Purewire, Inc. www.purewire.com
The Evolving Threat Landscape
www.purewire.com
Agenda
• About
• Threat Landscape
  - Prelude, Overview
  - Impact on Traditional Defense in Depth
  - Recent Changes
• Purewire Web Security Service (PWSS)
• Q&A
About
• Purewire
  - User-focused web security Software-as-a-Service (SaaS)
  - Used by enterprises, SMB and service providers
• Paul Royal
  - Principal Researcher at Purewire
  - Identify emergent threats and design methods that enhance the PWSS
AWARDS & ACCOLADES
• Top 10 IT Security Companies to Watch
• Startup of the Week
• Cool Vendor in Security SaaS
• DEMOgod
• Top 10 “Most Innovative”
• Best Security Startup
Part 1 - Threat Landscape
Threat Landscape Prelude – Social Engineering
• May 2009 - Purewire customer reports that USAToday.com is intermittently blocked by the Purewire Web Security Service (PWSS)
  - What happened?
• USAToday.com ad network (idatrinity.com) compromised
• Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
• Users automatically directed to a Rogue AV website (antivirusquickscanv1.com) through a malicious traffic distribution system (liveavantbrowser2.cn)
  - Neither clicking nor hovering over the ad was required to activate the malicious code
Threat Landscape Prelude – Social Engineering Cont’d
• July 2009 - Twitter messages with links claiming to offer pictures and videos of Erin Andrews begin appearing
  - Links redirect to malicious websites (e.g., sunny-tube-world.com) serving malware disguised as an Erin Andrews video
  - Second-stage malware embedded as RC4-encrypted data in the comment fields of dynamically-generated GIF files
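The GIF-comment trick on this slide has a simple defensive counterpart: image files are rarely expected to carry long, high-entropy comment blocks, so a gateway or sandbox can walk the GIF block structure and flag them. The scanner below is an added example written for this page; it is not Purewire's code, and the two sample GIFs, the 64-byte minimum length, the 7.0 bits/byte entropy threshold and the 90% printable-ratio cutoff are constructed assumptions for the demonstration.

```python
"""Added example (not Purewire's code): flag GIF files whose Comment Extension
carries a long blob that looks encrypted (high entropy / mostly non-printable),
the slot the slide describes being used for RC4-encrypted second-stage data.
Thresholds and sample files below are constructed assumptions."""
import math
import random
import struct


def _read_subblocks(data: bytes, pos: int):
    """Read a GIF data sub-block chain at pos; return (payload, offset after the 0x00 terminator)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return b"".join(chunks), pos
        chunks.append(data[pos:pos + size])
        pos += size


def gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every Comment Extension (0x21 0xFE) payload."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = data[10]                      # Logical Screen Descriptor packed field
    pos = 13                               # header (6 bytes) + LSD (7 bytes)
    if packed & 0x80:                      # Global Color Table present: 3 * 2^(n+1) bytes
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:             # trailer: end of stream
            break
        if introducer == 0x21:             # extension: label byte, then sub-blocks
            label = data[pos]
            pos += 1
            payload, pos = _read_subblocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif introducer == 0x2C:           # image descriptor, optional local table, LZW data
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1                       # LZW minimum code size
            _, pos = _read_subblocks(data, pos)
        else:
            raise ValueError("unknown block introducer 0x%02x at offset %d" % (introducer, pos - 1))
    return comments


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); ciphertext sits near the top of the range."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_comments(data: bytes, min_len=64, entropy_threshold=7.0, printable_ratio=0.9):
    """Return (length, entropy, printable_fraction) for each comment that is long and
    either high-entropy or mostly non-printable; an empty list means nothing flagged."""
    hits = []
    for c in gif_comments(data):
        if len(c) < min_len:
            continue
        printable = sum(1 for b in c if 32 <= b < 127 or b in (9, 10, 13)) / len(c)
        ent = shannon_entropy(c)
        if ent >= entropy_threshold or printable < printable_ratio:
            hits.append((len(c), round(ent, 2), round(printable, 2)))
    return hits


# --- constructed sample files (assumptions for the demo, not real captures) --
def _to_subblocks(payload: bytes) -> bytes:
    out = b"".join(bytes([len(payload[i:i + 255])]) + payload[i:i + 255]
                   for i in range(0, len(payload), 255))
    return out + b"\x00"


def _minimal_gif(comment: bytes) -> bytes:
    """A valid 1x1 GIF89a with a 2-entry global color table and one comment block."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"
    comment_ext = b"\x21\xfe" + _to_subblocks(comment)
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01\x00"
    return header + gct + comment_ext + image + b"\x3b"


BENIGN_GIF = _minimal_gif(b"Created with a constructed test generator")
_rng = random.Random(0)  # deterministic stand-in for an encrypted blob
SUSPICIOUS_GIF = _minimal_gif(bytes(_rng.getrandbits(8) for _ in range(512)))

if __name__ == "__main__":
    print("benign:", suspicious_comments(BENIGN_GIF))
    print("suspicious:", suspicious_comments(SUSPICIOUS_GIF))
```

The parser walks every block type so that a comment placed after the image data, or behind a Graphic Control or Application extension, is still found; the entropy and printable-ratio tests are deliberately both applied because short ciphertext blobs can fall under a fixed entropy threshold while still being obviously non-text.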
Threat Landscape Prelude – Zero Day Attacks
• July 2009 - Executive receives email with PDF attachment
• Email’s subject, recipient’s ethnicity compels him to view attachment
• PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader’s Flash interpreter, compromises the system and phones home to a controller
  - Soon after, compromised, legitimate websites found hosting drive-by attacks that use the same flaw to exploit Flash Player
  - Vulnerability traced back to a bug reported to Adobe in December 2008
Threat Landscape Prelude – Zero Day Attacks Cont’d
• Zero Day Attacks for July 2009
  - July 6 – Microsoft Video (DirectShow) ActiveX Control
    • Discovered through in-the-wild exploits
  - July 13 – Microsoft Office Web Components (OWC) Control
    • Attacks appeared before the MS advisory
  - July 17 – Firefox 3.5 JIT JavaScript Compiler Component
    • Weaponized within hours of discovery
  - July 22 – Adobe Acrobat Reader, Flash Player AVM2
    • Aforementioned attacks via PDF files, compromised websites
Threat Landscape Prelude – Botnets
• Waledac
  - P2P-over-HTTP spamming botnet
  - Believed to have ties to the creators of Storm
• Propagates via social engineering
  - Uses geo-location, temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling
Threat Landscape Prelude – Botnets Cont’d
• Conficker
  - Worm/botnet hybrid
  - Propagates via software vulnerabilities, portable media, network shares with weak passwords
  - Can be used to place other malware on the compromised system
• Recent Activity
  - March 2009: Appearance of Conficker C
    • Introduced P2P file sharing mechanism
  - April 2009: Downloaded additional malware
    • Waledac, Spyware Protect 2009
Threat Landscape Prelude – Botnets Cont’d
• Platform
  - Predominantly Microsoft Windows
  - Emergent threats beginning to target Mac OS X (e.g., OSX.Iservice) and mobile devices (e.g., SymbOS/Yxes.A)
• Propagation
  - Social engineering
    • Standard (emails with ecards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken’s use of MSN Messenger)
  - Rapid, short-term exploitation of critical vulnerabilities
    • Conficker’s use of MS08-067 allowed it to grow to 500,000 hosts in a single week
Threat Landscape Overview
• Installation
  - Thread injection into a benign/trusted process
    • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
    • Internet Explorer is a common target
• Activities
  - Information theft, spam, clickfraud
  - RogueAV software sales
    • Affiliate programs offer commissions as high as 90%
    • Using botnets as installation medium can earn individuals $100,000/week
Threat Landscape Overview Continued
• Network-Level Protection
  - Firewall
    • Evaded by C&C protocol congruency
  - IPS/IDS
    • Evaded by custom encodings
• Host-Level Protection
  - User Access Control
    • Analogous to “informed consent”
  - AntiVirus
    • Uses complex, heuristics-based detection along with signature matching
Modern Threats and Traditional Defense-In-Depth
• What does current host-based AV buy you?
  - Protection from 20th century malware
• Project: ZeroPack
  - Proof-of-Concept obfuscation tool
    • Makes malware appear benign to AV tools
  - Developed for DefCon 16’s Race to Zero contest
ZeroPack
Traditional Defense-In-Depth: Host-based AV
• Server-side Polymorphism
  - Attacks the heart of the traditional host-based AV model by automating mutations
  - When done professionally: Waledac
Techniques for Threat Scalability
(Figure captions: samples collected on 12/30/2008 and on 2/25/2009)
Threat Landscape Changes
• Botnets
  - Getting smaller (harder to detect) with some exceptions (e.g., Conficker is 1M+)
  - Increasingly detect instrumentation/VMs to stymie attempts at automated analysis
• Automated SQL Injection
  - Used by Danmec/Asprox malware to build and maintain infrastructure
• Rootkits
  - Several large botnets (Kraken and Storm) abandoned their rootkit components
  - Less than 25% of malware requires administrator access to function (January 2009)
Part 2 – Purewire Web Security Service
Web Security is Evolving
Purewire Web Security Service: Compliance Enforcement and Threat Prevention for Web Traffic
Market Disruptive Solution: People, Places, Things
Purewire is the only vendor to address the complete Web security threat landscape:
• People – the person on the other side of the transaction
• Places – the Web destination
• Things – the objects that are downloaded
People: Purewire User Analyzer (User Reputation System)
(Figure: User Reputation System diagram; recovered labels follow)
• Analyses: Social Graph Analysis, Persistence Analysis, Social Activity Image Analysis, Monitor Web, Real-time Behavior Classification
• Multi-Identity Reputation Score
  - Enterprises, Honeypots, Web crawlers, Research scientists, Advanced algorithms
  - Millions detected per day
  - Reputation of Internet Identities is dynamically computed
• Dimensions: Commerce, Collaboration, Communication
• Identity: IP, Email, ID
Places: Going Beyond Manual Categorization
• Reaching the Long Tail:
  - Dynamic, real-time classification
  - Reputation scores calculated based on actual content
Things: Going Beyond Traditional AV Sigs & Object-based Anti-malware
(Figure: three layers of increasing visibility and depth of analysis)
• Layer 1 – Anti-Virus
  - Signature based
  - String scanning
• Layer 2 – Anti-Malware
  - Heuristics based
  - Command level
• Layer 3 – AJAX-Aware Analysis
  - Interaction based
  - AJAX apps
  - Script and session aware
Purewire Technology Family
Questions?