered 11 unique separate attacks, compared to 197 unique attacks in May 2009.
Total encounters also increased year over year. The ScanSafe STAT focus customer experienced 205 total Web malware encounters in May 2007, 669 in May 2008, and 1719 total Web malware encounters in May 2009.
0
50
100
150
200
250
300
350
May 2007 May 2008 May 2009
Focus Company: Data Theft Trojans Encountered
ONE COMPANY’S EXPERIENCE
Figure 18 - Focus Company: Compromised Websites Encountered
Figure 19 - Focus Company: Data Theft Trojans Encountered
Figure 20 - Focus Company: Unique Attacks Encountered
Figure 21 - Focus Company: Total Encounters
0
200
400
600
800
1000
1200
May 2007 May 2008 May 2009
Focus Company: Compromised Websites Encountered
0
50
100
150
200
250
May 2007 May 2008 May 2009
Focus Company: Unique Attacks Encountered
0
200
400
600
800
1000
1200
1400
1600
1800
2000
May 2007 May 2008 May 2009
Focus Company: Total Encounters
PAGE 23
THE VERTICAL THREAT
For two years in a row, ScanSafe STAT malware block data reflects a disturbing trend – companies in highly sensitive verticals experience a much higher than average rate of Web malware encounters.
In 2009, Energy & Oil experienced a 3.5 times higher rate of direct encounters with data theft Trojans compared to all other verticals for the report period. Companies in the Pharmaceutical and Chemical sector experienced a 3.2 times heightened rate of encounter with this most serious category of malware.
Both the Pharmaceutical & Chemical industry and the Energy & Oil sector also experienced higher rates of encounter with unique variants of password stealers and backdoors, at rates 14 times and 11 times higher than average, respectively. The higher rate of encounters with unique variants is likely indicative of greater targeting of these segments, as attackers typically introduce new variants in an attempt to evade malware detection.
The Government sector had a 2.5 times higher than average rate of encounters with data theft Trojans delivered via the Web, but had a 25% lower than average rate of encounters with unique variants of this category of malware. The Banking & Finance sector experienced a data theft Trojan encounter rate that was 204% higher than average. Encounters with unique variants of data theft Trojans were 211% higher than the norm for all customers combined.
In 2009, Energy & Oil experienced a 356% greater rate of direct encounters with data theft Trojans compared to all other verticals for the report period.
Figure - Increased rate of exposure to data theft Trojans
Energy and Oil: 356%
Pharmaceutical & Chemical: 322%
Government: 252%
Banking & Finance: 204%
PAGE 24
A DECADE OF DECEPTION
As one decade closes and another begins, it provides an opportunity to look both to the future and to the past. For as the saying goes, “Those who cannot remember the past are condemned to repeat it.” 6
Modern malware is commercially motivated - instead of writing malware for ego gratification, today’s attackers are using malware to make money. Thus, in hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm’s author.
In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm’s ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware’s eventual move to the Web.
January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers, even harvesting the victims own email contacts to add to the spammers’ mailing lists.
The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K’s code was the message, “Hey Netsky, f*ck off you b*tch, don’t ruine our business, wanna start a war?”
Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month’s tsunami in the Indian Ocean, scammers began targeting people’s fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malware that turned victim computers into bots.
By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed “230 dead as storm batters Europe.” Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the trojan family (and its associated botnet) its new name, Storm.
6 George Santayana: Life of Reason, Reason in Common Sense, Scribner’s, 1905
PAGE 25
In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed Web attacks. The release of free or low cost SQL injection tools in the Fall of 2007, followed by remote discovery tools such as Goolag in 2008, further cemented cloud-based malware delivery via the Web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases.
The 2009 Gumblar attacks can be viewed as the culmination of a decade’s evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never before seen botnet comprised of thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators, thus providing instant monetization, as well as long-term profit potential via its ability to intercept, tamper with, and steal Internet and network communications. Gumblar also includes the ultimate in social engineering – turning perfectly good, reputable websites against their visitors, and even against their very owners.
PAGE 26
EXECUTIVE SUMMARY
If Loveletter was the harbinger of data theft to come in the last decade, Gumblar may well be the first harbinger of mass control of the Web in the new decade. As such, one can only conclude that the criminal harvesting of data via the Web will continue to be top priority for attackers in 2010 and beyond.
To counter threats on the Web, network architecture will likely undergo many changes in the coming decade. As a result, it can be expected that various forms of user authentication based on trust relationships will eventually emerge. As these efforts evolve, subsequent online personas will become increasingly attractive targets to would-be attackers. Identity theft programs will subsequently need to evolve beyond protection of one’s credit report, to include protecting one’s virtual identity from those who would spoof it for illicit gains.
It can also be expected that the Internet will increasingly become more device and service centric and less “desktop centric.” As that development unfolds, it will introduce a less homogeneous environment for attackers, thus further propelling the (ab)use of the Web for criminal gain.
The digital divide will also likely continue to grow and resulting tensions will likely fuel further cyber-attacks, including even more increases in attacks designed for theft of intellectual property and attacks designed to disrupt access.
To confront the challenges of the coming years, we must reposition our thinking to match the new reality. We must forgo our perceived familiarities and see the issues that are already at hand – the criminal business of data harvesting and the siphoning off of intellectual property. Our defences must extend beyond the confines of brick and mortar and into the cloud to ensure end-to-end protection of our most sensitive assets and people, regardless of operating system, device, or geo-locale.
PAGE 27
GLOSSARY
Backdoor: Malware that provides surreptitious and unwanted access to a remote computer or device
Compromised Site: A site whose vulnerabilities have been exploited, resulting in the distribution of malware
Heuristic: An algorithm, which may be signature or behavior-based, designed to detect a characteristic or specific set of criteria consistent with previously observed malware
Malicious Site: A website distributing malware, whether intentionally or through compromise
Malware: Software distributed with malicious intent
OI: ScanSafe Outbreak Intelligence™; a collection of technologies designed to detect both known and unknown malware threats
Password Stealer: Malware that monitors keystrokes, captures screenshots, or steals data, sending the captured details to attackers
Signature: An algorithm used by signature-based scanners to detect a specific threat or specific family of threats
Trojan: A non-replicating program which has intentionally malicious behavior
Virus: Malware that infects other files or programs
Worm: Malware that spontaneously copies itself to other folders, drives, shares, or accessible sites
Zero-Day: A vulnerability or malware for which no patch, signature, or intelligence is available prior to initial detection
PAGE 28
ABOUT SCANSAFE
ScanSafe EMEA: Qube, 90 Whitfield Street, London, W1T 4EZ. T: +44 (0) 20 7034 9300 F: +44 (0) 20 7034 9301
ScanSafe US: 950 Elm Avenue, San Bruno, CA 94066. T: +1 650 989 7100 F: +1 650 989 6543
ScanSafe (www.scansafe.com), now a part of Cisco, is the pioneer and largest global provider of SaaS Web Security, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web. As a SaaS solution, ScanSafe eliminates the burden of purchasing and maintaining infrastructure in-house, significantly lowering the total cost of ownership. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe processes more than 20 billion Web requests and 200 million blocks each month for customers in over 100 countries.
The ScanSafe Security Threat Alert Team (STAT) is a key part of the ScanSafe Threat Center, which monitors the global state of Web traffic 24 hours a day, seven days a week. STAT is composed of a group of malware experts dedicated to analyzing trends and anomalies in Web traffic scanned by the ScanSafe Threat Center and the more than 200 million blocks each month. The team performs ongoing expert analysis of Internet threats, identifying trends in new malware tactics and developing technologies to prevent them.
STAT also provides timely information on significant, newly emerging Web-borne threats via the ScanSafe STAT blog - a tool designed to provide readers with the pulse on the overall Web threat landscape.
In 2009, the company was awarded “Best Content Security” solution by SC Magazine for the third consecutive year.
© ScanSafe All rights reserved. ScanSafe, the ScanSafe logo and Outbreak Intelligence are trademarks of ScanSafe. All other trademarks are the property of their respective owners.