The Evolving Environment – Total Web Threat Protection

Veli-Pekka Kusmin, Pre-Sales Engineer, Trend Micro Channel Confidential, March 2008

Threat Environment Evolution

(Timeline slide, years 2001, 2003, 2004, 2005 and 2007, vertical axis "Complexity". Threat generations shown: Worm/Outbreaks, Mass Mailers, Spam, Web Based Crimeware Attacks, "Intelligent ?". Characteristics listed along the timeline: Single Instance, Single Target, Regional Attacks, Multi-Vector, Multi-Component, Web Polymorphic, Rapid Variants, Vulnerabilities Enabled, Silent, Hidden, Hard to Clean.)

Trend Micro Channel Confidential Mar-2008 2 Copyright 2008 - Trend Micro Inc. BOTNETS!

DEFINITIONS
• Bot: software robot; allows a system to be controlled remotely without the user's knowledge
• Zombie: system controlled by a Bot
• Botnet: network (group) of zombie systems controlled by the Botherder (Botnet owner)

Money – Money – Money!

The Security Industry struggles!

Security companies were founded at a time when hackers and malware writers released their creations in the wild to:

1. Have fun
2. Show off
3. Highlight security issues
4. Combat the Evil Commerce aka Microsoft

Now the security industry struggles with organized cybercriminals who WANT TO MAKE MONEY

Malware for Profit is driving Web Threats

• Sophisticated fast-growing malicious websites
• Hacked legitimate websites
• Blended sequential attacks
• Malicious sponsored links

Web Threats - Revisited

Uses the Internet to facilitate

1. Internet Infection Vector (Web, E-Mail, Vulnerabilities...)

2. Host Infection via Malicious Programs

3. Updates and possible propagation via the Internet

4. Hidden Payload delivered without the user's knowledge or permission

Note: step 3 (updates and propagation via the Internet) has to be present for a threat to count as a web threat

Key Web Threat Examples

• Spyware that was installed upon visiting a website
• Bot that receives commands via IRC or through web pages
• that was installed after downloading a cool program from the Internet
• Trojan that was installed from a JPEG exploit upon visiting a website that was clicked from an email received
• Virus that was spread from a program downloaded from the Internet
• Worm that started blasting copies of itself after disguising itself as a downloadable widget for golfers

Example: Haxdoor

1. Your boss asks you to develop a corporate travel policy
2. You begin with a Google search on "travel policy"

First result is a .gov site

Second result looks like a good choice

Oct 7, 2006

Example: Haxdoor

1. You click on the second search result

2. You wait…the site appears to be downloading images and content…you wait…and you wait…

3. Finally you close the browser window…you’ll find another site

Example: Haxdoor

Unbeknownst to you…

1. The IFRAME at the top of the page leads you to an index.html file
2. This file includes a script that exploits the MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
   – The original exploit code has been modified to try to bypass AV scanners that detect the original exploit
3. An executable file (win.exe) is downloaded to your system and executed
4. You now have a with features—a variant of the notorious family of backdoor known as Haxdoor!
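The chain above (landing page, cross-host IFRAME to index.html, executable pulled by that file) leaves a recognisable trace in a web proxy log. The following is an added example, not part of the deck or of any Trend Micro product: a detector that walks constructed proxy log lines (the log format, host names and the 30-second window are all assumptions) and flags a client whose HTML page on one host embedded HTML from another host that then served an executable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the deck): timestamp client url status content-type referer
SAMPLE_LOG = """\
2006-10-07T10:01:02 10.0.0.5 http://travel-tips.example/policy.html 200 text/html -
2006-10-07T10:01:03 10.0.0.5 http://drop.example/index.html 200 text/html http://travel-tips.example/policy.html
2006-10-07T10:01:05 10.0.0.5 http://drop.example/win.exe 200 application/octet-stream http://drop.example/index.html
2006-10-07T10:05:00 10.0.0.7 http://intranet.example/downloads.html 200 text/html -
2006-10-07T10:05:04 10.0.0.7 http://intranet.example/setup.exe 200 application/octet-stream http://intranet.example/downloads.html
"""
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def host(url):
    return url.split("/")[2].lower()          # hostname of an absolute http(s) URL

def parse(log):
    """Yield one record per well-formed line; malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, url, _status, ctype, referer = parts
        yield {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
               "ctype": ctype, "referer": referer}

def find_driveby_chains(log, window=timedelta(seconds=30)):
    """Return (client, landing_host, exe_url) for each chain where an HTML page on one host
    embeds an HTML file on another host, and that file pulls an executable within `window`."""
    by_client = defaultdict(list)
    for rec in parse(log):
        by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        for exe in recs:
            if exe["ctype"] not in EXECUTABLE_TYPES or exe["referer"] == "-":
                continue
            # The HTML page that fetched the executable (the deck's index.html)
            loader = next((p for p in recs if p["url"] == exe["referer"]
                           and p["ctype"] == "text/html" and p["ts"] <= exe["ts"]), None)
            if loader is None or loader["referer"] == "-":
                continue
            # The page that embedded the loader (the IFRAME): flag only cross-host embedding
            if host(loader["referer"]) != host(loader["url"]) and exe["ts"] - loader["ts"] <= window:
                hits.append((client, host(loader["referer"]), exe["url"]))
    return hits
```

The intranet download in the sample is deliberately not flagged: its referer chain stays on one host, which is the ordinary software-download case.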

The Major Threat Vectors are Business Critical

(Diagram. External threats: Viruses & Worms, Spyware & Adware, Spam. Entry points shown: DNS, Mail Server / MTA (Port 25), Internet (Port 80), End Point, Off Network, Servers, Proxy, Applications, Storage. Internal threats: Information Leaks, Compliance, Vulnerabilities.)

Threat landscape is shifting to Web-borne attacks

(Chart: Web Threats: Total Growth Since 2005. Quarterly values Q1 2005 through Q4 2007, vertical axis 0% to 1800%. Plotted values, in ascending order: 100%, 161%, 192%, 247%, 337%, 431%, 532%, 645%, 824%, 1092%, 1314%, 1564%.)

Total Web Threat Protection: A multi-layered, multi-threat solution

Gateway

End-Point

In-the-Cloud (Web Reputation)

Total Web Threat Protection: Web reputation is unique!

Trend Core Technology: Trend Global DNS Network – 2 Billion Hits/Day, 99.999% Availability
Database components: Domain Reputation Database, Zone Files, URL Filtering, Security Rating, Email Reputation Database

Content of the Reputation Database:
Total Web Threat Protection = Web Security Rating (domain reputation) + URL Filtering + Malware URL Blocking (includes scanner feedback!) + Spam Correlation

The most comprehensive reputation database

Total Web Threat Protection: Web reputation is unique! (continued)

Real-time access to the database:
• Reputation is accessible "in-the-cloud"
• High Availability servers
• Threat information always updated!

No more risks due to missed updates!

Why Different from URL Filtering Alone?

• URL filtering as a Web security solution is like capturing criminals by sending out “WANTED” posters

• Not always up to date

• Only known offenders with previous URL convictions are listed

• No way to recognize potential new offenders

Web Reputation is the 21st Century Solution

• Exhaustive databases with full profiles on:
  – Known offenders
  – Suspected offenders
  – Possible future offenders
• Constantly updated with input from all over the world
• Instantly accessible by any special agent (Trend product)
• Protects against unknown malware and sequential attacks through the in-the-cloud Web security rating service
• Web Reputation is comprised of 50-plus web site characteristics:
  – Static characteristics
  – Historic characteristics
  – Community characteristics
  – Geographic characteristics
  – Web pages/contents characteristics
  – IP characteristics

OfficeScan 8: End-point Web Protection – Mobile Computers On and Off the Network

(Diagram labels: Web Reputation Domain/URL Query; Customer Policy; Web Threat Protection; Web Threat Portal; Off Network (Policy Customer A, Policy Customer B); On Network, OfficeScan Gateway; HTTP to the Internet; End Point Web Threat Protection.)

OfficeScan 8: Adjustable Sensitivity Level

• Administrators are allowed to set the protection level based on the query results from Web Reputation
• Actions can be taken upon violation
  – Block, or pass but report to the Management Console
• Web Reputation overrides URL filtering policies
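An added example of how the three points above fit together, written for this page and not taken from OfficeScan or any Trend Micro API: an administrator-chosen sensitivity level turns a Web Reputation score into block / pass-but-report / allow, and the reputation verdict is evaluated before the classic URL-filtering category list, so a domain in a permitted category is still blocked or reported when its rating is poor. The score scale, threshold values, category names and data types are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed model (not Trend Micro's actual OfficeScan API): a Web Reputation query returns a
# 0-100 safety score for the domain plus the URL-filtering categories it belongs to.
class Action(Enum):
    BLOCK = "block"
    PASS_AND_REPORT = "pass but report"
    ALLOW = "allow"

# Administrator-selected sensitivity: (score needed to pass silently, score needed to pass at all).
# Thresholds are illustrative; a higher level treats more unrated or suspicious domains as violations.
SENSITIVITY = {"low": (40, 20), "medium": (60, 40), "high": (80, 60)}

@dataclass(frozen=True)
class ReputationResult:
    domain: str
    score: int                 # 100 = long-established known good, 0 = known malicious
    categories: frozenset      # URL-filtering categories, e.g. frozenset({"business"})

@dataclass
class Policy:
    sensitivity: str
    blocked_categories: frozenset                   # the classic URL-filtering rule set
    violations: list = field(default_factory=list)  # what the management console would show

def decide(policy, result):
    """Web Reputation is evaluated first and overrides URL filtering: a domain whose category
    is permitted is still blocked (or reported) when its rating falls below the sensitivity level."""
    pass_silently, pass_at_all = SENSITIVITY[policy.sensitivity]
    if result.score < pass_at_all:
        action, reason = Action.BLOCK, "web reputation below sensitivity level"
    elif result.score < pass_silently:
        action, reason = Action.PASS_AND_REPORT, "web reputation marginal"
    elif result.categories & policy.blocked_categories:
        action, reason = Action.BLOCK, "URL filtering category blocked"
    else:
        action, reason = Action.ALLOW, ""
    if action is not Action.ALLOW:
        policy.violations.append((result.domain, action.value, reason))
    return action

# Constructed sample: a "business" domain URL filtering would allow, but with a marginal rating
if __name__ == "__main__":
    strict = Policy("high", frozenset({"gambling"}))
    print(decide(strict, ReputationResult("newly-registered.example", 70, frozenset({"business"}))).value)
    print(strict.violations)
```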

OfficeScan 8: What the IT Admin Sees

OfficeScan 8: What the End-user Sees

Browser:

Client popup:

Real-time stats on web reputation

http://www.am-i-ok.com

Total Web Threat Protection - Summary

• Malware writers are motivated by profit, not fame

• New malware is:
  – Constantly changing
  – Aimed to be undetectable
  – Intended to reap information for profit (botnets)

• Pattern matching is less and less viable:
  – Constantly changing malware signatures
  – High volume of patterns leading to HUGE pattern files
  – Rate of pattern updates required is untenable

You need total web threat protection from Trend Micro

Total web threat protection

• Instant protection
• Multi-layer, dynamic, multi-threat solution
• Always up-to-date
• Available to all Trend Micro Customers

Trend Micro Securing Your Web World

Copyright 2008 - Trend Micro Inc.

Veli-Pekka Kusmin, Pre-Sales Engineer
Trend Micro Baltics & Finland
Pakkalakuja 7, 3rd floor, FI-01510 Vantaa, Finland
Telephone +358 9 4730 8300, Direct +358 9 4730 8302, Fax +358 9 4730 8999, Mobile +358 40 596 7181
veli [email protected]
http://fi.trendmicro-europe.com
