Index

Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

A

AAA protocols, 31–32
abstraction
  object-oriented programming, 512
  in security, 211
  software development, 317–318
abuse in voice communications, 187–188
acceptable use policies, 182, 222
acceptance, risk, 255
access aggregation attacks, 53
access control, 1
  AAA protocols, 31–32
  attacks, 47
    access aggregation, 53
    asset valuation, 49–50
    denial of service, 62
    exam essentials, 80–82
    overview, 48
    password, 54–58, 58
    preventing, 62–64
    review questions, 83–86
    risk elements, 49
    smart cards, 61–62
    social engineering, 59–61
    spoofing, 58–59
    summary, 79
    threat modeling, 50–52
    vulnerability analysis, 53
    written lab, 82
  authentication. See authentication
  authorization, 33–34
  centralized vs. decentralized, 26–27
  CIA Triad, 3–4
  content-dependent, 288–289
  defense-in-depth strategy, 7–8, 8
  Diameter, 32–33
  discretionary access controls, 22
  elements, 8–11
  email, 182
  exam essentials, 39–41
  federated identity management, 30–31
  identification. See identification
  identity and access provisioning life cycle, 35–38
  Kerberos, 28–29
  lattice-based, 23, 23, 445
  mandatory access controls, 24–25
  monitoring. See monitoring
  nondiscretionary access controls, 22
  overview, 2–3
  permissions, rights, and privileges, 4–5
  policies, 4
  RADIUS, 32
  review questions, 42–45
  role-based, 25–26
  rule-based, 22–23
  security operations principles, 21–22
  single sign-on, 27–28, 30–31
  summary, 38–39
  TACACS+, 32
  technical controls, 761
  types, 5–7
  users, owners, and custodians, 3
  written lab, 41
access control lists (ACLs)
  access control matrices, 443
  DACs, 22
  firewalls, 33, 115
access control matrices, 33, 443–444
access control triples, 448
access points in wireless networks, 132–137
access review audits, 75
accessibility security in site design, 750
accountability
  access control, 11
  audits, 76
  description, 515
  monitoring, 71–72
  security governance, 220
accounts
  dual administrator, 76–77
  lockout controls, 63
  managing, 64
  reviews, 36
  revocation, 37–38
accreditation in evaluation models, 466–468
ACID model, 286–287
acknowledge (ACK) packets, 102, 104–105
ACLs (access control lists)
  access control matrices, 443
  DACs, 22
  firewalls, 33, 115
ACTA (Anti-Counterfeiting Trade Agreement), 692
acting phase in IDEAL model, 311, 311
active content in malicious code, 339
active IDS responses, 594
ActiveX controls
  signing, 340
  vulnerabilities, 281, 506–507
actual cash value (ACV) clause, 654–655
ad hoc networks, 133
Adams, Douglas, 122
Address Resolution Protocol (ARP)
  cache poisoning, 109
  description, 109
  purpose, 94
  spoofing, 194
addresses
  IP. See IP (Internet Protocol)
  MAC, 94, 112
addressing memory, 494
Adleman, Leonard, 406
administrative access controls, 7, 8
administrative law, 684–685
administrative physical security controls, 747
Administrator group
admissible evidence, 715
Advanced Encryption Standard (AES), 135, 391–392
Advanced Persistent Threat (APT), 52
advisory policies, 222
adware, 339
AES (Advanced Encryption Standard), 135, 391–392
agents
  DoS attacks, 191
  overview, 279–280
  relay, 181
aggregation
  access aggregation attacks, 53
  databases, 290–291
agile software development, 308–309
AHs (Authentication Headers), 159, 426
alarms, 758, 761
ALE (annualized loss expectancy)
  impact assessment, 629
  threat/risk calculations, 249–251
algorithms, defined, 367
alternate processing sites, 657
  cold sites, 657–658
  continuity planning, 632
  hot sites, 658–659
  mobile sites, 659–660
  multiple, 661
  service bureaus, 660
  warm sites, 659
alternative systems, 632
ALUs (arithmetic-logical units), 494
American Civil War, cryptography in, 363
amplifiers, 120
analog communications in LANs, 141–142
analysis of incidents, 732
analytic attacks, 428
AND operation, 369
annexes in Common Criteria, 463
annualized loss expectancy (ALE)
  impact assessment, 629
  threat/risk calculations, 249–251
annualized rate of occurrence (ARO)
  likelihood assessment, 627, 629
  threat/risk calculations, 249–250
anomaly detection, 592
Anti-Counterfeiting Trade Agreement (ACTA), 692
antivirus (AV) mechanisms, 332–333, 581
APIPA (Automatic Private IP Addressing), 169
applets
  hostile, 330
  vulnerabilities, 280–281, 505–506
application attacks, 344
  back doors, 346
  buffer overflows, 344–345
  exam essentials, 354–355
  masquerading, 352–353
  privilege escalation attacks, 346
  reconnaissance attacks, 350–352
  review questions, 356–359
  summary, 353–354
  TOCTTOU issue, 345
  Web applications, 346–350, 348
  written lab, 355
application issues, 276
  distributed computing, 278–281
  local/nondistributed computing, 276–277
  logs, 66
Application layer
  OSI model, 98–99
  TCP/IP model, 99–100, 100–101, 109–110
application-level gateway firewalls, 116
approval in continuity planning, 633
APT (Advanced Persistent Threat), 52
arc radius of cable, 124
arithmetic-logical units (ALUs), 494
ARO (annualized rate of occurrence)
  likelihood assessment, 627, 629
  threat/risk calculations, 249–250
ARP (Address Resolution Protocol)
  cache poisoning, 109
  description, 109
  purpose, 94
  spoofing, 194
arpspoof tool, 194
“Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security”, 461
ASs (authentication services), 28
assembly code, 300
assembly language, 300
assessments
  BIA. See business impact assessment (BIA)
  recovery plan development, 665
  vulnerability, 554–555
asset valuation
  attacks, 49–50
  defined, 243
  risk, 245–248
asset value (AV) in BIA, 626, 628
assets
  defined, 242
  managing, 549–550
  in threat modeling, 51
assignment of risk, 255
assurance
  evaluation assurance levels, 463–464
  overview, 454
  software development security, 298
asymmetric cryptography, 365, 405
  El Gamal, 408
  elliptic curve, 408–409
  hash functions, 409–412
  keys
    algorithms, 383–386, 384
    managing, 419–420
    public and private, 405–406
  RSA, 406–407
asynchronous communications in LANs, 142
asynchronous dynamic password tokens, 16
asynchronous tokens, 15–16
asynchronous transfer mode (ATM), 177
ATO (authorization to operate), 241
atomicity in ACID model, 286
attachments, email, 184–185
attackers
  defined, 48
  threat modeling, 51
attacks
  access control. See access control
  application. See application attacks
  cryptography, 428–430
  defined, 244
  incremental, 519
  network. See networks
  password. See passwords
  preventive measures. See preventive measures for attacks
  wireless communications, 136
attenuation, cable, 127
attributes in relational databases, 283
auction sniping, 280
audio streaming, 692
audit trails, 11
  physical access, 761
  purpose, 68–69
auditors, 73, 210
audits and auditing, 73–74
  access controls, 64
  access review, 75
  configuration, 314
  entitlement, 75
  external, 78
  inspection, 74–75
  privileged groups, 75–77
  report handling, 77–78
  security, 561–562
  security governance, 219
authentication
  access control, 9–10
  biometric factors, 17–20, 19
  configuration, 314
  cryptography for, 365–366, 366
  Diameter, 32–33
  Kerberos, 28–29
  multifactor, 20–21, 63
  overview, 11–12
  passwords, 12–14
  protocols, 154
  RADIUS, 32
  remote access, 163
  security governance, 218–219
  smart cards, 14–15
  tokens, 15–16
Authentication Headers (AHs), 159, 426
authentication services (ASs), 28
authorization
  access control, 10–11
  mechanisms, 33–34
  security governance, 219
authorization to operate (ATO), 241
automated provisioning systems, 35
automated recovery, 608
automated recovery without undue loss, 608
Automatic Private IP Addressing (APIPA), 169
automatic rollover, 502
auxiliary alarm systems, 758
AV (antivirus) mechanisms, 332–333, 581
AV (asset value) in BIA, 626, 628
availability
  CIA Triad, 3–4, 217–218
  techniques for, 452–453
AVG function, 290
awareness training, 263–264

B

back doors, 346, 516, 518
back up keys, 420
background checks, 259
backups, 666–667
  best practices, 668–669
  disk-to-disk, 668
  neglecting, 667
  tapes
    formats, 667–668
    protecting, 547–548
    rotating, 669
    sensitive information, 541–542
badges, 757
bandwidth on demand, 176
base+offset addressing, 494
baseband cable, 124–125
baseband technology, 142
baselines, 556, 557
  images, 557–558, 557
  security governance, 222–223
Basic Input/Output System (BIOS), 500–501
basic preventive measures, 579
Basic Rate Interface (BRI), 174
basic service set identifiers (BSSIDs), 133
bastion hosts, 117
batch processing, 501
battery backup power, 606, 764
BCI Good Practices Guide, 664
BCP. See business continuity planning (BCP)
beacon frames, 134
behavior-based detection, 591–593
behavioral biometric methods, 17
behaviors in object-oriented
black-box approaches
  key management, 420
  object-oriented programming, 512
black-box testing, 315, 600–601
black boxes in phreaking, 189
blackouts, 652, 764
block ciphers, 380
blocking attachments, 184–185
Blowfish block cipher, 390
blue boxes, 189
Blue Screen of Death (BSOD), 299
bluebugging, 132
bluejacking, 132
bluesnarfing, 132
Bluetooth standard, 132
Boca Ciega High School, 18
Boehm, Barry, 306, 308
Boeing record retention case, 545
bombings, 650
book ciphers, 379–380
Boolean mathematics, 368–371
boot sectors, 330
Bootstrap Protocol (BootP), 110
botmasters, 336
botnets, 336, 587
bots, 191, 279–280
bottom-up
Recommended publications
  • Large-Scale Malware Experiments
    LARGE-SCALE MALWARE EXPERIMENTS ... CALVET ET AL.
    LARGE-SCALE MALWARE EXPERIMENTS: WHY, HOW, AND SO WHAT? Joan Calvet, Jose M. Fernandez, École Polytechnique de Montréal, Montréal, Canada. Email {joan.calvet, jose.fernandez}@polymtl.ca. Pierre-Marc Bureau, ESET, Montréal, Canada. Email [email protected]. Jean-Yves Marion, LORIA, Nancy, France. Email [email protected].
    ABSTRACT. One of the most popular research areas in the anti-malware industry (second only to detection) is to document malware characteristics and understand their operations. Most initiatives are based on reverse engineering of malicious binaries so as to
    • Unlike with in-the-wild experiments [1], there are fewer ethical or legal issues to deal with than when performing arbitrary attacks against infected computers.
    • Having an in vitro environment provides us with a way to conduct computer security research in a scientific way: we can reproduce experiments and test the effect of various independent variables.
    We decided to use the Waledac botnet as a first experiment for the following reasons:
    • Thanks to prior reverse engineering [2], we had in-depth knowledge of this threat family.
    • This malware does not replicate, thus limiting the risk of running an experiment that might get out of control.
    • There exists a set of vulnerabilities in Waledac’s peer-to-peer protocol that were worth investigating. We wanted to evaluate the impact of a mitigation scheme against the botnet.
    1.1 The Waledac case study. The architecture of the Waledac botnet is split into four layers. The first layer contains infected hosts with private IP addresses that are referred to as spammers. They are essentially the ‘worker’ bots and constitute approximately 80% of the botnet.
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
  • The Exceptionalist's Approach to Private Sector Cybersecurity
    The Exceptionalist’s Approach to Private Sector Cybersecurity: A Marque and Reprisal Model By Michael Todd Hopkins B.A., June 2000, University of Nevada, Reno J.D., May 2003, Southern Methodist University A Thesis submitted to The Faculty of The George Washington University Law School in partial satisfaction of the requirements for the degree of Master of Laws August 15, 2011 Thesis directed by Gregory E. Maggs Interim Dean; Professor of Law Acknowledgement I wish to thank Interim Dean Gregory E. Maggs for his feedback and comments in this endeavor. Any errors or omissions are solely that of the author. ii Disclaimer Major Michael T. Hopkins serves in the U.S. Air Force Judge Advocate General’s Corps. This paper was submitted in partial satisfaction of the requirements for the degree of Master of Laws in National Security and U.S. Foreign Relations at The George Washington University Law School. The views expressed in this paper are solely those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense or United States Government. iii Abstract The Exceptionalist’s Approach to Private Sector Cybersecurity: A Marque and Reprisal Model As practitioners and academics debate our nation’s cybersecurity policy the focus remains upon our national security interests as the federal government lacks the resources and people to protect all areas of society. However, this approach largely ignores the private sector despite an estimated global loss of one trillion dollars annually to cyberattacks and exploitations. Moreover, current domestic and international law do little to provide self-defense options for the private sector.
  • Downloading and Running
    City Research Online City, University of London Institutional Repository Citation: Meng, X. (2018). An integrated network-based mobile botnet detection system. (Unpublished Doctoral thesis, City, University of London) This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/ Link to published version: Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] AN INTEGRATED NETWORK-BASED MOBILE BOTNET DETECTION SYSTEM Xin Meng Department of Computer Science City, University of London This dissertation is submitted for the degree of Doctor of Philosophy City University London June 2017 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.
  • CONTENTS in THIS ISSUE Fighting Malware and Spam
    APRIL 2010. Fighting malware and spam. ISSN 1749-7027
    CONTENTS: 2 COMMENT; 3 NEWS: VB2010 programme announced; All star superstars; Dangerous places to be online; 3 VIRUS PREVALENCE TABLE; FEATURES: 4 Evasions in Intrusion Prevention/Detection Systems; 11 Botnets, politics and hacktivism – an interesting partnership; 15 ‘Signatures are dead.’ ‘Really? And what about pattern matching?’; 21 TUTORIAL: Exploit kit explosion – part one; 23 COMPARATIVE REVIEW: VB100 – Windows XP SP3; 68 END NOTES & NEWS.
    IN THIS ISSUE: A FUTILE BATTLE? Are takedowns an exercise in futility? Mary Landesman evaluates recent botnet takedown efforts (page 2). CYBER WARFARE: Terry Zink looks at the increasingly common phenomenon of hacktivism and details three recent cyber warfare attacks (page 11). EXPLOIT KIT EXPLOSION: In the first of a two-part series introducing exploit kits, Mark Davis outlines the basic details of the dime-a-dozen kits used in drive-by browser-based attacks (page 21). RECORD VB100 ON XP: In VB’s largest ever VB100 comparative review, a total of 60 products are put to the test on Windows XP. John Hawes has all the details (page 23).
    COMMENT. ‘There is often little incentive for domain registrars or hosting providers to make it more difficult for criminals to obtain services.’ Troyak-AS resumed service under a new upstream provider, and this pattern was repeated numerous times. These less than dramatic results beg the (multi)-million-dollar question: are such takedown efforts an exercise in futility? Certainly if one focuses only on short-term statistics, the answer would appear to be ‘yes’. However, if one focuses on some of the precedents set during the first quarter, tangible long-term impact may become a reality.
  • North Dakota Homeland Security Anti-Terrorism Summary
    UNCLASSIFIED North Dakota Homeland Security Anti-Terrorism Summary The North Dakota Open Source Anti‐Terrorism Summary is a product of the North Dakota State and Local Intelligence Center (NDSLIC). It provides open source news articles and information on terrorism, crime, and potential destructive or damaging acts of nature or unintentional acts. Articles are placed in the Anti‐Terrorism Summary to provide situational awareness for local law enforcement, first responders, government officials, and private/public infrastructure owners. If you have any comments to improve this summary or local information you would like to see in the summary please send the information to; [email protected] UNCLASSIFIED UNCLASSIFIED Quick links North Dakota Energy Regional Food and Agriculture National Government Sector (including Schools and Universities) International Information Technology and Banking and Finance Industry Telecommunications Chemical and Hazardous National Monuments and Icons Materials Sector Postal and Shipping Commercial Facilities Public Health Communications Sector Transportation Critical Manufacturing Water and Dams Defense Industrial Base Sector North Dakota Homeland Security Emergency Services Contacts North Dakota (North Dakota) Fargo fix takes on water. Some 100,000 volunteers from around the upper Midwest came together in a massive sand‐bagging operation last spring to save this city from a record flood of the Red River. Now, that unity is starting to show cracks. Planning is moving ahead for a more than $1 billion channel‐building project that is designed to protect the Fargo and Moorhead, Minnesota, metropolitan area from even the most severe floods. But the huge ditch could worsen the problem for people living downstream and has drawn opposition from those in its proposed path.
  • Kelihos Botnet: a Never-Ending Saga
    2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings May 15th, 10:00 AM Kelihos Botnet: A Never-Ending Saga Arsh Arora University of Alabama, Birmingham, [email protected] Max Gannon University of Alabama, Birmingham, [email protected] Gary Warner University of Alabama, Birmingham, [email protected] Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, OS and Networks Commons, Other Computer Sciences Commons, and the Science and Technology Studies Commons Scholarly Commons Citation Arora, Arsh; Gannon, Max; and Warner, Gary, "Kelihos Botnet: A Never-Ending Saga" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 4. https://commons.erau.edu/adfsl/2017/papers/4 This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an (c)ADFSL authorized administrator of Scholarly Commons. For more information, please contact [email protected]. Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 KELIHOS BOTNET: A NEVER-ENDING SAGA Arsh Arora, Max Gannon, Gary Warner University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 fararora, gannonm, [email protected] ABSTRACT This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom.
  • CONTENTS in THIS ISSUE Fighting Malware and Spam
    JUNE 2009. Fighting malware and spam. ISSN 1749-7027
    CONTENTS: 2 COMMENT: Malware without a name is still malware; 3 NEWS: Obama pledges security education from boardroom to classroom; Beware of searching for lyrics; 3 VIRUS PREVALENCE TABLE; 4 TECHNICAL FEATURE: Anti-unpacker tricks – part seven; CONFERENCE REPORTS: 11 CARO mio, AMTSO mon amour; 12 EICAR 2009 in a nutshell: ich bin ein EICARer; 14 COMPARATIVE REVIEW: VB100 on Windows 2003 Server x64; 28 END NOTES & NEWS. This month: anti-spam news and events and a case study of the Waledac spambot.
    IN THIS ISSUE: WHERE’S WALEDAC? Win32/Waledac is a trojan that is used to send spam. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and sniff passwords. Scott Wu, Terry Zink and Scott Molenkamp take a detailed look at the spambot (page S1). VB100 ON WINDOWS SERVER 2003: This month’s comparative review tackles the 64-bit version of Windows Server 2003, with the platform bringing out quite a number of quirks and oddities in several of the products under test. John Hawes presents a round up of the results including the latest RAP testing data (page 14).
    COMMENT. ‘At the rate malware is currently released ... it may be that the specific naming of malware is a dead concept.’ Automatically generated descriptions can easily detail the files that are added or modified and the network connections that are made by the malware. The downside is that an automated system cannot adapt to malware that requires more specific conditions, whereas a human can finesse a system into prompting additional malicious behaviour from a sample, and better imitate user behaviour.
  • Articles Public-Private Cybersecurity
    Articles Public-Private Cybersecurity Kristen E. Eichensehr* Calls for public-private partnerships to address U.S. cybersecurity failures have become ubiquitous. But the academic literature and public debate have not fully appreciated the extent to which the United States has already backed into a de facto system of “public-private cybersecurity.” This system is characterized by the surprisingly important, quasi-governmental role of the private sector on key cybersecurity issues, and correspondingly by instances in which the federal government acts more like a market participant than a traditional regulator. The public-private cybersecurity system challenges scholarly approaches to privatization, which focus on maintaining public law values when government functions are contracted out to private parties. The informal and complicated structure of public-private relationships in cybersecurity renders concerns about public law values at once more serious and more difficult to remedy. This Article first explores the line between public and private functions and provides a descriptive account of the public-private cybersecurity system. It highlights the relative roles of the U.S. government and private sector in four important contexts related to international cybersecurity threats: (1) disrupting networks of infected computers used by transnational-criminal groups (“botnet takedowns”), (2) remediating software vulnerabilities that can be used for crime, espionage, and offensive operations (“zero-day vulnerabilities”), (3) attributing cyber intrusions to state-sponsored attackers, and (4) defending privately-owned systems and networks from sophisticated, nation-state-sponsored attackers. The Article then uses the public-private cybersecurity system to challenge and complicate existing scholarship on privatization. Procedurally, the public-
    * Assistant Professor, UCLA School of Law.
  • Malware Authors Don't Learn, and That's Good!
    Malware Authors Don’t Learn, and That’s Good! Joan Calvet, Carlton R. Davis, École Polytechnique de Montréal, Montréal, QC, Canada, {joan.calvet, carlton.davis}@polymtl.ca; Pierre-Marc Bureau, ESET, San Diego, CA, U.S.A., [email protected].
    Abstract. The Waledac malware first appeared in November 2008, shortly after the Storm botnet became inactive. This malware is currently quite prominent and active. Its main propagation mechanism is via social engineering schemes which entice or trick users into downloading and executing the malware binaries. The Waledac malware differs significantly from the Storm malware. For example, unlike Storm, Waledac utilises strong cryptographic algorithms, such as AES and RSA with 128 and 1024-bit keys, respectively. There are however a number of design and implementation errors and weaknesses in the malware which makes it relatively easy to intercept, analyse and modify and even to re-
    installed by other malware families, such as Conficker [9]. The functionalities in Waledac have remained fairly constant over time. The main changes are related to the malware protection layer, i.e. the packaging of the binaries, which is aimed at evading anti-malware detection software. The first variants of Waledac binaries were packed using the publicly available UPX packer [4]. This packer is well known and it is used by a number of legitimate software vendors; it offers very limited protection against reverse engineering and detection by anti-malware softwares. In later variants of the malware, the UPX packer was replaced with custom made packers and various anti-debugging and anti-emulation techniques incorporated into the binaries to slow down or thwart reverse engineering analyses.
  • Email Threats 2017
    Internet Security Threat Report (ISTR). Email Threats 2017. An ISTR Special Report. Analyst: Ben Nahorney. October 2017.
    Contents: 3 Executive summary and key findings; 5 Big numbers; 7 Malware; 8 Impact; 9 Malware distribution; 11 Spambots; 12 Necurs; 12 BlankSlate; 12 Fioesrat; 13 Silentbrute; 13 Pandex; 13 Oliner; 13 Sarvdap; 13 Emotet; 13 Waledac; 14 BEC scams; 15 Latest trends; 16 Beyond wire transfers; 16 Typosquatting; 16 Phishing; 16 Phishing scams of note; 17 Spam; 18 Advertising spam; 19 Other distribution methods; 19 The cost of spam; 21 User email behavior; 23 Protection and best practices; 24 Email security; 24 CloudSOC; 24 Download Insight; 24 Advanced antivirus engine; 24 SONAR behavior engine; 24 Ongoing development; 25 Best practices; 26 About Symantec; 26 More Information.
    Figures and Tables: 8 Email users targeted by malware per month; 8 Percent of email users targeted by malware by industry; 9 Top three malicious email themes; 10 Downloader detections by month; 10 URL malware rate; 12 Necurs botnet activity; 13 Waledac (Kelihos) botnet activity; 15 BEC emails received per organization; 15 Top subject lines in BEC scam emails; 16 Phishing rate; 18 Spam rate by half year; 18 Spam campaign advertising pharmaceuticals; 19 Bitcoin scam email; 19 Example Tofsee email; 19 The website Tofsee email links to; 22 Broadly shared emails with sensitive information; 22 Number of registered TLS email domains.
    Section 00, Executive summary and key findings (page 4). Executive summary. Key findings. Email is everywhere.
  • The Real Face of KOOBFACE: the Largest Web 2.0 Botnet Explained
    The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained A technical paper discussing the KOOBFACE botnet Written by Jonell Baltazar, Joey Costoya, and Ryan Flores Trend Micro Threat Research THE REAL FACE OF KOOBFACE: THE LARGEST WEB 2.0 BOTNET EXPLAINED TABLE OF CONTENTS Table of Contents .................................................................................................................. i Introduction...........................................................................................................................The WALEDAC Botnet 1 Overview................................................................................................................................3 KOOBFACE DOWNLOADER................................................................................................ 5 SOCIAL NETWORK PROPAGATION COMPONENTS ................................................................... 6 WEB SERVER COMPONENT .................................................................................................. 7 ADS PUSHER AND ROGUE ANTIVIRUS INSTALLER................................................................... 8 CAPTCHA BREAKERS........................................................................................................ 8 DATA STEALERS.................................................................................................................. 9 WEB SEARCH HIJACKERS .................................................................................................. 11 ROGUE DNS CHANGERS...................................................................................................