A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own.…
Posted: 9 Dec 2016 | 3:57 pm
Posted: 9 Dec 2016 | 10:57 am
In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.
2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.
At the same time, 2016 saw the world begin to unite to fight back:
The No More Ransom project was launched in July, bringing togetheal Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.
This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.
What is ransomware?
Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.
“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”
GReAT, Threat Predictions for 2017
Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.
Locky ransomware has so far been spread across 114 countries #KLReportTweet
As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:
|Name||Verdicts*||percentage of users**|
|3||TeslaCrypt (active till May 2016)||Trojan-Ransom.Win32.Bitman||6.54|
* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from usersof Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.
Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.
TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReportTweet
Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals shut up shop after part of its botnet was taken down by the police.
Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.
Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.
Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.
Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReportTweet
The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.
Why bother with a file when you can have the disk?
New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.
Attackers are now targeting back-ups and hard drives – and brute-forcing passwords #KLReportTweet
The ‘manual’ infection technique
Dcrypter’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach has become significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate system.
If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.
In August we discovered a sample of Shade that had unexpected functionality: if an infected computer turned out to belong to financial services, it would instead download and install a piece of spyware, possibly with the longer term aim of stealing money.
Shade downloaded spyware if it found financial software #KLReportTweet
Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.
Many of the new ransomware Trojans detected in 2016 turned out to be of low-quality; unsophisticated, with software flaws and sloppy errors in the ransom notes.
Poor quality ransomware increases likelihood of data being lost forever #KLReportTweet
This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:
These trends are all expected to increase in 2017.
“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
GReAT, Threat Predictions for 2017
While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.
Ransomware is increasingly for hire on the criminal underground #KLReportTweet
This business model is increasingly sophisticated:
The Petya ransomware partner site
The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week thy will walk away with 106.25 Bitcoins after commission.
Petya payment table
There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39.
With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.
The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.
Criminals offer customer support to ensure more victims pay #KLReportTweet
Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.
Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.
Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.
In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes1. By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.
A business is attacked with ransomware every 40 seconds #KLReportTweet
According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.
One in five SMBs never gets their data back, even after paying #KLReportTweet
Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.
“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”
John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit
Some industry sectors are harder hit than others, but our research shows that all are at risk
There is no such thing as a low-risk sector anymore #KLReportTweet
|Industry sector||% attacked with ransomware|
Hospitals became a prime target – with potentially devastating impact as operations were cancelled, patients diverted to other hospitals and more.
Hosted desktop and cloud provider VESK paid nearly $23,000 dollars in ransom to recover access to one of its systems following an attack in September.
Leading media, including the New York Times, the BBC and AOL were hit by malware carrying ransomware in March 2016.
A small police station in Massachusetts, ended paying a $500 ransom (via Bitcoin) in order to retrieve essential case-related data, after an officer opened a poisonous email attachment.
Even motor racing was hit: a leading NASCAR racing team faced losing data worth millions to a TeslaCrypt attack in April.
The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.
A new free, AV-independent anti-ransomware tool is available #KLReportTweet
Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software. The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.
Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs, and provides proactive protection from yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by programs prove malicious.
On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.
The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million dollars in ransom demands has been saved.
No More Ransom has so far got 4.400 people their data back – and deprived criminals of $1.5 million in ransom #KLReportTweet
In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.
Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.
“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”
Steven Wilson, Head of Europol’s EC3
“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”
Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit
We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.
1Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1, 2016 and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3,2016.
Posted: 8 Dec 2016 | 12:54 am
A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App Reputation Service.) One trend noticed during this time is that it closely mirrors the path paved by traditional ransomware: like other ransomware types, mobile ransomware is constantly evolving and growing.
This research began during my time at Politecnico di Milano (POLIMI), and Trend Micro’s mobile research team has contributed substantially to this research. Below are some of the technical aspects of prominent mobile ransomware variants, along with detection techniques to help mitigate these concerns.
What makes mobile ransomware tick? Locks and Fear
From what my colleagues and I have analyzed, locking the screen and scaring victims into paying to regain access to their devices is all it takes to be successful for mobile ransomware. Let’s take a look at the most interesting techniques for screen or device locking.
Locking the screen
The SMSLocker family (detected as ANDROIDOS_SLOCKER or ANDROIDOS_SMSLOCKER) was the beginning of what we now consider Android ransomware. Originally it didn’t use encryption, but simply hid targeted files beyond the reach of everyday users. The 2015 variant used encryption with per-device keys, which made it quite difficult to create a generic “unlocker.” It mostly uses SMS for command and control (C&C) communication; some variants use Tor. The biggest contribution that SLocker made to mobile ransomware was the abuse of the Android UI API to lock the device screen. This was the first time I saw malware taking control of a device using this technique, which can be summarized as follows based on the KeyEvent.Callback API call:
Figure 1. Documentation of the onKeyDown() function in the Android package index list
Android ransomware now commonly uses this technique to make the device unusable to an inexperienced user. Rebooting does not necessarily solve the problem, especially if the malware family uses persistency techniques. However, an experienced user can still uninstall the malicious app.
The current state-of-the-art locking technique is based on abusing the device-administration APIs. The attacker can leverage it to surreptitiously change the passcode with a randomly generated one to lock the device. While the device-administration APIs have a legitimate use case (that is, allowing enterprises to manage their employees’ devices) they offer an interesting attack surface.
For instance, the sample with the hash a6dedc5f639b2e1f7101d18c08afc66d (detected as ANDROIDOS_FAKETOKEN.FCA) uses this technique. The first place to inspect is the manifest, which must declare (and ask permission for) the usage of the API methods of interest:
Figures 2 and 3. Portions of example app manifest where the device-administration API permission and policy are requested.
The manifest above is sample code from the Android developer guide. If we dig into the (disassembled and decompiled) code of the aforementioned malware sample, we find this:
Figures 4 and 5. Code snippets from the malware
We find a call to the lockNow() function to lock the device, and, on another object method, a call to the removeActiveAdmin() function, which is needed to “remove” device-administering app (i.e., the malware). Before calling the lockNow() method, ransomware samples typically call the resetPassword() function, which forcefully change the passcode. LockDroid.E uses a randomly generated passcode, which is essentially the secret information that the criminal sends to victims upon receiving the payment.
The upcoming version of Android, Android 7.0 Nougat, has a countermeasure for this. Digging into the code reveals that Nougat checks whether there is a passcode already set by the user. If that is the case, no device-admin app—regardless of whether it is legitimate or not—is allowed to change or reset it.
Figure 6. Code from Android 7.0 Nougat
The above variants and techniques provide insight into how malware developers are able to lock mobile devices via modern ransomware. So how do attackers get their victims to pay?
How Mobile Ransomware Uses Fear to Win
When talking about how ransomware uses the fear factor, one interesting family to look at is Koler (detected as ANDROIDOS_KOLER). Although a fairly standard family from a purely technical perspective, it uses an extensive distribution network with localization for about 60 countries. The obligatory ransomware “warning” appears to the victim as if it were actually coming from local law enforcement agencies. This effort in creating well-localized campaigns is, of course, intended to persuade victims to pay the requested fee.
Figure 7. Ransomware warnings in various languages (Click to enlarge)
(Images provided by Kafeine)
The English version goes along the lines of the following example:
Figure 8. English-language ransomware warning (Image provided by Kafeine)
This ransom note is accompanied by the obligatory payment screen, similar to that seen here:
Figure 9. Ransomware payment screen (Image provided by Kafeine)
Another family that must be mentioned is Svpeng (detected as ANDROIDOS_SVPENG). It may have begun as a banking Trojan, but the 2,000 samples we analyzed now exhibit the classic features of modern mobile ransomware. For instance, here is how the encryption routine works:
Figure 10. Obtaining a Cipher class
After obtaining an instance of the Cipher class, the sample loops through all the files found on the SD card and encrypts them. This effect is similar to ransomware on the Windows platform: files that have been stored on the device are now inaccessible.
Figure 11. Searching for and encrypting files on the SD card
Mobile ransomware has adapted the very same tactics that made desktop ransomware such a potent threat, raking in millions of dollars for the persons responsible. How do we detect and block these threats? That is something we will discuss in our next blog post.
Posted: 8 Dec 2016 | 12:05 am
It’s been awhile since I updated this; my apologies for the delay to those who have been asking.
Many thanks to Kafeine for his expertise and invaluable feedback!
Posted: 5 Nov 2016 | 2:27 pm
The optimistic outlook is that the internet of things will be an enabling technology that will help make the people and physical systems of the world — health care, food production, transportation, energy consumption — smarter and more efficient.
The pessimistic outlook? Hackers will have something else to hack. And consumers accustomed to adding security tools to their computers and phones should expect to adopt similar precautions with internet-connected home appliances.
“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” said Michael Walker, a program manager and computer security expert at the Pentagon’s advanced research arm. “It’s a challenge for civilization.”
To help address that challenge, Mr. Walker and the Defense Advanced Research Projects Agency, or Darpa, created a contest with millions of dollars in prize money, called the Cyber Grand Challenge. To win, contestants would have to create automated digital defense systems that could identify and fix software vulnerabilities on their own — essentially smart software robots as sentinels for digital security.
A reminder of the need for stepped-up security came a few weeks after the Darpa-sponsored competition, which was held in August. Researchers for Level 3 Communications, a telecommunications company, said they had detected several strains of malware that launched attacks on websites from compromised internet-of-things devices.
The post Stepping up security for an Internet-of-Things World appeared first on CyberESI.
Posted: 18 Oct 2016 | 7:42 am
I saw a webcast done by Peter Ewane and Javvad Malik recently. The summary of what Peter had to say and Q&A follows; you can also view the recorded webcast.
Malware can be a lot of things. It can be a virus, a worm, spyware, a Trojan horse, or ransomware. It’s basically any malicious program that you would not want on your computer.
Lately it has become common to see malware hide in the Windows Registry. Why the Windows registry? The Windows registry is quite large and complex, which means there many places where malware can insert itself to achieve persistence. A good example of this behavior is Poweliks. Poweliks sets a null entry utilizing one of the built-in Windows APIs, ZwSetValueKey, which allows it to create a registry key with an encoded data blob. I’m not sure why the Windows API allows a null entry, but it does. This is one of the many ways that malware can utilize the Windows registry to hide out, autostart, and maintain persistence on many systems.
Here’s an OTX pulse on Poweliks: https://otx.alienvault.com/browse/pulses/?q=POWELIKS
Process injection is exactly what it sounds like. It is injecting some bits of code into a running process. Malware leverages process injection techniques to hide code execution and avoid detection by utilizing known “good” processes such as svchost.exe or explorer.exe. To inject itself into known good processes, malware writers use built-in Windows APIs. One of them is setting debug. When a process sets as debug, it gains access to many of the debug API calls, such as attaching to other processes and instructing processes to allocate additional memory. Once a process has allocate more memory, then a malicious process can inject whatever code it wishes into that process.
A great example of malware that uses process injection is Poison Ivy. Poison Ivy's process injection is one of my favorites not only because it is very well known but also because it is used in many campaigns, and does process injection slightly differently than other kinds of malware. When malware allocates a chunk of memory, normally that chunk of memory is “contiguous”, so at the end of a memory block, it will allocate another memory block and inject code there. Poison Ivy does what we call “sharding.” Instead of having one giant memory block, it has a whole bunch of tiny memory blocks split all over the process and sometimes in various processes. A great example of malware that uses process injection is Poison Ivy. Poison Ivy's process injection is one of my favorites not only because it is very well known but also because it is used in many campaigns, and does process injection slightly differently than other kinds of malware. When malware allocates a chunk of memory, normally that chunk of memory is “contiguous”, so at the end of a memory block, it will allocate another memory block and inject code there.
Here’s an OTX pulse on Poison Ivy: https://otx.alienvault.com/browse/pulses/?q=poison%20ivy
Another technique related to process injection is process hollowing. ‘Hollowing’ is a process where you take a known good process and start it in a suspended state. When that code is loaded and about to execute, you scoop some of the good code out (like with an ice cream scoop). Now there is available space where a bad guy can place whatever code they like, maybe change a few headers on the top and bottom to make everything seem okay, and then restart the execution process. As far as a user knows, this process looks like a normal system process started by Windows. It is therefore much more difficult for reverse engineers and memory forensics people to analyze.
Dridex is a very good example of a malware family that often uses process hollowing. Here’s an OTX pulse on Dridex:
Process List Unlinking is another key concept. A process is anything that is running on your computer, whether it be in user space or kernel space. Process List Unlinking involves a double-linked list that contains all “active” processes. It’s important because unlinking will result in a process being hidden from all “active” tools. This can be done using ZwSystemDebugControl() or by mapping \Device\PhysicalMemory. Inside the process list is a list of every single process that is running and inside the process object is forward-pointed and backwards-pointed into the process in front of it or the process behind it to make a double-linked list.
A Flink to the process before it and then Blink to the one in front of it effectively removes the process from the list. More advanced malware will take this a step further and after they remove that process from the list, they will also write over that bit of memory, so even with memory forensics you wouldn't be able to locate that process.
There are tools that security researchers can use to find hidden malicious code, such as
This is an example bit of code that somebody would use to unlink from the process list.
Malware can also hide by manipulating the DLL list. Just like the process list, a DLL list has a double-linked list that points to the DLL in front and behind, and again just like the process lists are APIs that can be called to rewrite entries in the DLL list, remove that DLL entry and wipe out that bit of memory to help hide the malware from memory forensics or from backup tools. This is used a lot in rootkit activity. Here’s a graphic explaining DLL lists:
Here we have another example of code used to unlink from the DLL list:
You can see where it is writing over the one in front, the one behind, and then wiping out the memory and the zero memory function call. One other thing to remember about DLL and process list linking is that all that can be done from the user space, so I don't need kernel-level administrative rights.
Kernel modules are the next level down. A kernel module is any of the modules that is loaded into the kernel. Like the DLL and process list, the kernel modules have their own list that can be queried with APIs and return every kernel module that is loaded. There are also debug APIs that can remove one DLL module from the list and zero it out. This is especially important because at the kernel level when something is zeroed out it makes it lot harder to find. This access is like ring zero access - definitely associated with rootkit activity. Generally, a piece of malware will execute in user space and then try a kernel-level exploit to get kernel administrative access; it then drops the main rootkit, which would then zero itself out inside the kernel module list process list. At this point, the malware is very well hidden and it will be very difficult to find.
How Kernel Module List Unlinking Works:
JAVVAD: So most malware sandboxes can’t deal with samples that remain dormant for a considerable amount of time before execution, such as Keranger. Have any new techniques been developed to overcome this?
PETER: Yes, there are a couple of different ways to overcome that. One way to tell malware remains dormant involves a certain amount system time. One way to manipulate that is to make the time go faster on the virtual machine, so every millisecond is actually ten minutes or every millisecond is actually five hours, defeating the dormant malware by waiting it out.
JAVVAD: How can AlienVault detect the malware hiding techniques that were described in the presentation?
PETER: Excellent question. One of the ways we can detect various hiding techniques described in the presentation, is based upon Windows logging. One example of such detection would be a processes acquiring the ability to utilize the built in Windows debug capabilities. There are known "Good" applications that use those functions, but outside of them it looks suspicious when other processes outside that circle utilize those debug capabilities which when then can alert on.
JAVVAD: Do you have anything to detect CryptoLocker or any other similar type family of ransomware?
PETER: Yes, we have correlation rules for CryptoLocker and various ransomware families.
JAVVAD: Is it anything specific that makes Ransomware different to look for compared to other sorts of malware, or is it pretty much the same techniques that you use?
PETER: These techniques are more about hiding. Ransomware generally is not very good at hiding, that is not its job. Its job is to be loud and in your face. So generally we can look for that being loud and in your face or any sort of network detector, so like it is connecting to known bad domains, etcetera.
JAVVAD: Is there a tool that can utilize OTX to scan a raw memory image file for IoCs?
PETER: What I would personally recommend is while you can't import memory images into OTX yet, you can use a tool such as Volatility to pull out IP and/or domains depending on what you want to scan, and then you can cross-reference with OTX based on the information that you pull up from the memory image.
JAVVAD: What is the general turnaround time between the AlienVault team capturing a sample of the zero-day attack and actually producing signatures?
PETER: That is hard to give an exact answer to because every bit of malware is different and every zero-day is different. Sometimes it can be a couple of hours, sometimes it may take longer than that.
JAVVAD: Yes. I will just add to that, actually. Last year, Adobe released a zero-day, and actually because the IoCs were being reused from previous campaigns, effectively we were blocking that zero-day three months prior to Adobe actually publicly announcing it. So it is not always the case that zero-days produce effects.
Peter Ewane is a security researcher at AlienVault. Follow him on Twitter https://twitter.com/eaterofpumpkin
Javvad Malik is the security advocate at AlienVault. Follow him on Twitter https://twitter.com/J4vv4D
Posted: 3 Oct 2016 | 6:00 am
Posted: 23 Aug 2016 | 9:19 pm