Podec Malware ushers in another set of cyber-attacks.
Podec malware circumvents the popular CAPTCHA. CAPTCHA requests are forwarded to an online translation (image-to-text) service, where the images are converted to text. This takes only a couple of seconds, and the text is then relayed back to the malware code, tricking the verification system.
This malware uses domains such as antigae.com, apt-downlad3.ru, and minegamevip.com. These sites are located throughout the world, and new sites are added and changed rapidly, which renders a purely list-based system slow and not very effective.
Once connected, Podec requests administrator privileges and, if granted, prevents disablement. Last, it employs obfuscators and code-protection schemes that preserve the code.
Through the use of advanced algorithms, Barrier1 would be able to identify:
• Existing and ever-changing web sites.
• Since all of the CAPTCHA requests are forwarded to an online translation service, this source is most likely different from the one used by the manufacturer.
• In the event that a man-in-the-middle method is used to redirect the CAPTCHA requests, Barrier1 would identify both the change and the man-in-the-middle.
LogPOS adds another dimension to other versions of cyber activity against POS systems. This attack avoids detection by scanners looking for unencrypted credit cards by writing to a Mailslot.
Mailslots allow inter-process communication with a number of clients at one time. Previous POS attacks required individual searches of their own memory, could not open a file with write access at the same time, and could not use logs.
An IPC (inter-process communication) mechanism is the backbone of a process that:
• Creates the Mailslot
• Sleeps for 500 milliseconds
• Repeats the process
• Compares against a white list
• Injects shellcode into the process
• Scans for credit card tracks and validates them using Luhn (a checksum used to validate a variety of identification numbers)
• Reads from the Mailslot
• Sends out the data
After searching, if a program is not found on the white list, code is injected into its memory space using WriteProcessMemory (shellcode that crawls to kernel32) and starts building imports. Once kernel32 is found, the shellcode rebuilds its imports via hashing techniques. When scanning memory, the malware uses a custom search to find common sentinels.
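The same two signals the text mentions, track sentinels and the Luhn checksum, are what a defender's data-loss scanner looks for in outbound traffic or logs to catch card data leaving a POS network. The following is an added example (not code from the page or from Barrier1) that scans a constructed HTTP payload for ISO 7813 track 1/track 2 layouts and bare 13-19 digit runs, Luhn-checks each candidate, and masks the number before reporting. The sample payload, the test card numbers and the `example.invalid` host are all constructed.

```python
import re
from typing import Dict, List

# ISO 7813 track layouts (public format, used here only to recognise exposed data):
# track 1 starts with '%B', PAN/name/expiry separated by '^'; track 2 starts with ';',
# PAN and expiry separated by '='. The leading characters are the "sentinels".
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")
# A bare 13-19 digit run that is not embedded in a longer digit run.
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so an alert never re-exposes a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload: bytes) -> List[Dict[str, object]]:
    """Return candidate card data found in a payload: track hits first, then bare PANs."""
    findings: List[Dict[str, object]] = []
    seen = set()
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(payload):
            pan = m.group(1).decode()
            seen.add(pan)
            findings.append({"kind": kind, "pan": mask_pan(pan), "luhn_ok": luhn_valid(pan)})
    for m in BARE_PAN.finditer(payload):
        pan = m.group(1).decode()
        if pan not in seen:  # a track hit already covers this number
            seen.add(pan)
            findings.append({"kind": "pan", "pan": mask_pan(pan), "luhn_ok": luhn_valid(pan)})
    return findings


# Constructed sample: an outbound HTTP request carrying both track formats plus an
# unrelated 13-digit reference number. The card numbers are public test numbers.
SAMPLE_PAYLOAD = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"data=%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b";5500000000000004=25121010000000000000?"
    b"&ref=1234567890123\r\n"
)

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_PAYLOAD):
        verdict = "ALERT" if f["luhn_ok"] else "ignore"
        print(f"{verdict}: {f['kind']} {f['pan']}")
```

Only Luhn-valid hits are worth alerting on; the 13-digit reference number in the sample fails the checksum and is reported with `luhn_ok` false so the analyst can see why it was discarded.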
Barrier1 and its Intelligent Threat Management Platform identify and block LogPOS. Through the use of advanced sensors and algorithms, we are able to bring checks and balances throughout the inspection process, so that if one aspect of LogPOS changes, Barrier1 will identify it.
Key areas that the patented Barrier1 process uses are: shellcode detection, behavior algorithms, rootkit detection, a version of YARA, and others.
DDoS continues to change. "Reflection DDoS" attacks have been around a long time, and yet they are responsible for some of the largest DDoS attacks of the past couple of months.
Reflection uses spoofing as one of its methods. The attacker spoofs the victim's IP address and sends a request for information via UDP. UDP is used because it is connectionless, unidirectional, and used as a normal communication method between servers, so many servers will respond to such a request natively. The server answers the request and reflects the response to the victim's IP address. From the server's perspective the request is normal and appears to have come from the address in the original request. This approach can turn any server running a UDP service into a potential reflector, including DNS, SNMP, game servers, and so on.
The amplification is the result of the reflector's response being much larger than the original request. A DNS request of 64 bytes can result in a very large DNS response of over 3,000 bytes. Now send 50-byte requests to a large number of reflectors and the amplified responses add up to a gigabit of traffic coming at you.
It is extremely difficult to stop reflection DDoS. A firewall alone will not be able to stop the packets from saturating your network.
Barrier1 and our patented DDoS and Intelligence in Real Time stop reflection DDoS attacks.
• There is a good probability that these same source IP addresses have a reputation for involvement in some form of cyber activity. Those IP addresses that have not been used before, or that "change", will most likely be coming from a known IP range that has cyber activity. Barrier1 analytics will identify and block these IP addresses.
• Barrier1 analytics will identify strange or abnormal communication types using UDP between servers. All networks have a style of normal communication. Those attributes can be picked up by sensors, and when they change the Barrier1 AARE Analytical Engine will detect and block.
• Barrier1 inspects the complete data stream and can detect attributes. In this case, a query string containing "ANY" (the DNS query type that asks for every record) is a clue to a reflection DDoS attack.
• Barrier1 can detect abnormal or non-initiated scans or queries into zones containing DNSSEC data.
• Many servers are set to respond to any IP that sends certain UDP status queries. Barrier1 has sensors looking for these types of attributes that give clues to a responder DDoS attack.
Barrier1 and its patented Intelligence and DDoS protection platforms in Real Time stop reflection DDoS.
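From the victim's side, the two observable symptoms of a reflection attack described above are UDP responses arriving for which no request ever left the network, and responses that are far larger than the requests that did. The following is an added example (not code from the page or from Barrier1's product) that walks a set of constructed DNS flow records, pairs inbound responses with outbound requests by address/port tuple, reports unmatched responses as unsolicited, computes the response/request size ratio for matched pairs, and counts "ANY" responses. The victim network `203.0.113.0/24`, the reflector addresses in `198.51.100.0/24` (both RFC 5737 documentation ranges), the record layout, and the 10x ratio and three-reflector thresholds are all assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed victim network (RFC 5737 documentation range).
LOCAL_NET = ip_network("203.0.113.0/24")

# Constructed UDP/DNS flow records as a sensor at the victim's edge might log them:
# (src, sport, dst, dport, qtype, is_response, size_bytes)
RECORDS = [
    ("203.0.113.10", 40001, "198.51.100.5", 53, "A", False, 64),      # normal lookup
    ("198.51.100.5", 53, "203.0.113.10", 40001, "A", True, 120),      # its answer
    ("198.51.100.7", 53, "203.0.113.10", 51234, "ANY", True, 3100),   # unsolicited
    ("198.51.100.8", 53, "203.0.113.10", 51234, "ANY", True, 3050),   # unsolicited
    ("198.51.100.9", 53, "203.0.113.10", 51234, "ANY", True, 2990),   # unsolicited
    ("203.0.113.10", 40002, "198.51.100.5", 53, "ANY", False, 60),    # local ANY query
    ("198.51.100.5", 53, "203.0.113.10", 40002, "ANY", True, 2800),   # ~47x larger answer
]

AMPLIFICATION_RATIO = 10.0  # assumed: response/request size ratio worth flagging
MIN_REFLECTORS = 3          # assumed: distinct unsolicited responders before calling it reflection


def analyze(records, local_net=LOCAL_NET, ratio_threshold=AMPLIFICATION_RATIO,
            min_reflectors=MIN_REFLECTORS) -> Dict[str, object]:
    """Match inbound UDP responses to outbound requests; unmatched ones are unsolicited."""
    # (local ip, local port, remote ip, remote port) -> size of the outstanding request
    pending: Dict[Tuple[str, int, str, int], int] = {}
    unsolicited_sources = set()
    unsolicited_bytes = 0
    amplified: List[Tuple[str, float]] = []
    any_responses = 0
    for src, sport, dst, dport, qtype, is_response, size in records:
        src_local = ip_address(src) in local_net
        dst_local = ip_address(dst) in local_net
        if src_local and not dst_local and not is_response:
            pending[(src, sport, dst, dport)] = size
        elif dst_local and not src_local and is_response:
            if qtype == "ANY":
                any_responses += 1
            req_size = pending.pop((dst, dport, src, sport), None)
            if req_size is None:
                # Reply with no matching request: classic sign of a spoofed-source reflection.
                unsolicited_sources.add(src)
                unsolicited_bytes += size
            elif size / req_size >= ratio_threshold:
                amplified.append((src, round(size / req_size, 1)))
    return {
        "unsolicited_sources": unsolicited_sources,
        "unsolicited_bytes": unsolicited_bytes,
        "amplified": amplified,
        "any_responses": any_responses,
        "reflection_suspected": len(unsolicited_sources) >= min_reflectors,
    }


if __name__ == "__main__":
    for key, value in analyze(RECORDS).items():
        print(f"{key}: {value}")
```

The pairing key is the full four-tuple, so a normal answer to a normal query is never flagged, while the 2800-byte answer to a 60-byte `ANY` query still surfaces as an amplification ratio even though it was solicited; on a real sensor the same logic runs over NetFlow or packet-capture output rather than an in-memory list.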
Released this past week is the fact that hackers can infiltrate a network and remain undiscovered. This brings another level to the discussion of how the bad guys get in, stay, capture, remove, and not get caught. It also explains another reason for the value placed on a set of stolen credentials. The vast majority of systems are not monitoring what type of traffic is going on internally; they are really only looking at who enters.
Once a cyber-criminal is inside a network, they are going to use lateral moves and disguises as well. Catching a cyber-criminal inside requires the same Intelligence inside as it does outside. The key is to set a baseline of standard behavior. All networks have a pretty stable cadence. Each department has rights to go to and view certain areas, files, and information. The goal is to be positioned to see all the traffic via sensors throughout, as well as the information leaving the organization. That includes standard entrance and exit points and Wi-Fi. Then make sure you have the ability to detect change factors, processes, abnormal behavior, and so on.
Intelligence should play a major role in inside security functions as well. As on the outside, cyber attackers will use maneuvers to disguise and conceal. It takes Intelligence to put together that an individual in marketing has no business in the daily accounting records or the legal department. In addition, the security platform should alert administrators and security staff to abnormal behavior.
Intelligent Threat Management in Real Time is as important for inside protection as at the perimeter.
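The baseline idea above (each department touches a stable set of shares, and a marketing account reaching into accounting or legal data is the anomaly) can be made concrete with a small learn-then-detect loop. The following is an added example, not code from the page or from Barrier1: it learns department-to-share-root mappings from a constructed quiet week of file-access log lines, then flags accesses in a later window that fall outside the department's baseline and raises a second alert when one account reaches several new roots in the window. The log format, the department and share names, and the two-root lateral-movement threshold are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed access-log format; one line per file access.
LINE = re.compile(r"user=(\S+) dept=(\S+) resource=(\S+)")

# Constructed learning window: a quiet week in which each department touches only its own share.
BASELINE_LOG = """
2024-05-06T09:01:00 user=alice dept=marketing resource=/shares/marketing/q2-campaign.pptx action=read
2024-05-06T09:05:00 user=bob dept=marketing resource=/shares/marketing/leads.xlsx action=read
2024-05-06T09:07:00 user=carol dept=accounting resource=/shares/finance/ledger.xlsx action=write
2024-05-06T10:12:00 user=dave dept=legal resource=/shares/legal/contracts/nda.docx action=read
2024-05-07T08:30:00 user=carol dept=accounting resource=/shares/finance/payroll.xlsx action=read
""".strip().splitlines()

# Constructed detection window: bob's account starts reaching into other departments' shares.
WINDOW_LOG = """
2024-05-13T09:00:00 user=bob dept=marketing resource=/shares/marketing/leads.xlsx action=read
2024-05-13T09:02:00 user=bob dept=marketing resource=/shares/finance/ledger.xlsx action=read
2024-05-13T09:03:00 user=bob dept=marketing resource=/shares/legal/contracts/nda.docx action=read
2024-05-13T09:10:00 user=carol dept=accounting resource=/shares/finance/ledger.xlsx action=write
malformed line that the parser must skip
""".strip().splitlines()


def resource_root(resource: str) -> str:
    """Collapse a path to its share root, e.g. /shares/finance/ledger.xlsx -> /shares/finance."""
    return "/".join(resource.split("/")[:3])


def parse(lines):
    """Yield (user, dept, share_root) for every well-formed line; skip anything else."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group(1), m.group(2), resource_root(m.group(3))


def learn_baseline(lines) -> Dict[str, Set[str]]:
    """Department -> set of share roots it normally touches."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _user, dept, root in parse(lines):
        baseline[dept].add(root)
    return dict(baseline)


def detect(lines, baseline: Dict[str, Set[str]],
           lateral_threshold: int = 2) -> List[Tuple[str, str, str]]:
    """Flag accesses outside the department baseline, then users who reach several new roots."""
    alerts: List[Tuple[str, str, str]] = []
    new_roots_by_user: Dict[str, List[str]] = defaultdict(list)
    for user, dept, root in parse(lines):
        if root not in baseline.get(dept, set()):
            alerts.append((user, root, "outside_department_baseline"))
            if root not in new_roots_by_user[user]:
                new_roots_by_user[user].append(root)
    # One account touching multiple foreign shares in a window looks like lateral movement.
    for user, roots in new_roots_by_user.items():
        if len(roots) >= lateral_threshold:
            alerts.append((user, ",".join(roots), "lateral_movement_suspected"))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for alert in detect(WINDOW_LOG, baseline):
        print(alert)
```

The baseline is keyed by department rather than by individual so that a new hire in accounting does not trip the rule on day one; the cost is that a compromised accounting account roaming within finance shares is invisible to this rule and needs a per-user or volume-based check alongside it.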
New Rounds of Data Wiping Malware
Data wiping malware is not new. However, the latest version suggests cyber criminals are altering their strategies and processes just enough to get in.
Prevention discussions still revolve around human intervention, such as:
1. Do not open unknown attachments from people you do not know.
2. Individuals should be able to inspect a web site and decide if the site is safe.
The irony is that this is the method of prevention that has been suggested for years. If malware is getting past networks put together and secured by professionals, why are they still relying on non-technical individuals to identify it for themselves?
Data wiping malware has attributes that can be detected within the data stream, and they can all be identified in the data stream via machine analytics. Even when the malware has changed or become polymorphic, these attributes are still part of its process. Second, by identifying attributes and adding Intelligent Threat Management, you can identify the process, not only individual attributes. The additional advantage of Intelligent Threat Management is that you have checks and balances: if one attribute is missed, another is in a good position to identify the attack.
The last part of the human intervention aspect is speed. Even the most intelligent and skilled cyber security experts can no longer identify and block cyber threats at the speed needed today. The world of rapid change and polymorphic attacks can easily defeat reactions that take minutes. Rapid change or never-before-seen events require reaction within microseconds.
Barrier1 Intelligent Threat Management inspects and analyzes all traffic and traffic types, and then reacts/blocks within microseconds.
The ZeroAccess bot is another great example of a multi-vector attack. In addition, it has shown resilience due to its flexibility in the use of the CnC component.
First, it really is a Trojan. It is used to download malware and infect machines. Machines are infected via click fraud and bitcoin schemes. In order to stay hidden, it uses rootkit techniques. ZeroAccess also infects the Master Boot Record and random drivers. This gives the cyber-criminal total control. In addition, it can disable Windows Security Center, leaving no firewall protection and thus the machine wide open.
In true form of today's cyber-attacks, several attack vectors are used.
1. Social engineering - by disguising as a legitimate file, or including hidden code as an additional payload in an executable.
2. Advertising - by the use of click advertising to lure users; once the ad is clicked, the user is redirected to an infected URL.
3. Third parties are hired to install rootkits.
The first efforts by Microsoft were to kill the CnC connection. Not all CnC traffic was using an outbound destination IP; some was using P2P for outbound communication.
Barrier1 stops the ZeroAccess bot in several ways.
1. Barrier1 has 5 versions of rootkit inspection that are used for detection.
2. Barrier1 inspects the payload of all packets.
3. Barrier1 Analytics are applied to the ENTIRE data stream, which is analyzed as a whole. So, assuming the first CnC communications used a standard destination and thus "odd" outbound handshaking and communications, Barrier1 would block, alert, and learn. When the CnC switches to P2P, Barrier1 would have learned enough from blocking the previous CnC communication to now STOP/BLOCK the P2P version of the CnC. This ability to learn and then apply would also work through a rapid change of source IP addresses throughout a multinational bot network.
Now Sony gaming has been hit again with a DDoS attack. It proves that a DDoS attack can be for hire. A mid-size DDoS attack can be generated for around $100; just use your PayPal account.
Time to rethink DDoS
Regin malware has just been identified. Like most malware, it is really not new. In many cases, "new" just means "just found"; in reality, the malware may have been operating for years.
Regin has several aspects that model former malware. Flamer, Weevil, Duqu, Stuxnet, and others were similar. These earlier versions introduced the concepts of delivery in stages, back doors, and customization for specific targets.
There are 5 stages: a dropper, 2 steps of the loading process, 2 steps for the kernel, and then the payload. A user is tricked into visiting a spoofed version of a well-known web site. The dropper is installed via the web browser or an app. Regin has been found to originate from Yahoo, Instant Messenger, and so on. The remote access Trojans use features and processes found years ago and called RATs (remote access Trojans). They are intent on network monitoring, stealing passwords, and overall cyber theft. There are custom-built and modified EVFS files, RC5 encryption, ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocol usage.
Barrier1, with its extensive Intelligent Analytics that deal with the entire data flow rather than individual pieces, would identify Regin in several ways.
- RATs were identified several years ago. Barrier1 has remembered how they operate and thus would detect and block.
- Barrier1 has already identified, blocked, and learned about Duqu, Stuxnet, Flamer, and Weevil. The very attributes of these would be identified through the Barrier1 AARE Engine and Analytics.
- Barrier1's extensive library of rootkits would detect the kernel framework.
- Barrier1 inspects the payload and thus would detect abnormal structures, requests, and behavior.
- The Barrier1 AARE Engine and Analytics would be able to detect spoofed web sites, even those that are NOT on any URL black list.
- Barrier1's extensive library of protocols would detect variants of RC5 and ICMP pings, and the custom TCP/UDP protocols would differ from the accepted RFC specs.
The following are threats to the cloud infrastructure:
- Data segregation and session hijacking are threats.
- The multi-tenancy model is a great challenge to privacy.
- Storage security at the cloud service provider's data centers is often directly linked.
- Traditional breach opportunities do not go away.
- Malicious users can sniff network packets and gain extensive insight.
- Attackers can bypass the application logic to access the databases directly.
- Cyber criminals have learned to move horizontally, thus making multi-tenancy vulnerable.
- Check your SLA; do not assume service providers will be able to support electronic discovery or internal investigations of illegal activity.
- What happens if the cloud provider goes out of business?
- Check your SLA: most of the time NONE of an organization's legal and regulatory compliance responsibilities are transferred to a provider when the organization adopts cloud services.
The cyber kill chain was documented to explain how cyber criminals were getting in. Several years ago, the single-vector cyber-attack gave way to a multi-vector approach. This also represents a process of events to accomplish the goals set forth by the cyber-criminal.
These are individual steps. What was not addressed was the rapidly changing, never-before-seen, polymorphic attacks. The principles are the same, but solutions were put in place to perform functions at each stage.
The MISSING link was Intelligence in Real Time. The key attributes of intelligence, as defined in Wikipedia, are knowledge, learning, memory, problem solving, and reaction time. Intelligence delivers the ability to learn and remember what each of the steps in the cyber kill chain did. Therefore, with the analysis, or problem solving, and knowledge of the TOTAL situation, one can now react/block with extreme accuracy in Real Time.
Barrier1 Intelligent Threat Mgmt. goes beyond UTM, NGFW, cloud solutions, and sandboxing.