Evolving Email Threats and Counter Technology

Upload: jennieawalsh

Post on 14-Apr-2018


  • 7/30/2019 Evolving Email Threats and Counter Technology

    1/51

    Evolving email threats

    and counter technology

    James Todd, IronPort Systems


    2/51

    Agenda

    The State of SPAM

    New Spamming Techniques

    Predicative Security

    Rebuilding Trust in Email


    3/51

    Zombies Execute Email Attacks

    4/51

    Viruses are Becoming More and More Dangerous . . .

    70% of all spam comes from virus infected PC zombies

    75% of all viruses contain spam delivery engines

    200% increase in spyware delivered by email in the past 6 months

    65% increase in keystroke loggers in 2005

    200% increase in rootkits

    5/51

    What's changed

    Old Days

    Hacking for fame, fun or profit: Script Kiddies

    Hacktivists, Black Hats, VXers

    Today

    Hacking for profit: Disorganized crime

    Web mobs

    Organized crime

    "The dark side of the Internet involves not only fraud and theft, pervasive pornography, and pedophile rings, but also drug trafficking and criminal organizations that are more intent upon exploitation than the disruption that is the focus of the hacking community."

    Phil Williams, Professor of International Security Studies, University of Pittsburgh

    6/51

    The Email Bounce Problem (BDOS)

    Email's Other Billion Dollar Problem: Bounces are 9% of email

    Anti-Spam Scanners Are Not Effective

    Misdirected bounces look legitimate and do not trigger Anti-Spam scores

    Originate from good reputation senders

    7/51

    Bounce DOS

    20-fold increase in the number of mails accepted

    8/51

    New Trends

    Come a long way since Sobig A

    Viruses becoming very sophisticated & devastating

    Warezov: virus stub sent via email, viral payload downloaded via HTTP

    Rustock: goal is to be a spam proxy & send spam but evade detection & analysis

    Both reside in memory & use alternate data streams for evasion

    Viral message volume dropping: keeps end user paranoia low and effectiveness high

    Spam, phishing & spyware interwoven


    9/51

    The State of SPAM

    10/51

    Spam Increases to 60 Billion per Day

    [Chart: Average Daily Spam Volume, Oct-05 to Oct-06, billions of messages per day (0 to 60); +80%]

    11/51

    Total Volume by Data Size Jumps

    [Chart: Data volume of spam (TB), terabytes (10^12) of spam sent per day, Oct-05 to Oct-06 (0 to 900); +164%]

    Every day in October, spam data was equivalent to 35 US Libraries of Congress

    12/51

    Image Spam Explodes 5 to 25%

    [Chart: % Spam with an Embedded Image, image spam as % of all spam, Oct-05 to Oct-06 (0 to 30); +421%]

    13/51

    URL Attacks Mutate More Rapidly

    A Trend Called Domain Kiting Is on the Rise: brings the cost of registering a domain to *zero*

    Domains are now advertised in spam for < 4 hrs

    Makes URL Blacklists/whitelists ineffective

    * Source: IPWalk.com


    14/51

    New Spamming Techniques


    15/51

    Image Spam

    16/51

    Why?

    Jonathan Lebed made $850,000 from Pump & Dump

    Subj: THE MOST UNDERVALUED STOCK EVER
    Date: 2/03/00 3:43pm Pacific Standard Time
    From: LebedTG1

    FTEC is starting to break out! Next week, this thing will EXPLODE... Currently FTEC is trading for just $2 1/2! I am expecting to see FTEC at $20 VERY SOON.

    "Meyers Pollock Robbins" brokerage firm defrauded $176 million from investors using Pump & Dump

    CEO Michael Ploshnick served 3 years in prison

    17/51

    Image Spam Gets Sneakier

    1. Polka dots

    2. Slice & Dice


    18/51

    URL Spam

    19/51

    One Spam

    [Annotated message: hashbuster text from The Hobbit; advertisement; call-to-action URL advertising a pharmaceutical web site]

    20/51

    Six Spam

    [Annotated messages: call-to-action URL; hashbuster text]

    21/51

    The Spam Attack

    Spam Content

    1.5 billion messages over 2 weeks

    ~2000 unique content mutations, changed every 12 minutes

    1500 unique domains used, changed every 15 minutes

    Spam Source

    100,000 infected PCs (zombies) in 119 countries

    Command and Control (C&C) infrastructure

    Web sites, Web servers

    DNS servers

    Payment processing and customer service systems



    23/51

    $99


    24/51

    $80


    25/51

    Predicative Security

    26/51

    Predicative Security

    CASE

    MetaVerdict

    How? Where? Who? What?

    Predicate what is good; predicate what is bad

    27/51

    Image Spam Example: Traditional Content Filters

    WHAT? HOW? WHO? WHERE?

    No spam content found in message

    Doesn't match known signatures

    IP address not on any blacklists

    Verdict: UNKNOWN

    28/51

    Predicative Security for Image Spam

    WHAT? HOW? WHO? WHERE?

    All text inside an image

    Random dots appear within the message

    Nearly identical color scheme in 100,000s of spamtrap messages

    IP address recently started sending email

    Message originated from dial-up IP address

    Sending IP address located in Russia

    Message leaves trace of spamware tool

    http://urllink.call.to.action.ipaddressisinrussia.com

    Verdict: BLOCK


    29/51

    Spectrum of colour spread throughout the entire image

    30/51

    Limited spectrum of colours, drastic colour change, produces ECG-like pattern
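The two image features the slides contrast (a photograph spreads its colour spectrum across the whole image; rendered spam text uses a limited palette with abrupt changes that trace an ECG-like profile along a scan line) can be turned into crude measurable predicates. The following is an added example and not IronPort's detection code; it works on a tiny constructed greyscale bitmap (lists of 0 to 255 values) so that it runs offline, and the thresholds `max_palette` and `min_edge_ratio` are my own illustrative choices.

```python
# Added illustration (not from the IronPort deck): two crude image-spam features
# computed on constructed greyscale bitmaps (rows of 0..255 intensity values).

def palette_size(pixels):
    """Number of distinct intensity values in the image.
    Rendered text on a flat background has a very limited spectrum; a photograph does not."""
    return len({value for row in pixels for value in row})

def edge_ratio(pixels, threshold=64):
    """Fraction of horizontally adjacent pixel pairs whose intensity jumps by more than
    `threshold`. Scanning across glyph strokes gives the spiky, ECG-like profile the
    slide describes; a gradient or photo changes gradually and scores near zero."""
    pairs = 0
    sharp = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            pairs += 1
            if abs(left - right) > threshold:
                sharp += 1
    return sharp / pairs if pairs else 0.0

def looks_like_image_spam(pixels, max_palette=8, min_edge_ratio=0.15):
    """Both predicates must fire: few colours AND many drastic transitions.
    Thresholds are illustrative assumptions, not tuned values."""
    return palette_size(pixels) <= max_palette and edge_ratio(pixels) >= min_edge_ratio

# Constructed sample 1: a "text" bitmap, white background (255) with black (0) strokes.
TEXT_IMAGE = [
    [255, 255, 0, 255, 0, 255, 255, 0, 0, 255],
    [255, 0, 0, 255, 0, 0, 255, 0, 255, 255],
    [255, 255, 0, 255, 0, 255, 255, 0, 0, 255],
    [255, 0, 255, 255, 0, 255, 0, 255, 0, 255],
]

# Constructed sample 2: a "photo"-like bitmap, a smooth gradient with 40 distinct greys.
PHOTO_IMAGE = [[(r * 25 + c * 12) % 256 for c in range(10)] for r in range(4)]

if __name__ == "__main__":
    for name, img in (("text", TEXT_IMAGE), ("photo", PHOTO_IMAGE)):
        print(name, palette_size(img), round(edge_ratio(img), 3), looks_like_image_spam(img))
```

On the constructed input the text bitmap has a palette of 2 and an edge ratio of 26/36, while the gradient has 40 distinct values and no sharp edges; a real gateway would compute the same kind of features per message and feed them into the HOW/WHAT predicates of the next slides rather than deciding on one feature alone.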

    31/51

    Virus Outbreak Example: Traditional AV Signature Update

    [Four charts of virus volume against time (GMT), each marking when the first AV signature became available:]

    Kukudro-A: 6-27-06

    Bagle-GT: 4-21-06

    FeebsDI-Q: 6-07-06

    Mytob-HJ: 4-19-06

    Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.


    32/51

    Virus Outbreak Predicates


    33/51

    Outbreak Predicates

    34/51

    Predicates build context to take Action

    T1 = 0: zip (exe) files

    T2 = 5 mins: zip (exe) files, size 50 to 55 KB

    T3 = 15 mins: zip (exe) files, size 50 to 55 KB, "price" in the file name

    T4 = 8 hours: release messages if signature update is in place; messages scanned & deleted

    Fine-grained Rules, Multiple Parameters: Attachment Type, Attachment Size, URLs, Filenames & More
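The T1 to T4 timeline above is a rule that starts broad (any zip carrying an executable) and is tightened as the outbreak is characterised, then hands quarantined mail back to the signature scanner once a signature exists. The following is an added example of that escalation, not IronPort's outbreak-filter code; the attachment fields, the `decide` outcomes and the sample attachments are constructed assumptions, and the rule parameters are the ones on the slide.

```python
# Added illustration (not IronPort's code): an outbreak rule refined over time,
# following the T1..T4 stages on the slide.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Attachment:
    filename: str
    archive_contains_exe: bool   # assumed to come from listing the zip upstream
    size_kb: int

@dataclass(frozen=True)
class OutbreakRule:
    active_after_min: int                          # minutes after the outbreak was first seen
    size_range_kb: Optional[Tuple[int, int]] = None
    filename_pattern: Optional[str] = None         # case-insensitive regex on the file name

    def matches(self, att: Attachment) -> bool:
        # Every stage keeps the T1 predicate: a zip archive carrying an executable.
        if not (att.filename.lower().endswith(".zip") and att.archive_contains_exe):
            return False
        if self.size_range_kb is not None:
            low, high = self.size_range_kb
            if not low <= att.size_kb <= high:
                return False
        if self.filename_pattern is not None and not re.search(self.filename_pattern, att.filename, re.I):
            return False
        return True

# Rule set mirroring the slide: T1 at 0 min, T2 at 5 min, T3 at 15 min.
OUTBREAK_RULES = (
    OutbreakRule(active_after_min=0),
    OutbreakRule(active_after_min=5, size_range_kb=(50, 55)),
    OutbreakRule(active_after_min=15, size_range_kb=(50, 55), filename_pattern=r"price"),
)
RELEASE_AFTER_MIN = 8 * 60   # T4: release to the AV scanner if a signature is in place

def current_rule(minutes_since_first_seen: int) -> OutbreakRule:
    """The most recently activated, hence most specific, rule at this point in the outbreak."""
    active = [r for r in OUTBREAK_RULES if r.active_after_min <= minutes_since_first_seen]
    return max(active, key=lambda r: r.active_after_min)

def decide(att: Attachment, minutes_since_first_seen: int, signature_available: bool) -> str:
    """Return 'quarantine' (hold), 'rescan' (release to the AV scanner, which deletes
    infected messages) or 'deliver'."""
    if minutes_since_first_seen >= RELEASE_AFTER_MIN and signature_available:
        return "rescan"
    # Before T4, or after it with no signature yet, keep holding on the current predicate.
    return "quarantine" if current_rule(minutes_since_first_seen).matches(att) else "deliver"

# Constructed sample attachments.
PRICE_LIST = Attachment("Price_List.zip", archive_contains_exe=True, size_kb=52)
LARGE_ARCHIVE = Attachment("photos.zip", archive_contains_exe=True, size_kb=400)
REPORT_ZIP = Attachment("report.zip", archive_contains_exe=True, size_kb=53)
PDF = Attachment("report.pdf", archive_contains_exe=False, size_kb=53)

if __name__ == "__main__":
    for minutes in (0, 5, 20, 480):
        outcomes = [decide(a, minutes, signature_available=(minutes >= 480))
                    for a in (PRICE_LIST, LARGE_ARCHIVE, REPORT_ZIP, PDF)]
        print(f"t={minutes:>3} min: {outcomes}")
```

The point of the escalation is the false-positive trade-off: at T1 every zip-with-exe is held, including the unrelated 400 KB archive, while by T3 only attachments matching all three parameters stay in quarantine, and at T4 the hold is lifted in favour of the signature scanner.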

    35/51

    Outbreak Predicate Results

    [Four charts of virus volume against time (GMT), each marking where VOF protection starts and when the first AV signature became available:]

    Mytob-HJ: 32 hrs 57 mins Lead Time!

    Kukudro-A: 3 hrs 38 mins Lead Time!

    FeebsDI-Q: 21 hrs 59 mins Lead Time!

    Bagle-GT: 18 hrs 28 mins Lead Time!

    Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

    36/51

    URL Spam Example: Traditional Content Filter

    Check URL blacklists

    37/51

    Web Predicates for URL spam

    Predicates: Web Server Blacklists & Whitelists; Domain Blacklists & Safelists; Website Composition Data; Global Volume Data; Domain Registrar Information; Dynamic IP Addresses; Name Server Data

    Email data: Email Server Blacklists & Whitelists; Spikes in URLs found in Emails

    Good Reputation (+10): Registered to Fortune 500 Firm for 10 Years; No Executable Code; Not Linked to Sites with Poor Reputation

    Poor Reputation (-10): On a Phishlist; Traffic Spike; Dynamic IP address
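Slides 27 and 28 show the same image-spam message getting an UNKNOWN verdict from content-only predicates and a BLOCK once WHO and WHERE evidence is added; this slide shows URL reputation as a score between -10 and +10 built from the same kind of predicates. The following is an added example of such a weighted predicate engine, serving both passages; it is not IronPort's CASE code. The predicate names come from slides 28 and 37, but the weights, the evidence field names and the BLOCK/ALLOW thresholds are my own constructed assumptions.

```python
# Added illustration (not IronPort's CASE engine): weighted WHAT/HOW/WHO/WHERE
# predicates combined into a clamped -10..+10 score and a verdict.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Evidence = Dict[str, object]   # constructed field names, see the samples below

@dataclass(frozen=True)
class Predicate:
    name: str
    dimension: str                      # WHAT, HOW, WHO or WHERE
    weight: int                         # negative = spam-like, positive = trustworthy
    test: Callable[[Evidence], bool]

# Predicate names follow slides 28 and 37; the weights are illustrative assumptions.
PREDICATES: Tuple[Predicate, ...] = (
    Predicate("all text inside an image", "WHAT", -3,
              lambda e: e.get("text_in_image") is True),
    Predicate("random dots within the message", "HOW", -2,
              lambda e: e.get("random_dots") is True),
    Predicate("colour scheme matches 100,000s of spamtrap messages", "HOW", -3,
              lambda e: e.get("spamtrap_colour_match") is True),
    Predicate("sending IP only recently started sending email", "WHO", -2,
              lambda e: e.get("sender_age_days", 10**6) < 7),
    Predicate("originated from dial-up / dynamic IP", "WHERE", -2,
              lambda e: e.get("dynamic_ip") is True),
    Predicate("URL on a phishlist", "WHAT", -10,
              lambda e: e.get("on_phishlist") is True),
    Predicate("traffic spike in URLs found in email", "HOW", -3,
              lambda e: e.get("url_volume_spike") is True),
    Predicate("registered to Fortune 500 firm for 10 years", "WHO", 6,
              lambda e: e.get("fortune500") is True and e.get("registered_years", 0) >= 10),
    Predicate("no executable code on site", "WHAT", 2,
              lambda e: e.get("serves_executables") is False),
    Predicate("not linked to sites with poor reputation", "WHERE", 2,
              lambda e: e.get("links_to_bad_sites") is False),
)

def content_only(predicates=PREDICATES) -> Tuple[Predicate, ...]:
    """What a traditional content filter sees: the WHAT dimension alone (slide 27)."""
    return tuple(p for p in predicates if p.dimension == "WHAT")

def score(evidence: Evidence, predicates=PREDICATES) -> Tuple[int, List[str]]:
    """Sum the weights of every predicate that fires, clamped to -10..+10, plus the
    names of the predicates that fired so the verdict can be explained."""
    fired = [p for p in predicates if p.test(evidence)]
    raw = sum(p.weight for p in fired)
    return max(-10, min(10, raw)), [p.name for p in fired]

def verdict(evidence: Evidence, predicates=PREDICATES, block_at=-5, allow_at=5) -> str:
    total, _ = score(evidence, predicates)
    if total <= block_at:
        return "BLOCK"
    if total >= allow_at:
        return "ALLOW"
    return "UNKNOWN"

# Constructed evidence records.
IMAGE_SPAM = {"text_in_image": True, "random_dots": True, "spamtrap_colour_match": True,
              "sender_age_days": 1, "dynamic_ip": True}
GOOD_URL = {"fortune500": True, "registered_years": 12, "serves_executables": False,
            "links_to_bad_sites": False, "sender_age_days": 4000}
PHISH_URL = {"on_phishlist": True, "url_volume_spike": True, "dynamic_ip": True}

if __name__ == "__main__":
    print("image spam, content only:", verdict(IMAGE_SPAM, content_only()), score(IMAGE_SPAM, content_only()))
    print("image spam, all predicates:", verdict(IMAGE_SPAM), score(IMAGE_SPAM))
    print("good URL:", verdict(GOOD_URL), score(GOOD_URL))
    print("phish URL:", verdict(PHISH_URL), score(PHISH_URL))
```

Returning the fired predicate names alongside the score is the detail worth keeping: a verdict that can be explained ("dial-up IP, new sender, spamtrap colour match") is one an operator can tune, whereas a bare -10 is not.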

    38/51

    Bounce DOS

    Based on Bounce Address Tag Validation (BATV), a proposed RFC

    Envelope MAIL-FROM address changes so that [email protected] becomes [email protected]
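The slide's addresses are redacted, so the following is an added example of the tagging and validation step it describes, not IronPort's implementation. It follows the BATV draft's `prvs=KDDDSSSSSS=local@domain` layout as I understand it (K a key-version digit, DDD an expiry day number mod 1000, SSSSSS six hex characters of a keyed hash); the choice of HMAC-SHA256, the "days since 1970" day count, the 7-day lifetime and the demo key are my own assumptions. A bounce (null MAIL FROM) is then accepted only when its RCPT TO carries a tag this gateway issued, which is what makes misdirected bounces from good-reputation senders rejectable without any spam scoring.

```python
# Added illustration (not IronPort's code): BATV-style signing of the envelope
# MAIL FROM and validation of the RCPT TO on incoming bounces.
import datetime
import hashlib
import hmac

# Constructed demo key; a real gateway keeps this in its key store and rotates K.
SECRET_KEYS = {"0": b"constructed-demo-key-change-me"}
MAX_TAG_LIFETIME_DAYS = 30          # anything "further away" than this has wrapped, i.e. expired
EPOCH = datetime.date(1970, 1, 1)   # assumption: DDD counts days since this epoch, mod 1000

def _day_number(day: datetime.date) -> int:
    return (day - EPOCH).days

def _signature(key_id: str, expiry_ddd: int, local: str, domain: str) -> str:
    """First six hex chars of an HMAC over the expiry field and the original address."""
    msg = f"{expiry_ddd:03d}{local}@{domain}".encode()
    return hmac.new(SECRET_KEYS[key_id], msg, hashlib.sha256).hexdigest()[:6]

def batv_sign(address: str, today: datetime.date, key_id: str = "0", lifetime_days: int = 7) -> str:
    """Rewrite MAIL FROM local@domain into prvs=KDDDSSSSSS=local@domain."""
    local, domain = address.rsplit("@", 1)
    expiry_ddd = (_day_number(today) + lifetime_days) % 1000
    sig = _signature(key_id, expiry_ddd, local, domain)
    return f"prvs={key_id}{expiry_ddd:03d}{sig}={local}@{domain}"

def batv_verify(address: str, today: datetime.date):
    """Return the untagged address if the prvs tag is genuine and unexpired, else None."""
    if "@" not in address:
        return None
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return None
    tag, sep, original_local = local[len("prvs="):].partition("=")
    if not sep or len(tag) != 10 or not tag[:4].isdigit():
        return None
    key_id, expiry_ddd, sig = tag[0], int(tag[1:4]), tag[4:]
    if key_id not in SECRET_KEYS or any(c not in "0123456789abcdef" for c in sig):
        return None
    if not hmac.compare_digest(_signature(key_id, expiry_ddd, original_local, domain), sig):
        return None
    days_left = (expiry_ddd - _day_number(today)) % 1000
    if days_left > MAX_TAG_LIFETIME_DAYS:    # wrapped around the modulus: tag has expired
        return None
    return f"{original_local}@{domain}"

def accept_bounce(rcpt_to: str, today: datetime.date) -> bool:
    """Policy for a message with an empty MAIL FROM: accept only if RCPT TO validates."""
    return batv_verify(rcpt_to, today) is not None

# Constructed dates for the demonstration.
SIGN_DAY = datetime.date(2006, 10, 15)
FIVE_DAYS_LATER = SIGN_DAY + datetime.timedelta(days=5)
LONG_AFTER = SIGN_DAY + datetime.timedelta(days=47)

if __name__ == "__main__":
    tagged = batv_sign("alice@example.com", SIGN_DAY)
    print("outgoing MAIL FROM:", tagged)
    print("bounce to tagged address accepted:", accept_bounce(tagged, FIVE_DAYS_LATER))
    print("bounce to plain address accepted:", accept_bounce("alice@example.com", FIVE_DAYS_LATER))
    print("bounce after expiry accepted:", accept_bounce(tagged, LONG_AFTER))
```

Two details matter operationally: the expiry window bounds how long a harvested tagged address stays useful to a bounce-DoS attacker, and the key digit K allows rotation without invalidating tags still in flight.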

    39/51

    Bounce Address Tag Validation: Bounce DOS Protection


    40/51

    Rebuilding Trust in Email

    41/51

    Step 1: Email and Web internet gateways must share predicates to secure against evolving threats

    [Diagram: the firewall between the organisation and millions of servers (cnn.com, aaa.ac ... zzz.zw) over HTTP and SMTP]

    42/51

    Broad Set of Anti-Malware Predicates: Phishing URLs & Domains; Malware URLs & Domains; Malware User Agents; Malware CLSIDs; Malware Binaries, Short checksums

    Broad set of Anti-Spam Predicates: Spam Traps; Complaint Reports; Message Composition; White/Blacklists; Volume

    [Diagram: the firewall between the organisation and millions of servers (aaa.ac ... zzz.zw) over HTTP and SMTP]

    43/51

    Step 2: Establish encrypted email applications

    1. Secure Email: Secure Desktop Messaging

    2. Secure Documents: Statements, Invoices, etc.

    3. Message Centre: Integrated Customer Service Communication

    Push: Envelope (Offline and Registered); S/MIME or OpenPGP (Certificate based mail)

    Pull: WebSafe (Webmail)

    Secure Messaging Application Platform (HTTP, SMTP)

    Without the need for client software for any mail platform

    44/51

    Steps 1 & 2 address business needs and concerns

    Businesses rely on electronic communications for many of their business processes; however, there are concerns about security, especially BC and BB

    Legislation and regulations impose tighter regimes for information security and governance: Data Protection Act, ISO 17799, Sarbanes-Oxley

    Businesses can see efficiency savings and new business and revenue opportunities: Statements 60p (paper) vs. 5p (electronic); Customer service 2.60 (call centre) vs. 6p (email)


    50/51

    A New Class Of Email Emerges: Secure, Authenticated, Business Class Mail

    Trusted Sender (+ DK Authentication, + Encryption, + Positive Reputation): reliable, unrestricted service

    Unknown Sender (unwilling to authenticate or encrypt): service restrictions and filtering

    51/51

    Questions

    Thank You

    James Todd

    Technical Manager, IronPort Systems

    [email protected]