
The Evolving Threat Landscape - San Francisco Bay Area ...sfbay.issa.org/comm/presentations/2009/Sep/RoyalISSA0909.pdf · The Evolving Threat Landscape . ... • P2P-over-HTTP spamming


Page 1

The Evolving Threat Landscape

Purewire, Inc. www.purewire.com

Page 2

Agenda

• About
• Threat Landscape - Prelude, Overview
  - Impact on Traditional Defense in Depth
  - Recent Changes
• Purewire Web Security Service (PWSS)
• Q&A

Page 3

About

• Purewire - User-focused web security Software-as-a-Service (SaaS)
  - Used by enterprises, SMB and service providers
• Paul Royal - Principal Researcher at Purewire
  - Identify emergent threats and design methods that enhance the PWSS

AWARDS & ACCOLADES: Top 10 IT Security Companies to Watch; Startup of the Week; Cool Vendor in Security SaaS; DEMOgod; Top 10 “Most Innovative”; Best Security Startup

Page 4

Part 1 - Threat Landscape

Purewire, Inc. www.purewire.com

Page 5

Threat Landscape Prelude – Social Engineering

• May 2009 - Purewire customer reports that USAToday.com is intermittently blocked by the Purewire Web Security Service (PWSS) - What happened?
• USAToday.com ad network (idatrinity.com) compromised
• Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
• Automatically directed users to a Rogue AV website (antivirusquickscanv1.com) through a malicious traffic distribution system (liveavantbrowser2.cn)
  - Neither clicking nor hovering over the ad was required to activate the malicious code

Page 6

Threat Landscape Prelude – Social Engineering Cont’d

• July 2009 - Twitter messages with links claiming to offer pictures and videos of Erin Andrews begin appearing
  - Links redirect to malicious websites (e.g., sunny-tube-world.com) serving malware disguised as an Erin Andrews video
  - Second-stage malware embedded as RC4-encrypted data in the comment fields of dynamically-generated GIF files

Page 7

Threat Landscape Prelude – Zero Day Attacks

• July 2009 - Executive receives email with PDF attachment
  - Email’s subject and the recipient’s ethnicity compel him to view the attachment
  - PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader’s Flash interpreter, compromises the system and phones home to its controller
  - Soon after, compromised, legitimate websites found hosting drive-by attacks that use the same flaw to exploit Flash Player
  - Vulnerability traced back to a bug reported to Adobe in December 2008

Page 8

Threat Landscape Prelude – Zero Day Attacks Cont’d

• Zero Day Attacks for July 2009
  - July 6 – Microsoft Video (DirectShow) ActiveX Control
    • Discovered through in-the-wild exploits
  - July 13 – Microsoft Office Web Components (OWC) Control
    • Attacks appeared before the MS advisory
  - July 17 – Firefox 3.5 JIT JavaScript Compiler Component
    • Weaponized within hours of discovery
  - July 22 – Adobe Acrobat Reader, Flash Player AVM2
    • Aforementioned attacks via PDF files, compromised websites

Page 9

Threat Landscape Prelude – Botnets Cont’d

• Waledac
  - P2P-over-HTTP spamming botnet
  - Believed to have ties to the creators of Storm
• Propagates via social engineering
  - Uses geo-location and temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling

Page 10

Threat Landscape Prelude – Botnets Cont’d

• Conficker
  - Worm/botnet hybrid
  - Propagates via software vulnerabilities, portable media, and network shares with weak passwords
  - Can be used to place other malware on the compromised system
• Recent Activity
  - March 2009: Appearance of Conficker C
    • Introduced a P2P file sharing mechanism
  - April 2009: Downloaded additional malware
    • Waledac, Spyware Protect 2009

Page 11

Threat Landscape Overview

• Platform
  - Predominantly Microsoft Windows
  - Emergent threats beginning to target Mac OS X (e.g., OSX.Iservice) and mobile devices (e.g., SymbOS/Yxes.A)
• Propagation
  - Social engineering
    • Standard (emails with ecards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken’s use of MSN Messenger)
  - Rapid, short-term exploitation of critical vulnerabilities
    • Conficker’s use of MS08-067 allowed it to grow to 500,000 hosts in a single week

Page 12

Threat Landscape Overview Continued

• Installation
  - Thread injection into a benign/trusted process
    • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
    • Internet Explorer is a common target
• Activities
  - Information theft, spam, clickfraud
  - RogueAV software sales
    • Affiliate programs offer commissions as high as 90%
    • Using botnets as an installation medium can earn individuals $100,000/week

Page 13

Modern Threats and Traditional Defense-In-Depth

• Network-Level Protection
  - Firewall
    • Evaded by C&C protocol congruency
  - IPS/IDS
    • Evaded by custom encodings
• Host-Level Protection
  - User Access Control
    • Analogous to “informed consent”
  - AntiVirus
    • Uses complex, heuristics-based detection along with signature matching

Page 14

Traditional Defense-In-Depth: Host-based AV

• What does current host-based AV buy you?
  - Protection from 20th century malware
• Project: ZeroPack
  - Proof-of-Concept obfuscation tool
    • Makes malware appear benign to AV tools
  - Developed for DefCon 16’s Race to Zero contest

Figure: ZeroPack

Page 15

Techniques for Threat Scalability

• Server-side Polymorphism
  - Attacks the heart of the traditional host-based AV model by automating mutations
• When done professionally: Waledac

Figure captions: Collected on 12/30/2008; Collected on 2/25/2009

Page 16

Threat Landscape Changes

• Botnets
  - Getting smaller (harder to detect) with some exceptions (e.g., Conficker is 1M+)
  - Increasingly detect instrumentation/VMs to stymie attempts at automated analysis
• Automated SQL Injection
  - Used by Danmec/Asprox malware to build and maintain infrastructure
• Rootkits
  - Several large botnets (Kraken and Storm) abandoned their rootkit components
  - Less than 25% of malware requires administrator access to function (January 2009)

Page 17

Part 2 – Purewire Web Security Service

Purewire, Inc. www.purewire.com

Page 18

Web Security is Evolving

Page 19

Purewire Web Security Service: Compliance Enforcement and Threat Prevention for Web Traffic

Page 20

Market Disruptive Solution: People, Places, Things

Purewire is the only vendor to address the complete Web security threat landscape:

• People - The person on the other side of the transaction
• Places - The Web destination
• Things - The objects that are downloaded

Page 21

People: Purewire User Analyzer (User Reputation System)

Figure: Multi-Identity Reputation Score fed by Social Graph Analysis, Persistence Analysis and Social Activity Image Analysis; identity dimensions are Commerce, Collaboration and Communication; identity types are IP, Email and ID

• Monitor Web - Enterprises, Honeypots, Web crawlers
• Real-time Behavior Classification - Research scientists, Advanced algorithms
• Multi-Identity Reputation Score - Millions detected per day; Reputation of Internet Identities is dynamically computed

Page 22

Places: Going Beyond Manual Categorization

Reaching the Long Tail:
• Dynamic, real-time classification
• Reputation scores calculated based on actual content

Page 23

Things: Going Beyond Traditional AV Sigs & Object-based Anti-malware

Figure: three analysis layers, each increasing in visibility and depth of analysis
• Layer 1 - Anti-Virus: Signature based; String scanning
• Layer 2 - Anti-Malware: Heuristics based; Command level
• Layer 3 - AJAX-Aware Analysis: Interaction based; AJAX apps; Script and Session Aware

Page 24

Purewire Technology Family

Page 25

Questions?

Purewire, Inc. www.purewire.com