IBM report reviews Internet crime

IBM has released a report on Internet crime in 2007 here
<http://www.iss.net/documents/whitepapers/xforce_2007_annual_report.pdf>

Some highlights from the Management summary with my comments in [square
brackets]:

Vulnerabilities
* Although total vulnerability disclosures went down, the number of
reported high severity vulnerabilities increased by 28 percent in
comparison with 2006.
* The busiest day of the week for vulnerability disclosures continued
to be Tuesday, with 1,361 new vulnerabilities disclosed on this day of
the week in 2007.
* Of all the vulnerabilities disclosed in 2007, only 50 percent can be
corrected through vendor patches. [suggests that ISPs need to be
proactive about detecting and blocking compromised machines]
* Nearly 90 percent of 2007 vulnerabilities could be remotely
exploited, up one percentage point from 2006.

Web Browser Exploitation
* Most in-the-wild browser exploits are generated by Web exploit
toolkits.
* Critical vulnerabilities for Mozilla Firefox were dramatically lower
in 2007 compared to 2006.
[If you still distribute any kind of software kits that do not install
Firefox, you are doing your customers a disservice and making your
detection and blocking task that much bigger. When you contact customers
with compromised machines you might want to make it mandatory to install
Firefox from your servers before re-enabling Internet access]

Spam and Phishing
* Of the top 20 companies targeted by phishing in 2007, 19 are in the
banking industry and one conducts recruiting.
[This suggests keywords to look for in incoming email. Also, for local
and regional ISPs, the number of companies in these two industries is
low enough that you may want to consider establishing a direct
relationship with them to configure stricter incoming email filters]

Web Content
* 9 percent of Internet content was classified as unwanted (criminal,
pornography, etc) as compared to 12.5 percent in 2006.
* The U.S. far outpaces other countries as the primary hosting source
of adult, socially deviant and criminal content on the Internet,
accounting for roughly 40-48 percent in each content category.
* The U.S. and Germany were the only two countries consistently among
the top three hosting sources for each type of "unwanted" Internet
content monitored throughout 2007.
[Suggests that NANOG members need to raise the bar considerably to clean
up their own backyard. What do you know about your own Internet peering
partners?]

Malcode
* Trojans represent the largest category of malware in 2007 - 109,246
varieties account for 26 percent of all malware.
* The most frequently occurring malware on the Internet was
Trojan.Win32.Agent - 26,573 varieties in 2007 account for 24 percent of
all Trojans.
* The most common worm in 2007 was Net-Worm.Win32.Allaple with 21,254
varieties. It is a family of polymorphic worms that propagates by
exploiting Windows(r) vulnerabilities instead of using e-mail.
[This suggests that targeting these specific attack vectors could clean
up a significant amount of the problem and correspondingly reduce your
costs for detection and blocking of compromised machines.]

Make sure to download the report for the complete management summary and
many more details.
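The "detecting and blocking compromised machines" the comments above keep coming back to is mostly done from the ISP's own flow data: a home PC that starts opening TCP/25 connections to dozens of different mail servers an hour is almost always a bot, whatever AV it runs. The following is an added example written for this thread, not code from the IBM report or from any poster. Flow records, the allow-listed relay and all addresses are constructed; a real deployment would feed NetFlow/sFlow exports into the same functions.

```python
"""Spot subscribers that look like spam bots in outbound flow records.

Added example for this thread, not code from the IBM report or from any
poster. Flow records are constructed here as
(epoch_seconds, src_ip, dst_ip, dst_port) tuples.
"""
from collections import Counter, defaultdict


def max_distinct_mx_per_window(flows, window_seconds=3600):
    """For each source IP, the largest number of distinct TCP/25
    destinations it contacted inside any sliding window of
    window_seconds. A home PC normally talks to one or two mail
    servers; a bot fans out to hundreds of MX hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25:
            by_src[src].append((ts, dst))

    peaks = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> hits inside the current window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events older than the window from its left edge.
            while events[left][0] < ts - window_seconds:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        peaks[src] = best
    return peaks


def flag_spam_bots(flows, threshold=20, window_seconds=3600,
                   allow_list=frozenset()):
    """Return {src_ip: peak_distinct_mx} for sources at or above the
    threshold. allow_list holds known legitimate relays (constructed
    for this example) so they are never quarantined by this rule."""
    peaks = max_distinct_mx_per_window(flows, window_seconds)
    return {src: n for src, n in peaks.items()
            if n >= threshold and src not in allow_list}


# Constructed sample traffic (addresses from documentation/private ranges).
BASE = 1_200_000_000
SAMPLE_FLOWS = []
# 10.1.2.3: 60 different mail servers in ten minutes -> bot-like.
for i in range(60):
    SAMPLE_FLOWS.append((BASE + 10 * i, "10.1.2.3", f"198.51.100.{i}", 25))
# 10.9.9.9: a customer's legitimate relay, busy but allow-listed.
for i in range(30):
    SAMPLE_FLOWS.append((BASE + 60 * i, "10.9.9.9", f"203.0.113.{i}", 25))
# 10.1.2.4: an ordinary user, two submissions to one server plus HTTPS.
SAMPLE_FLOWS += [
    (BASE + 5, "10.1.2.4", "192.0.2.25", 25),
    (BASE + 90, "10.1.2.4", "192.0.2.25", 25),
    (BASE + 120, "10.1.2.4", "192.0.2.80", 443),
]
KNOWN_RELAYS = frozenset({"10.9.9.9"})

if __name__ == "__main__":
    for src, n in sorted(flag_spam_bots(SAMPLE_FLOWS,
                                        allow_list=KNOWN_RELAYS).items()):
        print(f"quarantine candidate {src}: {n} distinct MX hosts/hour")
```

The threshold and window are the knobs to tune against your own helpdesk numbers; the allow-list is what keeps a customer's real mail relay out of the walled garden.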

Some highlights from the Management summary with my comments in [square
brackets]:

Vulnerabilities
* Although total vulnerability disclosures went down, the number of
reported high severity vulnerabilities increased by 28 percent in
comparison with 2006.
* The busiest day of the week for vulnerability disclosures continued
to be Tuesday, with 1,361 new vulnerabilities disclosed on this day of
the week in 2007.
* Of all the vulnerabilities disclosed in 2007, only 50 percent can be
corrected through vendor patches. [suggests that ISPs need to be
proactive about detecting and blocking compromised machines]

I think this conclusion assumes a number of facts not in evidence.

If the vulnerability cannot be corrected through a vendor patch, then,
one has to wonder what, exactly the vulnerability is. If it is social
engineering, then, I don't believe that ISP proactivity can really
address the issue. Much more detail on the nature of these
vulnerabilities which cannot be corrected by vendor patches is
needed before any useful conclusion about the correct solution can
be drawn.

* Critical vulnerabilities for Mozilla Firefox were dramatically lower
in 2007 compared to 2006.
[If you still distribute any kind of software kits that do not install
Firefox, you are doing your customers a disservice and making your
detection and blocking task that much bigger. When you contact customers
with compromised machines you might want to make it mandatory to install
Firefox from your servers before re-enabling Internet access]

Huh? Why should everyone ship a browser with their software kit?
Browsers are like religion. You're really not going to have a lot of
success trying to force one down your customers' throats.

It's great that Firefox security has improved, but, this statement alone
does not really provide any details about the current relative level
of vulnerability between Firefox and any other browser.

* The U.S. and Germany were the only two countries consistently among
the top three hosting sources for each type of "unwanted" Internet
content monitored throughout 2007.
[Suggests that NANOG members need to raise the bar considerably to clean
up their own backyard. What do you know about your own Internet peering
partners?]

Considering that the US is also consistently among the top three sources
of desirable content, I'm not sure that this ranking necessarily proves much
of anything, but, I do agree that ISPs could do a better job of shutting down
mal-sites.

Malcode
* Trojans represent the largest category of malware in 2007 - 109,246
varieties account for 26 percent of all malware.
* The most frequently occurring malware on the Internet was
Trojan.Win32.Agent - 26,573 varieties in 2007 account for 24 percent of
all Trojans.
* The most common worm in 2007 was Net-Worm.Win32.Allaple with 21,254
varieties. It is a family of polymorphic worms that propagates by
exploiting Windows(r) vulnerabilities instead of using e-mail.
[This suggests that targeting these specific attack vectors could clean
up a significant amount of the problem and correspondingly reduce your
costs for detection and blocking of compromised machines.]

It also suggests that taking Windows off the net could do a lot to reduce
the level of vulnerability, but, I'm not holding my breath until that
happens either.

Owen

vendor patches. [suggests that ISPs need to be proactive about detecting
and blocking compromised machines]

This I've seen suggested for a while, yet I've seen many here shun the idea. "If we force someone who doesn't know, they'll jump ship elsewhere in droves" seemed to be the consensus. How about "if some acted as a *group* and did not allow an uber-infected machine from your client to get on a network"?

"Sorry, we don't want your $20.00 per month since it's costing us 3 calls to tech support per month, we're getting overwhelmed with emailed complaints your machine is sending spam..." And so on. Wait, not feasible; instead of thinking about this logically for a second, it's likely some would focus more on countering it with an argument.

[If you still distribute any kind of software kits that do not install
Firefox, you are doing your customers a disservice and making your
detection and blocking task that much bigger. When you contact customers
with compromised machines you might want to make it mandatory to install
Firefox from your servers before re-enabling Internet access]

Agree, and disagree. When I am on Windows, I loathe using the newer versions of Firefox. It's become such a resource hog it's scary. I've resorted to Opera. So you push them to Firefox anyway; what now? There are still countless amounts of vulnerabilities for FF, many not even seen. Because the security industry has some numbers on vulnerabilities for Mozilla, what about the unknowns? What about the spambot herder/hoarder criminals who don't distribute code?

[Suggests that NANOG members need to raise the bar considerably to clean
up their own backyard. What do you know about your own Internet peering
partners?]

Are you suggesting that if peers don't clean up their act they should be de-peered? I'd like to see that happen even for a day and watch a large portion of the net crumble. I could point out off the top of my head about a dozen dirty peers, and I mean extremely dirty, who would never be de-peered. Money talks.

[This suggests that targeting these specific attack vectors could clean
up a significant amount of the problem and correspondingly reduce your
costs for detection and blocking of compromised machines.]

That would mean work. It would also mean the time allotted to focusing on how to fix it would be taken away from the time it takes to counter-argue your points.

* Owen DeLong:

If the vulnerability cannot be corrected through a vendor patch, then,
one has to wonder what, exactly the vulnerability is.

You assume that a vendor patches a vulnerability once they learn about
it. In my experience, this is not true. Sometimes it's easy to explain
(product or vendor ceased to exist), sometimes it's not (some cross-site
scripting issues I'm trying to straighten out; minor bugs to you
perhaps, but huge media exposure because of their visibility and
reproducibility--think FDIV bug).

> [If you still distribute any kind of software kits that do
> not install
> FireFox, you are doing your customers a disservice and making your
> detection and blocking task that much bigger. When you contact
> customers with compromised machines you might want to make it
> mandatory to install Firefox from your servers before re-enabling
> Internet access]

> Agree, and disagree.

Yes, it certainly does not apply to everyone.

> So you push them to Firefox anyway, what now, there are still
> countless amounts of vulnerabilities for FF many not even seen.

I was actually targeting this suggestion to those who
currently distribute Internet Explorer kits. So it was
more of a suggestion to not distribute the browser that
is most vulnerable. And if you make installation of
Firefox a requirement to come out of quarantine, that
does not imply that people need to uninstall their other
browsers. This is to give them the experience of something
new knowing that a certain percentage will continue using
it and not be reinfected. And reducing reinfections cuts
your costs of detection and blocking compromised PCs.

> Are you suggesting that if peers don't clean up their act
> they should be de-peered?

That's pretty extreme. I would think that you could start
by keeping regular communication with them and always
showing reports about how much bad traffic comes from
them versus how much comes from you. Or how many compromised
hosts are in their AS versus in yours. You could share what
you have learned about detection and blocking of compromised
computers and the resulting reduction in helpdesk calls.
In other words, if there is a problem, discuss it, make it
clear how you are doing a better job than they are, and
how the term "peering" refers to two companies who are
equals by some measure. And how the peer is lacking by
certain malware measures. In many cases, repeated communication
will lead to people fixing problems, even if you have to wait
until it filters up to a level where management says "What if
our peers start depeering because of these problems? Go fix them!".

Engineers like to figure out everything to the nth detail and
cost it all out. But that's not the only way to get action.

--Michael Dillon
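The report Michael describes, "how many compromised hosts are in their AS versus in yours", is straightforward to produce from whatever sinkhole or abuse feed you already have, as long as you normalize by announced address space so a big peer is not penalized for being big. The following is an added example, not code from anyone on the thread. Everything in it is constructed: the prefix table stands in for a BGP RIB dump, the log lines for sinkhole hits, and the ASNs are from the private range; the malware family names are the two the IBM summary mentions.

```python
"""Per-AS count of compromised hosts seen at a sinkhole.

Added example, not code from anyone on the thread. Assumptions (all
constructed): the prefix table stands in for a BGP RIB dump, the log
lines for sinkhole hits. Overlapping announcements are counted naively:
a more-specific is credited to its own AS while the covering prefix
keeps its full size.
"""
import ipaddress
from collections import defaultdict

PREFIX_TABLE = [
    ("192.0.2.0/24", 64496),       # our own AS
    ("198.51.100.0/24", 64497),    # peer A
    ("198.51.100.128/25", 64498),  # peer B, more-specific inside peer A's block
]

SINKHOLE_LOG = """\
2008-02-10T12:00:01Z 192.0.2.10 sinkhole-hit Net-Worm.Win32.Allaple
2008-02-10T12:00:05Z 192.0.2.10 sinkhole-hit Net-Worm.Win32.Allaple
2008-02-10T12:01:00Z 198.51.100.7 sinkhole-hit Trojan.Win32.Agent
2008-02-10T12:02:00Z 198.51.100.200 sinkhole-hit Trojan.Win32.Agent
2008-02-10T12:03:00Z 198.51.100.201 sinkhole-hit Trojan.Win32.Agent
2008-02-10T12:04:00Z 203.0.113.9 sinkhole-hit Trojan.Win32.Agent
this line is malformed and must be skipped
"""


def build_table(prefix_table):
    """Parse prefixes and order them longest-first for longest-prefix match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_table]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def lookup_asn(ip, table):
    """Origin AS of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def parse_sinkhole_log(text):
    """Yield (timestamp, ip, family); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "sinkhole-hit":
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield parts[0], parts[1], parts[3]


def compromised_hosts_per_as(log_text, prefix_table):
    """{asn: {"hosts": distinct IPs seen, "addresses": announced size,
    "per_1000": hosts per 1000 announced addresses}}. Hits from space
    not in the table are dropped; they belong to nobody we peer with."""
    table = build_table(prefix_table)
    hosts = defaultdict(set)
    for _ts, ip, _family in parse_sinkhole_log(log_text):
        asn = lookup_asn(ip, table)
        if asn is not None:
            hosts[asn].add(ip)
    addresses = defaultdict(int)
    for net, asn in table:
        addresses[asn] += net.num_addresses
    return {
        asn: {
            "hosts": len(ips),
            "addresses": addresses[asn],
            "per_1000": 1000 * len(ips) / addresses[asn],
        }
        for asn, ips in hosts.items()
    }


def peers_worse_than_us(report, own_asn):
    """ASNs whose infection rate exceeds our own, worst first."""
    ours = report.get(own_asn, {"per_1000": 0.0})["per_1000"]
    worse = [asn for asn, row in report.items()
             if asn != own_asn and row["per_1000"] > ours]
    return sorted(worse, key=lambda a: report[a]["per_1000"], reverse=True)


if __name__ == "__main__":
    report = compromised_hosts_per_as(SINKHOLE_LOG, PREFIX_TABLE)
    for asn, row in sorted(report.items()):
        print(f"AS{asn}: {row['hosts']} hosts / {row['addresses']} addresses "
              f"= {row['per_1000']:.2f} per 1000")
    print("peers to talk to:", peers_worse_than_us(report, 64496))
```

Run against real data, the same per-1000 figure for your own AS is the number you put next to the peer's in every e-mail, which is the whole point of Michael's "repeated communication" approach.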

michael.dillon@bt.com wrote: (removed cc)

I was actually targeting this suggestion to those who
currently distribute Internet Explorer kits. So it was
more of a suggestion to not distribute the browser that
is most vulnerable. And if you make installation of
Firefox a requirement to come out of quarantine, that
does not imply that people need to uninstall their other
browsers. This is to give them the experience of something
new knowing that a certain percentage will continue using
it and not be reinfected. And reducing reinfections cuts
your costs of detection and blocking compromised PCs.

Then what about antivirus and antispyware? Why should one be favored over the other? How many providers are suggesting this? It has an outside view of product favoritism. Perhaps the marketing teams could suggest a few free ones e.g. Avast, AVG, Adaware. There is the potential to clean up a lot of the trash that comes in and out of the network, but then what? I could see ISPs' call centers screening "I just installed AVG but I can't get it to work". Same goes for Firefox or any other product. Do you then look to support these?

I agree wholeheartedly that ISP's should step up to the plate considering their own resources are being abused and have the potential for some serious damage (imagine 70% of Cox, Comcast, TW being botnets aimed at your network). Sadly, this will be argued for a few more posts then deemed offtopic to be re-argued and unevaluated in the future.

Not necessarily - it's unclear whether they mean "the vuln innately can't be
fixed by a mere patch, because it's a social engineering issue", or "the vuln
can't be fixed because the vendor has not yet shipped a patch for some reason".

... or the patch application mechanism isn't likely to be successful
against sufficiently infected machines.

-Jim P.

Good thread; nice summary, Owen.

There are ways for ISP's to get involved with stopping/controlling
botnets e.g. the very recent work here -
http://www.offensivecomputing.net/?q=node/623 and here -
http://www.secureworks.com/research/threats/storm-worm/ - and the
not-so-distant work here -
http://www.bleedingthreats.net/index.php/2007/11/14/encrypted-storm-sigs/

ISP's are in a uniquely powerful control situation with software
vendors. We can demand audits from vendors that include SAS 70 Type
II / SOX 404 / AS5 or PCI-DSS (even better would be PA-DSS) on the
specific parts of their applications that their customers use. We can
provide a five-star rating system of "approved OS and applications"
that work on our networks.

I suggest starting with Microsoft, Adobe, Mozilla, and Google -
specifically on products such as Windows, Office, Acrobat Reader,
Firefox, and Google search. Make sure that any relationship you have
with these vendors starts with a conversation about application
security five-star rating systems and ends with
http://www.sans.org/whatworks/poster_2008.pdf

Establish relationships with two companies you may not have heard of:
ESET and Avira. Avira's AntiVir is the most proven
free-for-non-commercial-use AV (http://free-av.com). ESET's Nod32 is
the most proven AV that costs a minimal amount of money. Advertise
both like they are going out of style everywhere you possibly can.
For example, when I call your ISP the phone shouldn't ring, I should
go through a menu, and then I should hear, "If you run Microsoft's
Windows - consider FreeDashAVDotcom - AntiVir - the safest and free AV
solution for your personal computer". Then the technician/salesperson
who gets on the line should mention it right after the initial
greetings again. All email correspondence should include it at the
top of every message. Your websites should have it on the front page,
at the top.

I chose AntiVir and Nod32 because of http://www.av-comparatives.org
and safety issues (although Symantec is the safest because they have
an internal file fuzz testing harness called SEEAS that could
certainly stand to be open-sourced or sold commercially). Be careful
not to oversell AV as the only fix for security problems because of
the inherent difficulties of these products to avoid vulnerabilities
themselves (I know it's a contradiction, but life is full of
contradictions) - see
http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf
I saw that other people mentioned AVG and avast, so you can just
ignore their comments, please.

Because of the problems with AV being particularly vulnerable to
common software weaknesses (those "in the know" refer to these by
their MITRE CWE definitions), I suggest adding ESET and Avira to our
list of "vendors we harass about application security" and demand
audits from. I understand that SAS 70 Type II and even SOX 404 do not
typically cover "non-financial IT infrastructure", but we don't have
to tell the vendors that. Similarly, PCI/PA-DSS do not cover
applications that do not contain or transmit cardholder data, although
I would argue that all of the vendors named have just gotten away with
murder if you think about the reality of this presupposition.

It's our fault for not pushing AV on your customers, and it's the AV's
fault for not providing audit data to us, and it's the software
vendors' fault for causing us to have to recommend AV and for AV to
exist. The liability should land on the software vendors.

Make the five-star security rating systems a company-wide movement
from the top-down with support from C-level upper-management and your
general counsel.

Did I mention product literature? Don't forget to include the
five-star security product ratings in this product literature. E.g.
Windows 98 (0 stars), Windows Vista (4 stars), Mac OS X (2 stars),
Windows 2000/XP (1 star), Adobe Acrobat Reader (0 stars), Mozilla
Firefox (0 stars), Internet Explorer 7 (1 star), Internet Explorer
3/4/5/6 (0 stars), Google Search (0 stars), MSN Search (1 star),
Microsoft Office 2007 (1 star), Symantec Norton AV (3 stars), ESET
Nod32 (2 stars), Avira AntiVir (1 star), McAfee AV (1 star), all other
AV (0 stars), etc.

Do similar security five-star ratings for your recommended/supported
router, DSL, and Cable modem devices, but base it on their software
from the audit reports. Hardware security is not worth time/energy.
If this means that Cisco (sans Linksys) and 2WIRE are 1 star
contenders in a market full of zeros (well ok Juniper gets a 2), then
so be it. We've got to show improvement somehow and at some point, so
this gives everyone room to grow.

Finally, run Honeyclients against all of your hosting. Promote SpyBye
(FOSS) and Tenable PVS (commercial) to your hosting customers in the
same way you promote ESET and Avira to your access customers. Be
careful how you run Honeyclients because there is a lot of malware
that responds to these. It used to be that you could run
low-interaction Honeyclients and then follow these scans up with
high-interaction Honeyclients. Unfortunately, the career-criminals
have advanced their methods to prevent this tactic by using
elusive/evasive malware. I suggest running taint-mode tools such as
Argos because of their efficiency, although Capture is another good
high-interaction Honeyclient -
http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient

I suggest running your Honeyclient infrastructure on systems with
hardware virtualization running Xen with the ability to shift VM
guests around using xm-migrate. This requires shared-storage such as
OCFS2 with iSCSI (or something old like NFS). Management systems such
as http://en.wikipedia.org/wiki/Enomalism can verify that hundreds of
VM guests are at certain patch levels and deployed in mass.

If anyone needs any individual advice, please let me know. I'd also
like to hear how you're implementing any of these ideas/concepts and
how successful they are - but also encourage you to send to the
mailing-list for the benefit of others.

Cheers,
Andre

No, I presume that a vulnerability identified as "cannot be resolved through
vendor patch" means a vulnerability for which, even if a vendor patch were
available, it would not resolve the vulnerability. A vulnerability for which
a patch is not yet available, but, which could be resolved if the vendor
released a patch is a vulnerability which "CAN be resolved through
vendor patch when one becomes available."

It is unclear from the text provided which of our conflicting definitions for
the term applies in IBM's text.

Owen

* Owen DeLong:

* Owen DeLong:

If the vulnerability cannot be corrected through a vendor patch,
then, one has to wonder what, exactly the vulnerability is.

You assume that a vendor patches a vulnerability once they learn
about it. In my experience, this is not true. Sometimes it's easy
to explain (product or vendor ceased to exist), sometimes it's not
(some cross-site scripting issues I'm trying to straighten out;
minor bugs to you perhaps, but huge media exposure because of their
visibility and reproducibility--think FDIV bug).

No, I presume that a vulnerability identified as "cannot be resolved
through vendor patch" means a vulnerability for which, even if a
vendor patch were available, it would not resolve the vulnerability.

These vulnerabilities surely exist, but they are usually not considered
software vulnerabilities as such, and are usually not part of such
vulnerability reports. (A popular example are attacks on the Ebay
transaction protocol.)

A vulnerability for which a patch is not yet available, but, which
could be resolved if the vendor released a patch is a vulnerability
which "CAN be resolved through vendor patch when one becomes
available."

I wouldn't view it this way, but I can understand that this is a
possible interpretation.

It is unclear from the text provided which of our conflicting
definitions for the term applies in IBM's text.

True, I'll try to get clarification.

> * Of all the vulnerabilities disclosed in 2007, only 50 percent can be
> corrected through vendor patches. [suggests that ISPs need to be
> proactive about detecting and blocking compromised machines]

I think this conclusion assumes a number of facts not in evidence.

If the vulnerability cannot be corrected through a vendor patch, then,
one has to wonder what, exactly the vulnerability is. If it is social
engineering, then, I don't believe that ISP proactivity can really
address the issue.

It can if the kind of proactivity they mean is taking down phishing web
sites. (Though I wouldn't describe a phishing site as a vulnerability.)

Tony.

Andre Gironda wrote:

It's our fault for not pushing AV on your customers, and it's the AV's
fault for not providing audit data to us, and it's the software
vendors' fault for causing us to have to recommend AV and for AV to
exist. The liability should land on the software vendors.

I'm really surprised that ISPs haven't banded together to sue Microsoft for negligently selling and distributing an insecure OS that is an Attractive Nuisance - causing the ISPs (who don't own the OS infected computers) harm from the network traffic the infected OSs send, and causing them untold support dollars to handle the problem.

If every big ISP joined a class action lawsuit to force Microsoft to pay up for the time ISPs spend fixing viruses on Windows computers, Microsoft would get a LOT more proactive about solving this problem directly. The consumers have no redress against MS because of the EULA, but this doesn't extend to other computer owners (e.g. ISPs) who didn't agree to the EULA on the infected machine but who are impacted by the infection.

jc

JC,

Nice conjecture.

I'm really surprised that ISPs haven't banded together to sue Microsoft
for negligently selling and distributing an insecure OS that is an
Attractive Nuisance - causing the ISPs (who don't own the OS infected
computers) harm from the network traffic the infected OSs send, and
causing them untold support dollars to handle the problem.

I'm really surprised, too. However, it's more complicated than that.
Read the book, "Geekonomics" for more information on this topic.

If every big ISP joined a class action lawsuit to force Microsoft to pay
up for the time ISPs spend fixing viruses on Windows computers, Microsoft
would get a LOT more proactive about solving this problem directly. The
consumers have no redress against MS because of the EULA, but this
doesn't extend to other computer owners (e.g. ISPs) who didn't agree to
the EULA on the infected machine but who are impacted by the infection.

Hence the "Trustworthy Computing Initiative" which was started by Bill
Gates / Craig Mundie in 2002 -

Only now we're too late - Bill has a parachute.

Cheers,
Andre

JC Dill wrote:

I'm really surprised that ISPs haven't banded together to sue Microsoft for negligently selling and distributing an insecure OS that is an Attractive Nuisance - causing the ISPs (who don't own the OS infected computers) harm from the network traffic the infected OSs send, and causing them untold support dollars to handle the problem.

If every big ISP joined a class action lawsuit to force Microsoft to pay up for the time ISPs spend fixing viruses on Windows computers, Microsoft would get a LOT more proactive about solving this problem directly. The consumers have no redress against MS because of the EULA, but this doesn't extend to other computer owners (e.g. ISPs) who didn't agree to the EULA on the infected machine but who are impacted by the infection.

jc

I think I would rather see a class action against Symantec for the hundreds of hours ISP's waste fixing customers mail server settings that Symantec sees fit to screw up with every update. We can always tell when they have pushed a major update - hundreds of calls from mail users who can no longer send mail.

It's 2008. How bloody hard is it to notice that the mail server SMTP port is 587 and authentication is turned on? Why do they mess with it?

Hear, hear: most of our customers' e-mail problems are resolved when we turn
off the in- and outbound scanning offered by their favorite AV vendor. =)
I bet we've had more support calls about e-mail scanning than the number of
viruses that feature has ever trapped for them.

And another anecdote: we experienced a rash of malware-infected subscribers
spewing out spam last weekend. Most of them had some kind of AV, but of
course that AV didn't prevent them from getting infected. Many of them
updated their definitions and scanned and thought they were clean, but
because the virus/Trojan was so new, they started spewing spam again. In
this case, their AV software gave them a false sense of assurance.

Frank