POSTED ON: 8/4/2011
Malware: It's Everywhere
Event ID: 153729

Angelique Matheny: Hello and welcome to this webcast, "Malware: It's Everywhere." I'm Angelique Matheny with IBM and I will be your host for today's event. The proliferation of malware designed to infiltrate computer systems without the owner's informed consent has become one of the most challenging security issues facing users today. But who owns this problem? In today's webcast we will be introduced to a new technique that combines IBM Rational AppScan and ISS technologies to identify unwanted, embedded malware. We will include background material about this scanning and malware identification and some suggestions on how malware scanning can help protect organizations and your visitors from this growing concern. And it is my pleasure to introduce our speaker today, Guy Podjarny, Rational Security Products Architect. Now before we get started, I would like to encourage you, our audience, to submit questions at any time throughout today's webcast. You may enter your questions on the left side of the event console and these will be answered at the end of the presentation; so get those questions in early. There will be a short survey during the Q and A session so please disable any popup blockers you have installed to ensure you receive the survey. We really do look at those, so thank you for taking the time. Well, I think we are ready to begin. I will now turn it over to Guy. Guy?

Guy Podjarny: Thanks Angelique. So hi everybody and thanks for joining this webinar. As Angelique said my name is Guy Podjarny. I usually go by Guy Po. And switching over to the agenda, we will actually talk about sort of two parts of this problem today.
We will spend a certain amount of time explaining what the problem being discussed here is, give a little background about the malware industry, about malware being delivered through the web, and specifically the problem that we are touching on mostly here, which is malware being served from legitimate sites. We will then cover a little bit of what the existing solutions are that you could use today and also of course introduce the new capability that we have recently added to our portfolio and explain how it overcomes problems that existed before. Okay, so a little bit before we dive into the deep details, a little bit about the malware industry and sort of the background of who is attacking in this world and what malware is. So let's start with a brief intro to what malware is. Malware is malicious software. It is a pretty broad term. The official definition talks about software that performs actions without the user's consent. That is a pretty broad set, and the less official definitions talk about doing nefarious actions or doing malicious actions without the user's consent. So malware is a family of software or pieces of software. It is [not that critical] to understand they are all bad, but at a high level viruses are pieces of software that try to perform some sort of nefarious action on a specific machine. They replicate themselves and they entrench themselves within the machine and try to copy themselves onto additional executables, additional files. But they generally remain within the context of that machine. And they embed themselves into existing pieces of software. They usually do not offer a new piece of functionality themselves. They just modify and attach themselves to the OS in the actions they perform. But the key difference is that worms propagate themselves and actually push themselves out into the network and into other machines, often using security vulnerabilities in the system.
So worms would be actually attempting to infiltrate additional machines on your network. And Trojans are a bit of a different beast, and there it is usually a useful piece of software that does something that is indeed useful, but includes within it a Trojan horse, a piece of functionality that you weren't expecting that does something malicious. An example there could be a video codec that actually plays the video but also has something bad that it is doing in the background, also logs your keystrokes at the same time. Trojans are problematic. Spyware is usually a specific sub-family that attempts to steal information from the system as opposed to sabotage the system. There are a lot of different variations and the types are not mutually exclusive. A malicious individual writing his piece of malware would use it or attempt to use it for many different purposes. So this is malware at a high level. I often get the question about whether malware is another type of virus. It is not another type of virus, it is the family name for all of these types of pieces of software. So now that we have talked a little bit about malware, let's look at what the motives are, why do people write them? And who writes them? So the primary, or one of the primary contributors of malware, if you will, or writers of malware is organized crime. In the past we were talking about anarchists and Script Kiddies and other very remote and one-off attackers that were the primary writers of these viruses. And while those still exist, the primary producers today of viruses are organized crime organizations which are doing it for the purpose of gaining profit, basically making money. This industry, this use and selling of stolen data or machine access or spamming, is something that has become quite centered in the world today to the extent that there are known and common price ranges for different pieces of information; how much would a credit card cost?
How much would your identity be sold for when all of the information around it, the social security number and such, is stolen and being sold in the market? So organized crime is a well funded group. These are people with means and they would actually hire skilled developers and skilled software engineers to write pieces of nefarious software to try and evade anti-viruses, to try and be as stealthy as they possibly can, with the goal of usually stealing data in the system, building up their spamming or distributed denial of service platforms, and in general an assessment performed by McAfee estimates that across the world malicious software has, or I think it is actually entirely all of the cyber crime, has a cost to the world in 2008 of over $1 billion. That is definitely a lot of money that was lost due to these types of attacks. So there is a lot of profit to be had. So organized crime is definitely an element and probably the biggest writer of viruses, but there are other players; there is the third bullet here which is the H4ck0rZ [Hackers] or Script Kiddies, basically the old writers of these viruses, they are still around. These are those writing viruses to prove that they can. Sometimes it is anarchists looking to show that the institution doesn't mind and a lot of times you basically write the viruses for bragging rights to show that you could break through these walls of these protection devices. And then that middle one is around the world of the use of malicious software in these cyber security attacks in the context of basically espionage and wars and conflicts between different countries. And you can see the cyber warfare component in every new conflict that occurs today; the war in Estonia is probably the one that started off the attention given to this type of attack. So you would have viruses whose goal is literally to steal information to be used later for intelligence by one government or the other.
So malware is basically a family name for a lot of different types of malicious software that is being written for different purposes such as profit, power or prestige. These are often referred to as the "Three Ps." And the last thing to understand about the malware industry is that it is very evolved and it is an industry to the extent that you can see a lot of industry terms being used in this world. For example today you can go off and you can buy common off the shelf pieces of software like this example that I have here of Turkojan. And these are basically pieces of software that allow you to hijack and manipulate and steal information from other machines without any technical skill. So you don't actually need to be an attacker to be a very savvy security person. You can just buy software and use it. And when you look at the numbers of attacks today, looking at monitoring the network and seeing what attacks are performed, the majority of them come from these types of software. So here I have an example of a common off the shelf tool that you can buy for $100 or more in different editions, very similar to how you would buy a legitimate piece of software. On slide 8 I also have examples of other regular business models that are used in the malware world. The first one is one that is very similar to the ad business model, the one where you have online ads, which is the Pay-Per-Use business model. If you are a website owner you could put an iFrame on your site that would lead to some malicious piece of content that would try to install a virus on the user who is browsing it, on the machine of the user who is browsing it. And if you are the site owner and you put that iFrame, you would be paid per visit. So for every user that went in and actually got that iFrame you would be paid a certain amount for every chunk of users, very similar to how ad impressions work. And so that is an industry standard.
The other common concept that we see today is the whole notion of web-based interfaces and cloud-based software, and you can see that in the malware world as well. This is actually, I believe, Russian-based, web-based central management of multiple machines, so this is a control system for a lot of those machines that you have installed viruses on and you are trying to manage and perform actions through them. Then you have malware as a service and other common spinoffs or modifications of existing known practices in the legitimate industry that are reused in this malware industry. So that was a little bit about the malware industry. And the goal there was just to explain that there are some pretty significant players that we are going up against right now. There are well funded attackers that are writing pieces of software for clear commercial or governmental gain and they are using the best practices that are learned from the legitimate use, from the legitimate industry, to maximize their impact. The other important takeaway from the discussion about the malware industry is that today you don't need to be a very technologically savvy, security savvy person in order to be a user of malware, a distributor of viruses. You can just buy it and then basically submit it over the wire, which, as we will talk about in a bit, greatly increases the amount of malware that we see spreading around, and we can see the same type of attack being replicated in many, many different locations. Okay, so we talked a little bit about the malware industry, let's talk specifically about malware through the web. So if you are a bad person and you are looking to distribute your viruses, you can do it in many different ways.
It used to be that email was the primary delivery mechanism – it is still a significant one; instant messaging was pretty common, it had its days of glory; network vulnerabilities, especially for worms, you would have a virus or a worm on one machine that would try to push itself out to additional machines. So there are different ways and again attackers do not limit themselves to one channel, the same way a company would not limit itself to one channel of marketing or sales. But when you look at numbers today, the primary delivery mechanism of malware is through web applications. So this is basically the notion of having the malicious piece of software served off a web application. And there are really two types of attacks there. One is called drive-by downloads and basically means when you browse a website and you load up that page, something on that page, some malicious image, malicious script, something attacks you as you are loading the page and without requiring any user action it attempts to actually infect your machine and install something as you are loading, hence the term drive-by downloads. So that is one family of attacks. The other attacks are more of a social engineering attack, which is sort of the official term for tricking the user into clicking something. So here you might have for example a family, there are the scare-ware applications trying to scare you into clicking it. For example if you browse a site and you get a prompt that says "A Virus has been detected on your system" and it is crafted and designed to look very much like a legitimate message from an anti-virus product, "Click Here to download the utility that would clean up that virus from your system." So it tries to scare you into downloading the virus, oftentimes actually using messages that alert against viruses. And many users fall for that. And there are a lot of variations of social engineering.
So malware is delivered through the web, it is delivered either implicitly or explicitly by tricking you. And it can also be delivered from many different components of a web page. A web page today is not a simple entity; it has images, it has components, it has iFrames that go to external pages, it has links to other pages, to other domains. All of these are potential vehicles for attacks. The most important takeaway from that is that in some cases you browse a site and the malicious software or the attack is actually served from the site that you are browsing. And in some cases there is an iFrame on that site that gets you to another domain, like the iFrame 911 that we saw before, and basically that other domain is the one serving the malicious software. From a user's perspective, you don't much care. You browsed the page and then you got infected; the impact is pretty much the same. So looking at a few statistics on client-side exploits, these clearly show that this is a growing problem. When you look at the first, the larger graph here, it talks about the percentage of exploits, of client-side exploits, and where they are focused. And you can see that almost 60% of the exploits in the first half of 2008, and this has been a growing trend, are focused around the browser and the browser components. That means that more and more of these attacks and these exploits attempt to actually manifest themselves when the user browses a site. He browses a site and then something in that content attempts to exploit a browser-based vulnerability. And you can see how that has changed over the years. It used to be quite minor not that long ago, in 2004, and today that is clearly a growing trend. The other two graphs show other interesting statistics. The top right one talks about how quickly exploits appear in the wild, the time between a vulnerability disclosure and an exploit.
So as soon as a vendor, say Microsoft, discloses or publishes a vulnerability that they have fixed in Internet Explorer, in 80% of the cases, in that same day that they disclose that vulnerability with a patch, with a solution, there would be an exploit in the wild. You need to ask yourself the question – how quickly do you apply those patches, both as a user and as a web site owner. How quickly do you apply these patches? Have you ever clicked that Restart Later button after you installed those patches? It means you are not protected, you have delayed that prompt from the Windows update. Every time you delay that, in 80% of the cases there is an exploit in the wild already trying to hijack your machine. So it is a pretty alarming stat. And you can also see there how the malware industry has improved over the years and they have gone from 20% of the cases having an exploit in the wild in the same day to 80%; they are clearly becoming more efficient. And the other interesting stat is that when you talk about browser-based vulnerability, the vulnerabilities are not just in the browser. The browser today is an ecosystem – it is almost an operating system by itself and it has a lot of add-ons on it. Those would include some known ones like Flash, Java Applets, also some of the QuickTime movie players – a lot of these add-ons that are very prevalent and very common in your browser environments, and there are a lot of smaller, less common or less broadly used components and add-ons. All of those are potential targets for these exploits. So far we have talked about, again, the malware industry and these attackers, and we talked about how the attackers have shifted from attacking primarily through email or instant messaging to being very heavily web-based and delivering attacks through the web.
However, up until now we were talking about a malicious site; we were talking about a site that you somehow had to be tricked into browsing. Sometimes there are a lot of sites that are considered gray area and are often in reality malicious sites. Those often include porn sites or adult-oriented sites. Also warez sites, illegal software download sites, when you are downloading software illegally through [b-tour], [in-tour] or other such means; oftentimes these sites that are already in the gray area of the law would also have malicious components on them. But those are still a small subset of the sites. You could still relatively protect yourself through being cautious about which pages you browse. So what we are looking at on Slide 13 is basically the problem that occurs today, which is that the need to browse a malicious site in order for you to be attacked has gone away. So one of the fastest growing problems today, and I have a variety of quotes here from all sorts of security research summaries that occurred in 2008 by different companies, all of them show a rapidly growing trend of legitimate sites serving malware. So this is a real, kosher, legitimate site like a federal travel booking site, or company sites, or Twitter, or TrendMicro, an anti-virus company themselves, or Business Week – definitely legitimate sites, not trying to attack you on purpose. But these are sites that have been compromised and instead of, or in addition to, trying to get to their own data, let's say Business Week was compromised, the attacker may be looking to get data from Business Week subscribers and such, but either instead or in addition to that some malware, some malicious piece of content, was left behind. And then the users that browsed that site are getting attacked. Business Week's website owner doesn't know that and the users don't know that, but basically those sites are being used to spread out malware.
And this is very much a very big problem because it breaks the logic that we had before. Before we were talking about user education, we were talking about be careful which emails you open up, be careful which sites you browse. And basically this sense of legitimate sites serving malware means you are almost helpless as a user – you don't have a way to avoid exposure to these attacks. We will talk a little bit later about client-side software that you can use to try and protect yourself. But you can avoid being exposed to the attacks. You have browsed these legitimate sites as a part of your day to day work. One of these examples is a federal travel booking site; as a part of your job when you wanted to travel somewhere you had to go to that site and book travel through it. So it is clearly a problem, it is clearly an issue and it is one that breaks the traditional protections, the traditional education – you can't blacklist the URL. You can't say now I am blocking access to the domain Business Week because that is a part of people's day to day usage. So, we will talk more in the next few slides about how it happens, how the malicious piece of software gets on those sites and of course what you can do about it. But this is basically the problem that we are looking to address. And you can see some alarming stats that talk about how these attacks have grown 4x over the last year; we are talking about almost – stats vary actually in different reports – between 60% to 80% of malware on the web today being served off legitimate websites. And we are also talking about between I think 100,000 and 200,000 attacks per day being identified that are attempting to do this. Actually, excuse me, the statistic is between 100,000 and 200,000 pages being compromised daily based on some stats from the ISS X-Force team. So it is clearly a rapidly growing problem and more and more sites have that. And I have a few specific examples in the next two slides.
So before we get into examples, maybe a few tips about how this can happen. How can a legitimate website get compromised? So there are a lot of ways. The four primary ways are: one is user content – so user content is something that became prevalent with the Web 2.0 theme, we are all familiar with wikis, we are familiar with blogs. There are [post-back] sections on news sites. The Web 2.0 theme is very much community-driven information and a lot of the data gets posted by users. If there is improper sanitization and handling of that data, you could have flaws. For example, let's say you have a blog that allows posting an image. Potentially that image could be an image that is maliciously crafted to exploit a vulnerability in some graphics library that is being used when somebody browses it. So you haven't really done anything bad in your website, but you have allowed users in your blog to upload their content and you are serving it back, and that content may be malicious. On a similar note you might be including third party content like ads or mash-up applications, just content from additional domains, and once again that is content that is outside of your control; that third party component may have been compromised itself or it may be malicious. For example, think about an ad service serving all sorts of Flash banner ads. These pieces of Flash actually run scripts and they can perform some pretty significant exploits if the ad company is not properly vetting and analyzing each Flash banner that they pass along. You might have a malicious Flash file being served on your application and actually serving malware. The third and pretty obvious one is vulnerabilities themselves. So these would be vulnerabilities either in your own code, web application vulnerabilities that allow command execution, allow persistent cross-site scripting – a lot of these vulnerabilities in your own code.
Specifically, Rational AppScan is a tool that you would use to try and avoid having these problems in your application. But also the second bullet here, sorry the first bullet, the unpatched/0-day vulnerabilities, is today the primary delivery mechanism of malware. These are vulnerabilities in the software, in the underlying infrastructure that your website runs on. So for example maybe you are running an Apache web server and in that specific version today there is an exploit that is being disclosed – sorry, there is a vulnerability that is being disclosed. And as we saw, in 80% of the cases there is an exploit in the wild. So it attempts to exploit that vulnerability and tunnel and inject some piece of malware through it. How quickly do website owners usually apply the patch? Very rarely do they do that in the seconds after the patch was deployed. So it is very much a race, and that doesn't even address the undisclosed vulnerabilities, those vulnerabilities that the attackers found but were not yet disclosed. So the owner, the vendor, doesn't know about those yet. And the problem with these types of vulnerabilities is that they can work in mass, and we will talk about these mass SQL injection worms in a bit. And then last but not least is the notion of an internal attacker, another growing threat. It could be that the malicious content has been injected from within the network, from a disgruntled or blackmailed employee, especially in an international organization, or through other viruses and malware that you have on your system, in a sense a form of worms propagating themselves. So there are a lot of different ways to compromise your sites. And kind of the last bullet to mention on that front is that making sure that your website is not serving malware is the website owner's responsibility.
It is the same way that it is your responsibility to ensure that your application properly secures the data that gets uploaded to your system: if the customer uploads his credit card to your system in order to purchase something, he expects a certain level of security from your site so that you would protect his credit card from being stolen. The same goes for personal information. So this is very similar in its concept. If you are serving malware you would lose customer data, you would lose customer trust, your brand would be harmed, there might be legal liabilities depending on the situation, and there is also a growing interest in this type of problem from regulations. There is talk about PCI's next version requiring that you perform some sort of routine malware analysis to ensure this isn't happening. So it is very much you as a web application owner, as a website owner, it is very much an issue for you; it is your responsibility to ensure you are not attacking those browsing your site. In the next few slides I have about four examples that I will quickly go through, and what those serve is just a few examples in a bit more detail about such incidents of legitimate sites serving malware. The first one was published in the Washington Post, but it is not a vulnerability on their site; a travel booking site for the federal government had been hacked. And basically the vulnerability that allowed the malware to be uploaded was some misconfiguration in the eAuthentication item. So this was a misconfiguration, sort of an infrastructure/application vulnerability. And the result was that that site was serving malware. Basically once you had logged into the site you would get redirected to a malicious site that would attack you. And the virus that was spread through that system was actually a pretty new virus and it evaded the anti-viruses that were on people's systems, at least for a while.
And that resulted in at least, and this was a little bit rumor-based because, being in the federal government, the attacks were not fully disclosed. But I think the details that I managed to find talk about four sub networks in the federal government that have been compromised with these viruses and had a bit of a hard time getting rid of them. So that is sort of one example of a vulnerability that serves it, and obviously the sensitivity here is the fact that this was actually the federal government travel booking site, so it is a site that people access from their intranets at work. The second example, which is interesting, is BarackObama.com. In this example, BarackObama.com had a subsection, my.barackobama.com, a part of Obama's understanding of the social network and the use of it on the internet, so users/supporters of Obama could open blogs and upload data. So this was basically a blogging sub-portal on BarackObama.com. And what it allowed was posting videos from other domains, or actually specifically what they have done here is they have used the ability to upload images. So what users experienced was a malicious user posted a blog, obviously it was not known to be a malicious user, and posted an image on that blog that looked like a YouTube video and served as a hyperlink. So that was a feature that the site allowed; the blog allowed you to open an image and have that image be a link. So users are very familiar today with that YouTube-like video. They clicked the play, it launched them, took them basically to another site that in turn tried to play that video and prompted them to install a video codec which was actually a Trojan.
So there are actually a few components here and this might have been done more efficiently from the attacker's perspective, but users were tricked into, socially engineered into choosing to play that video first because they were used to these videos, they are used to this format, this style of YouTube video that is embedded in pages. And the second thing was that they got prompted to say, well, you want to play this video, you need to install this add-on. Because they came from BarackObama.com they trusted that this was a piece of software that they could rely on and they approved it, and a good number of users were compromised. And the interesting thing is that because of the popularity of that portal and that domain, the attackers actually used that along with additional promotions to get this very high up in the Google search, so a lot more people would be exposed to this attack. The third example, and I will kind of quickly go through those because I am spending a bit too much time on those, is a back-door. So WordPress is probably the most widely used blogging software in the world today. And what happened here was more of an internal attacker that went in and modified the files that were being downloaded and added a back-door to those files. So if you downloaded WordPress for – I think they caught onto this in a couple of days. So if you downloaded WordPress in the span of these two or three days and installed it, you had a back-door on your system and the attacker could basically access your system and execute any code they wanted on your machine. So that is more the WordPress website serving you a malicious package unknowingly because that package has been modified. And then last but not least is one that is pretty well known from last year. Not the last Super Bowl but the one before that, a short span of time before the actual Super Bowl, that site got compromised with a malicious script.
Actually what this was, was an iFrame, I believe, that included that malicious script that tried to exploit a couple of vulnerabilities in the Windows OS and spread them out. And the interesting thing here is that the vulnerabilities that were being exploited were actually a bit old, so this could have had a lot more impact than it actually did. But clearly the interesting aspect here is the fact that the Super Bowl website attracts a huge amount of traffic. So a lot of users, a lot of people browsed those sites, often people that are not necessarily very computer savvy, and got compromised with these attacks. So these are just a few, four examples of sites that were compromised. One more thing that I want to comment on before I get into solutions and kind of stop talking about this problem is about these mass automated SQL injection attacks. So, we talked about the fact that the malware industry has become more proficient in producing tools that others can use. One of the latest is a tool that works roughly in this fashion. You would get the tool, you would buy it, you would launch it up, tell it what the piece of malicious software is that you want to install. So you would give it a virus or an iFrame that maybe you bought from somebody else. And then you would look for that tool to propagate your malicious software across the world. So you are not attacking a specific site; you have a virus and you are looking to spread it out. So it is a very different approach than targeting a specific site and trying to hack into it. So you are going to hack into any site that you manage to hack into. So what this tool does is it loads up, you give it that information, it goes to some server, they are often referred to as Chinese SQL injection worms just because the servers and the known variants have often been in China. So they go off to some server, let's say in China, and they download the latest exploits, the latest known vulnerabilities, similar to what a security tool would do.
And then they go off and they perform the attacks using these signatures. So the tool does that automatically, again it doesn't require expertise from the user. And they would actually use Google or other search engines to look for fingerprints. For example, if you know that Apache version X has a certain vulnerability (just kind of latching on to Apache here, all of the web servers have these issues), then identifying that Apache version X is running can usually be done using all sorts of search criteria. So users would actually use Google and such to search for potential targets and then attempt to attack those. And this type of approach is probably the primary reason that the amounts or the numbers of these types of attacks have increased so dramatically and why we are seeing hundreds of thousands of pages being compromised daily. And the tools are easy to get to and it is basically the fact that the industry has released a very efficient tool – the malware industry has released a very efficient tool – and it is really a type of system that is very hard to fight against and is probably not going to go away any time soon. Because the types of vulnerabilities, the types of viruses, those vary constantly and are hard to keep track of. Okay, so up until now we talked about the problem. We talked about the industry, we talked about the propagation of malware over the web and specifically through legitimate sites. Let's talk a little bit about solutions. So first of all on the client-side, on the client-side – and this is not an area where we necessarily have software from Rational for – you basically just need to, there are various tools and you should probably use those to attempt to protect yourself. There is nothing foolproof; there is no perfect anti-virus today. There are always the 0-day vulnerabilities. But you basically want to mitigate or reduce your risk. So this is you as a user. You still want to act smart.
You don't want to ignore any security warnings that you have, but you don't want to just click something that you didn't expect. You don't want to browse the sites that you think are concerning; you still want to be smart about that. And you want to use the address bar to make sure that the site you think you browsed is indeed the right one. You definitely want to use desktop or endpoint security solutions such as anti-viruses, anti-malware, a personal firewall. If you want to take it to the next stop, or to the next step, Firefox has an extension called "NoScript" which doesn't allow – you basically need to explicitly allow scripts from every domain, so by default it doesn't allow scripts to run and you need to whitelist specific domains. And the third bit is to stay current. Basically both the anti-virus companies, the operating system companies, the browser companies, they all have a very standard update mechanism, but you have to use that update mechanism. If your operating system is not patched, it is more vulnerable. If the anti-virus solution that you have is not up to date, it would miss the latest viruses. So you definitely want to stay current. And as a corporation you probably want to get a web gateway or an IPS to basically put in front of your network. These solutions are not perfect by any stretch, but they are better than having nothing; they will catch some known attacks. So these are kind of client-side vulnerabilities. They are not what we are here to talk about. What we are here to talk about is server-side solutions. So if you are a website owner and you acknowledge this is your problem or this is a problem that you need to face, what can you do? What can you perform to reduce the risk or eliminate the risk of attacking users browsing your site? So there are a couple of existing solutions today. Both are quite limited.
One thing you can do is you could put an IPS or a network protection device or filter device in front of your site so that anything that you return to the user, any traffic coming back from your site would be inspected by this IPS. And if it is malicious it would be blocked. These tools and these approaches are fine, but the problem with these tools is that because of their nature they need to support an enormous amount of traffic that passes through them. And because they want to maintain a certain throughput, you don't want them to reduce your performance, they can only afford a fraction of a second to every piece of data that passes through them. The result of that is that they see the data, the malware would actually pass through them but they can only look for known patterns, they can't do any deep analysis. They definitely, we talked about an iFrame being embedded in the page and that leading to a malicious site, they definitely don't have the bandwidth to go off and request everything on that page on the user's behalf. So they would do the analysis in a very shallow fashion. They just won't go deep. So while the malware would or the malicious piece would pass through them, they would see it but they would not identify it because they have to be very quick in their analysis. The second solution is to use anti-virus software on the server. So on your actual web server and web application server. And the problem with that solution is that of visibility. So the anti-viruses, while not perfect, are probably the best techniques you have today for identifying that there is a virus but they generally scan files, they don't scan web pages, they don't scan data. 
So two primary repositories of data that they would never scan and therefore never find malware in, one is the database – some anti-viruses are now building some capabilities to analyze databases, but most of them can't really scan the data within the database, within your custom tables, so if they don't scan the data, and that is often where most of your web data is, then they would clearly not identify a virus there. And the second, maybe a bigger problem, is that once again they never see the page in completion and therefore if there is a malicious iFrame on your page, there is nothing malicious on your site. There is an iFrame, which is generally legit, that goes to another site and that site has something malicious. So if there is a malicious iFrame on your site the anti-virus would never clue into that. And these injections of malicious iFrames are the primary attack technique that is used today. Generally the most common attack is an iFrame to a malicious site that is being injected through a platform vulnerability. So these are good solutions in the sense that they do improve your security posture but they are very limited, they still leave a lot to be desired. So we talked again about the problem and we talked about the existing solutions, and this is basically the point to introduce this new capability. We have acknowledged the problem and the gap in the existing solutions and we wanted to offer a new capability that would actually help you address this in a more efficient fashion. And we took a different approach to it. What we do is HTTP-based malware scanning. So we are combining the HTTP view with more of an anti-virus like capability. And the solution really works in two or maybe three phases. The first phase is the discovery part, and in that case we use Rational AppScan's deep scanning capabilities to discover through the site.
So Rational AppScan can already to date traverse modern web applications automatically or manually and get through all of these advanced technologies that remain there, executing JavaScript, executing Flash, supporting all of these complex login processes or states, supporting of course SSL. So basically browsing and discovering the entire site. This is somewhat akin to maybe an anti-virus going through all of your file systems, but in this case we are looking at the page in completion. So if it comes from multiple domains, if it comes from different locations, from the database, from the file system, we don't care – we look at it from the victim's point of view. But we traverse the entire site. So that is the discovery piece. And then the second piece, and this is where the ISS technology comes in, is that we analyze everything that we see for viruses. So we do two types of analysis there – we analyze all of the content that we see to see if it is a virus and then we analyze – so let's say we would do that for everything within your domain or maybe even linked off your domain. And then wherever it is that we stopped, we would look at all of the links further, and we have to stop at some point because we don't want to start scanning the web, and we would compare those to a known blacklist of URLs, basically a database that says whether a URL is a sports URL, is a news URL or is a malicious URL. So, and we will talk about those technologies more in the next slide. But at a high level this HTTP-based malware scanning performs an HTTP explore, discovers the site and then basically analyzes everything that it saw. The first type of analysis, the malware, the content analysis is basically akin to browsing your entire site in an automated fashion on a machine with a very up to date anti-virus to flag, and flagging any behaviors or any problems that we see. So if we look at the technologies involved, so one piece is the AppScan technology.
And the AppScan technology is around, basically takes care of the discovery part of getting through the entire site, the deep scanning capability. And the other technology is what we pulled in from the ISS group, and there are actually two engines that we have done here, that we have used here. One is more of an anti-virus like engine called VPS and this is a very complex and advanced behavioral analysis engine that basically looks at a piece of binary or a page with components of it or scripts and attempts to understand or assimilate the behavior in a very secure fashion, the behavior of that executable or application would do, and tries to see if anything is nefarious there. Does it attempt to override system files, does it attempt to access the network? Are there some other meta behaviors that are known to be malicious or appear to be malicious? And then it flags those issues. So probably the simplest way to think about this, this is an advanced anti-virus. And then the second technology we use is that web filter repository. So in ISS there is a group building this web filter repository, so they have this server farm that constantly scans the web like Google does, identifies new content and classifies that, getting to one URL and saying this is a news site, this is a sports site, this is a phishing site, this is a malware site – this is an illegal download site. So it basically uses a very, very broad set of algorithms including VPS, but many others as well to classify these domains. And in general this data is used in web gateways. So often corporations would have a web gateway where all of the traffic, if you don't want your employees browsing porn while they are at work, then you would put a web gate and you would block access to porn sites. What is and is not a porn site, that is information you would get from this repository. In addition these web gates will also try to protect their users by not allowing them to browse malware sites. 
So what we do is we basically look at all the external links that we found on our site at the point where we don't do the analysis ourselves and we ask this repository what are the categories of this link and we flag malicious or unwanted ones, such as illegal links, to you as a user. So this is the new capability. I ended up talking primarily about the background and the problem and the solutions because the technology that we are building here is pretty straightforward. We scan the site over HTTP and then we analyze it with existing technologies of an anti-virus like engine and a web gateway like functionality. But the approach that we have, looking at it from the HTTP point of view, overcomes the problems that we identified in the existing solutions. So the fact that it is HTTP-based means you have access and visibility to all of the content and the links, basically if we are not attacked then the user won't be as well because we are looking at it from the same point of view. We are loading the page. On the flip side it is a scanning solution, so it has the time, of course you want the scan to complete quickly, but you don't need, you are not limited to that fraction of a second for every piece of data that comes in. So you can actually perform that behavioral analysis, you can actually go off and analyze and maybe request those links. So, the combination of that visibility, which is described in the third bullet as well, with the ability to be a scanning solution and actually inspect what you see in a more deep fashion is the killer combination here, is a strong combination that allows this solution to flag problems that you would not otherwise identify. Another slightly more minor benefit is that we can flag suspicious behaviors; all of these run-time solutions have the limitation that they have to be black and white – you are either blocking or you are not blocking.
We can properly prioritize and split them up, but we can flag types of behaviors that seem suspicious that the user can later inspect himself. And so this is the new capability we are building and I will talk about it in our portfolio. But above and beyond the functionality, this is also exciting from the fact that we are tapping into existing technologies within IBM. So I am in the Rational AppScan group, and one of the exciting pieces here is that we could leverage very, very advanced and complicated technology of identifying viruses and classifying these URLs which we would be very hard pressed to build as an independent group. And there are a lot of these types of projects going on right now with AppScan and within, in general, the security families or security products within IBM where more of these integrations and reuses of technology of very powerful tools are being done so that we can offer powerful capabilities with a lower level of investment, thus offering it up in a quicker fashion and giving you more services as customers. And in addition, I will talk a little bit about these offerings, is that this technology is useful both as a product and a SaaS offering and it is a natural addition to our AppScan On-Demand Production Monitoring Tool Suite – I will talk about those in the next slide. Okay, so this is sort of a summary slide a little bit talking about where this capability is available. So we built this capability and the goal is definitely to have this across our product line. Right now you can go off and you can download an AppScan Standard Edition eXtension. So we have the AppScan eXtension Portal that you can get to through the AppScan developerWorks page – you can just Google up AppScan eXtension Framework. And we have a malware scanner eXtension that you can download and add, it is a free add-on to AppScan and you can use it to perform the malware scanning.
This has also been added to all of our software-as-a-service offerings, so if you want to perform the scanning but you don't want to host the software yourself, you want to scan your site periodically, then we can do that for you through our software-as-a-service offering. So those are available today and by the end of the year in our fall releases this malware scanning capability would be added across our products – the AppScan Standard, AppScan Enterprise products. So it becomes a tenet, it becomes another core capability in our product suite. Okay, so that was it about malware scanning. We talked, just to summarize, we talked about the industry, the attacker, we talked about the attack vector attacking through the web and compromising legitimate sites. We talked about the existing solutions and their strengths and weaknesses and then we talked about the new offering, the new capability, the malware scanning capability that the Rational AppScan family has now added. With that I will turn it over to Angelique and we will have some time for questions, a couple of minutes for that later on.
Angelique Matheny: Thank you very much Guy. This was a very informative presentation and we really appreciate you taking time out to speak about this important topic. It is very important. You did a great job. Just as a reminder to our audience, there is still time to submit questions through the question submission field on the left side of the event console. Your feedback on today's presentation is also very important to us. In a moment you will see a survey pop up on your screen and we ask you to help shape the content of our future webcasts. We greatly value your opinion and look forward to hearing what you have to say about today's presentation. But before we launch our survey and begin the Q and A session I wanted to mention a few additional resources available to you from IBM.
As you can see on this first slide we have some additional web application security development resources for you. If you are looking for trial codes, check out the developerWorks link listed here to get you started. And on the next slide, free trial downloads of IBM tools. These free downloads provide easy access to IBM's most popular trial software and include a collection of supporting resources for you to trial. Please visit developerWorks downloads for the complete list. And on this slide you will see that our briefings are a great way to get additional education. They are live, local events and you can see that there are a variety of technical briefings being offered. These are held throughout the year in various cities around the country and around the world, so check out the website listed on this slide to see what is coming to a city near you. I should also mention that there is no charge to attend these events. And on the next slide you will see IBM Rational Training Solutions. You can certainly boost your productivity with Rational Application Development Software. Some of the top rated and recently announced new courses are a great way to get that additional education. If you would like to buy what we have discussed today or any of our other products, the IBM Software Catalog will help you quickly find what you are looking for. Our interactive online catalog names up-to-date product and pricing information and allows you to order online or by phone. And finally, as you can see, we are ready to begin our Q and A session. Our first question Guy, we have two or three in here that I think we will have time for. This says, are any of your competitors offering this type of ability?
Guy Podjarny: Thanks Angelique. So the answer to that is certainly, in a nutshell, no. This is sort of a new capability and as I mentioned it is a capability that we had the benefit of adding only thanks to this technology that we can harvest from the ISS world.
So at the moment there are some small offerings, some small capabilities from some specific, I guess, vendors that are offering the malware scanning abilities; specifically, generally these are very small time players and not players in the web application security world in any significant fashion. So we do see this as a competitive strength as well, or as a unique capability. And it is part of our mandate, it is part of our challenge to constantly attempt to remain on top and to offer these capabilities based on what our customers would like us to provide.
Angelique Matheny: The next question, does it make sense to use malware scanning on a pre-production site? Good question.
Guy Podjarny: Yes, so the short answer here is no. Generally it is important to differentiate the capability that Rational AppScan provides in its core, which is identifying vulnerabilities, and the ability to identify malware on a site, which is finding out that the website has been compromised. So most of the vulnerability scanning in today's world is done on pre-production sites, although savvy users or security aware organizations also scan their production systems on a periodic basis. But in general when you are looking for vulnerabilities it is okay if you have a mirror environment, a staging environment that mimics your production system, and then you can scan that system and you know that if you identify the vulnerability there, it is the same code, it is the same platform in the production system, therefore it would have the vulnerability in the production system as well. On the flip side, for malware issues, you are basically looking for proof or indications that you have been compromised and that you have been compromised to serve malware. Because in a pre-production site, that application, the data that drives it, has not really been exposed to users. There is no way, there is no real risk or reasonable risk for them to have been compromised.
So it doesn't really make sense to scan that pre-production system when you didn't give it a chance to be compromised. So basically it doesn't really make sense to use it, but you can, to perform malware scans on pre-production sites, but you can scan with the same tools that you use. With the AppScan tools you can perform the vulnerability scan on your staging site and you can perform the malware scan on your production site. Or of course you can use our service for it.
Angelique Matheny: And you just mentioned that service – we are reaching the top of the hour but I think we have time for this question since you just mentioned it. Do you offer a service that can do this scanning for me?
Guy Podjarny: So that is a very, very common question, and we definitely do have that service and it is probably even the easiest way for you to incorporate malware scanning. We have a suite of offerings called AppScan On-Demand which is basically our software-as-a-service offerings where we run and host the software for you and run these scans. We have On-Demand offerings for vulnerability assessments so we would actually scan your site for vulnerabilities, both pre-production and production sites. And specifically, one of those offerings is called AppScan On-Demand Production Monitoring. I mentioned it briefly before. So this is a specific software-as-a-service offering where we scan your site on a periodic basis from our environment, very little effort for you, very simple for you to get started, and we scan production sites. So that is a service where malware scanning is a very natural addition to and it has been added to it, so you can just use our AppScan On-Demand offering and again it is a very simple process and it can get up and running and get those scans without any skills or significant amount of work or effort on your behalf.
Angelique Matheny: Guy, is there a link that we can point our customers to, to find out more about this, what you are doing?
Guy Podjarny: I don't have the link by heart, but if you just Google up AppScan On-Demand you would get to that offering. And if you go to the devWorks AppScan, to the Rational AppScan devWorks page, again just Google Rational AppScan, it would be there in our family of products. And it is called AppScan On-Demand Production Monitoring.
Angelique Matheny: Okay, great. I think you mentioned that as well. Well, thank you very much, Guy. This webcast will be available for replay in about 24 hours using the same URL, so share it with your friends, or listen to it again. I would like to thank our speaker today, Guy Podjarny, for being with us to talk about "Malware: It's Everywhere." We would also like to thank you, our audience, for your interest in IBM. We hope to see you back for another one of our events in the near future. Thank you very much.