State of the Web - Quarter 2, 2011
STATE OF THE WEB
QUARTER 2, 2011 REPORT
© 2011 Zscaler. All Rights Reserved.
Introduction

In this issue:
• The Apple iOS explosion
• How advanced threats target the headlines
• Browser plug-ins tap into business
• Top 10 malicious sites

In this Q2 2011 edition of the State of the Web from Zscaler ThreatLabZ, we once again take a look at enterprise web traffic, aggregated across over a hundred billion transactions and millions of business users across the globe.

This quarter we see the social elements of the web continue to dominate advanced threats and attacks in enterprise networks. Malicious actors and hacktivists know the human element is the weakest link in any enterprise security chain, and are continuing to leverage human interest, curiosity and oversight to launch their attacks.

This quarter we saw the following key trends:
• With the death of Osama Bin Laden, enterprise traffic saw peaks in related searches and malware.
  − Blackhat SEO continues to be a favorite method for stealing corporate data, and particularly newsworthy events only increase this risk.
• Facebook dominates enterprise web application use.
  − Like-jacking, click-jacking and spear-phishing techniques continue to be a boon to attackers.
• Browser plug-ins remain relatively unpatched and out-of-date.
  − Even within the enterprise, plug-ins are out of date and thus a prime threat vector for getting onto corporate networks.

As the trusted social networks and applications continue to dominate enterprise Internet use, employees are lulled into a false sense of security, thinking their tools and apps can be trusted to provide them safe information. Whether through web apps, web searches, or targeted email scams, hackers this quarter continued to take advantage of this trust to exploit corporate victims.
Table of Contents
iOS Beats Blackberry and Android in the Enterprise
Facebook Flexes its Muscle in The Enterprise
Hacking the Headlines
What You Might Not Know About Browsers
Browser Plug-Ins Tap Into The Heart Of Businesses
When Malware Strikes
Top 10 Malicious Sites
iOS Beats Blackberry and Android in the Enterprise

As IT becomes more consumerized and smartphones and tablets become more ubiquitous in the enterprise, we’re continuing to see more and more growth in the amount of mobile traffic. Blackberry devices have historically been the favored tool of the corporate road warrior. But now—as shown in the chart below—we’re seeing more mobile traffic from iOS devices than from Blackberries.

iPhones and iPads are used more than any other mobile devices on corporate networks:
• iOS: 42.4%
• Blackberry: 40.2%
• Android: 17.4%

Figure 1: Q2 Mobile Device Usage. iOS 42.37%, Blackberry 40.24%, Android 17.38%.

Recent market data and reports have shown that Android devices are producing nearly as much traffic as iOS devices and over 4X the traffic of Blackberry devices [1]. However, such reports derive statistics from server-side logs and cannot differentiate enterprise from consumer traffic. Our statistics—which represent exclusively enterprise traffic—show that Android remains a distant third for employee-generated mobile traffic.

Why it Matters to Your Enterprise:
• Apple continues to change the way enterprises embrace a mobile workforce.
• Securing iOS devices is now a major focus and challenge for enterprises.

[1] http://www.netmarketshare.com/2011/07/01/Mobile--Tablet-Crosses-5-percent-of-All-Browsing-Globally
Facebook Flexes its Muscle in the Enterprise

During Q2 2011, social networking was far and away the most dominant category of browsed web applications through the Zscaler cloud. And, of those browsed applications, Facebook handily led the pack. This is an interesting statistic given that we see and secure primarily enterprise traffic. Is this trend attributable to the fact that more and more enterprises are now leveraging Web 2.0 and social networking, or is it due to employees spending more time pursuing personal interests? It’s likely a combination of both, as enterprises realize the power of social media at the same time corporate IT becomes increasingly consumerized.

Figure 2: Q2 Web App Usage By Category (Social Networking, Webmail, IM, Streaming Media, Web Search, File-Sharing/P2P/Other). Social Networking is the largest slice at 53.33%; the remaining slices read 15.27%, 9.30%, 7.55%, 7.28% and 2.26%.

Note: For the purposes of these statistics, Zscaler ThreatLabZ is defining a transaction to be a single HTTP/HTTPS application layer (layer 7) request/response.
As can be seen in figure 2 above, the usual suspects dominate web application usage and volume. Social networking and webmail make up about 75% of the total web application transactions for the quarter. Web search is a comparatively small percentage—which is not surprising as individual search queries require only a single request. In contrast, social networking apps may involve numerous requests – leveraging technologies such as AJAX – to provide a rich user experience.

The chart below provides a more detailed drill-down of overall web usage (by site) throughout the quarter:
Figure 3: Q2 Web Application Drill-Down (by site). Facebook 48.59%, Google Webmail 9.18%, YouTube 5.80%, Twitter 5.09%, Facebook IM 2.77%; the remaining slices (Yahoo Webmail, Hotmail Webmail, LinkedIn, Blogger, Wordpress, MSN IM, Pandora, Google Search, Other) carry the values 13.70%, 3.96%, 2.82%, 2.50%, 1.52%, 1.47%, 1.04%, 0.79% and 0.77%.

Between Facebook and Facebook IM, the social networking giant consumed just over 51% of the web application transactions for the quarter. The next three were Gmail (9.18%), YouTube (5.8%) and Twitter (5.09%). Keep in mind these statistics focus exclusively on corporate enterprise environments.

Why it Matters to Your Enterprise:
• Facebook is the predominant web 2.0 app in the enterprise.
• Controlling and securing Facebook is mission critical.
• Managing bandwidth for Facebook is likely now on your to-do list.
Hacking the Headlines

Figure 4: Web Transactions Associated with Osama Bin Laden per Hour, from 5:00 PM on Sunday May 1 through 9:00 PM on Monday May 2 (y-axis: 0 to 4,500,000 transactions per hour).

There were a number of notable news stories during Q2 2011—arguably the most noteworthy being the death of Osama Bin Laden. Following the news of Bin Laden’s death – as the above graph shows – Zscaler went from seeing fewer than 1,000 URLs containing the terms ‘osama’, ‘usama’ or ‘laden’ on the afternoon of Sunday, May 1st, to a peak of over 4 million by 10am PST on Monday morning (May 2nd).

Cyber-criminals tend to use big stories to their benefit – using social engineering to convince victims to download/execute malicious files. This story was no different. Zscaler ThreatLabZ identified malware intended to immediately capitalize on this news [2], and then continued [3] to track a number of other malware campaigns and scams using this news.

Figure 5

[2] http://research.zscaler.com/2011/05/malware-already-capitalizing-on.html
[3] http://research.zscaler.com/2011/05/osama-bin-laden-related-malware.html
A frequent theme of the malware campaigns leveraged social networks—for example malware binaries (e.g. Koobface) spread via social network sites, where they were masquerading as fake buttons or links that had to be clicked to watch videos. Direct social networking scams themselves – such as Likejacking and CPA surveys – were also prevalent.

Why it Matters to Your Enterprise:
• Hackers are using headlines to trick users into downloading malware.
• Only half of today’s antivirus programs block this malware from downloading.

What you Might Not Know About Browsers
Browser Use vs Web Use
As we all know, HTTP and HTTPS are used for far more than simply web browser traffic. Zscaler ThreatLabZ tracks enterprise HTTP and HTTPS use, as well as specific browsers in use, to show trends in general Web use as well as browser use trends – and the vulnerabilities associated with them.

Corporate environments are largely dominated by Microsoft end-user operating systems, so it’s no surprise that Microsoft Internet Explorer (IE) remains the most popular browser observed this quarter.

What is more surprising is the large percentage of “other” usage in the chart below: Web browsers make up just over 75% of HTTP and HTTPS traffic, with the rest made up of browser plug-ins, add-ons and extensions, as well as HTTP and HTTPS traffic from native applications.

Figure 6: Q2 HTTP(S) Traffic by Type. Internet Explorer 60.2%, Other (non-browser) 23.1%; the Firefox, Safari and Chrome slices carry the values 10.8%, 5.7% and 0.2%.
Internet Explorer 6 is finally leaving the enterprise after 10 years, removing all the vulnerabilities associated with it.

Drilling deeper into the Internet Explorer usage data over each month of the quarter, we see that:
• IE 8 now dominates the browser landscape.
• IE 8 and IE 7 account for over half of enterprise web browsers.
• IE 6 has finally been relegated to an afterthought.
• IE 9 (released on May 14, 2011), has not yet seen true deployment in the enterprise.

Figure 7: Internet Explorer Versions in use by Month (April, May, June; y-axis 0 to 30 percent). The labelled bars read IE 8 26.51, IE 7 24.28, IE 6 5.48 and IE 9 0.74.
What makes up the “Other” traffic?

Zscaler ThreatLabZ continues to see a rise of web traffic from non-traditional web browser user agents. This traffic is being driven by web browser plug-ins (defined as a combination of plug-ins, add-ons, and extensions) and native applications sending HTTP(S) traffic.

As such, a significant percentage of web traffic now originates from applications other than web browsers. What is sending this traffic? Below, we break down the top non-browser user agents that we’re seeing.
Microsoft Updates and Flash Video make up the lion’s share of non-browser web traffic.

Figure 8: Q2 Web Application Drill-Down (non-browser user agents). Microsoft BITS family 52%, Shockwave Flash 29%; the remaining families (No User Agent, Mozilla 4 family, Google Earth family, Microsoft Crypto API family, Mozilla 5 family, Microsoft Office family, iTunes family, Java family, Windows Media Player family, Other) carry the values 7%, 5%, 3%, 1%, 1%, 1%, 1% and 0%.
By far, the majority of the non-traditional web browser transactions are Microsoft BITS (52.51%). Background Intelligent Transfer Service (BITS) is commonly used by recent versions of Windows Update and other Microsoft Update services [4]. Since enterprises regularly download patches and apply updates to Microsoft products, this is no surprise.

The large percentage (28.81%) of “Shockwave Flash” user-agent usage represents the streaming audio, video, and data sessions between client Flash players and servers [5]. Flash is nearly ubiquitous in the enterprise, so the trend is expected, but as we will see later in the report, Flash plug-ins represent a strong possible threat vector for attacks.

Why it Matters to Your Enterprise:
• Protecting your browser isn’t enough – App visibility and control is a critical component to security.
• It is imperative to look inside of HTTPS traffic to control and secure web apps.

[4] http://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service
[5] http://www.adobe.com/devnet/rtmp.html
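The breakdown above rests on one measurement: bucketing each proxy transaction by its User-Agent header into a browser or non-browser family. The script below is an added example of how a defender could reproduce that breakdown from their own proxy logs; it is not Zscaler's code. The log line format, the family patterns, the family names and the sample lines are all constructed for illustration, and the pattern list covers only the families named in figure 8 plus the four browsers in figure 6.

```python
"""Classify HTTP(S) proxy log lines by User-Agent into browser and
non-browser families, then report each family's share of transactions.

Added example, not Zscaler's code. The log line format, the family
patterns and the sample lines are constructed for illustration.
"""
import re
from collections import Counter

# Ordered (family, pattern) rules. Order matters: nearly every browser UA
# begins with "Mozilla/x.0", and Chrome's UA also contains "Safari/", so the
# most specific tokens are tested first and the generic Mozilla buckets
# serve only as fallbacks for non-browser software that imitates a browser.
UA_RULES = [
    ("Microsoft BITS family",       re.compile(r"^Microsoft BITS/")),
    ("Shockwave Flash",             re.compile(r"^Shockwave Flash")),
    ("Microsoft Crypto API family", re.compile(r"^Microsoft-CryptoAPI/")),
    ("Java family",                 re.compile(r"^Java/")),
    ("iTunes family",               re.compile(r"^iTunes/")),
    ("Windows Media Player family", re.compile(r"^(?:Windows-Media-Player|NSPlayer)/")),
    ("Microsoft Office family",     re.compile(r"^Microsoft Office/")),
    ("Chrome",                      re.compile(r"\bChrome/\d+")),
    ("Safari",                      re.compile(r"\bSafari/\d+")),
    ("Firefox",                     re.compile(r"\bFirefox/\d+")),
    ("Internet Explorer",           re.compile(r"\bMSIE \d+|\bTrident/")),
    ("Mozilla 5 family",            re.compile(r"^Mozilla/5\.0")),
    ("Mozilla 4 family",            re.compile(r"^Mozilla/4\.0")),
]
BROWSER_FAMILIES = {"Internet Explorer", "Firefox", "Safari", "Chrome"}

# Constructed log format: time client method url status "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed lines, not real traffic
    '2011-05-02T10:00:01Z 10.1.2.3 GET http://example.test/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2011-05-02T10:00:02Z 10.1.2.4 GET http://example.test/a 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2011-05-02T10:00:03Z 10.1.2.5 GET http://example.test/b 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2011-05-02T10:00:04Z 10.1.2.6 GET http://example.test/c 200 "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '2011-05-02T10:00:05Z 10.1.2.7 GET http://example.test/d 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30"',
    '2011-05-02T10:00:06Z 10.1.2.8 GET http://example.test/e 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"',
    '2011-05-02T10:00:07Z 10.1.2.3 GET http://update.example.test/x.cab 200 "Microsoft BITS/7.5"',
    '2011-05-02T10:00:08Z 10.1.2.4 GET http://update.example.test/y.cab 200 "Microsoft BITS/7.5"',
    '2011-05-02T10:00:09Z 10.1.2.5 POST http://video.example.test/stream 200 "Shockwave Flash"',
    '2011-05-02T10:00:10Z 10.1.2.6 GET http://example.test/f 200 ""',
    '2011-05-02T10:00:11Z 10.1.2.7 GET http://example.test/app.jar 200 "Java/1.6.0_26"',
    '2011-05-02T10:00:12Z 10.1.2.8 GET http://example.test/g 200 "Mozilla/5.0 (compatible; ExampleUpdater/1.0)"',
    '2011-05-02T10:00:13Z 10.1.2.3 GET http://crl.example.test/ca.crl 200 "Microsoft-CryptoAPI/6.1"',
]


def classify_ua(ua):
    """Map one User-Agent string to a family name."""
    if not ua.strip():
        return "No User Agent"
    for family, pattern in UA_RULES:
        if pattern.search(ua):
            return family
    return "Other"


def summarize(lines):
    """Count transactions per family; return (counts, browser share in %)."""
    counts = Counter()
    for line in lines:
        match = LOG_LINE.match(line.rstrip("\r\n"))
        if match is None:
            counts["Unparsed"] += 1  # keep malformed lines visible instead of dropping them
            continue
        counts[classify_ua(match.group("ua"))] += 1
    total = sum(counts.values())
    browser = sum(n for fam, n in counts.items() if fam in BROWSER_FAMILIES)
    share = round(100.0 * browser / total, 1) if total else 0.0
    return counts, share


def family_shares(counts):
    """Percentage of all transactions per family, largest first."""
    total = sum(counts.values())
    return sorted(((fam, round(100.0 * n / total, 2)) for fam, n in counts.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    print(f"browser share: {share}%")
    for fam, pct in family_shares(counts):
        print(f"{pct:6.2f}%  {fam}")
```

The rule order is the part that needs care: a naive "contains Mozilla/5.0" test would file Firefox, Chrome, Safari and IE 9 traffic together with updaters that merely imitate a browser, which is exactly the distinction the "Other" slice depends on. Empty User-Agent headers are kept as their own bucket, as the report does, since a client that sends none is itself worth a look.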
Browser Plug-Ins Tap into the Heart of Businesses

Nearly every browser is running some combination of plug-ins, add-ons or extensions. Zscaler ThreatLabZ can identify trends in the use of these plug-ins, and can also identify the versions in use. As with most software, older versions of plug-ins typically have more security vulnerabilities.

Browser plug-ins offer a dangerous combination of characteristics:
• Readers and players are ubiquitous, across browsers.
• Most users aren’t aware of which plug-ins they have installed.
• Most enterprises have no patch management deployed to keep plug-ins up to date.

This adds up to a tempting target for hackers. It’s easy to see why plug-ins are the targets of readily available off-the-shelf exploit kits and customized attacks as well.

In Q2, the most often seen browser plug-ins are summarized in figure 9 below:

Figure 9: Browser Plug-ins Installed (Percentage)
Adobe Flash 93.62
Windows Media Player 85.56
Adobe Reader 83.37
Outlook 83.14
Microsoft .Net 80.68
Silverlight 48.05
Adobe Shockwave 34.39
Java 9.25
Quicktime 7.24
Microsoft Office 6.67
RealPlayer 1.11
Zscaler ThreatLabZ also tracks the versions of each plug-in, providing the ability to track which percentage of plug-ins are up-to-date, and which are outdated and vulnerable to security exploits. When you compare outdated plug-ins in figure 10 with the total installation in figure 9, it’s easy to see why these are a prime target for attackers.
Figure 10: Out of Date (Percentage)
Adobe Reader 56.4
Adobe Shockwave 31.73
Outlook 18.75
Adobe Flash 8.44
Java 6.49
Quicktime 3.39
Windows Media Player 1.18
Silverlight 1.18
RealPlayer 0.11
As an example, Adobe Reader is installed in 83% of all enterprise browsers, and is out of date in 56% of those installations. It’s no surprise then that the increasingly popular Blackhole Exploit kit includes a variety of payloads designed to target recent Adobe Reader vulnerabilities [6].

Recent headline level hacks are thought to have been performed by compromising just one plug-in in a corporation. These overlooked apps can be exploited to gain full control of an endpoint machine. When that endpoint machine is a member of a corporate domain, the hackers gain full access to all corporate data.

Why it Matters to Your Enterprise:
• Browser plug-ins — like Adobe Reader — are ubiquitous, yet highly vulnerable.
• Hackers are focusing on out-of-date plug-ins with targeted exploits.

[6] http://research.zscaler.com/2011/02/blackhole-exploits-kit-attack-growing.html
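Figures 9 and 10 are two ratios over the same inventory: the share of browsers carrying a plug-in, and the share of those installs whose version is below what the vendor currently ships. The script below is an added example of computing both from a fleet inventory, and of the version comparison that is easy to get wrong (string comparison puts "9.4" above "10.1"; tuple comparison without padding makes "10.1" older than "10.1.0"). It is not Zscaler's code: the endpoint records, the host names and the MINIMUM_VERSION baseline are constructed placeholders, chosen only so the sample has a mix of current and stale installs, and the inventory would in practice come from whatever plug-in enumeration a proxy or endpoint agent provides.

```python
"""Measure plug-in prevalence and staleness across a fleet of endpoints:
what share of browsers carry each plug-in, and what share of those installs
are older than the version considered current.

Added example, not Zscaler's code. Inventory records and MINIMUM_VERSION
are constructed placeholders; a real deployment would feed the baseline
from vendor release data.
"""
import re

# Lowest version still considered current per plug-in. PLACEHOLDER values,
# chosen so the sample inventory below has both current and stale installs.
MINIMUM_VERSION = {
    "Adobe Reader": "10.1.0",
    "Adobe Flash": "10.3.183.5",
    "Java": "1.6.0_26",
    "Adobe Shockwave": "11.6.0.626",
}


def parse_version(text):
    """'1.6.0_26' -> (1, 6, 0, 26); any non-digit separator is accepted."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def compare_versions(a, b):
    """-1, 0 or 1. Pads the shorter tuple with zeros so 10.1 == 10.1.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_outdated(name, version):
    """True when the installed version is below the configured minimum.
    Plug-ins with no baseline are reported as current rather than guessed at."""
    minimum = MINIMUM_VERSION.get(name)
    if minimum is None:
        return False
    return compare_versions(parse_version(version), parse_version(minimum)) < 0


# Constructed inventory: one record per endpoint, plug-in name -> version.
INVENTORY = [
    {"host": "wkstn-01", "plugins": {"Adobe Reader": "9.4.0", "Adobe Flash": "10.3.183.5", "Java": "1.6.0_24"}},
    {"host": "wkstn-02", "plugins": {"Adobe Reader": "10.1.0", "Adobe Flash": "10.3.183.5", "Java": "1.6.0_26"}},
    {"host": "wkstn-03", "plugins": {"Adobe Reader": "9.3.4", "Adobe Flash": "10.2.159.1"}},
    {"host": "wkstn-04", "plugins": {"Adobe Reader": "10.1.0", "Adobe Flash": "10.3.183.5", "Java": "1.6.0_26", "Adobe Shockwave": "11.5.9.615"}},
    {"host": "wkstn-05", "plugins": {"Adobe Reader": "9.4.0", "Adobe Flash": "10.3.183.5", "Java": "1.7.0"}},
    {"host": "wkstn-06", "plugins": {"Adobe Reader": "9.4.5", "Adobe Flash": "10.3.183.5"}},
    {"host": "wkstn-07", "plugins": {"Adobe Flash": "10.1.102.64", "Java": "1.6.0_26"}},
    {"host": "wkstn-08", "plugins": {"Adobe Reader": "10.1.0", "Adobe Flash": "10.3.183.5", "Adobe Shockwave": "11.6.0.626"}},
]


def summarize(inventory):
    """Per plug-in: installed % of endpoints (figure 9 style), outdated % of
    installs, and outdated % of all endpoints (figure 10 style)."""
    endpoints = len(inventory)
    installed, outdated = {}, {}
    for record in inventory:
        for name, version in record["plugins"].items():
            installed[name] = installed.get(name, 0) + 1
            if is_outdated(name, version):
                outdated[name] = outdated.get(name, 0) + 1
    report = {}
    for name, n_inst in installed.items():
        n_old = outdated.get(name, 0)
        report[name] = {
            "installed_pct": round(100.0 * n_inst / endpoints, 2),
            "outdated_pct_of_installs": round(100.0 * n_old / n_inst, 2),
            "outdated_pct_of_endpoints": round(100.0 * n_old / endpoints, 2),
        }
    return report


def hosts_needing_patches(inventory):
    """Sorted host names carrying at least one outdated plug-in."""
    return sorted(rec["host"] for rec in inventory
                  if any(is_outdated(n, v) for n, v in rec["plugins"].items()))


if __name__ == "__main__":
    for name, stats in sorted(summarize(INVENTORY).items()):
        print(f"{name:16s} installed {stats['installed_pct']:6.2f}%  "
              f"outdated {stats['outdated_pct_of_installs']:6.2f}% of installs")
    print("needs patching:", ", ".join(hosts_needing_patches(INVENTORY)))
```

Both denominators are reported because the text uses one ("out of date in 56% of those installations") while a fleet-wide chart may use the other; the two differ exactly by the plug-in's install rate, so keeping both avoids comparing a per-install ratio against a per-endpoint one.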
When Malware Strikes

Zscaler ThreatLabZ identifies and tracks malicious content in real time, across both HTTP and HTTPS. Not only does this allow for tracking trends in malware threats, but also provides Zscaler ThreatLabZ the information needed to identify the sources of that malware.

Q2 top 10 families of malware
1. Zeus config URL detected
2. Grum/Tedroo Spam Trojan
3. Trojan Brontok
4. Trojan Sality
5. Cnzz/Baidu Spyware reporting
6. Rimecud Worm
7. Trojan Hiloti
8. Win32 Cycbot
9. Trojan KLog
10. Hostile encoded JS (generic)

The virus activity above is mainly comprised of web-based check-ins from victim hosts. Since victim check-ins occur until the victim hosts are cleaned up, this list provides an indication of the top malware families that have infected enterprise systems.

Of course, identifying malware only tells part of the story. Zscaler ThreatLabZ also tracks the sources and vectors used to distribute malware. This quarter the top 5 sources were:

Q2 top 5 sources
1. FakeAV landing page
2. Blackhole exploit kit page
3. Malicious IFrame detected
4. Java Game Trojan download
5. CVE-2010-0249 exploit

In other words, social engineering (FakeAV and games) and exploit kits continue to be the primary infection vectors for malware. Several high-profile hacks and attacks were performed last quarter based on these methods, including the attack against the usps.gov website in which encoded JavaScript was used to inject an iFrame to redirect browsers to a site hosting malware from the Blackhole exploit kit [7].

[7] http://research.zscaler.com/2011/04/uspsgov-website-infected-with-blackhole.html
Top 10 Viruses by Month

Old-fashioned viruses continue to be a viable threat to enterprises, with new twists in attempts to thwart signature scans and traditional antivirus installations.

Throughout Q2 “JS/Crypted” was the top signature blocked. This signature family identifies client side attacks and malware hiding within encrypted JavaScript, in an attempt to avoid detection.

Typically this is a result of exploit kits, which often repackage legacy malware and viruses in new ways.

This quarter we saw the results of common exploit kits abound:
• Traditional virus signatures, obfuscated with JavaScript
• Shellcode in and outside of JavaScript
• Malicious redirection from infected endpoints to dynamic attack pages

Attackers know that they need a layered attack to trick users and bypass security – only an integrated and comprehensive security solution will stop these vectors as they move across email, web, and malware vectors.

Why it Matters to Your Enterprise:
• Attackers can bypass legacy security systems with advanced threats.
• Social Engineering is prevalent: Educating your users is a key component of any security solution.
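The "JS/Crypted" family described above is a structural detection: the script is recognised not by what it eventually does but by the fact that it is encoded and only decodes itself at run time. The script below is an added example of that idea as a heuristic scorer a content-inspection layer could apply to inline JavaScript; it is not a Zscaler signature and goes beyond the single family by scoring several generic indicators. The indicators, their weights, the threshold and both sample scripts are constructed for illustration (the "obfuscated" sample merely wraps a harmless statement in eval/unescape) and would need tuning against real traffic.

```python
"""Heuristic scoring of inline JavaScript for run-time decoding of the kind
the "JS/Crypted" family describes. Added example, not a Zscaler signature;
indicators, weights, threshold and samples are constructed for illustration.
"""
import math
import re

# Calls that turn data back into code or markup at run time.
DECODER_CALLS = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write|atob|Function)\s*\("
)
# Eight or more consecutive %xx / %uxxxx / \xhh / \uhhhh escapes: packed bytes.
ESCAPE_RUN = re.compile(
    r"(?:%[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}"
)
# A single string literal of 200+ characters: a typical carrier for encoded code.
LONG_LITERAL = re.compile(r'["\']([^"\'\n]{200,})["\']')


def shannon_entropy(text):
    """Bits per character; packed or encoded text scores higher than prose-like code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(src):
    """Return (score, reasons). Each indicator contributes independently."""
    score, reasons = 0, []
    decoders = len(DECODER_CALLS.findall(src))
    if decoders:
        score += min(decoders, 3)  # capped so one indicator cannot dominate
        reasons.append(f"{decoders} run-time decoder call(s)")
    if ESCAPE_RUN.search(src):
        score += 2
        reasons.append("long run of byte escapes")
    if LONG_LITERAL.search(src):
        score += 1
        reasons.append("string literal of 200+ characters")
    entropy = shannon_entropy(src)
    if entropy > 5.0:
        score += 1
        reasons.append(f"entropy {entropy:.2f} bits/char")
    return score, reasons


def is_suspicious(src, threshold=3):
    """Flag for closer inspection (sandboxing, deobfuscation) at or above the threshold."""
    return score_script(src)[0] >= threshold


# Constructed samples. The obfuscated one wraps a harmless statement so that
# the structure, not the payload, is what the scorer reacts to.
BENIGN_SCRIPT = """
function greet(name) {
  var banner = document.getElementById("banner");
  banner.textContent = "Welcome, " + name;
}
greet("enterprise user");
"""
_PLAIN = 'document.title = "hello";'
OBFUSCATED_SCRIPT = 'eval(unescape("' + "".join("%%%02x" % ord(c) for c in _PLAIN) + '"));'


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT)):
        score, reasons = score_script(src)
        print(f"{label}: score {score}, suspicious={is_suspicious(src)}; " + "; ".join(reasons))
```

A scorer like this is a triage step, not a verdict: legitimate minified libraries can trip the long-literal and entropy indicators, which is why the decoder-call and escape-run indicators carry more weight and why a hit should route the page to deeper inspection rather than straight to a block.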
Top 10 Malicious Sites

Over the course of the quarter, 1 in 500 total transactions were blocked because of an A/V or security issue. That may not sound like much, but this actually means that Zscaler blocked several hundred million enterprise security risks in Q2 alone.

Zscaler ThreatLabZ has observed that standalone antivirus scanning is becoming less effective as attackers continue to shift away from binary based attacks. Instead, attacks tend to be web based (i.e. JavaScript), dynamic in nature, and often injected into otherwise legitimate sites.

Of all the malicious blocks seen over the quarter, 8.14% were infected sites blocked based on real-time content inspection.

Zscaler Interrogator, from Zscaler ThreatLabZ, is constantly analyzing data in order to identify and block emerging threats before they can impact customers. Based on the findings of Interrogator and partner feeds, Zscaler ThreatLabZ identified the top 10 malicious domains for the quarter:

Q2 Top 10 Malicious Sites (Site – Threat)
1. trafficconverter.biz – Conficker infection
2. muza-flowers.biz – Rustock infection
3. h1.ripway.com – AutoIt/AutoRun infection
4. acreunagoias.com.br – Bancos infection
5. gwc2.wodi.org – Lukicsel infection
6. cf.mimagoo.com – Adware DuckPlay installed
7. code.etracker.com – W32 Virut infection
8. xml.sahcdn.com – ShopAtHome Adware installed
9. clckil.com – TDL/TDSS infection
10. ha81naoo0o0.com – FakeAV infection

[10] http://research.zscaler.com/2011/04/30-days-of-cycbot.html
Looking at the threats in action on these sites, we see that well-known and legacy malware, such as Conficker and Rustock, is still being leveraged by attackers. Likewise, many endpoints which may have been infected long ago have not been cleaned or remediated by enterprises – a disturbing trend in incident management and response.

Zscaler is blocking all of these transactions, some botnets are becoming decommissioned, and C&C domains may be sink-holed or deregistered, but the fact remains that infected enterprise hosts are not remediated, leaving security risks. Infected hosts often have security and update functionalities disabled, may have additional malware components installed and can provide backdoor/remote access.

Why it Matters to Your Enterprise:
• Several hundred million threat transactions are hard to ignore: malware is more active than ever.
• Infections (often from unmanaged devices) must be cleaned to ensure security.
About the Authors

This report was written by Michael Sutton, Julien Sobrier, Mike Geide, Pradeep Kulkarni, and Umesh Wanve.

About Zscaler ThreatLabZ

Zscaler ThreatLabZ is the global security research team for Zscaler. Leveraging an aggregate view of billions of daily web transactions, from millions of users across the globe, Zscaler ThreatLabZ identifies new and emerging threats as they occur, and deploys protections across the Zscaler Security Cloud in real time to protect customers from advanced threats.

About Zscaler: The Cloud Security Company™

Zscaler enforces business policy, mitigates risk and provides twice the functionality at a fraction of the cost of current solutions, utilizing a multi-tenant, globally-deployed infrastructure. Zscaler’s integrated, cloud-delivered security services include Web Security, Mobile Security, Email Security and DLP. Zscaler services enable organizations to provide the right access to the right users, from any place and on any device—all while empowering the end-user with a rich Internet experience.

For more information, visit www.zscaler.com.