d r. paul judge chief research officer barracuda networks the state of internet security: web...
TRANSCRIPT
Dr. Paul JudgeChief Research OfficerBarracuda Networks
The State of Internet Security: Web Attacks Take Over
Half of The Spam Disappeared
3
1 2 3 4 5 6 7 8 9 10 11 1220000000000
25000000000
30000000000
35000000000
40000000000
45000000000
50000000000
55000000000
52 Billion 26 Billion
2010
5 Innovations That Caused Security Gaps
Habits of Effective Hackers
Five Innovations That Created Security Risks
• One new domain each second• 196 million domain names• 47 million new sites last year
1. Rapid Growth
Source:Verisign
Rich site-to-browser interaction
Browser is the new operating system
Browser is active in the application, not simply a passive display tool
2. Dynamic Web Apps: AJAX
3. User-Generated Content
• Half of Top 100 sites based on UGC
• 500 million users on Facebook
• 100 million accounts on Twitter
• 2.5 billion photos uploaded each month to Facebook
• 30 million new ads per day on Craigslist
• 20% of the workforce works remotely
• 1 in 11 organizations had remote workers infected
• 46% of remote infections come from infected Web sites
4. Remote Employees
Smartphone and tablet computing blur the line between personal and business computing
Companies must reconsider policies for devices that are not owned by the company
5. New Devices
Habits Of Effective Hackers
1. Malicious Javascript
(Four Habits Of Effective Hackers)
• USAToday.com ad network compromised (idatrinity.com)
• Visitors served malicious javascript bundled with ad for Roxio Creator 2009
• Automatically directed users to Rogue AV Web site (antivirusquickscanv1.com) through malicious traffic distribution system (liveavantbrowser2.cn)
Malvertising
Exploited Site (1 of 4)
hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
instead of:
hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
Exploited Site (2 of 4)
Exploited Site (3 of 4)
hxxp://qxfcuc.info/f.cgi?jzo
The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to "Send a message to ICQ #559156803; stats available under ststst02."
Exploited Site (4 of 4)
Barracuda Labs Technology:Malicious Javascript Detector (MJD)
– Place content in a virtual browser environment – Perform behavioral analysis of javascript to
determine its intentions
Proxy
2. Search Engine Malware
(Four Habits Of Effective Hackers)
Search Volumes
• 88,000,000,000 Per Month On Google Sites
• 24,000,000,000 Per Month On Twitter
• 9,400,000,000 Per Month On Yahoo Sites
• 4,100,000,000 Per Month On Microsoft Sites
Sources: comScore, Twitter
Barracuda Labs Technology:Search Engine Malware Crawler
• Get Popular Search Terms Hourly• Search for Those Terms• Retrieve the Set of Search Results• Retrieve the Web Sites for the results• Analyze the Sites for Malicious Code• Add Malicious Sites to Barracuda
SPYDEF list
Data Set
4 Search Engines(Bing, Google, Twitter, Yahoo)
153 Days
157,154 Popular Topics
36,972,206 Search Results
• 34,627 malware samples found
• 1 in 1000 search results lead to malware
• 1 in 5 search topics lead to malware
Frequency of Search Engine Malware
Total Malware by Search Engine
Google38%
Yahoo30%
Bing24%
Twitter8%
Lebron James
Search Engine Malware (1 of 4)
26
Search Engine Malware (2 of 4)
27
Search Engine Malware (3 of 4)
Search Engine Malware (4 of 4)
Barracuda Labs Technology:Maltrace: Malware Analysis w. Virtualization
• Collect thousands of malware samples daily from honeypot network
• Load samples into Maltrace• Maltrace allows the malware to run on a virtual PC• Maltrace collects the network traffic generated• Maltrace creates signatures based on malicious traffic• Adds the signatures to URL, IP and fingerprint databases
3. Social Attacks
(Four Habits Of Effective Hackers)
Facebook Social Attacks
Photo ‘Tags’ Up To 50 People
Website Selling Fake Illegal Shoes
Automated Social Engineering
Malicious Facebook Apps
Likejacking
Twitter – Trending Topics (Step 1 of 3)
Twitter – Trending Topics (Step 2 of 3)
hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54
which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:
hxxp://my-systemscan.com/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2qeNm 6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D hxxp://my-newprotection.net/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2qeNm 6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D hxxp://trustsystem-protection.com/?p=WKmimHVlbG2HjsbIo22EhHV8ipnVbWiMnNah2 qeNm6nZwombm5h2lpd9fXCHodjSbmRelWZxmV6SZGbLU9bYxKWspXOL1dZ2Y2ZuZ2tnaWyVYYrJlG0%3D
Twitter – Trending Topics (step 3 of 3)
Barracuda Labs Technology:Twitter Reputation System
• Process Twitter Public Stream• Query Twitter User Database for Other Users• Analyze Users’ Activities• Analyze Web Links• Add Malicious Sites to Barracuda SPYDEF list
Twitter Growth
Red Carpet EraNovember 2008 – April 2009
• 54% of the Top 50 Twitter users joined
• Growth rate increased tenfold from 2% in Nov 08 to 21% in April 09
Twitter Crime Rate
• 2006 = 1.2%• 2007 = 1.7%• 2008 = 2.2%
Red Carpet Era:
During: Increased 66%• 2.0% to 3.4% Crime Rate
Four months later: Increased 350%• 12% Crime Rate in Oct 2009
Twitter Crime Rate: the number of accounts per hundred created during a particular period of time that are suspended
4. Web Exploit Kits
(Four Habits Of Effective Hackers)
Web Exploit Kit Overview
– Most exploits served by exploit kits – (ready-made tools sold/used by criminals to attack
vulnerable software components – Many exploit sites, but few exploit kit types
– a handful of kit types comprise the majority of exploit sites
– Examples • LuckySploit, Fragus, UniquePack, NucPack• Tornado, Fiesta, IcePack, FirePack, MPack
Barracuda Labs Technology:Exploit Kit Detector (EKD)
– Leverage the many-to-few relationship between exploit sites and exploit kit types
• Focus of the handful of kit types that correspond to the majority of exploit sites
– Use information invariant to these kits to detect instances of them in a site-independent fashion
Proxy
Summary
Who Is Behind This?
The Worlds Greatest Spammers:Where are they now?
Alan Ralsky Scott Richter
‘Godfather of Spam’ ‘King of Spam’
70 million emails per day 100 millions email per day
#1 of top spammers list #2 and #9 of top spammers list
$3 Million profit summer 2005 in pump and dump Chinese penny stocks
Over 40,000 ‘Iraq Most Wanted’ card decks sold before printed
2005 FBI raid and investigation 2003 New York Attorney General lawsuit2006 Microsoft lawsuit2008 Myspace lawsuit
The Worlds Greatest Spammers:Where are they now?
Alan Ralsky Scott Richter
‘Godfather of Spam’ ‘King of Spam’
70 million emails per day 100 millions email per day
#1 of top spammers list #2 and #9 of top spammers list
$3 Million profit summer 2005 in pump and dump Chinese penny stocks
Over 40,000 ‘Iraq Most Wanted’ card decks sold before printed
2005 FBI raid and investigation 2003 New York Attorney General lawsuit2006 Microsoft lawsuit2008 Myspace lawsuit
2009: Sentenced to 51 months in Federal prison
The Worlds Greatest Spammers:Where are they now?
Alan Ralsky Scott Richter
‘Godfather of Spam’ ‘King of Spam’
70 million emails per day 100 millions email per day
#1 of top spammers list #2 and #9 of top spammers list
$3 Million profit summer 2005 in pump and dump Chinese penny stocks
Over 40,000 ‘Iraq Most Wanted’ card decks sold before printed
2005 FBI raid and investigation 2003 New York Attorney General lawsuit2006 Microsoft lawsuit2008 Myspace lawsuit
2009: Sentenced to 51 months in Federal prison
2009: Founded “Lunatic Games”-a social gaming company
Barracuda Labs Threat Intelligence
Barracuda Labs Resources• Web Sites and Reports
– www.Barracuda.com– www.BarracudaLabs.com– www.BarracudaCentral.org– www.TweetBrawl.com– www.TweetGrade.com– Barracuda Labs Annual Threat Report
• Contact– Twitter: @Barracuda, @BarracudaLabs– Paul Judge, Chief Research Officer
• [email protected] • Twitter: @PaulJudge
Servers
Barracuda Web Application Firewall
Barracuda Web Application Firewalls
SSL AccelerationPipeliningCachingCompressionLoad Balancing
OWASP protectionVirus scanningData leakageCloakingXML Firewall
Remote Users
Teleworkers
Barracuda Web Security Flex
64
• Cloud-based content filtering and malware protection• On-network appliances when needed for local enforcement• Remote and mobile filtering• Centralized multi-site management and reporting • Unlimited deployment flexibility