State of the Web – Q4 2010
A View of the Web from an End User’s Perspective

RESEARCH REPORT
The Leader in Cloud Security

ABSTRACT

Attackers are no longer targeting web and email servers. Today, they are attacking enterprises from the inside out, by first compromising end user systems and then leveraging them to gain access to confidential data. As such, it is imperative that organizations have an understanding of what is happening on the web. Zscaler is a Security-as-a-Service vendor, and thus has a unique perspective on web traffic. With millions of end users traversing the web through Zscaler’s global network of web gateways, we are able to better understand both how users are interacting with web-based resources and how attackers may be targeting end users. In our quarterly ‘State of the Web’ report, we provide a window into the web from an end user’s perspective.

CONTENTS

OVERVIEW
TRAFFIC
  Web Browser Versions
  Web 2.0 Applications
  What’s the Web Made of?
SECURITY
  Malicious vs. Benign
  Botnets
  Blackhat SEO
  Spam
  Incidents
    Mobile Malware
    Client-Side Exploitation
    Security Updates
    Cyber Crime Arrests
POLICY
  Social Networking
  SSL
  Top Blocked Domains
CONCLUSION

Copyright © 2011 Zscaler

OVERVIEW

A number of notable events within the Web and security world were realized through the final quarter of 2010.
While 0-day attacks continued against client-side applications including Internet Explorer, Adobe Reader, Flash, and Firefox, a number of positive steps towards enhancing security also occurred. Internet Explorer 6 usage finally declined to negligible levels, Adobe released a sandboxed version of their PDF reader, and a number of arrests were made of some very prominent cyber criminals.

Some additional shifts were noted within this timeframe as well. We witnessed an increase in web application usage for accessing web content, and several mobile malware campaigns emerged. This report details these highlighted topics and provides a number of stats and trends, such as which countries are the riskiest to visit on the web and which countries are responsible for sending the most spam. Additional topics include blackhat SEO, sidejacking, and policy-based decisions made by organizations.

TRAFFIC

Every day, millions of web transactions traverse the Zscaler cloud. Traffic originates from all corners of the globe, providing a clear picture of enterprise web traffic. In this section, we take a closer look at trends in web traffic observed during 2010.

Web Browser Versions

In each of Zscaler’s quarterly State of the Web reports, browser usage is tracked to determine browser popularity in the enterprise. Additionally, Zscaler tracks migration from older, less secure browsers to updated and more secure versions of the same product. Since corporate environments are largely dominated by Microsoft end-user operating systems and software, it should come as no surprise that Microsoft Internet Explorer (IE) remains the most popular browser observed in 2010. Specifically, by year-end, about 65% of the transactions that Zscaler serviced were from IE. Despite IE’s dominance in the enterprise, 2010 saw a dramatic twelve percent drop in overall usage throughout the year.
This lost ground did not, however, go directly to other browsers; instead, most of it can be attributed to the emergence of native applications that transmit HTTP(S) traffic.

Monthly Browser Traffic 2010 (percentage of transactions)

Month   IE       Firefox  Safari  Chrome  Apps
Jan     76.60%   9.62%    1.52%   1.61%   10.50%
Feb     75.26%   9.63%    1.26%   1.84%   11.95%
Mar     74.39%   10.14%   1.60%   2.15%   11.66%
Apr     74.40%   10.56%   1.91%   2.08%   10.99%
May     73.84%   10.17%   2.19%   2.06%   11.64%
Jun     71.34%   10.42%   2.14%   0.40%   15.63%
Jul     71.43%   10.53%   1.23%   2.50%   14.24%
Aug     70.36%   10.65%   1.25%   2.74%   14.92%
Sep     62.71%   9.66%    3.16%   0.99%   23.37%
Oct     61.56%   9.10%    4.01%   0.20%   25.06%
Nov     63.51%   9.33%    4.35%   0.28%   22.44%
Dec     64.74%   8.74%    2.60%   2.11%   21.75%

The rise of non-browser web traffic types marks a recent trend. In fact, non-browser traffic increased from only 10% in January to nearly 22% by December. This was caused by an increase in the use of 3rd-party applications used to access web content. An August 2010 Wired magazine cover story, “The Web is Dead” [1], discussed this trend and noted that traditional web browser usage is declining in favor of custom applications to access web services. Rather than using a traditional browser to access Facebook, Twitter, Google Maps, YouTube, NetFlix, Hulu, Pandora, Zillow, etc., these sites have all released specific applications that allow users to interact with the content they serve. This is an especially popular trend for mobile devices but can also be seen on the desktop, where ports 80 and 443 always represent unobstructed paths to the Internet for native applications. In some cases, the applications provide a richer, cleaner interface and may include additional features beyond what is found on the website. Enterprises that rely on host-based security solutions such as browser-based plugins should be aware that a significant portion of their web traffic might now be avoiding detection.

[1] http://www.wired.com/magazine/2010/08/ff_webrip/all/1

Monthly Internet Explorer Traffic 2010 (percentage of transactions)

Month   IE 6.x   IE 7.x   IE 8.x
Jan     33.46%   36.95%   5.79%
Feb     31.15%   35.26%   8.65%
Mar     26.93%   37.31%   10.00%
Apr     23.32%   39.32%   11.64%
May     21.73%   38.66%   13.34%
Jun     21.08%   34.67%   15.49%
Jul     19.80%   34.53%   17.01%
Aug     18.85%   32.54%   18.86%
Sep     15.95%   27.55%   19.12%
Oct     14.57%   25.27%   21.62%
Nov     13.48%   24.14%   25.79%
Dec     11.43%   26.51%   26.70%

After a nine-year run, we’re finally witnessing the death of IE 6 in the enterprise. IE 6 usage has dropped consistently, in favor of the more secure, recent versions. While this trend has also been occurring in the enterprise, it has been delayed due to the many legacy web applications that enterprises continue to maintain. This has been a concerning security risk given the lack of many modern security features in IE 6. Fortunately, 2010 saw a dramatic drop in IE 6 usage. IE 7 and 8 both surpassed IE 6 in Q3 and Q4 of 2010, and IE 8 is now the most dominant browser in the enterprise.

Zscaler looked at tens of millions of malicious blocks and policy violations throughout the quarter, and analyzed these by browser type. In this way we can see which browser types had the most blocks. For the most popular web browsers, we witnessed the following behavior, from fewest blocks (least risky behavior) to most blocks (most risky behavior):

1. Firefox 3.6
2. IE 8
3. IE 7
4. IE 6

This suggests that users of non-Microsoft browsers and newer versions of IE are generally engaged in less risky browsing behavior.

Web 2.0 Applications

Facebook accounted for 47.65% of all Q4 web 2.0 transactions serviced for our enterprise users.
This is a rather remarkable percentage when considering that we’re dealing with corporate, as opposed to personal, web traffic. The chart below breaks out the application percentage for the top web 2.0 applications serviced.

Web 2.0 Application Traffic By Transactions

Facebook                  47.65%
Gmail                     9.17%
YouTube                   6.09%
Twitter                   4.24%
Hotmail                   3.30%
Yahoo! Mail               3.27%
Windows Live Messenger    2.81%
Google, Google Talk       1.76%, 1.80%
Facebook Chat             1.54%
LinkedIn                  1.30%
Orkut                     0.55%
Meebo                     0.48%
Craigslist                0.41%
Last.fm                   0.33%
Hulu                      0.32%
Digg                      0.19%
Yandex                    0.17%
Google Videos             0.15%
WordPress, Yahoo!, eBuddy, MySpace, Pandora, Blogger   between 0.65% and 1.16% each

“Web 2.0” has been used as a marketing buzzword. For Zscaler, Web 2.0 applications are defined as popular interactive, user-centric web applications that fall into the categories of webmail, instant messaging, social networking, blogs, and streaming media. Because this pie chart represents raw transactions, it is no surprise that Facebook has many more web transactions than search pages such as Google and Yahoo!. Every file requested from the server (e.g., friend pictures) or API call (e.g., Farmville) is logged as a transaction; the more interactive and media-rich the site or service, the more transactions there will be.

What’s the Web Made of?

Many assume that web traffic is dominated by HTML content. While that may have been true a decade ago, the media-rich, dynamic web applications available today are filled with images, formatting elements, XML data, and active content. For the 4th quarter, JPEG (13.08%) and GIF (12.21%) images alone accounted for a quarter of total web transactions. Many elements downloaded from the web are compressed to save bandwidth in transit, thus gzip content accounts for 11.84% of traffic.

Top 10 File Types By Transaction

JPEG        13.08%
GIF         12.21%
GZIP        11.84%
HTML        9.81%
PNG         4.14%
XML         2.13%
Javascript  1.39%
Flash       1.08%
CSS         0.64%
Icon        0.25%

SECURITY

Enterprises block certain web and email traffic for two reasons: policy violations and security violations. The former is generally a productivity measure, focused on ensuring that users do not leverage enterprise resources for unapproved purposes. Security blocks, on the other hand, focus on protecting the network from known and unknown attacks. An infected machine on a corporate network becomes a Trojan horse, providing an attacker with access to sensitive data. In this section we look at trends and statistics related to security violations.

Malicious vs. Benign

The top countries that we saw hosting malware were typically also the top countries hosting content on the web. A more accurate picture of a country breakdown is ‘malicious vs. benign’: in other words, what percentage of web transactions to a particular country were malicious in nature. The chart below shows the countries with the highest ratio of web servers hosting malicious content to the total number of web servers seen for that country in Q4 2010 (a minimum server threshold was used to omit countries with a limited sample size).

Top Malicious vs. Benign Web Server Geography

1. Latvia
2. Romania
3. Ukraine
4. China
5. Austria
6. United States
7. Germany
8. Russia
9. Italy
10. Netherlands

There is a noticeable increase in risk with web content from eastern-European countries. On average, roughly 1 in 167 (0.6%) web transactions associated with the top 3 countries (Latvia, Romania, or Ukraine) were deemed malicious in nature during Q4.
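Both rankings in this report so far, blocks by browser type (Web Browser Versions section) and malicious vs. benign by country with a minimum sample threshold (this section), are one computation: group gateway records by a key, divide blocked by total, and drop groups with too few samples. The following added example, which is not Zscaler’s code or data, runs that computation over a constructed gateway log; it classifies User-Agents into the report’s browser families (anything unrecognized counts as a non-browser app) and shows why the sample threshold matters. The browser User-Agent strings follow the formats those browsers sent at the time; the app User-Agent, record counts, destination countries and verdicts are invented.

```python
"""Block-rate ranking over constructed web-gateway log records.

Added example, not Zscaler's code or data. The same routine ranks browser
families by malicious-block rate and destination countries by the share
of transactions that were malicious, with a minimum sample size so that a
handful of hits cannot put a rarely seen group at the top.
"""
import re
from collections import defaultdict

# User-Agent strings in the formats the named browsers sent in 2010.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
IE7_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
# IE 8 in Compatibility View reports MSIE 7.0 but keeps its Trident/4.0 token.
IE8_COMPAT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) "
              "Gecko/20101203 Firefox/3.6.13")
CHROME_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 "
             "(KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10")
APP_UA = "iTunes/10.1 (Windows; N)"   # constructed: a native app talking HTTP on port 80

# Ordered rules: Trident/4.0 must be tested before MSIE 7 (Compatibility View),
# and Chrome before Safari, because Chrome's User-Agent also contains "Safari".
UA_RULES = [
    ("IE 8", re.compile(r"Trident/4\.0|MSIE 8\.")),
    ("IE 7", re.compile(r"MSIE 7\.")),
    ("IE 6", re.compile(r"MSIE 6\.")),
    ("Firefox", re.compile(r"Firefox/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("Safari", re.compile(r"Safari/")),
]


def classify_browser(user_agent):
    """Map a User-Agent to a browser family; anything unmatched is a non-browser app."""
    for family, pattern in UA_RULES:
        if pattern.search(user_agent):
            return family
    return "Apps"


def _records(user_agent, country, verdict, count):
    return [(user_agent, country, verdict)] * count


# Constructed log: (user_agent, destination country, verdict) with invented counts.
SAMPLE_LOG = (
    _records(IE6_UA, "US", "allow", 40) + _records(IE6_UA, "LV", "malicious", 6)
    + _records(IE6_UA, "RO", "malicious", 4)
    + _records(IE7_UA, "US", "allow", 60) + _records(IE7_UA, "UA", "malicious", 5)
    + _records(IE7_UA, "RO", "allow", 5)
    + _records(IE8_COMPAT_UA, "US", "allow", 80) + _records(IE8_COMPAT_UA, "LV", "malicious", 2)
    + _records(FIREFOX_UA, "US", "allow", 50) + _records(FIREFOX_UA, "LV", "allow", 21)
    + _records(FIREFOX_UA, "DE", "allow", 10)
    + _records(CHROME_UA, "US", "allow", 20) + _records(CHROME_UA, "LV", "malicious", 1)
    + _records(APP_UA, "US", "allow", 30) + _records(APP_UA, "UA", "allow", 20)
    + _records(APP_UA, "CN", "allow", 18) + _records(APP_UA, "CN", "malicious", 2)
)


def block_rate_by(records, key, min_samples):
    """Rank groups by their share of malicious verdicts.

    key(user_agent, country) names the group. Groups with fewer than
    min_samples records are dropped. Returns (group, blocked, total, rate)
    tuples, highest rate first, ties broken by group name."""
    total = defaultdict(int)
    blocked = defaultdict(int)
    for user_agent, country, verdict in records:
        group = key(user_agent, country)
        total[group] += 1
        if verdict == "malicious":
            blocked[group] += 1
    rows = [(g, blocked[g], total[g], blocked[g] / total[g])
            for g in total if total[g] >= min_samples]
    return sorted(rows, key=lambda row: (-row[3], row[0]))


def one_in(rate):
    """Express a rate as '1 in N', the form the report uses (0.6% -> 1 in 167)."""
    return round(1 / rate) if rate else None


if __name__ == "__main__":
    print("Blocks by browser (most risky first):")
    for group, hit, n, rate in block_rate_by(SAMPLE_LOG, lambda ua, c: classify_browser(ua), 20):
        print(f"  {group:8} {hit:3}/{n:<4} {rate:6.2%}")
    print("Malicious vs. benign by country (min 20 transactions):")
    for group, hit, n, rate in block_rate_by(SAMPLE_LOG, lambda ua, c: c, 20):
        tail = f"  (1 in {one_in(rate)})" if rate else ""
        print(f"  {group:8} {hit:3}/{n:<4} {rate:6.2%}{tail}")
```

Run with a threshold of 1 instead of 20 and RO tops the country ranking on nine transactions, which is the sampling artifact the report's minimum server threshold exists to remove.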
Botnets

Unique C&C Servers By Country

United States                     38.20%
Ukraine                           10.39%
Germany                           6.46%
China                             5.62%
France                            2.53%
Romania                           2.25%
Russian Federation, Netherlands   1.69%, 1.97%
United Kingdom                    1.40%
Italy                             1.12%

The majority of command and control (C&C) servers seen for the quarter were hosted in the US, with 38.20% of sites residing in the US. This is, however, more a reflection of where content generally resides than of that content representing a higher overall risk. The previous section, in addition to this chart, demonstrates a higher concentration of risk from the eastern-European region. These are known, popular regions for organized cyber crime, driven by financial incentives (such as banking bots/Trojans and spam bots). See the “Cyber Crime Arrests” section below for information on the latest developments.

Blackhat SEO

Blackhat SEO and the fake antivirus malware payloads remain a major threat on the Internet despite Google’s attempts to thwart search engine spam. Zscaler tracks and covers these attacks regularly within our blog. According to our statistics, 85% of all spam pages encountered during the month of December were fake AV malware download redirect sites and 6% were fake software storefronts. In December, Zscaler detected close to 5,000 search engine spam pages hosted across 483 sites [2]. Of these spam pages, Google only warned users about 44% of the time, indicating that Google still has a long way to go to protect users from being redirected to a malicious site when searching for a poisoned search term.

Percentage of Malicious Blackhat SEO Sites

Fake AV       84.68%
Fake Stores   6.00%
Unavailable, Other, Fake Download, Movie Sites, Fake Search Engines, Illegal Pharmacies, Adult Site   4.35% or less each

[2] http://research.zscaler.com/2011/01/blackhat-seo-numbers-for-december-2010.html
Spam

The top 10 spamming source countries account for 55% of total spam messages observed during Q4.

Spam Sources By Country - Q4 2010 (percentage of spam messages)

United States        11.73%
Russian Federation   7.03%
India                6.73%
Brazil               6.08%
Vietnam              5.29%
United Kingdom       4.40%
France               4.10%
Ukraine              4.02%
Germany              3.20%
Italy                2.66%

Within each month, the top spamming IP address accounted for just over 1% of the total spam messages that we blocked for the entire month. Many of the top offending spamming IPs are repeat offenders as well. 193.14.90.8 (based in Sweden) was a top spammer for November and December and overall for Q4. 67.90.14.194 (US) and 174.123.173.58 (US) are top repeat offenders across each month. We noticed that 192.114.84.0/24 (AS5486 SMILE-ASN Euronet Digital Communications) was heavily abused to send spam in September, but then trailed off. The vast majority of the spam seen advertised fake pharmacy (“pharma”) products and replicas (e.g., fake Rolex), including the following sample subject lines:

• “Impotence pills such as Viagra, Buy Cialis”
• “Erectile Dysfunction Pills | Buy Viagra”
• “VIAGRA <AE> Official -71%”
• “We sell amazing quality Rep1icaWatches”

The top spamming ASNs (organizations and providers) that we noticed within Q4 were AS45899 VNPT Corp. (Vietnam) and AS9829 National Internet Backbone Bharat Sanchar Nigam (India). Together these two network owners generated 5.77% of the spam messages and just over 9% of the unique spamming IPs that we saw for the quarter. This indicates that the spamming hosts of India and Vietnam (which are top 10 offenders) are largely concentrated within a single network entity each.

While the above bar graph shows the countries sending the most spam messages in total, the pie chart below reflects the countries with the highest number of unique spam IPs observed for Q4 2010.

[Chart: Q4 Top Spammer Countries (% unique IPs), covering India, Russian Federation, Brazil, Vietnam, Ukraine, Germany, United States, United Kingdom, and Saudi Arabia]

It is interesting to note that India, Saudi Arabia, and Pakistan show up as having high numbers of unique spamming IPs, yet they do not show up as top hosts of malware or C&Cs (above). This is likely because, in these environments, infected clients on dial-up or slower connections with dynamically assigned IPs are more likely to be used to send out spam than to provide any persistent or stable infrastructure for the attacker.

The top 10 spamming countries broken down per month, where “top” means the most spam messages blocked:

Rank  October         November        December        Q4 Overall
1     United States   United States   United States   United States
2     Brazil          Russia          Russia          Russia
3     India           India           India           India
4     Russia          Vietnam         Brazil          Brazil
5     Vietnam         Brazil          Ukraine         Vietnam
6     United Kingdom  United Kingdom  Vietnam         United Kingdom
7     France          France          United Kingdom  France
8     Germany         Ukraine         Germany         Ukraine
9     Italy           Germany         Italy           Germany
10    Ukraine         Italy           Israel          Italy

Analyzing the increase/decrease in the percentage of spam activity from each country from month to month shows that all but 3 of the top 10 declined in overall percentage of spam activity.
The US had the largest decline, while Russia and Ukraine had the largest increases.

[Chart: Spam Trending By Country - Q4 2010, monthly share from October to December for United States, Brazil, India, Russian Federation, Vietnam, United Kingdom, France, Germany, Italy, and Ukraine]

For the most part, the top 10 spamming countries stayed fairly consistent from month to month. Countries in which the fewest spam messages originated, as seen in Q4, were:

• Scandinavia / Nordic region (Denmark, Norway, Finland, Iceland, Greenland)
  o Sweden was the exception, as it had the top spamming IP for Q4
• Several Central and South American countries (Bolivia, Ecuador, Honduras)
  o Brazil was the exception, as it was consistently in the top 5
• African countries (Congo, Somalia, Chad)
• Island nations (Caribbean islands, Cuba, Guam)

Incidents

Mobile Malware

For some time the security community has been talking about the rise of mobile malware. Several notable mobile incidents occurred in the latter half of 2010. In late September, the Zeus-in-the-mobile malware (Zitmo for short) was released to steal financial credentials (e.g., SMS one-time passwords) from Symbian and Blackberry mobile phones [3]. Trojan variants have been cropping up for Android mobile phones to generate revenue for the criminals by sending SMS/text messages; a third iteration of the “FakePlayer” SMS Trojan was released in early October [4]. The Geinimi Android Trojan also made headlines toward the end of December; it has botnet characteristics and has been embedded within legitimate applications (particularly Chinese apps) within the Android Marketplace [5].

Firesheep, a Firefox plugin to conduct “sidejacking” to steal session cookies, was released at the end of October [6]. While not exactly mobile malware, it is a tool that is particularly useful for obtaining unauthorized access to accounts (e.g., Facebook, Google, etc.) that are being accessed by users on public Wi-Fi hotspots. Laptops, iPads, and mobile phones accessing the web from a coffee shop (Wi-Fi hotspot) can leak session cookies to anyone listening on the network. These session cookies are then replayed by the attacker to gain access to the victim’s accounts. Zscaler released a plugin, BlackSheep, to detect this activity [7]. Recently, Facebook has presented users with the option to encrypt all session transactions, protecting users from “sidejacking,” but creating a blind spot for enterprises (see the “Policy” section below for further details on this blind spot).

Client-Side Exploitation

There were several notable 0-day vulnerabilities during Q4 2010. October 2010 saw a Trojan being spread on the Nobel Peace Prize website using exploit code for a 0-day vulnerability within Firefox (CVE-2010-3765) [8]. At the same time, there was a 0-day vulnerability within Adobe Flash (CVE-2010-3654) that was being exploited within PDF files; for example, fake usajobs.gov (OPM) emails containing a malicious PDF attachment that would exploit the vulnerability [9]. Microsoft Internet Explorer was next on the list with a 0-day vulnerability in early November (CVE-2010-3962). The vulnerability was exploited in targeted emails with web links attacking IE 6 and 7 to install a backdoor [10]. In late December, another 0-day vulnerability was exposed in Internet Explorer (CVE-2010-3971). Both MS IE vulnerabilities were “use-after-free” vulnerabilities related to the handling of cascading style sheets (CSS). The vulnerability was reportedly first published on a Chinese security blog, and exploit code was later developed for Metasploit. The exploit is able to bypass both data execution prevention (DEP) and address space layout randomization (ASLR) to compromise Internet Explorer 8 running on Windows 7 (as well as earlier OS / browser versions) [11].

There were two notable exploit kit platforms that had new/updated versions being actively used in Q4 2010: the Phoenix Exploit Kit (PEK) and NeoSploit. PEK v2.3 and above were actively being used to distribute crimeware, such as the Zeus and SpyEye bots used to steal financial credentials. PEK includes a dozen or so exploits by default against a number of client-side vulnerabilities in Adobe Flash, Adobe Reader, Java, Internet Explorer, and Windows [12]. In late December a new version of NeoSploit was released [13], which was used in a malware-as-a-service campaign that leveraged a number of criminal-registered domains; the campaign was visibly successful, as many of these domains made it into Alexa’s top web domain results in early January 2011 [14].

Security Updates

To combat exploitation of 0-day vulnerabilities within Adobe Acrobat Reader, Adobe released version X during Q4. This version operates in “Protected Mode”, a sandboxing technology in which action requests are made through a broker process that enforces policy for the Reader application [15]. In other words, the broker process will enforce policy for file-system, registry, and other local activity to prevent unauthorized access to system resources. This sandboxing technique has already been implemented within Google Chrome, Microsoft Office 2010, and parts of the Windows operating system.

Cyber Crime Arrests

There were a number of noteworthy cyber crime arrests in late 2010. In late September through early October, the FBI’s “Operation Trident Breach” resulted in numerous arrests of organized criminals who used Zeus botnets to steal financial credentials from individuals and businesses to commit banking fraud. The arrests included individuals within the United States, the United Kingdom, Ukraine, and the Netherlands. Before the arrests, the individuals had stolen $70 million and were attempting to steal an additional $220 million [16]. Immediately following the arrests, Zeus Tracker indicated that the number of Zeus command and control (C&C) sites had fallen to one of its lowest levels [17]. That said, Zeus still remains one of the most popular crimeware bots in use, and current (2011) levels of C&Cs have risen back to pre-arrest levels.

Another noteworthy arrest was that of Georg Avanesov, the alleged author and bot herder of Bredolab. Bredolab is a malicious bot that provides a platform for its owner to remotely install other malware on the victim, e.g., FakeAV, Zeus, spambots, etc. The bot herder generates revenue in this “malware-as-a-service” business model. An estimated 3.6 billion spam emails were sent out daily containing the Bredolab malware, and the botnet infrastructure was capable of infecting up to 3 million computers per month. In late October, Avanesov was arrested in the Netherlands and 143 servers were seized [18].

In mid November, the FBI arrested Oleg Nikolaenko, the Russian “king of spam.” Nikolaenko controlled and managed a network of infected computers, called the Mega-D botnet, which generated 10 billion spam emails per day (an estimated 1/3rd of all spam) [19]. The spam botnet frequently advertised fake Rolex watches and male enhancement drugs.

Throughout Q4 2010, the ‘Anonymous’ group participated in a number of cyber attacks dubbed ‘Operation Payback’ that culminated in ‘Operation Avenge Assange’, with denial of service attacks in early December against financial and service companies that refused to provide their services to Wikileaks. The operation involved willing participants using a denial of service tool, Low Orbit Ion Cannon (LOIC), to disrupt the online presence of these companies and cause them financial harm [20]. Several arrests have occurred of those that participated in these attacks, including five ‘Anonymous’ members in the UK [21].

[3] http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
[4] http://www.securelist.com/en/blog/329/FakePlayer_take_3
[5] http://www.wired.com/gadgetlab/2010/12/android-malware/
[6] http://codebutler.com/firesheep
[7] http://zscaler.com/blacksheep.html
[8] http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
[9] http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html
[10] http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
[11] http://www.zdnet.com/blog/security/attack-code-posted-for-new-ie-zero-day-vulnerability/7859
[12] https://www.infosecisland.com/blogview/8519-Inside-Phoenix-Exploits-Kit-v23.html
[13] http://labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit/
[14] http://research.zscaler.com/2011/01/alexa-illustrates-web-security-risks_24.html
[15] http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
[16] http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud
[17] http://krebsonsecurity.com/2010/10/zeus-busts-bring-botnet-beatdown/
[18] http://www.computerworld.com/s/article/9193080/Dutch_team_up_with_Armenia_for_Bredolab_botnet_take_down
[19] http://www.jsonline.com/news/crime/111169714.html
[20] http://research.zscaler.com/2010/12/hacktivism-on-display-operation-payback.html
[21] http://nymag.com/daily/intel/2011/01/five_anonymous.html
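The sidejacking scenario in the Incidents section above (session cookies leaking to anyone listening on a hotspot and then being replayed, which Facebook’s option to encrypt all session transactions closes) comes down to one question a defender can check mechanically: is a session cookie ever issued or sent over cleartext? The following added example, which is not Zscaler’s, Firesheep’s or BlackSheep’s code, audits a constructed capture of HTTP(S) exchanges for exactly that and reports which cookie attributes (Secure, HttpOnly) were missing. Host names, cookie names and values are made up.

```python
"""Session-cookie exposure audit for the sidejacking scenario.

Added example; it is not Zscaler's, Firesheep's or BlackSheep's code.
It walks a constructed capture of HTTP(S) exchanges, the kind of traffic a
user on an open Wi-Fi hotspot generates, and reports every session cookie
that a passive listener on that network could copy and replay: cookies
issued or transmitted over plain http://. A cookie carrying the Secure
attribute is never sent by the browser over http://, so marking session
cookies Secure (and serving the whole session over TLS) closes the hole.
"""
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One request/response pair as a sniffer on the hotspot would see it."""
    scheme: str                 # "http" (cleartext) or "https"
    host: str
    request_cookies: dict       # cookies the client sent in its Cookie: header
    set_cookie: list = field(default_factory=list)  # Set-Cookie headers in the reply


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_protections(attrs):
    """Attributes a session cookie needs so the browser never sends it over
    cleartext (Secure) and page scripts cannot read it (HttpOnly)."""
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def audit(exchanges, session_names=("session", "sid", "auth")):
    """Return (host, cookie name, problem) for each exposed session cookie.

    A cookie is exposed when the server issues it over cleartext, or when the
    client later sends it over cleartext. session_names is the constructed
    heuristic for which cookie names carry a login session."""
    issued = {}     # (host, cookie name) -> attributes seen in its Set-Cookie
    findings = []
    for ex in exchanges:
        for header in ex.set_cookie:
            name, _, attrs = parse_set_cookie(header)
            issued[(ex.host, name)] = attrs
            if name.lower() in session_names and ex.scheme == "http":
                findings.append((ex.host, name, "issued over cleartext"))
        if ex.scheme == "http":
            for name in ex.request_cookies:
                if name.lower() in session_names:
                    gaps = missing_protections(issued.get((ex.host, name), {}))
                    findings.append((ex.host, name,
                                     "sent over cleartext; missing " + ", ".join(gaps)))
    return findings


# Constructed capture. social.example logs the user in over HTTPS but omits
# Secure, so the next plain-HTTP page load replays the cookie in the clear.
# mail.example marks its cookie Secure, so no http:// request carries it.
# forum.example never uses TLS, so its cookie is exposed from issuance on.
SAMPLE_CAPTURE = [
    Exchange("https", "social.example", {},
             set_cookie=["session=a1b2c3; Path=/; HttpOnly"]),
    Exchange("http", "social.example", {"session": "a1b2c3", "lang": "en"}),
    Exchange("https", "mail.example", {},
             set_cookie=["sid=z9y8x7; Path=/; Secure; HttpOnly"]),
    Exchange("http", "mail.example", {"lang": "en"}),
    Exchange("http", "forum.example", {},
             set_cookie=["auth=q5w6e7; Path=/"]),
    Exchange("http", "forum.example", {"auth": "q5w6e7"}),
]


if __name__ == "__main__":
    for host, name, problem in audit(SAMPLE_CAPTURE):
        print(f"{host}: cookie '{name}' {problem}")
```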
POLICY

Enterprises choose to block traffic for more than just security reasons. Productivity and legal concerns also drive decisions on the traffic that is permitted on enterprise networks. In this section we take a closer look at web traffic policies.

Social Networking

Approximately 16% of Zscaler customers enforce policy (block transactions) for content categorized as social networking. This low percentage is not surprising, given that social networks such as Facebook, Twitter, and LinkedIn are increasingly being leveraged as valuable business tools for marketing and recruiting. As such, enterprises are turning to solutions that permit monitoring and managing social networking traffic as opposed to simply blocking it outright.

Social Networking Policies

SocNet Block Policy   16.26%
No SocNet Policy      83.73%

SSL

Web services like Gmail and, more recently, Facebook provide SSL-only access to content. This is a “blind spot” within enterprises. In other words, intrusion detection/prevention systems (IDS/IPS) and other content inspection engines are unable to detect and block malicious content within these encrypted transactions. Zscaler provides content inspection within SSL by acting as an SSL proxy. It is interesting to note that fewer than a quarter of customers currently choose to inspect SSL-encrypted traffic for security violations. As additional web applications turn to SSL-only sites to combat sidejacking, it will be increasingly important for enterprises to employ security solutions capable of inspecting encrypted traffic.

SSL Content Inspection (customer %)

SSL inspection enabled    21.65%
SSL inspection disabled   78.34%

Top Blocked Domains

The chart below shows the top categories of blocked web requests from enterprises within Q4. The top blocked website category was social networking, at 8.2%.

Top Blocked Request Categories

Social Networking   8.20%
Web Banners, TV/Movies, Botnet, Sales/Marketing, Web Mail, Web Search, Spyware/Adware, Internet Services, Online Chat / IM   between 2.72% and 6.96% each
Other               49.33%

The table below shows the top domains that were blocked in Q4, by number of web transactions and by number of unique users being blocked.

Rank  Top Domain Blocked (transactions)   Top Domain Blocked (unique users)
1     facebook.com                        facebook.com
2     google.com                          google.com
3     ustream.tv                          yieldmanager.com
4     trafficconverter.biz                addthis.com
5     yahoo.com                           facebook.net
6     imgci.com                           doubleclick.net
7     msn.com                             twitter.com
8     doubleclick.net                     atdmt.com
9     live.com                            fbcdn.net
10    fbcdn.net                           youtube.com

The only security-related domain in the above list is trafficconverter.biz, which is an older FakeAV domain that was related to Conficker infections. The domain has since been sinkholed, and we continue to block/report these transactions to our customers.

CONCLUSION

Web and email continue to be the main conduits of attack on the Internet, and data from 2010 highlights a variety of attack vectors. 0-day client-side exploits, updated exploit kits, targeted emails, and even mobile malware were present in the final quarter of 2010. Blackhat SEO remains a popular avenue for attackers to redirect users to fake antivirus software and other malware. Eastern-European countries (Ukraine and Russia) rise to the top of many security-related statistics, further highlighting the cyber criminal operations within these countries. However, there have been some positive strides made to increase security on the web: Internet Explorer 6 dropped to its lowest levels, Adobe released a sandboxed version of their PDF reader, a number of arrests were made of some prominent cyber criminals, and spam levels from most of the top countries declined. Additionally, some enterprises have opted to enforce a variety of policies to decrease their potential attack surface, including selective blocking of social networking, webmail, and chat services. The state of the web continues to evolve: web applications and mobile browsing continue to rise as a means of accessing content on the Internet. Security vendors and organizations must adapt to this evolution of the web, as we can be sure that attackers will continue to find new exploits, new threat vectors, and new techniques.