Barrier1 Stops Bredolab Trojan

Bredolab Trojan is dangerous in that it works secretly in the background. If the machine is not protected with security tools, Bredolab may be able to make quite a mess without raising any suspicion. It delivers various malware to a computer. Bredolab itself is not capable of corrupting files or stealing information, but the programs it installs may cause multiple kinds of damage.

The Trojan downloader usually downloads and runs fraudulent security tools, but it may also download keyloggers, adware, web browser toolbars and other malicious applications. Removing Bredolab is necessary in order to prevent further infections and keep a computer safe. Bredolab Trojan also changes system files. The following are just a few.

\digeste.dll
\digiwet.dll
\mcenspc.dll
\msansspc.dll
%startup%\asgupd32.exe
%startup%\dfqupd32.exe
%startup%\dmaupd32.exe
%startup%\fmnupd32.exe
%startup%\ihaupd32.exe
%startup%\imiupd32.exe
%startup%\legupd32.exe

As with all blended threats, Win32/Bredolab has mutated over time. When older variants of Win32/Bredolab are executed at installation time, they copy themselves to one of the following locations, converting their EXE to a DLL:
\digeste.dll
\digiwet.dll
\mcenspc.dll
\msansspc.dll

The registry is then modified to ensure that the DLL is loaded. For example:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: “SecurityProviders”
With data: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll”
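Added here as a worked check, not code from the page or from Barrier1: a Python routine that parses the SecurityProviders value shown above and flags any DLL outside the default list (the page's own data minus the appended digeste.dll serves as the constructed baseline). It also matches the startup-folder names listed earlier, which all follow the pattern of three letters followed by upd32.exe; that pattern is an observation from this page's list, not a general Bredolab signature.

```python
import re

# Constructed baseline: the SecurityProviders entries the page shows before
# Bredolab appends its own DLL. Note that the malicious name "digeste.dll"
# imitates the legitimate "digest.dll", so an exact-set comparison matters.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# DLL names the page attributes to older Win32/Bredolab variants.
BREDOLAB_DLLS = {"digeste.dll", "digiwet.dll", "mcenspc.dll", "msansspc.dll"}

# The startup-folder droppers listed on the page all look like <3 letters>upd32.exe.
STARTUP_PATTERN = re.compile(r"^[a-z]{3}upd32\.exe$", re.IGNORECASE)


def parse_security_providers(data: str) -> list[str]:
    """Split the comma-separated REG_SZ data into lower-cased DLL names."""
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def unexpected_providers(data: str) -> list[str]:
    """Return every provider DLL that is not part of the known-good baseline."""
    return [p for p in parse_security_providers(data) if p not in BASELINE_PROVIDERS]


def classify_provider(name: str) -> str:
    """Label a provider DLL as baseline, a known Bredolab name, or unknown."""
    name = name.lower()
    if name in BASELINE_PROVIDERS:
        return "baseline"
    if name in BREDOLAB_DLLS:
        return "known-bredolab"
    return "unknown"


def suspicious_startup_files(filenames: list[str]) -> list[str]:
    """Return startup-folder entries matching the dropper naming pattern above."""
    return [f for f in filenames if STARTUP_PATTERN.match(f)]


# Constructed sample: the registry data exactly as the page shows it after infection.
INFECTED_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

if __name__ == "__main__":
    for dll in unexpected_providers(INFECTED_VALUE):
        print(f"unexpected SecurityProviders entry: {dll} ({classify_provider(dll)})")
    print(suspicious_startup_files(["asgupd32.exe", "notepad.exe", "LEGUPD32.EXE"]))
```

On a live Windows host the same value can be read with the standard winreg module (QueryValueEx on the SecurityProviders subkey shown above) and passed to unexpected_providers.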

Win32/Bredolab contacts a remote host and receives a response from the master server that contains at least one encrypted binary. Downloaded binaries are decrypted and executed. Win32/Bredolab may use a random file name for downloaded binaries on the local machine. Some variants of Win32/Bredolab may create the following file during execution:
• %appdata%\wiaserva.log

Several variants of Win32/Bredolab have been the focus of various spam mass-mailings. Here is a selection of e-mails, used in the wild, to distribute Bredolab onto users' computers:

Example email #1

Subject: Postal Tracking #IARN863188FLP4G

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

Example email #2

Subject: Shipping confirmation for order -08244007

Hello!

Thank you for shopping at our internet shop!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered Samsung GO N310-13G.
You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.
We hope you enjoy your order!

Barrier1 has Virtualized Network Security

Barrier1 has brought virtualization to network security. Virtualization is designed to make more efficient use of underutilized hardware while keeping networks isolated from one another. The classic case involves a rack of servers each using a fraction of their resources. Once a virtual network is attached to a physical network adapter, it is exposed to the same security risks as that physical network adapter. Virtual machines cannot intercept network packets from the host operating system. Similarly, the host operating system cannot intercept network packets from a virtual machine. This isolation is enforced by the virtual machine network services driver, which determines whether a network packet is routed to the host operating system or to a virtual machine.

Barrier1 Network Security Virtualization brings individual VM protection as well as inter-VM protection. To truly mitigate the risks within the virtual environment, especially those related to inter-VM communication, individual inspection of all 7 OSI layers in near real time is required. Barrier1, along with its "AARE Engine", has an architecture that delivers effective multi-layered defense and self-protection on a per-VM basis. Enforcing policies at the VM level and integrating network security protection elements that inspect and have knowledge of all aspects of the 7 OSI layers is key to the overall security architecture within the VM.

• VM enforcement of policies, integrating all network security point solutions such as firewall, IDS, anti-spam, anti-virus and web application firewall, provides granular visibility and control of individual VMs as well as inter-VM and network traffic. Enforcing individual or group VM policies stops inter-VM malware propagation more effectively than one-size-fits-all rule bases. Default policies are automatically applied to every new VM, mitigating the risks of VM sprawl.

• Guaranteed VM isolation between and within trust levels (e.g., production, QA) makes virtualizing mission-critical systems and customer data viable. This further boosts the ratio of VMs to host servers, giving enterprises a greater return on their virtualization investments.

• Migrations are handled by continuous inspection with all network security tools in production as VMs automatically move from host to host.

• Barrier1 monitors and stores all network connections, giving it the ability to block attacks and other unauthorized connection attempts from VMs.

Barrier1 identifies flaws in SSL-VPN

SSL-VPNs have become very popular. However, several security flaws are beginning to be understood. Null characters have been used in exploits for several years. The concept is to insert a string of 0s in key areas. This has the effect of alerting, changing, or redirecting, depending on when and where the technique is used.
SSL-VPNs rely on certificates. When a string of 0s or some other string is inserted, hackers can reroute a user to a site they were not intending to go to. This can also allow access to host computers.

Barrier1, with its ability to inspect all 7 OSI layers and its Intelligent Behavior Analysis known as "AARE", inspects for null character insertion from multiple points of inspection. Whether this technique is used in the application code itself, as with SSL-VPN, or in a data stream that has been altered, Barrier1 will identify and stop it.

VOIP is NOT Secure

VOIP and Security

VOIP is now entrenched in the world for voice communications. That places VOIP clearly on the radar of cyber criminals. Unfortunately, VOIP was not designed with security in mind. In fact, the very nature of the standards set makes VOIP even more vulnerable to security breaches.

In order for VOIP to be accepted it must be as good as or better than the PSTN. Therefore, security cannot change the specifications for H.323, SIP, RTP, and others, but must perform its role without compromise. In addition, a voice call may travel through 15 to 20 different systems.

The major issues are:

Latency – G.114 requires 150 ms for one-way traffic, 100 ms across North America, and 400 ms for international traffic. The entire end-to-end VOIP call, from call setup, encryption, encoding, sample capture and packetizing to the final move to output, will take up to 121 ms.
Jitter – out-of-sequence packets.
RTP – the special header fields that reassemble packets into a voice signal are carried as payload by UDP.

Several Immediate Security Vulnerabilities

1. VOIP – the protocols are based on a very well accepted set of standards.
2. RTP – through the conversions from voice signals to data signals in the payload and back to voice again, RTP would be vulnerable.
   – Voice packets are carried as payload, and most security appliances do not inspect payload.
   – Packets are carried out of band and are accessible to cyber criminals.

These aspects of VOIP bring vulnerabilities and opportunities for cyber criminals to launch DDoS attacks, floods of SIP messages, capture of customer records, and others.

Barrier1 introduces only 12.4 microseconds of delay, is SIP aware, and is H.323 compatible. Barrier1 has been providing network security for VOIP for over 4 years without modifications.

Barrier1 used to protect Police Cars and Emergency Vehicles from Cyber Criminals

Barrier1 used for Police Squad Cars and Emergency Vehicles brings greater effectiveness and affordability

If your police squad cars or emergency service vehicles have a laptop connected to YOUR network via wireless, YOU ARE VULNERABLE TO A CYBER ATTACK, just like land lines.

There is a growing demand to install laptops in police squad cars and other emergency vehicles and connect them via wireless, giving access to needed information wherever they are. Access to information can truly save lives, increase job performance, increase efficiency and increase the utility of the services provided. However, you also open yourself up to cyber attackers.

The problem has been the traditional VPN such as IPsec. IPsec is very sensitive to delay, jitter, and clocking. We all know that wireless signals are spotty in terms of strength; thus, the connection is dropped. This is not acceptable when police are required to respond to all corners of the city, county, or state. They have to have access to perform their duties and assignments. Barrier1 and its clientless SSL-VPN deliver the speed, connection state, and price that allow for a successful implementation of this application.

Barrier1 brings greater effectiveness, accuracy, and affordability than any other product attempting to provide security for this type of application.

Barrier1 Stops Polymorphic Attacks

Barrier1 was Designed to Stop Polymorphic Attacks

The race between the hackers and cyber criminals and the security professionals over the protection of digital assets and sensitive information continues, and is actually escalating at a furious pace. Over the years, attackers began to change their methods. The security professionals countered with solutions that required individual "point solutions": firewalls, anti-spam, anti-virus, web content filtering, IDS/IDP, traffic shaping, etc. were brought to the market to solve the security problems at hand. Then cyber attackers changed again, and "list-based systems" were brought to the market. Today, static libraries of signatures and definitions used to detect attacks are no longer the total solution. The spamming and virus-writing community has learned how to get around these list-based systems. At the same time everyone thinks they are secure. YOU ARE NOT. NOW WE HAVE POLYMORPHIC ATTACKS.

Polymorphic attacks are not new, but their abilities are showing up more often. Polymorphic attacks are designed with the purpose of not being detected. They accomplish this goal by mutating with each instance, which gives the attacker the ability to walk through the traditional signature and list-based systems. One of the mutating aspects of these attacks is the "data payload": each attack has different byte content. The method used to skirt most IDS and anti-virus systems is to change the byte frequency in the payload. Signature-only and packet-header IDS systems will not detect this. Barrier1 will detect polymorphic attacks because it has learned what a normal data payload stream looks like for the organization. Thus, when any deviation from the normal profile occurs, it is blocked and reported, while still giving a high degree of accuracy in terms of false positive and false negative measures.

Barrier1 with its Advanced Intelligence will detect polymorphic attacks. Barrier1, with its designed criteria of "Intelligence", monitors the packet header and signatures as well as the "data payload" and learns what normal traffic on your network is. In the event of an abnormal or unusual change in the data payload, packet headers, or other attack vectors, Barrier1 will alert and, if in full automation mode, block the transmission and then report.
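The byte-frequency idea described above, as an added illustration written for this page and not Barrier1's AARE implementation: a Python sketch that learns a baseline byte-frequency profile from constructed "normal" HTTP traffic, then scores new payloads by how far their distribution drifts from it. The threshold value and the sample requests are assumptions made for the example.

```python
import math
import random
from collections import Counter


def byte_histogram(payload: bytes) -> list[float]:
    """Normalised 256-bin byte-frequency profile of one payload."""
    counts = Counter(payload)
    total = len(payload) or 1
    return [counts.get(b, 0) / total for b in range(256)]


def build_baseline(samples: list[bytes]) -> list[float]:
    """Average profile of known-good payloads: the 'learned normal' the text describes."""
    hists = [byte_histogram(s) for s in samples]
    return [sum(h[b] for h in hists) / len(hists) for b in range(256)]


def deviation(payload: bytes, baseline: list[float]) -> float:
    """L1 distance between a payload's profile and the baseline (0 identical, 2 disjoint)."""
    return sum(abs(p - q) for p, q in zip(byte_histogram(payload), baseline))


def entropy_bits(payload: bytes) -> float:
    """Shannon entropy per byte; packed or encrypted payloads approach 8 bits."""
    return -sum(p * math.log2(p) for p in byte_histogram(payload) if p > 0)


def is_anomalous(payload: bytes, baseline: list[float], threshold: float = 1.0) -> bool:
    """Flag a payload whose byte distribution drifts further than the assumed threshold."""
    return deviation(payload, baseline) > threshold


# Constructed training traffic: plain HTTP requests standing in for the organisation's normal stream.
NORMAL_SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nAccept: text/html\r\n\r\n",
    b"GET /reports/q1.pdf HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nContent-Type: text/plain\r\n\r\nuser=alice",
]
BASELINE = build_baseline(NORMAL_SAMPLES)

# Constructed test inputs: one more ordinary request, and a payload whose byte frequencies
# have been scrambled (the mutation the text describes), generated from a fixed seed.
NORMAL_TEST = b"GET /about.html HTTP/1.1\r\nHost: intranet.example\r\nAccept: text/html\r\n\r\n"
MUTATED_TEST = random.Random(7).randbytes(512)

if __name__ == "__main__":
    for name, payload in (("normal", NORMAL_TEST), ("mutated", MUTATED_TEST)):
        verdict = "BLOCK" if is_anomalous(payload, BASELINE) else "allow"
        print(name, round(deviation(payload, BASELINE), 3), round(entropy_bits(payload), 2), verdict)
```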

Barrier1 Speed

Barrier1 and Speed

During the past year there has been a lot of emphasis and marketing claims on appliances increasing their speed. Barrier1 was designed for speed. Barrier1 and its groundbreaking design have always brought best-in-class speed.

Results:

  • Max Throughput: 11,797.1 Mbs
  • Avg. Top-end: 11,286.0 Mbs
  • Max Avg. Top-end Throughput/port: 940.5 Mbs
  • Concurrent TCP Capacity
    • Number of concurrent user sessions: 179
    • Number of inbound ports: 6
    • Barrier1 CPU idle: 198%
    • Barrier1 CPU usage: 2%
    • Number of errors: 0
    • Aggregate number of users to max Barrier1: 106,326
    • Total max TCP connections: 1,667,052
    • HTTP transfer rate: 647,311,500
    • IP fragmentation handling: 415,754,400
    • Illegal traffic handling: 417,604,200 bpsec. transfer rate
  • Latency (average latency by packet size)
    • 64: 197.89
    • 512: 202.11
    • 1518: 237.11
    • HTTP: 234.33

Barrier1 Stops SQL Injection

Barrier1 Stops SQL Injection Attacks

Hackers have turned their sights to SQL injection attacks. As of the end of 2008, SQL injection attacks have grown by over 50%. This style of attack is not new but signals a change. In fact, many experts are stating that SQL injection is the attack method of choice. Hackers and cyber criminals host their sites and resources on malware-laden URLs on the web. The sheer size and volume of these attacks also indicates the lack of attention and protection organizations have placed on their web sites and web applications.

Stopping SQL injection attacks requires new tools. The traditional firewall, anti-virus, URL filtering, and IDS, run as independent processes, are not going to stop an SQL injection. SQL injection was designed to get around the traditional network security protections. Most websites need to be public and therefore must allow public web traffic to communicate with your web application, generally over port 80/443. SQL is the only way the web application interacts with the database. That includes the relational databases from Oracle, Microsoft Access, MS SQL, and FileMaker Pro.
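The root cause the section describes, shown as an added example that is not part of the original page: a lookup that splices the request parameter into the SQL text, beside the parameterised form a web application should use. The in-memory SQLite table and the probe string are constructed for the example.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Vulnerable: untrusted input becomes part of the SQL text, so a quote in it becomes syntax.
    No perimeter firewall sees anything unusual here: it is ordinary traffic on port 80/443."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probe: a tautology of the kind a web application firewall is built to recognise.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe:", lookup_user_unsafe(db, TAUTOLOGY_INPUT))  # every row leaks
    print("safe:  ", lookup_user_safe(db, TAUTOLOGY_INPUT))    # no such user
```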

Barrier1 Stops Smallest Portable Executable (PE) 133 bytes

Barrier1 Stops Smallest Executables known as Portable Executables (PE 133 bytes)

Recently a county IT department found itself blocked from a web site that previously was open. The obvious question was "Why?". Today's cyber criminals continue to refine their attacks. Why not? They want the information and they do not want to get caught. Portable Executables are an integral part of the entire Microsoft OS. If you can figure out a way to control and manipulate Portable Executable files, you have access and control.

Barrier1 stops Null Byte Poisoning.

What is Null Byte Poisoning?

  • The attacker can alter the command line.
  • Replacing key areas of the string with null bytes changes the program's behavior. The null byte forces the string to end at that point.
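The truncation just described, as an added example that is not from the page or from Barrier1: a C-style string read through ctypes stops at the first NUL even though the buffer still holds every byte, and a small validator rejects such a parameter before it reaches native code. The sample parameter and function names are constructed for the example.

```python
import ctypes
from urllib.parse import unquote


def c_string_view(data: bytes) -> bytes:
    """What a C API sees: the buffer keeps all bytes (buf.raw), but reading it as a
    NUL-terminated string stops at the first 0x00, which is the truncation the text describes."""
    buf = ctypes.create_string_buffer(data)   # allocates len(data) + 1, NUL-terminated
    return buf.value


def contains_null(value: str) -> bool:
    """True if the value carries a NUL either literally or URL-encoded as %00."""
    return "\x00" in value or "\x00" in unquote(value)


def validate_filename(value: str) -> str:
    """Reject any filename-like parameter carrying a NUL, before it reaches native code."""
    if contains_null(value):
        raise ValueError("embedded null byte rejected")
    return value


# Constructed request parameter: an allowed suffix, a NUL, then a different suffix.
SAMPLE_PARAM = "report.txt\x00.jpg"

if __name__ == "__main__":
    print(c_string_view(SAMPLE_PARAM.encode()))   # b'report.txt': the '.jpg' part is lost
    try:
        validate_filename(SAMPLE_PARAM)
    except ValueError as exc:
        print("rejected:", exc)
```

Python's own os and file functions already refuse strings with embedded NULs, so the validator is worth having where input is handed to a subprocess, a C extension or a remote service that may not.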

Why Traditional Security Appliances and Individual Point Solutions do not work

  • All firewalls, including stateful firewalls, look at only 5 things.
  • IDS/IDP look only for patterns that are known.
  • Anti-virus only looks for known patterns in email.
  • Web application firewalls look only at layer 7 of the OSI model.

How Does Barrier1 Stop Null Byte Poisoning?

  • The Barrier1 "AARE Engine" learns what the requests are and compares the return strings.

It is the ability to identify the changes to a network and its traffic that give Barrier1

  • Barrier1 can inspect all 7 OSI layers in Near Real Time