Scansafe Annual Global Threat Report 2009



FOREWORD

There’s an old saying that says “familiarity breeds contempt.” Perceived familiarity can have an equally detrimental effect - lulling us into a false sense of complacency and blinding us to today’s reality.

For many years there have been dire sounding warnings that cyberwar is looming somewhere on the horizon. Many have scoffed at those predictions; others have approached the topic with academic and even military interest. But what many have failed to realize is that cyberwar is already here and the battle is already being waged. At the frontlines are corporate assets: intellectual property, research, schematics, sensitive proprietary data, and confidential customer and employee information.

Modern malware is merely a tool – and only one of many – used by cybercriminals to carry out their attacks. To approach today’s security challenges as a malware problem is to completely miss the bigger picture – it is a criminally run sophisticated e-business network intent on gathering intellectual and corporate assets. It is not simply a malware problem per se; it is a large scale cyber-espionage assault and all countries are being adversely impacted.

In the 2009 ScanSafe Annual Global Threat Report, we intend to highlight some of the business practices that drive cybercrime, explore some of the human aspects that fuel many of these attacks, and present data that demonstrates the continued use of the Web as the attack vehicle.

“Our goal is to help dispel the misconceptions and subsequent complacency that arise due to perceived familiarity with malware as merely a system-disrupting scourge. To fully combat today’s threats, we must recognize its 21st century purpose – criminal data and asset-targeting designed to achieve global economic advantage.”
- Mary Landesman, Senior Security Researcher, ScanSafe STAT

PAGE 2
KEY HIGHLIGHTS

  • Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% of all exploits by 4Q09;
  • Flash exploits encountered via the Web dropped from 40% in 1Q09 to 18% in 4Q09;
  • Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year;
  • Malicious image files comprised 10% of all Web malware encountered in 2009;
  • The Gumblar attacks were the single largest at 14% of all Web malware blocks in 2009;
  • Compromises and malware encounters resulting from the Asprox and Zeus botnets comprised 2% and 1% of Web malware blocks, respectively;
  • 45% of all Web malware encounters in 2009 were with exploits and iframes indicative of compromised websites;
  • Energy & Oil experienced an encounter rate 356% higher than normal for data theft trojans;
  • Companies in the Pharmaceutical & Chemical sector experienced a 322% heightened rate of encounter with data theft trojans;
  • Other sectors experiencing higher than average exposure to data theft trojans included Government at 252% higher and the Banking & Finance sector at 204% higher;
  • Attacks continue to increase. A representative customer encountered 77 compromised websites in May 2007, compared to 1024 in May 2009. Direct encounters with data theft Trojans increased from 0 in May 2007 to 307 in May 2009.
CONTENTS

  Foreword 2
  Key Highlights 3
  Contents 4
  Why this Report 5
  Introduction 6
  The Business of Malware 8
    The Sole Proprietor
    The Middleman
    The Developer
    The Buyer
  Targeting the Attack 12
    Promiscuous Friending
  Exploiting the Wild Wild Web 14
    Adobe a Target
    The Office Space
    Malicious Image Files
  Building a Better Botnet 17
    Gumblar
    Asprox
    Zeus
  Malware Categories 20
    Outbreak Intelligence
  One Company’s Experience 22
  The Vertical Threat 23
  A Decade of Deception 24
  Executive Summary 26
  Glossary 27
  About ScanSafe 28
WHY THIS REPORT

The ScanSafe Global Threat Report is an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company’s corporate clients in over 80 countries across five continents. Our leading position of providing security in-the-cloud provides unparalleled insight into the real-world Web threats faced by today’s enterprise; this report represents the world’s largest security analysis of real-world Web traffic.

The ScanSafe Global Threat Report provides a view of the threats which businesses actually face, rather than those experienced in labs or other artificial environments. Our data is gathered from real-time analysis by our proprietary threat detection technology, Outbreak Intelligence™, of every single Web request processed by ScanSafe in 2009. This approach differs from traditional methods of gathering information on Web-based threats, such as those methods afforded by distributed ‘honeypot’ networks. The artificial and contrived nature of honeypots, Web crawling, or similar technologies can lead to a skewed vision of the Web threat landscape which does not reflect actual user experience. By using the analysis data generated by Outbreak Intelligence™ in the course of protecting our customers, ScanSafe can report on the threats that our users would have been exposed to had they not been using our security service.
INTRODUCTION

“… the stolen data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information.”
Sometime in mid-December 2009, search engine giant Google discovered a breach of their network which had subsequently led to the loss of sensitive intellectual property. The origin of the breach: an email containing a link that pointed to a hostile website. The resulting compromise enabled attackers to see inside Google’s network and, eventually, to target specific resources that enabled the theft of sensitive intellectual property.

During the course of their investigation, Google discovered more than 20 other high-profile companies had been similarly breached, including Adobe. Eventual statements from Google and Adobe described the attacks as highly targeted and highly sophisticated. Yet for anyone monitoring the state of cybercrime today, the methods employed were routine and the malware actions predictable. Indeed, components dropped in Hydraq.A, the malware described as used in those attacks, were components that have been found in other malware for the past two years – even contained in far more mundane scareware programs.

This is not to say the malware was easily detectable. But today, no malware is easily detectable. On average, even given four possible points of detection (the email, the website, the exploit and the dropper), the miss rate with traditional signature scanners is near 40%.

Pre-dating the Google/Adobe announced attacks were targeted attacks on energy and oil companies in late 2008 and early 2009. Those attacks went undisclosed until a January 2010 investigation by The Christian Science Monitor [1] revealed details. According to that report, the stolen data “included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information.”

Neither the report of those attacks nor the sensitivity of the data targeted was a surprise to ScanSafe. In November 2008 we published the ScanSafe Vertical Risk Assessment [2] which analyzed Web malware data to determine the risk posture of 21 industry verticals. Our analysis revealed that not only was Energy & Oil most at risk, but that particular vertical’s rate of exposure to new variants of data theft Trojans was four times the average for all verticals combined. The heightened risk of data theft Trojan encounters continued throughout 2009; Energy & Oil experienced an encounter rate 356% higher than the rate for all customers combined.

Unlike Google and Adobe, the energy companies alleged to have been breached did not confess to the compromise. Indeed, few victim companies choose to self report. Instead, the breaches that get acknowledged publicly are generally only those which involve theft of consumer or employee data – and only then because the laws require it. This selective disclosure fuels the misconception that cybercriminals are only intent on stealing data intended for credit card fraud and identity theft. In reality, cybercriminals are casting a much wider net.
THE BUSINESS OF MALWARE

To attempt to describe the business structure behind cybercrime is not unlike trying to describe the business structure behind any other global economy. It is, in fact, well beyond the scope and size of this report to attempt to do it justice (no pun intended). Instead, we will be forced to highlight only a few of the tactics used, in the hopes of helping readers understand the broadness of the methods employed. (For a more complete discussion, download the ScanSafe whitepaper, “Web 2.0wned: A History of Malware on the Web” [3].)

The Sole Proprietor

These more independent criminals broker in stolen credit cards, phished banking credentials, and similar consumer-focused data theft transfers. These crimes tend to be less sophisticated and thus have a lower barrier to entry. As the laws of economics would suggest, this often leads to supplies being larger than demand, driving prices of the stolen credentials downward. As with traditional legitimate online commerce, stolen credentials come from across the globe and the sellers have their own eBay-style ratings systems to verify their ‘trustworthiness’ to buyers.

Figure 1 (screenshot not reproduced)
The Middleman

Just as there are trucking companies that ship goods between a buyer and seller, there are cybercriminals that specialize in delivering exploit kits that join the attacker and victim. Consolidation even occurs as it often does among partners in any other business, as we see advertised in Figure 2. The cost for this exploit kit: a mere one hundred US dollars.

And as would any other software maker, the exploit kit writers fully describe what’s included in their offering, offer additional reasons to buy their product (Figure 3), and offer support services free of charge (Figure 4).

Figure 2, Figure 3, Figure 4, Figure 5 (screenshots not reproduced)
The Developer

Malware authors typically employ a reseller to peddle the malware on behalf of the author – presumably in exchange for commission. In Figure 6, we see member “jboyz” reselling the latest (at the time) private version of the Zeus banking Trojan for a minimum $6,000. Additional features are extra; total cost for the full blown package is triple the amount.

It’s worth noting that while Zeus is typically considered a banking Trojan, its capabilities enable it to steal whatever data the attacker wishes to target, as well as sniffing and retrieving FTP and POP3 credentials and capturing HTTP / HTTPS traffic.

Developers and their resellers may also take a more professional approach to selling. To entice their customers to move from free to fee versions of their software, the developers of the Turkojan keylogger family ask:

“Anti-virus and anti-spyware software label Turkojan Public Edition as potentially unwanted programs and sometimes they can remove them or prevent installing Turkojan server on remote computer. So it can cause unwanted results. Now we have a special offer for you, don’t you want to have an undetected copy of Turkojan Private Edition?”

Available for purchase from the authors’ website are three versions: bronze, gold, and silver – each subsequent upgrade offers successively extended periods during which the product is guaranteed to be undetectable by scanners or replaced free of charge.

The Buyer

The sole proprietor, middleman, and developer all have something to gain by publicly advertising their offerings. Conversely, there will be no such public displays from the buyer, particularly those criminals engaged in hardcore cyber-espionage such as the attacks leveraged against Google, Adobe, oil companies, and multiple other firms over the past year.

In “Hacking for Fun and Profit in China’s Underworld,” a Chinese cybercriminal identified only as “Majia” [4] admits that government and military agencies are among those who contract for the types of services he and other cybercriminals provide. But industrial espionage isn’t just a cross-border problem; competitors can also buy the services of cybercriminals to gain intel on product pricing strategies and proprietary development data.

In some cases, the buyer may contract directly with the malware developer. In January 2009, Heartland Payment Systems publicly announced a malware breach of their internal systems had resulted in large scale theft of credit card transactions processed on behalf of their merchant customers. It was later divulged that the malware used in those attacks was custom-created specifically for the Heartland heist.

In summary, there is no common denominator that defines the buyer – who they are and what data they are after is left only to their own imagination – and their ability to pay. But one thing is certain: today’s malware is highly customizable; once planted within the enterprise, this digital insider threat is able to operate silently and efficiently to siphon the most sensitive assets from that corporation.
Figure 6 (screenshot: Zeus private version resale offer), Figure 7 (screenshot: Turkojan replacement guarantee offer)
TARGETING THE ATTACK

Whether targeted to a specific individual or sent to a broad generic audience, social engineering attacks are designed to trick the user into taking some action that will prove harmful to themselves or others. The range of social engineering scams is broad: money laundering schemes disguised as help wanted ads, bogus notices from spoofed authorities such as the FBI or IRS, advance fee fraud schemes masquerading as death benefit notices, breaking news alerts that link to malicious websites – the list goes on.

The more targeted social engineering attacks can cause huge headaches for corporations. Instead of figuring out a way to break through the perimeter defenses, attackers are able to entice innocent inside employees to unwittingly grant them entry. A frequent target – highly placed executives with knowledge and access to the corporation’s most sensitive data assets.

The approach that allegedly tripped up oil execs and led to those networks being infiltrated was a simple email claiming to be a discussion of the “Economic Stabilization Act.” As with Google, Adobe, and so many other victim companies, that email contained a link to a booby-trapped website which foisted exploits onto any visitor that clicked through.

In May 2000, researchers for Interhack Corporation published advice on email-borne threats that is as true today as it was ten years ago. In summarizing “Why Anti-Virus Cannot Stop the Spread of Email Worms,” the researchers warned, “As long as there are users who can be fooled, malware will continue to plague us.” Their advice: either get rid of the users or help them to avoid getting fooled.

Despite that still timely advice, user education is typically never attempted and certainly almost never with the most highly positioned senior executives. Yet these executives are the biggest – and often easiest – targets. Thanks to press releases, social networking sites, silo-style sites that collate information on public personalities, and search engines, finding enough information to compose a reasonably personalized targeted attack email has never been easier.

Promiscuous Friending

Back in the day when MySpace was first introduced, many worried about who would protect the kids from online con artists and criminals. Maybe we should be asking ourselves who will protect the adults.

At the Vegas BlackHat conference in August ‘08, researchers Shawn Moyer and Nathan Hamiel presented “Satan is On My Friends List: Attacking Social Networks.” [5] Part of that demonstration focused on how trivially easy it was to spoof the profiles of well known people in the security industry. The point made was there’s no real way (save offline verification) to ensure that the person on the other end of the ‘wire’ is really the person you think they are. The problem gets exponentially worse when dealing with promiscuous frienders who will accept any friend request, even from persons they only vaguely know and often from complete strangers.

Social networking sites can be a useful tool for keeping abreast of events in friends’, family, or colleagues’ lives, whether personally or professionally. It can also be a useful tool for networking with associates met at business conferences or with whom you otherwise don’t have day-to-day contact. But to be used safely, any correspondence sent via the network should be treated as cautiously as any traditional email – that means, don’t divulge confidential information, don’t click links in any unsolicited message received unexpectedly and never agree to install anything resulting from a link received in an unsolicited message.

The social networking sites are designed to make it easy to network. This ease means it’s equally easy for scammers to set up shop. Don’t assume that because it happens on a social networking site, that it must be safe. Quite the opposite is true. Offline, trust your real life friends to have your back. But online, trust no one.
EXPLOITING THE WILD WILD WEB

The vast majority of modern malware encounters occur with exposure to compromised websites, which attackers outfit with hidden malicious iframes or external javascript source references. Typically, attackers use multiple layers of compromised or malicious websites in a single attack, thus the initially encountered (but unseen) iframe may silently cycle through two, three, or even more iframes and source reference hosts before the final exploits or malicious binary are delivered. This cross-domain attack and subsequent malware delivery is silent but deadly.

Adobe a Target

When malicious exploit code was encountered in 2009, vulnerabilities involving malformed PDF files (Adobe Reader / Adobe Acrobat) were the most frequently targeted, followed by vulnerabilities in Adobe Flash. Interestingly, as the rate of malicious PDF files increased in 2009, the rate of malicious Flash files decreased throughout the year.

As seen in figures 8 and 9, malicious PDF files comprised 56% of exploits in 1Q09, growing to 80% of all exploits by 4Q09. Conversely, Flash exploits dropped from 40% in 1Q09 to 18% in 4Q09. This trend is likely indicative of attackers’ preference for PDF exploits, probably due to a combination of increasing availability of vulnerabilities in Adobe Reader and Adobe Acrobat and the continued widespread use and acceptance of PDF files in both the workplace and consumer sectors.

CVE, maintained by the MITRE Corporation, retains a list of security vulnerabilities, assigning each a common identifier to facilitate information and data sharing. As of December 31, 2009, there were 288 total CVE records for vulnerabilities in Adobe products. Of those, 107 CVE numbers assigned to Adobe vulnerabilities were issued in 2009; only one was rated low, 25 were rated medium, and the remaining 81 were rated high. In 2008, there were only 58 vulnerabilities listed in CVE for vulnerabilities in Adobe products, 50 in 2007, 35 in 2006, 18 in 2005, with the remaining 20 CVE entries spread between 2004 to 1999.

The problem of recent surges in Adobe vulnerabilities has become of concern to many officials, prompting an unprecedented warning from Stephen Northcutt, president of the SANS Technology Institute. In the August 4, 2009 issue of SANS Newsbytes, Northcutt warned: “I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products where you can.”

Whether Adobe products can or should be avoided is a matter of debate. However, what does appear certain is that Adobe Reader and Adobe Acrobat are increasingly a favored exploit target for attackers. Accordingly, users should treat all PDF files with the same caution they would use with any other executable file type. Enhanced security of PDF can be obtained by disabling Adobe javascript in Reader and Acrobat and avoiding the use of browser plug-ins for those products.

Figure 8 - PDF / Flash Exploits (chart not reproduced)
Figure 9 - Adobe CVE Records (chart not reproduced)
The Office Space

It is well understood that attackers typically employ exploits that target the most ubiquitous products. Given that these are Web-delivered exploits and Adobe Reader is the most ubiquitous document reader used on the Web, it stands to reason that the rate of PDF exploits would be high. However, exploits for Microsoft Office file formats, which also enjoy widespread use, were comparatively (and significantly) more rare in 2009. Collectively, Web-encountered exploits in Word and Excel comprised less than 1% of all detected exploits for the year.

Malicious Image Files

Malformed images also factored extensively in Web-delivered attacks throughout 2009, although not due to an exploit by definition. These images take advantage of features in the operating system, browser, and the Web server. As a result, MIME types can be forged, PHP can be nestled in text comment fields of legitimate GIF or JPG images, and PHP interpreters can override even concerted blacklisting efforts. Figure 10 shows the proportion of malicious image files to all other Web-delivered malware for each quarter of 2009.

In many cases, malicious image files are hosted on legitimate websites presumed to have been compromised. In most of those cases, it appears the attackers have replaced actual site images with the maliciously modified copies of the images. The imposter images display normally but behind the scenes, depending on the browser, the iframe contained in the image attempts to launch malcode from the attacker-owned site. Note that these malicious images are not the sole means of compromise, but typically act as an adjunct to the overall compromise.

Figure 10 - Malicious Image Files (quarterly proportion of all Web malware, 1Q09 through 4Q09; chart not reproduced)
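A defender-side check that follows from this section, added here as an example and not taken from the report or from ScanSafe: it identifies an image by its magic bytes rather than by its declared MIME type, then looks inside JPEG comment/APP segments and GIF comment blocks for PHP tags or iframes that a genuine image would never carry. The sample byte strings, file names and the example.invalid URL are constructed for the demonstration.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Byte patterns that have no business inside an image: PHP open tags and HTML
# that only matters if the file is ever interpreted as script or markup.
SUSPICIOUS = re.compile(rb"<\?php|<\?=|<iframe\b|<script\b", re.IGNORECASE)

# Magic bytes used to establish the real format, whatever MIME type was declared.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the magic bytes, or None if not an image."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def jpeg_segments(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk JPEG marker segments up to SOS/EOI and return (marker, payload) pairs."""
    segments = []
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # structure is corrupt; stop rather than guess
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            break
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        if marker == 0xDA:  # SOS: entropy-coded pixel data follows, stop walking
            break
        pos += 2 + length
    return segments


def scan_image(data: bytes, declared_mime: Optional[str] = None) -> Dict[str, object]:
    """Report a declared/actual format mismatch and any embedded script or markup."""
    actual = sniff_mime(data)
    findings: List[str] = []
    if actual is None:
        findings.append("no image magic bytes")
    elif actual == "image/jpeg":
        # Localise hits to the segment carrying them (COM = 0xFE, APPn = 0xE0..0xEF).
        for marker, payload in jpeg_segments(data):
            hit = SUSPICIOUS.search(payload)
            if hit:
                findings.append(f"segment 0x{marker:02X}: {hit.group(0).decode('ascii', 'replace')}")
    if not findings:
        # Whole-file sweep: GIF comment blocks, PNG text chunks, or bytes appended after the trailer.
        for hit in SUSPICIOUS.finditer(data):
            findings.append(f"offset {hit.start()}: {hit.group(0).decode('ascii', 'replace')}")
    return {
        "actual_mime": actual,
        "mime_mismatch": declared_mime is not None and declared_mime != actual,
        "suspicious": bool(findings),
        "findings": findings,
    }


def make_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG skeleton: SOI, one COM segment, EOI (no pixel data)."""
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + b"\xff\xd9"


def make_gif(comment: bytes) -> bytes:
    """Constructed minimal GIF89a: 1x1 logical screen, one comment extension, trailer."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
    comment_ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    return header + comment_ext + b"\x3b"


# Constructed samples: one untouched image and two "imposter" images of the kind described above.
CLEAN_JPEG = make_jpeg(b"Created with a photo editor")
TAMPERED_JPEG = make_jpeg(b"<?php echo 'constructed sample'; ?>")
TAMPERED_GIF = make_gif(b'<iframe src="http://example.invalid/" width="0" height="0"></iframe>')

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("logo.jpg", TAMPERED_JPEG), ("banner.gif", TAMPERED_GIF)):
        print(name, scan_image(blob, declared_mime="image/jpeg"))
```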
BUILDING A BETTER BOTNET

The traditional definition of a botnet is a collection of compromised client computers under the control of a common attacker (or common group of attackers). A typical botnet may be used for nefarious commercial purposes such as distributing spam or scareware. Botnets can also be used for distributed denial of service (DDoS) attacks, which can sometimes be rendered against competing sites or services for illicit financial gain. In addition to other uses (left only to the imagination of the attackers), botnets can also play a role in the compromise of legitimate websites or be used as part of a fast flux network to mask the origin of a particular malware host.

In 2009, Gumblar changed the traditional view of botnets, as the Gumblar attackers began uploading PHP backdoors to compromised websites for continued command and control of those sites. This enables the attackers to interchangeably use the compromised sites as the actual malware host, or as part of a redirection chain for exploit delivery, or both. This not only hampers remediation efforts – effectively giving the Gumblar attackers thousands of possible malware hosts – but it also can thwart standard reputation-style filters and thus increase the likelihood of exposure to the malware.

In 2009, the three most prolific botnets from a Web malware standpoint were Gumblar (14%), Asprox (2%), and Zeus (1%). While both Conficker and Koobface received the lion’s share of attention from a media perspective, actual encounters resulting from these botnets were extremely low, collectively representing only 0.05% of Web malware in 2009.

Gumblar

Gumblar is a multi-stage series of compromises that delivers malware designed to intercept Web traffic, steal FTP credentials, manipulate search engine results, and install backdoors on compromised computers and websites.

The malicious script embedded during the original compromise was placed on collateral .js or .php files called when the page was loaded, rather than directly on the default home page itself. This technique enabled attacks to avoid casual observation, but still have their malicious scripts rendered when users visited the site.

The technique also proved effective at bypassing signature detection. During Gumblar’s initial peak from April 24th through May 15th, signature scanners were unable to detect the Gumblar compromise. ScanSafe Outbreak Intelligence successfully detected and blocked all phases of the Gumblar attack.

In subsequent phases, Gumblar attackers began uploading PHP backdoors to compromised websites, providing attackers with continued control of the sites even if the original FTP passwords were changed.

At 14% of the total Web malware blocks for the year, the Gumblar attacks were the most prevalent attacks in 2009, peaking at 35% of all blocks in November 2009.

Figure 11 - Gumblar (chart not reproduced)
Asprox

The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload a SQL injection attack tool, which then queries search engines to find susceptible sites and exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors’ computers. Other bots are used as hosts for the malware. Asprox commonly uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses in an attempt to mask the actual host.

In terms of botnet-related Web malware, websites compromised as a result of Asprox were second largest at 2% of all Web malware blocks, peaking at 11% in October 2009.

Zeus

The Zeus botnet was implicated in a $6 million commercial account heist on 20 European banks in the summer of 2008. In early 2009, the Zeus botnet began employing an exploit toolkit known as Luckysploit, which uses standard RSA public/private key cryptography to encrypt the communication session with the browser.

Zeus bots are known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session as well as clipboard data pasted into the browser. While these actions facilitate Zeus’ activities concerning data theft, it could also lead to compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking trojans and bots; their management systems may also be infected. Zeus bots and trojans are also rootkit-enabled, which can hinder discovery efforts.

Zeus was the third largest single botnet impacting Web surfers in 2009. Zeus-related malware and sites compromised by the Zeus botnet comprised 1% of all Web malware blocks for the year. Beginning in the first quarter of 2009, the Zeus botnet began employing the LuckySploit framework to render exploits on unsuspecting Web surfers’ computers.

Figure 12 - Asprox (chart not reproduced)
Figure 13 - Zeus (chart not reproduced)
MALWARE CATEGORIES

This report focuses solely on malicious software and excludes tracking cookies, Web bugs, non-malicious opt-in tracking or legitimate (but potentially unwanted) advertising supported software. Categories of malware in this report include the following:

  • Trojans
  • Exploits / iframes
  • Redirectors
  • Downloaders
  • Clickers
  • Scareware (rogue scanners)
  • Viruses
  • Worms (including autorun worms which connect via the Web upon infection)

In 2009, 45% of all blocked Web malware encounters were with exploits and iframes indicative of compromised websites. The second highest category were direct encounters with Trojans engaged in data theft (backdoors and password stealers), which comprised 19% of all ScanSafe Web malware blocks for the year. Interestingly, because scareware is intentionally designed to be a very noticeable infector, these rogue scanners tend to get the lion’s share of attention in media and consumer reports, yet were only 7% of all Web malware encounters for 2009.

Figure 14 - Web Malware Blocks by Category (bar chart not reproduced; categories charted: Exploit & Iframe, Backdoor & PWS, Trojan - General, Rogue Scanner, Downloader / Dropper, Virus & Worm, Redirector, Clickfraud Trojan)

Figure 15 - Top Ten Web Malware (pie chart not reproduced; Trojan-Iframe.JS.Gumblar at 14% is the largest slice; other families charted include PSW.Banker, OI-PSW.Keylogger.OF, Worm.AutoIt, Hoax.Win32.Krap.ah, OI-PSW.Win32.MultiBanker.SV, Backdoor.Win32.RaMag.a and PSW.Win32.Magania.bfrp, each between 1% and 3%)
Outbreak Intelligence

Today’s cybercriminals go to great lengths to ensure their malware goes undetected. As we previously demonstrated in Figure 7, malware creators may even offer service level agreements consisting of full replacement and money-back guarantees that the malware will not be picked up by traditional scanners.

In 2009, 27% of all Web-delivered malware blocked by ScanSafe Outbreak Intelligence was undetectable by signature scanners at the time of encounter. While 27% was the overall average for the year, during peak outbreak periods the rate of zero day malware blocks was much higher.

Outbreak Intelligence blocks on November 7th reached 97%. The second highest rate of zero day malware occurred on August 24, with 90% undetectable by traditional signatures. Figure 17 provides a day-by-day snapshot of zero day malware blocked by Outbreak Intelligence in 2009.

Figure 16 - Outbreak Intelligence vs. Signature Blocks (Outbreak Intelligence 27%, Signature 73%; chart not reproduced)
Figure 17 - Outbreak Intelligence Blocks Throughout 2009 (daily percentage, 1 January through 31 December 2009; chart not reproduced)
ONE COMPANY’S EXPERIENCE

To help contextualize the increased risks posed by Web-delivered malware, ScanSafe provides raw numbers from an actual 15,000 seat customer. We analyze that customer’s Web malware blocks in May of each of the target years (2007, 2008, 2009) to provide year-over-year comparisons for trending purposes.

As Figure 18 demonstrates, encounters with compromised websites have increased dramatically over the past three years. In May 2007, the customer encountered only 77 compromised websites, increasing to 481 compromised website encounters in 2008, and 1024 encounters in May 2009.

Direct encounters with data theft Trojans also increased year over year, from 0 direct encounters in May 2007 to 307 in May 2009.

A typical website compromise can impact tens of thousands of websites simultaneously. Multiple distinct (unrelated) attacks can also occur simultaneously. Throughout 2009, ScanSafe STAT recorded over a thousand unique attacks on average for each month of the year. In May 2007, our 15,000 seat focus customer encountered 11 unique separate attacks, compared to 197 unique attacks in May 2009.

Total encounters also increased year over year. The ScanSafe STAT focus customer experienced 205 total Web malware encounters in May 2007, 669 in May 2008, and 1719 total Web malware encounters in May 2009.

Figure 18 - Focus Company: Compromised Websites Encountered (May 2007, May 2008, May 2009; chart not reproduced)
Figure 19 - Focus Company: Data Theft Trojans Encountered (May 2007, May 2008, May 2009; chart not reproduced)
Figure 20 - Focus Company: Unique Attacks Encountered (May 2007, May 2008, May 2009; chart not reproduced)
Figure 21 - Focus Company: Total Encounters (May 2007, May 2008, May 2009; chart not reproduced)
THE VERTICAL THREAT

For two years in a row, ScanSafe STAT malware block data reflects a disturbing trend – companies in highly sensitive verticals experience a much higher than average rate of Web malware encounters.

In 2009, Energy & Oil experienced a 3.5 times higher rate of direct encounters with data theft Trojans compared to all other verticals for the report period. Companies in the Pharmaceutical and Chemical sector experienced a 3.2 times heightened rate of encounter with this most serious category of malware.

Both the Pharmaceutical & Chemical industry and the Energy & Oil sector also experienced higher rates of encounter to unique variants of password stealers and backdoors, at a rate 14 times and 11 times higher than average, respectively. The higher rate of encounters with unique variants is likely indicative of greater targeting of these segments, as attackers typically introduce new variants in an attempt to evade malware detection.

The Government sector had a 2.5 times higher than average rate of encounters with data theft Trojans delivered via the Web, but had a 25% lower than average rate of encounters with unique variants of this category of malware. The Banking & Finance sector experienced a data theft Trojan encounter rate that was 204% higher than average. Encounters with unique variants of data theft Trojans were 211% higher than the norm for all customers combined.

Increased rate of exposure to data theft Trojans (relative to the average across all verticals)

  Energy and Oil               356%
  Pharmaceutical & Chemical    322%
  Government                   252%
  Banking & Finance            204%
A DECADE OF DECEPTION

As one decade closes and another begins, it provides an opportunity to look both to the future and to the past. For as the saying goes, "Those who cannot remember the past are condemned to repeat it." [6]

Modern malware is commercially motivated - instead of writing malware for ego gratification, today's attackers are using malware to make money. Thus, in hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author.

In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the Web.

January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers, even harvesting the victims' own email contacts to add to the spammers' mailing lists.

The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, "Hey Netsky, f*ck off you b*tch, don't ruine our business, wanna start a war?"

Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month's tsunami in the Indian Ocean, scammers began targeting people's fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malware that turned victim computers into bots.

By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed "230 dead as storm batters Europe." Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the trojan family (and its associated botnet) its new name, Storm.

[6] George Santayana: Life of Reason, Reason in Common Sense, Scribner's, 1905
A DECADE OF DECEPTION (continued)

In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed Web attacks. The release of free or low cost SQL injection tools in the Fall of 2007, followed by remote discovery tools such as Goolag in 2008, further cemented cloud-based malware delivery via the Web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases.

The 2009 Gumblar attacks can be viewed as the culmination of a decade's evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never before seen botnet comprised of thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators, thus providing instant monetization, as well as long term potential profits via its ability to intercept, tamper with and steal Internet and network communications. Gumblar also includes the ultimate in social engineering – turning perfectly good, reputable websites against their visitors, and even against their very owners.
EXECUTIVE SUMMARY

If Loveletter was the harbinger of data theft to come in the last decade, Gumblar may well be the first harbinger of mass control of the Web in the new decade. As such, one can only conclude that the criminal harvesting of data via the Web will continue to be top priority for attackers in 2010 and beyond.

To counter threats on the Web, network architecture will likely undergo many changes in the coming decade. As a result, it can be expected that various forms of user authentication based on trust relationships will eventually emerge. As these efforts evolve, subsequent online personas will become increasingly attractive targets to would-be attackers. Identity theft programs will subsequently need to evolve beyond protection of one's credit report, to include protecting one's virtual identity from those who would spoof it for illicit gains.

It can also be expected that the Internet will increasingly become more device and service centric and less "desktop centric." As that development unfolds, this will introduce a less homogeneous environment for attackers, thus further propelling the (ab)use of the Web for criminal gain.

The digital divide will also likely continue to grow, and the resulting tensions will likely fuel further cyber-attacks, including even more increases in attacks designed for theft of intellectual property and attacks designed to disrupt access.

To confront the challenges of the coming years, we must reposition our thinking to match the new reality. We must forgo our perceived familiarities and see the issues that are already at hand – the criminal business of data harvesting and the siphoning off of intellectual property. Our defences must extend beyond the confines of brick and mortar and into the cloud to ensure end-to-end protection of our most sensitive assets and people, regardless of operating system, device, or geo-locale.
GLOSSARY

Backdoor: Malware that provides surreptitious and unwanted access to a remote computer or device.

Compromised Site: A site which has been the victim of exploitation of vulnerabilities, resulting in the distribution of malware.

Heuristic: An algorithm, which may be signature or behavior-based, designed to detect a characteristic or specific set of criteria consistent with previously observed malware.

Malicious Site: Website distributing malware, whether intentionally or through compromise.

Malware: Software distributed for malicious intent.

OI: ScanSafe Outbreak Intelligence™; a collection of technologies designed to detect both known and unknown malware threats.

Password Stealer: Malware that monitors keystrokes, captures screenshots, or steals data, sending the captured details to attackers.

Signature: An algorithm used by signature-based scanners to detect a specific threat or specific family of threats.

Trojan: A non-replicating program which has intentionally malicious behavior.

Virus: Malware that infects other files or programs.

Worm: Malware that spontaneously copies itself to other folders, drives, shares, or accessible sites.

Zero-Day: A vulnerability or malware for which no patch, signature, or intelligence is available prior to initial detection.
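The Signature, Heuristic and Zero-Day entries above, the Outbreak Intelligence versus signature figures on the Malware Categories page, and the Vertical Threat page's observation that attackers introduce new variants to evade detection all describe one mechanism: an exact signature misses any byte-level change to a sample, while a characteristic-based heuristic that also looks beneath an obfuscation layer still fires. The following Python is an added illustration of that mechanism, not ScanSafe's code or the actual Outbreak Intelligence technology. The rule patterns, weights, threshold and every sample page are constructed for the demonstration, and a set of hashes stands in for a signature database.

```python
"""Toy illustration of signature-based versus heuristic detection and of how
the zero-day share of blocks is derived.

Hypothetical example code, not ScanSafe's Outbreak Intelligence or any real
scanner. All sample content below is constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import unquote_to_bytes

# A constructed hidden iframe, percent-encoded the way obfuscated injections
# often hide their payload from naive pattern matching. The host is a
# placeholder; .invalid is reserved and never resolves.
HIDDEN_IFRAME = b'<iframe src="http://example.invalid/x" width=0 height=0></iframe>'
ENCODED = "".join("%%%02X" % b for b in HIDDEN_IFRAME).encode("ascii")

# Constructed samples: the injection as first seen, a re-obfuscated variant of
# it (renamed variable, different whitespace) and a benign page.
KNOWN_SAMPLE = b"<script>var a='" + ENCODED + b"';document.write(unescape(a));</script>"
VARIANT_SAMPLE = b"<script>var q='" + ENCODED + b"';document.write( unescape( q ) );</script>"
BENIGN_SAMPLE = (b"<html><body><h1>Quarterly results</h1>"
                 b"<script>document.write(new Date().getFullYear());</script></body></html>")

# Signature database (constructed): the scanner has only seen KNOWN_SAMPLE.
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Heuristic rules (constructed): (pattern, weight, description). A page is
# blocked when the summed weight of matching rules reaches THRESHOLD.
RULES = [
    (re.compile(rb"eval\s*\(\s*unescape\s*\("), 2, "eval over unescape"),
    (re.compile(rb"document\.write\s*\(\s*unescape\s*\("), 2, "document.write of unescaped string"),
    (re.compile(rb"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b"), 2, "zero-sized iframe"),
    (re.compile(rb"(?:%[0-9a-fA-F]{2}){20,}"), 1, "long percent-encoded run"),
]
THRESHOLD = 3


def signature_scan(content: bytes) -> bool:
    """Exact-match detection: true only for a byte-identical known sample."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES


def decode_layers(content: bytes) -> bytes:
    """Append the decoded form of every percent-encoded run, so the rules can
    inspect what the browser would see once unescape() has run."""
    runs = re.findall(rb"(?:%[0-9a-fA-F]{2})+", content)
    return b"\n".join([content, *(unquote_to_bytes(run) for run in runs)])


def heuristic_scan(content: bytes) -> tuple[bool, list[str]]:
    """Characteristic-based detection over the raw and the decoded content."""
    text = decode_layers(content)
    hits = [(weight, name) for pattern, weight, name in RULES if pattern.search(text)]
    score = sum(weight for weight, _ in hits)
    return score >= THRESHOLD, [name for _, name in hits]


def classify(content: bytes) -> str:
    """'signature' if a known hash matches, 'heuristic-only' if only the
    heuristics fire (a zero-day relative to the signature set), else 'clean'."""
    if signature_scan(content):
        return "signature"
    if heuristic_scan(content)[0]:
        return "heuristic-only"
    return "clean"


def zero_day_share(samples: list[bytes]) -> float:
    """Fraction of blocked samples that signatures alone would have missed,
    the quantity the report gives as 27% of all blocks for 2009."""
    verdicts = [v for v in map(classify, samples) if v != "clean"]
    if not verdicts:
        return 0.0
    return sum(v == "heuristic-only" for v in verdicts) / len(verdicts)


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        blocked, hits = heuristic_scan(sample)
        print(f"{label:8s} -> {classify(sample):15s} heuristic hits: {hits}")
    print(f"zero-day share: {zero_day_share([KNOWN_SAMPLE, VARIANT_SAMPLE, BENIGN_SAMPLE]):.0%}")
```

The variant's only differences from the known sample are a renamed variable and extra whitespace, which is enough to change its hash and defeat the signature, while the heuristic still blocks it because it decodes the percent-encoded layer and finds the zero-sized iframe underneath. Counting how many blocks came only from the heuristic path, as zero_day_share does, is the same bookkeeping behind the 27% figure and the daily curve in Figure 17.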
ABOUT SCANSAFE

ScanSafe, now a part of Cisco, is the pioneer and largest global provider of SaaS Web Security, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep malware off corporate networks and allow businesses to control and secure the use of the Web. As a SaaS solution, ScanSafe eliminates the burden of purchasing and maintaining infrastructure in-house, significantly lowering the total cost of ownership. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe processes more than 20 billion Web requests and 200 million blocks each month for customers in over 100 countries.

The ScanSafe Security Threat Alert Team (STAT) is a key part of the ScanSafe Threat Center, which monitors the global state of Web traffic, 24 hours a day, seven days a week. STAT is comprised of a group of malware experts dedicated to analyzing trends and anomalies in Web traffic scanned by the ScanSafe Threat Center and the more than 200 million blocks each month. The team performs ongoing expert analysis of Internet threats, identifying trends in new malware tactics and developing technologies to prevent them. STAT also provides timely information on significant, newly emerging Web-borne threats via the ScanSafe STAT blog - a tool designed to provide readers with the pulse on the overall Web threat landscape.

In 2009, the company was awarded "Best Content Security" solution by SC Magazine for the third consecutive year.

ScanSafe EMEA
Qube, 90 Whitfield Street
London, W1T 4EZ
T: +44 (0) 20 7034 9300
F: +44 (0) 20 7034 9301

ScanSafe US
950 Elm Avenue
San Bruno, CA 94066
T: +1 650 989 7100
F: +1 650 989 6543

© ScanSafe. All rights reserved. ScanSafe, the ScanSafe logo and Outbreak Intelligence are trademarks of ScanSafe. All other trademarks are the property of their respective owners.