In the Cloud Security

Greg Day, Principal Security Analyst EMEA, AVERT member
July 28, 2009

The Tsunami

• Decades of threats, surely we have a handle on this?

• Estimated losses in excess of $1 trillion through data loss in 2008 (McAfee Unsecured Economies Report 2009)

• Q1 2009: 12 million new IPs zombied since January, a 50 percent increase over 2008 (McAfee Quarterly Threat Report Q1 2009)

• More than 800 new variants in March 2009 (McAfee Quarterly Threat Report Q1 2009)

Confidential McAfee Internal Use Only

Understand the motivation, to understand the methodology

Source: Chat interview with the Dream Coders Team, the developers of MPack: http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/

Today anyone can be a cyber criminal!

Over 20 years of Anti-Virus

• Dr Solomon's Anti-Virus from 1990

• Looking for a string match against known virus signatures

The age old question: is anti-virus dying?

[Chart: Anti-Virus protection (%) of 2003 and 2004 Medium+ threats, per AV product, split into % proactive protection and % reactive protection]

Threat speed over time:

• 1991: Michelangelo: 6 months
• 1997: WM/Cap: 2 months
• 1999: WM/Melissa: 1 day
• 2000: VBS/Loveletter: 4 hours
• 2001: CodeRed: 1 hour
• 2003: Slammer: 3 mins
• 2008: Mass Web compromises: seconds

From Elephant to Chameleon: how threats have changed

Evolution of threats

• 1987 – Brain & Stoned (early boot sector viruses)
• 1990 – Vienna modified to be polymorphic
• 1991 – Polymorphism hits the wild (Tequila)
• 1995 – WM/Concept (first macro virus)
• 1999 – Melissa mass mailer & ExploreZip reply mailer
• 2000 – Phage (virus for Palm Pilot)
• 2001 – CodeRed & Nimda (utilise security vulnerabilities)
• 2002 – & Elkern, Bugbear (droppers)
• 2003 – Slammer (speed), Slapper (Unix, directed attack)
• 2004 – Turf wars ( , Sober, BOTs)
• 2005 – System & data theft (Trojans & rootkits)
• 2007 – Rootkits, packers, recycling (threat longevity)
• 2008 – Drive-by infections

Early proactive techniques

Heuristics (behavioural analysis)

• Positive & negative analysis
• Protection against new file and/or macro viruses
• Checks for virus-like characteristics
• Block execution of possible virus code (on-access scanner)
• No cleaning, as there is no exact match
• Tangible sample to send to the virus lab

Speed…

The blended/zero-day attack brought the new solutions

Proactive behavioural protection (HIPS, NIPS, FW, whitelisting etc.)

• Known vulnerability detection
• Behavioural controls
  – RFC non-compliance
  – Anomaly detection
  – Policy controls
    • Define web/ usage
    • Lock down Windows & the Windows system folder
    • Registry modification
    • Block unused ports
    • Blacklist non-corporate high-risk apps
  – Proactive or reactive?

Proactive Behavioural Controls: limitations

• What did I really stop?
• Did it stop all of the attack?
• What else could it have done?

• We still want to identify the threat
• We sometimes need to clean up

• Assumes the system is clean at point of install

Volume…

[Chart: The Great Zoo: McAfee known malware samples, count of dirty samples/hashes in the McAfee zoo, source: McAfee Avert Labs]

• 2006: 78,381
• 2007: 271,197 (246% growth from 2006 to 2007)
• 2008: ~350,000 projected for '08, 400%+ growth projected; 2008 exceeded projections at 1,500,000+

Shark: compilable multi-system backdoor Trojan. Now anyone can be a cyber criminal!

1. Set up server
2. Compile
3. Infected systems talk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control processes

Buy the deployment tools

Mass infection of public web pages globally (13 March 08)

• 200,000 web pages compromised
  – SQL injection
  – Vulnerabilities in .ASP pages running phpBB
• Inserted JS to write an IFRAME in the header or body, leading to exploits for:
  – MS06-014
  – RealPlayer (ActiveX control)
  – Baofeng Storm (ActiveX control)
  – Ourgame GL World GlobalLink Chat (ActiveX control)
• Daisy chains to a China server
  – Drops downloaders
  – Steals gaming credentials

Example: IFrame & MPack

[Diagram: booby-trapped legitimate sites, MPack server, C&C center; labels (1) connection to a legitimate site, (2) silent redirect, (3) exploitation, (4) machine under control / HTML infection]

1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (hidden iFrame).
2. They are silently redirected to the server hosting the attack tool.
3. Depending on the browser, various vulnerabilities may be tested. Various malware are downloaded and executed.
4. The web pages accessible from the victim's workstation are in turn booby-trapped.

The controlled machine is then used for RockPhish, Fast-Flux, DDoS, identity theft and more.

Regular "Protection Gap"

Protection gap of 24-72 hours with current solutions

• t0: malware in the wild
• t1: malware discovered
• t2: protection is available
• t3: protection is downloaded
• t4: protection is deployed

Security in the Cloud

Next Gen "In the cloud" detection

[Diagram: endpoint, Internet, fingerprint database]

What is "in the Cloud scanning"?

• End-node reporting
• Very little system overhead
• Meta-data

In the cloud security: blocking what we already know!

Non-replicating malware is static

And some replicating is static too (e.g. worms)

Can be detected with a fingerprint (MD5,SHA-1,SHA-2, etc.)

Black List of fingerprints
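The fingerprint blacklist described above, as an added example (not McAfee or Artemis code): a file body is hashed with one of the digests the slide names and looked up in a set of known-bad fingerprints. The sample "files" are constructed byte strings, and the last check shows the limitation the slide implies: a single changed byte (a repacked or polymorphic copy) produces a different fingerprint and is missed.

```python
"""Hash-based blacklist lookup for static malware.

Added illustration, not Artemis code. STATIC_TROJAN and CLEAN_TOOL are
constructed stand-ins for files on an endpoint, not real samples.
"""
import hashlib

# Constructed file bodies (PE-like header plus filler); nothing here is real malware.
STATIC_TROJAN = b"MZ\x90\x00" + b"dropper-v1:connect c2.example.invalid" + b"\x00" * 64
CLEAN_TOOL = b"MZ\x90\x00" + b"notepad-clone" + b"\x00" * 64


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Fingerprint a file body; algo is any digest hashlib knows (md5, sha1, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


def build_blacklist(bad_samples, algo: str = "sha256") -> set:
    """Fingerprints of samples the lab has already classified as dirty."""
    return {fingerprint(s, algo) for s in bad_samples}


def is_known_bad(data: bytes, blacklist: set, algo: str = "sha256") -> bool:
    """The whole detection step: one hash, one set lookup."""
    return fingerprint(data, algo) in blacklist


def mutate(data: bytes, offset: int = -1, delta: int = 1) -> bytes:
    """Change one byte, modelling a repacked or polymorphic copy of the same code."""
    body = bytearray(data)
    body[offset] = (body[offset] + delta) & 0xFF
    return bytes(body)


BLACKLIST = build_blacklist([STATIC_TROJAN])

if __name__ == "__main__":
    print("known trojan:", is_known_bad(STATIC_TROJAN, BLACKLIST))          # True
    print("clean tool:  ", is_known_bad(CLEAN_TOOL, BLACKLIST))             # False
    print("1-byte mutant:", is_known_bad(mutate(STATIC_TROJAN), BLACKLIST))  # False
```

Any of the digests the slide lists works for a blacklist: an attacker gains nothing from a collision, since they want their file not to match. The weakness is the opposite one shown by `mutate`: exact-match fingerprints only cover code that does not change, which is why the slide restricts this technique to static, non-replicating malware.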

[Chart: Replicating vs Non-Replicating Malware, share of samples per year, 1999 to 2008]

How does in the Cloud anti-virus work?

1. User receives a new file via email or web
2. No detection with existing DATs, but the file is "suspicious"
3. A fingerprint of the file is created and sent over the Internet to Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis Collective Threat Intelligence identifies the threat and notifies the client
6. VirusScan processes the Artemis information and removes the threat

In the Cloud in action

In the cloud security: identifying what we don't know!

Software may be deemed "suspicious" based on:
• Observed behaviours
• Source
• Detections by other products

Behaviours, sources, detections can be assigned a weight

Based on the resulting weight, software may be classified as “suspicious” with different degrees of certainty
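The weighting scheme the three statements above describe, as an added example that is not Artemis's actual model: each observed behaviour, the file's source and the number of other products already flagging it contribute a weight, and the sum is mapped to a certainty band. All weights, behaviour names and thresholds are assumed values chosen to make the arithmetic visible; a real system would fit them from labelled data.

```python
"""Weighted suspicion scoring with certainty bands.

Added illustration, not Artemis code. Every weight and threshold below is an
assumption for the example; the behaviour and source labels are invented.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed weights: positive pushes toward "suspicious", negative toward benign.
BEHAVIOUR_WEIGHTS = {
    "writes_run_key": 25,               # persistence via a Registry Run key
    "injects_into_process": 35,
    "disables_av_service": 40,
    "packed_with_unknown_packer": 20,
    "signed_by_trusted_publisher": -40,
}
SOURCE_WEIGHTS = {
    "corporate_software_share": -30,
    "email_attachment_unknown_sender": 20,
    "drive_by_download": 35,
    "usb_removable_media": 10,
}
OTHER_DETECTION_WEIGHT = 15   # per other product that already flags the fingerprint
OTHER_DETECTION_CAP = 45      # agreement saturates; five vendors are not five times one

# Assumed bands, checked from highest to lowest.
BANDS = [
    (80, "suspicious:high"),
    (50, "suspicious:medium"),
    (25, "suspicious:low"),
    (float("-inf"), "unknown"),
]


@dataclass
class Observation:
    behaviours: List[str] = field(default_factory=list)
    source: str = ""
    other_detections: int = 0


def score(obs: Observation) -> int:
    """Sum of behaviour, source and third-party-detection weights."""
    total = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in obs.behaviours)
    total += SOURCE_WEIGHTS.get(obs.source, 0)
    total += min(obs.other_detections * OTHER_DETECTION_WEIGHT, OTHER_DETECTION_CAP)
    return total


def classify(obs: Observation) -> Tuple[str, int]:
    """Map the score onto a certainty band; returns (label, score)."""
    s = score(obs)
    for threshold, label in BANDS:
        if s >= threshold:
            return label, s
    return "unknown", s  # unreachable: the last band accepts everything


if __name__ == "__main__":
    cases = {
        "drive-by dropper": Observation(["injects_into_process", "writes_run_key"], "drive_by_download", 1),
        "signed corporate installer": Observation(["signed_by_trusted_publisher", "writes_run_key"], "corporate_software_share"),
        "packed mail attachment": Observation(["packed_with_unknown_packer"], "email_attachment_unknown_sender"),
    }
    for name, obs in cases.items():
        print(f"{name:28s} -> {classify(obs)}")
```

The two details worth copying are the negative weights (a trusted signature or a corporate source should be able to pull a file out of the suspicious bands, not just fail to add to them) and the cap on third-party detections, which stops a cluster of vendors who share one feed from counting as independent evidence.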

Closing the loop

Malware case study – Spy-Agent.bw

First seen: 15th October 2008, 22:24:28
Auto-blacklisted: 15th October 2008, 22:57:01

Artemis clients sent fingerprints ~2 hours before regular submission saw the file

Security & privacy

Example (encoded response, as shown on the slide):

U0B6gKhbtiZCoxyh0IneADS/RShS8iRCBSEvwfjekG/q4yDRg qEUXjHWKvnrySGa6QMdftrlpl5pAdJvOUAcNcvCjKvpIfsxv8q Bk4uRQQ60r5StRCXOpiA0Qy3fKmLRUZyNq1EyjLLPKgJDZI 0nqHhRWX+TDgPgXRfW9wD06qE

• Cryptographically strong actionable responses
• Query specific
• Immune to replay attacks
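What "query specific" and "immune to replay" have to mean in practice, as an added example and not McAfee's wire format: the client puts a fresh nonce in every fingerprint query, the cloud authenticates its verdict over the fingerprint, that nonce and a timestamp, and the client refuses any verdict whose nonce or fingerprint does not match the query it just sent. The shared key, the message layout and the 300-second freshness window are assumptions for the example; a deployment would use a per-client key or a public-key signature so one compromised client cannot forge verdicts for others.

```python
"""Query-bound, replay-resistant verdicts between endpoint and cloud.

Added illustration, not McAfee's protocol. SHARED_KEY, the field names and
MAX_AGE_S are assumptions; the hashes and nonces in replay_demo() are constructed.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

SHARED_KEY = b"example-shared-key-not-real"   # assumed; per-client in a real deployment
MAX_AGE_S = 300                                # assumed freshness window


def make_query(file_hash: str, nonce: Optional[bytes] = None) -> dict:
    """Client side: every query carries a fresh random nonce and the time it was sent."""
    return {"hash": file_hash, "nonce": (nonce or os.urandom(16)).hex(), "ts": int(time.time())}


def _canonical(d: dict) -> bytes:
    # Deterministic encoding so both sides MAC exactly the same bytes.
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def cloud_respond(query: dict, verdict: str, key: bytes = SHARED_KEY) -> dict:
    """Cloud side: the verdict is bound to this query's hash, nonce and timestamp."""
    body = {"hash": query["hash"], "nonce": query["nonce"], "ts": query["ts"], "verdict": verdict}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def client_verify(query: dict, response: dict, key: bytes = SHARED_KEY, now: Optional[float] = None) -> bool:
    """Client side: accept only an authentic verdict for this exact query, issued recently."""
    now = time.time() if now is None else now
    body = {k: response[k] for k in ("hash", "nonce", "ts", "verdict")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        return False   # forged or tampered (e.g. "malicious" edited to "clean")
    if response["hash"] != query["hash"] or response["nonce"] != query["nonce"]:
        return False   # a genuine verdict, but for a different query: replay
    if now - response["ts"] > MAX_AGE_S:
        return False   # stale
    return True


def replay_demo() -> dict:
    """Run the attack cases against the check; nonces and hashes are constructed."""
    h1, h2 = "ab" * 32, "cd" * 32
    q1 = make_query(h1, nonce=b"\x01" * 16)
    r1 = cloud_respond(q1, "clean")                 # captured by an attacker on the wire
    q2 = make_query(h1, nonce=b"\x02" * 16)         # the client asks about h1 again later
    q3 = make_query(h2, nonce=b"\x01" * 16)         # same nonce, different file
    tampered = {**r1, "verdict": "malicious"}
    return {
        "genuine": client_verify(q1, r1),
        "replayed_old_verdict": client_verify(q2, r1),
        "verdict_for_other_hash": client_verify(q3, r1),
        "tampered_verdict": client_verify(q1, tampered),
        "stale": client_verify(q1, r1, now=q1["ts"] + MAX_AGE_S + 1),
    }


if __name__ == "__main__":
    for case, accepted in replay_demo().items():
        print(f"{case:24s} accepted={accepted}")
```

Without the nonce check, an attacker who once captured a "clean" verdict for a file could feed it back to the endpoint forever, which is exactly the replay the slide rules out; the timestamp alone does not prevent that within the freshness window.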

Cloud security: compressed "Protection Gap"

Protection delivered in real time

[Timeline: t0 malware in the wild; t1 malware discovered; protection is available, downloaded and deployed at t1 rather than at t2, t3, t4]

Case study – Spy-Agent.bw

• Artemis protection: ~32 minutes
• Regular protection: ~8.5 hours, not including deployment time

I was blind, but now I see

[Diagram: inputs feeding Collective Threat Intelligence: Artemis customers, Customer SiteAdvisor, Vulnerability Research, Internet Research, SPAM Research, Malware Research, Risk and Compliance, HIPs]

Taking it to the next level

Collaborative Global Intelligence

Physical world
• Deploy agents: officers around the globe (MI5, MI6, FBI, CIA, Interpol)
• Global intelligence system: share intelligence information (e.g. criminal history, global fingerprinting system)
• Results: effective, accurate detection of offenders; pro-active, stop them from coming into the country

Cyber world
• Deploy security probes around the globe (firewall, email gateways, web gateways); IntelliCenters in London, Chicago, Frankfurt, San Jose, Atlanta, Hong Kong
• Global intelligence system: share cyber communication info (e.g. , spammers, phishers)
• Results: effective, accurate detection of bad IPs and domains; pro-active, deny connection to intruders to your enterprise

McAfee Global Threat Intelligence: Global Intelligence, Local Protection

[Diagram: real-time global data monitoring, then automated analysis, then protection platforms]

Real-time global data monitoring: 10 billion messages analyzed per month; IntelliCenters in Chicago, London, Portland, Atlanta, Hong Kong

Automated analysis: dynamic computation of a reputation score (Bad to Good) for IP, Domain, URL, Image and Message, from:
• Ownership: Whois, zone files, trademark
• Content: images, text, links
• Behavior: persistence, longevity, social networks

Protection platforms:
• Edge / Firewall: traffic shaping, attack blocking
• Web Gateways: anti-malware, anti-spoofing
• Messaging Gateways: outbreak detection, anti-spam
• Identity fraud
• Applications: Anti- , zombie alerts

Global Data Monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world

Intelligence: How It All Works…

This entire process happens constantly, every second, 7x24x365

1. Incoming traffic reaches the TS-enabled appliance
2. The appliance queries McAfee Threat Intelligence
3. McAfee Threat Intelligence returns reputation info, and updates its records with new Internet reputation info

McAfee Global Threat Intelligence: Responder Architecture

• Legacy protocol based on customized DNS servers
• Enhanced proprietary protocol (UDP over SSL)

[Diagram: query, responder, data]

Data sources:
• Historical data
• Message data/metadata
• Neighborhood data
• Ownership data
• Spamtraps and honeypots
• Blacklists

Analysis systems, internal & external, turn these into reputation and instant analysis data
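A reputation lookup over DNS, as an added example of the "customized DNS servers" approach named in the legacy-protocol bullet. The deck does not give McAfee's query format, so this follows the common DNSBL convention instead: the IP's octets are reversed under a zone, an A record in 127.0.0.0/8 means "listed" and its last octet encodes the reason, NXDOMAIN means "not listed". The zone name, answer codes and the stub resolver table are constructed so the example runs offline.

```python
"""DNSBL-style reputation lookup with an offline stub resolver.

Added illustration; ZONE, FAKE_ZONE and CODES are assumptions, not McAfee's
query format. resolve_stub stands in for a real DNS resolver.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

ZONE = "rep.example.invalid"   # assumed zone name

# Constructed answers standing in for the authoritative server's records.
FAKE_ZONE: Dict[str, List[str]] = {
    "7.100.51.198.rep.example.invalid": ["127.0.0.2"],
    "9.113.0.203.rep.example.invalid": ["127.0.0.4", "127.0.0.10"],
}
# Assumed meaning of the return codes (DNSBLs publish their own tables).
CODES = {"127.0.0.2": "spam source", "127.0.0.4": "malware host", "127.0.0.10": "open proxy"}

Resolver = Callable[[str], Optional[List[str]]]


def query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of a validated IPv4 address under the zone."""
    addr = ipaddress.IPv4Address(ip)        # rejects hostnames, IPv6, garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_stub(name: str) -> Optional[List[str]]:
    """Offline resolver: a list of A records, or None for NXDOMAIN."""
    return FAKE_ZONE.get(name)


def lookup(ip: str, resolver: Resolver = resolve_stub) -> dict:
    """Query the zone and interpret the answer; never treat a broken lookup as a listing."""
    name = query_name(ip)
    answers = resolver(name) or []
    bogus = [a for a in answers if not a.startswith("127.")]
    if bogus:
        # Typical cause: an ISP resolver that rewrites NXDOMAIN to a search page.
        # Treat as a failed lookup, not as "listed", or every IP would be blocked.
        return {"ip": ip, "query": name, "listed": None, "reasons": [], "error": f"unexpected answer {bogus}"}
    return {
        "ip": ip,
        "query": name,
        "listed": bool(answers),
        "reasons": [CODES.get(a, f"unknown code {a}") for a in answers],
        "error": None,
    }


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(lookup(ip))
```

Two operational points the stub makes explicit: validate the address before building the name (otherwise a crafted "IP" becomes an arbitrary DNS query), and distinguish a non-127 answer from a listing, since resolvers that rewrite NXDOMAIN would otherwise turn every lookup into a block.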

TrustedSource Data Mining Technologies: what does it monitor?

• Email: IP Reputation, Message Reputation
• Web: URL Categories, Web Reputation
• Intrusion/FW: IP/Protocol Reputation, Geo-Location, IPS Attack Vector

Dimensions correlated: IP, Domain, URL, Message, Attachment, Image, giving Connection Reputation and Content Reputation

Threats observed: DoS, DDoS and other attacks; hack sites; compromised or malicious web sites; active content (ActiveX, Java, VB code) from infected web sites; web malware or URLs; virus, worms, Trojans; zombies and other sources; image spam, phishing, spam

Message Reputation

1. Known spammer sends message
2. Message is blocked at the mail gateway
3. Unknown sender sends similar message
4. Message is recognized and blocked
5. Unknown sender sends new/different message
6. Message is associated with the new machine in a botnet and blocked

Allows Reputations to Move Across Identities and Protocols
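The six-step sequence above, as an added example of reputation moving from a known-bad IP to the content it sends and on to a new sender of the same content (not TrustedSource's algorithm). Similarity here is Jaccard overlap of three-word shingles; the threshold, the IP addresses and the messages are constructed for the example.

```python
"""Reputation moving across identities: IP -> message content -> new IP.

Added illustration, not TrustedSource code. SIMILARITY_THRESHOLD is an
assumed value; the addresses and messages in run_sequence() are constructed.
"""
from typing import List, Set

SIMILARITY_THRESHOLD = 0.6   # assumed


def shingles(text: str, n: int = 3) -> Set[str]:
    """Word n-grams; short messages yield a single shingle of all their words."""
    words = text.lower().split()
    return {" ".join(words[i:i + n]) for i in range(max(1, len(words) - n + 1))}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


class ReputationDB:
    def __init__(self) -> None:
        self.bad_ips: Set[str] = set()
        self.bad_messages: List[Set[str]] = []   # shingle sets of blocked messages

    def ingest(self, src_ip: str, message: str) -> str:
        """Decide on one message and let whatever was learned move to the other identity."""
        sh = shingles(message)
        if src_ip in self.bad_ips:
            self.bad_messages.append(sh)         # IP reputation -> message reputation
            return "blocked: known bad sender"
        for known in self.bad_messages:
            if jaccard(sh, known) >= SIMILARITY_THRESHOLD:
                self.bad_ips.add(src_ip)         # message reputation -> new IP reputation
                self.bad_messages.append(sh)
                return "blocked: matches known spam; sender blacklisted"
        return "delivered"


def run_sequence() -> List[str]:
    """The slide's sequence with constructed addresses (documentation ranges)."""
    db = ReputationDB()
    db.bad_ips.add("198.51.100.7")               # step 0: a known spammer
    return [
        db.ingest("198.51.100.7", "Buy cheap meds now click here today"),          # steps 1-2
        db.ingest("203.0.113.9", "Buy cheap meds now click here today friend"),    # steps 3-4
        db.ingest("203.0.113.9", "Your account statement is attached"),            # steps 5-6
        db.ingest("192.0.2.5", "Lunch at noon tomorrow?"),                         # unrelated sender
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(run_sequence(), 1):
        print(step, outcome)
```

The third call is the point of the slide: the message itself resembles nothing seen before, yet it is blocked because its sender inherited a bad reputation from the content it sent earlier. The same table can be keyed by domain or URL, which is what lets the reputation cross protocols as well as identities.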

TS Web Reputation Breakout

Building Web Reputation

Raw data
• TrustedSource for Email
• Domain registrations, WHOIS data
• WebWasher classifiers, SmartFilter categories
• Web access logs
• Malware URLs, phishing URLs, spam URLs
• Fortune 1000 websites
• Blacklists, whitelists
• Host information: DNS, WHOIS, OS, webserver, certificate information

Analysis
• Correlation mapping (joint conditional mapping)
• Support Vector Machine classification of all parameters
• Parked domain identifier
• Neighborhood classification
• Real-time classifier
• GEO location

Reputation service (TrustedSource for Web)
• Size: 75 million hosts
• Precision: more precise, a range from -180 (Bad) through Suspicious to +180 (Good)
• Identified zombies, malware, suspicious hosts

TrustedSource Web Database

• Category-based filtering + reputation based filtering = best protection available

• 96 URL categories

• TrustedSource global intelligence augments numerous categories such as Spam, Malicious Sites, Phishing, Hacking/Computer Crime

• Reputation-based filtering for today’s Web 2.0 threats – Provides an additional layer of security – Malicious sites, , Hacking, P2P, IM and more

• 31+ Million URLs (contains IPs, HTTP and HTTPS URLs)

• Automated proactive and reactive URL gathering systems

• Human review of URLs by multi-lingual/cultural Web Analysts – Global coverage (language and regions)

• Real-time updates

TS Web Language breakout

www.TrustedSource.Org (slide from the Artemis Q2 2009 QBR)

• Public portal
• View reputations for domains, IP addresses or URLs
• Sending patterns of the senders
• Analytical information:
  – country of origin
  – network ownership
  – hosts for known senders within each domain
• Snapshot of global email trends, including a map illustrating country of origin for email attacks
• Graphs displaying overall email and spam volume trends
• ROI calculator
• ZombieMeter
• Domain health check
• Latest malware threats
• Blogs from experts
• Top spam senders

[email protected]

01000111011100100110010101100111010111110100010001100001011110010100000001001101011000110100000101100110011001010110010100101110011000110110111101101101 (ASCII: Greg_Day@McAfee.com)