
Attacks/Breaches

9/6/2012
06:13 PM

What The IPS Saw

Analysis of HP TippingPoint intrusion prevention system alerts from the past five years reveals how attackers pump out exploits in wake of patches, and how old threats never die

Researchers have drilled down into billions of alerts from intrusion prevention systems (IPSes) worldwide in an effort to get a better picture of the anatomy of today's attacks.

The preliminary findings shed light on spikes in attacks, as well as the source of the types of attacks plaguing organizations. HP researchers Sathya Chandran Sundaramurthy and Sandeep Bhatt of HP Labs, and Marc Eisenbarth of HP TippingPoint, analyzed more than 35 billion alerts issued by its TippingPoint IPS devices between 2007 and 2012 at more than 1,000 of its customer sites around the world, and plan to present their findings at a big data conference next month called BADGERS'12 in Raleigh, N.C.

One thing they found: old-school attacks like SQL Slammer are alive and well. The HP researchers saw the IPSes trigger alerts for the near-decade-old Slammer worm more than one hundred times as often as for any other threat. "In fact, Slammer accounts for almost 2% of all alerts raised by 6,000 filters over the 5 year period," the researchers wrote in their paper.

More than half of HP's customers had a Slammer infection, followed by Nimda (46 percent), Back Orifice (31.4 percent), Storm (8.29 percent), and Code Red (2.29 percent). Slammer, which was first discovered in 2003, was spotted in HP's data set in January of 2009, and hasn't been seen since mid-February of this year, the report says. The alerts for the worm hit a high of 42 million on February 15, 2011.

"There have been reports ... that Slammer activity, which always exists in the background, dipped significantly between March 1 and April 12, 2011. This is consistent with our findings; it is likely that, in response to the February 15 spike, administrators initially took measures to weed out Slammer infections," the researchers said. "Many people have noted that Slammer persists on the Internet as a sort of background radiation and our results are consistent with this, except for a specific high volume denial-of-service attack using the Slammer payload targeting just one customer. While it is certainly possible that the target was a vulnerable instance of Microsoft SQL Server, it is also quite possible that the intended victim was a piece of security or networking equipment in hopes that it could not keep up with the attack volume."

Bob Walder, chief research officer for NSSLabs, says the phenomenon of old-school malware re-emerging is a good reality check. "The frequency and volume of probes from machines infected by 10-year old malicious code is a constant source of amazement, and a reminder that some of these machines may never be disinfected, at least not until they simply die of old age," Walder says. "It is also a salutary reminder that when choosing a security product like an IPS it is important to verify that the vendor does not age out older signatures too aggressively in order to improve performance of the product. SQL Slammer is showing no signs of dying out, and even old chestnuts like the LAND attack can reemerge as programmers forget lessons learned years ago. If any IPS vendor tries to tell you that old vulnerability signatures don't matter, it is time to run far, run fast."

The IPS alerts also provided a glimpse into how attackers respond to vendors disclosing and patching their bugs. It basically illustrated the concept of Exploit Wednesday, the day after Microsoft's Patch Tuesday release. The data shows that in some cases a vendor's patch results in a jump in exploit attempts, researchers say. HP TippingPoint's IPS had a filter back in 2005 to detect some JavaScript bugs in Mozilla Firefox, Thunderbird, and SeaMonkey that had not yet been patched by the company. Mozilla issued a fix for the bugs in April of 2010, and it was then that the IPS spit out a wave of alerts about attacks it detected exploiting those bugs: "The number of alerts increased after the patch release date, while there was very little activity for the prior years," the researchers said in their report.

When Microsoft on October 12, 2010, issued a patch for its Extended OpenType fonts flaw, the IPSes detected a massive increase in exploit attempts. (TippingPoint had a filter to detect exploits of the flaws back in 2006). "We believe that attackers became aware of this vulnerability and started hosting malicious websites that contain EOT fonts crafted and embedded in a way that would compromise Windows client machines," the researchers wrote. "Even though the filter just detects the download of EOT font over the network (which could be benign), the fact that the download increased after a patch disclosure is suspicious."
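The two measurements the article describes, a filter's share of total alerts and customer coverage (the Slammer figures) and a before/after comparison of alert rates around a disclosure date (the Mozilla and EOT cases), are straightforward to reproduce on one's own IPS export. The script below is an added illustration, not code from HP or the researchers' paper; the alert records, filter names, customer IDs and the patch date in it are all constructed, and the three-times threshold for calling something a spike is an arbitrary choice for the example.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample data (not real TippingPoint alerts).
# Each record is (alert_date, filter_name, customer_id).
PATCH_DAY = date(2010, 4, 1)  # assumed patch/disclosure date for the example


def _days(start, n):
    return [start + timedelta(days=i) for i in range(n)]


ALERTS = []
# "slammer": steady background noise at three customers, every day for 60 days
for d in _days(PATCH_DAY - timedelta(days=30), 60):
    for cust in ("c1", "c2", "c3"):
        ALERTS.append((d, "slammer", cust))
# "browser-js": 1 alert/day before the patch, 6/day after it, at one customer
for d in _days(PATCH_DAY - timedelta(days=30), 30):
    ALERTS.append((d, "browser-js", "c1"))
for d in _days(PATCH_DAY, 30):
    ALERTS.extend([(d, "browser-js", "c1")] * 6)
# "eot-font": flat 2 alerts/day throughout at another customer (no spike)
for d in _days(PATCH_DAY - timedelta(days=30), 60):
    ALERTS.extend([(d, "eot-font", "c4")] * 2)


def alert_share(alerts):
    """Fraction of all alerts attributed to each filter ("Slammer is 2%")."""
    counts = Counter(f for _, f, _ in alerts)
    total = sum(counts.values())
    return {f: n / total for f, n in counts.items()}


def customer_coverage(alerts):
    """Fraction of distinct customers on which each filter fired at least once."""
    customers = {c for _, _, c in alerts}
    hit = defaultdict(set)
    for _, f, c in alerts:
        hit[f].add(c)
    return {f: len(s) / len(customers) for f, s in hit.items()}


def daily_rate(alerts, filter_name, start, end):
    """Mean alerts per day for one filter over the half-open range [start, end)."""
    n = sum(1 for d, f, _ in alerts if f == filter_name and start <= d < end)
    return n / (end - start).days


def disclosure_spike(alerts, filter_name, disclosure, window_days=30, min_ratio=3.0):
    """Compare the post-disclosure alert rate with the pre-disclosure baseline.

    A filter that was nearly silent before the patch (baseline 0) yields an
    infinite ratio, which is exactly the "very little activity for the prior
    years" pattern the researchers describe; callers should still eyeball
    those, since a near-zero baseline can also mean a filter that rarely fires.
    """
    window = timedelta(days=window_days)
    pre = daily_rate(alerts, filter_name, disclosure - window, disclosure)
    post = daily_rate(alerts, filter_name, disclosure, disclosure + window)
    ratio = post / pre if pre else float("inf")
    return {"pre": pre, "post": post, "ratio": ratio, "spike": ratio >= min_ratio}


if __name__ == "__main__":
    share, coverage = alert_share(ALERTS), customer_coverage(ALERTS)
    for name in sorted(share):
        r = disclosure_spike(ALERTS, name, PATCH_DAY)
        print(f"{name:10s} share={share[name]:.3f} coverage={coverage[name]:.2f} "
              f"pre={r['pre']:.1f}/day post={r['post']:.1f}/day spike={r['spike']}")
```

Because the post/pre ratio is computed per filter against that filter's own baseline, a noisy signature with a constant false-positive floor (the caveat Moore raises about IPS filters) shows a ratio near 1 rather than a spike, while a filter that fires hundreds of times only after the patch stands out regardless of its absolute volume.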

[UPDATE]: HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project, says while it's true that patches often drive exploitation, there are a few catches here. "Notably, IPS signatures are frequently subject to false positives. My hunch is that most of the pre-disclosure and post-disclosure baseline levels of alerts are actually false positives with those specific filters," Moore says. "I saw this firsthand while testing IPS products at BreakingPoint -- sending enough random data for a long enough period of time results in all sorts of signatures firing on benign traffic. The nature of client-side exploits ... is that evasion is incredibly easy: the true level of attacks could be much higher, but hidden in gzip compression, chunked encoding, JavaScript encoding, SSL, and other forms of evasion, all of which are common in typical drive-by attacks."

NSSLabs' Walder says exploit spikes are inevitable after vulnerabilities get disclosed. "Many of these will be successful as security practitioners struggle to keep up with patching vulnerable software deployed on their network, or are unable to do so due to vulnerabilities being disclosed without first giving the software vendors time to formulate a fix," Walder says.

Take the recent Java exploit exposed last month, which quickly was added to the BlackHole crimeware kit and the open-source Metasploit penetration testing tool. "Within days, it [the exploit] became a major threat to Internet users," he says.

[Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit. See New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs.]

That's where IPSes with timely signatures can come in handy as a stopgap measure prior to the release and application of a patch. "When purchasing an IPS, it is very important to focus on the signature-writing capabilities of the vendor, whether or not they have a history of producing timely and accurate updates, and whether their signatures are vulnerability- or exploit-focused," he says.

[UPDATE]: Rapid7's Moore says he'd like to see more analysis of the initial IPS data from HP. "I would love to see a deeper dive into this data with more clear-cut examples of the pre-disclosure and post-disclosure periods. The report includes a lot of great data to chew on, but I don't believe they make a compelling case for post-patch exploitation increases today," he says.

The researchers say they plan to continue their analysis, according to the report.

Moore says the publication of HP's analysis of the data was intriguing. "The most surprising thing about this report was the fact it was released at all. It is amazing that 1,000 of TippingPoint's customers agreed to provide their IPS alert data for this analysis," he says.

HP's research paper is available here for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
