Attacks/Breaches

9/6/2012
06:13 PM
What The IPS Saw

Analysis of HP TippingPoint intrusion prevention system alerts from the past five years reveals how attackers pump out exploits in the wake of patches, and how old threats never die

Researchers have drilled down into billions of alerts from intrusion prevention systems (IPSes) worldwide in an effort to get a better picture of the anatomy of today's attacks.

The preliminary findings shed light on spikes in attacks, as well as the source of the types of attacks plaguing organizations. HP researchers Sathya Chandran Sundaramurthy and Sandeep Bhatt of HP Labs, and Marc Eisenbarth of HP TippingPoint, analyzed more than 35 billion alerts issued by its TippingPoint IPS devices between 2007 and 2012 at more than 1,000 of its customer sites around the world, and plan to present their findings at a big data conference next month called BADGERS'12 in Raleigh, N.C.

One thing they found: old-school attacks like SQL Slammer are alive and well. The HP researchers found that the IPSes raised alerts for the near-decade-old Slammer worm more than a hundred times as often as for any other threat. "In fact, Slammer accounts for almost 2% of all alerts raised by 6,000 filters over the 5 year period," the researchers wrote in their paper.

More than half of HP's customers had a Slammer infection, followed by Nimda (46 percent); Back Orifice (31.4 percent); Storm (8.29 percent); and Code Red (2.29 percent). Slammer, which was first discovered in January 2003, shows up in HP's data set from January 2009 and has not been seen since mid-February of this year, the report says. Alerts for the worm hit a high of 42 million on February 15, 2011.

"There have been reports ... that Slammer activity, which always exists in the background, dipped significantly between March 1 and April 12, 2011. This is consistent with our findings; it is likely that, in response to the February 15 spike, administrators initially took measures to weed out Slammer infections," the researchers said. "Many people have noted that Slammer persists on the Internet as a sort of background radiation and our results are consistent with this, except for a specific high volume denial-of-service attack using the Slammer payload targeting just one customer. While it is certainly possible that the target was a vulnerable instance of Microsoft SQL Server, it is also quite possible that the intended victim was a piece of security or networking equipment in hopes that it could not keep up with the attack volume."

Bob Walder, chief research officer for NSSLabs, says the phenomenon of old-school malware re-emerging is a good reality-check. "The frequency and volume of probes from machines infected by 10-year old malicious code is a constant source of amazement, and a reminder that some of these machines may never be disinfected, at least not until they simply die of old age," Walder says. "It is also a salutary reminder that when choosing a security product like an IPS it is important to verify that the vendor does not age out older signatures too aggressively in order to improve performance of the product. SQL Slammer is showing no signs of dying out, and even old chestnuts like the LAND attack can reemerge as programmers forget lessons learned years ago. If any IPS vendor tries to tell you that old vulnerability signatures don't matter, it is time to run far, run fast."
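To make concrete what such a decade-old filter actually checks, and why a flood like the February 15, 2011 spike stands out against the worm's constant background noise, here is a toy Slammer filter with per-day alert aggregation. This is example code written for this page, not HP TippingPoint's filter or anything from the researchers' paper. The signature is a simplification of the public description of the worm (a single UDP datagram to port 1434, 376-byte payload, request type 0x04 followed by a run of 0x01 padding, "sock" and "send" strings in the shellcode); the padding-run threshold, the spike factor, the host addresses and all of the sample traffic are constructed for illustration.

```python
"""Toy IPS filter for SQL Slammer plus alert-volume spike detection.

Added example, not code from HP TippingPoint or the BADGERS'12 paper.
The signature is modelled on the public description of Slammer; the
thresholds and the sample traffic below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median

SLAMMER_PAYLOAD_LEN = 376   # worm body; 404 bytes on the wire with IP and UDP headers
SSRP_PORT = 1434            # SQL Server Resolution Protocol, the service Slammer overflowed
MIN_PAD_RUN = 16            # assumption: shortest run of 0x01 padding we insist on


@dataclass(frozen=True)
class UdpDatagram:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes


def is_slammer(pkt: UdpDatagram) -> bool:
    """True when the datagram matches the Slammer propagation signature."""
    p = pkt.payload
    if pkt.dport != SSRP_PORT or len(p) != SLAMMER_PAYLOAD_LEN:
        return False
    if p[:1] != b"\x04":                                  # CLNT_UCAST_INST request type
        return False
    if p[1:1 + MIN_PAD_RUN] != b"\x01" * MIN_PAD_RUN:     # overflow padding
        return False
    return b"sock" in p and b"send" in p                  # shellcode import strings


def alerts_per_day(pkts) -> dict:
    """Count Slammer alerts by calendar day (what an IPS dashboard would plot)."""
    counts = Counter()
    for pkt in pkts:
        if is_slammer(pkt):
            counts[pkt.ts.date()] += 1
    return dict(counts)


def spike_days(daily: dict, factor: float = 10.0) -> list:
    """Days whose alert count exceeds `factor` times the median of the other days.

    Steady background noise stays under the threshold; a one-off flood such
    as a Slammer-payload denial of service against one site stands out.
    """
    out = []
    for day, n in daily.items():
        others = [v for d, v in daily.items() if d != day]
        if others and n > factor * median(others):
            out.append(day)
    return sorted(out)


def slammer_like(ts: datetime, src: str) -> UdpDatagram:
    """Constructed stand-in for the worm datagram (not the real worm bytes)."""
    body = b"\x04" + b"\x01" * 97 + b"sock" + b"send"
    body = body.ljust(SLAMMER_PAYLOAD_LEN, b"\x90")
    return UdpDatagram(ts, src, "10.0.0.5", SSRP_PORT, body)


# Legitimate instance lookup: same 0x04 request type, so a filter keyed on the
# first byte alone would fire on every client looking for "MSSQLSERVER".
BENIGN_PROBE = UdpDatagram(datetime(2011, 2, 14, 9, 0), "10.0.0.7", "10.0.0.5",
                           SSRP_PORT, b"\x04MSSQLSERVER\x00")
DNS_QUERY = UdpDatagram(datetime(2011, 2, 14, 9, 1), "10.0.0.7", "10.0.0.53",
                        53, b"\x12\x34\x01\x00" + b"\x00" * 8)


def build_sample_traffic() -> list:
    """Constructed week of traffic: two infected hosts knocking daily, plus a flood."""
    pkts = [BENIGN_PROBE, DNS_QUERY]
    for day in range(13, 18):                               # 13-17 Feb 2011
        for src in ("192.0.2.10", "198.51.100.20"):
            pkts.append(slammer_like(datetime(2011, 2, day, 3, 0), src))
    for i in range(38):                                     # single-source flood on 15 Feb
        pkts.append(slammer_like(datetime(2011, 2, 15, 12, 0, i), "203.0.113.9"))
    return pkts


SAMPLE = build_sample_traffic()
DAILY = alerts_per_day(SAMPLE)

if __name__ == "__main__":
    for day in sorted(DAILY):
        print(day, DAILY[day])
    print("spike days:", spike_days(DAILY))
```

The benign instance lookup is in the sample on purpose: it carries the same 0x04 request type as the worm, so a filter that matched on that byte alone would alert on every legitimate SQL Server client, which is the kind of baseline false positive Moore raises further down.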

The IPS alerts also provided a glimpse into how attackers respond to vendors disclosing and patching their bugs. The data illustrates the concept of Exploit Wednesday, the day after Microsoft's Patch Tuesday release: in some cases a vendor's patch results in a jump in exploit attempts, the researchers say. HP TippingPoint's IPS had a filter back in 2005 to detect some JavaScript bugs in Mozilla Firefox, Thunderbird, and SeaMonkey that Mozilla had not yet patched. Mozilla issued a fix for the bugs in April of 2010, and it was then that the IPS spit out a wave of alerts about attacks exploiting those bugs. "The number of alerts increased after the patch release date, while there was very little activity for the prior years," the researchers said in their report.

When Microsoft on October 12, 2010, issued a patch for its Embedded OpenType (EOT) font flaw, the IPSes detected a massive increase in exploit attempts. (TippingPoint had a filter to detect exploits of the flaw back in 2006.) "We believe that attackers became aware of this vulnerability and started hosting malicious websites that contain EOT fonts crafted and embedded in a way that would compromise Windows client machines," the researchers wrote. "Even though the filter just detects the download of EOT font over the network (which could be benign), the fact that the download increased after a patch disclosure is suspicious."

[UPDATE]: HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project, says while it's true that patches often drive exploitation, there are a few catches here. "Notably, IPS signatures are frequently subject to false positives. My hunch is that most of the pre-disclosure and post-disclosure baseline levels of alerts are actually false positives with those specific filters," Moore says. "I saw this firsthand while testing IPS products at BreakingPoint -- sending enough random data for a long enough period of time results in all sorts of signatures firing on benign traffic. The nature of client-side exploits ... is that evasion is incredibly easy: the true level of attacks could be much higher, but hidden in gzip compression, chunked encoding, JavaScript encoding, SSL, and other forms of evasion, all of which are common in typical drive-by attacks."

NSSLabs' Walder says exploit spikes are inevitable after vulnerabilities get disclosed. "Many of these will be successful as security practitioners struggle to keep up with patching vulnerable software deployed on their network, or are unable to do so due to vulnerabilities being disclosed without first giving the software vendors time to formulate a fix," Walder says.

Take the recent Java exploit exposed last month, which quickly was added to the BlackHole crimeware kit and the open-source Metasploit penetration testing tool. "Within days, it [the exploit] became a major threat to Internet users," he says.

[Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit. See New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs.]

That's where IPSes with timely signatures can come in handy as a stopgap measure prior to the release and application of a patch. "When purchasing an IPS, it is very important to focus on the signature-writing capabilities of the vendor, whether or not they have a history of producing timely and accurate updates, and whether their signatures are vulnerability- or exploit-focused," he says.

[UPDATE]: Rapid7's Moore says he'd like to see more analysis of the initial IPS data from HP. "I would love to see a deeper dive into this data with more clear-cut examples of the pre-disclosure and post-disclosure periods. The report includes a lot of great data to chew on, but I don't believe they make a compelling case for post-patch exploitation increases today," he says.

The researchers say they plan to continue their analysis, according to the report.

Moore says the publication of HP's analysis of the data was intriguing. "The most surprising thing about this report was the fact it was released at all. It is amazing that 1,000 of TippingPoint's customers agreed to provide their IPS alert data for this analysis," he says.

HP's research paper is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
