Qualys: Vulnerabilities, Statistics and… Malware?
Wolfgang Kandek, CTO, Qualys, Inc.
http://nullcon.net/
VIP 2-factor or client-certificate strong authentication options

Qualys Basics
• Founded to automate Vulnerability Assessments
• Software as a Service (SaaS) with:
  • Internet-based shared scanners
  • Scanner Appliances for internal scanning
  • Web portal for data access
• 270 employees (140 in Engineering)
• 5000+ customers
IDC 2011 Report

Frost & Sullivan 2010 Report
Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010
Laws of Vulnerabilities
Half-Life = 29.5 days
• 2004 - 3M IPs scanned, 2M vulnerabilities
  • Half-life – 30 days
  • Prevalence – 50 % renewal annually
  • Persistence – unlimited for some
  • Exploitation – 80 % available within 60 days
• 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity
  • Difference by OS and Application
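The half-life law above says the population of hosts exposed to a given vulnerability halves roughly every 30 days. As an added example (not from the deck or from Qualys), the code below projects remediation from that half-life and, conversely, estimates a half-life from a constructed series of scan counts by a log-linear least-squares fit, which is how one would check the law against one's own scan data.

```python
import math

HALF_LIFE_DAYS = 29.5  # half-life reported in the deck


def remaining_fraction(days, half_life=HALF_LIFE_DAYS):
    """Fraction of originally exposed hosts still vulnerable after `days`."""
    return 0.5 ** (days / half_life)


def days_until_remediated(target_fraction, half_life=HALF_LIFE_DAYS):
    """Days until only `target_fraction` of the exposed hosts remain vulnerable."""
    if not 0 < target_fraction < 1:
        raise ValueError("target_fraction must be strictly between 0 and 1")
    # Solve 0.5 ** (t / half_life) == target_fraction for t.
    return half_life * math.log(target_fraction, 0.5)


def estimate_half_life(observations):
    """Fit log2(count) = log2(N0) - day / half_life by least squares.

    observations: iterable of (day, vulnerable_host_count) from successive scans.
    Returns the estimated half-life in days.
    """
    points = [(d, math.log2(c)) for d, c in observations if c > 0]
    if len(points) < 2:
        raise ValueError("need at least two scans with non-zero counts")
    n = len(points)
    mean_x = sum(d for d, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((d - mean_x) ** 2 for d, _ in points)
    sxy = sum((d - mean_x) * (y - mean_y) for d, y in points)
    slope = sxy / sxx            # expected to be -1 / half_life
    if slope >= 0:
        raise ValueError("counts are not decaying; no half-life to estimate")
    return -1.0 / slope


# Constructed sample: monthly scan counts for one vulnerability (not real data).
SAMPLE_SCANS = [(0, 1000), (30, 510), (60, 245), (90, 130)]

if __name__ == "__main__":
    print(f"after 60 days: {remaining_fraction(60):.1%} still vulnerable")
    print(f"days to 90% remediation: {days_until_remediated(0.1):.1f}")
    print(f"fitted half-life: {estimate_half_life(SAMPLE_SCANS):.1f} days")
```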
New Services
• Policy Compliance
  • Configuration checks
  • Password length, installed SW, access rights
  • 20 technologies, 2000 controls
• Web Application Scanning
  • Web Application Catalog
  • Batch-oriented production scanning

New Research Activities
• Blind Elephant – Web Application Fingerprinter
• Neptune – Malware Detection Scanner
• BrowserCheck – Light-weight, end-user VA
• IronBee – Web Application Firewall
• SSL Labs – World-wide SSL usage statistics
• Dissect – Malware Exchange/Analysis Portal
• HoneyNet Research Portal
Blind Elephant Web App Fingerprinter
• Fingerprint common web applications by analyzing source code
  • Blogs, Forums, Wikis, etc.
• Goals: accuracy, speed, low resource usage
• Results: 1 Million “.com” domains
• Available at: blindelephant.sourceforge.net
Neptune Malware Detection System
• Visit/crawl web site with:
  • Virtualized Machine
  • Vulnerable, but instrumented OS
  • Vulnerable, but instrumented Browser
• Configuration
  • VMware
  • Internet Explorer 6 on Windows XP
  • Detours + Custom Hooks
• Log everything
• Detect malicious intent early, avoid infection
http://null.co.in/

Neptune Malware Detection System
• Static Detection
  • Analyze inputs for known exploit patterns, signature-based
  • Pro: efficient and fast, signatures easily updated and shared
  • Con: false positives, defeated by obfuscation, known threats only
• Behavioral Detection
  • Monitor the browser process, check for anomalous activity
  • Pro: low false positives, immune to obfuscation, detects new threats
  • Con: the exploit must succeed to be observed, false negatives, expensive
• Reputation and AV checks (pluggable: Google, Trend)
Neptune Malware Detection System
• UI version
  • Focus on end-user, website owner
  • Daily scheduled scans, alerts
• API version
  • Focus on bulk user, integration, research
  • Single URLs, Maps, or site with crawling
• Available: qualys.com/stopmalware
• Contact: pthomas@qualys.com for API access
BrowserCheck
• https://browsercheck.qualys.com
• Security check for Browsers and Plug-ins
• End-user focus, free and easy to use
• 200,000 visits – Jul 2010 / Jan 2011
• IE, Firefox, Safari, Chrome, Opera
• Windows, Mac OS X and Linux
BrowserCheck Stats
• Operating System:
  • Windows XP – 47 %
  • Windows 7 – 32 %
• Browser:
  • IE 8 – 36 %
  • Firefox 3.6 – 34 %
• Plug-in: ?
• Country:
IronBee – Web App Firewall
• Open-source effort led by Ivan Ristic
  • Author of mod_security
• WAF technology renewed
• Focus on accuracy and usability
• WAS and MDS (Neptune) integration
• Available at: www.ironbee.com

SSL Labs – SSL usage statistics
• V2 is coming
• http://ssllabs.com
Dissect – Malware Portal
• Led by Rodrigo Branco - www.kernelhacking.com
• Team in Brazil, Malware and Vulnerability Research
• Malware exchange system up and running
• Malware analysis in alpha
  • Static analysis
  • Runtime analysis on virtual and real machines
• Integration with Neptune MDS coming in
• Community-oriented effort
• Contact: rbranco@qualys.com
Honeynet
• Nemean Networks acquisition
  • University of Wisconsin research team
  • Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html
• Honeynet/Signature/IDS system
• Global Honeynet Effort
  • Centralized signature generation – open-source
  • Snort/Suricata plug-ins – open-source

Contacts
Wolfgang Kandek – wkandek@qualys.com
Amit Deshmukh – adeshmukh@qualys.com