nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malware Identification
Transcript of nullcon 2011 - Vulnerabilities and Malware: Statistics and Research for Malware Identification
http://nullcon.net/
Qualys: Vulnerabilities, Statistics and… Malware?
Wolfgang Kandek, CTO, Qualys, Inc.
http://null.co.in/
Qualys Basics
• Founded to automate Vulnerability Assessments
• Software as a Service (SaaS) with:
  – Internet based shared scanners
  – Scanner Appliances for internal scanning
  – Web portal for data access
• VIP 2-factor or Client certificate strong authentication options
• 270 employees (140 in Engineering)
• 5000+ customers
IDC 2011 Report
Frost & Sullivan 2010 Report
Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010
Laws of Vulnerabilities
• 2004 – 3M IPs scanned, 2M vulnerabilities
• Half-life – 30 days
• Prevalence – 50 % renewal annually
• Persistence – unlimited for some
• Exploitation – 80 % available within 60 days
• 2009 – 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity
Laws of Vulnerabilities
[Chart: Overall Critical Vulnerabilities – 72M data points; Half-Life = 29.5 days]
Laws of Vulnerabilities
• Difference by OS and Application
Laws of Vulnerabilities
[Chart: 2009 mixed half-life – Percent vs Days]
Laws of Vulnerabilities
[Chart: Microsoft OS vulnerabilities – Percent vs Days]
[Chart: Adobe Acrobat APSA09-1 & APSA09-02 – Percent vs Days]
[Chart: MS09-017 - Powerpoint - 5/12/2009 – Percent vs Days]
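The half-life figures in these slides describe an exponential decay of open vulnerabilities. As an added example (not from the deck or from Qualys), the following fits a half-life to a remediation curve by log-linear regression and shows how a mix of populations with different half-lives, as in the "mixed half-life" chart, yields an apparent half-life between the two; the sample series and the 15-day/60-day mix are constructed values.

```python
import math

# Constructed sample (not Qualys data): percent of critical vulnerabilities
# still open, sampled every 7 days, following the 29.5-day half-life in the deck.
HALF_LIFE_DAYS = 29.5
SAMPLE_DAYS = list(range(0, 176, 7))
SAMPLE_PERCENT_OPEN = [100.0 * 0.5 ** (d / HALF_LIFE_DAYS) for d in SAMPLE_DAYS]


def percent_open(days, half_life):
    """Percent of a vulnerability population still open after `days`."""
    return 100.0 * 0.5 ** (days / half_life)


def mixed_percent_open(days, populations):
    """Percent open for a mix of populations, each given as (share, half_life)
    with shares summing to 1, e.g. OS patches vs. application patches."""
    return sum(share * percent_open(days, hl) for share, hl in populations)


def days_until_fixed(fraction_fixed, half_life):
    """Days until `fraction_fixed` (0 < x < 1) of the population is remediated."""
    return half_life * math.log2(1.0 / (1.0 - fraction_fixed))


def fit_half_life(days, percent):
    """Least-squares fit of log2(percent open) against days. The slope of that
    line is -1/half_life, so the estimate is -1/slope = -sxx/sxy."""
    xs = [float(d) for d in days]
    ys = [math.log2(p) for p in percent]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return -sxx / sxy


if __name__ == "__main__":
    print("fitted half-life: %.1f days" % fit_half_life(SAMPLE_DAYS, SAMPLE_PERCENT_OPEN))
    print("days to fix 80%%: %.1f" % days_until_fixed(0.8, HALF_LIFE_DAYS))
    # Constructed mix: half the population patched fast (OS), half slowly (application).
    mix = [(0.5, 15.0), (0.5, 60.0)]
    mixed = [mixed_percent_open(d, mix) for d in SAMPLE_DAYS]
    print("apparent half-life of the mix: %.1f days" % fit_half_life(SAMPLE_DAYS, mixed))
```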
New Services
• Policy Compliance
  – Configuration checks
    • Password length, installed SW, access rights
  – 20 technologies, 2000 controls
• Web Application Scanning
  – Web Application Catalog
  – Batch oriented production scanning
New Research Activities
• Blind Elephant – Web Application Fingerprinter
• Neptune – Malware Detection Scanner
• Browsercheck – Light-weight, end-user VA
• IronBee – Web Application Firewall
• SSL Labs – World-wide SSL usage statistics
• Dissect – Malware Exchange/Analysis Portal
• HoneyNet Research Portal
Blind Elephant Web App Fingerprinter
• Fingerprint common web applications by analyzing source code
• Blogs, Forums, Wikis, etc.
• Goals: accuracy, speed, low resource usage
• Results
• 1 Million “.com” domains
• Available at: blindelephant.sourceforge.net
Neptune Malware Detection System
• Visit/crawl web site with:
  – Virtualized Machine
  – Vulnerable, but instrumented OS
  – Vulnerable, but instrumented Browser
  – Configuration
    • VMware
    • Internet Explorer 6 on Windows XP
    • Detours + Custom Hooks
• Log everything
• Detect malicious intent early, avoid infection
Neptune Malware Detection System
• Static Detection
  – Analyze inputs for known exploit patterns, signature based
  – Pro: efficient and fast, signatures easily updated and shared
  – Con: false positives, defeated by obfuscation, known threats only
• Behavioral Detection
  – Monitor the browser process, check for anomalous activity
  – Pro: false positives low, immune to obfuscation and detects new threats
  – Con: success required, false negatives, expensive
• Reputation and AV checks (pluggable: Google, Trend)
Neptune Malware Detection System
• UI version
  – Focus on end-user, website owner
  – Daily scheduled scans, alerts
• API version
  – Focus on bulk user, integration, research
  – Single URLs, Maps, or site with crawling
• Available: qualys.com/stopmalware
• Contact: [email protected] for API access
BrowserCheck
• https://browsercheck.qualys.com
• Security check for Browsers and Plug-ins
• End user focus, free and easy to use
• 200,000 visits – Jul 2010 / Jan 2011
• IE, Firefox, Safari, Chrome, Opera
• Windows, Mac OS X and Linux
BrowserCheck Stats
• Operating System:
  – Windows XP – 47 %
  – Windows 7 – 32 %
• Browser:
  – IE 8 – 36 %
  – Firefox 3.6 – 34 %
• Plug-in: ?
• Country:
Ironbee – Web App Firewall
• Open source effort led by Ivan Ristic
  – Author of mod_security
  – WAF technology renewed
  – Focus on accuracy and usability
  – WAS and MDS (Neptune) integration
• Available at: www.ironbee.com
• SSL Labs – SSL usage statistics, V2 is coming
  – http://ssllabs.com
Dissect – Malware portal
• Led by Rodrigo Branco - www.kernelhacking.com
  – Team in Brazil, Malware and Vulnerability Research
• Malware exchange system up and running
• Malware analysis in alpha
  – Static analysis
  – Runtime analysis on virtual and real machines
• Integration with Neptune MDS coming in
• Community oriented effort
• Contact: [email protected]
Honeynet
• Nemean Networks acquisition
• University of Wisconsin research team
  – Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html
• Honeynet/Signature/IDS system
• Global Honeynet Effort
• Centralized Signature generation – open-source
• Snort/Suricata plug-ins – open-source
Contacts
Wolfgang Kandek – [email protected]
Deshmukh – [email protected]