Ask The Experts Series – Workstation Malware

This time around we had a question from a reader (thanks for the question!):

“My organization is very concerned about malware on desktop machines. We run anti-virus on all user systems but have difficulty keeping them clean and are still having outbreaks. What else can we do to keep infected machines from hurting us? –LW”

Phil Grimes (@grap3_ap3) responds:

In this day and age, preventing infection on desktop workstations is a losing battle. While Anti-virus and other measures can help protect the machine to some extent, the user is still the single greatest point of entry an attacker can leverage. Sadly, traditional means for prevention don’t apply to this attack vector, as tricking a user into clicking on the “dancing gnome” often launches attacks at levels our prevention solutions just can’t touch.

Realizing this is the first, and biggest, step to success here.

Once we’ve embraced the fact that we need better detection and response mechanisms, we start to see how honeypots can help us but also how creating better awareness within our users can be the greatest investment an organization might make in detection. Teach your people what “normal” looks like. Get them in the habit of looking for things that go against that norm. Then, get them to want to tell someone when they see these anomalies! A well-trained user base is the most efficient, effective, and reliable detection mechanism an organization can have. After that, learn how to respond when something goes wrong.

John Davis added: 

Some of the best things you can do to combat this problem are to implement good, restrictive egress filtering and ensure that users have only those local administration rights to their workstations that they absolutely need.

There are different ways to implement egress filtering, but a big part of the most secure implementation is whitelisting. Whitelisting means that you start by a default deny of all outbound connections from your network, then only allow those things outbound that are specifically needed for business purposes. One of the ways that malware can infect user systems is by Internet surfing. By strictly limiting the sites that users can visit, you can come close to eliminating this infection vector (although you are liable to get plenty of blowback from users – especially if you cut visiting social networking sites).

Another malware infection vector is from users downloading infected software applications to their machines on disks or plugging in infected portable devices such as USB keys and smart phones to their workstations. This can be entirely accidental on the part of the user, or may be done intentionally by hostile insiders like employees or third party service providers with access to facilities. So by physically or logically disabling users’ local administration rights to their machines, you can cut this infection vector to almost nil.

You still have to worry about email, though. Everybody needs to use email and antivirus software can’t stop some malware such as zero day exploits. So, for this vector (and for those users who still need Internet access and local admin rights to do their jobs), specific security training and incentive programs for good security practices can go a long way. After all, a motivated human is twice as likely to notice a security issue as any automated security solution.

Adam Hostetler also commented:

Ensure a policy for incident response exists, and that it meets NIST guidelines for handling malware infections. Take the stand that once hosts are infected they are to be rebuilt and not “cleaned”. This will help prevent reinfection from hidden/uncleaned malware. Finally, work towards implementing full egress controls. This will help prevent malware from establishing command and control channels as well as combat data leakage.

Got a question for the experts? If so, leave us a comment or drop us a line on Twitter (@microsolved). Until next time, stay safe out there! 
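The default-deny egress policy John and Adam describe, worked through as an added example (this is not code from the post or from MicroSolved): outbound connection attempts are matched against an allowlist of approved destinations and ports, everything else is denied, and the denial counts per workstation become the detection signal that a command-and-control attempt leaves behind. The allowlist entries, workstation names and connection attempts are all constructed for the illustration.

```python
"""Default-deny egress policy evaluated over constructed connection attempts.

Added illustration, not code from the post or from MicroSolved. The policy
entries, host names and connection attempts below are constructed.
"""
import ipaddress
from collections import Counter

# Allowlist: (destination network, destination port, business reason).
# Anything not matched is denied, i.e. default deny. Values are constructed.
EGRESS_ALLOWLIST = [
    ("203.0.113.10/32", 443, "corporate web proxy"),
    ("203.0.113.20/32", 25, "mail relay"),
    ("198.51.100.0/24", 53, "internal DNS resolvers"),
]


def egress_decision(dst_ip, dst_port, allowlist=EGRESS_ALLOWLIST):
    """Return ('allow', reason) if an allowlist entry covers the attempt,
    otherwise ('deny', 'default deny')."""
    addr = ipaddress.ip_address(dst_ip)
    for net, port, reason in allowlist:
        if addr in ipaddress.ip_network(net) and dst_port == port:
            return ("allow", reason)
    return ("deny", "default deny")


def evaluate_log(attempts, allowlist=EGRESS_ALLOWLIST):
    """Apply the policy to (src_host, dst_ip, dst_port) tuples; return the
    per-attempt decisions and a per-host count of denied attempts."""
    decisions = []
    denied_by_host = Counter()
    for src, dst_ip, dst_port in attempts:
        verdict, reason = egress_decision(dst_ip, dst_port, allowlist)
        decisions.append((src, dst_ip, dst_port, verdict, reason))
        if verdict == "deny":
            denied_by_host[src] += 1
    return decisions, denied_by_host


def suspect_hosts(denied_by_host, threshold=3):
    """Hosts whose denied outbound attempts reach the threshold. Repeated
    blocked connects to unapproved destinations are what a default-deny
    policy hands the responder: a lead, not a verdict."""
    return sorted(h for h, n in denied_by_host.items() if n >= threshold)


# Constructed connection attempts: (workstation, destination, port).
SAMPLE_ATTEMPTS = [
    ("ws-01", "203.0.113.10", 443),
    ("ws-01", "198.51.100.5", 53),
    ("ws-02", "203.0.113.10", 443),
    ("ws-02", "192.0.2.77", 8080),
    ("ws-02", "192.0.2.77", 8080),
    ("ws-02", "192.0.2.78", 443),
    ("ws-03", "203.0.113.20", 25),
    ("ws-03", "198.51.100.9", 53),
    ("ws-03", "192.0.2.1", 6667),
]

if __name__ == "__main__":
    decisions, denied = evaluate_log(SAMPLE_ATTEMPTS)
    for row in decisions:
        print("%-6s -> %-15s :%-5d %s (%s)" % row)
    print("hosts with repeated denied egress:", suspect_hosts(denied))
```

Note that port 443 to an unapproved address is still denied: the allowlist is keyed on destination and port together, which is what stops a proxy-bypassing beacon from hiding behind a "normal" port.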

Handling Unknown Binaries Class Available

Recently, I taught a class on Handling Unknown Binaries to the local ISSA chapter and the feedback was excellent. I have talked to many folks who have asked if this class was available for their infosec teams, help desk folks and IT staff on a group by group basis. I am thrilled to announce today that the MSI team is making that same class available to companies and other groups.

The course abstract is as follows:

This is a hands-on class and a laptop is required (you will need either strings for Windows/Cygwin or regular Linux/OS X). This class is oriented towards assisting practitioners in covering the basics of how to handle and perform initial analyses of an unknown binary. The course will NOT cover reverse engineering or any disassembly, but will cover techniques and basic tools to let a security team member do a basic risk assessment on a binary executable or other file. Given the volume of malware, various means of delivery, and rapidly changing threats, this session will deliver relevant and critical analytical training that will be useful to any information security team.

The course is available for scheduling in early September and can be taught remotely via Webex or onsite for a large enough group. 

To learn more about this and other training that MSI can conduct, please drop us a line at info[at]microsolved[dot]com or give an account executive a call at (614) 351-1237. You can also engage with me directly on the content and other questions on Twitter (@lbhuston). 

As always, thanks for reading and stay safe out there.

CSO Online Interview

Our founder & CEO, Brent Huston (@lbhuston) just had a quick interview with CSO Online about the Gauss malware. Look for discussions with Brent later today or tomorrow on the CSO site. Our thanks to CSO Online for thinking of us!

Update 1: The article has been posted on CSO Online and you can find it here

Brent would also like to point out that doing the basics of information security, and doing them well, will help reduce some of the stomach churning, hand wringing and knee-jerk reactions to hyped up threats like these. “Applying the MSI 80/20 Rule of InfoSec throughout your organization will really give folks better results than trying to manage a constant flow of patches, updates, hot fixes and signature tuning,” Huston said.

Malware Alert: Will You Lose Your Internet Access On Monday?

We’re always keeping our eyes and ears open when it comes to malware. If you’ve not heard of this report before now, it would be good to check your computer to see if it has been infected with a nasty piece of malware whose creators were finally caught and shut down by the FBI late in 2011.

From AllThingsD:

Next week, the Internet connections of about a quarter-million people will stop working because years ago their computers became infected with malware.

The malware is called DNSChanger, and it was the centerpiece of an Internet crime spree that came to an end last November when the FBI arrested and charged seven Eastern European men with 27 counts of wire fraud and other computer crimes. At one point, the DNSChanger malware had hijacked the Internet traffic of about a half-million PCs around the world by redirecting the victims’ Web browsers to Web sites owned by the criminals. They then cashed in on ads on those sites and racked up $14 million from the scheme. When the crackdown came, it was hailed as one of the biggest computer crime busts in history.

Complete Article

The listed site for checking if you have the malware is (not surprising) getting slammed. Try to refresh the address a few times and it will show you if your system is infected or not, plus will give you a link for how to fix your site.

Here’s to seeing “green” for everyone!
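The check the post points readers to boils down to one question: is this machine using the DNS resolvers it is supposed to use? The following is an added example, not code from the post, from MicroSolved or from the FBI/AllThingsD material: it parses resolv.conf-style text and flags any nameserver outside the resolver networks the organization hands out. Because the rogue server ranges are not given on this page, the check is allowlist-based (anything that is not ours gets flagged) rather than blocklist-based; the expected network and both configuration samples are constructed.

```python
"""Flag DNS resolvers a workstation is configured to use that are not the
ones the organization hands out. Added example, not code from the post or
from MicroSolved; the expected network and the resolv.conf text are
constructed."""
import ipaddress

# Constructed: the resolver network the (hypothetical) corporate DHCP hands out.
EXPECTED_RESOLVERS = ["198.51.100.0/24"]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring
    comments, blank lines, other directives and malformed addresses."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # garbage entry: skip it rather than crash
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers outside every expected network. Allowlist logic: the rogue
    ranges are not known here, so anything that is not ours gets flagged."""
    nets = [ipaddress.ip_network(n) for n in expected]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in nets)]


def check_resolv_conf(text, expected=EXPECTED_RESOLVERS):
    """Return (status, unexpected): status is 'clean', 'suspect', or
    'empty' when no resolver is configured at all (which also breaks
    name resolution and deserves a look)."""
    servers = parse_resolv_conf(text)
    if not servers:
        return ("empty", [])
    bad = unexpected_resolvers(servers, expected)
    return ("suspect" if bad else "clean", bad)


# Constructed resolv.conf contents: one as handed out, one tampered with.
CLEAN_CONF = ("search corp.example\n"
              "nameserver 198.51.100.5\n"
              "nameserver 198.51.100.6\n")
TAMPERED_CONF = ("search corp.example\n"
                 "nameserver 192.0.2.53   # not one of ours\n"
                 "nameserver 198.51.100.5\n"
                 "nameserver not-an-address\n")

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF)):
        print(name, check_resolv_conf(conf))
```

On a Linux or OS X workstation the live input is the contents of `/etc/resolv.conf`; on Windows the same comparison applies to the DNS servers shown by `ipconfig /all`, but that output needs its own parser and is not handled here.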

Audio Blog Post: Malware Trends

Brent Huston, CEO and Founder of MicroSolved, Inc., discusses with Chris Lay, Account Executive, the new malware trends and a new perspective needed in dealing with attacks. In this audio blog post, you’ll learn:

  • How language is making a difference
  • How the attackers are getting more clever
  • What infected USB keys are now doing
  • What is ‘Flame’?
  • What to do when you identify malware in your organization

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

Search for Malware by MD5 Hash

Got a file that you want to know more about? Have the MD5 hash for it, and want to know if it is known to be malware? This seems to be a common problem. 

Here are three links that might help you:

1. Search VirusTotal by hash (simply put the hash in the search box): https://www.virustotal.com/#search
3. Search Eureca by hash (replace xxx with your hash): http://eureka.cyber-ta.org/OUTPUT/xxx/

Even if these sites don’t turn anything up, the file still might be malware. It may simply have been modified or specially crafted. However, if these sites turn up hits, you should be extra secret squid careful with the binary, since it is very likely to actually be malware of some sort.
Hope that helps folks. Thanks for reading!
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.
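The workflow above, as an added example that is not code from the post or from MicroSolved: hash the file, check the hash against a local list of samples you have already classified, and build the Eureka lookup URL in exactly the form the post gives (replace xxx with the hash). It also shows the post's caveat in action: changing a single byte of a known-bad file yields a hash no list will match, which is why a clean lookup is not a clean bill of health. The sample bytes and the known-bad list are constructed, and no lookup site is contacted.

```python
"""Hash a file, check it against a local known-bad list, and build the
Eureka lookup URL in the form the post gives. Added example, not code from
the post or from MicroSolved; the sample bytes and the known-bad list are
constructed, and the lookup sites are not contacted."""
import hashlib
import re

# Constructed stand-in for a file you have already classified in-house.
SAMPLE = b"MZ" + b"\x90" * 64 + b"constructed-sample-not-real-malware"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE).hexdigest(): "lab sample A (constructed)"}


def file_hashes(data):
    """MD5 and SHA-256 hex digests of a bytes object."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_path(path, chunk=65536):
    """Same digests streamed from disk, so large files do not land in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def normalize_md5(text):
    """Accept a pasted hash with stray whitespace or uppercase; reject
    anything that is not 32 hex digits so a typo never becomes a lookup."""
    h = text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", h):
        raise ValueError("not an MD5 hex digest: %r" % text)
    return h


def eureka_url(md5_hex):
    """The post's Eureka form: replace xxx with your hash."""
    return "http://eureka.cyber-ta.org/OUTPUT/%s/" % normalize_md5(md5_hex)


def classify(data):
    """Local verdict plus the hashes and the lookup URL to try next."""
    md5_hex, sha_hex = file_hashes(data)
    return {"md5": md5_hex, "sha256": sha_hex,
            "known_bad": KNOWN_BAD_MD5.get(md5_hex),
            "eureka": eureka_url(md5_hex)}


if __name__ == "__main__":
    print(classify(SAMPLE))
    # One flipped byte: same file family, brand-new hash, no hit anywhere.
    print(classify(SAMPLE[:-1] + b"!"))
```

Keep the SHA-256 alongside the MD5: the post's lookup sites key on MD5, but MD5 collisions are cheap to manufacture, so a longer digest is the one to record in your own notes and share with other teams.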

Talking to Your Management Rationally About Malware

Malware with comparisons to Stuxnet is all the rage these days. CNN and other popular media outlets now run stories about new Trojans, viruses and exploits. Much of what is in the media is either hysteria, hype, confusion or outright wrong.
 
There are often nuggets of truth scattered about in the stories, but few of the fears and scenarios whipped into a frothy story have a rational bearing on reality, let alone your business. Nonetheless, executives and even end-users take this stuff in and start to talk about information security topics (which is usually a good thing), but without a rational view, they may use that information to make decisions without regard to risk or the exposures that truly matter to the organization.
 
This is where YOU come in. As an infosec practitioner, your job is to explain to folks in a rational way about the trends and topics in the news. You need to be able to discuss the new piece of malware they saw last night on the news and explain carefully, truthfully, and rationally how it might impact your organization.
 
You need to discuss the controls you have in place. You need to explain the recovery and response processes you have been honing over the last few years. You also need to carefully walk them through how attacks like this work, how your team would be able to detect it (or not), and what you need to be able to do in the future.
 
You need to do this without breathlessly going into detail about the newest evasion techniques it uses, how cool the new exploits are that it leverages, or otherwise spreading uncertainty or fear to your management team. Now, I am NOT suggesting you tell them you have everything under control if you don’t. However, I am suggesting that this conversation should be rational, fair and flat — and offer to come by their office later to discuss future enhancement capabilities and projects that could be funded to assist your team with defending against these and other threats in the future. Then, do it at a time when they have intellectual and emotional stability. 
 
You must also learn about these threats. Be ready to discuss them in real-world (non-IT geek), business language. You have to be able to explain them clearly and concisely, including their rational impacts. If, for example, CNN is running a story about malware that destroys reactors or deletes records of uranium deposits and your organization doesn’t own a reactor or track uranium, then explain that the impacts of the attack are not likely to be anything more than an annoyance to your organization and offer to discuss it with them or present on the topic at a later time. Keep them up to date, but whatever you do, keep them rational and make sure that you precisely explain potential impacts clearly. If the worst outcome of a popular malware infection is that your network traffic would rise 12% for a 48-hour period and then drop back to previous levels when the malware doesn’t find what it’s looking for and deletes itself, explain that to them.
 
If the malware is designed to target and exfiltrate the secret sauce to your chicken nuggets, and that’s how your company derives income, then explain that to them in clear, unemotional terms and tell them what you are doing about it and how they can help. 
 
That’s about it. I think the point is clear, but I will repeat it again. Explain new threats rationally to your management when they ask. Share with them realistic impacts, what you are doing about them and how they can help. Offer to give them a deep dive at a later time when they are emotionally and intellectually stable. Avoid the FUD and stick to the facts. You will be doing yourself, your organization, your profession, and maybe even the world a big favor in doing so.
 
Thanks for reading!