Should I bring all my shoes and glasses?

//DePaul ISACA Meeting on Zeus – Some Thoughts

General | | 11. November, 2012

I attended an ISACA presentation at DePaul the other evening given by Eric Karshiev from Deloitte on the Zeus malware family and had a few thoughts that I wanted to post (link to the event is at the end).

First, kudos to Eric for a decent presentation even though, self-admittedly, he hasn’t done much public speaking in his career….all I can say is that it only gets easier the more you force yourself to do it.

Second, while the presentation was at the right level of technical detail for an ISACA meeting, and I don’t mean that in a derogatory way ISACA, there were also some really good questions from the students in attendance, which was very encouraging.  I do believe an important first step in defending your organization comes from a through understanding of the threats you face as well as your risk profile based on what your company does, how it does it, and your likelihood of being targeted by attackers in addition to the general opportunistic attacks we see on a daily basis.

That being said, I think there were some great questions that may not have been fully answered during the course of the presentation, and I’d like to list those here and take a shot at answering.  I took the liberty of paraphrasing some questions and consolidating them where it made sense…so here we go:

1. What is the number one attack vector for malware in the recent past?

I made this question more broad and vague as was asked in the presentation, but I did that on purpose so I could answer it a few different ways.  First, social engineering and targeting the users is nothing new, so that is has been and will be an attack vector that is used.  More specifically, client-side browser exploits utilizing vulnerabilities in the browser, and more likely the plug-ins and 3rd party apps such as Adobe and Java (as an example, the new Adobe X 0-day that was, or will be, released soon).  I think this has been standard operating procedure for attackers for the past 4 years given how insecure and under-patched many of these applications are.  We are pretty good at patching the OS layer, but not so good at patching 3rd party applications, especially as they exists on mobile laptops that aren’t always connected to the corporate network.  One thing to keep an eye on in this space is HTML5.  If it ends up being as popular as Java/Flash look for an increase in vulnerability identification and use in attacks.  Don’t believe me?  Look at all of the exploit kits out there (last time I looked at my list I had 34 of them) and look at the CVE’s related to each of the exploit kits…they range from 2004-2011 and most target Java, Flash, and PDFs.

Want to see how insecure your 3rd party apps may be?  Download and run Secunia PSI (free for personal use) and review the report.

2. Is Zeus targeted or opportunistic?  Do I need to be more concerned about protecting a C-level exec, the rest of our users, or both?

Zeus, as a MITM banking Trojan, and by necessity is an opportunistic attack.  If it can steal $5 or $5000 it doesn’t really matter.  The more systems I have compromised the more money I can make, therefore from an attackers perspective it makes sense to spread this as far and wide as I can.  I don’t mean to generalize here, but my advice is to protect all of your user’s systems in the same way when it comes to opportunistic threats.  On the other hand, you do need to be concerned about targeted attacks against executives and ensure they, and their admins, understand that they may be targeted.  For example, we trained the exec at the law firm to help them proactively identify a targeted phishing attack.  One day we received a call from an exec stating that they received an email, it didn’t look legit, and had a PDF attachment that they didn’t open.  We immediately reviewed the attached PDF and it was weaponized (although poorly) to infect the system with a dropper and connect back to C2 to get a binary.  When we looked at the content of the email message we noticed that it was unique enough to comb through all received mail message for the same email and attachment.  What we noticed was that 5 other messages like the one we had in our possession were sent, but only to executives of the firm.  On top of that, each had a weaponized PDF attachment that was different from the others but had the same dropper functionality.  The polymorphism was likely in place to evade IDS, mail filters, and AV…all of which were bypassed without issue.

3. You said AV isn’t effective given that it is signature based.  What else can we do to protect users from being infected, and if we can’t protect them how can we detect malware?

This was a great question, and the one that actually spurred me to write this post, that went unanswered (at least to my satisfaction).  Yes, part of AV detection is signature based, but so are mail filters and IDS/IPS systems.  It is true that these commodity controls can protect us from the “known” malware that is floating around the internet, but it can’t protect us from new malware…I think this is an obvious statement given the number of systems that are compromised on a regular basis.

That being said, there are some controls we can implement that aren’t signature based that can detect malware based on behavior.  Since I mentioned social engineering, it may be helpful to give our users a hand in determining the “goodness or badness” of emails they receive by ranking them.  Email analytics is a good start, and products have now sprung up that play in this space.  ProofPoint is an example of a tool that may empower your users and allow them to make better decisions about emails they receive and what to do with them.  It isn’t full-blown security data analytics, but it is a start.  Another example of a vendor in this space is FireEye with their email and web products, which can identify executable attachments in email and those received from clicking on internet links (or drive-by downloaded), analyze them in a sandbox, and make a determination of the as to their “badness”.  Damballa is also another product focused on behavior analysis of malware as it uses the network…this makes sense as malware which doesn’t communicate to its owner isn’t very valuable.  Their technology makes use of the known C2 systems as well as DGA-based malware generating many resolution requests and getting a bunch of NX’s back.  Finally, Netwitness is an invaluable tool in both monitoring and incident response as it gives the visibility into the network that we have been lacking for so many years.  And yes, there is a lot of overlap in these tools, so expect some consolidation in the coming years.

I don’t mean to push vendors as a solution and would never throw technology at a situation to fix the underlying root causes  – unpatched OS, browsers, and 3rd party applications open a nice attack surface for the bad guys.  Why do we allow our users full control of their system?  Do they all need to be admin?  We also don’t seem to be doing a great job of monitoring the network and all of the systems we own…what bothers me most is that the attackers are attacking us on home turf.  We own the battlefield and keep getting our a$$es handed to us.

4. There was a comment on the use of Palo Alto and Wildfire in relation to the use of the cloud and how that may help.

Most all of the technologies mentioned above use the same mechanism, and this is nothing new as AV vendors have been doing this since they realized they could get good intel from all of their customers.  My only caution is that the benefit realized from sending all bad binaries to a cloud service for analysis is that it is dependent on how good that analysis is.

So to close, my suggestion to anyone interested in malware prevention, detection, and analysis is that there are some great resources on the internet as well as some decent classes you can take to better understand this threat.  If analysis is your thing then I’d recommend Hacking – The Art of Exploitation and Practical Malware Analysis as some good reads.  Setup a lab at home and experiment with some of the tools and techniques used by past and current malware…nothing beats hands on work in this space as the more you know the better you are at malware identification and response.

Link  to the presentation site – http://events.depaul.edu/event/zeus_malware_family_the_dark_industry#.UJ1baoXLDEs

Comments

  • Andy Moreno says:

    Great post, Deron. Thanks for mentioning the vendors that help monitor malware and the network… especially Netwitness. I’ll see if my company is using anything related and if not, suggest that we start to.

  • Swami Rabbiteema says:

    I mentored Eric sometime ago when he worked with me in an information security department some time back at a Canuck Bank. He’s a real trooper and a passionate info sec guy.

    It’s good to know after all these years he’s giving of his time and accumulated expertise to a forum of up and coming professionals.

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    Next | Previous
    Theme made by Igor T. | Powered by WordPress | Log in | | RSS | Back to Top