What The IPS Saw

Analysis of HP TippingPoint intrusion prevention system alerts from the past five years reveals how attackers pump out exploits in wake of patches, and how old threats never die

Researchers have drilled down into billions of alerts from intrusion prevention system (IPS) worldwide in an effort to get better picture of the anatomy of todays attacks.
The preliminary findings shed light on spikes in attacks, as well as the source of the types of attacks plaguing organizations. HP researchers Sathya Chandran Sundaramurthy and Sandeep Bhatt of HP Labs, and Marc Eisenbarth of HP TippingPoint, analyzed more than 35 billion alerts issued by its TippingPoint IPS devices between 2007 and 2012 at more than 1,000 of its customer sites around the world, and plan to present their findings at a big data conference next month called BADGERS12 in Raleigh, N.C.
One thing they found: those old-school attacks like SQL Slammer are alive and well. The HP researchers saw the IPSes triggered alerts for the near-decade old Slammer worm more than one hundred times as much as any other threat. In fact, Slammer accounts for almost 2% of all alerts raised by 6,000 filters over the 5 year period, the researchers wrote in their paper.
More than half of its customers had a Slammer infection, followed by Nimda (46 percent); Back Orifice (31.4 percent); Storm (8.29 percent); and Code Red (2.29 percent). Slammer, which was first discovered in 2003, was spotted in HPs data set in January of 2009, and hasnt been seen since mid-February of this year, the report says. The alerts for the worm hit a high of 42 million on February 15, 2011.
There have been reports ... that Slammer activity, which always exists in the background, dipped significantly between March 1 and April 12, 2011. This is consistent with our findings; it is likely that, in response to the February 15 spike, administrators initially took measures to weed out Slammer infections, the researchers said. Many people have noted that Slammer persists on the Internet as a sort of background radiation and our results are consistent with this, except for a specific high volume denial-of-service attack using the Slammer payload targeting just one customer. While it is certainly possible that the target was a vulnerable instance of Microsoft SQL Server, it is also quite possible that the intended victim was a piece of security or networking equipment in hopes that it could not keep up with the attack volume.
Bob Walder, chief research officer for NSSLabs, says the phenomenon of old-school malware re-emerging is a good reality-check. The frequency and volume of probes from machines infected by 10-year old malicious code is a constant source of amazement, and a reminder that some of these machines may never be disinfected, at least not until they simply die of old age, says Bob Walder, chief research officer for NSSLabs. It is also a salutary reminder that when choosing a security product like an IPS it is important to verify that the vendor does not age out older signatures too aggressively in order to improve performance of the product. SQL Slammer is showing no signs of dying out, and even old chestnuts like the LAND attack can reemerge as programmers forget lessons learned years ago. If any IPS vendor tries to tell you that old vulnerability signatures dont matter, it is time to run far, run fast.
The IPS alerts also provided a glimpse into how attackers respond to vendors disclosing and patching their bugs. It basically illustrated the concept of Exploit Wednesday, the day after Microsofts Patch Tuesday release. The data shows in some cases, a vendors patch results in jump in exploit attack attempts, researchers say. HP TippingPoints IPS had a filter back in 2005 to detect some JavaScript bugs in Mozilla Firefox, Thunderbird, and SeaMonkey that had not yet been patched by the company. Mozilla issued a fix for the bugs in April of 2010: and it was then that the IPS spit out a wave of alerts about attacks it detected exploiting those bugs: The number of alerts increased after the patch release date, while there was very little activity for the prior years, the researchers said in their report.
When Microsoft on October 12, 2010, issued a patch for its Extended OpenType fonts flaw, the IPSes detected a massive increase in exploit attempts. (TippingPoint had a filter to detect exploits of the flaws back in 2006). We believe that attackers became aware of this vulnerability and started hosting malicious websites that contain EOT fonts crafted and embedded in a way that would compromise Windows client machines, the researchers wrote. Even though the filter just detects the download of EOT font over the network (which could be benign), the fact that the download increased after a patch disclosure is suspicious.
[UPDATE]: HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project, says while its true that patches often drive exploitation, there are a few catches here. Notably, IPS signatures are frequently subject to false positives. My hunch is that most of the pre-disclosure and post-disclosure baseline levels of alerts are actually false positives with those specific filters, Moore says. I saw this firsthand while testing IPS products at BreakingPoint -- sending enough random data for a long enough period of time results in all sorts of signatures firing on benign traffic. The nature of client-side exploits ... is that evasion is incredibly easy: the true level of attacks could be much higher, but hidden in gzip compression, chunked encoding, JavaScript encoding, SSL, and other forms of evasion, all of which are common in typical drive-by attacks.
NSSLabs Walder says exploit spikes are inevitable after vulnerabilities get disclosed. Many of these will be successful as security practitioners struggle to keep up with patching vulnerable software deployed on their network, or are unable to do so due to vulnerabilities being disclosed without first giving the software vendors time to formulate a fix, Walder says.
Take the recent Java exploit exposed last month, which quickly was added to the BlackHole crimeware kit and the open-source Metasploit penetration testing tool. Within days, it [the exploit] became a major threat to Internet users, he says.
[Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit. See
New Reliable Java Attack Spreading Fast, Uses Two Zero-Day Bugs
.]
Thats where IPSes with timely signatures can come in handy as a stopgap measure prior the release and application of a patch. When purchasing an IPS, it is very important to focus on the signature-writing capabilities of the vendor, whether or not they have a history of producing timely and accurate updates, and whether their signatures are vulnerability- or exploit-focused, he says.
[UPDATE]: Rapid7s Moore says hed like to see more analysis of the initial IPS data from HP. I would love to see a deeper dive into this data with more clear-cut examples of the pre-disclosure and post-disclosure periods. The report includes a lot of great data to chew on, but I dont believe they make a compelling case for post-patch exploitation increases today, he says.
The researchers say they plan to continue their analysis, according to the report.
Moore says the publication of HPs analysis of the data was intriguing. The most surprising thing about this report was the fact it was released at all. It is amazing that 1,000 of TippingPoints customers agreed to provide their IPS alert data for this analysis, he says.
HPs research paper is
available here
for download.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
What The IPS Saw