Vulnerabilities and Malware: Statistics and Research for Malware Identification by Wolfgang Kandek

1. QualysVulnerabilities, Statistics and… Malware ? Wolfgang KandekCTO Qualys, Inc. http://null.co.in/ http://nullcon.net/

2. Qualys Basics Founded to automate Vulnerability Assessments Software as a Service (SaaS) with: Internet based shared scanners Scanner Appliances for internal scanning Webportal for data access http://null.co.in/ http://nullcon.net/

3. http://null.co.in/ http://nullcon.net/ VIP 2-factor or Client certificate strong authentication options

4. http://null.co.in/ http://nullcon.net/ VIP 2-factor or Client certificate strong authentication options

5. Qualys Basics Founded to automate Vulnerability Assessments Software as a Service (SaaS) with: Internet based shared scanners Scanner Appliances for internal scanning Webportal for data access 270 employees (140 in Engineering) 5000+ customers http://null.co.in/ http://nullcon.net/

6. 6 http://nullcon.net/ http://null.co.in/

7. IDC 2011 Report http://nullcon.net/ http://null.co.in/

8. Frost & Sullivan 2010 Report Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010 http://nullcon.net/ http://null.co.in/

9. Laws of Vulnerabilities 2004 - 3M IPs scanned, 2M vulnerabilities Half-life – 30 days Prevalence – 50 % renewal annually Persistence – unlimited for some Exploitation – 80 % available with 60 days 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity http://null.co.in/ http://nullcon.net/

10. Laws of Vulnerabilities Half-Life = 29.5 days http://nullcon.net/ http://null.co.in/

11. Laws of Vulnerabilities 2004 - 3M IPs scanned, 2M vulnerabilities Half-life – 30 days Prevalence – 50 % renewal annually Persistence – unlimited for some Exploitation – 80 % available with 60 days 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity Difference by OS and Application http://null.co.in/ http://nullcon.net/

12. Laws of Vulnerabilities 12 http://nullcon.net/ http://null.co.in/

13. Laws of Vulnerabilities 13 http://nullcon.net/ http://null.co.in/

14. New Services Policy Compliance Configuration checks Password length, installed SW, access rights 20 technologies, 2000 controls Web Application Scanning Web Application Catalog Batch oriented production scanning http://null.co.in/ http://nullcon.net/

15. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection Scanner Browsercheck – Light-weight, end-user VA IronBee – Web Application Firewall SSL Labs – World-wide SSL usage statistics Dissect – Malware Exchange/Analysis Portal HoneyNet Research Portal http://null.co.in/ http://nullcon.net/

16. Blind Elephant Web App Fingerprinter Fingerprint common web applications by analyzing source code Blogs, Forums, Wikis, etc http://null.co.in/ http://nullcon.net/

17. Blind Elephant Web App Fingerprinter http://null.co.in/ http://nullcon.net/

18. Blind Elephant Web App Fingerprinter http://null.co.in/ http://nullcon.net/

19. Blind Elephant Web App Fingerprinter Fingerprint common web applications by analyzing source code Blogs, Forums, Wikis, etc Goals: accuracy, speed, low resource usage Results http://null.co.in/ http://nullcon.net/

20. Blind Elephant Web App Fingerprinter 1 Million “.com” domains http://null.co.in/ http://nullcon.net/

21. Blind Elephant Web App Fingerprinter http://null.co.in/ http://nullcon.net/

22. Blind Elephant Web App Fingerprinter http://null.co.in/ http://nullcon.net/

23. Blind Elephant Web App Fingerprinter Fingerprint common web applications by analyzing source code Blogs, Forums, Wikis, etc Goals: accuracy, speed, low resource usage Results Available at: blindelephant.sourceforge.net http://null.co.in/ http://nullcon.net/

24. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection System http://null.co.in/ http://nullcon.net/

25. Neptune Malware Detection System Visit/crawl web site with: Virtualized Machine Vulnerable, but instrumented OS Vulnerable, but instrumented Browser Configuration VMware Internet Explorer 6 on Windows XP Detours + Custom Hooks Log everything Detect malicious intent early, avoid infection 25 http://nullcon.net/ http://null.co.in/

26. Neptune Malware Detection System Static Detection Analyze inputs for known exploit patterns, signature based Pro: efficient and fast, signatures easily updated and shared Con: false positives, defeated by obfuscation, known threats only Behavioral Detection Monitor the browser process, check for anomalous activity Pro: false positives low, immune to obfuscation and detect new threats Con: success required, false negatives, expensive Reputation and AV checks (pluggable: Google, Trend) 26 http://nullcon.net/ http://null.co.in/

27. Neptune Malware Detection System UI version Focus on end-user, website owner Daily scheduled scans, alerts 27 http://nullcon.net/ http://null.co.in/

28. Neptune Malware Detection System UI version Focus on end-user, website owner Daily scheduled scans, alerts 28 http://nullcon.net/ http://null.co.in/

29. Neptune Malware Detection System UI version Focus on end-user, website owner Daily scheduled scans, alerts API version Focus on bulk user, integration, research Single URLs, Maps, or site with crawling 29 http://nullcon.net/ http://null.co.in/

30. Neptune Malware Detection System UI version Focus on end-user, website owner Daily scheduled scans, alerts API version Focus on bulk user, integration, research Single URLs, Maps, or site with crawling Available: qualys.com/stopmalware Contact: pthomas@qualys.com for API access 30 http://nullcon.net/ http://null.co.in/

31. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection Scanner Browsercheck – Light-weight, end-user VA http://null.co.in/ http://nullcon.net/

32. BrowserCheck https://browsercheck.qualys.com Security check for Browsers and Plug-ins End user focus, free and easy to use http://nullcon.net/ http://null.co.in/

33. BrowserCheck http://nullcon.net/ http://null.co.in/

34. BrowserCheck https://browsercheck.qualys.com Security check for Browsers and Plug-ins End user focus, free and easy to use 200,000 visits – Jul 2010 / Jan 2011 IE, Firefox, Safari, Chrome, Opera Windows, Mac OS X and Linux http://nullcon.net/ http://null.co.in/

35. BrowserCheck http://nullcon.net/ http://null.co.in/

36. BrowserCheck Stats 36 http://nullcon.net/ http://null.co.in/

37. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

38. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

39. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

40. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

41. BrowserCheck Stats Operating System: Windows XP – 47 % Windows 7 – 32 % Browser: IE 8 – 36 % Firefox 3.6 – 34 % Plug-in: ? Country: http://nullcon.net/ http://null.co.in/

42. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

43. BrowserCheck Stats http://nullcon.net/ http://null.co.in/

44. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection Scanner Browsercheck – Light-weight, end-user VA IronBee – Web Application Firewall http://null.co.in/ http://nullcon.net/

45. Ironbee – Web App Firewall Open source effort led by Ivan Ristic Author of mod_security WAF technology renewed Focus on accuracy and usability WAS and MDS (neptune) integration Available at: www.ironbee.com SSL Labs – SSL usage statistics V2 is coming http://ssllabs.com http://nullcon.net/ http://null.co.in/

46. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection Scanner Browsercheck – Light-weight, end-user VA IronBee – Web Application Firewall SSL Labs – World-wide SSL usage statistics Dissect – Malware Exchange/Analysis Portal http://null.co.in/ http://nullcon.net/

47. Dissect – Malware portal Led by Rodrigo Branco - www.kernelhacking.com Team in Brazil, Malware and Vulnerability Research Malware exchange system up and running Malware analysis in alpha Static analysis Runtime analysis on virtual and real machines Integration with Neptune MDS coming in Community oriented effort Contact: rbranco@qualys.com http://nullcon.net/ http://null.co.in/

48. New Research Activities Blind Elephant – Web Application Fingerprinter Neptune – Malware Detection Scanner Browsercheck – Light-weight, end-user VA IronBee – Web Application Firewall SSL Labs – World-wide SSL usage statistics Dissect – Malware Exchange/Analysis Portal HoneyNet Research Portal http://null.co.in/ http://nullcon.net/

49. Honeynet Nemean Networks acquisition University of Wisconsin research team Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html Honeynet/Signature/IDS system Global Honeynet Effort Centralized Signature generation – open-source Snort/Suricata plug-ins – open-source http://nullcon.net/ http://null.co.in/

50. Contacts Wolfgang Kandek – wkandek@qualys.com Amit Deshmukh – adeshmukh@qualys.com http://null.co.in/ http://nullcon.net/