battling malware in the enterprise

Ayed Alqarta | @aqarta

IT Security Consultant

Malware trends in 2012 Malware Stats: State of Kuwait How Malware infiltrates Enterprise Today Effective Malware Mitigations

Malware Newsws

Trojans for mobile platforms (SMS to premium ###, defeat SMS-based dual-factore info stealing, Zeus/SpyEye)

Malicious Trojans will spread in more innovative ways. (Facebook and twitter)

Attacks targeting corporate networks (Espionage) More malware attacking Mac OS (Flashback) Web exploits toolkits are on the rise with more zer0-

day vulnerabilities

Symantec Intelligence Quarterly: July - September, 2011

Symantec Intelligence Quarterly: July - September, 2011

Botnet C&C Activity by country

Source: Umbradata Red countries: over 1,501 vetted C&C

Top observed botnet families at multiple enterprise customers: Palevo.C

Palevo.18

Mariposa.P

Mariposa.F

Conficker.B

Conficker.D

Virut

Sality

• Compromised websites (infected with malware)

• Malvertising (Malicious Ads)

• Malware websites

• Software downloads

• P2P/Torrent websites

• Social Networks

• Blogs

Web

Email

Removable Media

Laptops (Personal,

Work, Vendor, Contractor)

Wireless and 3G/Edge

Virtual Private Network /

Remote Access

ATM (Yes, they run Windows

too !)

Mobiles

Malvertising (from "malicious advertising") is the use of online advertising to spread malware. Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads. Such malvertisements may take the form of Flash programs that look like regular ads, but contain code that attacks the visitor's system directly or redirects the browser to a malicious website. Malicious ads can also be implemented without Flash by simply redirecting the destination of the ad after the launch of the campaign.

Exploit kits A type of crimeware Web application developed to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer. Most exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.

UTM Proxy Spam Filter

Email Server

File Server

Endpoints

Multiple layers of mixed-vendor virus scan engines

Defense-in-Depth

Device & Application control

Block removable drives like “USB Flash” disks to prevent AutoRun attacks.

If not possible, only allow documents and trusted files to run from USB, except executables.

Disable the “Auto Play” functionality in Windows.

Consider using “Secure Flash disk”, which has onboard antivirus scan engine to protect it against malware.

Device & Application control

Use App control solution (standalone / apart of endpoint security) to lockdown critical systems.

App control policy can protect against all kind of malware including zer0-day, since there is no need for signatures (Whitelisting).

Patch management (OS/Browsers/Apps) Be up-to-date with latest patch related information from

various source

Download patches and run extensive tests to validate the authenticity and accuracy of patches

Install security and critical patches/service packs for OS and 3rd party applications.

Maintain a testing environment to test patches before approving them to production systems.

Generate reports of various patch management tasks

Monitor the patching progress in the enterprise

Patch management (OS/Browsers/Apps)

Top Attacked applications by web exploit kits

Kaspersky

Patch management (3d Party Apps)

• Java Run Time Environment (JRE)

• Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player

• Mozilla Firefox

• Mozilla Thunderbird

• Google Chrome

• Apple Safari, iTunes, QuickTime

• Microsoft Internet Explorer

• Microsoft Office

• RealNetworks RealPlayer

Vulnerabilities Research Resources

http://technet.microsoft.com/en-us/security/bulletin http://www.kb.cert.org/vuls/ http://secunia.com/community/advisories/ http://www.symantec.com/security_response/landing/vulnerabi

lities.jsp http://tools.cisco.com/security/center/publicationListing http://www.vupen.com/english/security-advisories/ http://www.us-cert.gov/current/ http://www.adobe.com/support/security/ http://www.verisigninc.com/en_US/products-and-

services/network-intelligence-availability/idefense/public-vulnerability-reports/index.xhtml

Web filtering Block access to malicious domains (Malware, Phishing, Botnet C&C,

Compromised Websites, Malware hosting, Advertisements, Pornography, Dynamic DNS, Social Networks Games, Computer Software, Uncategorized)

Proxy must include an antivirus/antispyware engine to scan downloaded files

Block downloading suspicious files (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)

Generate reports and warn top policy violators

Manually block domains/URLs which are not-categoriezed by vendor (blocklist)

Geo-based filtering (top-malware hosting countries) Block inbound/outbound to these countries (China, Russia, Korea,

Brazil, Thailand, Taiwan, Japan, Poland, Peru)

Logs (UTM/Proxy) will help detecting possible infections

This filtering will stop/decrease (SPAM, Malware, Malicious websites, Phishing)

A proactive security technique to prevent threats

Threat Intelligence Feeds / Blacklists Integrate threat feeds with security products in the enterprise

to block traffic from/to bad reputation hosts

Proactively secure the network from zer0-day threats without relying on signatures

Threat intelligence can be integrated with SIEM tools

Threat feeds will contain: ▪ Malicious code senders

▪ Spam senders

▪ Phishing senders

▪ Botnet C&C servers

▪ Compromised Hosts

▪ Malware Domains

Battling Malware in The Enterprise Malware Forensics Dojo

Learn from an experienced malware expert

Practical skills and applicable knowledge

Real world scenarios from the field

Thank you

@aqarta a.qarta@gmail.com