Key findings in the Mid-Year Trend and Risk Report
Posted by Holly Stewart on August 28, 2009 at 11:15 AM EDT.
We all breathe a great sigh of relief as we pass the finish line of releasing our bi-annual X-Force Trend and Risk Report. At 86 pages, it’s not light reading, so let me try to help you navigate the mountains of data.
Vulnerabilities and Exploitation
Although the rate of new vulnerability disclosures declined in the first half, driven by decreases in some major categories (SQL injection and file-include vulnerabilities affecting Web applications, and ActiveX control vulnerabilities), exploitation of these still highly prevalent vulnerability types has not declined.
I wish I could say that we could all rest a little easier knowing that fewer vulnerabilities were discovered in the first half of this year than in recent years. However, this lull most likely represents a tapping out of low-hanging fruit in the areas where we’ve seen a decline. As new areas of research open up, or new tools make research and vulnerability discovery easier, we’ll see another uptick in the disclosure rate.
Not all vulnerability categories have decreased. Document format vulnerabilities, especially those affecting PDF documents, have increased in number and have also been increasingly targeted when it comes to real-world exploitation.
Obfuscation
Attackers don’t always need a new vulnerability to get around protection anymore. New obfuscation tricks are constantly evolving in an attempt to evade intrusion prevention (IPS) and antivirus (AV). Obfuscation lets attackers conceal their attacks by scrambling the code in a way that a browser, multimedia player, or document viewer easily de-scrambles, but that may leave IPS and AV blind to the exploit because they can’t decode the Web page or file to find the hidden attack. So, using obfuscation, attackers don’t always have to rely on new vulnerability discoveries to reach their victims. All they need is a lapse in patching and a bit of trickery to get around simple pattern-matching protection or even the best vulnerability-centric protection.
We track this kind of obfuscation through special detection algorithms we've incorporated into our IPS, and we watch how patterns of use change by monitoring hits on these algorithms across our world-wide deployments of Managed Security Services (MSS). In the second quarter of 2009, our MSS witnessed nearly twice as much obfuscation as in the first quarter.
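To make the point about pattern-matching protection concrete, here is an added example (not code from the report or from X-Force) in which a harmless marker string stands in for an exploit signature. The page is constructed; the detector shows why a filter must decode common JavaScript encoding layers, as the browser would, before it can match.

```python
import re
from urllib.parse import unquote

# Constructed sample: a harmless marker stands in for an exploit signature.
# The "obfuscated" page carries the same marker, but wrapped in unescape(),
# so a plain substring search no longer finds it.
SIGNATURE = "XFORCE-TEST-MARKER"
PLAIN_PAGE = '<script>var p = "XFORCE-TEST-MARKER";</script>'
OBFUSCATED_PAGE = ('<script>var p = unescape("%58%46%4F%52%43%45%2D%54%45%53'
                   '%54%2D%4D%41%52%4B%45%52");</script>')

_UNESCAPE = re.compile(r'unescape\(\s*"((?:%[0-9A-Fa-f]{2}|[^"])*)"\s*\)')
_FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]+)\)')


def naive_match(page: str) -> bool:
    """What a pure pattern-matching filter does: look for the literal bytes."""
    return SIGNATURE in page


def normalize(page: str, max_rounds: int = 5) -> str:
    """Peel off common JavaScript encoding layers before matching.

    Each round rewrites unescape("...") and String.fromCharCode(...) calls
    into the string the browser would produce. Looping handles nested
    layers; the bound keeps a hostile input from spinning the filter forever.
    """
    for _ in range(max_rounds):
        new = _UNESCAPE.sub(lambda m: '"' + unquote(m.group(1)) + '"', page)
        new = _FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",")
                                    if c.strip()) + '"',
            new)
        if new == page:
            break
        page = new
    return page


def decode_then_match(page: str) -> bool:
    """Match against the decoded content, the way the browser would see it."""
    return SIGNATURE in normalize(page)
```

Real obfuscation layers go far beyond these two calls, which is why IPS-side decoding has to track the evasions the telemetry shows rather than a fixed list.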

Operating System Vulnerabilities
For those of you who questioned the Operating System vulnerability statistics in the 2008 report, we’ve made some changes. We typically rely on CPE (the Common Platform Enumeration industry standard created by MITRE), but, as we found out, not all vendors follow quite the same methodology for reporting their operating system versions. So, to try to compare Apples to, um… Apples, we changed some things around. Instead of breaking down operating systems by the platform as reported by the vendor, we grouped the operating systems into major groups (like all Apple, all Linux, all Microsoft) and counted each unique vulnerability once. So, if two versions of an Apple operating system were affected by the same vulnerability, that vulnerability was only counted once. Ditto for Microsoft and Linux and the other major categories. The results looked eerily similar to what we reported at the end of 2008 with the CPE methodology, with one exception—Sun Solaris, which shot up to the top in the first half of 2009 (likely due to a change in disclosure policy and not a lot of new vulns—see our report for more details on this one). Apple and Linux are still ahead of Microsoft when it comes to the sheer number of disclosed vulnerabilities.

However, the story changes significantly when you look at only critical and high vulnerabilities. If you only consider the more critical vulnerabilities, Microsoft operating systems are well ahead of the rest of the pack:
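The counting methodology described above (group by vendor, count each unique vulnerability once regardless of how many platform versions it affects, then optionally restrict to critical and high severity), as an added example that is not part of the report. The records, ids, platform strings and severities are all constructed to show how the ranking can flip between the two views.

```python
from collections import defaultdict

# Constructed sample records: (vulnerability id, vendor group, platform string
# as the vendor reports it, severity). Ids and platforms are made up.
SAMPLE = [
    ("VULN-0001", "Apple",     "Mac OS X 10.4",     "medium"),
    ("VULN-0001", "Apple",     "Mac OS X 10.5",     "medium"),  # same vuln, 2nd version
    ("VULN-0002", "Apple",     "Mac OS X 10.5",     "low"),
    ("VULN-0003", "Apple",     "Mac OS X 10.5",     "high"),
    ("VULN-0004", "Linux",     "kernel 2.6.28",     "medium"),
    ("VULN-0004", "Linux",     "kernel 2.6.29",     "medium"),  # same vuln, 2nd version
    ("VULN-0005", "Linux",     "kernel 2.6.29",     "low"),
    ("VULN-0006", "Linux",     "kernel 2.6.30",     "low"),
    ("VULN-0007", "Microsoft", "Windows XP SP3",    "critical"),
    ("VULN-0007", "Microsoft", "Windows Vista SP1", "critical"),  # same vuln, 2nd version
    ("VULN-0008", "Microsoft", "Windows Vista SP1", "high"),
]


def per_platform_counts(records):
    """The per-platform view: every (platform, vulnerability) pair counts,
    so one vuln affecting three versions is counted three times."""
    counts = defaultdict(int)
    for _, vendor, _, _ in records:
        counts[vendor] += 1
    return dict(counts)


def unique_vulns_by_vendor(records, severities=None):
    """Group by vendor and count each vulnerability id once, however many
    platform versions it affects. Optionally keep only the given severities;
    vendors with nothing in that band still appear, with a count of 0."""
    seen = {vendor: set() for _, vendor, _, _ in records}
    for vuln_id, vendor, _, severity in records:
        if severities is None or severity in severities:
            seen[vendor].add(vuln_id)
    return {vendor: len(ids) for vendor, ids in seen.items()}


def ranking(records, severities=None):
    """Vendors ordered by unique-vulnerability count, highest first."""
    counts = unique_vulns_by_vendor(records, severities)
    return sorted(counts, key=lambda v: (-counts[v], v))
```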

Spam and Phishing
A few changes in spam and phishing really surprised us. First, the return of image-based spam was a strange surprise. We talked about this one in another blog post earlier this year.
Second, phishing, especially financial phishing, dramatically declined in the first half of this year. Although there’s no direct proof, it’s likely that financial phishers have found more lucrative ways to harvest banking login information… primarily the use of malware.
Think about the effort it takes to set up a malicious Web server that looks just like the Web site you're attempting to phish, and then imagine crafting an email convincing enough to get a user to go to that Web site by clicking a link within that email and then also log in with their banking credentials. All of that requires a lot of work AND social engineering AND a fairly gullible user. Now, consider crafting an email about any topic… ALL you have to do is convince a user to click on one single link that serves up a malicious exploit that silently compromises their computer through an unpatched vulnerability (using obfuscation to cover your tracks and hide from the protections on their computer). If you compromise the system, all you have to do is install a Trojan that does the rest of the dirty work for you. Not only do you get banking details, but anything else that is lucrative on that system.
Malicious Links and Malware
Some of the biggest changes on the malicious link and malware side were:
- An incredible jump in the overall number of malicious links – 508%
- A big increase in the number of countries hosting at least one malicious link – up 80%
- An increase in the number of Trojans, which appear to be the most active category of malware, representing 55% of all the new malware we saw in the first half of this year.
As always, we welcome your comments and suggestions about the report. Please email them to xforce@iss.net.
Updated Sept 4, 2009: Corrected an error on the obfuscation chart (replaced with new graphic).