IBM Global Services
04/08/23 © 2007 IBM Corporation
IBM Internet Security Systems: Ahead of the threat.™
The Threat Landscape Has Changed: Moving Beyond Anti-Spam and Anti-Virus
Eric Hanselman, CISSP, Network Protection Architect
Email Management: An Ongoing Problem
Has always been an issue
Too easy an access path
– Ubiquitous, anonymous access
Too critical to block
Cycles of control
– Problem is getting worse…
The Problem is Complex
Spam
Attacks
Content management
– Intellectual property
– Legal liabilities
Nefarious Goals are Blending
Product sales
Stock manipulation
Money laundering
Bot recruitment
Data Theft
– Phishing
– Keystroke loggers
The Mule Trade
Registrant: Said Mahmod [email protected] +96.485743234
Said Mahmod inc., Gavi-ayesh 34 21 Reeayad, Reeayad, PALESTINIAN TERRITORY, OCCUPIED
7849343
Domain Name: elxtrading.com
Record last updated at 2007-03-02 10:27:15
Record created on 2007/3/2
Record expired on 2008/3/2

Queried whois.apnic.net with "58.65.236.129"...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: Hong Kong

[email protected] - TLD ".CC" is for the Cocos (Keeling) Islands
+96.485743234 - International telephone country codes: +96x covers the "Middle East" group (Iraq, Jordan, Kuwait, Lebanon, Maldives, Oman, Saudi Arabia, Syria, Yemen); +964 is Iraq
Registrant address, phone country code, e-mail TLD and hosting netblock (Hong Kong) each point to a different country, and the domain was freshly registered (created 2007/3/2) for a single one-year term.
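The cross-checks the slide makes by hand (phone country code, e-mail TLD, registrant country, hosting netblock, registration age) can be encoded as a reusable checker. The Python below is an added example, not part of the original deck. Its sample records are constructed from the two WHOIS lookups on the slide, re-wrapped one field per line; the contact address is redacted on the slide, so a placeholder that keeps the .cc top-level domain stands in for it, and the lookup date of 2007-04-01 is assumed. The country tables cover only what the example needs (a real checker would load full ITU and ccTLD tables).

```python
"""Cross-check the countries implied by different fields of a WHOIS record.

Added example (not from the slide deck). Sample data is constructed from the
slide's WHOIS output; the e-mail address is a placeholder keeping the .cc TLD.
"""
import re
from datetime import date

# Minimal lookup tables: an assumption for this example, not an exhaustive list.
PHONE_PREFIXES = {"964": "IQ", "966": "SA", "970": "PS", "852": "HK", "61": "AU", "1": "US"}
TLD_COUNTRY = {"cc": "CC", "hk": "HK", "iq": "IQ", "ps": "PS", "sa": "SA"}
COUNTRY_NAMES = {"PALESTINIAN TERRITORY, OCCUPIED": "PS", "HONG KONG": "HK",
                 "IRAQ": "IQ", "COCOS (KEELING) ISLANDS": "CC"}

# Constructed from the slide; contact address replaced by a placeholder.
REGISTRANT_WHOIS = """\
Domain Name: elxtrading.com
Registrant Email: contact@example.cc
Registrant Phone: +96.485743234
Registrant Country: PALESTINIAN TERRITORY, OCCUPIED
Record created on 2007/3/2
Record expired on 2008/3/2
"""

NETBLOCK_WHOIS = """\
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: Hong Kong
"""

_RECORD_DATE = re.compile(r"Record (created|expired) on (\d{4})/(\d{1,2})/(\d{1,2})")


def parse_whois(text):
    """Parse 'key: value' lines (repeated keys joined) plus 'Record ... on' date lines."""
    rec = {}
    for line in text.splitlines():
        m = _RECORD_DATE.match(line)
        if m:
            rec[m.group(1)] = date(int(m.group(2)), int(m.group(3)), int(m.group(4)))
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        rec[key] = rec[key] + " | " + value if key in rec else value
    return rec


def country_code(value):
    """Normalise a two-letter code or a country name to ISO 3166 alpha-2, else None."""
    v = value.strip().upper()
    return v if len(v) == 2 else COUNTRY_NAMES.get(v)


def phone_country(phone):
    """Longest-prefix match of the digits of a '+CC.number' phone field."""
    digits = re.sub(r"\D", "", phone)          # '+96.485743234' -> '96485743234'
    for n in (3, 2, 1):
        cc = PHONE_PREFIXES.get(digits[:n])
        if cc:
            return cc, "+" + digits[:n]
    return None, None


def email_tld_country(email):
    tld = email.rsplit(".", 1)[-1].lower()
    return TLD_COUNTRY.get(tld), tld


def check_registration(registrant_text, netblock_text, lookup_date):
    """Return indicator strings; an empty list means no inconsistency was found."""
    reg, net = parse_whois(registrant_text), parse_whois(netblock_text)
    claimed = country_code(reg.get("registrant country", ""))
    flags = []
    phone_cc, prefix = phone_country(reg.get("registrant phone", ""))
    if claimed and phone_cc and phone_cc != claimed:
        flags.append(f"phone_country_mismatch:{prefix}={phone_cc}!={claimed}")
    email_cc, tld = email_tld_country(reg.get("registrant email", ""))
    if claimed and email_cc and email_cc != claimed:
        flags.append(f"email_tld_mismatch:.{tld}={email_cc}!={claimed}")
    hosting_cc = country_code(net.get("country", ""))
    if claimed and hosting_cc and hosting_cc != claimed:
        flags.append(f"hosting_country_mismatch:{hosting_cc}!={claimed}")
    created, expires = reg.get("created"), reg.get("expired")
    if created and expires and (expires - created).days <= 366:
        flags.append("minimum_term_registration")   # cheapest possible one-year term
    if created and (lookup_date - created).days < 90:
        flags.append("recently_created")
    return flags


def sample_flags():
    """Run the checker over the constructed sample; lookup date is assumed."""
    return check_registration(REGISTRANT_WHOIS, NETBLOCK_WHOIS, date(2007, 4, 1))


if __name__ == "__main__":
    for flag in sample_flags():
        print(flag)
```

None of these indicators is conclusive on its own; legitimate registrants use foreign hosting and foreign-registered mailboxes. The value is in the combination, which is why the checker returns every mismatch rather than a single verdict.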
Profit Motivates Innovation
There is a lot of money to be made!
Senders are smart
–Techniques are evolving
Spam and attack traffic are converging!
Two Traditional Paths of Defense
Anti-spam
– Block known bad senders
• RBLs (real-time blackhole lists of sender IP addresses, queried over DNS)
– Block known bad words
– Block known bad paths
Anti-Virus
– Block known bad attachments
We expect some will get through!
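The "block known bad senders" path is usually a DNS blocklist (DNSBL/RBL) query on the connecting IP. The Python below is an added example, not code from the deck: it builds the query name the way RFC 5782 describes (address octets, or IPv6 nibbles, reversed under the list's zone) and treats any A record inside 127.0.0.0/8 as "listed". The zone `dnsbl.example` and the stand-in resolver are constructed so the example runs offline; the resolver only knows the RFC 5782 test entries (127.0.0.2 is always listed, 127.0.0.1 never) and says nothing about the real status of any address. Return-code meanings are list-specific, so the code reports them raw.

```python
"""Build and interpret DNSBL (RBL) queries per RFC 5782.

Added example, not from the slide deck. `dnsbl.example` and the stand-in
resolver are constructed so that it runs offline.
"""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse an IPv4 address's octets or an IPv6 address's nibbles under zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                 # 58.65.236.129 -> 129.236.65.58
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # 32 reversed hex nibbles
    return ".".join(labels) + "." + zone.strip(".")


def system_resolve(name):
    """Real resolver: IPv4 answers for name; raises socket.gaierror on NXDOMAIN."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def dnsbl_lookup(ip, zone, resolve=system_resolve):
    """Return the query name, whether ip is listed, and the raw 127.x return codes."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror:            # NXDOMAIN means "not listed"
        return {"query": name, "listed": False, "codes": []}
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
    return {"query": name, "listed": bool(codes), "codes": codes}


# Constructed stand-in for DNS so the example runs offline. It contains only
# the RFC 5782 test entry: 127.0.0.2 is listed, everything else is NXDOMAIN.
SAMPLE_ZONE = "dnsbl.example"
_SAMPLE_ANSWERS = {dnsbl_query_name("127.0.0.2", SAMPLE_ZONE): ["127.0.0.2"]}


def sample_resolve(name):
    if name not in _SAMPLE_ANSWERS:
        raise socket.gaierror("NXDOMAIN (constructed resolver)")
    return _SAMPLE_ANSWERS[name]


if __name__ == "__main__":
    for ip in ("127.0.0.2", "127.0.0.1", "58.65.236.129"):
        print(dnsbl_lookup(ip, SAMPLE_ZONE, sample_resolve))
```

Against a real list, call `dnsbl_lookup(ip, "zen.spamhaus.org")` with the default resolver. Two caveats the slide's "we expect some will get through" implies: a listing is keyed to the connecting IP, so botnet senders on freshly infected hosts are often not yet listed, and whitelisting or rate limits on the list itself can turn a lookup into a silent NXDOMAIN.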
Sender Innovations
Spread the senders
– Botnet spam agents
Obscure the words
– Image spam
Multiply the paths
Morph the attachments
– Polymorphic encoding
Embed new attacks
Image Spam Gets Smarter
Techniques Get Smarter
Avoiding Detection
Senders are stealthy
– No news is good news!
Techniques are quieter
– Stay under the radar
– Slip between the cracks
Targets are smaller
Keeping victims quiet
– Social engineering
A Tale of Two Bots
Similar roots
– Use self-replicating worm techniques to infect hosts via email
– Establish a connection to the bot network to download additional components
• Future activities are limitless
Stration
– Great polymorphic encoder
SpamThru
– Brings its own anti-virus engine, used to remove competing malware from the host
– GIF tools for generating image spam
Masking By Morphing
Polymorphic encoder evades signature-based anti-virus protections
High volumes increase success probabilities
Self-Modifying Malware – Stration
Chart: number of Stration variants captured, 8/16/06 to 11/26/06
Next Generation Payloads
Script-based obfuscation
– Payload is hidden by JavaScript
– Can pass scanners that only inspect the encoded form
Additional hiding capabilities
– Very hard to see in transit
– Only revealed when the script is interpreted on the endpoint
We can’t count on clean-up
We can’t allow any to succeed
How to Approach Protection
Staunch the flow
– Better mail stream filtering
– Limit user choices
Protect at the end points
– The only place to catch them
– Ultimate user protection
Staunching the Flow
Traditional techniques need a priori knowledge
– Elusive at best…
– Bad stuff is hard to predict
Time is required for analysis
– Delay causes scaling problems
Statistical analysis
– An a posteriori technique
– Good for large volumes
Some still gets through
Better Flow Techniques
URL references
– Analyze web links
Structure analysis
– Better capabilities
Image analysis
– Beyond OCR
Sender identity control
– Still a long way off
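One concrete form of the "analyze web links" step is to pull every anchor out of an HTML body and compare what the reader sees with where the link goes. The Python below is an added example, not from the deck: it flags a display text that names one host while the href points at another, an IP-literal host, a user-info section ("@") that makes the real host look like a path, and non-HTTP schemes. The sample message is constructed using reserved documentation names (bank.example, 203.0.113.5).

```python
"""Inspect the links inside an HTML e-mail body for phishing indicators.

Added example, not from the slide deck. SAMPLE_HTML is a constructed message
using reserved documentation names only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """\
<html><body>
<p>Dear customer, your account has been limited. Please verify it here:</p>
<p><a href="http://www.bank.example@203.0.113.5/verify">https://www.bank.example/verify</a></p>
<p>Need help? Visit our <a href="https://www.bank.example/help">Help center</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that itself looks like a URL or hostname; group 1 is the host it shows.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def analyze_link(href, text):
    """Return indicator names for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        findings.append("unusual_scheme")
    if "@" in parts.netloc:
        findings.append("userinfo_in_url")        # http://real.host@attacker/ trick
    try:
        ipaddress.ip_address(host)
        findings.append("ip_literal_host")
    except ValueError:
        pass
    m = _URLISH.match(text)
    if m and m.group(1).lower() != host:
        findings.append("display_host_mismatch")  # text shows one host, href goes to another
    return findings


def analyze_html(body):
    """Return [(href, findings)] for every link in an HTML body."""
    parser = LinkExtractor()
    parser.feed(body)
    return [(href, analyze_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in analyze_html(SAMPLE_HTML):
        print(href, findings or "ok")
```

The parser deliberately ignores the text of the message and looks only at the links, which is the point of the slide: URL references are something a filter can reason about even when the words around them have been obfuscated or moved into an image.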
Host-Based Detection
Best for executable content analysis
– Highly scalable
Behavioral executable analysis
– Anti-Virus isn’t enough
Poor statistical capabilities
Traditional security
– Patching still required, but…
The Risks Have Expanded
Our protections need to expand, too!
– Plan for action today!
– Review existing protections
– Coordinate email and host protection planning
– Keep data security planning on the horizon
Risks aren’t standing still!
Threats are everywhere… and always evolving. Will you be protected?
Resources
Spam and Phishing
– http://www.antiphishing.org/
– http://www.sans.org/
– http://www.secureworks.com/research/threats/spamthru/
– http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf
Security Protections
– http://xforce.iss.net/
– http://www.av-test.org/
Thank You!
Questions?