Finjan
Compliance Concerns when allowing Web Browsing
Presentation Overview
• Regulatory Compliance in respect of:
– Healthcare
– Finance
– Public and Private Sectors
• Logical Conclusion when providing Web Access in relation to Regulatory Compliance
• Spyware Overview
• Examples of Web Threats in the Wild
• The technology used to identify these known & unknown threats
Healthcare
• HIPAA ~ “Health Insurance Portability and Accountability Act”
– Goal: assure that individuals’ health information is properly protected
– Applies to health plans, health care clearinghouses, and to any health care provider who transmits “individually identifiable health information”
– Information covered by HIPAA includes:
• Social Security numbers
• Patient Identity Numbers
• Medical Diagnostic Codes
– References:
• Summary of the 1996 Act – http://www.hhs.gov/ocr/privacysummary.pdf
• PricewaterhouseCoopers – http://www.pwc.com/extweb/ncsurvres.nsf/DocID/15BD9CBE74906300852570760056939F/$file/GISS05-health3.pdf
Financial Industry
• Sarbanes-Oxley Act (SOX)
– Legislation brought in to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, following the Enron and WorldCom financial scandals.
– Three specific sections contain the rules that affect the management of electronic records:
• Sec. 802(a) ~ Deals with destruction, alteration or falsification of records, and carries heavy fines and imprisonment of up to 20 years.
• Sec. 802(a)(1) ~ States that all business records must be saved for not less than five years.
• Sec. 802(a)(2) ~ Refers to the type of business records that need to be stored: all business records and communications, including electronic communications.
• Basel II
– Risk-management practices for tracking and reporting exposure to risks
– Program of risk prevention, detection, analysis and management.
Public and Private Sectors
• EU Data Protection Directive (95/46/EC)
– Aimed at protecting individual information for reasons of consumer privacy and identity theft prevention
• ISO 17799:2000
– An internationally recognized, structured list of better practices dedicated to information security
– Originally published as BS 7799 by the British Standards Institute (BSI) in 1995 and adopted by ISO as ISO 17799.
• BS7799-2:2005 certification
– Based on the Plan-Do-Check-Act cycle
– Specification for an ISMS (‘Information Security Management System’)
Public and Private Sectors...cont.
• The UK Data Protection Act 1998 came into force on 1 March 2000. Under the Data Protection Act, anyone processing personal information must comply with eight principles of good information handling. The eight principles state that the data must be:
– fairly and lawfully processed;
– processed for limited purposes;
– adequate, relevant and not excessive;
– accurate and up to date;
– not kept longer than necessary;
– processed in accordance with the individual's rights;
– secure;
– not transferred to countries outside the European Economic Area, unless there is adequate protection.
Logical Conclusion when providing Web Access in relation to Regulatory Compliance
• All security regulations define the framework that must be created to implement, manage, maintain and enforce information processes in order to reduce operational risk
• Logical Conclusion ~ If a company, organisation or public body provides web access to an employee, and that employee’s browsing access resides on a machine or network containing personal information on customers, employees or patients, and / or correspondence / documents relating to financial records, then the company should implement security measures aimed at minimising the ability for this data to be stolen, destroyed or altered via Web-based attacks.
Hence the Question...
So is there code in the wild that can steal, destroy or alter this kind of data via Web browsing?
Spyware Definitions
• “Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.” – www.tjiss.net/glossary_s.html
• “Software that sends information about your Web surfing habits to its Web site. Spyware is often installed without the user's knowledge or explicit permission in combination with a free download.” – www.spywaredetection.org/spyware-glossary.htm
• “Gathers information about Internet users without their knowledge or consent and delivers that information to advertisers or others who have access to the information. Users can get spyware in their systems by downloading certain programs or in the form of a virus.” – www.broadbandinfo.com/internet-connections-101/glossary/default.html
Snapshot Data from IDC’s Latest Report
Trends
• Spyware has become the no. 2 threat to businesses
• Over ¾ of all machines connected to the Internet are infected with various forms of Spyware
• Has evolved from “mischievous hobby” to a money-making criminal activity; profit-driven motivation will cause the number of attacks to increase in sophistication, frequency and severity – and is regarded as the top security challenge organizations face over the next 12 months
• Without effective early detection and blocking capabilities, the total cost of Spyware will continue to rise
Source: IDC’s latest WW Anti-spyware 2006-2010 Forecast and Analysis Report (June 2006).
The Business Behind New Exploits
• Hackers are selling new exploits rather than disclosing them
• Spyware and Trojan SDKs are available for sale, with warranties
• Big business and financial rewards are fueling the fire
• Privacy, IP and identity thefts are driving the market
Web Attacker Toolkit - Website
Web Attacker Toolkit – Order Page
Web Attacker Toolkit – User Interface
Web Attacker Toolkit – Statistics Report
Web Attacker Toolkit – FAQ Page
The Web – A False Feeling
• We know Email messages can be malicious... but so can Web pages
• Web threats are serious, even more than Email ones
• Web threats are here!
[Diagram: a Web Server delivers Data / Code to the Web Browser in the form of JavaScript, Microsoft ActiveX, Java Applets, MS VB Script and Executables]
Web Threats - Infection Methods
• Almost exclusively based on Active Content
– Java Script, VB Script, ActiveX, Java Applets
– Browser vulnerabilities
• “Drive-by” download
– While visiting Web sites
– While reading emails via web browser
• Piggyback Installation
– Bundled as a hidden component of programs, such as: Games, P2P, Screen savers
The Web Threat
Source: 2005 FBI Computer Crime Survey http://www.fbi.gov/publications/ccs2005.pdf
Examples of the level of threats using the Web
Propagation vectors ~ Jan / Feb 05
Propagation vectors tracked: Email, Web, Instant Messenger, IRC, Network Shares, Peer-to-Peer. Viruses listed on the two slides (the per-virus tick marks did not survive extraction):
Troj/Dloader-IE, Troj/LowZone-O, W32/Assiral-B, W32/MyDoom-BC, W32/MyDoom-O, W32/MyDoom-BE, W32/Traxg-C, W32/Bagle-BK, W32/Kelvir-C, W32/Kelvir-A, Troj/PurScan-V, Troj/Vidlo-H, W32/Kassbot-A, W32/Domwis-H, W32/Rbot-WX, W32/Sdbot-VH, W32/Rbot-WW, W32/Bropia-Q
W32/Rbot-UE, W32/Rbot-WB, W32/Rbot-UH, W32/Rbot-UC, W32/Rbot-VQ, W32/Rbot-VT, W32/Rbot-VX, W32/Rbot-AIX, W32/Rbot-ALO, W32/Rbot-TF, W32/Forbot-DS, W32/Forbot-DR, W32/Forbot-DV, W32/Rbot-UD, W32/Forbot-ER, W32/Bobax-G, Troj/Agent-ZC, W32/Kelvir-B
Payload delivered via Web
[Repeats the Jan / Feb 05 propagation-vector table (same 36 viruses and six vectors) under this heading; the per-virus marks did not survive extraction.]
Payload extracting Information via Web
[Repeats the Jan / Feb 05 propagation-vector table (same 36 viruses and six vectors) under this heading; the per-virus marks did not survive extraction.]
Payload taking Control of Desktop via Web
[Repeats the Jan / Feb 05 propagation-vector table (same 36 viruses and six vectors) under this heading; the per-virus marks did not survive extraction.]
Summary of Propagation Methods delivering Payload / Effect via Web
Vectors: Email, Web, Instant Messenger, IRC, Network Shares, Peer-to-Peer (per-virus marks not recoverable from the extraction). Viruses on the two summary slides:
Troj/Dloader-IE, Troj/LowZone-O, W32/Assiral-B, W32/MyDoom-BC, W32/MyDoom-O, W32/MyDoom-BE, W32/Bagle-BK, W32/Kelvir-C, W32/Kelvir-A, Troj/PurScan-V, Troj/Vidlo-H, W32/Domwis-H, W32/Rbot-WX, W32/Sdbot-VH, W32/Rbot-WW, W32/Bropia-Q
W32/Rbot-UE, W32/Rbot-WB, W32/Rbot-UH, W32/Rbot-UC, W32/Rbot-VQ, W32/Rbot-VT, W32/Rbot-VX, W32/Rbot-AIX, W32/Rbot-ALO, W32/Rbot-TF, W32/Forbot-DS, W32/Forbot-DR, W32/Forbot-DV, W32/Rbot-UD, W32/Forbot-ER, W32/Bobax-G, Troj/Agent-ZC, W32/Kelvir-B
Web is Primary Payload Vector
• Analysis performed on 50 different viruses seen from the 1st January 2005 to the 9th March 2005
• 15 viruses (30%) connected to the web after they were installed, to receive instructions or to get additional malicious content
• 17 additional viruses (34%) installed an HTTP server or a proxy server on the infected machine, allowing remote users to control the machine or redirect data through it via HTTP (SOX, Data Protection Act etc.)
• 1 virus (W32/Kassbot-A) used the Web as a direct vector of infection
• 1 virus (W32/Traxg-C) infects via HTML email messages and relies upon a Web vulnerability
• Stats show that 32 of these 50 viruses (64%) utilise the web for payload delivery, control of the user’s PC, or as an exit route for stolen information
Examples of Web Threats in the Wild
All examples are taken from customer audits and evaluations
Customer Evaluating Possible Anti-Spyware Solutions
Example of Finjan’s Anti-Spyware Effectiveness
• 2000-user prospect ran an independent test in January 2005
• Test was designed only for effectiveness of anti-spyware solutions
• Four solutions were tested:
– Microsoft Antispyware Beta 1 (Desktop)
– Intermute SpySubtract 2.61 (Desktop)
– Lavasoft AdAware SE Personal 1.05 (Desktop)
• All three desktop solutions ran the latest spyware definitions, with any active protection disabled
– Finjan Vital Security for Web, v7 (Software) (Retested with NG Appliance in May)
• Clean desktops with XP (no service packs or hotfixes), Symantec Corporate Antivirus 8 (latest definitions) and IE 6.0.2600 (no service packs or hotfixes)
8 sites were visited in order and the following actions taken:
• http://iowrestling.com
• http://www.007arcadegames.com
• http://www.lyricsdomain.com
• http://astalavista.box.sk
• http://www.cracks.am
• http://www.allcracks.net
• http://freeserials.spb.hu
• http://www.oday-warez.com
• In true user fashion, any dialogue boxes that appeared were responded to with “Yes” or “OK”
• After completion of the surfing the XP installation was left for 5 minutes and then rebooted
• Once rebooted, the installed Anti-Spyware applications were each allowed to perform a full system scan
• Results...
Results...
[Detection table with columns Microsoft Antispyware / Intermute SpySubtract / Lavasoft AdAware; which product detected which item did not survive extraction.] Spyware/Malware found: 180search Assistant (Adware), 2020Search (Browser Plugin), Advertising.com, Apropos Media, AvenueMedia.DyFuCA (Browser plugin), Better Internet, BlazeFind, Booked Space, Browseraid.com, CDT, Claria (Adware), Claria.DashBar (Toolbar), Claria.PrecisionTime (Adware), Com.Com, CoolWebSearch.Startpage (Browser Hijacker), Cydoor (Adware), DelFin Media Viewer (Adware), Dot Com Toolbar, Doubleclick.net, DownloadWare (Adware), E2give (Adware)
More results...
[Same three detection columns; per-product marks not recoverable.] Spyware/Malware found: EUniverse.Updater (Browser Hijacker), Exitfuel.com, Ezula Inc, FastTrack, GAIN (Adware), HuntBar (Browser Hijacker), IBIS LLC, iDownload, Ie2bar, IST.ISTbar (Browser Hijacker), IST.PowerScan (Adware), IST.XXXToolBar (Browser Plugin), IST.XXXToolbar (Toolbar), ITForum, JimmyHelp, Master.mx-targeting.com, MediaMotor (Trojan dl’r), MoneyTree (Dialer), Ncase (Browser Hijacker), Network Essentials (Browser Hijacker), Powerscan
And even more results...
[Same three detection columns; per-product marks not recoverable.] Spyware/Malware found: Promulgate, Prutect (Security Disabler), Roings Search (Browser Hijacker), SearchEnhancement (Browser Hijacker), SearchRelevancy (Adware), ShopAtHome (spyware), SideFind (Adware), SULoads.popuppers (Trojan dl’r), Superlogy.com (Browser Plugin), Surfside Kick, Targetnet.com, TV Media Display (Adware), VX2, webHancer (Spyware), Websearch Toolbar (Browser Plugin), WinAD, WindUpdates (Browser Plugin), Wintools (Trojan), Xrenoder (Browser Plugin), YourSiteBar (Spyware), Z1.adserver.com
Overall Result
• 63 different Spyware applications found
• Success rate of the four different solutions tested:
– Lavasoft 33%
– Intermute 51%
– Microsoft 59%
– Finjan Appliance 100%
• A common set of only 8 items (12.7%) of Spyware were detected by all 3 desktop clients!
• Microsoft came out in this test as the best desktop client, stopping 37 of the 63 items, but missing 26 Spyware items
• As well as Spyware, additional Trojan horses were identified and stopped by Vital Security that were not identified by Symantec
• Conclusion reached ~ Running multiple Anti-Spyware solutions at the desktop simultaneously did not match the performance of running Vital Security at the gateway.
“Additional Security Testing Evaluation” at a major US Telco
Overview
• Telco centrally managing 15,000 web users
• Already had Bluecoat with Websense URL filtering (no access to actual category policy)
• Looking for a malicious code / Spyware solution
• Testing: 2 weeks in June 2005
• Testing: on live traffic, ICAP, and in X-ray mode with default policy
• Preliminary testing
– No in-depth policy rules – using default X-ray
– ALBB, VAD, SPY and AV engines
Results – Overview of Traffic
• 2 week period on live network traffic (not all users)
• 272,000 http transactions
• 18,858 Active Content objects (6.9% of traffic)
– 8,871 standalone Scripts
– 8,209 embedded Scripts
– 956 Java Applets
– 734 executables
– 86 Zip JAR
– 2 MS Encoded Scripts
Results – of default X-Ray Policy
• 1,632 behavior policy violations on Scripts alone
• 586 instances of 15 known vulnerabilities exploited
• 46 instances of Spyware
• 6 known viruses
• Over a 2 week period with Bluecoat and Websense already in place.
Finjan Security Preliminary Audit
Prepared by MCRC Malicious Code Research Center December 2005
©2004 Finjan Software, LTD. All rights reserved.
09-December-2005
Methodology
• The audit analysis was based on an 8-day pilot that was performed from 21-Nov-2005 until 28-Nov-2005
• The audit was performed using X-Ray mode, which logs any violation according to the recommended security policy
• Minimum logging policy was used (Blocked, Allow according to the policy)
• The logs were analysed by security experts from Finjan’s Malicious Code Research Centre (MCRC)
Technical Specifications
• Total number of users participating: 150,000, of which ~20,000 were in permanent logging through an F5 load balancer
• Estimated load of 400 hits/sec
• System used: Finjan NG 8000 with 7 Scanners
The default Policy
• The default policy was created mainly and above all for security. It was designed and optimized so that users can keep working without their productivity being put at risk.
Main findings
• ~117,000 instances of code breaking the selected security policy
• 83 viruses were detected in 228 requests
• 284 Spyware
• 37,323 accesses to Spyware sites
• 5,626 behavior-based violations – Active Binary code
• 9,670 behavior-based violations – Scripts
• 7,660 attempts to exploit OS/Browser vulnerabilities
• 4,844 High risk site categories (URL Filtering) – Adults (top ten, other examples), Hacking, Remote proxies (in the first 2 hours of audit only!)
Examples for Spyware detected
• HotBar
• Dialer.Trafficadvance
• Trojan.AdminCash
Examples for Spyware - HotBar
• Overview: Marketed as a program to add graphical skins to IE toolbars, it also adds its own toolbar. It monitors all URLs you visit to add link buttons to its toolbar dependent on the site you are visiting.
• Screenshot (see the HotBar Screenshot slide)
• Classification: Adware – Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be associated with the product.
• Severity: High
• More Info URL: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474
Examples for Spyware - Dialer.Trafficadvance
• Overview: Dialer.Trafficadvance is a dialer program that can be used to access pornographic Web sites by dialing a high cost telephone number using a modem.
• Classification: Dialer – a dialer is a spyware application which silently dials one of several ISPs to download a hostile executable
• Severity: High
• More Info URL: http://securityresponse.symantec.com/avcenter/venc/data/dialer.trafficadvance.html
Examples for Spyware - Trojan.AdminCash
• Overview: Trojan.Admincash is a Trojan horse program that infects the Explorer.exe file, lowers security settings in Windows, and downloads adware and dialers.
• Classification: Trojan – a program (often malicious) that installs itself or runs surreptitiously on a victim's machine. Trojans do not install or run automatically, but may entice users into installing or executing them by masquerading as another program altogether (such as a game or a patch), or they may be packaged with hacked legitimate programs that install the Trojan when the host program is executed.
• Severity: High
• More Info URL: http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.admincash.html
Examples for Viruses detected (McAfee)
• Nuke-Voob
• JS/IEstart.gen.c / JS/IEstart.gen.d
• JS/Exploit-MhtRedir.ldr / JS/Exploit-MhtRedir.gen
• Exploit-ByteVerify
Examples for virus - Nuke-Voob
• Overview: Nuke-Voob is a file infector which infects .COM and .EXE files by writing to their ends
• Classification: Virus/File Infector
• Number of variants: ~40
• Number of requests (in the organization): 1
• More Info URL: http://vil.mcafee.com/dispVirus.asp?virus_k=4147
Examples for virus - JS/IEstart.gen.c / JS/IEstart.gen.d
• Overview: This script Trojan simply alters the default start-up page that Internet Explorer uses by altering the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page. The Trojan may create and run an .HTA application or .REG file. This Trojan exists as script code contained in an .ASP, .HTM, .HTML, .VBS, .VBE, or .HTA file.
• Classification: Trojan
• Number of variants: ~10
• Number of requests (in the organization): 3
• More Info URL: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99066
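The slide says this Trojan changes the Start Page value, possibly by dropping a .REG file. The parser below is an added example (not McAfee's or Finjan's code) that reads the Windows .REG export format and reports any write to that registry value; the .REG text and the start-page URL in it are constructed for the example and are not from the audit.

```python
"""Flag .REG files that rewrite the Internet Explorer start page.

Added example, not McAfee's or Finjan's code: a small parser for the
Windows .REG export format that reports writes to the registry value the
slide names (HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main,
"Start Page"). The sample .REG text is constructed; the URL in it is a
placeholder, not a real site.
"""
import re

# Registry values whose modification by downloaded content is worth flagging.
# Keys are compared case-insensitively (lower-cased); value names as written.
WATCHED = {
    r"hkey_current_user\software\microsoft\internet explorer\main": {"Start Page"},
}

# "Name"=data  or  @=data  (default value)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse .REG text into (key, value_name, data) tuples.
    value_name is None for a whole-key deletion ([-KEY]); data is None for a
    deleted value ("Name"=-). String data is unquoted; dword:/hex: data is
    kept as the raw token."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):              # [-HKEY...] deletes the key
                entries.append((key[1:], None, None))
                key = None
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(2) else m.group(1)  # "@" is the default value
        data = m.group(3)
        if data == "-":
            data = None
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        entries.append((key, name, data))
    return entries


def start_page_changes(text, expected=None):
    """Return [(key, name, data)] for every watched value the .REG file
    would set; a value equal to `expected` (the corporate start page) is
    not reported."""
    hits = []
    for key, name, data in parse_reg(text):
        if name in WATCHED.get(key.lower(), ()) and data != expected:
            hits.append((key, name, data))
    return hits


# Constructed sample in the shape the slide describes (a .REG dropped by the
# script Trojan). The start-page URL is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacked-startpage.example.invalid/"
"Search Page"="http://www.example.com/search"

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, data in start_page_changes(SAMPLE_REG):
        print(f"start page rewritten: [{key}] {name!r} -> {data!r}")
```

The same `WATCHED` table can be extended with other browser or JVM settings an audit cares about; a gateway that inspects .REG downloads would run `start_page_changes` with `expected` set to the corporate home page so that legitimate provisioning files are not reported.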
Examples for virus - JS/Exploit-MhtRedir.ldr / JS/Exploit-MhtRedir.gen
• Overview:
– Downloads code from the internet
– Exploits system or software vulnerabilities
– It is an HTML-based JavaScript file which attempts to download an executable file from a remote location to the local computer using vulnerabilities associated with Microsoft Internet Explorer.
• Classification: Worm
• Number of requests (in the organization): 18
• More Info URL: http://www.sophos.com/virusinfo/analyses/jspadoloadc.html
Examples for virus - Exploit-ByteVerify
• Overview: Exploit-ByteVerify is a Trojan downloader for Windows-based systems. On a computer with a vulnerable or poorly configured Microsoft Virtual Machine plug-in for Internet Explorer, Exploit-ByteVerify will download and execute a pre-specified file. The file will be downloaded to the Windows system folder with a random filename.
• Classification: Trojan
• Number of requests (in the organization): 140
• More Info URL: http://www.sophos.com/virusinfo/analyses/trojclsldrd.html
Behavior detection
• URL: http://www.grutop.com/ppp.js
• CVE-2003-1328
• Consequences: Remote code execution
• Detailed description: Technique to bypass the MS security zone by opening an HTML file embedded in a help (compiled) file. This file will run under local zone restrictions.
• Tokens found:
xcv = '
'; clsid1='adb880a6-d8ff-11cf-9377-00aa003b7a11';
• More information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1328
Vulnerabilities detection
IE Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability
• URL: http://earlyass.com?id=sweet-young.info
• Consequences: Remote code execution
• Detailed description: By using a JavaScript function an attacker could potentially hijack mouse click events and influence an Internet Explorer user into invoking unintended procedures.
• Tokens found:
self.moveTo(0,0)
self.resizeTo(screen.availWidth,screen.availHeight)
document.onmousedown=clickNS;
• More information: http://www.kb.cert.org/vuls/id/413886
Vulnerabilities detection
Several COM Objects Memory Corruption Remote Code Execution Vulnerability
• URL: http://193.108.38.6/manual/syn_combo2/exp_sp61/index.htm
• Consequences: Remote code execution
• Detailed description: Microsoft Internet Explorer (IE) dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.
• Tokens found:
• More information: http://www.kb.cert.org/vuls/id/413886
Examples from an Audit carried out in October 04
About the Audit ~ Background on the data
• Policy agreed with Customer in advance
• “Audit Window” from 18th October 2004 to the 1st November 2004
• Audit sample is based upon the surfing habits of 3,000 users for these two weeks
• Customer was using one of the top 3 URL Filtering companies’ products, and results shown are after blocking of black-listed categories
Operational Requirements
• All content downloaded from the Internet had to be scanned before being allowed access to a user’s system; however, nothing was to be blocked: “Log but Allow” policy.
The Security Policy at a Glance
1. No content was to be allowed to create, move, modify, delete, or copy files located on the local system or any connected network drives.
2. Any content being downloaded from the Internet with or without the user’s permission should not be permitted to remove, copy, or modify any information relating to the user in question or regarding the company.
3. Any content being downloaded from the Internet should not be permitted to apply or change any settings in relation to the operating system.
4. No users were to be allowed to download executable files from the Internet other than the IT department for the provision of service patches and update files.
5. No users should be permitted to download the following file types: EXE, DLL, COM, SCR, BAT, MP3, MOV, RP?, HTA, REG, EML. The IT department will have some exceptions to this list based on an agreed business requirement.
6. Content being downloaded from the Internet should only be permitted to communicate to a trusted host and no cross communication to other hosts was to be allowed.
7. Any content being downloaded should not be permitted to access or change any of the users Internet browser settings.
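Rules 4, 5 and 6 of this policy are the ones a gateway can decide from the URL, the requesting user and the page that triggered the request alone. The checker below is an added example (not Finjan's product code) that evaluates HTTP transactions against those three rules in the “Log but Allow” mode the audit used: every violation is written to an audit line and nothing is blocked. The blocked-extension list, the rule numbers and the IT-department exception come from the policy above; the log line format, the group names, the IT exception list (EXE and DLL), the idea of using the referring page's host as the initiator, and the sample transactions are assumptions made for this example.

```python
"""Gateway download / communication policy check in "Log but Allow" mode.

Added example, not Finjan's code: evaluates HTTP transactions against
policy rules 4, 5 and 6 from the audit's security policy. Nothing is
blocked; every violation becomes an audit log line. The rule numbers, the
blocked-extension list and the IT-department exception come from the
policy; the log format, the group names, the IT exception list and the
sample transactions are assumptions made for this example.
"""
import fnmatch
from collections import Counter
from urllib.parse import urlsplit

# Rule 5: file types no user may download (from the policy). "RP?" is treated
# as a one-character wildcard, so it also covers e.g. "RPM". Matched on the
# upper-cased extension.
BLOCKED_EXTENSIONS = ["EXE", "DLL", "COM", "SCR", "BAT", "MP3", "MOV",
                      "RP?", "HTA", "REG", "EML"]
# Rule 4: only the IT department may fetch executables (patches, updates).
EXECUTABLE_EXTENSIONS = {"EXE", "DLL", "COM", "SCR", "BAT"}
IT_GROUP = "it-department"                 # assumed group name
IT_EXCEPTIONS = {"EXE", "DLL"}             # assumed "agreed business requirement" list


def extension_of(url):
    """Upper-cased file extension of the URL path, or '' if there is none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].upper() if "." in name else ""


def is_blocked_type(ext):
    return any(fnmatch.fnmatchcase(ext, pat) for pat in BLOCKED_EXTENSIONS)


def evaluate(tx, trusted_hosts):
    """Return [(rule_number, reason)] for one transaction dict with keys
    user, group, url and initiator_host (host of the page that triggered
    the request, i.e. what a Referer header would give)."""
    violations = []
    ext = extension_of(tx["url"])
    host = urlsplit(tx["url"]).hostname or ""
    is_it = tx["group"] == IT_GROUP
    if ext in EXECUTABLE_EXTENSIONS and not is_it:
        violations.append((4, f"executable ({ext}) downloaded by non-IT user"))
    if is_blocked_type(ext) and not (is_it and ext in IT_EXCEPTIONS):
        violations.append((5, f"blocked file type {ext}"))
    # Rule 6: content fetched by a page may only talk back to that page's host
    # or to an explicitly trusted host; anything else is cross-host traffic.
    initiator = tx["initiator_host"]
    if initiator and host not in (initiator, *trusted_hosts):
        violations.append((6, f"cross-host communication {initiator} -> {host}"))
    return violations


def audit(transactions, trusted_hosts):
    """Log-but-allow: return one audit line per violation, never a block."""
    lines = []
    for tx in transactions:
        for rule, reason in evaluate(tx, trusted_hosts):
            lines.append(f"ALLOW(logged) user={tx['user']} rule={rule} "
                         f"url={tx['url']} reason={reason}")
    return lines


def violations_per_rule(transactions, trusted_hosts):
    """Counter of rule number -> number of violations, for the audit summary."""
    return Counter(rule for tx in transactions
                   for rule, _ in evaluate(tx, trusted_hosts))


# Constructed sample transactions (not from the audit on the slide).
SAMPLE_TX = [
    {"user": "alice", "group": "staff", "initiator_host": "downloads.example.net",
     "url": "http://downloads.example.net/setup.exe"},            # rules 4 and 5
    {"user": "bob", "group": IT_GROUP, "initiator_host": "updates.example.com",
     "url": "http://updates.example.com/patch.exe"},              # IT exception
    {"user": "carol", "group": "staff", "initiator_host": "music.example.org",
     "url": "http://music.example.org/track.mp3"},                # rule 5
    {"user": "dave", "group": "staff", "initiator_host": "www.example.com",
     "url": "http://ads.example.net/track.js"},                   # rule 6
    {"user": "erin", "group": "staff", "initiator_host": "www.example.com",
     "url": "http://cdn.example.com/lib.js"},                     # trusted host
    {"user": "frank", "group": "staff", "initiator_host": "files.example.org",
     "url": "http://files.example.org/pkg.rpm"},                  # rule 5 via RP?
]
TRUSTED_HOSTS = {"cdn.example.com"}

if __name__ == "__main__":
    for line in audit(SAMPLE_TX, TRUSTED_HOSTS):
        print(line)
```

Rules 1, 2, 3 and 7 need behaviour analysis of the content itself (file, registry and browser-setting access) rather than URL metadata, which is why they are out of scope for this checker; the counts the ACSA findings below report for those rules come from inspecting what the active content does once executed.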
General Areas Broken in Security Policy
Security Policy 1: No content was to be allowed to create, move, modify, delete, or copy files located on the local system or any connected network drives.
ACSA Findings: There were 939 violations in relation to the file system. These file violations cover all aspects of file create, delete, modify, copy, move, and read.
Security Policy 2: Any content being downloaded from the Internet with or without the user’s permission should not be permitted to remove, copy, or modify any information relating to the user in question or regarding the company.
ACSA Findings: In addition to the 939 file access violations that could be used to modify user or company data, there were also 994 network violations where data could have been passed to third party hosts outside of Customer.
General Areas Broken in Security Policy
Security Policy 3: Any content being downloaded from the Internet should not be permitted to apply or change any settings in relation to the operating system.
ACSA Findings: There were a total of 9331 instances where Active Content was downloaded to the user’s system where it had some effect on the user’s Operating System.
Security Policy 4: No users were to be allowed to download executable files from the Internet other than the IT department for the provision of service patches and update files.
ACSA Findings: There were 1386 instances where executable files were downloaded to the user’s system. Based on the user names and IP addresses detailed with these downloads it is not possible to state whether these were members of the Technical Team.
General Areas Broken in Security Policy
Security Policy 5: No users should be permitted to download the following file types: EXE, DLL, COM, SCR, BAT, MP3, MOV, RP?, HTA, REG, EML. The IT department will have some exceptions to this list based on an agreed business requirement.
ACSA Findings: Based on the list of files, a total of 1553 documents, including many of those detailed, were downloaded to the user’s system. Reports can be run to detail the file types that have been downloaded.
Security Policy 6: Content being downloaded from the Internet should only be permitted to communicate to a trusted host and no cross communication to other hosts was to be allowed.
ACSA Findings: With no control at the gateway, 994 cross-network violations were generated.
General Areas Broken in Security Policy
Security Policy 7: Any content being downloaded should not be permitted to access or change any of the users Internet browser settings.
ACSA Findings: There were 89,728 instances where Active Content coming from the Internet has attempted to access, modify or delete settings within the JVM or Browser configuration.
Overview of major threats identified.
• The Active Content Security Audit has discovered the following notable malicious items during the two week audit window:
– 4 Spyware & Adware Applications
– 6 Internet Dialers
– 1 Virus
– 1 Remote Assistant Tool
– 2 Incidents of sites exploiting known vulnerabilities to acquire sensitive data.
Unnamed Dialler
• Dialler application not yet identified by any security company.
• Checks all network connections for dialup Internet connections.
• If found, disconnects, disables the modem speaker and reconnects to an international ISP located in Eastern Asia.
• Installer creates an EXE file on the user’s desktop named asian.exe and runs it.
• Opens an HTTP server on the local machine and listens on port 8081.
• Inbound requests are serviced by the local machine and remote access to local files is possible. (SOX / DPA / etc.)
• On connection to the ISP, opens the page index.html from the local web server (http://127.0.0.1:8081/index.html)
• Opens a porn search engine page.
• Infection took place on Wednesday 27th October 2004
• Targeted machine: Removed
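The dialler's HTTP server on port 8081 is the kind of host-side change a desktop check can catch even when no signature exists. The script below is an added example (not Finjan's code) that parses `netstat -ano` output in its Windows layout and reports TCP listeners on ports outside an expected baseline; the netstat text, the PIDs and the baseline ports are constructed for the example, and only port 8081 comes from the slide.

```python
"""Spot an unexpected local listener (such as the dialler's port 8081).

Added example, not Finjan's code: parses `netstat -ano` output (Windows
column layout; the sample below is constructed, not a real capture) and
reports TCP listening sockets on ports that are not on an expected-ports
baseline. Port 8081 comes from the slide; PIDs and other ports are made up.
"""

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING       2412
  TCP    127.0.0.1:8081         127.0.0.1:1044         ESTABLISHED     2412
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED     1720
  UDP    0.0.0.0:500            *:*                                    1184
"""
EXPECTED_LISTEN_PORTS = {135, 445}     # assumed baseline for this host


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state, pid) tuples,
    one per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        ip, port = local.rsplit(":", 1)          # also copes with [::]:port
        state = parts[3] if proto == "TCP" else ""  # UDP lines have no state column
        pid = int(parts[-1])
        rows.append((proto, ip, int(port), state, pid))
    return rows


def unexpected_listeners(text, expected_ports=EXPECTED_LISTEN_PORTS):
    """TCP sockets in LISTENING state on ports outside the baseline."""
    return [(ip, port, pid) for proto, ip, port, state, pid in parse_netstat(text)
            if proto == "TCP" and state == "LISTENING" and port not in expected_ports]


if __name__ == "__main__":
    for ip, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener {ip}:{port} pid={pid}")
```

In practice the baseline is taken from a clean build of the same desktop image, and the reported PID is then mapped to its executable to see what opened the port.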
QLowZones-5
• Only identified by major AV vendors after November 17th 2004.
• No signature at the time of this audit.
• Sex dialer dropper Trojan.
• Initial 15KB executable is downloaded.
• When executed, downloads a larger executable, which is the installation of the dialer.
• Drops an executable on the desktop and also in the Program Menus.
• Checks all network connections, looking for a dialup connection.
• If found, disconnects and reconnects to an international ISP located around the world.
• Downloaded in three different locations:
– 27th October,
– 29th October,
– 29th October,
Sensitive Data Acquisition Tool
Vulnerability ~ By crafting specially designed JavaScript code exploiting a vulnerability in one of Microsoft’s ActiveX controls, Microsoft.XMLHTTP, an attacker creating a web page can read the contents of local files of whoever browses the page.
• ActiveX control
• Downloaded from http://out.mayerbrownrowe.com/exchweb/controls/util_Recipients20.js
• JavaScript reads the content of a local file, then wraps it in XML format and sends it to a remote server
• Attack happened on Wednesday 20th October 2004
Malicious Websites Statistics – Verticals
[Chart; source: Finjan Inc. Q1 2006 audit results. Legend: “Blocked by Finjan behavior-based technology” (e-Criminals writing malicious content) versus “Blocked by Anti-Virus and URL Filtering” (Geeks writing viruses).]
“Infamous Israel Corporate Trojans”
PWS-Hotworld Trojans
• 17 different variants
• Trojans designed to:
– Capture video; capture screenshots; check Outlook & ICQ configuration settings; download & upload files from / to FTP; execute remote commands; log user input; monitor URLs being visited; restart the computer; search for files with specific extensions (Office and email files); send emails.
• Propagates via Email as an executable attachment or a protected MS Word document icon, or MS Word update icon or similar
• Finjan Next Generation Vital Security for Web stopped all 17 different variations of this attack PROACTIVELY.
The Technology Behind this Data
• All Audits and Evaluations shown in this presentation have been made using Finjan’s standard products running mostly the standard default security policy.
• Finjan’s core technology utilises Behaviour Analysis, which is able to pick up New and Unknown threats based upon their behaviour, such as Spyware, Trojans, Viruses etc., and does not rely upon signatures, hence is truly proactive.
• Finjan’s products are Checkmark certified for Gateway AntiSpyware prevention.
• Finjan owns 15 Patents, with 27 further Pending Patents in the areas of Behaviour Analysis and Content Inspection.
Thank You
[Backup chart, Finjan Inc. Q1 2006 audit results: “This is what Finjan behavior-based technology blocks” versus “This is what Anti-Virus & URL Filtering block”.]
Social Engineering is Epidemic eBay, Yahoo, Microsoft – All guide us to click Yes
… and so do Spyware sites
Social Engineering is Epidemic
Drag the window to reveal the real information!
HotBar Screenshot
Several COM Objects Memory Corruption Remote Code Execution Vulnerability
Encoded Script:
Document.write(unescape('%0a%76%61%72%20%72%65%6d%46%54%73%6d%68%' +
  '3d%27%36%31%35%63%39%62%62%64%65%37%39%3' +
  '7%63%66%36%39%31%31%37%61%36%64%61%32%38' +
  '%37%62%63%39%62%37%63%65%30%61%38%64%62%' +
  …
  '7%30%25%36%35%25%32%38%25%34%34%25%37%39' +
  '%25%36%64%25%35%32%25%35%34%25%34%64%25%' +
  '37%30%25%36%62%25%32%39%25%32%39%25%33%6' +
  '2%27%29%29%3b'));
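The tail of the encoded script above decodes to a second percent-encoded `unescape(...)` call, which is why a signature on the outer text never matches: the real content is only visible after the layers are peeled. The analyser below is an added example (not Finjan's engine) that repeatedly replaces each `unescape('..' + '..')` call with its decoded text and then scans the result for the tokens quoted on the “Behavior detection” and “Vulnerabilities detection” slides. The slide's own script is truncated, so the sample is constructed here: two nested layers around a short fragment that contains the mouse-event tokens (a window move and an event-handler assignment, not an exploit). The category names and the chunk width are assumptions.

```python
"""Peel document.write(unescape(...)) layers and scan the result for the
tokens listed on the detection slides.

Added example, not Finjan's engine: a static analyser for the encoding
idiom shown on the "Encoded Script" slide. It repeatedly replaces every
unescape('..' + '..') call with its decoded text, then looks for the
tokens the "Behavior detection" and "Vulnerabilities detection" slides
list. The sample script is constructed (the slide's script is truncated):
two nested layers around a benign fragment that contains the mouse-event
tokens. The category names are assumptions.
"""
import re

# Tokens quoted on the slides, grouped by the finding they belong to.
TOKENS = {
    "mouse click event hijacking": [
        "self.moveTo(0,0)",
        "self.resizeTo(screen.availWidth,screen.availHeight)",
        "document.onmousedown=",
    ],
    "HTML Help control CLSID (CVE-2003-1328 slide)": [
        "adb880a6-d8ff-11cf-9377-00aa003b7a11",
    ],
}

# unescape('...' + '...' + ...) with single-quoted literals, as on the slide.
UNESCAPE_CALL = re.compile(r"unescape\(\s*((?:'[^']*'\s*\+?\s*)+)\)",
                           re.IGNORECASE | re.DOTALL)


def js_unescape(text):
    """JavaScript unescape(): %uXXXX -> UTF-16 unit, %XX -> character;
    anything else is left untouched."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def peel_layer(script):
    """Replace each unescape(...) call by its decoded text; return (text, count)."""
    def decode(match):
        pieces = re.findall(r"'([^']*)'", match.group(1))   # join the '..' + '..' chunks
        return js_unescape("".join(pieces))
    return UNESCAPE_CALL.subn(decode, script)


def deobfuscate(script, max_layers=8):
    """Return the layers, outermost first, stopping when no unescape() is left."""
    layers = [script]
    for _ in range(max_layers):
        decoded, count = peel_layer(layers[-1])
        if count == 0:
            break
        layers.append(decoded)
    return layers


def analyse(script):
    """Peel the layers, then report which token groups occur in the final text."""
    layers = deobfuscate(script)
    final = layers[-1]
    hits = [name for name, toks in TOKENS.items() if any(t in final for t in toks)]
    return {"layers_peeled": len(layers) - 1, "tokens": hits, "decoded": final}


# --- constructed sample (not the slide's script) ---------------------------
def percent_encode(text):
    return "".join(f"%{ord(ch):02x}" for ch in text)


def as_concatenated_literal(encoded, width=40):
    """Split into '..' + '..' chunks the way the slide's script is laid out."""
    return " + ".join(f"'{encoded[i:i + width]}'" for i in range(0, len(encoded), width))


INNER_SCRIPT = "self.moveTo(0,0);document.onmousedown=clickNS;"   # fragment with the tokens
LAYER_ONE = f"document.write(unescape('{percent_encode(INNER_SCRIPT)}'));"
SAMPLE = f"document.write(unescape({as_concatenated_literal(percent_encode(LAYER_ONE))}));"

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("layers peeled:", result["layers_peeled"])
    print("tokens:", result["tokens"])
    print("decoded:", result["decoded"])
```

Chunk boundaries may split a `%XX` sequence across two literals, as they do in the slide's script; the decoder joins the literals before decoding, so that does not matter. A gateway that inspects scripts this way reports on the final decoded layer, which is where the slides' “Tokens found” lines come from.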
Top Ten URL‘s
• http://www.playboy.de/KOOPS/cover/cover.jpg (43 Hits)
• http://www.shirtcityclub.com/images/avatars/001.gif (40 Hits)
• http://www.ostwestmodels.com/Maxmodel/images/style/blackdream/heads.gif (34 Hits)
• http://www.swingfreunde.de/includes/status.cfm (17 Hits)
• http://www.twistyspreview.com/votd/videos/20051118_sc_1_hkp.wmv (14 Hits)
• http://www.0bucks.com/cgibin/at3/out.cgi?s=65&u=http://real.adulttime.net/roxytgp050/jv90016.htm (12 Hits)
• http://www.bild.de (11 Hits)
• http://www.calendariomania.com/cgi-bin/banner.pl (9 hits)
• http://www.teenmegacash.com/potd/thumb.php?c=n&h=133&s=6&w=100.com (9 hits)
• http://www.ostwestmodels.com/usicht.php (7 Hits)
Some examples on Adult
• http://www.teen-star-magazine.com
• http://www.swingfreunde.de
• http://www.sweethotasians.com/
• http://www.realhotgirls.com/
• http://www.playboy.de
• http://www.avpgalleries.com
• http://www.alsbikinis.com
• http://jennys-porn.com
• http://apmhostedgalleries.com/
• http://www.ostwestmodels.com/
Split on Categories
• Adult: 4350
• Hacking: 141
• Hate Speech: 69
• Remote Proxies: 183
• Violence: 65
• Weapons: 36