
nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malware Identification

Vulnerabilities and Malware: Statistics and Research for Malware Identification by Wolfgang Kandek

Published in: Technology

  1. Qualys: Vulnerabilities, Statistics and… Malware?
     Wolfgang Kandek, CTO Qualys, Inc.
     http://null.co.in/
     http://nullcon.net/
  2. Qualys Basics
     Founded to automate Vulnerability Assessments
     Software as a Service (SaaS) with:
       Internet based shared scanners
       Scanner Appliances for internal scanning
       Web portal for data access
  3. VIP 2-factor or Client certificate strong authentication options
  5. Qualys Basics
     Founded to automate Vulnerability Assessments
     Software as a Service (SaaS) with:
       Internet based shared scanners
       Scanner Appliances for internal scanning
       Web portal for data access
     270 employees (140 in Engineering)
     5000+ customers
  7. IDC 2011 Report
  8. Frost & Sullivan 2010 Report
     Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010
  9. Laws of Vulnerabilities
     2004 - 3M IPs scanned, 2M vulnerabilities
       Half-life – 30 days
       Prevalence – 50 % renewal annually
       Persistence – unlimited for some
       Exploitation – 80 % available within 60 days
     2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity
  10. Laws of Vulnerabilities
     Half-Life = 29.5 days
  11. Laws of Vulnerabilities
     2004 - 3M IPs scanned, 2M vulnerabilities
       Half-life – 30 days
       Prevalence – 50 % renewal annually
       Persistence – unlimited for some
       Exploitation – 80 % available within 60 days
     2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity
     Difference by OS and Application
  12. Laws of Vulnerabilities
  13. Laws of Vulnerabilities
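The half-life law on the slides above, worked as an added example (not from the deck): a half-life is fitted to a constructed remediation series by log-linear regression, then the deck's 29.5-day figure is used to see what fraction of hosts is still exposed at the 60-day mark where the slides put 80 % exploit availability. The function names and the sample series are constructed, not Qualys data.

```python
import math

# Constructed sample: hosts still vulnerable to one issue, counted at scan
# intervals after disclosure. Not Qualys data; built to follow a ~30-day
# half-life so the fit can be checked.
SAMPLE_DAYS = [0, 15, 30, 45, 60, 90]
SAMPLE_VULNERABLE = [1000, 707, 500, 354, 250, 125]


def fit_half_life(days, vulnerable):
    """Estimate the remediation half-life (days) by least-squares fit of
    ln(count) against time. Zero counts cannot be logged and are skipped."""
    points = [(d, math.log(c)) for d, c in zip(days, vulnerable) if c > 0]
    if len(points) < 2:
        raise ValueError("need at least two scans with vulnerable hosts")
    n = len(points)
    mean_x = sum(d for d, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((d - mean_x) ** 2 for d, _ in points)
    sxy = sum((d - mean_x) * (y - mean_y) for d, y in points)
    if sxx == 0:
        raise ValueError("all scans fall on the same day")
    slope = sxy / sxx  # decay rate per day (negative when counts shrink)
    if slope >= 0:
        return math.inf  # no remediation trend: the 'persistence' law
    return math.log(2) / -slope


def vulnerable_fraction(days_since_disclosure, half_life):
    """Fraction of the originally affected hosts still unpatched after t days."""
    return 0.5 ** (days_since_disclosure / half_life)


def days_to_remediate(fraction_fixed, half_life):
    """Days until the given fraction of affected hosts has been remediated."""
    return half_life * math.log2(1.0 / (1.0 - fraction_fixed))


if __name__ == "__main__":
    hl = fit_half_life(SAMPLE_DAYS, SAMPLE_VULNERABLE)
    print(f"fitted half-life: {hl:.1f} days")
    # Slide figures: 29.5-day half-life; 80 % of exploits available within 60 days.
    exposed = vulnerable_fraction(60, 29.5)
    print(f"still vulnerable at day 60: {exposed:.1%}")
    print(f"days until 90 % remediated: {days_to_remediate(0.9, 29.5):.0f}")
```

With the deck's numbers roughly a quarter of affected hosts are still unpatched on day 60, when most exploits already exist, and 90 % remediation takes about 98 days.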
  14. New Services
     Policy Compliance
       Configuration checks
       Password length, installed SW, access rights
       20 technologies, 2000 controls
     Web Application Scanning
       Web Application Catalog
       Batch oriented production scanning
  15. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal
     HoneyNet Research Portal
  16. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc.
  17. Blind Elephant Web App Fingerprinter
  18. Blind Elephant Web App Fingerprinter
  19. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc.
     Goals: accuracy, speed, low resource usage
     Results
  20. Blind Elephant Web App Fingerprinter
     1 Million “.com” domains
  21. Blind Elephant Web App Fingerprinter
  22. Blind Elephant Web App Fingerprinter
  23. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc.
     Goals: accuracy, speed, low resource usage
     Results
     Available at: blindelephant.sourceforge.net
  24. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection System
  25. Neptune Malware Detection System
     Visit/crawl web site with:
       Virtualized Machine
       Vulnerable, but instrumented OS
       Vulnerable, but instrumented Browser
     Configuration
       VMware
       Internet Explorer 6 on Windows XP
       Detours + Custom Hooks
     Log everything
     Detect malicious intent early, avoid infection
     BLACK HAT USA 2010
  26. Neptune Malware Detection System
     Static Detection
       Analyze inputs for known exploit patterns, signature based
       Pro: efficient and fast, signatures easily updated and shared
       Con: false positives, defeated by obfuscation, known threats only
     Behavioral Detection
       Monitor the browser process, check for anomalous activity
       Pro: false positives low, immune to obfuscation, detects new threats
       Con: success required, false negatives, expensive
     Reputation and AV checks (pluggable: Google, Trend)
  27. Neptune Malware Detection System
     UI version
       Focus on end-user, website owner
       Daily scheduled scans, alerts
  29. Neptune Malware Detection System
     UI version
       Focus on end-user, website owner
       Daily scheduled scans, alerts
     API version
       Focus on bulk user, integration, research
       Single URLs, Maps, or site with crawling
  30. Neptune Malware Detection System
     UI version
       Focus on end-user, website owner
       Daily scheduled scans, alerts
     API version
       Focus on bulk user, integration, research
       Single URLs, Maps, or site with crawling
     Available: qualys.com/stopmalware
     Contact: pthomas@qualys.com for API access
  31. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
  32. BrowserCheck
     https://browsercheck.qualys.com
     Security check for Browsers and Plug-ins
     End user focus, free and easy to use
  33. BrowserCheck
  34. BrowserCheck
     https://browsercheck.qualys.com
     Security check for Browsers and Plug-ins
     End user focus, free and easy to use
     200,000 visits – Jul 2010 / Jan 2011
     IE, Firefox, Safari, Chrome, Opera
     Windows, Mac OS X and Linux
  35. BrowserCheck
  36. BrowserCheck Stats
  37. BrowserCheck Stats
  38. BrowserCheck Stats
  39. BrowserCheck Stats
  40. BrowserCheck Stats
  41. BrowserCheck Stats
     Operating System:
       Windows XP – 47 %
       Windows 7 – 32 %
     Browser:
       IE 8 – 36 %
       Firefox 3.6 – 34 %
     Plug-in: ?
     Country:
  42. BrowserCheck Stats
  43. BrowserCheck Stats
  44. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
  45. IronBee – Web App Firewall
     Open source effort led by Ivan Ristic
       Author of mod_security
     WAF technology renewed
     Focus on accuracy and usability
     WAS and MDS (Neptune) integration
     Available at: www.ironbee.com
     SSL Labs – SSL usage statistics V2 is coming
       http://ssllabs.com
  46. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal
  47. Dissect – Malware portal
     Led by Rodrigo Branco - www.kernelhacking.com
     Team in Brazil, Malware and Vulnerability Research
     Malware exchange system up and running
     Malware analysis in alpha
       Static analysis
       Runtime analysis on virtual and real machines
     Integration with Neptune MDS coming in
     Community oriented effort
     Contact: rbranco@qualys.com
  48. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal
     HoneyNet Research Portal
  49. Honeynet
     Nemean Networks acquisition
     University of Wisconsin research team
       Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html
     Honeynet/Signature/IDS system
     Global Honeynet Effort
       Centralized Signature generation – open-source
       Snort/Suricata plug-ins – open-source
  50. Contacts
     Wolfgang Kandek – wkandek@qualys.com
     Amit Deshmukh – adeshmukh@qualys.com
