Trends help the wise prepare



Cybertrust Risk Index
Infosecurity Today, July/August 2006

Mark Zimmerman, Risk Intelligence, Cybertrust

Spotting, capturing and fixing an intriguing new exploit may be satisfying and useful, but if the distraction means you leave the door open to more common threats, you aren't doing your job.

The following graphs show which exploits were most prevalent in May 2006. IT managers should therefore guard against these more diligently, as well as note emerging trends and take the necessary precautions.

Probes that search for Server Message Block (SMB) ports (TCP 139 and 445), which usually indicate systems running the Windows operating system, remain top of the internet threat spectrum. Once an attacker finds a system with SMB characteristics, he or she will send in extra probes to try to take advantage of common Windows vulnerabilities. These include buffer overflows, remote procedure call (RPC) flaws, and Internet Explorer vulnerabilities.

SMB exploit traffic of this nature is four times more common than the next-most common malcode traffic, which involves MS-SQL probes and attacks. Most of this traffic is due to remnants of the Slammer worm. Slammer first hit businesses in January 2003 and continues to scan UDP port 1434 (the SQL Server Resolution Service) for systems with MS-SQL Server installed.

Some good news: as figure 1 indicates, SQL probe traffic has been declining steadily for several months. But because it is the second most prevalent exploit being seen, IT managers should still remain vigilant and update corporate anti-virus (AV) and firewall policies.
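As an added example, not taken from the article or from Cybertrust, the following Python script applies the port facts above to a firewall log: it maps denied connections to the SMB category (TCP 139 and 445) or the MS-SQL category (UDP 1434, TCP 1433) and flags any source that swept several hosts in one category. The log format, its lines and the min_hosts threshold are constructed assumptions for illustration, not real traffic or a real product's format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). Assumed one-line format:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2006-05-03T10:00:01 DENY TCP 198.51.100.7:3341 -> 203.0.113.10:445
2006-05-03T10:00:01 DENY TCP 198.51.100.7:3342 -> 203.0.113.11:445
2006-05-03T10:00:02 DENY TCP 198.51.100.7:3343 -> 203.0.113.12:139
2006-05-03T10:00:02 DENY TCP 198.51.100.7:3344 -> 203.0.113.13:445
2006-05-03T10:00:05 DENY UDP 192.0.2.44:1090 -> 203.0.113.10:1434
2006-05-03T10:00:05 DENY UDP 192.0.2.44:1090 -> 203.0.113.11:1434
2006-05-03T10:00:05 DENY UDP 192.0.2.44:1090 -> 203.0.113.12:1434
2006-05-03T10:00:09 DENY TCP 198.51.100.200:51000 -> 203.0.113.10:80
2006-05-03T10:00:10 DENY TCP 203.0.113.50:1200 -> 203.0.113.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination (protocol, port) -> threat category as described in the article.
CATEGORIES = {
    ("TCP", 139): "smb",     # NetBIOS session service
    ("TCP", 445): "smb",     # direct-hosted SMB
    ("UDP", 1434): "mssql",  # SQL Server Resolution Service, Slammer's target
    ("TCP", 1433): "mssql",  # SQL Server default listener
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(records):
    """Return {category: {src_ip: number of distinct destination hosts}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in records:
        category = CATEGORIES.get((rec["proto"], rec["dport"]))
        if category:
            seen[category][rec["src"]].add(rec["dst"])
    return {cat: {src: len(dsts) for src, dsts in per_src.items()}
            for cat, per_src in seen.items()}


def find_scanners(log_text, min_hosts=3):
    """Sources that probed at least min_hosts distinct hosts in one category.
    One denied SMB packet is background noise; a horizontal sweep is not.
    min_hosts is an assumed threshold to tune per network."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    summary = classify(records)
    return {cat: sorted(src for src, n in per_src.items() if n >= min_hosts)
            for cat, per_src in summary.items()}


if __name__ == "__main__":
    for cat, sources in find_scanners(SAMPLE_LOG).items():
        print(f"{cat}: {', '.join(sources) or '-'}")
```

Counting distinct destinations per source, rather than raw packets, is what separates a Slammer-style sweep from a single stray packet; the unclassified TCP/80 line shows that traffic outside the two categories is simply ignored rather than misfiled.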

Third is Unicode/evasive URL formatting. Traffic in this category includes attempts by an attacker to substitute purposely obfuscated data within a URL in an attempt to evade detection safeguards. For example, percent-encoding parts of a URL in hexadecimal (including the overlong UTF-8 forms that the IIS Unicode flaw accepted), or changing the directory structure within a valid URL with '..' segments, may allow access to parts of the web server not intended or allowed by the administrator.

Malcode traffic of this nature has continued to rise gradually throughout the first quarter of the year. IT managers should ensure all web server applications and interfaces are up to date, and review user interface validation rules and forms. Tools such as URLScan for IIS, which normalizes each request and rejects those containing forbidden sequences such as '..', and intrusion detection systems (IDS) are also useful in protecting web servers from these threats.

Fourth most common are attempts to perform SQL injection against an internet-accessible database server. Attackers hope that data verification procedures will nevertheless allow unverified or unsanitized user input through, so that part of that input is executed as SQL. Vulnerabilities of this type let the attacker read or alter data they were never granted, and so may open higher access levels than intended; in the worst case, for example where the database account can run operating-system commands through a stored procedure such as xp_cmdshell on SQL Server, the attacker may be able to take control of the entire server.

Figure 1: MS-SQL Probes and attacks down 23% from April

IT managers need to understand how malcode and exploit activity changes if they are to prioritize correctly their efforts to protect their employers' information assets.


Traffic of this nature rose gradually from just over 400,000 observed incidents in the last quarter of 2005 to more than 640,000 last month.

The miscreants know the information stored in databases is valuable. As hackers shift from hacking for pleasure to hacking for profit, database attacks have increased. In many instances these attacks originate not from the hacker's own location but are spawned using hijacked 'zombie' systems under the attacker's control.

A review and strengthening of database application and client interface validation rules will help to alleviate potential issues of this type.
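As an added example that is not part of the article, here is a Python illustration of the SQL injection described above and of the two defences the article recommends: a parameterized query and an allow-list validation rule at the client interface. It uses an in-memory SQLite database with constructed sample rows; the table layout, the 'login_vulnerable' and 'login_parameterised' function names and the username rule are assumptions for illustration, not any real application's code.

```python
import re
import sqlite3

# Assumed allow-list for usernames at the client interface (illustrative rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """In-memory users table with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user input becomes SQL."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Bound parameters: the driver passes values separately from the SQL text,
    so a quote or comment marker in the input is just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(value):
    """Allow-list validation rule for the client interface (assumed rule)."""
    return bool(USERNAME_RE.match(value))


if __name__ == "__main__":
    conn = make_db()
    # Comment-out injection: closes the quote, '--' discards the password test.
    print(login_vulnerable(conn, "alice' --", "wrong"))
    # Tautology injection: the WHERE clause is true for every row.
    print(login_vulnerable(conn, "x' OR '1'='1", "x' OR '1'='1"))
    # The same inputs against the parameterised query match nothing.
    print(login_parameterised(conn, "alice' --", "wrong"))
    # A genuine credential still works through the parameterised path.
    print(login_parameterised(conn, "alice", "s3cret"))
    print(is_valid_username("alice"), is_valid_username("alice' --"))
```

The allow-list is a second line of defence, not a substitute for bound parameters: it keeps obviously hostile input out of logs and error paths, but only the parameterised query guarantees the database never interprets user data as SQL.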

The fifth and final category of traffic discussed here is HTTP protocol attacks. Much like evasive URL formatting traffic, incidents of this type try to use weaknesses in web servers to access data or services not ordinarily allowed. For instance, an HTTP server might mistakenly translate HTTP URLs directly into file system calls, so that a request path containing '..' segments reaches files outside the document root, an unintended elevation of privileges. Traffic of this type has increased 16% within the last month.
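The evasive URL formatting and HTTP protocol attack categories above share one root cause: a server that maps a request path onto the file system before it has fully decoded that path. As an added example (not the article's code, nor any vendor's), this Python routine performs the canonicalization a server or IDS should finish before that mapping: repeated percent-decoding, folding of overlong UTF-8 sequences such as %c0%af, unification of backslashes, and then a check that the resolved path stays inside the document root. The document root and the request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

MAX_DECODE_PASSES = 3  # enough to unwind double or triple percent-encoding


def fold_overlong(raw: bytes) -> bytes:
    """Map overlong two-byte UTF-8 sequences (lead byte 0xC0/0xC1) to the ASCII
    byte they encode, e.g. %c0%af -> '/', %c1%9c -> '\\'. Strict decoders
    reject these; the IIS Unicode flaw accepted them after its path check."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(path: str) -> str:
    """Repeatedly percent-decode, fold overlong sequences and unify slashes
    until the path stops changing. Dot segments are left in place on purpose
    so the caller can resolve them against the document root."""
    cur = path
    for _ in range(MAX_DECODE_PASSES):
        decoded = fold_overlong(unquote_to_bytes(cur)).decode("utf-8", errors="replace")
        decoded = decoded.replace("\\", "/")
        if decoded == cur:
            break
        cur = decoded
    return cur if cur.startswith("/") else "/" + cur


def resolve(docroot: str, request_target: str):
    """Return (allowed, filesystem path) for a request-target such as
    '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir'. docroot is assumed
    to be a POSIX-style path for illustration."""
    canon = canonicalize(request_target.split("?", 1)[0])
    root = posixpath.normpath(docroot)
    target = posixpath.normpath(posixpath.join(root, canon.lstrip("/")))
    if "\x00" in canon:  # an embedded NUL would truncate the path in a C runtime
        return False, target
    inside = target == root or target.startswith(root.rstrip("/") + "/")
    return inside, target


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest evasive traversals.
    for req in ("/index.html",
                "/images/../index.html",
                "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
                "/%252e%252e/%252e%252e/etc/passwd",
                "/..%5c..%5cboot.ini"):
        allowed, target = resolve("/inetpub/wwwroot", req)
        print(f"{'ALLOW' if allowed else 'DENY '} {req:50} -> {target}")
```

The order matters: decode first, then resolve dot segments, then compare against the root. A server or filter that checks for '..' before decoding sees '..%c0%af..' as harmless, which is exactly the gap the Unicode and double-decoding evasions exploit; a filter that only decodes once misses the %252e form.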

These five incident categories account for more than 83% of malware traffic seen 'in the wild', or outside the confines of an organization's protection perimeter, in May 2006. While these are the key internet threats, IT managers in Europe need to be aware that there are other important trends to observe that require increased vigilance in future.

DNS-specific probes and attacks

Attacks on the Domain Name Service continue to register on detection systems. Genuine servers that supply this service on the internet are integral for translating host computer names and addresses. Into this category of attacks fall attempts to launch denial of service (DoS) attacks against genuine servers, and attempts to imitate or spoof genuine sites to redirect unsuspecting clients towards nefarious traps. While attack activity on this score was constant during February, March and April, there was a spike in May.

SMTP transport-originated probes/attacks

SMTP mail servers are valuable prizes for spammers who want to practice their dark art in a convenient but clandestine manner. In this category are attempts to gain access to client accounts, as well as denial-of-service attacks against the server itself.

Events of this type have been fairly static over the last few months, but there was a rise of over 100% in May.

Although there is no way of knowing for sure, it could have been due to a push by the miscreants to expand their spam production in reaction to blacklisting and system clean-up, which reduce the number of systems available for them to abuse.

Attacks aimed at Apache HTTPD

Microsoft IIS is no longer the only web hosting software fending off attacks. Third-party web server applications like Apache are not immune. Most incidents in this category are denial-of-service attacks that stop genuine users from accessing resources and services.

Incidents of this type peaked in January 2006 and fell off rapidly, but they appear to be on the rise again. This may be just another example of the agnosticism of the miscreants; they don't care what's running provided they can take it over. This is clear from the pattern that in some months the cycle turns for or against a particular server and operating system.

Summary

While Microsoft products are still the most popular targets for most exploits seen on the internet, there is more and more malware that targets infrastructure and application protocols.

We make the following simple recommendations:

• Remain vigilant and review corporate AV and firewall policies

• Ensure all web server applications and interfaces are up to date, and review and strengthen user interface validation rules and forms

• Look into the use of tools such as URLScan for IIS and IDS systems

• Review and strengthen database application and client interface validation rules.

Figure 2: Unicode/Evasive URL formatting issues rose 10%

Figure 3: SQL Injections incidents remain constant
