IBM X-Force 2010 Trend and Risk Report-March 2011


  1. IBM X-Force® 2010 Trend and Risk Report, March 2011
  2. Dedication

IBM Security Solutions, IBM X-Force® 2010 Trend and Risk Report

The IBM X-Force® 2010 Trend and Risk Report is dedicated in memory of our friend and colleague Bryan Williams who passed away during this effort. His knowledge and focus on the changing threat landscape of virtualization is documented in this report. Bryan was a highly valued member of the IBM X-Force team since the early days and his contribution to the team, security and IBM are too numerous to list. He will be greatly missed.
  3. Contributors

Producing the X-Force Trend and Risk Report is a dedication in collaboration across all of IBM. We would like to thank the following individuals for their rapt attention and dedication to the publication of this report.

Contributor           Title
Amrit Williams        Director, Emerging Security Technology
Bryan Williams        X-Force Research and Development, Protection Technologies
Carsten Hagemann      X-Force Software Engineer, Content Security
Colin Bell            Principal Consultant, AppScan OnDemand Services
David Merrill         STSM, IBM Chief Information Security Office, CISA
Dr. Jens Thamm        Database Management Content Security
Harold Moss           Emerging Tech & Cloud Computing Technical Architect
Jay Radcliffe         Senior Threat Analyst, MSS
Jeffrey Palatt        Manager, Emergency Response Services
John Kuhn             Senior Threat Analyst, MSS
Jon Larimer           X-Force Advanced Research, Malware
Leslie Horacek        X-Force Threat Response Manager
Lisa Washburn         Global Product Mgr, IBM Security Services—Threat/Cloud
Marc Noske            Database Administration, Content Security
Mark E. Wallis        Senior Information Developer for IBM Security Solutions
Matthew Ward          Senior Product Manager—Tivoli Security
Michelle Alvarez      Team Lead, MSS Intelligence Center (aka Eagle Eyes)
Mike Warfield         Senior Wizard, X-Force
Ory Segal             Security Products Architect, AppScan Product Manager
Patrick Vandenberg    Manager, Rational Security & Compliance Marketing
Ralf Iffert           Manager X-Force Content Security
Ryan McNulty          IBM Managed Security Services & SQL Querier Extraordinaire
Scott Moore           X-Force Software Developer and X-Force Database Team Lead
Shane Garrett         X-Force Advanced Research
Steven Bade           STSM Security Architect and Strategist
Tom Cross             Manager—X-Force Strategy and Threat Intelligence
Wangui McKelvey       X-Force Marketing Manager

About X-Force

The IBM X-Force® research and development teams study and monitor the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content. In addition to advising customers and the general public about emerging and critical threats, X-Force also delivers security content to help protect IBM customers from these threats.
  4. Contents, Section I

Dedication  2
Contributors  3
About X-Force  3
Navigating the report  6
Section I—Threats  7
  Executive overview  7
  2010 Highlights  8
    Threats  8
    Operating Secure Infrastructure  8
    Developing Secure Software  9
    Emerging Trends in Security  10
    IBM Security collaboration  10
  IBM Managed Security Services—A global threat landscape  11
    Trojan Bot networks  11
    SQL injection  13
    Obfuscation  15
    PDF exploitation  16
    Cross-site scripting  17
    Industry trends  18
  Top high-volume signatures—IBM MSS  21
    Targeting SMB Servers  22
    SQL injection—high volume  23
    PsExec  23
    Brute force attacks & scans  23
    JScript & UNIX  23
  Trending in the dark—what does malicious traffic look like?  24
    Spoofed Denial of Service attacks  24
    Targets of Denial of Service attacks  26
    Worms of yesteryear: Where are they now?  27
  Web content trends  31
    Analysis methodology  31
    Percentage of unwanted Internet content  32
    Malicious websites  37
  Spammers focus on content rather than volume  42
    Major content trends in spam for 2010  42
    Spam volume  45
    Conclusions about spam volume and content  45
    Spammers on holiday at the end of the year  46
    Regional spam volume per day of the week  47
    Common domains in URL spam  48
    Common top-level domains in URL spam  51
    Internationalized country code top-level domains: First occurrences in spam  51
    Spam—country of origin  52
    Spam—country of origin trends  54
    Spam URLs—country of origin trends  55
  Phishing  57
    Phishing volume  57
    Are phishers becoming skimmers?  58
    Phishing—country of origin  59
    Phishing—country of origin trends  60
    Phishing URLs—country of origin  61
    Phishing URLs—country of origin trends  62
    Phishing—most popular subject lines  63
    Phishing targets  64
  5. Contents, Sections II, III and IV

Section II—Operating Secure Infrastructure  68
  Advanced persistent threat (APT) and targeted attacks  68
    Background and definitions  68
    Response and research  68
    Conclusions and recommendations  70
  Stuxnet and SCADA  72
    Who is behind Stuxnet?  72
    Works cited  74
  Public vulnerability disclosures in 2010  74
    2010—A record setting year  75
    Public exploit disclosure  78
    Vendor supplied patches  79
    Toward more reliable public vulnerability reporting  80
    Shift from local to remotely exploitable vulnerabilities  81
    Web application vulnerabilities  82
    Web application platforms vs. plug-ins  84
    Client-side vulnerabilities and exploits  85
    Exploit effort versus potential reward matrix  88
    Key Recommendations  89
  Virtualization—risks and recommendations  90
    Virtualization system components  90
    Vulnerability distribution  92
    Attacks unique to virtualization systems  93
    Public exploits  94
    Summary of security concerns  94
    Operating Secure Virtual Infrastructure  94
  Endpoint security and systems management  96
    A well-managed device is a more secure device  96
  The State of Affairs in DNSSEC  98
    Introduction  98
    2010 The year in review  98
    Software deployment and components  98
    DNSSEC challenges and stumbling blocks  99
    What's ahead now  100
    Conclusion  100
Section III—Developing Secure Software  101
  Further analysis on web application trends  101
    Conclusions from real-world web application assessments  101
    Hybrid analysis sheds light on vulnerability blind spot  111
    Web application hack-ability and efficient defense  114
    Avoid the Net cast by automation  119
    Fix vulnerabilities efficiently  119
    The best defense against the elite  119
Section IV—Emerging Trends in Security  120
  Mobile security trends  120
    Effective controls to manage mobile devices  122
    Encryption  123
    Remote Access Service  124
    Future security vision  125
  The evolving state of security in the cloud  126
    Design elements for security in the cloud  128
  6. Navigating the report

Welcome. This year we have made some helpful improvements to the format and content of the Trend Report. These improvements are aimed at enabling readers to take the findings a step further. We understand that computer and network security is about focusing on awareness of the threat and helping to protect the systems and networks from these threats. But then what? As an organization matures in its stance on computer security and known threats, how can they begin to develop a deeper focus towards improvement?

We asked ourselves that question and determined the answer was to provide to our readers a deeper understanding of what we experience and have learned from the breadth of capabilities that is IBM Security Solutions.

For this report we have divided the content into four sections.
• Threats
• Operating Secure Infrastructure
• Developing Secure Software
• Emerging Trends in Security

We start by talking about the threats that our systems and networks are facing, because we have to begin by understanding the problem we are all working to solve. Once a threat is understood, we can work towards realistic technology controls and educational awareness to help secure our enterprise and systems. In both the Operating Secure Infrastructure and Developing Secure Software sections we not only discuss threats but provide logical advice on how to help improve or detect those threats in your environment. In the Emerging Trends in Security section, we take a forward look into emerging technologies that are pressing into discussions as future business concerns.

We believe this new layout better organizes the material we want to present and helps you the reader focus on what is most important to your organization.
  7. Section I—Threats: Executive overview

In this section we explore topics that comprise "Threats" and describe the attacks aimed at the enterprise that security specialists face. We address the malicious activity observed across the spectrum by IBM and how we go about helping protect networks from those threats. We also provide an update on the latest attack trends as identified by IBM.

Executive overview

The second decade of the twenty-first century is underway and technology continues to permeate every aspect of our work and personal lives. At IBM we call this the Smarter Planet and we are continuously helping our customers to take advantage of a world that's more interconnected, intelligent, and instrumented. As much as these innovations can increase our efficiency and ability to instantly connect on a global scale, so too can the risks and dangers of a connected world become more sophisticated and difficult to contain.

To prove the point, the confluence of this innovation recently showed its face in several authoritarian countries, where technology and political activism have united to empower people in sharing a voice and making change on a global scale. More generally, we have seen a rise in hacktivism across the globe, where attackers are no longer motivated simply by self-recognition or financial gain, but by political change and protest.

The second half of 2010 also marked a highly visible precedent in the industrial and manufacturing space. The multi-faceted and highly customized Stuxnet worm shook up the SCADA world by proving how security vulnerabilities can cripple a factory or production site. No longer is just e-commerce, personal, or corporate data at risk, but the very infrastructure that powers our factories and energy sector can be exposed for exploitation.

On a smaller scale, mobile devices continue to multiply in the workplace, helping increase the magnitude and complexity of risk in protecting the enterprise. In the emerging trends in security section, we look at several mobile vulnerabilities that may be an indicator of more to come. In the enterprise, and at home, web vulnerabilities targeting the browser continue to dominate the majority of weaknesses, demonstrating the importance of patch compliance and host protection. We discuss an interesting case study of how large complex organizations can benefit from centralized patch management.

In our advanced persistent threat article, we look at some of the most sophisticated adversaries our networks have ever faced. These types of low and slow coordinated attacks are often an indicator of highly cohesive and organized groups of attackers who use a variety of sophisticated attack techniques to inch their way into the enterprise.

Not only are attacks changing but so is the very technology that we utilize to carry this traffic. We take a quick look at how networks are scrambling to keep up with technology changes. At the mid-year point, we discussed a shift from IPv4 into IPv6 requirements and in this report, we discuss the oncoming advent of DNSSEC.

2010 was a pivotal year on many counts and has shown that understanding the trends of the security landscape is more critical than ever. IBM continues its dedicated effort to educate, inform, and discuss security topics and emerging trends with the community at large. Preparing organizations to not only understand the emerging threat landscape, but also to better understand the weaknesses of an organization's infrastructure.
  8. 2010 Highlights: Threats, Operating Secure Infrastructure

Threats

Malware and the Malicious web
• IBM Managed Security Services (MSS) saw an upward trend in Trojan botnet activity during 2010. This growth is significant because despite increasing coordinated efforts to shut down botnet activity (as seen with the Mariposa, Bredolab and Waledac botnets), this threat appears to be gaining momentum.
• IBM's data illustrates the dramatic impact of a successful effort in early 2010 to shut down the Waledac botnet, which resulted in an instantaneous drop off in observed command and control traffic.
• Zeus (also known as Zbot and Kneber) continues to evolve through intrinsic and plugin advances. The Zeus/Zbot family of botnets has been around for many years now and due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.
• SQL injection is one of the leading attack vectors because of its simplicity to execute and its scalability to compromise large numbers of web servers across the Internet. There also appears to be a seasonal pattern: during each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August.
• Obfuscation, whereby attackers attempt to hide their activities and disguise their programming, continued to increase over 2010 and shows no signs of waning.
• Compromise through PDF exploitation continues to be a favorite among attackers. In late April, a particular spam campaign contained an Adobe Acrobat PDF that used the Launch command to deliver malware. At the peak of the attacks, IBM Managed Security Services (MSS) received more than 85,000 alerts in a single day.
• The SQL Slammer worm first surfaced in January 2003 and became known as one of the most devastating Internet threats of the past decade. This worm continued to generate a great deal of traffic on the Internet in 2010.

Web content, spam, and phishing
• The IBM Content security team identified that in the past three years, anonymous proxies have steadily increased, more than quintupling in number. Anonymous proxies are a critical type of website to track, because they allow people to hide potentially malicious intent.
• USA, India, Brazil, Vietnam, and Russia are the top five countries for spam origination in 2010.
• In 2010, spammers focused on content over volume. At the beginning of August, spammers began sending spam threats with ZIP attachments that contained a single EXE file that was malicious. By September, spammers began shifting to HTML spam to once again trick the end-user.
• There were a few months with ups and downs in the volume of spam seen over the year; however, the overall trends stayed flat and we have seen even less volume at the end of the year in comparison to the beginning of 2010.
• At 15.5 percent, India was the top country for phishing email origination in 2010, followed by Russia at 10.4 percent.
• In 2010, financial institutions continue to climb as the number one target for phishing attempts, representing 50 percent of the targeted industries, up from the mid-year report when it was 49 percent.
• In 2010, more than three out of four financial phishing emails targeted banks located in North America. The remaining 22 percent targeted Europe.

Operating Secure Infrastructure

Vulnerabilities and Exploitation
• According to the X-Force database tracking, 2010 had the largest number of vulnerability disclosures in history—8,562. This is a 27 percent increase over 2009, and this increase has had a significant operational impact for anyone managing large IT infrastructures. More vulnerability disclosures can mean more time patching and remediating vulnerable systems.
  9. 2010 Highlights: Developing Secure Software

• 49 percent of the vulnerabilities disclosed in 2010 were web application vulnerabilities. The majority of these were cross-site scripting and SQL injection issues. However, as IBM X-Force has been saying for years, these vulnerabilities represent just the tip of the iceberg since many organizations develop third-party applications in-house that are never even reported publicly and are not included in this count.
• Although vendors have been diligent in providing patches, at least 44 percent of all vulnerabilities in 2010 still had no corresponding patch by the end of the year.
• In early 2010, the term Advanced Persistent Threat (APT) became part of the everyday information security lexicon as a result of certain public disclosures and acknowledgement of a targeted series of attacks known as Operation Aurora. There has been much debate over this term and the underlying concepts within the information security community.
• During certain public disclosures in early 2010, and after attacks associated with Operation Aurora, the term APT began to take on a different meaning. In essence, APT became associated with any targeted, sophisticated, or complex attack regardless of the attacker, motive, origin, or method of operation.

Virtualization
• IBM X-Force notes that virtualization systems added 373 new vulnerabilities to the network infrastructure in the period between 1999 and 2009.
• A number of public exploits exist that demonstrate the risk from virtualization system vulnerabilities is real.
• Hypervisor escape vulnerabilities are the most common type of vulnerability that has been disclosed in server class virtualization systems.

Developing Secure Software

Web Application Vulnerabilities
• From the IBM® Rational® AppScan® OnDemand Premium Service we observed web application vulnerabilities comprising 49 percent of the total vulnerabilities reported in 2010; it is no surprise that developing secure software is harder than ever.
• In 2010 for the first time we now find that Cross-Site Request Forgery (CSRF) is more likely to be found in our testing than Cross-Site Scripting (XSS). This change is attributed to better detection techniques for CSRF and also a greater awareness of the risk. We find that organizations will tolerate having some outstanding issues with CSRF if the risk of exploitation is minimized. This is not the case with XSS and these issues are often quickly resolved.
• ASP.NET applications were clearly more susceptible to SQL injection than Java or PHP. The likely reason is that applications would typically use SQL Server as a backend database. SQL injection is better documented and easier to detect in this technology.
• As Web 2.0, AJAX applications, and Rich Internet Applications (RIAs) become more common, client-side JavaScript vulnerabilities may become more relevant, with a potential rise in the amount of such issues being exploited by malicious attackers.
• A recent IBM research study discovered that about 14 percent of the Fortune 500 sites suffer from many severe client-side JavaScript issues, which could allow malicious attackers to perform attacks such as
  – Infecting users of these sites with malware and viruses.
  – Hijacking users' web sessions and performing actions on their behalf.
  – Performing phishing attacks on users of these sites.
  – Spoofing web contents.
• Based on the dataset that we analyzed, we may extrapolate that the likelihood that a random page on the Internet contains a client-side JavaScript vulnerability is approximately one in 55.
  10. 2010 Highlights: Emerging Trends in Security, IBM Security collaboration

Emerging Trends in Security

Mobile
• Mobile devices represent opportunities for sophisticated, targeted attackers. There are a number of vulnerabilities to target, and there is exploit information available.
• However, it is important to keep the vulnerability increases in perspective -- these do represent shared software components used by both mobile and desktop software. The vulnerability research that is driving these disclosures is not necessarily mobile-centric.
• Still, we aren't seeing widespread attack activity targeting mobile vulnerabilities today, because mobile devices do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who appear to create large Internet botnets.

Cloud security
• While security is still considered one of the major inhibitors to cloud adoption, organizations are increasingly adopting cloud-based technologies to address competitive market needs.
• Extending existing security policies and standards, leveraging sound physical security protections already in place, and assessing systems and applications for security weaknesses are examples of security design elements that should be included when establishing a secure cloud environment.

IBM Security collaboration

IBM Security represents several brands that provide a broad spectrum of security competency.
• IBM X-Force® research and development teams discover, analyze, monitor, and record a broad range of computer security threats and vulnerabilities.
• IBM Managed Security Services (MSS) is responsible for monitoring exploits related to endpoints, servers (including web servers), and general network infrastructure. MSS tracks exploits delivered over the web as well as other vectors such as email and instant messaging.
• Professional Security Services (PSS) delivers comprehensive, enterprise-wide security assessment, design, and deployment services to help build effective information security solutions.
• Our Content security team independently scours and categorizes the web through crawling, independent discoveries, and through the feeds provided by MSS. In addition, the team actively monitors millions of email addresses to receive mass amounts of spam and phishing emails. This work provides optimal spam protection accompanied by the latest trends in spam and phishing emails.
• IBM has collated real-world vulnerability data from security tests conducted over the past three years from the IBM® Rational® AppScan® OnDemand Premium Service. This service combines application security assessment results obtained from IBM Rational AppScan with manual security testing and verification.
• IBM Cloud Security Services allows clients to consume security software features through a hosted subscription model that helps reduce costs, improve service delivery, and improve security.
• Identity and access management solutions provide identity management, access management, and user compliance auditing. These solutions centralize and automate the management of users, authentication, access, audit policy, and the provisioning of user services.
• IBM Endpoint Management Solutions combine endpoint and security management into a single offering that enables customers to see and manage physical and virtual endpoints—servers, desktops, roaming laptops, and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks.
  11. IBM Managed Security Services—A global threat landscape: Trojan Bot networks

IBM Managed Security Services—A global threat landscape

IBM Managed Security Services (MSS) monitors several billion events in more than 130 countries, 24 hours a day, 365 days a year. The global presence of IBM MSS provides a first-hand view of current threats. IBM analysts use this wealth of data to deliver a unique understanding of the cyber threat landscape. This section focuses on Trojan botnet activity, SQL injection, obfuscation, PDF exploitation, and cross-site scripting activity—threats that are discussed throughout this report. The trend of these threats is vital to determining what direction the threat is taking and to understanding the significance of the threat to our networks.

Trojan Bot networks

IBM MSS saw an upward trend in Trojan botnet activity during 2010. This growth is significant because despite increasing coordinated efforts to shut down botnet activity (as seen with the Mariposa[1] and Bredolab[2] botnets), this threat appears to be gaining momentum. While there have been some successful shutdowns there are many botnets that, due to their resilient and sophisticated Command and Control (CnC) topology, remain largely unaffected by these takedown attempts. Another reason contributing to this growth is the availability of bot exploit toolkits such as WARBOT. This allows less than tech-savvy individuals to take advantage of the lucrative business of selling sensitive information on the black market.

Trojan Bot networks also continued to evolve in 2010. One of them, Zeus (also known as Zbot and Kneber), continues to evolve through intrinsic and plugin advances. The Zeus/Zbot family of botnets

[Figure 1: Trojan Botnet Activity. Line chart of daily event count (0 to 250,000) from 1/1/2010 to 12/22/2010, with Total and Trend Line series.]

[1] Massive Mariposa botnet shut down –
[2] Bredolab botnet shut down –
  12. IBM Managed Security Services—A global threat landscape: Trojan Bot networks (continued)

has been around for many years now and due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.

Various bot networks based on Zeus are responsible for millions of dollars in losses over the last few years. For example, Zeus was reportedly responsible for stealing more than $1 million from customers of a single UK-based financial institution in July.[3] The continual arms race between attackers and defenders has botnet controllers finding stealthier ways to keep their bots under the radar. Zeus' merger with SpyEye, a very similar Trojan, is still in its infant stages. How this plays out over time is to be determined, but consolidation amongst Trojan botnets is expected to be an emerging trend.

In April, we saw a spike in malicious PDF activity associated with Zeus.[4] Attackers abused the "Launch" feature in Adobe Acrobat to distribute the Zeus botnet malware via email. The signature PDF_Launch_Program detects the network transfer of a PDF file containing an embedded action to Launch an executable program. Adobe Reader asks for user confirmation before actually launching the application, but certain versions of Foxit Reader do not and merely start the application without user confirmation. In cases where organizations have moved away from Adobe's implementation, this is of particular concern with regard to this attack.

Zeus' encrypted command and control activity is hard to detect. However, one of the signatures analyzed to assess this threat focuses on a type of behavior that Zeus might exhibit. The signature HTTP_Suspicious_Unknown_Content detects when an HTTP POST message results in a session where the content sent and received is not recognized as typical content, such as images or documents. Activity associated with this signature seemed to grow in intensity towards the latter half of 2010. Such activity could be normal or could indicate botnet activity. While this is a generic signature, we do believe that this activity is associated with Zeus. The section titled "Zeus botnet—facts, myths and understanding how these botnets operate" in the 2010 Mid-Year Trend and Risk Report provides an in-depth explanation of Zeus and how readers can protect themselves from this threat.

There was also significant activity associated with the Waledac botnet at the start of the year up until early March and then the activity seemingly disappears for the rest of 2010. What could have caused this dramatic drop? We speculate that the cessation in activity is the result of "Operation b49".[5] This Microsoft-led operation resulted in the takedown of a majority of this botnet in late February. Once a temporary restraining order was granted on February 22nd, much of the communication between Waledac's command and control centers and its thousands of zombie computers was cut off in a matter of days. In October, the U.S. District Court of Eastern Virginia ordered the permanent transfer of ownership of the 276 domains behind Waledac to Microsoft.[6] Does this mean that Waledac will never surface again? We may see activity, but probably not to the same magnitude that we observed prior to the takedown.

Another prevalent botnet is Pushdo (also known as Pandex; some components are known as Cutwail). This botnet generated noticeable activity across the IBM MSS network in 2010 though to a lesser extent than Waledac and Zeus. Pushdo, primarily used for spamming, had been observed launching Distributed Denial of Service (DDoS) attacks against certain SSL-enabled websites beginning in the first quarter of 2010. The DDoS attack involved sending thousands of malformed SSL requests to the target hosts in an attempt to use up resources. To a business, this could directly impact revenue if services provided or product sales are interrupted during such an attack.

[3] Targeted Attack Nets 3,000 Online Banking Customers –
[4] PDF-based Zeus attacks –
[5] Cracking Down on Botnets –
[6] R.I.P. Waledac – Undoing the damage of a botnet
  13. IBM Managed Security Services—A global threat landscape: SQL injection

SQL injection

SQL injection is one of the leading attack vectors seen because of its simplicity to execute and its scalability to compromise large numbers of web servers across the Internet. A review of past X-Force Trend and Risk Reports reveals an interesting SQL injection trend. During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August. The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection. The surges that occurred during 2008 and 2009 are shown in Figure 2.

In 2008, attackers used a SQL CAST statement and some hex code to obfuscate the true injection string. The source of this attack was the Asprox botnet, and it was massively successful in compromising thousands of websites. In 2009, we observed the same attack methodology; the only difference was in the resulting payload. Asprox was again the source of this attack. However, it had varied success this time because of countermeasures that were deployed to thwart the attack.

[Figure 2: SQL Injection Attacks Monitored by IBM Managed Security Services. Two panels: May to June 2008 (event count 5,000 to 45,000) and September 2008 to June 2009 (event count 0 to 800,000).]
  14. IBM Managed Security Services—A global threat landscape: SQL injection (continued)

Figure 3 illustrates the significant SQL injection attack observed in 2010 as detected by the IBM signature SQL_Injection_Declare_Exec. The same attack methodology is used as in the previous two years, but some of the mechanics were changed. Attackers added leetspeak (1337) to the SQL statement to evade poorly written regex filtering. This statement, once decoded, contains another CAST statement resulting in two layers of obfuscation. While very similar to Asprox, this attack used slightly different techniques and therefore is known more popularly as the "dnf666" attack—so named because of a URL encoded inside.

[Figure 3: SQL_Injection_Declare_Exec Activity. Daily event count (0 to 8,000) from 7/14/2010 to 8/23/2010.]
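As an added example that is not part of the report or of IBM's signature logic, the following Python peels the CAST/hex layers described above and reports where a DECLARE ... EXEC(@var) shape appears, run over constructed web-server log lines; the mixed-case payload, the two-layer nesting and the client addresses are assumptions, not the actual dnf666 strings, and the decoder goes a step beyond the text by also handling UTF-16LE (NVARCHAR) hex literals.

```python
import re
import urllib.parse

# Matches CAST(0x<hex> AS [N]VARCHAR(n)) in any letter case, which is how the
# hex-encoded injection string is smuggled past naive keyword filters.
HEX_CAST = re.compile(
    r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\)", re.I)
# DECLARE @var ... EXEC(@var): the "declare, fill, execute" shape of these attacks.
DECLARE_EXEC = re.compile(r"declare\s+@\w+.*?exec\s*\(\s*@\w+\s*\)", re.I | re.S)
# Request line of a common-log-format entry; captures the path and query.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_hex_literal(hexdigits):
    """Decode a 0x... literal; NVARCHAR payloads are UTF-16LE, so detect that too."""
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", "replace")
    return raw.decode("latin-1")


def peel_layers(query, max_layers=5):
    """Return the URL-decoded query followed by each successive CAST/hex decoding."""
    text = urllib.parse.unquote_plus(query)
    layers = [text]
    for _ in range(max_layers):
        if not HEX_CAST.search(text):
            break
        text = HEX_CAST.sub(lambda m: decode_hex_literal(m.group(1)), text)
        layers.append(text)
    return layers


def analyze(query):
    """Classify one query string: layers peeled and where DECLARE/EXEC shows up."""
    layers = peel_layers(query)
    hits = [i for i, text in enumerate(layers) if DECLARE_EXEC.search(text)]
    return {"layers": len(layers) - 1, "declare_exec_layers": hits,
            "suspicious": bool(hits) or len(layers) > 1}


def scan_log(log_text):
    """Return (client, path, layers, declare_exec_layers) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not query:
            continue
        result = analyze(query)
        if result["suspicious"]:
            findings.append((line.split()[0], path,
                             result["layers"], result["declare_exec_layers"]))
    return findings


# --- Constructed sample data (assumptions, not the real dnf666 strings) ---
def _hex_literal(s):
    return "0x" + s.encode("latin-1").hex()

INNER = "select 'harmless placeholder for the innermost layer'"
MIDDLE = (f"DeClArE @t vArChAr(200);SeT @t=CaSt({_hex_literal(INNER)} "
          f"aS vArChAr(200));eXeC(@t)")
OUTER = (f"DeClArE @S vArChAr(4000);SeT @S=CaSt({_hex_literal(MIDDLE)} "
         f"aS vArChAr(4000));eXeC(@S);--")
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [14/Jul/2010:10:02:11 +0000] "GET /news.asp?id=42;'
    + urllib.parse.quote(OUTER, safe="") + ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jul/2010:10:02:12 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [14/Jul/2010:10:02:13 +0000] '
    '"GET /search.asp?q=cast+iron+skillet HTTP/1.1" 200 2048',
])

if __name__ == "__main__":
    for client, path, layers, where in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {layers} obfuscation layer(s), DECLARE/EXEC at layers {where}")
```

The benign "cast iron skillet" search shows why the hex literal, not the word CAST, is the thing to key on.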
  15. 15. Obfuscation
IBM MSS continues to track trends in obfuscation techniques used by attackers and toolkits. Obfuscation is a technique to hide or mask the code used to develop applications. New obfuscation methods are constantly evolving in an attempt to evade intrusion prevention systems (IPS) and anti-virus, which often can’t decode the web page or file to find the hidden attack. Through special detection algorithms incorporated into IBM Security Network IPS, we watch how patterns of use change by monitoring hits on these algorithms in our world-wide MSS deployments.
Obfuscation activity continued to increase during 2010 and shows no signs of waning. The most observed activity came from an event that triggers when a JavaScript ‘unescape()’ function with a large amount of escaped data is detected. This activity should be viewed with suspicion. It may be normal activity, or it could indicate the attempt to inject a large amount of shell code or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser vulnerability.
Figure 4: Obfuscation Activity (event count, 1/1/2010 to 12/18/2010)
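As an added example of the triage the paragraph above calls for (constructed here, not the IBM detection algorithm): a Python heuristic that finds unescape() calls, decodes their %XX and %uXXXX data, and reports the decoded size and printable ratio, since a large blob that decodes to mostly non-printable bytes is the case worth escalating rather than dismissing as normal. The 1024-byte cut-off and both sample scripts are assumptions.

```python
import re
import string

# Signature-style heuristic constructed for this example (not IBM's algorithm): find
# unescape() calls and measure how much escaped data each one carries.
UNESCAPE_CALL = re.compile(r"""unescape\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)
ESCAPE_SEQ = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
LARGE_THRESHOLD = 1024          # decoded bytes; a constructed cut-off, tune per environment
PRINTABLE = set(string.printable)


def decode_js_escape(literal: str) -> bytes:
    """Decode %XX and %uXXXX the way JavaScript's unescape() does; other text is kept."""
    out, pos = bytearray(), 0
    for m in ESCAPE_SEQ.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):              # %uXXXX: one 16-bit unit, little-endian as in a JS string
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += literal[pos:].encode("latin-1", "replace")
    return bytes(out)


def triage_unescape(script: str) -> list:
    """One record per unescape() call: decoded size, printable ratio, and whether it is large."""
    findings = []
    for m in UNESCAPE_CALL.finditer(script):
        data = decode_js_escape(m.group(2))
        printable = sum(chr(b) in PRINTABLE for b in data) / max(len(data), 1)
        findings.append({"decoded_bytes": len(data),
                         "printable_ratio": round(printable, 2),
                         "large": len(data) >= LARGE_THRESHOLD})
    return findings


# Constructed samples: an ordinary small use, and a large blob that decodes to non-printable filler.
BENIGN = 'document.write(unescape("%3Cb%3Ehello%3C%2Fb%3E"));'
SUSPICIOUS = 'var p = unescape("' + "%u0102%u0304" * 400 + '"); document.write(p);'
```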
  16. 16. PDF exploitation
Compromise through PDF exploitation continues to be a favorite among attackers. Throughout 2010, our global Security Operation Centers witnessed surges of malicious traffic surrounding spam email. One notable increase occurred in late April, as shown in Figure 5. The emails of this particular spam campaign contained an Adobe Acrobat PDF that used the Launch command to deliver malware. At the peak of the attacks, IBM MSS received more than 85,000 alerts in a single day. The spam email was sent from various SMTP servers globally, which appeared to originate from the Zeus botnet.
There has been a small but steady rise in PDF exploitation since the beginning of 2010. There are numerous signatures that contribute to this assessment. Some of these signatures detect an unauthorized access attempt. For example, one signature detects a file with embedded corrupt JBIG2 data that could cause a buffer overflow in vulnerable versions of Adobe Acrobat and Adobe Reader. (Note: This is fixed in Adobe Acrobat/Reader 8.1.3.) Other signatures may simply be looking for suspicious activity such as a PDF file containing a hex-encoded form of a filter name. This suggests malicious intent by concealing compressed content within the document.
Figure 5: PDF Activity (event count with trend line, 1/1/2010 to 12/28/2010)
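An added example (not part of the report or of any IBM product) of the "hex-encoded form of a filter name" check: PDF name objects may spell any character as #xx, so /Fl#61teDecode is a legal spelling of /FlateDecode that a naive string search misses. The Python scanner below resolves those escapes, reports names that used them, and also flags the /Launch action type the spam campaign above relied on; the PDF fragment is constructed.

```python
import re
from typing import Dict, List

# Standard PDF stream filter names (PDF 1.7, section 7.4). Hiding one behind #xx escapes
# is the "hex-encoded form of a filter name" the text refers to.
FILTERS = {"FlateDecode", "LZWDecode", "ASCIIHexDecode", "ASCII85Decode", "RunLengthDecode",
           "CCITTFaxDecode", "JBIG2Decode", "DCTDecode", "JPXDecode", "Crypt"}
# A name token runs from "/" until whitespace or a PDF delimiter character.
NAME_TOKEN = re.compile(rb"/([^\s/<>\[\]{}()%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes inside a PDF name, e.g. b'Fl#61teDecode' -> 'FlateDecode'."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_names(data: bytes) -> Dict[str, List[str]]:
    """Report escaped names, filter names hidden behind escapes, and Launch action types."""
    report = {"escaped_names": [], "hidden_filters": [], "launch_actions": []}
    for m in NAME_TOKEN.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if b"#" in raw:                       # the author chose to obscure this name
            report["escaped_names"].append(name)
            if name in FILTERS:
                report["hidden_filters"].append(name)
        if name == "Launch":                  # /S /Launch runs an external program on open
            report["launch_actions"].append(name)
    return report


# Constructed fragment of PDF syntax: the action type and the filter name are hex-escaped,
# so searching the bytes for "/Launch" or "/FlateDecode" finds nothing.
SAMPLE = (b"<< /Type /Action /S /L#61unch /F (example.txt) >>\n"
          b"<< /Length 5 /Fi#6cter /Fl#61teDecode >>\nstream\n")
```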
  17. 17. Cross-site scripting
While cross-site scripting vulnerabilities continue to be one of the predominant types of vulnerabilities affecting web applications, activity targeting these vulnerabilities seems to have leveled off in 2010, as shown in Figure 6. Cross-site scripting allows attackers to embed their own script into a page the user is visiting, thereby manipulating the behavior or appearance of the page. These page changes can be used to steal sensitive information, manipulate the web application in a malicious way, or embed additional content on the page that can exploit other vulnerabilities.
Though the trend is flat, it does not mean that this threat is non-existent. From a Common Vulnerability Scoring System (CVSS) scoring perspective, these vulnerabilities do not typically rank as high or critical threats. IT and security professionals tend to deploy countermeasures for the high-profile vulnerabilities first and, if resources allow, later address the low- to medium-rated issues. Attackers, therefore, will continue to take advantage of this window of opportunity in years to come.
Figure 6: Cross-Site Scripting Activity (event count with trend line, 1/1/2010 to 12/18/2010)
  18. 18. Industry trends
There is great interest in the general security community in knowing which industries are being targeted by what attack types. Our customer base is broad and reaches into a number of different industries. However, to identify a valid trend across a particular industry, we needed to establish a methodology with an acceptable sample size for analysis. For each attack category, we only assessed activity where a specific criterion was met in a given industry. A minimum number of affected customers and a minimum number of devices deployed amongst those customers was required prior to making an assessment.
Figure 7: Cross-Site Scripting – Industries with Downward Trend (Professional, Scientific and Technical Activities, with trend line, 1/1/2010 to 12/28/2010)
  19. 19. Industry trends (continued)
What did we see? Generally speaking, we did not see any significant discrepancies across different industries regarding the varying attack types compared to overall customer trends. Attack trends across all industries were relatively uniform.
What can be deduced from this? While some attacks are targeted, many exploits in circulation simply don’t discriminate. A financial organization may be just as vulnerable to the latest botnet or PDF exploitation as an educational institution. Whether or not an organization is vulnerable to attack has much more to do with the protection measures that they have in place.
Figure 8: Cross-Site Scripting – Industries with Downward Trend (Transportation and Storage, with trend line, 1/1/2010 to 12/28/2010)
  20. 20. Industry trends (continued)
The only exception to our findings of consistent trends among the industries was in the cross-site scripting category. As shown in Figure 6, the overall trend for cross-site scripting was relatively flat and several industries followed this trend. As shown in Figures 7 through 9, a few industries saw a slight downward trend in this attack category, including:
• “Professional and Scientific”
• “Wholesale and Retail Trade”
• “Transportation and Storage”
A decrease in cross-site scripting activity may indicate greater attention to addressing these types of vulnerabilities. As noted later in this report, the IBM Rational AppScan on Demand Premium service that tracks web application vulnerabilities has also seen a steady decline in the instances of reported cross-site scripting vulnerabilities since 2007. Part of this decline is attributed to a greater awareness of the risk associated with cross-site scripting.
Figure 9: Cross-Site Scripting – Industries with Downward Trend (Wholesale and Retail Trade, with trend line, 1/1/2010 to 12/28/2010)
  21. 21. Section I: Top high-volume signatures—IBM MSS
Table 1 shows the placement of the top MSS high volume signatures and their trend line for 2010.
The top high volume signatures seen across the MSS network reveal some interesting aspects of life on the Internet today and are a reflection of the longevity of certain threats. For example, the SQL Slammer worm[7] first surfaced in January 2003 and became known as one of the most devastating Internet threats of the past decade. Despite the downward trend in 2010, this worm still exists and continues to propagate, as evidenced by the top ranking signature, SQL_SSRP_Slammer_Worm, shown in Table 1. SQL Slammer targets a buffer overflow vulnerability in the Resolution Service in Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000 installations. This issue was patched by Microsoft in 2002. The fact that there is such a huge volume of activity associated with SQL Slammer seven years after it first surfaced probably suggests a need for better patch management.
Table 1: Top MSS high volume signatures and trend line
Rank  Event Name                Trend Line
1     SQL_SSRP_Slammer_Worm     Down
2     SQL_injection             Down
3     PsExec_Service_Accessed   Slightly Up
4     SSH_Brute_Force           Slightly Down
5     JScript_CollectGarbage    Up
6     HTTP_Unix_Passwords       Slightly Up
7     SMB_Mass_Login            Down
8     SMB_Empty_Password        No Change
9     SQL_Empty_Password        Up
[7] SQL Slammer traffic on the Internet significantly declined in March 2011, shortly before publication of this report. For more information on this topic, please see the Frequency-X blog. (
  22. 22. Targeting SMB Servers
Two of the top signatures protect against threats targeting server message block (SMB) servers. The SMB_Empty_Password signature detects when a successful connection with no password is made to an SMB server. If this connection is from outside the network, consider the information on your server as compromised. The SMB_Mass_Login signature detects an excessive number of granted NetBIOS sessions originating from the same IP address. This may indicate a stolen account being used in a scripted attack. The existence of these signatures in the list highlights a possible lack of basic security with SMB shares. If attackers are attempting to connect to SMB servers with no password, this signifies that this method of attack continues to be fruitful for attackers. Recent threats, such as the Conficker and Stuxnet malware, use SMB shares to spread across networks.
Figure 10a: 2010 Top 9 High Volume Signatures (event count by signature; the y-axis reaches 7E+09 because of SQL_SSRP_Slammer_Worm)
Figure 10b: 2010 Top 8 High Volume Signatures (the same signatures excluding SQL_SSRP_Slammer_Worm; y-axis up to 45,000,000)
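An added example (not the IBM signatures themselves) that applies the two rules just described in Python over constructed SMB session log lines: an empty-password session granted to a source outside the assumed internal ranges is reported separately from an internal one, and any source granted more sessions than a threshold is reported as a mass login. The log format, the internal address ranges and the threshold of 50 are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Assumed internal address space; anything else counts as "outside the network".
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MASS_LOGIN_THRESHOLD = 50   # constructed cut-off for "excessive" granted sessions per source

# Constructed log lines: "<source_ip> <smb_server> <user> <password_length> <result>"
LOG = [
    "198.51.100.9 fileserver01 guest 0 GRANTED",    # no password, source outside the network
    "10.1.2.3 fileserver01 backup 0 GRANTED",       # no password, source inside the network
    "10.1.2.4 fileserver01 alice 12 GRANTED",
    "203.0.113.7 fileserver02 alice 9 DENIED",
] + [f"203.0.113.7 fileserver02 user{i:03d} 8 GRANTED" for i in range(60)]


def parse(line: str) -> Tuple[str, str, str, int, str]:
    src, server, user, pw_len, result = line.split()
    return src, server, user, int(pw_len), result


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Apply both rules: empty-password sessions (split by origin) and mass logins per source."""
    report = {"empty_password_external": [], "empty_password_internal": [], "mass_login": []}
    granted = Counter()
    for src, server, user, pw_len, result in map(parse, lines):
        if result != "GRANTED":        # only successful sessions matter for either rule
            continue
        granted[src] += 1
        if pw_len == 0:
            key = "empty_password_internal" if is_internal(src) else "empty_password_external"
            report[key].append(f"{src} -> {server} as {user}")
    # One source granted an excessive number of sessions looks like a scripted attack
    report["mass_login"] = [ip for ip, n in granted.items() if n >= MASS_LOGIN_THRESHOLD]
    return report
```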