Insights From Collective Threat Intelligence


During 2014, Webroot encountered tens of millions of instances of malware and potentially unwanted applications (PUAs), monitored billions of IP addresses and URLs, analyzed millions of new and updated mobile apps for malicious behavior, and studied major malware trends based on data from millions of endpoints. This report contains insights, analysis, and information on how collective threat intelligence can protect organizations from sophisticated attacks.

APRIL 2015

CONTENTS

Foreword
Introduction
    How BrightCloud Threat Intelligence is Captured, Analyzed, Classified, Correlated and Published
85,000 Net New Malicious IPs are Launched Every Day
    Webroot BrightCloud IP Reputation
    Key Findings on IPs
Less than 55% of all URLs are Trustworthy
    Webroot BrightCloud Web Classification and Web Reputation
    Key Findings on URLs
30% of Internet Users Access Phishing Sites
    Webroot BrightCloud Real-Time Anti-Phishing
    Key Findings on Phishing
15% of New Files are Malicious Executables
    Webroot BrightCloud File Reputation
    Key Findings on Files
Only 28% of Mobile Apps are Trustworthy or Benign
    Webroot BrightCloud Mobile App Reputation
    Key Findings on Mobile Apps
Conclusion

FOREWORD

Webroot has seen a continued rise in the number of malicious URLs, IP addresses, malware, and mobile applications used to enable cybercriminals to steal data, disrupt services, or cause other harm. With more breaches at major retailers, financial institutions and technology companies in the headlines and scores of other, smaller breaches in 2014, the trend shows no signs of slowing down.

Hal Lonas, Chief Technology Officer, Webroot, Inc.

Each of these organizations had some form of security infrastructure. But if this is the case, to what can we attribute these breaches? A likely contributing factor is dependence on outdated security practices. They likely also lacked suitable insight and intelligence into today’s dynamic threat landscape, the ability to block previously unseen attacks, and the tools to minimize time-to-detection for breaches that had gone unnoticed.

At Webroot, we believe that it is essential for IT departments, users and others to have access to up-to-date intelligence on threats to their systems and endpoints of all types. Threats are constantly changing, so security controls must adapt accordingly. These security controls include being aware of the latest malicious IPs, the types of websites that are most often impersonated in phishing attacks, and the categories of apps that are most likely to be malicious. Real-time, contextual, and predictive threat intelligence that spans the spectrum of attack vectors is a critical component of a defense-in-depth strategy to take on today’s cybercriminals, giving companies the edge they need to combat both new and known threats.

INTRODUCTION

The Webroot 2015 Threat Brief provides an overview of the threats against a wide range of organizations and individuals during 2014. It is based on analysis of threat intelligence metrics automatically captured, analyzed and correlated across threat vectors by BrightCloud, a Big Data security engine that acts as the backbone for all Webroot endpoint solutions and threat intelligence services.

During 2014, BrightCloud found tens of millions of instances of malware and potentially unwanted applications (PUAs), monitored billions of IP addresses and URLs, analyzed millions of new and updated mobile apps for malicious behavior, and studied major malware trends based on data from millions of endpoints.

This report also contains supplementary insights from the Webroot Threat Research team, and includes:

- Analysis of IP addresses associated with malicious activity
- Details on the classification and reputation of URLs
- Phishing detection statistics
- Insights into malware and potentially unwanted applications
- Information on mobile app security for Android devices

How BrightCloud Threat Intelligence is Captured, Analyzed, Classified, Correlated and Published

Webroot endpoint and threat intelligence solutions are all powered by BrightCloud, which was purpose-built as a revolutionary approach to next-generation threat protection. BrightCloud integrates billions of pieces of information from millions of sensors to create the world’s largest malware detection net. The next-generation threat intelligence produced is available to Webroot partners through BrightCloud Threat Intelligence Services for proactive protection for their customers against both known and never-before-seen attacks. These services cover URL classification and reputation, IP reputation, file reputation, anti-phishing, and mobile security.

Figure 1: BrightCloud (collective threat intelligence; partner end users protected: 27 million)

Its powerful, real-time threat analysis engine has enabled Webroot to pull insights together from across the internet landscape for this threat brief. The massive data processing capacity, coupled with Webroot’s proprietary implementation of the most advanced machine learning technology available and a powerful contextual analysis engine, has enabled Webroot to:

1. Monitor: accurately monitor the entire IPv4 space and in-use IPv6 addresses and continuously update a dynamic list of approximately 12 million malicious IP addresses
2. Categorize: categorize millions of files that are seen across millions of Webroot customer endpoints
3. Classify: classify and score over 95% of the internet on a daily basis and detect phishing sites in real time
4. Assess: assess the risk of millions of mobile apps (over 7 million new and updated in 2014)

In addition, Webroot has mapped all of this data across vectors, linking URLs, IPs, files, and mobile applications to each other to provide greater insight and accuracy, and enabling predictive risk scoring based on those relationships. For example, a URL may seem benign when examined independently, but may be connected to malicious IPs, files, and/or mobile apps, which would affect its reputation score within the Webroot system.

While this system is primarily used to keep ahead of the exponential proliferation of threats facing companies and end users today, the Webroot team has analyzed data from this system to develop an overarching view of the threat landscape.

BrightCloud by the numbers: 20 Billion URLs; 7 Billion File Behavior Records; 600 Million Domains; 15 Million Mobile Apps; 4 Billion IP Addresses; 10 Million Connected Sensors

85,000 net new malicious IPs are launched every day.

Webroot BrightCloud IP Reputation

One of the most effective methods to prevent attacks is by blocking activity from IP addresses that are known to have malicious intent. Webroot continuously monitors and maintains a database of over 4 billion IP addresses, from which a subset of high-risk IP addresses is updated for customers and made available to Webroot partners every five minutes, or as often as they would prefer. This frequency is necessary to identify the latest threats and provide protection against them. Frequent reassessment of IP threats is also necessary, for example, as infected hosts are cleaned and remediated, making them benign again, and as hosts change IP addresses.

BrightCloud analyzes and correlates data across numerous dimensions to create a predictive risk score, which falls into one of five rating bands ranging from trustworthy to malicious. The BrightCloud IP Reputation Index provides scores ranging from 1 to 100, with tiers split into Trustworthy, Low Risk, Moderate Risk, Suspicious, and High Risk. Numerically lower, i.e. higher risk, scores indicate an IP is more likely to be or become bad, and are monitored at a greater frequency than trustworthy IPs.

Figure 2: BrightCloud IP Reputation Index

01-20   High Risk: These are high risk IP addresses. There is a high predictive risk that these IPs will deliver attacks – such as malicious payloads, DoS attacks, or others – to your infrastructure and endpoints.
21-40   Suspicious: These are suspicious IPs. There is a higher than average predictive risk that these IPs will deliver attacks to your infrastructure and endpoints.
41-60   Moderate Risk: These are generally benign IPs, but have exhibited some potential risk characteristics. There is some predictive risk that these IPs will deliver attacks to your infrastructure and endpoints.
61-80   Low Risk: These are benign IPs, and rarely exhibit characteristics that expose your infrastructure and endpoints to security risks. There is a low predictive risk of attack.
81-100  Trustworthy: These are clean IPs that have not been tied to a security risk. There is a very low predictive risk that your infrastructure and endpoints will be exposed to attack.

Key Findings on IPs

Webroot’s dynamic list of known malicious IP addresses contains approximately 12 million IPs at any given time. On a daily basis, approximately 36% of these addresses are dropped from the list, and this percentage remains relatively consistent throughout the year. Malware designers and other attackers know that an IP address is only useful for attack-launching or attack-control purposes until it is detected as malicious. Because blacklisting can occur within minutes of the appearance of new malicious activity for an IP address, attackers must change hosts and IP addresses frequently. However, because the Webroot IP blacklist is constantly updated, these changes are rapidly detected and mitigated, minimizing the window of opportunity for attackers.

While most IP addresses on the blacklist drop off and don’t reappear, there is a core set of IP addresses that resurface repeatedly on the blacklist. In particular, the top 10,000 malicious IP addresses are reused quite often, on average dropping off and reappearing on the blacklist nearly four times a month. Webroot also adds many IP addresses that weren’t previously malicious to the blacklist. Throughout 2014, the average number of net new IP addresses added per day was over 85,000. This reinforces the importance of using an IP blacklist that is consistently updated in near real time to enable security teams to proactively block threat actors behind those IPs, such as stopping spam and distributed denial of service (DDoS) traffic by limiting the exposure to dangerous or risky IPs. As an example, a highly security conscious bank may choose to block anything with a score lower than 80, while others may choose to accept traffic from IPs with scores higher than 60 as long as the site being accessed is affiliated with a partner.

Malicious IP addresses come from all over the world, but are concentrated in certain countries and regions. The United States accounts for over 30% of malicious IP addresses, followed by China and Russia, per Figure 3 (below). In fact, half of malicious IP addresses are based in Asia.

Figure 3: Top 10 Threat IP Origin Countries (only part of the chart is recoverable)
31% United States
23% China
10% Russian Federation
8% South
1% Netherlands
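The band table above and the two blocking policies described in the key findings (a bank that blocks anything scored below 80; an organization that accepts partner-affiliated destinations scored above 60) can be combined into a small decision routine. The block below is an added example, not Webroot or BrightCloud code. The 1-100 score range and the five bands come from the brief; the midpoint heuristic in correlated_score(), the Policy class and every sample score are assumptions constructed for illustration, standing in for the cross-vector correlation the introduction describes without claiming to reproduce its method.

```python
"""Reputation bands, cross-vector score adjustment and a blocking policy.

Added illustration only; this is not Webroot or BrightCloud code. The 1-100
score range and the five bands are as described in the brief. The
correlated_score() heuristic, the Policy class and every sample value are
constructed assumptions for demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Band boundaries as listed in the BrightCloud IP Reputation Index (lower = riskier).
BANDS = (
    (1, 20, "High Risk"),
    (21, 40, "Suspicious"),
    (41, 60, "Moderate Risk"),
    (61, 80, "Low Risk"),
    (81, 100, "Trustworthy"),
)


def band_for(score: int) -> str:
    """Map a 1-100 reputation score to its band name."""
    if not 1 <= score <= 100:
        raise ValueError(f"score out of range 1-100: {score}")
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: BANDS cover 1-100")


def correlated_score(standalone: int, linked_scores: list[int]) -> int:
    """Pull a score down when the entity is linked to worse-scoring entities.

    Constructed heuristic (not the vendor's method): the adjusted score is the
    midpoint between the standalone score and the worst linked score. Links
    never raise a score, so a clean neighbourhood cannot launder a bad one.
    """
    if not linked_scores:
        return standalone
    worst = min(linked_scores)
    if worst >= standalone:
        return standalone
    return (standalone + worst) // 2


@dataclass(frozen=True)
class Policy:
    """Block anything scored below min_score; optionally relax the bar for
    destinations affiliated with a business partner."""
    name: str
    min_score: int
    partner_min_score: Optional[int] = None

    def allows(self, score: int, partner_affiliated: bool = False) -> bool:
        threshold = self.min_score
        if partner_affiliated and self.partner_min_score is not None:
            threshold = self.partner_min_score
        return score >= threshold


# The two policies the brief uses as examples. A score "lower than 80" is
# blocked, so 80 itself passes; "higher than 60" means 61 and up. The default
# threshold of the partner-aware policy is an assumption.
BANK_POLICY = Policy("security-conscious bank", min_score=80)
PARTNER_POLICY = Policy("partner-aware", min_score=80, partner_min_score=61)


def decide(policy: Policy, standalone: int, linked_scores: list[int],
           partner_affiliated: bool = False) -> dict:
    """Full evaluation: correlate across linked entities, band, apply policy."""
    score = correlated_score(standalone, linked_scores)
    return {
        "score": score,
        "band": band_for(score),
        "allowed": policy.allows(score, partner_affiliated),
    }


if __name__ == "__main__":
    # Constructed sample: a URL that looks clean on its own (85, Trustworthy)
    # but resolves to an IP scored 15 (High Risk) and serves a file scored 70.
    for policy in (BANK_POLICY, PARTNER_POLICY):
        print(policy.name, decide(policy, 85, [15, 70], partner_affiliated=True))
```

Run stand-alone, the sample URL drops from 85 to 50 (Moderate Risk) once its High Risk IP is taken into account, and both policies block it even for a partner-affiliated destination; the same URL linked only to a Low Risk entity scored 70 lands at 77, which the bank still blocks but the partner-aware policy accepts.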

Another interesting finding from the malicious IP address data involves threat types, such as spam sources, scanners, proxies, web attacks, phishing, and others. Based on the types of malicious activity that each IP address is involved in, it is categorized as having a primary threat type. Spam sources make up the vast majority of all malicious IPs by threat type—approximately 90%. These threats are typically very short-lived, often existing for only hours or even minutes, but by using current blacklists, organizations can successfully stop spam and related botnets by blocking the associated IP addresses. Figure 4 shows the percentage of malicious IPs by threat type, excluding the predominant spam/botnet sources type. Scanners make up roughly half of the remaining threats, with proxies following closely behind.

Figure 4: Malicious IPs by threat type in 2014, excluding spam sources
Scanners 51%; Proxy 41%; Web Attacks 6%; Other 2%

Less than 55% of all URLs are trustworthy.

Webroot BrightCloud Web Classification and Web Reputation

Webroot regularly classifies and monitors the reputations of over 20 billion URLs, and makes that intelligence available through the BrightCloud Web Classification Service and the BrightCloud Web Reputation Service. The Webroot BrightCloud Web Classification Service offers up-to-date and accurate website intelligence across 83 site security categories to help enterprises secure users against online threats, control internet usage, and ensure compliance by implementing sensible web access policies. Similar to the IP Reputation Service, the BrightCloud Web Reputation Service utilizes a five-tiered scoring system to assess the risk of a specific URL based on its site history, age, rank, location, networks, links, and real-time performance, as well as other contextual and behavioral trends. This website security check adds a layer of real-time protection to web defenses by accurately assessing the risk posed when opening a URL, independent of its category.

At this time, the BrightCloud analysis engine classifies and scores over 2,500 URLs per second with much higher accuracy rates than can be achieved by human analysts. This speed and accuracy allows for a unique perspective into the online world.

Key Findings on URLs

Not all risky URLs are created equal. Figure 5 shows the breakdown of URLs scored by BrightCloud. It is important to note that over half of the URLs assessed were found to be trustworthy, and another 11% were determined low risk. While 30% were categorized as moderate risk, this includes URLs for which not enough data was available to make a definitive classification (e.g., brand new websites). Therefore, a URL that is labeled a moderate risk is not necessarily malicious. So while the vast majority of the web is not malicious, there are hundreds of millions of sites that organizations need to account for in their defenses.

Figure 5: Risk assessment of URLs classified in 2014
Trustworthy 54%; Low Risk 11%; Moderate Risk 30%; Suspicious 2%; High Risk 3%

Another important characteristic to consider is where URLs are hosted. Figure 6 depicts malicious URLs by country. The percentages in this chart are significantly different from those in Figures 3 and 5. Countries such as Russia and China, which had a major presence in malicious IP origins, are not nearly so prevalent when considered by the location of malicious URLs. One reason for this is that attackers in high-risk countries often host their malware URLs in the United States or other countries that will not be blocked automatically by geo-filtering services. An example of such a service is an enterprise network that is configured to reject all connection attempts involving URLs from a high-risk country. This underscores the importance of having URL reputation data independent of classification, as filtering purely by IPs may not be enough to keep networks and users secure.

Figure 6: Top 10 countries that host malicious URLs
48% United States; 8% France; 4% Germany; 4% Russian Federation; 4% Netherlands; 2% United Kingdom; 2% China; 2% Canada; 2% Brazil; 1% Turkey

Users and networks need to be kept safe from hundreds of millions of malicious websites.

To further analyze this data, Webroot looked at the 83 categories that are used to classify URLs, such as content delivery networks, online greeting cards, and translation services. The BrightCloud Web Classification Service includes six categories of high-risk URLs, which are known spam URLs, malware sites, phishing, proxy avoidance and anonymizers, spyware/adware, and botnets. Excluding those categories, Figure 7 shows the top 15 categories in terms of high risk and suspicious activity, and their relative distributions of suspicious, moderate risk, low risk, and trustworthy URLs. These are sites that may have been compromised and not remediated, or have been correlated to other malicious URLs, IP addresses, files, or mobile apps.

Online Greeting Card websites have the highest likelihood of being suspicious, followed by Dynamically Generated Content sites, which is, typically, a highly trustworthy category. Computer and Internet Security sites have a disproportionately high percentage of high risk URLs, as they include references to security analysis that mentions malicious URLs and related content, and may even include links for legitimate reasons, such as security blogs. Please note that the All Categories designation is an average across all 83 categories, including the malicious categories mentioned earlier, accounting for the relatively high risk.

Figure 7: Top 15 Suspicious to High Risk website categories, excluding Malicious categories (stacked bars per category showing the share of High Risk, Suspicious, Moderate Risk, Low Risk and Trustworthy URLs; category labels recoverable from the chart include Online Greeting Cards, Dynamically Generated Content, Marijuana, Translation, Web-based Email, Personal Storage, Abused Drugs, Recreation & Hobbies and All Categories)

Attackers in high-risk countries are hosting malicious sites in more trustworthy countries.

In Figure 8 (below), the left column shows the top 10 most commonly visited URL categories, while the right column reflects the top 10 suspicious to high-risk URL categories. Naturally, URLs in malicious categories pose the most risk. When excluding those malicious categories, the greatest percentage of suspicious to high risk URLs are Business and Economy, Society, Shopping, Travel, and Health and Medicine.

Figure 8: Breakdown of top 10 URL Categories in 2014

Top 10 Categories for URLs
1. Business and Economy 21.2%
2. Society 12.8%
3. Travel 6.4%
4. Adult and Pornography 5.7%
5. Shopping 5.4%
6. Personal sites and Blogs 4.8%
7. Entertainment and Arts 4.0%
8. Health and Medicine 2.7%
9. Computer and Internet Info 2.5%
10. News and Media 2.3%

Top 10 Categories Suspicious to High Risk URLs
1. Spam URLs 30.9%
2. Malware Sites 13.7%
3. Business and Economy 7.8%
4. Proxy Avoidance and Anonymizers 6.7%
5. Phishing and Other Frauds 6.4%
6. Society 5.1%
7. Shopping 5.1%
8. Travel 2.7%
9. Health and Medicine 1.8%
10. Entertainment and Arts 1.8%

Conversely, some categories that might be assumed suspicious or unwanted due to their nature are relatively reputable when compared to average scores. An example is URLs tied to the Cheating category, for which nearly 85% are Trustworthy or Low Risk, as compared to the average for all URLs of 65%. Other such categories include Hate and Racism (82% Trustworthy or Low Risk), Gross (81%), Violence (77%), Illegal (67%), Adult and Pornography (65%), and Nudity (65%). While enterprises—and households, for that matter—may not want their users to visit these types of sites, access and limitations thereof must be based on reliable classifications, as reputation scores alone cannot cover these sites based on preference.

A list of categories used by Webroot can be found at www.brightcloud.com.

30% of internet users access phishing sites.

Webroot BrightCloud Real-Time Anti-Phishing

The Webroot BrightCloud Real-Time Anti-Phishing Service provides time-of-need analysis of sites to automatically determine whether they are phishing sites within milliseconds. Real-time analysis is critical with
