All contents are Copyright © 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public information.
Cisco 1Q11 Global Threat Report: Featuring Data from Cisco Security Intelligence Operations
Key Highlights
• 105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011;
• Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011;
• 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google's Gmail;
• Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11;
• 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs;
• SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service;
• Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011;
• At 13%, Miley Cyrus-themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%;
• At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter;
• Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11;
• Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems;
• As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown;
• Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010;
• With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11.
Introduction
The proper security tools can prevent infection or stop outbreaks, mitigate or reduce losses from malicious events, and even decrease legal liability. But these products can also often serve as an excellent source of information about what is happening in your specific enterprise. Regular review and understanding of the logs produced by these tools and services can enable you to benchmark what is normal and typical for your enterprise, which in turn provides a benchmark to spot unusual or atypical behavior that might be indicative of an advanced persistent threat or other intrusion.
Correlating log information across various tools and services also provides a timely "pulse" of the threat landscape, which can sometimes have interesting tie-ins to global non-malware-related events. Most importantly, regular review and understanding of the data can help ferret out the elusive "black swan": the types of surreptitious and malicious events that otherwise could fly below the radar. An excellent example of this was illustrated in the Cisco 3Q10 Global Threat Report, which showcased the tell-tale signs of a Stuxnet intrusion discoverable via log analysis.
The Cisco Global Threat Report is a compilation of data collected across four core segments of Cisco Security: ScanSafe, IPS, RMS, and IronPort. The report is published quarterly in the hopes that it will inspire and motivate you to perform your own in-house analysis on an ongoing basis.
Contributors to the Cisco Global Threat Report include:
Jay Chan, Gregg Conklin, Raymond Durant, John Klein, Mary Landesman, Armin Pelkmann, Shiva Persaud, Tom Schoellhammer, Chad Skipper, Ashley Smith
Cisco ScanSafe: Web Malware Events
Enterprise users experienced an average of 274 Web malware encounters per month in 1Q11, a 103% increase compared to 2010. Unique Web malware encountered also increased (46%) in 1Q11, from 72,294 unique Web malware in January 2011 to 105,536 in March (Figures 1-3).
Though Web malware continues to increase, far fewer large-scale compromises are occurring compared to previous years. Instead, compromises are more focused on the "long tail" of the Web, with fewer compromises per attack but a far larger number of separate attacks. As Figure 4 demonstrates, the largest outbreak occurred in March 2011 with a series of GIF injection attacks targeted at popular Pakistani news sites.
The second largest attack in 1Q11 involved website compromises designed to deliver the Hiloti trojan. This particular wave of attacks, breaking in January 2011 before resuming in February, is part of an ongoing series.
Though the Lizamoon series of SQL injection attacks were highly publicized in March 2011, both the actual numbers of compromised websites and the live encounter rates were far fewer than had been reported. In reality, only a few thousand websites were actually compromised, and live encounters represented only 0.15% of all Web malware encountered for the quarter.
Web searches resulted in 9% of Web malware encounters in 1Q11, with an average of 33% resulting from Google search engine results pages (SERPs) and 4% each from Yahoo! and Microsoft Bing SERPs. The majority of Web search encounters (58%) occurred via smaller search engines and/or searches performed on non-search-engine websites (Figure 5).
Figure 1 Average Web Encounters per Enterprise, 1Q11 (Source: Cisco ScanSafe) [bar chart by month, January to March; y-axis 0 to 500]
Figure 2 Unique Web Malware Encounters, 1Q11 (Source: Cisco ScanSafe) [bar chart by month, January to March; y-axis 0 to 120,000]
Figure 3 Unique Malware Domains and IPs, 1Q11 (Source: Cisco ScanSafe) [bar chart by month, January to March; series: Unique Malware Hosts, Unique IP Addresses; y-axis 0 to 25,000]
Figure 4 High Profile Web Attacks, 1Q11 (Source: Cisco ScanSafe) [share of Web malware encounters by month, January to March; series: GIF Injection, PHP Shells, Gumblar, Lizamoon, Hiloti; y-axis 0% to 10%]
It is important to note that search-related malware encounters are not reflective of any underlying risk with a particular search engine; rather, these encounters are due to the popularity and thus increased usage of a particular search service.
The rate of malware encounters via webmail increased rather dramatically in 1Q11, from 1% of all Web malware encounters in January 2011 to 7% in March 2011.
The majority of all 1Q11 malicious webmail (44%) occurred via Yahoo! mail (Figure 6). As with search engine encounters, webmail encounter rates are likely more reflective of the popularity of a given webmail service rather than specific to any elevated (or reduced) risk.
"Likejacking" refers to a method of clickjacking that uses image overlays to forcibly cause a Facebook user to "Like" a particular page. In turn, this causes a link to the page to appear on the user's Facebook wall, exposing their Facebook friends to the likejacking scam. This worm-like scam is often accompanied by a phishing segment whereby the victim is also tricked into providing their Facebook username and password.
As shown in Figure 7, likejacking encounters increased significantly during 1Q11, from 0.54% of all Web malware in January 2011 to 6% in March 2011. At 48%, the most frequently encountered "hook" for likejacking scams in January 2011 involved claims that the link would enable the victim to see who had been viewing their profile. However, this scam declined in effectiveness throughout the quarter, resulting in only 2% of likejacking encounters in March 2011.
Among celebrities, Miley Cyrus-themed likejacking dominated, with 13% of all likejacking encounters in March 2011. The second highest celebrity-themed likejacking leveraged the popularity of Indian actress Nayantara, resulting in 7% of likejacking scams for the same month.
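Likejacking is a form of clickjacking, so the mitigation available to any site whose pages carry click-to-act buttons is to refuse framing by untrusted origins. The following Python is an added example written for this page; it is not part of the report and not Cisco's or Facebook's code. It shows the response headers such a site would send (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and a checker that decides whether a page served with a given header set could be rendered inside a frame on another origin. The origins social.example and scam.example are made up for the demonstration, and the checker implements only the parts of the CSP host-source grammar it needs.

```python
from urllib.parse import urlsplit


def hardened_headers():
    """Headers that let only the page's own origin frame it; both are sent because
    older browsers understand X-Frame-Options while current ones prefer CSP."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


def _origin(url):
    """scheme://host[:port], lower-cased, which is what framing rules compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _matches(source, origin):
    """Match a CSP host-source (https://a.example, a.example, *.example) against an origin."""
    if source == "*":
        return True
    if "://" in source:
        scheme, host = source.split("://", 1)
    else:
        scheme, host = "", source
    origin_scheme, origin_host = origin.split("://", 1)
    if scheme and scheme != origin_scheme:
        return False
    if host.startswith("*."):
        return origin_host.endswith(host[1:])  # "*.example" -> ".example"
    return origin_host == host


def framing_allowed(headers, page_url, embedder_url):
    """Would a browser honouring these response headers render page_url inside a
    frame on embedder_url? frame-ancestors wins over X-Frame-Options when both exist."""
    lowered = {k.lower(): v for k, v in headers.items()}
    page_origin, embed_origin = _origin(page_url), _origin(embedder_url)
    for directive in lowered.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in tokens[1:]]
            if "'none'" in sources:
                return False
            if "'self'" in sources and embed_origin == page_origin:
                return True
            return any(_matches(s, embed_origin) for s in sources if not s.startswith("'"))
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embed_origin == page_origin
    return True  # no framing protection at all: any page can overlay it


if __name__ == "__main__":
    # Made-up origins: a site with a click-to-act button and a scam page trying to overlay it.
    page = "https://social.example/like?id=1"
    scam = "https://scam.example/see-who-viewed-you"
    print("unprotected page framable by scam site:", framing_allowed({}, page, scam))
    print("hardened page framable by scam site:   ", framing_allowed(hardened_headers(), page, scam))
```

A page that sends neither header can be overlaid by any origin, which is exactly the condition an image-overlay scam relies on; with the hardened headers the same page can only be framed from its own origin. A reviewer checking a site's exposure can feed its real response headers to framing_allowed against the origins that matter.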
Figure 5 Search Engine Web Malware Encounters, 1Q11 (Source: Cisco ScanSafe) [share by month, January to March; series shown: Yahoo!, Bing, Other; y-axis 0% to 80%]
Figure 6 Webmail Malware Encounters, 1Q11 (Source: Cisco ScanSafe): Yahoo! 45%, Live/Hotmail 25%, AOL 3%, Gmail 2%, Other 26%
Figure 7 Top 10 Likejacking Scams, 1Q11 (Source: Cisco ScanSafe) [share by month, January to March; themes: Profile Checker, Exotic, Miley Cyrus, Justin Bieber, Japan/Tsunami, Nayantara, Soccer, Charlie Sheen, Prank, Lady Gaga; y-axis 0% to 50%]
At 5% of all Web malware encounters, Java exploits continued to outpace Adobe Reader and Acrobat exploits (1%), as well as Adobe Flash exploits (0.17%), in 1Q11.
Companies in the Pharmaceutical & Chemical and the Energy & Oil sectors continued to be at highest risk of Web malware throughout 1Q11. Other higher-risk verticals throughout the quarter included Agriculture & Mining, Transportation & Shipping, and Education. The median rate for all verticals is reflected as 100%: anything above 100% has a higher-than-median encounter rate, and anything below 100% is below the median for all (Figure 8).
Figure 8 Vertical Risk, 1Q11 (Source: Cisco ScanSafe) [horizontal bar chart, 0% to 400%, median = 100%; verticals shown: Travel and Entertainment; Transportation and Shipping; Energy, Oil and Gas; Education; Insurance; Pharmaceutical and Chemical; Agriculture and Mining; Food and Beverage; HVAC, Plumbing, Utilities; Banking and Finance; Retail and Wholesale; Manufacturing; Government; Healthcare; Legal; Media and Publishing; Engineering and Construction; Charities and NGO; IT and Telecommunications; Aviation and Automotive; Real Estate and Land Management; Professional Services]
Cisco IPS and Remote Management Services
As discussed in the Cisco 4Q10 Global Threat Report, legacy worm activity continues to have an impact, even years after protection against the malware has been made readily available. That trend continues in 2011 with the surprise appearance of the circa-2004 MyDoom worm in the top 10 IPS event firings observed by Cisco Remote Management Services during the first quarter (Figure 9).
Note that the MHTML vulnerability described in Microsoft KB2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0-33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).
While a significantly occurring event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter, with the only notable increase occurring in the latter part of March 2011 (Figure 10).
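The introduction's advice to benchmark what is normal and then look for atypical behavior, and the observation above that SQL injection firings ran at a steady pace until late March, can be turned into a small piece of detection logic. The following Python is an added example written for this page, not Cisco's code or tooling. It assumes a constructed daily export in the form date,signature,count (a made-up layout, not a real Cisco IPS or RMS format) and uses a median/MAD baseline, so that a few spike days do not pull the baseline up with them the way a mean and standard deviation would.

```python
from collections import defaultdict
from statistics import median

# Constructed daily IPS signature counts as "date,signature,count" (not real Cisco data):
# a flat baseline through mid-March, then a jump in the last days of the month.
SAMPLE_DAILY_COUNTS = """\
2011-03-14,Generic SQL Injection,102
2011-03-15,Generic SQL Injection,97
2011-03-16,Generic SQL Injection,110
2011-03-17,Generic SQL Injection,95
2011-03-18,Generic SQL Injection,104
2011-03-19,Generic SQL Injection,88
2011-03-20,Generic SQL Injection,99
2011-03-21,Generic SQL Injection,101
2011-03-22,Generic SQL Injection,93
2011-03-23,Generic SQL Injection,108
2011-03-24,Generic SQL Injection,96
2011-03-25,Generic SQL Injection,105
2011-03-26,Generic SQL Injection,92
2011-03-27,Generic SQL Injection,100
2011-03-28,Generic SQL Injection,310
2011-03-29,Generic SQL Injection,420
2011-03-30,Generic SQL Injection,385
2011-03-31,Generic SQL Injection,450
2011-03-14,MyDoom Virus Activity,22
2011-03-15,MyDoom Virus Activity,19
2011-03-16,MyDoom Virus Activity,21
2011-03-17,MyDoom Virus Activity,20
2011-03-18,MyDoom Virus Activity,18
2011-03-19,MyDoom Virus Activity,23
2011-03-20,MyDoom Virus Activity,20
2011-03-21,MyDoom Virus Activity,21
2011-03-22,MyDoom Virus Activity,19
2011-03-23,MyDoom Virus Activity,22
2011-03-24,MyDoom Virus Activity,20
2011-03-25,MyDoom Virus Activity,21
2011-03-26,MyDoom Virus Activity,18
2011-03-27,MyDoom Virus Activity,20
2011-03-28,MyDoom Virus Activity,22
2011-03-29,MyDoom Virus Activity,19
2011-03-30,MyDoom Virus Activity,21
2011-03-31,MyDoom Virus Activity,20
"""

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard-deviation equivalent for normal data


def parse_daily_counts(text):
    """Group 'date,signature,count' lines into {signature: [(date, count), ...]} sorted by date."""
    series = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        date, signature, count = line.split(",")
        series[signature].append((date, int(count)))
    return {sig: sorted(points) for sig, points in series.items()}


def robust_baseline(counts):
    """Median and median absolute deviation: a baseline a few spike days cannot drag upward."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def flag_anomalies(points, k=3.0):
    """Return (date, count, score) for days whose robust z-score exceeds k."""
    med, mad = robust_baseline([c for _, c in points])
    # If every day is identical the MAD is 0; fall back to a floor so the score stays finite.
    scale = MAD_TO_SIGMA * mad if mad > 0 else max(1.0, 0.1 * med)
    hits = []
    for date, count in points:
        score = (count - med) / scale
        if score > k:
            hits.append((date, count, round(score, 1)))
    return hits


def anomaly_report(text, k=3.0):
    """Map every signature in the export to the dates that broke its baseline."""
    return {sig: [d for d, _, _ in flag_anomalies(pts, k)]
            for sig, pts in parse_daily_counts(text).items()}


if __name__ == "__main__":
    for sig, dates in anomaly_report(SAMPLE_DAILY_COUNTS).items():
        print(f"{sig}: {len(dates)} anomalous day(s) {dates}")
```

Run as a script, the block reports for each signature which days sat more than three robust standard deviations above that signature's median; with the constructed data only the last four days of March for the SQL injection signature are flagged, and the flat MyDoom series produces nothing. Over a real daily export, reviewing this report is the kind of benchmark-then-compare routine the introduction describes, and the median/MAD choice is what keeps the late-March jump from hiding itself by inflating the baseline.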
Figure 10 SQL Volume, 1Q11 (Source: Cisco IPS) [daily event volume, 01/01/2011 to 03/30/2011; y-axis 0 to 160,000]
Figure 9 Top 10 Signature Firings, 1Q11 (Source: Cisco RMS) [share of signature events; signatures shown, in figure order: Generic SQL Injection; Web View Script Injection Vulnerability; Gbot Command and Control Over HTTP; B02K-UDP; Cisco Unified Videoconferencing Remote Command Injection; Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution; WWW WinNT cmd.exe Access; Web Application Security Test/Attack; MyDoom Virus Activity; Windows MHTML Protocol Handler Script Execution. Percentage labels as extracted: 55.03%, 7.01%, 5.16%, 2.47%, 5.20%, 4.91%, 3.27%, 1.30%, 1.19%, 1.16%]
Denial-of-Service (DoS) attacks also had a steady presence throughout 1Q11, with several notable peaks occurring throughout the quarter (Figure 11). While once largely prank-related, DoS attacks are increasingly politically and financially motivated.
Rustock activity, which had peaked in the fourth quarter of 2010, significantly declined in 1Q11. First discovered in 2006, Rustock installs a rootkit-enabled backdoor that has most commonly been associated with spam and scareware delivery. On March 16, 2011, it was reported that global law enforcement and Microsoft had successfully dismantled key segments of the Rustock botnet. However, as seen in Figure 12, Rustock activity had begun to decline several weeks prior to the takedown event.
Figure 12 Rustock Volume, 1Q11 (Source: Cisco IPS) [daily event volume, 01/01/2011 to 03/30/2011; y-axis 0 to 20,000]
Figure 11 DoS Volume, 1Q11 (Source: Cisco IPS) [daily event volume, 01/01/2011 to 03/28/2011; y-axis 0 to 200,000]
Activity, Top 25, 1Q11 (Source: Cisco RMS)
Port      Percent
80 69.00%
40436 2.23%
25 2.17%
161 1.39%
5060 1.27%
123 1.16%
34227 1.13%
443 1.05%
21 1.00%
20 0.71%
554 0.57%
39162 0.47%
59446 0.47%
49688 0.35%
41483 0.25%
29930 0.24%
44122 0.24%
3985 0.20%
445 0.19%
3986 0.19%
57522 0.18%
63650 0.18%
58198 0.18%
53565 0.17%
54826 0.16%
Cisco IronPort: Global Spam Trends
The 2011 takedown of segments of Rustock, combined with multiple spam botnet takedowns in 2010, had a positive impact on overall spam volume. However, spam volume in 1Q11 remained above the lowest point recorded in December 2010. Figure 13 reflects global spam volume as reported through Cisco SensorBase Network participants.
Interestingly, while the takedown efforts had the most positive impact on spam originating from the United States and Russia, spam originating from other countries is rapidly increasing (Figure 14).
Figure 13 Global Spam Volume, 1Q11 (Source: Cisco IronPort (SBNP/ESA)) [daily volume, 01/01/2011 to 03/30/2011; y-axis 0 to 1,400,000,000]
Figure 14 Top Spam Senders by Country (Bn/Mo), 1Q11 (Source: Cisco IronPort) [monthly volume, January to March; countries shown: Indonesia, United States, Russian Federation, British Indian Ocean Territory, Rwanda; y-axis 0 to 140]
Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts (Figure 15). This interest in Twitter credentials is likely due in part to Twitter users' acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fueled by the trust engendered through social networking in general.
In summary, while global spam volumes have increased, the malware encounter rate via webmail has substantially increased. Further, social networking scams involving both Facebook and Twitter also increased throughout the first quarter. Web-delivered malware is also at an all-time high, and the rate of encounters with unique new malware continues to increase.
Figure 15 Global Spam Volume, 1Q11 (Source: Cisco IronPort (SBNP/ESA)) [daily share of spam, 01/01/2011 to 03/30/2011; series: Non-Twitter Phish, Twitter Phish; y-axis 0 to 4.50%]
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) C02-640572-00 1/11
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands