evolving email threats and counter technology
TRANSCRIPT
-
7/30/2019 Evolving Email Threats and Counter Technology
1/51
Evolving email threats and counter technology
James Todd, IronPort Systems
-
Agenda
The State of SPAM
New Spamming Techniques
Predicative Security
Rebuilding Trust in Email
-
Zombies Execute Email Attacks
-
Viruses are Becoming More and More Dangerous . . .
- 70% of all spam comes from virus-infected PC zombies
- 75% of all viruses contain spam delivery engines
- 200% increase in spyware delivered by email in the past 6 months
- 65% increase in keystroke loggers in 2005
- 200% increase in rootkits
-
What's changed
Old Days
- Hacking for fame, fun or profit
- Script Kiddies, Hacktivists, Black Hats, VXers
Today
- Hacking for Profit
- Disorganized crime, Web mobs, Organized crime
"The dark side of the Internet involves not only fraud and theft, pervasive pornography, and pedophile rings, but also drug trafficking and criminal organizations that are more intent upon exploitation than the disruption that is the focus of the hacking community."
Phil Williams, Professor of International Security Studies, University of Pittsburgh
-
The Email Bounce Problem (BDOS)
Email's Other Billion Dollar Problem: bounces are 9% of email
Anti-Spam Scanners Are Not Effective
- Misdirected bounces look legitimate and do not trigger anti-spam scores
- They originate from senders with a good reputation
-
Bounce DOS
20-fold increase in the number of mails accepted
-
New Trends
- Come a long way since Sobig.A
- Viruses becoming very sophisticated and devastating
  - Warezov: virus stub sent via email, viral payload downloaded via HTTP
  - Rustock: goal is to be a spam proxy and send spam while evading detection and analysis
  - Both reside in memory and use alternate data streams for evasion
- Viral message volume dropping keeps end-user paranoia low and effectiveness high
- Spam, phishing and spyware interwoven
-
The State of SPAM
-
Chart: Spam Increases to 60 Billion per Day
Average Daily Spam Volume (billions of messages), Oct-05 to Oct-06: +80%
-
Chart: Total Volume by Data Size Jumps
Data volume of spam (terabytes, 10^12 bytes, sent per day), Oct-05 to Oct-06: +164%
Every day in October, spam data was equivalent to 35 US Libraries of Congress
-
Chart: Image Spam Explodes, 5% to 25%
Image spam as % of all spam (% spam with an embedded image), Oct-05 to Oct-06: +421%
-
URL Attacks Mutate More Rapidly
- A trend called Domain Kiting is on the rise: brings the cost of registering a domain to *zero*
- Domains are now advertised in spam for < 4 hrs
- Makes URL blacklists/whitelists ineffective
* Source: IPWalk.com
-
New Spamming Techniques
-
Image Spam
-
Why?
Jonathan Lebed made $850,000 from Pump & Dump:
Subj: THE MOST UNDERVALUED STOCK EVER
Date: 2/03/00 3:43pm Pacific Standard Time
From: LebedTG1
FTEC is starting to break out! Next week, this thing will EXPLODE... Currently FTEC is trading for just $2 1/2! I am expecting to see FTEC at $20 VERY SOON.
"Meyers Pollock Robbins" brokerage firm defrauded $176 million from investors using Pump & Dump
CEO Michael Ploshnick served 3 years in prison
-
Image Spam Gets Sneakier
1. Polka dots
2. Slice & Dice
-
URL Spam
-
One Spam (annotated message)
- Hashbuster text from The Hobbit
- Advertisement
- Call to Action URL advertising a pharmaceutical web site
-
Six Spam (annotated messages)
- Call to Action URL
- Hashbuster text
-
The Spam Attack
Spam Content
- 1.5 billion messages over 2 weeks
- ~2000 unique content mutations, changed every 12 minutes
- 1500 unique domains used, changed every 15 minutes
Spam Source
- 100,000 infected PCs (zombies) in 119 countries
Command and Control (C&C) infrastructure
- Web sites, web servers
- DNS servers
- Payment processing and customer service systems
-
Predicative Security
-
Predicative Security
CASE: MetaVerdict
How? Where? Who? What?
Predicate what is good - Predicate what is bad
-
Image Spam Example: Traditional Content Filters
WHAT? HOW? WHO? WHERE?
- No spam content found in message
- Doesn't match known signatures
- IP address not on any blacklists
Verdict: UNKNOWN
-
Predicative Security for Image Spam
WHAT? HOW? WHO? WHERE?
- All text inside an image
- Random dots appear within the message
- Nearly identical colour scheme in 100,000s of spamtrap messages
- IP address recently started sending email
- Message originated from dial-up IP address
- Sending IP address located in Russia
- Message leaves trace of spamware tool
- Call-to-action URL in the message: http://urllink.call.to.action.ipaddressisinrussia.com
Verdict: BLOCK
-
Spectrum of colour spread throughout the entire image
-
Limited spectrum of colours with drastic colour change produces an ECG-like pattern
-
Virus Outbreak Example: Traditional AV Signature Update
Charts: virus volume over time (GMT), marking when the first AV signature became available
- Kukudro-A: 6-27-06
- Bagle-GT: 4-21-06
- FeebsDI-Q: 6-07-06
- Mytob-HJ: 4-19-06
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
-
Virus Outbreak Predicates
-
Outbreak Predicates
-
Predicates build context to take Action
- T1 = 0: zip (exe) files
- T2 = 5 mins: zip (exe) files; size 50 to 55 KB
- T3 = 15 mins: zip (exe) files; size 50 to 55 KB; "Price" in the file name
- T4 = 8 hours: release messages if signature update is in place (messages scanned & deleted)
Fine-grained Rules, Multiple Parameters: Attachment Type, Attachment Size, URLs, Filenames & More
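The T1 to T4 escalation above can be modelled as a small quarantine that holds what the current rule matches, releases messages once a narrower rule excludes them, and rescans the rest when the AV signature arrives. This is an added example, not IronPort's Virus Outbreak Filter code; the Attachment fields, rule weights and message ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Attachment:
    filename: str   # name of the archive as attached, e.g. "price.zip" (constructed)
    inner_ext: str  # extension of the file inside the archive, e.g. "exe"
    size_kb: int

@dataclass
class OutbreakRule:
    """One stage of the escalating rule set (T1 broad, T2 adds size, T3 adds filename)."""
    inner_ext: str
    size_kb: Optional[Tuple[int, int]] = None   # inclusive (min, max) in KB
    name_contains: Optional[str] = None

    def matches(self, a: Attachment) -> bool:
        if a.inner_ext.lower() != self.inner_ext:
            return False
        if self.size_kb and not (self.size_kb[0] <= a.size_kb <= self.size_kb[1]):
            return False
        if self.name_contains and self.name_contains not in a.filename.lower():
            return False
        return True

# Rule stages as on the slide; each refinement narrows the previous one.
T1 = OutbreakRule("exe")
T2 = OutbreakRule("exe", size_kb=(50, 55))
T3 = OutbreakRule("exe", size_kb=(50, 55), name_contains="price")

class OutbreakQuarantine:
    def __init__(self) -> None:
        self.held: Dict[str, Attachment] = {}   # message id -> attachment

    def triage(self, msg_id: str, a: Attachment, rule: OutbreakRule) -> str:
        """At arrival: hold anything the current rule matches, deliver everything else."""
        if rule.matches(a):
            self.held[msg_id] = a
            return "quarantine"
        return "deliver"

    def refine(self, rule: OutbreakRule) -> List[str]:
        """A narrower rule (T2, T3) arrived: release held messages it no longer covers."""
        released = [m for m, a in self.held.items() if not rule.matches(a)]
        for m in released:
            del self.held[m]
        return released

    def signature_update(self, is_infected: Callable[[Attachment], bool]) -> Tuple[List[str], List[str]]:
        """T4: AV signature in place, rescan held messages; delete infected, release clean."""
        deleted = [m for m, a in self.held.items() if is_infected(a)]
        released = [m for m in self.held if m not in deleted]
        self.held.clear()
        return deleted, released
```

The lead time the later slides quote is exactly the window between `triage` holding a message under T1 and `signature_update` finally being possible.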
-
Outbreak Predicate Results
Charts: virus volume over time (GMT), marking when VOF protection starts and when the first AV signature became available
- Mytob-HJ: 32 hrs 57 mins Lead Time!
- Kukudro-A: 3 hrs 38 mins Lead Time!
- FeebsDI-Q: 21 hrs 59 mins Lead Time!
- Bagle-GT: 18 hrs 28 mins Lead Time!
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
-
URL Spam Example: Traditional Content Filter
- Check URL blacklists
-
Web Predicates for URL spam
Predicates
- Web Server Blacklists & Whitelists
- Domain Blacklists & Safelists
- Website Composition Data
- Global Volume Data
- Domain Registrar Information
- Dynamic IP Addresses
- Name Server Data
EMAIL DATA
- Email Server Blacklists & Whitelists
- Spikes in URLs found in Emails
Reputation scale from Good Reputation (+10) to Poor Reputation (-10)
Good Reputation (+10):
- No Executable Code
- Registered to Fortune 500 Firm for 10 Years
- Not Linked to Sites with Poor Reputation
Poor Reputation (-10):
- On a Phishlist
- Traffic Spike
- Dynamic IP address
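The slide fixes only the ends of the scale (+10 good, -10 poor) and names the predicates. The example below, added here and not IronPort's scoring code, turns those predicates into functions over constructed evidence about a URL's host, including a volume-spike test for the "Spikes in URLs found in Emails" feed, and sums constructed weights into a clamped -10..+10 score with a three-way verdict.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class UrlEvidence:
    """What the gateway knows about a URL's host (constructed fields, not IronPort's schema)."""
    host: str
    rdns: str                    # reverse DNS name of the web server's IP
    on_phishlist: bool
    serves_executables: bool
    domain_age_days: int         # from registrar data
    links_to_poor_sites: bool
    daily_url_counts: List[int]  # how often the URL appeared in mail, oldest day first

def is_dynamic_ip(ev: UrlEvidence) -> bool:
    # rDNS naming heuristic; consumer ISPs commonly label dial-up/DSL pools like this.
    return any(tok in ev.rdns.lower() for tok in ("dyn", "dsl", "dial", "ppp", "cable"))

def traffic_spike(ev: UrlEvidence, factor: float = 10.0) -> bool:
    # Spike = today's volume at least `factor` times the baseline of the preceding days.
    if len(ev.daily_url_counts) < 2:
        return False
    *history, today = ev.daily_url_counts
    baseline = max(1.0, sum(history) / len(history))
    return today >= factor * baseline

# Predicate name -> (test, weight). Weights are constructed for this example.
PREDICATES: Dict[str, Tuple[Callable[[UrlEvidence], bool], int]] = {
    "on_phishlist":        (lambda ev: ev.on_phishlist, -10),
    "traffic_spike":       (traffic_spike, -4),
    "dynamic_ip":          (is_dynamic_ip, -4),
    "links_to_poor_sites": (lambda ev: ev.links_to_poor_sites, -3),
    "no_executable_code":  (lambda ev: not ev.serves_executables, 2),
    "registered_10_years": (lambda ev: ev.domain_age_days >= 3650, 5),
}

def reputation(ev: UrlEvidence) -> Tuple[int, List[str]]:
    """Sum the weights of the predicates that fire and clamp to the -10..+10 scale."""
    fired = [name for name, (test, _) in PREDICATES.items() if test(ev)]
    score = sum(PREDICATES[n][1] for n in fired)
    return max(-10, min(10, score)), fired

def verdict(score: int, block_at: int = -5, allow_at: int = 5) -> str:
    """Thresholds are constructed; anything in between stays UNKNOWN for further checks."""
    if score <= block_at:
        return "BLOCK"
    if score >= allow_at:
        return "ALLOW"
    return "UNKNOWN"
```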
-
Bounce DOS
Based on Bounce Address Tag Validation (proposed RFC)
Envelope MAIL-FROM address changes so [email protected] becomes [email protected]
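To make the MAIL FROM rewrite concrete, here is an added example (not IronPort's implementation) that signs the envelope sender with the prvs= tag layout of the BATV draft (key version, 3-digit expiry day, 6 hex characters of an HMAC) and then checks the RCPT TO of an inbound bounce, so misdirected bounces for mail we never sent can be rejected at the gateway. The secret, key version and validity window are constructed.

```python
import hmac
import hashlib
from datetime import date
from typing import Tuple

# Constructed per-domain secret and key version; a real gateway stores and rotates these.
BATV_SECRET = b"example-only-batv-secret"
KEY_VERSION = "0"
VALIDITY_DAYS = 7

def _mac(key_version: str, expiry: str, address: str) -> str:
    msg = f"{key_version}{expiry}{address}".encode()
    return hmac.new(BATV_SECRET, msg, hashlib.sha1).hexdigest()[:6]

def batv_sign(address: str, today: date) -> str:
    """Rewrite the envelope MAIL FROM as prvs=KDDDHHHHHH=address.

    K = key version, DDD = expiry day number mod 1000, HHHHHH = 6 hex chars of the HMAC.
    """
    expiry = f"{(today.toordinal() + VALIDITY_DAYS) % 1000:03d}"
    return f"prvs={KEY_VERSION}{expiry}{_mac(KEY_VERSION, expiry, address)}={address}"

def batv_verify(rcpt: str, today: date) -> Tuple[bool, str]:
    """Check the RCPT TO of an inbound bounce (null MAIL FROM). Returns (accept, reason)."""
    if not rcpt.startswith("prvs="):
        return False, "untagged: this bounce is not for mail we sent"
    tag, sep, address = rcpt[len("prvs="):].partition("=")
    if not sep or len(tag) != 10:
        return False, "malformed tag"
    key_version, expiry, mac = tag[0], tag[1:4], tag[4:]
    if key_version != KEY_VERSION:
        return False, "unknown key version"
    if not hmac.compare_digest(mac, _mac(key_version, expiry, address)):
        return False, "bad signature: tag forged or address altered"
    days_left = (int(expiry) - today.toordinal()) % 1000   # wraps past 1000 days
    if days_left > VALIDITY_DAYS:
        return False, "tag expired: replayed old bounce address"
    return True, f"genuine bounce for {address}"

def strip_tag(rcpt: str) -> str:
    """Recover the original address so an accepted bounce reaches the real sender."""
    return rcpt.partition("=")[2].partition("=")[2] if rcpt.startswith("prvs=") else rcpt
```

Legitimate bounces from any remote MTA still arrive, because they are addressed to whatever MAIL FROM we used, tag included.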
-
Bounce Address Tag Validation: Bounce DOS Protection
-
Rebuilding Trust in Email
-
Step 1: Email and Web internet gateways must share predicates to secure against evolving threats
Diagram: a firewall between the enterprise and millions of servers (cnn.com, aaa.ac ... zzz.zw), carrying HTTP and SMTP
-
Broad Set of Anti-Malware Predicates
- Phishing URLs & Domains
- Malware URLs & Domains
- Malware User Agents
- Malware CLSIDs
- Malware Binaries, Short checksums
Broad set of Anti-Spam Predicates
- Spam Traps
- Complaint Reports
- Message Composition
- White/Blacklists
- Volume
Diagram: a firewall between the enterprise and millions of servers (aaa.ac ... zzz.zw), carrying HTTP and SMTP
-
Step 2: Establish encrypted email applications
1. Secure Email: Secure Desktop Messaging
2. Secure Documents: Statements, Invoices, etc.
3. Message Centre: Integrated Customer Service Communication
Push: Envelope (Offline and Registered); S/MIME or OpenPGP (Certificate-based mail)
Pull: WebSafe (Webmail)
Secure Messaging Application Platform (HTTP, SMTP)
Without the need for client software for any mail platform
-
Steps 1 & 2 address Business needs and concerns
- Businesses rely on electronic communications for many of their business processes; however, there are concerns about security, especially BC and BB
- Legislation and regulations impose tighter regimes for information security and governance: Data Protection Act, ISO 17799, Sarbanes-Oxley
- Businesses can see efficiency savings and new business and revenue opportunities: Statements 60p (paper) vs. 5p (electronic); Customer service 2.60 (call centre) vs. 6p (email)
-
A New Class Of Email Emerges: Secure, Authenticated, Business Class Mail
Trusted Sender
+ DK Authentication
+ Encryption
+ Positive Reputation
Reliable, unrestricted service
Unknown Sender
- Unwilling to authenticate or encrypt
Service restrictions and filtering
-
Questions
Thank You
James Todd
Technical Manager, IronPort Systems