Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Cisco 3Q10 Global Threat Report

advertisement 
Cisco 3Q10
Global Threat Report
Contributors:
Gregg Conklin
John Klein
Mary Landesman
Shiva Persaud
Tom Schoelllhammer
Chad Skipper
Henry Stern
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered
trademarks or trademarks of Cisco and/or its affiliates in the United States and certain other countries. All
other trademarks mentioned in this document or Website are the property of their respective owners. The use
of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
1
© 2010 Cisco and/or its affiliates. All rights reserved.
Key Highlights
• 79% of clicks on “Here You Have” email occurred within the first three hours of the
worm’s spread.
• Approximately 10% of Web malware was encountered via search engine traffic
and/or services.
• D
uring 3Q10, 7% of all Web malware encounters resulted from Google referrers,
followed by Yahoo at 2%, Bing/MSN at 1% and Sina at 0.1%.
• E
xploits targeted Sun Java increased from 5% of all Web malware encounters in
July 2010 to 7% in September 2010.
• E
xploits targeting Adobe Reader and Acrobat declined over the quarter, from 3% of
all Web malware blocks in July 2010 to 1% in September 2010.
• 3
8% of those impacted with Stuxnet were located in the UK, 25% in Hong Kong,
and 13% each in Brunei, the Netherlands, and Australia.
• A
t 5%, the Windows Print Spooler vulnerability exploited by Stuxnet was the 5th
most prevalent event handled by Cisco Remote Operations Services (ROS) in 3Q10.
• T
he Rustock Botnet was the highest occurring ROS event in 3Q10, at 21% of
events handled during the report period.
• Peak Rustock activity occurred in late August 2010, declining in September 2010.
• A
mong the top ten spam sending countries, volume of spam sent also dropped in
September 2010 for 8 of the top ten countries. However, spam sent from Russia
and the Ukraine increased in September 2010.
• V
olume of “Here You Have” email reached a peak of 10% of all spam during the
worm’s initial outbreak.
• V
olume of spoofed LinkedIn email delivering the Zeus Trojan reached a peak of
31.26% of all spam during a later stage of its outbreak.
2
© 2010 Cisco and/or its affiliates. All rights reserved.
Encounter Rates
Enterprise users experienced an average of 133 Web
malware encounters per month in 3Q10 (see Figure
1). The number of unique Web malware hosts was
highest in August, at 15,842. Unique Web malware
URLs were also highest in August, at 39,001.
Figure 1 Average Web Encounters per Enterprise, 3Q10
Source: Cisco ScanSafe
160
120
Collectively, there were a total of 36,154 unique
Web malware hosts resulting in 102,058 unique Web
malware URLs in the third quarter (see Figures 2 and 3).
Exploits
65 percent of all
web-based malware
encounters were blocked
prior to exploit code
or involved encounters
which did not include
exploit code. Of exploits
that are encountered,
those targeting Adobe
Reader/Acrobat, Sun
Java, and Adobe Flash
were the three most
common during the
first half of 2010.
Cisco Security
140
100
80
60
Approximately 10% of Web malware was encountered
via search engine traffic and/or services. During
3Q10, 7% of all Web malware encounters resulted
from Google referrers, followed by Yahoo at 2%, Bing/
MSN at 1% and Sina at 0.1%.
40
20
0
Jul
Aug
Sep
Traffic resulting from the September “Here You Have”
email worm was 0.3% of all Web malware encountered in September 2010. 8% of Cisco ScanSafe
customers clicked through on the link contained in the worm’s email. 79% of the click-through attempts
occurred in the first 3 hours of the worm’s spread. Cisco ScanSafe’s Outbreak Intelligence™ detected
and blocked all attempts.
Figure 2 Unique Web Malware Hosts, Jan-Sep 2010
Figure 3 Unique Web Malware URLs, Jan-Sep 2010
Source: Cisco ScanSafe
Source: Cisco ScanSafe
18000
Cisco Security
16000
45000
Cisco Security
40000
14000
35000
12000
30000
10000
25000
8000
20000
6000
15000
4000
10000
2000
5000
0
0
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
On average, 65% of all Web malware encounters are blocked prior to exploit code or involve
encounters which do not include exploit code. Of exploits that are encountered, those targeting Sun
Java, Adobe Reader/Acrobat, and Adobe Flash were the three most commonly rendered during the
third quarter of 2010.
Sun Java exploits increased throughout the quarter, from 5% of all Web malware blocks in July 2010 to
7% in September 2010. Conversely, PDF exploits targeting Adobe Reader and Acrobat declined over
the quarter, from 3% of all Web malware blocks in July 2010 to 1% in September 2010. The third most
common exploit rendered via the Web were exploits targeting vulnerabilities in Adobe Flash player,
which averaged 0.4% of all Web malware encounters throughout the quarter.
3
© 2010 Cisco and/or its affiliates. All rights reserved.
The Vertical Risk
Companies in the Pharmaceutical & Chemical vertical were the most at risk for Web malware
encounters in 3Q10, experiencing a heightened risk rating of 372%. Other higher risk verticals in 3Q10
included Energy, Oil, & Gas (209%), and Agriculture & Mining at 169%. The median rate for all verticals
is reflected as 100% - anything above that is considered heightened risk, anything below 100% is
below the median.
The Stuxnet Worm
Figure 4 Vertical Risk: Web Based Malware, 3Q10
Source: Cisco ScanSafe
The SCADA-targeting
0%
Stuxnet worm was first
100%
reported in July 2010 by
Belarus antivirus vendor
VirusBlokAda. That initial
report was based on the
analysis of a June 17th
sample of the worm
with the initial confirmed
infection at a power plant
located in Germany.
Upon successful infection, the Stuxnet worm
ascertains whether an
Internet connection
is available and, if so,
Agriculture & Mining
Food & Beverage
Media & Publishing
HVAC, Plumbing, Utilities
Banking and Finance
Transportation & Shipping
Travel & Entertainment
Engineering & Construction
Retail & Wholesale
Healthcare
to mypremierfutbol.com
Real Estate & Land Mgmt
and todaysfutbol.com.
Government
Education
An analysis of Cisco
ScanSafe Web traffic
Legal
processed in the third
were from the Energy &
500%
Energy, Oil, and Gas
Manufacturing
outbound request, 50%
400%
Cisco Security
outbound GET requests
of those making the
300%
Pharmaceutical and Chemical
makes specially formed
quarter reveals that
200%
Charities & NGO
IT & Telecommunications
Professional Services
Aviation & Automotive
Oil sector and 50% from
the Pharmaceutical &
Chemical industry. 38%
of those impacted were
in the UK, 25% in Hong
Kong, and 13% each in
Brunei, the Netherlands,
and Australia.
Stuxnet and CVE-2010-2729
The vulnerability described in CVE-2010-2729 exists due to an error in the Windows print spooler
service. The service fails to properly validate remote procedure call (RPC) requests and improperly
determines user permissions. As a result, the service may allow an unauthorized user to print to an
arbitrary file location. A Microsoft update to address this vulnerability was released in September 2010
(MS10-061).
The first known in-the-wild exploit of the vulnerability was by the Stuxnet worm, initially discovered in
June 2010. During the 3Q10 report period, this vulnerability was the 5th most frequently encountered
event handled by Cisco Remote Operations Services (ROS), comprising 5.08% of events handled by
Cisco ROS during the third quarter. The following chart illustrates the top ten events handled by Cisco
Remote Operations Security in 3Q10.
4
© 2010 Cisco and/or its affiliates. All rights reserved.
The Rustock Botnet
Cisco Intrusion
Prevention System
The Cisco Intrusion
Prevention System (IPS)
provides protection
against over 30,000
known threats with
Cisco Global Correlation
to dynamically
recognize, evaluate,
and stop emerging
Internet dangers.
Global Correlation
combines the inspection
capability of new and
existing signatures
with intelligence from
the Cisco SensorBase
Network. Network
participation and
reputation are the two
core components of
Global Correlation.
Network participation
enables IPS devices
to send data such as
signature IDs, attacker
ports and addresses,
reputation scores, and
risk ratings to Cisco
SensorBase. Reputation
provides an IPS with a
probability that a given
IP address is malicious.
IPS devices interact with
the Cisco SensorBase
Network to send network
participation data and
receive reputation data.
As seen in Figure 5 above, the Rustock Botnet was the highest occurring ROS event in 3Q10, at 21%
of events handled during the report period. Analysis of Cisco IPS data reveals that peak Rustock activity
occurred in late August 2010, as seen in Figure 6.
Figure 5 ROS Events, 3Q10
Source: Cisco ScanSafe
Sig ID
Signature
Events
17363/3
Rustock Botnet
21.11%
5930/5
Generic SQL Injection v1
18.83%
5930/13
Generic SQL Injection v2
18.03%
13003/1
AD - External TCP Scanner
15.61%
29459/0
Microsoft Windows Print Spooler Design Flaw Vulnerability
5.08%
1203/0
IP Fragment Overwrite - Data is Overwritten
3.40%
5639/0
Web View Script Injection Vulnerability
2.60%
4055/2
B02K-UDP
1.70%
1300/0
TCP Segment Overwrite
1.66%
5081/0
WWW WinNT cmd.exe Access
1.17%
Cisco Security
Figure 6 Rustock Activity, 3Q10
Source: Cisco IPS
120000
Cisco Security
100000
80000
60000
40000
20000
0
1/7/2010
1/8/2010
1/9/2010
Figure 7 Top 3 IPS Signature Event Firings, 3Q10
TCP SYN Host Sweep
ICMP Network Sweep with Echo
Multiple Rapid SSH Connections
Source: Cisco IPS
450000
400000
350000
300000
250000
200000
150000
100000
50000
0
7/1/2010
5
© 2010 Cisco and/or its affiliates. All rights reserved.
2/1/2010
3/4/2010
4/4/2010
5/4/2010
Cisco Security
SQL Injection Attacks Continue, 3Q10
What is SQL
Injection?
The SQL language is
used to manage the data
contained in relational
databases and administer the SQL servers
that house that data.
A SQL injection attack
uses malformed SQL
statements in an attempt
to override intended
behavior and cause the
SQL server to act upon
the statement in an
unintended fashion.
SQL servers that do not
properly validate input
data or sanitize output
data can be vulnerable
to various types of
SQL injection attacks.
Successful attacks
can lead to a range of
possible compromise
conditions, including the
alteration of contents
of a database, sensitive
information disclosure,
or the control of a SQL
server.
The following chart reflects the top four Cisco IPS signature events for potential SQL injection related
attacks during the third quarter of 2010. Asprox SQL injection attacks made a brief reappearance
between July 31 and August 18, 2010.
SQL Query in HTTP Request
GenericSQL Injection
MSSQL Resolution Service Stack Overflow
Asprox Injection Attack
Figure 8 Top SQL Events, 3Q10
Source: Cisco ScanSafe
45000
Cisco Security
40000
35000
30000
25000
20000
15000
10000
5000
0
7/1/2010
7/19/2010
8/6/2010
8/26/2010
9/13/2010
SQL Query in HTTP Request detects the presence of encoded words that may be indicative of SQL
injection attacks. The Generic SQL Injection event signature detects the presence of SQL keywords in
HTTP arguments. MSSQL Resolution Service Stack Overflow is detection for SQL/Slammer activity.
In terms of port activity, 54% of Cisco Remote Operations Services (ROS) events handled occurred on
port 80, followed by port 445 at 18% and port 25 at 15%.
Global Spam Trends
Analysis of Cisco IronPort data indicates that spam volumes were highest in August 2010 compared to
the remainder of the quarter. Spam volume fell from 326 billion spam per day in August 2010 to 257
billion per day in September 2010.
The Rustock botnet is believed to be one of the largest purveyors of spam, with the largest number of
Rustock bots reportedly located in the U.S. Rustock has been most predominantly affiliated with
sending pharmaceutical and counterfeit watch spam, often in the form of a breaking news alert (a tactic
first popularized by the Storm botnet).
Figure 9 Events by Port
Figure 10 Global Spam Volume (Bn/Day), 3Q10
Source: Cisco ROS
Source: Cisco Ironport
Port 80
Port 445
Port 25
Other Ports
350
Cisco Security
300
250
200
150
100
50
0
6
© 2010 Cisco and/or its affiliates. All rights reserved.
Jul
Aug
Sep
As previously observed in Figure 6, peak Rustock activity was in August 2010 followed by a decline in
September 2010, mimicking the pattern observed with spam volumes during the same period.
Among the top ten spam sending countries, volume of spam sent similarly dropped for eight of the ten.
However, spam sent from Russia and the Ukraine increased in September 2010. Figure 11 illustrates
spam volumes originating from the top ten spam senders in 3Q10.
Figure 11 Top Spam Senders by Country, (Bn/Mo), 3Q10
Source: Cisco Ironport
United States
India
1600
Cisco Security
Brazil
Russian Federation
1200
United Kingdom
Vietnam
800
Germany
Ukraine
400
France
Italy
0
Jul
Sep
Aug
“Here You Have” Email Worm
On September 9, an email bearing the subject line “Here you have” began arriving in users’ inboxes.
The email included a link disguised as a PDF which actually pointed to a a copy of the worm. As users
clicked through to the link and became infected, the wom sent an identical message to all contacts in
the newly infected user’s address book.
Fortunately, the malware domain hosting the worm’s binary was taken offline within 3 hours of the
worm’s spread. This neutered the worm’s ability to propagate further, though not before significant
volumes were observed in email as seen in Figure 12.
Figure 12 “Here You Have” Email as a Percentage of All Spam
Source: Cisco Ironport
10%
Cisco Security
8%
6%
4%
2%
0%
Thu Sep 9 16:00:00 2010
7
© 2010 Cisco and/or its affiliates. All rights reserved.
Fri Sep 10 02:00:00 2010
Fri Sep 10 12:15:00 2010
Fake LinkedIn Email
Also occuring in September, a spoofed LinkeIn email masqueraded as a standard LinkedIn alert (see Figure 14).
Recipients that clicked the links in the email were directed to a wepage which responded with “PLEASE
WAITING.... 4 SECONDS” after which they were redirected to Google.com. During the 4 seconds, exploit
code was rendered on the victim’s PC in an attempt to silently install a varient of the Zeus data theft trojan.
Zeus injects itself as a process in the user’s web browser and launches a man-in-the-browser attack to
capture personal information such as online banking credentials. Infected systems are also joined to the
Zeus botnet, after which the infected computers may be used to launch additional attacks on others.
During the course of the largest LinkedIn spoofing in mid-September, the maliicous LinkedIn email
comprised 31.26% of all spam for that period (Figure 15).
Figure 13
Figure 14
Figure 15 Fake LinkedIn Email as a Percentage of All Spam
Source: Cisco Ironport
35%
Cisco Security
30%
25%
20%
15%
10%
5%
0%
Mon Sep 27 10:15:00 2010
For more information
on Cisco SIO, visit
www.cisco.com/go/sio.
8
© 2010 Cisco and/or its affiliates. All rights reserved.
Wed Sep 29 12:15:00 2010
Fri Oct 1 15:00:00 2010
Related documents
10_2_1_2 Worksheet - Answer Security Policy Questions
10_2_1_2 Worksheet - Answer Security Policy Questions
WWW+Internet+networking - Edulink
WWW+Internet+networking - Edulink
Cisco Customer Outcome Enablement Program Terms Pilot Phase Updated: 10/05/2015
Cisco Customer Outcome Enablement Program Terms Pilot Phase Updated: 10/05/2015
Download
advertisement