DOCSLIB.ORG

Kelihos Botnet: a Never-Ending Saga CDFSL Proceedings 2017

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Kelihos Botnet: a Never-Ending Saga CDFSL Proceedings 2017 Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 KELIHOS BOTNET: A NEVER-ENDING SAGA Arsh Arora, Max Gannon, Gary Warner University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 fararora, gannonm, [email protected] ABSTRACT This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom. From this perspective, the paper has two objectives: encouragement and observation. First, by providing insight into the methodology and tools used by student researchers to document and understand a botnet, the paper strives to embolden other academic programs to follow a similar path and to encourage such discovery. Second, the paper shares observations and insights gathered about the botnet's recent spam activity showing evidence of the \spam as a service" model and demonstrating a variety of unique and dangerous spam campaigns conducted via the Kelihos botnet, including banking trojans, credential phishing, and ransomware attacks. Keywords: Kelihos, Botnet, Malware, Spam, Ransomware, Banking Trojan, Pharma, Pump and Dump, Geo-Targeting 1. INTRODUCTION CrowdStrike, Dell Secureworks, Kaspersky, and others sinkholed 100,000 nodes of the While the Kelihos botnet first debuted in Kelihos.B malware [Kerkers et al., 2014]. At 2009, the current botnet is a functional deriva- RSA Conference 2013, CrowdStrike demon- tive of two other famous botnets, Waledac, strated a repeat performance, targeted Ke- and the Storm Worm [Adair, 2012, Bureau, lihos.C [Rossow et al., 2013, Werner, 2013]. 2011]. The Kelihos botnet is known by a Despite these admirable attempts, Kelihos number of aliases in the community includ- continues to send significant volumes of spam ing Hlux and Slenfbot [Singh et al., 2014]. on a daily basis [Stringhini et al., 2014]. Even Kelihos evolved and became sophisticated after all of the takedown attempts, Kelihos over time, but no interruption could stop the was still ranked as the top spam-sending bot- working of Kelihos. Two widely celebrated net in 2015 and continues to yield a signifi- takedowns of Kelihos have been performed by cant spam volume today [McAfee, 2016, Tech, security companies. The first was Operation 2016]. b79, conducted by Microsoft in September of 2009 [Nadji et al., 2013]. In March of 2012, The Kelihos botnet utilizes a peer to peer c 2017 ADFSL Page 9 CDFSL Proceedings 2017 Kelihos Botnet: A Never-Ending Saga network infrastructure that hides the loca- ilies. tion of the true command and control server Another addition to the spam campaign [Dietrich et al., 2013]. Kelihos-infected com- is sending links to a Word document that puters communicate with one another and will drop a variant of Zeus, specifically, geo- are used in two primary ways, depending targeting for German and United Kingdom on whether they have a publicly reachable banks. In the current iteration, it uses stolen IP address or not. Nodes which cannot be SMTP credentials to login as a legitimate addressed from the Internet just send spam. user to a large number of mail servers and Internet addressable nodes help to anonymize sends spam. the location of the C&C server by acting as a multi-tiered proxy, receiving requests for 2. NETWORK spam details from spamming nodes, and re- questing those same details from other nodes, eventually leading to a job server which is leased infrastructure and communicates with the C&C server, as documented by Fortinet's Kyle Yang at BlackHat [Yang, 2012]. The most unique aspect of Kelihos is the di- versity in its spam and its delivery mechanism. The spam diversity is primarily because Keli- hos provides \spam as a service" offering the use of its spamming infrastructure for hire to deliver any messages for a sender who is will- ing to pay their fees. The spam messages are Figure 1. Courtesy: Kyle Yang outlining Kelihos dominated by pharmaceutical spam, but are distribution network [Yang, 2012] not limited to it. Pharma spam seems to be Although the division of the botnet's oper- the fall-back position, when other higher pay- ation appears to be clear in Figure 1, the path ing customers have not hired the botnet to is actually complex. Starting from the bot- deliver something else. Kelihos has been ob- tom, the chart displays the worker or client served sending spam for pump and dump ma- nodes, which sends spam to the end user and nipulation of different stock symbols, money only communicate to the servers at the proxy mule job applications, and credential phish- level. The proxy level is the most interesting ing for Polish and French financial institu- one as it connects with other proxies, clients, tions. In the summer of 2016, Kelihos began and job servers. This 3-way communication geo-targeting for email delivery sending dif- makes it the most attractive and the one that ferent messages and payloads based on the contains maximum information. The proxy country-code Top Level Domain (ccTLD) of level receives templates from other proxies the email recipient ('.pl','.uk'). Malware, in- and also communicates with the job servers. cluding ransomware and Zeus banking tro- While Kelihos-infected Windows computers jans, were delivered only to certain geogra- serve as the proxy and worker nodes, job phies using this technique. Kelihos has been servers are leased hardware controlled by the seen spamming ransomware, sending Wild- criminals. Job servers are the ones that serve Fire [Arora & Warner, 2016b], CryptFile2 as the main operators to the command and [Arora & Warner, 2016a] and Troldesh [Arora control center. Job servers are often in dis- & Warner, 2016f] encryption ransomware fam- guise and try to be invisible under the shadow Page 10 c 2017 ADFSL Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 of different proxies; thus, making detection extremely complex and difficult. Lastly, the command and control center is handled by the bot herder and provides the information, spam templates, and updates needed to be distributed across the botnet. 3. INITIALIZATION In this section, researchers will describe the pattern that is followed by the Kelihos bi- nary to initiate, then communicate to its command and control center and eventually send spam. The process will be illustrated with screen captures from OllyDbg and Wire- shark. The details are shared so that they can be easily replicated by any individual Figure 2. Architecture of Kelihos Malware who has expertise with OllyDbg. The fol- lowing analysis was performed in a virtual 3.1.1 Parent Process environment (VMWare) operating in NAT In the following sub-section, researchers will network mode. demonstrate some breakpoints in OllyDbg 3.1 Processes that are helpful in performing the analysis. To attain optimum results, the following steps In the subsequent section, researchers will should be followed in the order mentioned. describe the process of how a Kelihos binary After introducing a Kelihos binary into performs when we try to self-infect. The pre- the virtual environment, start Process Hacker liminary observations can be viewed with the and OllyDbg as an administrator. Next, open help of programs such as Wireshark, Process the Kelihos binary in OllyDbg. Now, one Hacker, and OllyDbg 2.0 version. Next, we can see a process being activated in Process will explain the process of self-infecting with Hacker. The following breakpoints should a complete description of the process as de- be enabled under the Executables (E) tab of picted in Figure 2. As soon as we launch the OllyDbg: binary, it initiates and starts a child process. 1. Ntdll.dll Once the child process gets fully activated, it terminates the parent process and starts the (a) RtlReportSilentProcessExit communication process. Initially, it tries to (b) NtTeminateProcess make a TCP connection with several Internet (c) NtResumeThread Protocol (IP) addresses which are hard-coded 2. kernel32.dll in the binary. There is a unique identifier in the message that helps to authenticate the (a) Resume Thread communication coming from the Kelihos bi- nary. Once a connection is established, it makes a request for configuration (config) files. The config files contain the information Figure 3. Breakpoints for Parent Process about the spam template and the email ad- The researchers provide the specific break- dresses to be used for sending spam messages. points in Figure 3, so that the results may be c 2017 ADFSL Page 11 CDFSL Proceedings 2017 Kelihos Botnet: A Never-Ending Saga easily replicated. Once we start debugging the program, it will stop at the breakpoints in the following manner: 1. RtlReportSilentProcessExit Figure 5. Pre-loaded Dlls at Virtual Protect 2. NtTerminateProcess break 3. RtlReportSilentProcessExit 4. NtTerminateProcess 5. ResumeThread 6. NtResumeThread The process is complicated, but this method seems to obtain the maximum infor- mation from the parent process before mov- ing to the child process. This child process can be observed in Process Hacker. The tim- ing of when to attach to the child process is crucial, if one does it before or after the Figure 6. New DLLs loaded shown in Red following steps mentioned above, the desired result may not be obtained. Next, we attach Next, the binary will decrypt itself and the child process in a new OllyDbg window then proceed towards its communication with administrative rights. channel. 3.1.2 Child Process 3.2 Preparing for Take-Off Once the child process is attached success- This section demonstrates a decoding loop fully, we check the Executables (E) box and that is run across the code within the binary. set a breakpoint in the child process at the Figure 7 displays a certain memory address following location displayed in figure 4.
Load more

Recommended publications
  • Éric FREYSSINET Lutte Contre Les Botnets
    THÈSE DE DOCTORAT DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Spécialité Informatique École doctorale Informatique, Télécommunications et Électronique (Paris) Présentée par Éric FREYSSINET Pour obtenir le grade de DOCTEUR DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Sujet de la thèse : Lutte contre les botnets : analyse et stratégie Présentée et soutenue publiquement le 12 novembre 2015 devant le jury composé de : Rapporteurs : M. Jean-Yves Marion Professeur, Université de Lorraine M. Ludovic Mé Enseignant-chercheur, CentraleSupélec Directeurs : M. David Naccache Professeur, École normale supérieure de thèse M. Matthieu Latapy Directeur de recherche, UPMC, LIP6 Examinateurs : Mme Clémence Magnien Directrice de recherche, UPMC, LIP6 Mme Solange Ghernaouti-Hélie Professeure, Université de Lausanne M. Vincent Nicomette Professeur, INSA Toulouse Cette thèse est dédiée à M. Celui qui n’empêche pas un crime alors qu’il le pourrait s’en rend complice. — Sénèque Remerciements Je tiens à remercier mes deux directeurs de thèse. David Naccache, officier de réserve de la gendarmerie, contribue au développement de la recherche au sein de notre institution en poussant des personnels jeunes et un peu moins jeunes à poursuivre leur passion dans le cadre académique qui s’impose. Matthieu Latapy, du LIP6, avec qui nous avions pu échanger autour d’une thèse qu’il encadrait dans le domaine difficile des atteintes aux mineurs sur Internet et qui a accepté de m’accueillir dans son équipe. Je voudrais remercier aussi, l’ensemble de l’équipe Réseaux Complexes du LIP6 et sa responsable d’équipe actuelle, Clémence Magnien, qui m’ont accueilli à bras ouverts, accom- pagné à chaque étape et dont j’ai pu découvrir les thématiques et les méthodes de travail au fil des rencontres et des discussions.
    [Show full text]
  • Download Slides
    Scott Wu Point in time cleaning vs. RTP MSRT vs. Microsoft Security Essentials Threat events & impacts More on MSRT / Security Essentials MSRT Microsoft Windows Malicious Software Removal Tool Deployed to Windows Update, etc. monthly since 2005 On-demand scan on prevalent malware Microsoft Security Essentials Full AV RTP Inception in Oct 2009 RTP is the solution One-off cleaner has its role Quiikck response Workaround Baseline ecosystem cleaning Industrypy response & collaboration Threat Events Worms (some are bots) have longer lifespans Rogues move on quicker MarMar 2010 2010 Apr Apr 2010 2010 May May 2010 2010 Jun Jun 2010 2010 Jul Jul 2010 2010 Aug Aug 2010 2010 1,237,15 FrethogFrethog 979,427 979,427 Frethog Frethog 880,246880,246 Frethog Frethog465,351 TaterfTaterf 5 1,237,155Taterf Taterf 797,935797,935 TaterfTaterf 451,561451,561 TaterfTaterf 497,582 497,582 Taterf Taterf 393,729393,729 Taterf Taterf447,849 FrethogFrethog 535,627535,627 AlureonAlureon 493,150 493,150 AlureonAlureon 436,566 436,566 RimecudRimecud 371,646 371,646 Alureon Alureon 308,673308,673 Alureon Alureon 441,722 RimecudRimecud 341,778341,778 FrethogFrethog 473,996473,996 BubnixBubnix 348,120 348,120 HamweqHamweq 289,603 289,603 Rimecud Rimecud289,629 289,629 Rimecud Rimecud318,041 AlureonAlureon 292,810 292,810 BubnixBubnix 471,243 471,243 RimecudRimecud 287,942287,942 ConfickerConficker 286,091286, 091 Hamwe Hamweqq 250,286250, 286 Conficker Conficker220,475220, 475 ConfickerConficker 237237,348, 348 RimecudRimecud 280280,440, 440 VobfusVobfus 251251,335, 335
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Mcafee Labs Threats Report August 2015 Ransomware Continues to Grow Very Rapidly— with the Number of New Samples Rising 58% in Q2
    Report McAfee Labs Threats Report August 2015 Ransomware continues to grow very rapidly— with the number of new samples rising 58% in Q2. About McAfee Labs Introduction McAfee Labs is one of the world’s leading sources for threat This month marks the five-year anniversary of Intel’s research, threat intelligence, and cybersecurity thought announcement that the company would acquire McAfee. leadership. With data from millions of sensors across key Much has changed in the security space since then, so we threats vectors—file, web, message, and network—McAfee decided to look back on these years and compare what we Labs delivers real-time threat intelligence, critical analysis, thought would happen with what actually happened. and expert thinking to improve protection and reduce risks. We interviewed a dozen key people who have been with McAfee is now part of Intel Security. Intel or McAfee since the acquisition to get their views on the major developments of the past five years around the www.mcafee.com/us/mcafee-labs.aspx cyber threat landscape, including how the types of threat actors have changed, how attackers’ behaviors and targets Follow McAfee Labs have changed, how the economics of cybercrime have changed, and how the industry has responded. We also wanted to know what they didn’t anticipate or what truly surprised them. We hope you enjoy the retrospective. This quarter, we also discuss two very interesting Key Topics. In McAfee Labs Threats Reports, we spend a lot of time examining ways in which attackers enter a trusted network or system, but we spend little time looking at how they exfiltrate the information they want to steal once they have successfully breached the network or system.
    [Show full text]
  • Microsoft | Security Intelligence Report
    Battling Botnets for Control of Computers Microsoft | Security Intelligence Report Volume 9 January through June 2010 Microsoft | Security Intelligence Report Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMA- TION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2010 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2 January through June 2010 Authors David Anselmi Jimmy Kuo Navaneethan Santhanam Digital Crimes Unit Microsoft Malware Protection Center Bing Richard Boscovich Scott Molenkamp Christian Seifert Digital Crimes Unit Microsoft Malware Protection Center Bing T.J. Campana Michelle Meyer Frank Simorjay Digital Crimes Unit Microsoft Trustworthy Computing Microsoft Trustworthy Computing Neil Carpenter Bala Neerumalla Holly Stewart CSS Security Microsoft Secure SQL Initiative Team Microsoft Malware Protection Center Greg Cottingham Daryl Pecelj Adrian Stone CSS Security Microsoft IT Information Security and Risk Management Microsoft Security Response Center Joe Faulhaber Anthony Penta Matt Thomlinson Microsoft Malware Protection Center Microsoft Windows Safety Platform Microsoft Security Response Center Vinny Gullotto Paul Pottorff Jossie
    [Show full text]
  • Download Hong Kong Security Watch Report
    Hong Kong Security Watch Report 2019 Q1 1 Foreword Better Security Decision with Situational Awareness Nowadays, a lot of \invisible" compromised systems (computers and other devices) are controlled by attackers with the owner being unaware. The data on these systems may be mined and exposed every day, and the systems may be utilized in different kinds of abuse and criminal activities. The Hong Kong Security Watch Report aims to provide the public a better \visibility" of the situation of the compromised systems in Hong Kong so that they can make better decision in protecting their information security. The data in this report is about the activities of compromised systems in Hong Kong which suffer from, or par- ticipate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. Computers in Hong Kong are defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is \.hk". Capitalizing on the Power of Global Intelligence This report is the fruit of the collaboration of HKCERT and global security researchers. Many security researchers have the capability to detect attacks targeting their own or their customers' networks. Some of them provide the information of IP addresses of attack source or web links of malicious activities to other information security organizations with an aim to collaboratively improve the overall security of the cyberspace. They have good practice in sanitizing personal identifiable data before sharing information. HKCERT collects and aggregates such valuable data about Hong Kong from multiple information sources for analysis with Information Feed Analysis System (IFAS), a system developed by HKCERT.
    [Show full text]
  • Hong Kong Security Watch Report Q4 2013
    Hong Kong Security Watch Report Q4 2013 Foreword Better Security Decision with Situational Awareness Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed everyday and the computers may be utilized in different kinds of abuse and criminal activities. The Hong Kong Security Watch Report aims to provide the public a better “visibility” of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security. The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. Capitalizing on the Power of Global Intelligence This report is the fruit of the collaboration of HKCERT and global security researchers. Many security researchers have the capability to detect attacks targeting their own or their customers’ networks. Some of them provide the information of IP addresses of attack source or web links of malicious activities to other information security organizations with an aim to collaboratively improve the overall security of the cyberspace. They have good practice in sanitizing personal identifiable data before sharing information. HKCERT collects and aggregates such valuable data about Hong Kong from multiple information sources for analysis with Information Feed Analysis System (IFAS), a system developed by HKCERT.
    [Show full text]
  • Kelihos Botnet: a Never-Ending Saga
    2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings May 15th, 10:00 AM Kelihos Botnet: A Never-Ending Saga Arsh Arora University of Alabama, Birmingham, [email protected] Max Gannon University of Alabama, Birmingham, [email protected] Gary Warner University of Alabama, Birmingham, [email protected] Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, OS and Networks Commons, Other Computer Sciences Commons, and the Science and Technology Studies Commons Scholarly Commons Citation Arora, Arsh; Gannon, Max; and Warner, Gary, "Kelihos Botnet: A Never-Ending Saga" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 4. https://commons.erau.edu/adfsl/2017/papers/4 This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an (c)ADFSL authorized administrator of Scholarly Commons. For more information, please contact [email protected]. Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 KELIHOS BOTNET: A NEVER-ENDING SAGA Arsh Arora, Max Gannon, Gary Warner University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 fararora, gannonm, [email protected] ABSTRACT This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom.
    [Show full text]
  • Research and Education Cyberthreat Briefing (PDF)
    RESEARCH AND EDUCATION CYBERTHREAT BRIEFING Todd Herring, REN-ISAC Membership Services Director Kim Milford, REN-ISAC Executive Director © 2016 Internet2 REN-ISAC - Background ● Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. ● Within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. ● Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships. [ 2 ] REN-ISAC - Background ▪ Hosted at Indiana University ▪ Board of Directors ▪ Advisory groups ▪ Ad hoc special interest groups and projects ▪ Over 480 member institutions and over 1400 member representatives [ 3 ] REN-ISAC Membership Type of Instuon Number Percent of Membership US College, Private for-profit 2 0.4% US College, Private not-for-profit 162 33.3% US College, Public 235 48.4% Medical Science / Medical Center 13 2.7% University Department, non-medical 2 0.4% Non-US College 31 6.4% Research Center 20 4.1% Network 8 1.7% Consorum 13 2.7% [ 4 ] REN-ISAC Growth Since August 2004 1600 1400 1200 1000 800 600 400 200 0 Instuons Member Reps [ 5 ] Membership Fees [ 6 ] Human-centered Intelligence Sharing • Community of trusted cybersecurity staff at R&E institutions • Sharing actionable information for operational protection and response • Confidentiality [ 7 ] Human-centered Intelligence Sharing o CSIRT for .EDU space
    [Show full text]
  • Mcafee Labs Threats Report May 2015 Mcafee Labs Saw Almost Twice the Number of Ransomware Samples in Q1 Than in Any Other Quarter
    Report McAfee Labs Threats Report May 2015 McAfee Labs saw almost twice the number of ransomware samples in Q1 than in any other quarter. About McAfee Labs Introduction McAfee Labs is one of the world’s leading sources for threat This Threats Report marks the first time that we explore research, threat intelligence, and cybersecurity thought firmware-based attacks. In our lead Key Topic, we leadership. With data from millions of sensors across key provide new details about malware from a secretive threats vectors—file, web, message, and network—McAfee outfit calledthe Equation Group. This threat is capable Labs delivers real-time threat intelligence, critical analysis, of reprogramming hard disk drive firmware. Our analysis and expert thinking to improve protection and reduce risks. shows the reprogrammed firmware can reload associated malware each time the infected system boots and that McAfee is now part of Intel Security. it persists even if the hard drive is reformatted or the operating system is reinstalled. We suspect this type of www.mcafee.com/us/mcafee-labs.aspx threat will be a hot topic at Black Hat and DefCon this year. Follow McAfee Labs We also focus on two familiar faces—ransomware and Adobe Flash exploits—because McAfee Labs saw massive increases in new samples this quarter from both types of threat. For ransomware, we attribute much of its growth to a new, hard-to-detect ransomware family—CTB-Locker— and its use of an “affiliate” program to quickly flood the market with phishing campaigns, leading to CTB-Locker infections. And for the rise in Flash exploits, we attribute those to the growing number of Flash instances across many platforms (most notably mobile devices), the number of known, unpatched vulnerabilities, and the difficulty in detecting some Flash-based exploits.
    [Show full text]
  • CERT Prezentacija Palestina-V1
    IT security overview in Latvia 21.11.2012, Riga TAIEX Study Visit on Information & IT Security Outline • Legal environment and policies • CERT.LV overview • Current situation overview • CERT.LV activities and awareness raising Legal environment and policies IT Security Law • In force since 1 February 2011 • Sets CERT.LV tasks and responsibilities • Defines responsibilities for: • Public sector • ISPs • Critical IT infrastructure owners IT Security Law – Public sector • In every institution – IT security officer responsible for: • Creating IT security documents for institution • Organising IT security audits • Educating all employees at least once per year • Reporting to CERT.LV on security incidents • Participating in CERT.LV seminars IT Security Law - ISPs • All ISPs have to submit to CERT.LV “Action plan for continuous operations” • Report to CERT.LV on major incidents • CERT.LV can request • IT Security documentation • IT Security audits • Disconnection of an end user for 24h IT Security Law – Critical infrastructure • List – State secret • Report incidents to CERT.LV • Establishes IT Security documentation • CERT.LV can do penetration testing National IT Security Strategy • Improvement of legal regulations • Increasing human and material-technical resources for state institutions • Rising cooperation at a national scale • Intensifying international cooperation • Hardening of education, science and social responisbility MoU with NATO – January 2012 CERT.LV overview CERT.LV • Information technology security incident response institution
    [Show full text]
  • Microsoft Security Intelligence Report
    Security Intelligence Report MICROSOFT SECURITY INTELLIGENCE REPORT Volume 9 (January 2010 through June 2010) www.microsoft.com/sir About Security Intelligence Report volume 9 Malware Key findings covers – Vulnerability Disclosures – Usage Trends for Windows update, and Microsoft update – Security Breach Trends – Malware and Potentially Unwanted Software trends – Email Threats – Malicious and Compromised Websites – Phishing Sites and Traffic – Analysis of Malware Hosts Report Report – Analysis od Drive-By Downloads Sites – Automated SQL Injection Attacks Contains data and intelligence from the past several years, but focuses on the first two quarters of 2010 Intelligence (1Q10, 2Q10) Security Security Intelligence Report volume 9 Data sources Spyware and Potentially Main Customer Segment Malicious Software Available at Unwanted Software Main No Product Name Distribution Additional Scan and Real-time Scan and Real-time Methods Consumers Business Charge Remove Protection Remove Protection Prevalent Windows Malicious Software WU/AU ● Malware ● Removal Tool Download Center Families Download Center Windows Defender ● ● ● ● Windows Vista/ Windows 7 Windows Live OneCare ● ● ● ● Cloud safety scanner Microsoft Security Essentials ● ● ● ● ● ● Cloud Forefront Online Protection for ● ● ● Cloud Exchange Forefront Client Security ● ● ● ● ● Volume Licensing Report Report Hotmail - more than 280 million active users Internet Explorer the world’s most popular browser with SmartScreen, Microsoft Phishing Filter Microsoft Forefront Online Security for Exchange
    [Show full text]