Page 1: Battling Malware In The Enterprise

Ayed Alqarta | @aqarta

IT Security Consultant

Page 2

• Malware trends in 2012
• Malware Stats: State of Kuwait
• How Malware infiltrates the Enterprise Today
• Effective Malware Mitigations

Page 3

Malware News

Page 4

• Trojans for mobile platforms (SMS to premium-rate numbers, defeating SMS-based two-factor authentication, information stealing; Zeus/SpyEye)
• Malicious Trojans will spread in more innovative ways (Facebook and Twitter)
• Attacks targeting corporate networks (espionage)
• More malware attacking Mac OS (Flashback)
• Web exploit toolkits are on the rise, with more zero-day vulnerabilities

Page 5

Symantec Intelligence Quarterly: July - September, 2011 (chart)

Page 6

Symantec Intelligence Quarterly: July - September, 2011 (chart)

Page 7

Botnet C&C Activity by country (map)

Source: Umbradata. Red countries: over 1,501 vetted C&C servers.

Page 8

Top observed botnet families at multiple enterprise customers:

• Palevo.C
• Palevo.18
• Mariposa.P
• Mariposa.F
• Conficker.B
• Conficker.D
• Virut
• Sality

Page 9

Web

• Compromised websites (infected with malware)
• Malvertising (malicious ads)
• Malware websites
• Software downloads
• P2P/Torrent websites
• Social networks
• Blogs

Page 10

• Email
• Removable media
• Laptops (personal, work, vendor, contractor)
• Wireless and 3G/EDGE
• Virtual Private Network / remote access
• ATM (yes, they run Windows too!)
• Mobiles

Page 11

Malvertising (from "malicious advertising") is the use of online advertising to spread malware. Advertising networks give attackers an effective venue for reaching large numbers of computers through malicious banner ads. Such malvertisements may take the form of Flash programs that look like regular ads but contain code that attacks the visitor's system directly or redirects the browser to a malicious website. Malicious ads can also be implemented without Flash by simply changing the ad's destination after the campaign has launched.

Page 14

Exploit kits are a type of crimeware: web applications built to help attackers take advantage of unpatched vulnerabilities and compromise computers via malicious scripts planted on compromised websites. Unsuspecting users visiting those sites are redirected to a landing page that exploits browser or plugin vulnerabilities and drops banking Trojans or similar malware on the visiting computer. Most exploit kits are built on PHP with a MySQL backend and bundle exploits for the most widely used and most frequently vulnerable software, giving attackers the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.

Page 18

Defense-in-Depth: multiple layers of mixed-vendor virus scan engines

• UTM / Proxy / Spam filter
• Email server
• File server
• Endpoints

Page 19

Device & Application control

Block removable drives such as USB flash disks to prevent AutoRun attacks.

If that is not possible, allow only documents and other trusted file types to be opened from USB and block executables.

Disable AutoPlay/AutoRun in Windows. Windows 7 and later ignore autorun.inf on USB drives by default, and Microsoft back-ported that change to XP and Vista in 2011, but enforce the setting through Group Policy rather than assuming it.

Consider "secure" flash disks with an onboard antivirus engine that scans their own contents.

Page 20

Device & Application control

Use an application control solution (standalone or part of the endpoint security suite) to lock down critical systems.

Application control (whitelisting) can protect against all kinds of malware, including zero-day, because it does not depend on signatures: anything not explicitly approved is denied. Keep the allowlist tight, since path-based rules over user-writable directories and unrestricted script interpreters are the usual ways around it.
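What the two device & application control slides amount to, as one added Python example (not the slide author's code or any product's engine): a default-deny execution policy where executables on removable media never run, unknown binaries are denied without any signature being needed, and path-based trust is limited to directories users cannot write to. The drive letters, directory list, file contents and allowlist below are constructed assumptions.

```python
"""Added example (not the slide author's code): a default-deny execution
policy of the kind device-control and application-control products enforce.
Paths, drive letters, allowlist hashes and file contents are constructed for
the example; the rules themselves are the ones the slides describe."""
import hashlib
import ntpath

# Executable types (the web-filtering slide's list plus .com); everything else is a "document".
EXE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cmd", ".bat", ".sys"}
# Assumed removable drive letters as reported by the endpoint agent.
REMOVABLE_DRIVES = {"e:", "f:"}
# Directories a standard user cannot write to; path-based allow rules are safe only here.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(path: str) -> str:
    # Collapse "..\" tricks so "C:\Windows\..\Users\x\evil.exe" is judged by its real location.
    return ntpath.normpath(path).lower()


def is_executable(path: str) -> bool:
    return ntpath.splitext(normalize(path))[1] in EXE_EXTS


def on_removable_media(path: str) -> bool:
    return ntpath.splitdrive(normalize(path))[0] in REMOVABLE_DRIVES


def in_protected_dir(path: str) -> bool:
    return normalize(path).startswith(PROTECTED_DIRS)


def decide(path: str, content: bytes, allowlist: set) -> tuple:
    """Return ('allow' | 'deny', reason) for an open/execute request."""
    if not is_executable(path):
        return "allow", "document or data file"          # documents may be opened, even from USB
    if on_removable_media(path):
        return "deny", "executable on removable media"   # device control: nothing launches from USB
    if sha256_hex(content) in allowlist:
        return "allow", "hash on allowlist"
    if in_protected_dir(path):
        return "allow", "trusted system directory"
    return "deny", "not on allowlist"                    # unknown code, zero-day included, stops here


# Constructed file contents: one approved tool and one never-seen-before dropper.
APPROVED_TOOL = b"MZ\x90\x00constructed approved admin tool"
NEW_DROPPER = b"MZ\x90\x00constructed never-seen-before dropper"
ALLOWLIST = {sha256_hex(APPROVED_TOOL)}


def demo() -> dict:
    """Run the policy over constructed requests; returns {path: (verdict, reason)}."""
    cases = [
        ("C:\\Windows\\System32\\calc.exe", b"MZ calc"),
        ("C:\\Users\\bob\\Downloads\\admintool.exe", APPROVED_TOOL),
        ("C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.pdf.exe", NEW_DROPPER),
        ("C:\\Windows\\..\\Users\\bob\\evil.exe", NEW_DROPPER),
        ("E:\\autorun.exe", APPROVED_TOOL),   # even an approved hash does not run from USB
        ("E:\\quarterly_report.docx", b"PK constructed document"),
    ]
    return {path: decide(path, content, ALLOWLIST) for path, content in cases}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict[0]:5}  {path:55}  {verdict[1]}")
```

The order of the checks is the policy: removable media is refused before the allowlist is consulted, and the path rule is consulted only after the hash rule, so a dropper in a user-writable directory is denied even though it has never been seen before.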

Page 21

Patch management (OS/Browsers/Apps)

• Stay up to date with patch information from vendor and vulnerability sources
• Download patches from the vendor and verify their authenticity (signatures or published hashes) before testing them
• Install security and critical patches/service packs for the OS and 3rd-party applications
• Maintain a test environment to validate patches before approving them for production systems
• Generate reports of the various patch management tasks
• Monitor patching progress across the enterprise

Page 22

Patch management (OS/Browsers/Apps)

Top attacked applications by web exploit kits (chart; source: Kaspersky)

Page 23

Patch management (3rd Party Apps)

• Java Run Time Environment (JRE)

• Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player

• Mozilla Firefox

• Mozilla Thunderbird

• Google Chrome

• Apple Safari, iTunes, QuickTime

• Microsoft Internet Explorer

• Microsoft Office

• RealNetworks RealPlayer
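The patch-management steps on the last three slides come down to comparing what is installed against an approved baseline. An added Python example, not from the slides: the baseline versions, host names and inventory rows are constructed for illustration, and the point it shows is the version-comparison pitfall (string comparison puts "9.0" above "17.0") that silently makes such reports wrong.

```python
"""Added example (not the slide author's code): checking an application
inventory against the minimum patched versions the patch team has approved.
Version numbers, host names and the baseline are constructed for illustration,
not taken from real advisories."""
import re


def parse_version(v: str) -> tuple:
    """'1.7.0_09' -> (1, 7, 0, 9); '11.5.502.110' -> (11, 5, 502, 110).
    Tuples of ints compare numerically, avoiding the string trap '1.9' > '1.10'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(installed: str, minimum: str) -> bool:
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    # Pad with zeros so '1.7' and '1.7.0' are equal instead of '1.7' sorting lower.
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


# Constructed baseline: application -> lowest version the patch team has approved.
BASELINE = {
    "Java Runtime Environment": "1.7.0_09",
    "Adobe Reader": "10.1.4",
    "Adobe Flash Player": "11.5.502.110",
    "Mozilla Firefox": "17.0",
}

# Constructed inventory rows (host, application, installed version) as an agent export would give them.
INVENTORY = [
    ("ws-001", "Java Runtime Environment", "1.6.0_33"),
    ("ws-001", "Adobe Reader", "10.1.4"),
    ("ws-002", "Adobe Flash Player", "11.4.402.287"),
    ("ws-002", "Mozilla Firefox", "17.0.1"),
    ("ws-003", "Mozilla Firefox", "9.0"),
    ("ws-003", "RealNetworks RealPlayer", "15.0.6"),
]


def patch_report(inventory: list, baseline: dict) -> list:
    """Rows needing action: outdated installs, plus applications with no approved baseline."""
    report = []
    for host, app, installed in inventory:
        minimum = baseline.get(app)
        if minimum is None:
            report.append((host, app, installed, "no baseline"))
        elif is_older(installed, minimum):
            report.append((host, app, installed, f"below {minimum}"))
    return report


if __name__ == "__main__":
    for row in patch_report(INVENTORY, BASELINE):
        print("\t".join(row))
```

Applications with no baseline are reported rather than skipped: an inventory entry the patch process does not know about is exactly the unpatched third-party component exploit kits go after.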

Page 24

Vulnerabilities Research Resources

• http://technet.microsoft.com/en-us/security/bulletin
• http://www.kb.cert.org/vuls/
• http://secunia.com/community/advisories/
• http://www.symantec.com/security_response/landing/vulnerabilities.jsp
• http://tools.cisco.com/security/center/publicationListing
• http://www.vupen.com/english/security-advisories/
• http://www.us-cert.gov/current/
• http://www.adobe.com/support/security/
• http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/index.xhtml

Page 25

Web filtering

• Block access to malicious and high-risk categories (Malware, Phishing, Botnet C&C, Compromised Websites, Malware Hosting, Advertisements, Pornography, Dynamic DNS, Social Networks, Games, Computer Software, Uncategorized)
• The proxy must include an antivirus/antispyware engine to scan downloaded files
• Block downloads of suspicious file types (.exe, .cmd, .pif, .bat, .scr, .dll, .sys); match on the real file name and content, not only the URL, since renamed or archived executables slip past a plain extension check
• Generate reports and warn the top policy violators
• Manually block domains/URLs that the vendor has not categorized (local blocklist)
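An added Python example (not the slides' or any proxy vendor's code) of the suspicious-download check from this slide, extended beyond the URL extension match to the Content-Disposition file name and the PE magic bytes at the start of the response, since those are the two places a renamed or indirectly served executable shows up. All URLs, headers and response bytes are constructed.

```python
"""Added example (not the slide author's code): the download-blocking check a
web proxy policy should perform. The extension list is the slide's; URLs,
headers and response bodies are constructed for the example."""
import posixpath
import re
from urllib.parse import unquote, urlparse

# Extension list from the slide; a real policy would add .msi, .jar, .vbs, .js, .hta and archives.
BLOCKED_EXTS = {".exe", ".cmd", ".pif", ".bat", ".scr", ".dll", ".sys"}
PE_MAGIC = b"MZ"  # DOS/PE header that starts every Windows executable and DLL


def filename_from_url(url: str) -> str:
    # urlparse drops the ?query part, unquote turns 'app%2Eexe' back into 'app.exe'.
    return posixpath.basename(unquote(urlparse(url).path))


def filename_from_headers(headers: dict) -> str:
    """File name the server asks the browser to save as (Content-Disposition)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cd = lowered.get("content-disposition", "")
    m = re.search(r'filename\*?=(?:"([^"]*)"|([^;]*))', cd, re.I)
    if not m:
        return ""
    name = m.group(1) if m.group(1) is not None else m.group(2)
    # Strip any directory part so '..\\evil.exe' is judged by its base name only.
    return posixpath.basename(name.strip().replace("\\", "/"))


def has_blocked_extension(name: str) -> bool:
    # Only the final suffix counts: 'invoice.pdf.exe' is an .exe, whatever it pretends to be.
    return posixpath.splitext(name.lower())[1] in BLOCKED_EXTS


def should_block(url: str, headers: dict, first_bytes: bytes) -> tuple:
    """Return (blocked, reason). first_bytes is the start of the response body."""
    candidates = (
        ("url", filename_from_url(url)),
        ("content-disposition", filename_from_headers(headers)),
    )
    for source, name in candidates:
        if name and has_blocked_extension(name):
            return True, f"blocked extension in {source}: {name}"
    if first_bytes.startswith(PE_MAGIC):
        return True, "PE header (MZ) in body regardless of file name"
    return False, "allowed"


if __name__ == "__main__":
    samples = [  # constructed requests: (url, response headers, first body bytes)
        ("http://cdn.example/setup.EXE?download=1", {}, b"MZ\x90\x00"),
        ("http://cdn.example/files/invoice.pdf.exe", {}, b"MZ\x90\x00"),
        ("http://cdn.example/app%2Eexe", {}, b"MZ\x90\x00"),
        ("http://cdn.example/download?id=42",
         {"Content-Disposition": 'attachment; filename="update.exe"'}, b"MZ\x90\x00"),
        ("http://cdn.example/photo.jpg", {}, b"MZ\x90\x00"),
        ("http://cdn.example/report.pdf", {}, b"%PDF-1.4"),
    ]
    for url, headers, body in samples:
        print(should_block(url, headers, body), url)
```

The magic-byte check is what catches `photo.jpg` carrying a PE image; the antivirus engine on the proxy then decides what it is, but the extension policy alone would have let it through.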

Page 26

Geo-based filtering (top malware-hosting countries)

• Block inbound/outbound traffic to and from these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru)
• UTM/proxy logs of blocked connections help detect possible infections
• This filtering stops or reduces spam, malware, malicious websites and phishing
• A proactive technique, but a coarse one: keep exceptions for business partners and CDNs, and remember that malware is also hosted on compromised servers in countries you do not block

Page 27

Threat Intelligence Feeds / Blacklists

• Integrate threat feeds with the security products in the enterprise to block traffic from/to bad-reputation hosts
• Proactively secure the network from zero-day threats without relying on signatures
• Threat intelligence can be integrated with SIEM tools
• Threat feeds will contain:
  ▪ Malicious code senders
  ▪ Spam senders
  ▪ Phishing senders
  ▪ Botnet C&C servers
  ▪ Compromised hosts
  ▪ Malware domains
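An added Python example, not the slide author's code, covering both the previous slide's point that UTM/proxy logs reveal infections and this slide's feed integration: it loads a constructed threat feed of domains, single IPs and CIDR ranges and matches it against constructed Squid-format proxy log lines (RFC 2606 .example names, TEST-NET addresses). Subdomains of a listed domain match; look-alike names such as notevil-cdn.example do not.

```python
"""Added example (not the slide author's code): matching a threat feed against
proxy logs to find internal hosts talking to bad-reputation destinations.
Feed entries, log lines, host names and addresses are all constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed feed, one indicator per line: "<domain | ip | cidr>  <category>".
FEED = """\
# comments and blank lines are ignored
cc.bad.example        botnet_cc
evil-cdn.example      malware_domain
198.51.100.0/24       compromised_host
203.0.113.7           phishing_sender
"""

# Constructed proxy log lines in Squid native format:
# time elapsed client status bytes method url user hierarchy/peer type
LOG = """\
1325376000.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://update.evil-cdn.example/x.bin - DIRECT/203.0.113.9 application/octet-stream
1325376001.456 12 10.0.0.7 TCP_MISS/200 512 GET http://www.notevil-cdn.example/ - DIRECT/192.0.2.10 text/html
1325376002.789 30 10.0.0.5 TCP_MISS/200 200 POST http://cc.bad.example/gate.php - DIRECT/192.0.2.20 text/plain
1325376003.000 8 10.0.0.9 TCP_MISS/200 300 GET http://mirror.example/index.html - DIRECT/198.51.100.77 text/html
1325376004.000 8 10.0.0.11 TCP_MISS/200 300 GET http://intranet.example/ - DIRECT/10.1.1.1 text/html
"""


def load_feed(text: str) -> tuple:
    """Split a feed into {domain: category} and [(ip_network, category)]."""
    domains, networks = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        indicator, category = line.split()
        try:
            networks.append((ipaddress.ip_network(indicator, strict=False), category))
        except ValueError:  # not an address or CIDR, so treat it as a domain
            domains[indicator.lower().rstrip(".")] = category
    return domains, networks


def match_domain(host: str, domains: dict):
    """evil.example matches evil.example and a.b.evil.example, never notevil.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def match_ip(ip: str, networks: list):
    addr = ipaddress.ip_address(ip)
    for net, category in networks:
        if addr in net:
            return str(net), category
    return None


def scan(log_text: str, feed_text: str) -> list:
    """Return (client, requested host, matched indicator, category) for every hit."""
    domains, networks = load_feed(feed_text)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hierarchy = fields[2], fields[6], fields[8]
        host = urlparse(url).hostname or ""
        peer = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
        hit = match_domain(host, domains)
        if not hit and peer:
            try:
                hit = match_ip(peer, networks)  # the server actually contacted, not just the name
            except ValueError:
                hit = None
        if hit:
            hits.append((client, host, hit[0], hit[1]))
    return hits


def suspected_infections(hits: list) -> list:
    """Internal clients worth isolating, derived from the hits."""
    return sorted({client for client, *_ in hits})


if __name__ == "__main__":
    for hit in scan(LOG, FEED):
        print(hit)
    print("isolate:", suspected_infections(scan(LOG, FEED)))
```

Matching the peer address as well as the host name is what flags the `mirror.example` request: the name is clean, but the server it resolved to sits in a listed range, which is how a compromised mirror or a fast-flux domain shows up.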

Page 28

Malware Forensics Dojo

Learn from an experienced malware expert

Practical skills and applicable knowledge

Real world scenarios from the field

Page 29

Thank you

@aqarta [email protected]