X-Force Research, Results
and Observations
Dr. Jean Paul Ballerini
Sr. Technology Solutions Expert, X-Force Expert
IBM Internet Security Systems
Agenda
• Who is X-Force?
• How can you protect?
• Conclusions
The mission of the IBM Internet Security Systems™ X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Develop assessment and countermeasure technology
• Educate the media and user communities
Vulnerability Highlights
• Overall number of disclosed vulnerabilities increased in comparison to previous years
• 5% increase over the first half of year 2007
Analyze Them All
X-Force analyzed every single vulnerability disclosed
Web Server Application Vulnerabilities
• Three newcomers to the top ten vendor list were web server application software vendors
• Web server application vulnerabilities account for 54% of all 2008 H1 disclosures and 51% since 2006
Web Server Application Vulnerabilities: SQL Injection
• SQL injection vulnerability disclosures more than doubled in comparison to 2007
• The number of active, automated attacks on web servers was unprecedented
Endpoint Vulnerabilities
• More than 80% of public exploits released on the same day as the vulnerability
• The main target of public exploits has shifted from the operating system to the browser
Browser Vulnerabilities
• Memory corruption is the main vulnerability.
• No substantial difference.
Primary Exploit Target: Browser Plug-Ins
• The majority of publicly released exploits are for browser plug-ins
• The top five most exploited browser vulnerabilities all target plug-ins
• Although most active exploitation focuses on older vulnerabilities, newer attack tools have automatic methods to incorporate the most recent exploits
2007 Malcode Highlights
• X-Force collected and analyzed nearly 410,000 new malware samples in 2007, almost a third more than it researched in 2006.
• Trojans represent the largest category of malware in 2007—109,246 varieties account for 26% of all malware.
• The most frequently occurring malware on the Internet was Trojan.Win32.Agent—26,573 varieties in 2007 account for 24% of all Trojans.
• The most common worm in 2007 was Net-Worm.Win32.Allaple with 21,254 varieties. It is a family of polymorphic worms that propagate by exploiting Windows® vulnerabilities instead of using e-mail.
New Year, Same Story
Full Mid-Year Report: http://www-935.ibm.com/services/us/iss/xforce/midyearreport/
Agenda
• Who is X-Force?
• How can you protect?
– X-Force Strategy
• Conclusions
The Ever Growing Danger Zone
ISS Preemptive Protection
Vulnerability Focused Protection
Protection Advances
The Threat Lifecycle
How do you get “owned” these days?
The initial culprits in owning a system can be as innocent as an email from Mom or as malicious as a hacker set to steal valuable information.
• Inherent in any computer program are vulnerabilities, or small cracks in the code, that allow things in that were not originally intended.
• A “proof of concept”, or exploit, is created to take advantage of the lowered defenses from the vulnerability.
• Shellcode is then injected to enable remote code execution.
• Shell code is executed to create a buffer overflow that opens the back door to the system.
• Malcode, such as a trojan or rootkit, is executed to wreak havoc on the system.
X-Force Protection Engines
• VPS: The Virus Prevention System (VPS) is a behavioral anti-virus technology that can stop not only new malware variants, but also new malware families. VPS uses pre-execution behavioral analysis to stop malware before it can run and do damage.
• PAM: The Protocol Analysis Module (PAM) is the network IPS component in IBM ISS desktop, server, and network products. PAM uses behavioral and vulnerability-centric methods to detect and block network-based exploits affecting more than 7,400 vulnerabilities.
• Shellcode Heuristics: This engine uses generic shellcode detection to block shellcode payloads, one of the most prevalent methods of infecting non-binary files like HTML, documents, and images.
• BOEP: Buffer Overflow Exploit Prevention (BOEP) blocks execution payloads delivered through buffer overflow exploits, providing 0-day protection for this class of threats.
• Cobion: Cobion e-mail and content filtering technology has analyzed over 8.7B URLs and images and 1B unique spam messages. Over 100k web items and 700k spam messages are analyzed daily.
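As an added illustration of the generic shellcode detection the Shellcode Heuristics engine is described with (example code written for this page, not IBM ISS's engine), the following decodes the %u-escaped strings in a constructed HTML sample and applies two textbook heuristics: a NOP sled and a known position-independent GetPC decoder stub. The sample, thresholds and function names are assumptions for the example.

```python
import re

# Constructed sample (not from the deck): an HTML page carrying a %u-encoded
# byte string of the kind generic shellcode heuristics are built to catch.
ENCODED = "%u9090" * 16 + "%ueed9%u74d9%uf424"
SAMPLE_HTML = '<html><script>var s = unescape("' + ENCODED + '");</script></html>'

NOP_SLED_MIN = 16  # minimum run of 0x90 we call a sled; real engines use richer NOP sets

# Well-known position-independent "GetPC" stubs that decoder loops start with;
# their presence next to a sled is a classic heuristic signal.
GETPC_STUBS = {
    b"\xe8\x00\x00\x00\x00": "call $+5",
    b"\xd9\xee\xd9\x74\x24\xf4": "fldz/fnstenv",
}

def decode_unicode_escapes(text: str) -> bytes:
    """Turn JavaScript %uXXXX escapes into the little-endian bytes they become in memory."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})", text):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)

def find_nop_sleds(data: bytes, min_len: int = NOP_SLED_MIN) -> list:
    """Return (offset, length) for every run of 0x90 at least min_len bytes long."""
    sleds, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if b == 0x90:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                sleds.append((start, i - start))
            start = None
    return sleds

def find_getpc_stubs(data: bytes) -> list:
    """Return (offset, name) for each known GetPC stub found in the blob."""
    return [(data.find(stub), name) for stub, name in GETPC_STUBS.items() if stub in data]

def scan_html(html: str, min_sled: int = NOP_SLED_MIN) -> dict:
    """Decode escaped strings in an HTML page and apply the two heuristics."""
    payload = decode_unicode_escapes(html)
    sleds, stubs = find_nop_sleds(payload, min_sled), find_getpc_stubs(payload)
    # Verdict: a sled and a decoder stub in the same blob is flagged; either alone is not
    return {"bytes": len(payload), "sleds": sleds, "getpc": stubs,
            "suspicious": bool(sleds) and bool(stubs)}

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Requiring both signals keeps a long run of 0x90 in an innocent binary blob from firing on its own, which is the false-positive trade-off any generic heuristic has to make.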
Agenda
• Who is X-Force?
• How can you protect?
• Conclusions
Conclusions
• Web applications are the target of vulnerability research.
• The endpoint is the target of exploits.
• Multiple protection technologies give better granularity.
• Defense in depth is still mandatory.
• X-Force research is the way to stay “Ahead of the Threat™”.
X-Force R&D Drives IBM ISS Security Innovation
Research
• Protection Technology Research
• Threat Landscape Forecasting
• Malware Analysis
• Public Vulnerability Analysis
• Original Vulnerability Research
Technology Solutions
• X-Force Protection Engines
– Extensions to existing engines
– New protection engine creation
• X-Force XPUs
– Security Content Update Development
– Security Content Update QA
• X-Force Intelligence
– X-Force Database
– Feed Monitoring and Collection
– Intelligence Sharing
Questions?
Thank You
Dr. Jean Paul Ballerini
Sr. Technology Solutions Expert, X-Force Expert
IBM Internet Security Systems