Malware: It's Everywhere
Event ID: 153729
Angelique Matheny: Hello and welcome to this webcast, "Malware: It's Everywhere." I'm Angelique
Matheny with IBM and I will be your host for today's event. The proliferation of malware designed to
infiltrate computer systems without the owner's informed consent has become one of the most
challenging security issues facing users today. But who owns this problem? In today's webcast we will
be introduced to a new technique that combines IBM Rational AppScan and ISS technologies to identify
unwanted, embedded malware.
We will include background material about these scanning and malware identification and some
suggestions on how malware scanning can help protect organizations and your visitors from this
And it is my pleasure to introduce our speaker today, Guy Podjarny, Rational Security Products
Now before we get started, I would like to encourage you, our audience, to submit questions at any time
throughout today's webcast. You may enter your questions on the left side of the event console and
these will be answered at the end of the presentation; so get those questions in early. There will be a
short survey during the Q and A session so please disable any popup blockers you have installed to
ensure you receive the survey. We really do look at those, so thank you for taking the time.
Well, I think we are ready to begin. I will now turn it over to Guy. Guy?
Guy Podjarny: Thanks Angelique. So hi everybody and thanks for joining this webinar. As Angelique
said my name is Guy Podjarny. I usually go by Guy Po. And switching over to the agenda, we will
actually talk about sort of two parts of this problem today. We will spend a certain amount of time
explaining what is the problem that is being discussed here, give a little background about the malware
industry, about malware being delivered through the web, and specifically the problem that we are
touching on mostly here which is malware being served from legitimate sites.
We will then cover a little bit of what are the existing solutions that you could use today and also of
course introduce the new capability that we have recently added to our portfolio and explain how does
it overcome problems that existed before.
Okay, so a little bit before we dive into the deep details, a little bit about the malware industry and sort
of the background of who is attacking in this world and what is malware. So let's start with a brief intro
to what is malware. Malware is malicious software. It is a pretty broad term. The official definition
talked about software that performs actions without the user's consent. That is a pretty broad set, and
the less official definitions talk about doing nefarious actions or doing malicious actions without the
user's consent. So malware is a family of software or pieces of software. It is [not that critical] to
understand they are all bad, but at a high level viruses are pieces of software that try to perform some
sort of nefarious action on a specific machine. They replicate themselves and they entrench themselves
within the machine and try to copy themselves onto additional executables, additional files. But they
generally remain within the context of that machine. And they embed themselves into existing pieces of
software. They usually do not offer a new piece of functionality themselves. They just modify and
attach themselves to the OS in the actions they perform. But they usually, the key difference is that
worms propagate themselves and actually push themselves out into the network and into other
machines usually, often using security vulnerabilities in the system. So worms would be actually
attempting to infiltrate additional machines on your network.
And Trojans are a bit of a different beast, and there it is usually a useful piece of software that does
something that is indeed useful, but includes within it a Trojan horse, a piece of functionality that you
weren't expecting that does something malicious. An example there could be a video codec that
actually plays the video but also has something bad that it is doing in the background, also logs your
keystrokes at the same time. Trojans are problematic. Spyware which is usually a specific sub-family
that attempts to steal information from the system as opposed to sabotage the system. There are a lot
of different variations and the types are not mutually exclusive. A malicious individual writing his piece
of malware would use it or attempt to use it for many different purposes.
So this is at a high level malware. I often get the question about whether malware is another type of
virus. It is not another type of virus, it is the family name for all of these types of pieces of software.
So now that we have talked a little bit about malware, let's look at what are the motives, why do people
write them? And who writes them? So the primary or one of the primary contributors of malware, if
you will, or writers of malware is organized crime. In the past we were talking about anarchists and
Script Kiddies and other very remote and one-off attackers that were the primary writers of these
viruses. And while those still exist, the primary producer today of viruses are organized crime
organizations which are doing it for the purpose of gaining profit, basically making money. This industry,
this use and selling of stolen data or machine access or spamming, that is something that has become
quite centered in the world today to the extent that there are known and common price ranges for
different pieces of information; how much would a credit card cost? How much would your identity be
sold for when all of the information around it, the social security number and such is stolen and being
sold in the market?
So organized crime is a well funded group. These are people with means and they would actually hire
skilled developers and skilled software engineers to write pieces of nefarious software to try and evade
anti-viruses, to try and be as stealthy as they possibly can with the goal of usually stealing data in the
system, building up their spamming or distributed denial of service platforms, and in general an
assessment performed by McAfee estimates that across the world malicious software has, or I think it is
actually entirely all of the cyber crime has a cost to the world in 2008 of over $1 billion. That is definitely
a lot of money that was lost due to these types of attacks. So there is a lot of profit to be had. So
organized crime is definitely an element and probably the biggest writer of viruses, but there are other
players; there is the third bullet here which is the H4ck0rZ [Hackers] or Script Kiddies, basically the old
writers of these viruses, they are still around. These are those writing viruses to prove that they can.
Sometimes it is anarchists looking to show that the institution doesn't mind and a lot of times you
basically write the viruses for bragging rights to show that you could break through these walls of these
And then that middle one is around the world of the use of malicious software in these cyber security
attacks in the context of basically espionage and wars and conflicts between different countries. And
you can see the cyber warfare component in every new conflict that occurs today; with the war in
Estonia is probably the one that started off the attention given to this type of attack. So you would have
viruses that their goal is literally to steal information to be used later for intelligence by one government
or the other.
So malware is basically a family name for a lot of different types of malicious software that is being
written for different purposes such as profit, power or prestige. These are often referred to as the
And the last thing to understand about the malware industry is that it is very evolved and it is an
industry to the extent that you can see a lot of industry terms being used in this world. For example
today you can go off and you can buy common off the shelf pieces of software like this example that I
have here of Turkojan. And these are basically pieces of software that allow you to hijack and
manipulate and steal information from other machines without any technical skill. So you don't actually
need to be an attacker to be a very savvy security person. You can just buy software and use it. And
when you look at the numbers of attacks today, looking at monitoring the network and seeing what
attacks are performed, the majority of them come from these types of software.
So here I have an example of a common off the shelf tool that you can buy for $100 or more in different
editions, very similar to how you would buy a legitimate piece of software. In this slide 8 I also have
examples of other regular business models that are used in the malware world. The first one is one that
is very similar to the ad business model, the one where you have online ads which is the Pay-Per-Use
business model. If you are a website owner you could put an iFrame on your site that would lead to
some malicious piece of content that would try to install a virus on the user who is browsing it, on the
machine of the user who is browsing it. And you would be paid if you are the site owner and you put
that iFrame you would be paid per visit. So for every user that went in and actually got that iFrame you
would be paid a certain amount for every chunk of users, very similar to how ad impressions work. And
so that is an industry standard.
The other common concept that we see today is the whole notion of web-based interfaces and
cloud-based software and you can see that in the malware world as well, this is actually I believe
Russian-based, web-based central management of multiple machines, so this is a control system for a lot of
those machines that you have installed viruses on and you are trying to manage and perform actions
through them. Then you have malware as a service and other common spinoffs or modifications of
existing known practices in the legitimate industry that are reused in this malware industry.
So that was a little bit about the malware industry. And the goal there was just to explain that there are
some pretty significant players that we are going up against right now. There are well funded attackers
that are writing pieces of software for clear commercial or governmental gain and they are using the
best practices that are learned from the legitimate use, from the legitimate industry to maximize their
The other important takeaway from the discussion about the malware industry is that today you don't
need to be a very technologically savvy, security savvy person in order to be a user of malware, a
distributor of viruses. You can just buy it and then basically submit it over the wire, which as we will talk
about in a bit greatly increases the amount of malware that we see spreading around and we can see
the same type of attack being replicated in many, many different locations.
Okay, so we talked a little bit about malware industry, let's talk specifically about the malware through
the web. So if you are a bad person and you are looking to distribute your viruses, you can do it in many
different ways. It used to be that email was the primary delivery mechanism – it is still a significant one;
instant messaging was pretty common, it had its days of glory; network vulnerabilities, especially for
worms, you would have a virus or a worm on one machine that would try to push itself out to additional
machines. So there are different ways and again attackers do not limit themselves to one channel, the
same way a company would not limit itself to one channel of marketing or sales.
But when you look at numbers today, the primary delivery mechanism of malware is through web
applications. So this is basically the notion of having the malicious piece of software served off a web
application. And there are really two types of attacks there. One is called drive-by downloads and
basically means when you browse a website, you load up that page, and something on that page, some
malicious image, malicious script, something attacks you as you are loading the page and without
requiring any user action it attempts to actually infect your machine and install something as you are
loading, hence the term drive-by downloads. So that is one family of attacks.
The other attacks are more of a social engineering attack which is sort of the official term for tricking the
user into clicking something. So here you might have for example a family, there is the scare-ware
applications trying to scare you into clicking it. For example if you browse a site and you get a prompt
that says "A Virus has been detected on your system" and it is crafted and designed to look very much
like a legitimate message from an anti-virus product, "Click Here to download the utility that would
clean up that virus from your system." So it tries to scare you into downloading the virus, often times
actually using messages that alert against viruses. And many users fall for that. And there are a lot of
variations of social engineering.
So malware is delivered through the web, it is delivered either implicitly or explicitly by tricking you.
And it can also be delivered from many different components of a web page. A web page today is not a
simple entity; it has images, it has components, it has iFrames that go to external pages, it has links to
other pages, to other domains. All of these are potential vehicles for attacks. The most important
takeaway from that is that in some cases you browse a site and the malicious software or the attack is
actually served from the site that you are browsing. And in some cases there is an iFrame on that site,
gets you to another domain, like the iFrame 911 that we saw before and basically that other domain is
the one serving the malicious software.
From a user's perspective, you don't much care. You browsed the page and then you got infected, the
impact is pretty much the same.
So looking at a few statistics on Client-side exploits, these clearly show that this is a growing problem.
When you look at the first, the larger graph here, it talks about the percentage of exploits, of client-side
exploits and where are they focused on. And you can see that almost 60% of the exploits in the first
half of 2008, and this has been a growing trend, are focused around the browser and the browser
components. That means that more and more of these attacks and these exploits attempt to actually
manifest themselves when the user browses a site. He browses a site and then something in that
content attempts to exploit a browser-based vulnerability. And you can see how that has changed over
the years. It used to be quite minor not that long ago, in 2004, and today that is clearly a growing trend.
The other two graphs show interesting other statistics. The top right one talks about how quickly the
exploits in the wild between a vulnerability disclosure to an exploit. So as soon as a vendor lets, a
Microsoft discloses or publishes a vulnerability that they have fixed in Internet Explorer, in 80% of the
cases, in that same day that they disclose that vulnerability with a patch, with a solution, there would be
an exploit in the wild. You need to ask yourself the question – how quickly do you apply those patches,
both as a user and as a web site owner. How quickly do you apply these patches? Have you ever clicked
that Restart Later button after you installed those patches? It means you are not protected, you have
delayed that prompt from the Windows update. Every time you delay that, in 80% of the cases
there is an exploit in the wild already trying to hijack your machine. So it is a pretty alarming stat. And
you can also see there how the malware industry has improved over the years and they have gone from
20% of the cases having an exploit in the wild in the same day to 80%; they are clearly becoming more
And the other interesting stat is that when you talk about browser-based vulnerability, the
vulnerabilities are not just in the browser. The browser today is an ecosystem – it is almost an operating
system by itself and it has a lot of add-ons on it. Those would include some known ones like Flash, Java
Applets, also some of the QuickTime movie players – a lot of these add-ons that are very prevalent and
very common in your browser environments, and there are a lot of smaller less common or less broadly
used components and add-ons. All of those are potential targets for these exploits.
So so far we have talked about, again the malware industry and these attackers, and we talked about
how the attackers have shifted from attacking through primarily email or instant messaging to very
much being web-based and deliver attacks through the web. However, up until now we were
talking about a malicious site; we were talking about a site that you somehow had to be tricked into
browsing, sometimes there are a lot of sites that are considered gray area and are often in reality
malicious sites. Those often include porn sites or adult-oriented sites. Also warez sites, illegal software
download sites, when you are downloading software illegally through [b-tour], [in-tour] or other such
means; often times these sites that are already in the gray area of the law would also have malicious
components on them.
But those are still a small subset of the sites. You could still relatively protect yourself through being
cautious about which pages do you browse. So what we are looking at on Slide 13 is basically the
problem that occurs today which is that the need to browse a malicious site in order for you to be
attacked has gone away. So one of the fastest growing problems today and I have a variety of quotes
here from all sorts of security research summaries that occurred in 2008 by different companies, all of
them show a rapidly growing trend of legitimate sites serving malware. So this is a real, kosher
legitimate site like a federal traveling booking site, or company sites or Twitter or TrendMicro an
anti-virus company by themselves or Business Week – definitely legitimate sites, not trying to attack you on
purpose. But these are sites that have been compromised and instead of, or in addition to trying to get
to their own data, let's say Business Week was compromised, the attacker may be looking to get data
from Business Week subscribers and such, but either instead or in addition to that some malware, some
malicious piece of content was left behind. And then the users that browsed that site are getting
attacked. The Business Week's website owner doesn't know that and the users don't know that, but
basically those sites are being used to spread out malware.
And this is very much a very big problem because it breaks the logic that we had before. Before we
were talking about user education, we were talking about be careful which emails you open up, be
careful which sites do you browse. And basically this sense of legitimate sites serving malware means
you are almost helpless as a user – you don’t have a way to avoid exposure to these attacks. We will
talk a little bit later about client-side software that you can use to try and protect yourself. But you can
avoid being exposed to the attacks. You have browsed these legitimate sites as a part of your day to day
work. One of these examples is a federal travel booking site; as a part of your job when you wanted to
travel somewhere you had to go to that site and book travel through it. So it is clearly a problem, it is
clearly an issue and it is one that breaks the traditional protections, the traditional education – you can't
blacklist the URL. You can't say now I am blocking access to the domain Business Week because that is a
part of people's day to day usage.
So, we will talk more in the next few slides about how does it happen, how does the malicious piece of
software get on those sites and of course what can you do about it. But this is basically the problem
that we are looking to address. And you can see some alarming stats that talk about how these attacks
have grown 4x over the last year; we are talking about almost – stats vary actually in different reports –
between 60% to 80% of malware in the web today is being served off legitimate websites. And we are
also talking about between I think 100,000 and 200,000 attacks per day being identified that are
attempting to do this. Actually, excuse me, the statistic is between 100,000 and 200,000 pages are
being compromised daily based on some stats from the ISS X-Force team. So it is clearly a rapidly
growing problem and more and more sites have that. And I have a few specific examples in the next
So before we get into examples, maybe a few tips about how can this happen. How can a website get
compromised, a legitimate website? So there are a lot of ways. The four primary ways are, one is user
content – so user content is something that becomes prevalent with the Web 2.0 theme, we are all
familiar with wikis, we are familiar with blogs. There are [post-back] sections on news sites. The Web
2.0 theme is very much community-driven information and a lot of the data gets posted by users. If
there is improper sanitization and handling of that data, you could have flaws. For example, let's say
you have a blog that allows posting an image. Potentially that image could be an image that is
maliciously crafted to exploit a vulnerability in some graphics library that is being used when somebody
browses it. So you haven't really done anything bad in your website, but you have allowed users in your
blog to upload their content and you are serving it back and that content may be malicious.
On a similar note you might be including third party content like ads or mash-up applications, just
content from additional domains, and once again that is content that is outside of your control, that
third party components may have been compromised itself or it may be malicious. For example, think
about an ad service serving all sorts of flash banner ads. These pieces of Flash actually run scripts and
they can perform some pretty significant exploits if the ad company is not properly vetting and analyzing
each Flash banner that they pass along. You might have a malicious Flash file being served on your
application and actually serving malware.
The third and pretty obvious one is vulnerabilities themselves. So these would be vulnerabilities either
in your own code, web application vulnerabilities that allow command execution, allow persistent
cross-site scripting – a lot of these vulnerabilities in your own code. Specifically Rational AppScan is a tool that
you would use or is a tool that you would use to try and avoid having these problems in your
application. But also the second bullet here, sorry the first bullet, the unpatched/0-day vulnerabilities is
today the primary delivery mechanism of malware. These are vulnerabilities in the software, in the
underlying infrastructure that your website runs on.
So for example maybe you are running an Apache web server and in that specific version today there is
an exploit that is being disclosed – sorry, there is a vulnerability that is being disclosed. And as we saw
in 80% of the cases there is an exploit in the wild. So it attempts to exploit that vulnerability and tunnel
and inject some piece of malware through it. How quickly do website owners usually apply the patch?
Very rarely do they do that in the seconds after the patch was deployed. So it is very much a race and
that even doesn't address the undisclosed vulnerabilities, those vulnerabilities that the attackers found
but were not yet disclosed. So the owner, the vendor doesn't know about those yet. And the problem
with these types of vulnerabilities is that they can work in mass, and we will talk about these mass SQL
injection worms in a bit.
And then last but not least is the notion of internal attacker, another growing threat. It could be that
the malicious content has been injected from within the network from a disgruntled or blackmailed
employee, especially in an international organization, or through other viruses and malware that you
have on your system, in a sense a form of worms propagating themselves. So there are a lot of different
ways to compromise your sites.
And kind of the last bullet to mention on that front is that making sure that your website is not serving
malware is something that is the website owner's responsibility. It is the same way that it is your
responsibility to ensure that your application properly secures the data that gets uploaded to your
system if the customer uploads his credit card to your system in order to purchase something he expects
a certain level of security from your site so that you would protect his credit card from being stolen. The
same goes for personal information. So this is very similar in its concept. If you are serving malware you
would lose customer data, you would lose customer trust, your brand would be harmed, there might be
legal liabilities depending on the situation, and there is also a growing interest in this type of problem
from regulations. There is talk about PCI's next version, requiring that you perform some sort of routine
malware analysis to ensure this isn't happening. So it is very much you as a web application owner, as a
website owner, it is very much an issue for you; it is your responsibility to ensure you are not attacking
those browsing your site.
In the next few slides I have about four examples that are just, I will quickly go through those and what
those serve is just a few examples in a bit more detail about such incidents of legitimate sites serving
malware. The first one was published on the Washington Post but it is not a vulnerability on their site
where a travel booking site for the federal government has been hacked. And basically the reason the
vulnerability that allowed the malware to be uploaded was some vulnerability, some misconfiguration in
the eAuthentication item. So this was a misconfiguration, sort of an infrastructure/application
vulnerability. And the result was that that site was serving malware. Basically once you have logged
into the site you would get redirected to a malicious site that would attack you. And the virus that was
spread through that system was actually a pretty new virus and it evaded the anti-viruses that were on
people's system, at least for awhile. And that resulted in at least, and this was a little bit rumor-based
because being in the federal government the attacks were not fully disclosed. But I think the details that
I managed to find talk about four sub networks in the federal government that have been compromised
with these viruses and had a bit of a hard time getting rid of them.
So that is sort of one example of a vulnerability that serves it and obviously the sensitivity here is the
fact that this was actually the federal government travel booking site, so it is a site that people access
from their intranets at work.
The second example, which is interesting, is BarackObama.com. In this example, BarackObama.com had
a subsection, kind of my.barackobama.com, a part of Obama's understanding of the social network and the
use of it in the internet, so users/supporters of Obama could open blogs and upload data. So this was
basically a blogging sub-portal on BarackObama.com. And what it allowed is it allowed it to post videos
from other domains or actually specifically what they have done here is they have used the ability to
upload images. So what users experienced was a malicious user posted a blog, obviously it was not
known to be a malicious user, and posted an image on that blog that looked like a YouTube video and
served as a hyperlink. So that was a feature that the site allowed; the blog allowed you to open an image
and have that image be a link. So users are very familiar today with that YouTube like video. They
clicked the play, it launched them, took them basically to another site that in turn tried to play that
video and prompted them to install a video codec which was actually a Trojan.
So there is actually a few components here and this might have been done more efficiently from the
attacker's perspective, but users were tricked into, socially engineered into choosing to play that video
first because they were used to these videos, they are used to this format, this style of this YouTube
video that is embedded in pages. And the second thing was that they got prompted to say, well you
want to play this video you need to install this add-on. Because they came from BarackObama.com they
trusted that this was a piece of software that they can rely on and they have approved it and a good
number of users were compromised. And the interesting thing is that because of the popularity of that
portal and that domain, the attackers actually used that along with additional promotions to get this
very high up in the Google search, so a lot more people would be exposed to this attack.
The third example and I will kind of quickly go through those because I am spending a bit too much time
on those is a back-door, so WordPress is probably the most widely used blogging software in the world
today. And what happened here was more of an internal attacker that went in and modified the files
that were being downloaded and added a back-door to those files. So if you downloaded WordPress
for, I think they caught onto this in a couple of days. So if you downloaded WordPress in the span of
these two or three days and installed it, you had a back-door on your system and the attacker could
basically access your system and execute any code they wanted on your machine.
So that is more the WordPress website serving you a malicious package unknowingly because that
malicious package has been modified.
And then last but not least is one that is pretty well known from last year. Not the last Super Bowl but
the one before that, a short span of time before the actual Super Bowl, that site got compromised with a
malicious script. Actually what this was was an iFrame, I believe, that included that malicious script that
tried to exploit a couple of vulnerabilities in the Windows OS and spread them out. And the interest
here, the vulnerabilities that were being exploited were actually a bit old, so this could have had a lot
more impact than it actually did. But clearly the interesting aspect here is the fact that the Super Bowl
website attracts a huge amount of traffic. So a lot of users, a lot of people browsed those sites often,
people that are not necessarily very computer savvy and got compromised with these attacks.
So these are just a few, four examples of sites that were compromised. One more thing that I want to
comment before I get into solutions and kind of stop talking about this problem is about these mass
automated SQL injection attacks. So, we talked about the fact that the malware industry has become
more proficient in producing tools that others can use. One of the latest is a tool that works roughly in
this fashion. You would get the tool, you would buy it, you would launch it up, tell it what is the piece of
malicious software that you want to install. So you would give it a virus or an iFrame that maybe you
bought from somebody else. And then you would look for that tool to propagate your malicious
software across the world. So you are not attacking a specific site; you have a virus and you are looking
to spread it out. So it is a very different approach than targeting a specific site and trying to hack into it.
So you are going to hack into any site that you managed to hack into.
So what this tool does is it loads up, you give it that information, it goes to some server, they are often
referred to as Chinese SQL injection worms just because the servers and the known variants have often
been in China. So they go off to some server, let's say in China, and they download the latest exploits,
the latest known vulnerabilities, similar to what a security tool would do. And then they go off and they
perform the attacks using these signatures. So the tool does that automatically, again doesn't require
expertise from the user. And they would actually use Google or other search engines to look for
fingerprints. For example if you know that Apache version X has a certain vulnerability then just kind of
latching on to Apache here, all of the web servers have these issues, then identifying that Apache
version X is running can usually be done using all sorts of search criteria. So users would actually use
Google and such to search for potential targets and then attempt to attack those.
And this type of approach is probably the primary reason that the amounts or the numbers of these
types of attacks have increased so dramatically and why we are seeing hundreds of thousands of pages
being compromised daily. And the tools are easy to get to and it is basically the fact that the industry
has released a very efficient tool – the malware industry has released a very efficient tool – and it is
really a type of system that is very hard to fight against and is probably not going to go away any time
soon. Because the types of vulnerabilities, the types of viruses, those vary constantly and are hard to
keep track of.
Okay, so up until now we talked about the problem. We talked about the industry, we talked about the
propagation of malware over the web and specifically through legitimate sites. Let's talk a little bit
about solutions. So first of all on the client-side, on the client-side – and this is not an area where we
have necessarily software from Rational for – you basically just need to, there are various tools and you
should probably use those to attempt to protect yourself. There is nothing foolproof; there is no perfect
anti-virus today. There are always 0-day vulnerabilities. But you basically want to mitigate or reduce
your risk. So this is you as a user.
You still want to act smart. You don't want to ignore any security warnings that you have, but you don't
want to just click something that you didn't expect. You don't want to browse the sites that you think
are concerning; you still want to be smart about that. And you want to use the address bar to make
sure that the site you think you browsed is indeed the right one.
You definitely want to use desktop or endpoint security solutions such as anti-viruses, anti-malware, a
personal firewall. If you want to take it to the next stop, or to the next step, Firefox has an extension
called "NoScript" which doesn't allow – you basically need to explicitly allow scripts from every domain
so by default it doesn't allow scripts to run and you need to white list specific domains. And the third bit
is to stay current. Basically both the anti-virus companies, the operating system companies, the browser
companies, they all have a very standard update mechanism, but you have to use that update
mechanism. If your operating system is not patched, it is more vulnerable. If the anti-virus solution that
you have is not up to date, it would miss the latest viruses. So you definitely want to stay current. And
as a corporation you probably want to get a web gateway or an IPS to basically put in front of your
network. These solutions are not perfect by any stretch, but they are better than having nothing; they
will catch some known attacks.
So these are kind of client-side vulnerabilities. They are not what we are here to talk about. What we
are here to talk about is about server-side solutions. So if you are a website owner and you
acknowledge this is your problem or this is a problem that you need to face, what can you do? What
can you perform to reduce the risk or eliminate the risk of attacking users browsing your site?
So there are a couple of existing solutions today. Both are quite limited. One thing you can do is you
could put an IPS or a network protection device or filter device in front of your site so that anything that
you return to the user, any traffic coming back from your site would be inspected by this IPS. And if it is
malicious it would be blocked. These tools and these approaches are fine, but the problem with these
tools is that because of their nature they need to support an enormous amount of traffic that passes
through them. And because they want to maintain a certain throughput, you don't want them to
reduce your performance, they can only afford a fraction of a second to every piece of data that passes
through them. The result of that is that they see the data, the malware would actually pass through
them but they can only look for known patterns, they can't do any deep analysis. They definitely, we
talked about an iFrame being embedded in the page and that leading to a malicious site, they definitely
don't have the bandwidth to go off and request everything on that page on the user's behalf.
So they would do the analysis in a very shallow fashion. They just won't go deep. So while the malware
would or the malicious piece would pass through them, they would see it but they would not identify it
because they have to be very quick in their analysis.
The second solution is to use anti-virus software on the server. So on your actual web server and web
application server. And the problem with that solution is that of visibility. So the anti-viruses, while not
perfect, are probably the best techniques you have today for identifying that there is a virus but they
generally scan files, they don't scan web pages, they don't scan data. So two primary repositories of
data that they would never scan and therefore never find malware in, one are the database – some anti-
viruses are now building some capabilities to analyze databases, but most of them can't really scan the
data within the database, within your custom tables, so if they don't scan the data, and that is often
when most of your web data is in, then they would clearly not identify a virus there.
And the second may be a bigger problem is that once again they never see the page in completion and
therefore if there is a malicious iFrame on your page, there is nothing malicious on your site. There is an
iFrame which is generally legit that goes to another site and that site has something malicious. So if
there is a malicious iFrame on your site the anti-virus would never clue into that. And these injections of
malicious iFrames are the primary attack technique that is used today. Generally the most common
attack is an iFrame to a malicious site that is being injected through a platform vulnerability.
So these are good solutions in the sense that they do improve your security posture but they are very
limited, they still leave a lot to be desired.
So we talked again about the problem and we talked about the existing solutions, and this is basically
the point to introduce this new capability. We have acknowledged the problem and the gap in the
existing solutions and we wanted to offer a new capability that would actually help you address this in a
more efficient fashion.
And we took a different approach to it. What we do is http based malware scanning. So we are
combining the http view with more of an anti-virus like capability. And the solution really works in two
or maybe three phases. The first phase is the discovery part, and in that case we use Rational AppScan's
deep scanning capabilities to discover through the site. So Rational AppScan can already to date
traverse modern web applications automatically or manually and get through all of these advanced
technologies that remain then, executing JavaScript, executing Flash, supporting all of these complex
log-in processes or states, supporting of course SSL. So basically browsing and discovering the entire
sites. This is somewhat akin to maybe to an anti-virus going through all of your file systems, but in
this case we are looking at the page in completion. So if it comes from multiple domains, if it comes
from different locations, from the database, from the file system, we don't care – we look at it from the
victim's point of view. But we traverse the entire site.
So that is the discovery piece. And then the second piece, and this is where the ISS technology comes in,
is that we analyze everything that we see for viruses. So we do two types of analysis there – we analyze
all of the content that we see to see if it is a virus and then we analyze – so let's say we would do that
for everything within your domain or maybe even linked off your domain. And then wherever it is that
we stopped, we would look at all of the links further and we have to stop at some point because we
don't want to start scanning the web, and we would compare those to a known blacklist of URLs,
basically a database that says whether a URL is a sports URL, is a news URL or is a malicious URL.
So, and we will talk about those technologies more in the next slide. But at a high level this http-based
malware scanning performs an http explorer, discovers the site and then basically analyzes everything
that it saw.
The first type of analysis, the malware, the content analysis is basically akin to browsing your entire
site in an automated fashion in a machine with a very up to date anti-virus to flag, and flagging any
behaviors or any problems that we see.
So if we look at the technologies involved, so one piece is the AppScan technology. And the AppScan
technology is around, basically takes care of the discovery part of getting through the entire site, the
deep scanning capability. And the other technology is what we pulled in from the ISS group, and there
are actually two engines that we have done here, that we have used here. One is more of an anti-virus
like engine called VPS and this is a very complex and advanced behavioral analysis engine that basically
looks at a piece of binary or a page with components of it or scripts and attempts to understand or
assimilate the behavior in a very secure fashion, the behavior of that executable or application would
do, and tries to see if anything is nefarious there. Does it attempt to override system files, does it
attempt to access the network? Are there some other meta behaviors that are known to be malicious
or appear to be malicious? And then it flags those issues. So probably the simplest way to think about
this, this is an advanced anti-virus.
And then the second technology we use is that web filter repository. So in ISS there is a group building
this web filter repository, so they have this server farm that constantly scans the web like Google does,
identifies new content and classifies that, getting to one URL and saying this is a news site, this is a
sports site, this is a phishing site, this is a malware site – this is an illegal download site. So it basically
uses a very, very broad set of algorithms including VPS, but many others as well to classify these
domains. And in general this data is used in web gateways. So often corporations would have a web
gateway where all of the traffic, if you don't want your employees browsing porn while they are at work,
then you would put a web gate and you would block access to porn sites. What is and is not a porn site,
that is information you would get from this repository. In addition these web gates will also try to
protect their users by not allowing them to browse malware sites.
So what we do is we basically look at all the external links that we found on our site at the point where
we don't do the analysis ourselves and we ask this repository what are the categories of this link and
we flag malicious or unwanted such as illegal links to you as a user.
So this is the new capability. I ended up talking primarily about the background and the problem and
the solutions because the technology that we are building here is pretty straight forward. We scan the
site over http and then we analyze it with existing technologies of an anti-virus like engine and a web
gateway like functionality. But the approach that we have looking at it from the http point of view
overcomes the problems that we identified in the existing solutions. So the fact that it is http based
means you have access and visibility to all of the content and the links, basically if we are not attacked
then the user won't be as well because we are looking at it from the same point of view. We are loading
On the flip side it is a scanning solution, so it has the time, of course you want the scan to complete
quickly, but you don't need, you are not limited to that fraction of a second for every piece of data that
comes in. So you can actually perform that behavioral analysis, you can actually go off and analyze and
maybe request those links.
So, the combination of that visibility which is described in the third bullet as well with the ability to be a
scanning solution and actually inspect what you see in a more deep fashion is the killer combination
here, is a strong combination that allows this solution to flag problems that you would not otherwise
identify. Another slightly more minor benefit is that we can flag suspicious behaviors, all of these run-
time solutions have the limitation that they have to be black and white – you are either blocking or you
are not blocking. We can properly prioritize and split them up, but we can flag types of behaviors that
seem suspicious that the user can later inspect himself.
And so this is the new capability we are building and I will talk about it in our portfolio. But above and
beyond the functionality, this is also exciting from the fact that we are tapping into existing technologies
within IBM. So I am in the Rational AppScan group, and one of the exciting pieces here is that we could
leverage very, very advanced and complicated technology of identifying viruses and classifying these
URLs which we would be very hard pressed to build as an independent group. And there are a lot of
these types of projects going on right now with AppScan and within in general the security families or
security products within IBM where more of these integrations and reuses of technology of very
powerful tools is being done so that we can offer powerful capabilities with a lower level of investment,
thus offering it up in a more quick fashion and giving you more services as customers.
And in addition, I will talk a little bit about these offerings, is that this technology is useful both as a
product and a SaaS offering and it is a natural addition to our AppScan On-Demand Production
Monitoring Tool Suite – I will talk about those in the next slide.
Okay, so this is sort of a summary slide a little bit talking about where is this capability available. So we
built this capability and the goal is definitely to have this across our product line. Right now you can go
off and you can download an AppScan Standard Edition eXtension. So we have the AppScan eXtension
Portal that you can get to through the AppScan developerWorks page – you can just Google up AppScan
eXtension Framework. And we have a malware scanner eXtension that you can download and add, it is
a free add-on to AppScan and you can use it to perform the malware scanning.
This has also been added to all of our software-as-a-service offering, so if you want to perform the
scanning but you don't want to host the software yourself, you want to scan your site periodically, then
we can do that for you through our software-as-a-service offering. So those are available today and by
the end of the year in our fall releases this malware scanning capability would be added across our
products – the AppScan Standard, AppScan Enterprise products. So it becomes a tenant, it becomes
another core capability in our product suite.
Okay, so that was it about malware scanning. We talked, just to summarize, we talked about the
industry, the attacker, we talked about the attack vector attacking through the web and compromising
legitimate sites. We talked about the existing solutions and their strengths and weaknesses and then
we talked about the new offering, the new capability, the malware scanning capability that the Rational
AppScan family has now added.
With that I will turn it over to Angelique and we will have some time for questions, a couple of minutes
for that later on.
Angelique Matheny: Thank you very much Guy. This was a very informative presentation and we really
appreciate you taking time out to speak about this important topic. It is very important. You did a great
Just as a reminder to our audience, there is still time to submit questions through the question
submission field on the left side of the event console. Your feedback on today's presentation is also
very important to us. In a moment you will see a survey pop on your screen and we ask you to help
shape the content of our future webcasts. We greatly value your opinion and look forward to hearing
what you have to say about today's presentation. But before we launch our survey and begin the Q and
A session I wanted to mention a few additional resources available to you from IBM.
As you can see on this first slide we have some additional web application security development
resources for you. If you are looking for trial codes, check out the developerWorks link listed here to get
And on the next slide, free trial downloads of IBM tools. These free downloads provide easy access to
IBM's most popular trial software and include a collection of supporting resources for you to trial.
Please visit developerWorks downloads for the complete list.
And on this slide you will see that our briefings are a great way to get additional education. They are
live, local events and you can see that there are a variety of technical briefings being offered. These are
held throughout the year in various cities around the country and around the world so check out the
website listed on this slide to see what is coming to a city near you. I should also mention that there is
no charge to attend these events.
And on the next slide you will see IBM Rational Training Solutions. You can certainly boost your
productivity with Rational Application Development Software. Some of the top rated and recently
announced new courses are a great way to get that additional education.
If you would like to buy what we have discussed today or any of our other products, the IBM Software
Catalog will help you quickly find what you are looking for. Our interactive online catalog names up to
date product and pricing information and allows you to order online or by phone. And finally as you can
see we are ready to begin our Q and A session. Our first question Guy, we have two or three in here
that I think we will have time for. This says, are any of your competitors offering this type of ability?
Guy Podjarny: Thanks Angelique. So the answer to that is certainly in a nutshell no. This is sort of a
new capability and as I mentioned it is a capability that we had the benefit of adding only thanks to this
technology that we can harvest from the ISS world. So at the moment there are some small offerings,
some small capabilities from some specific I guess vendors that are offering the malware scanning
abilities, specifically generally these are very small time players and not players in the web application
security world in any significant fashion. So we do see this as a competitive strength as well or as a
unique capability. And it is part of our mandate, it is part of our challenge to constantly attempt to
remain on top and to offer these capabilities based on what our customers would like us to provide.
Angelique Matheny: The next question, does it make sense to use malware scanning on a pre-
production site? Good question.
Guy Podjarny: Yes, so the short here is no. Generally it is important to differentiate the capability that
Rational AppScan provides in its core, which is identifying vulnerabilities and the ability to identify
malware on a site, which is find out that the website has been compromised. So most of the
vulnerability scanning in today's world is done on pre-production sites, although savvy users or security
aware organizations also scan their production systems on a periodic basis. But in general when you are
looking for vulnerabilities it is okay if you have a mirror environment, a staging environment that mimics
your production system, and then you can scan that system and you know that if you identify the
vulnerability there, it is the same code, it is the same platform in the production system, therefore it
would have the vulnerability in the production system as well.
On the flip side, for malware issues, you are basically looking for proof or indications that you have been
compromised and that you have been compromised to serve malware. Because in a pre-production site
you use that application, the data that drives it have not really been exposed to users. There is no way,
there is no real risk or reasonable risk for them to have been compromised. So it doesn't really make
sense to scan that pre-production system when you didn't give it a chance to be compromised.
So basically it doesn't really make sense to use it, but you can, to perform malware scans on pre-
production sites, but you can scan with the same tools that you use. With the AppScan tools you can
perform the vulnerability scan on your staging site and you can perform the malware scan on your
production site. Or of course you can use our service for it.
Angelique Matheny: And you just mentioned that service – we are reaching the top of the hour but I
think we have time for this question since you just mentioned it. Do you offer service that can do this
scanning for me?
Guy Podjarny: So that is a very, very common question, and we definitely do have that service and it is
probably even the easiest way for you to incorporate malware scanning. We have a suite of offerings
called AppScan On-Demand which is basically our software-as-a-service offerings where we run and host
the software for you and run these scans. We have On-Demand offerings for vulnerability assessments
so we would actually scan your site for vulnerabilities, both pre-production and production sites. And
we specifically one of those offerings is called AppScan On-Demand Production Monitoring. I mentioned
it briefly before. So this is a specific software-as-a-service offering where we scan your site on a periodic
basis from our environment, very little effort for you, very simple for you to get started and we scan
production sites. So that is a service where malware scanning is a very natural addition to and it has
been added to it, so you can just use our AppScan On-Demand offering and again it is a very simple
process and it can get up and running and get those scans without any skills or significant amount of
work or effort on your behalf.
Angelique Matheny: Guy, is there a link that we can point our customers to, to find out more about this,
what you are doing?
Guy Podjarny: I don't have the link by heart, but if you just Google up AppScan On-Demand you would
get to that offering. And if you go to the devWorks AppScan, to the Rational AppScan devWorks page,
again just Google Rational AppScan, it would be there in our family of products. And it is called AppScan
On-Demand Production Monitoring.
Angelique Matheny: Okay, great. I think you mentioned that as well. Well, thank you very much, Guy.
This webcast will be available for replay in about 24 hours using the same URL, so share it with your
friends, or listen to it again. I would like to thank our speaker today, Guy Podjarny for being with us to
talk about "Malware: It's Everywhere." We would also like to thank you, our audience, for your interest
in IBM. We hope to see you back for another one of our events in the near future. Thank you very