Tag Archives: anti-malware

Rethinking the Patch Strategy in the ICS Domain

5 February 2017

In the past weeks I reviewed several drafts on Industrial Control System (ICS) security. Although of limited value in the ICS Domain, patching and malware protection are key issues of all drafts.

Especially the patch process, which works reasonably well in the office IT domain, cannot be applied directly to ICS systems, because ICS systems cannot simply be rebooted to apply a patch.

[Figure: Industrial control system patch cycle]

To reboot an ICS system a shutdown of the process is required. In the worst case, the operators have to wait several weeks or months for the next scheduled plant maintenance to implement the patch and to reboot the ICS. During this time the ICS is more vulnerable to the threats mitigated by the patch.

With this, we have to design and operate our ICS systems and networks so that they are resilient against cyber-attacks until the next scheduled maintenance.

The following are examples of technical measures:

  • Isolation of ICS and SCADA systems in secured network zones inside the production network and strict flow control across security devices between the zones are basic design principles for creating robust systems.
  • A secure remote maintenance solution which is completely under the control of the plant operators, ideally a rendezvous solution that keeps the external service provider in the DMZ.
  • A secure and controlled remote access solution for plant operators.
  • Strict Network Access Control in the entire production network to increase resilience against internal attackers.
  • No Internet access and personal email in the entire production network. This is a quick win! The same holds for the deactivation of USB disk devices.

Have a good weekend.

Policies are an effective means for dealing with malware

5 March 2016

This week I was flooded with spear phishing emails in the office. Most of them dealt with late payment of invoices. In every case the attackers requested that the recipient study an attached file and take immediate action to avoid the accrual of penalties.

Fortunately, the anti-virus scanner on the email gateway removed the payload from the attached zip files and filed the emails in the junk folder:

--------Begin Virus scanner message-----------------------------------------------
The company security policies do not allow to transfer file attachments of the specified type.
Removed attachment(s): B56d48d430000.000000000001.0004.mml; invoice_kOUEsX.js
--------End Virus scanner message-------------------------------------------------

It is important to note that the virus scanner removed the attachments because the company policy does not allow the transfer of such files by email. For the exchange of JavaScript files with a partner, other secure communication channels must be used.

This reduces the inherent risk of classic, pattern-based anti-malware systems: unwanted attachments are removed even if the anti-malware system has not yet identified them.

Sending the payload in nested zip files is a commonly used technique to outsmart antivirus systems. Therefore, it is very important to let the antivirus system do in-depth scans of all attachments, even though many users will complain because in-depth scans delay the delivery of emails by some seconds. If an antivirus system cannot handle nested archives, simply remove all content from the outer archive. A few more false positives are better than rebuilding hundreds of computers in the company network.

The malicious JavaScript attachment invoice_kOUEsX.js is identified by 33 of 55 antivirus systems on VirusTotal.com. Microsoft Defender identifies the file as TrojanDownloader:JS/Nemucod. And as always, the few relevant lines of code are hidden in a mess of statements.

Have a good weekend.

Hollywood Presbyterian Medical Center Victim of Cyber Attack

20 February 2016

Hollywood Presbyterian Medical Center was hit by a ransomware attack around February 5th. At almost the same time some hospitals in Germany were hit by a similar attack.

In both cases the attack was initiated by emails with malicious attachments. In both cases the impact was nearly the same: hospital operations came almost to a halt. And in both cases the IT groups were able to prevent the worst by rapid and effective intervention.

IT operations, and thus medical operations, were massively hampered for some days because the malware rapidly changed its code. In such cases pattern-based anti-malware systems have only a limited effect on the recovery of IT operations.

From my point of view, an effective ISMS is the best way to deal with ransomware. And the way the IT groups dealt with the attack shows that they have an ISMS, or something similar, implemented and practiced.

Hospitals are becoming increasingly dependent on a fully operational IT infrastructure. Even a shutdown of some days is hardly possible. Therefore, we need an entirely new approach for providing services to hospital staff.

Spear phishing attacks, drive-by downloads, JavaScript attacks, etc. are omnipresent today. Thus computers are potentially compromised simply because they are connected to the internet. This holds even if the computers are operated inside a company network only.

The ‘trusted computer in a trusted company network’ paradigm is no longer relevant. A shift to the ‘zero trust’ paradigm is imperative to prevent unacceptable outages.

The good news is that the technology for implementation of a ‘zero trust’ paradigm is ready today:

The hospital IT systems are isolated in a Core Data Services Network (CDSN). Access to the CDSN is provided via virtual desktops. The Virtual Desktop Infrastructure (VDI) is hosted in the CDSN. Email and internet access are blocked in the CDSN, as is data exchange between the virtual desktops and the user workstations. Data exchange between the CDSN and the user workstations is controlled through secure gateways. Only the user workstations or smart devices have access to the internet and the company’s email system, which remains outside the CDSN.

This is just a blueprint. With Software Defined Networking it’s easier to implement today.

The big advantage is that, even if a user’s workstation is compromised, the likelihood of an impact on the hospital’s IT systems and data in the CDSN is dramatically reduced. And recovery from a ransomware attack is very easy: run a fresh installation of Windows on the compromised computer. Sounds easy, doesn’t it?
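The two designs described on this page, ICS/SCADA zones behind strict flow control (first post) and a hospital CDSN reachable only through a VDI broker and secure gateways (this post), share one principle: default deny between zones, with a short explicit allow list. The following added example (my code, not from the original posts) models that principle as a rule table and asks the question the post raises: how far can a compromised workstation get? Zone names, ports and rules are constructed for illustration.

```python
"""Default-deny zone policy with a reachability ("blast radius") check.

Added example, not code from the original posts. Zone names, ports and rules
are constructed; the segmented table mirrors the CDSN blueprint, the flat
table a network without zones.
"""
from collections import deque

# Allow rules: (src_zone, dst_zone, proto, port); "*" matches any port.
# Any flow not matched by a rule is denied (default deny).
SEGMENTED_RULES = [
    ("workstation", "internet", "tcp", 443),
    ("workstation", "internet", "tcp", 80),
    ("workstation", "mail", "tcp", 993),
    ("workstation", "vdi_broker", "tcp", 443),   # only the VDI session broker
    ("vdi_broker", "cdsn", "tcp", 443),          # display protocol into the CDSN
    ("cdsn", "gateway", "tcp", 443),             # controlled data exchange, outbound only
]

# A flat network in which workstations talk to clinical systems directly.
FLAT_RULES = [
    ("workstation", "internet", "tcp", "*"),
    ("workstation", "mail", "tcp", "*"),
    ("workstation", "cdsn", "tcp", "*"),
    ("cdsn", "gateway", "tcp", 443),
]


def is_allowed(rules, src, dst, proto, port):
    """First matching allow rule wins; no match means deny."""
    for r_src, r_dst, r_proto, r_port in rules:
        if (r_src, r_dst, r_proto) == (src, dst, proto) and r_port in ("*", port):
            return True
    return False


def direct_ports(rules, src, dst):
    """Ports a host in src may open directly towards dst ('*' = any)."""
    return {r_port for r_src, r_dst, _, r_port in rules if (r_src, r_dst) == (src, dst)}


def shortest_path(rules, start, target):
    """Shortest chain of zones an attacker would have to traverse (and
    compromise one by one) to get from start to target; None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for r_src, r_dst, _, _ in rules:
            if r_src == zone and r_dst not in parent:
                parent[r_dst] = zone
                queue.append(r_dst)
    return None


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "workstation->cdsn ports:", direct_ports(rules, "workstation", "cdsn"),
              "path:", shortest_path(rules, "workstation", "cdsn"))
```

In the flat table a compromised workstation reaches the clinical systems directly on any port; in the segmented table it has no direct route at all and would first have to take over the VDI broker, through a single port. That difference is what the post means by a dramatically reduced likelihood of impact.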

Have a good weekend.

TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMware with Windows 8.1 64-bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks always follow the same pattern:

[Figure: Development of a Cyber Attack]

[1] Attract the reader’s attention.

[2] Get the reader to extract and execute the malware, which is disguised as an innocuous PDF or HTML file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the user’s secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately a small part of the e-mails, with well-camouflaged malware attachments or new variants of malware, reach the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware, one would expect the heuristic scanners of the anti-malware systems to be able to detect and sanitize the attachments while they are downloaded from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5-star rating in a comprehensive test last November. I ran the program at protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m., 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware, Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

[Figure: Defender Report]

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought I had bought one of the best anti-malware systems, but 6 months later it is simply unable to detect variants of old Trojans. It’s time to switch back to Defender and to write off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!


Appendix: virustotal.com check results as of 19 June 2015

Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AVG Generic_s.EUO 20150619
AVware Trojan-Downloader.Win32.Upatre.ic (v) 20150619
Ad-Aware Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
Arcabit Trojan.Generic.D261032 20150619
Avira TR/Agent.68096.251 20150619
Baidu-International Trojan.Win32.Upatre.bkby 20150619
BitDefender Trojan.GenericKD.2494514 20150619
CAT-QuickHeal TrojanDownloader.Upatre.r3 20150619
Cyren W32/Upatre.AT.gen!Eldorado 20150619
DrWeb Trojan.Upatre.3504 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
Emsisoft Trojan.GenericKD.2494514 (B) 20150619
F-Prot W32/Upatre.AT.gen!Eldorado 20150619
F-Secure Trojan.GenericKD.2494514 20150619
Fortinet W32/Waski.A!tr 20150619
GData Trojan.GenericKD.2494514 20150619
Ikarus PUA.Bundler 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Malwarebytes Trojan.Downloader.Upatre 20150619
McAfee Upatre-FACH!9B004AD1DBB5 20150619
McAfee-GW-Edition BehavesLike.Win32.Dropper.km 20150619
MicroWorld-eScan Trojan.GenericKD.2494514 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Panda Trj/Genetic.gen 20150619
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20150619
Rising PE:Trojan.Win32.Generic.18C77685!415725189 20150618
Sophos Troj/Dyreza-FP 20150619
Symantec Downloader.Upatre!gen5 20150619
Tencent Trojan.Win32.Qudamah.Gen.2 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
VIPRE Trojan-Downloader.Win32.Upatre.ic (v) 20150619
nProtect Trojan.GenericKD.2494514 20150619
AegisLab 20150619
Agnitum 20150619
Alibaba 20150619
Antiy-AVL 20150619
Avast 20150619
Bkav 20150619
ByteHero 20150619
CMC 20150618
ClamAV 20150619
Comodo 20150619
Jiangmin 20150618
K7AntiVirus 20150619
Kingsoft 20150619
NANO-Antivirus 20150619
SUPERAntiSpyware 20150619
TheHacker 20150619
TotalDefense 20150619
TrendMicro 20150619
VBA32 20150619
ViRobot 20150619
Zillya 20150619
Zoner 20150619

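The detection counts quoted in this post (29 of 57, then 35 of 57, with Trend Micro absent each time) come from reading a VirusTotal result table like the appendix above by hand. The following added example (my code, not from the original post or from VirusTotal) parses that text layout, counts detections, lists the engines that missed the sample and checks one vendor. The embedded rows are an excerpt of the appendix; the assumed format is one engine name, an optional free-text result and an eight-digit date per line.

```python
"""Parse a VirusTotal-style 'Antivirus Result Update' text table.

Added example, not code from the original post. VT_EXCERPT is a subset of
the appendix rows shown on the page; the parser assumes each line is
'<engine> [<result>] <yyyymmdd>' with engine and date as single tokens.
"""
import re

VT_EXCERPT = """\
Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Sophos Troj/Dyreza-FP 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
Avast 20150619
ClamAV 20150619
TrendMicro 20150619
Zoner 20150619
"""

# engine, optional result (may contain spaces), trailing yyyymmdd date
LINE_RE = re.compile(r"^(?P<engine>\S+)\s+(?:(?P<result>.*?)\s+)?(?P<date>\d{8})$")


def parse_vt_table(text):
    """Return a list of (engine, result_or_None, date) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):   # skip blank lines and header
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rows.append((m["engine"], m["result"] or None, m["date"]))
    return rows


def detection_summary(rows):
    """Counts plus the names of engines that reported nothing."""
    detected = sum(1 for _, result, _ in rows if result)
    missed = [engine for engine, result, _ in rows if not result]
    return {"total": len(rows), "detected": detected, "missed": missed,
            "rate": detected / len(rows) if rows else 0.0}


def engine_verdict(rows, engine):
    """Result string of one engine (case-insensitive name match), None if it missed."""
    for name, result, _ in rows:
        if name.lower() == engine.lower():
            return result
    return None


def family_mentions(rows, family):
    """How many engines name the given malware family in their result."""
    return sum(1 for _, result, _ in rows if result and family.lower() in result.lower())


if __name__ == "__main__":
    rows = parse_vt_table(VT_EXCERPT)
    summary = detection_summary(rows)
    print(f"{summary['detected']} of {summary['total']} engines detected the sample")
    print("missed by:", ", ".join(summary["missed"]))
    print("TrendMicro:", engine_verdict(rows, "TrendMicro"))
    print("engines naming Upatre:", family_mentions(rows, "upatre"))
```

Run against the full appendix, the same functions give the 35 of 57 the post reports; the family count is a quick way to see that engines which do detect the sample largely agree on what it is, which is the point of the post's remark that the Upatre rename "is not relevant".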

HTTPS encryption for all federal websites requires new endpoint protection concepts

13 June 2015

Starting in 2017, all federal websites that are publicly accessible in the US should have HTTPS encryption as the standard secure communication protocol.

This directive, issued by the White House Office of Management and Budget (OMB), is a real game-changer because it makes it harder for attackers to intercept sensitive communications or to steal personal data that is entered on federal websites.

I just finished my preparations for my ISO 27001 Information Security Officer exam when I read the announcement in a LIFARS post. ISO 27001 deals with cryptographic controls in Annex 10.1. In the related chapter A.10.1 of ISO 27002 you learn:

When developing a cryptographic policy the following should be considered:

g. the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).

Encryption means death for all traditional malware protection systems. Traditional malware detection tries to match patterns in a data stream against patterns stored in the pattern database of the anti-malware system. Since the patterns in the data stream are encrypted, matches are no longer found. Game over!

This has only a minor impact on enterprises. They can use already-available technology that breaks the SSL encryption for inspection, but this is too expensive for end users.

Vendors of endpoint protection systems have to develop new concepts to protect consumers from unknown malware hidden in the encrypted data stream. And federal agencies have to increase their efforts to make sure that data exchanged through their websites does not contain malware.

‘HTTPS everywhere’ is indeed a real game-changer. Hopefully someone in the OMB has thought of the impact on endpoint protection.

Don’t panic… and have a good weekend.

Some thoughts on Email Filtering and Anti-Spam

14 March 2015

I fully agree with Paul Kubler’s post ‘Here’s Why Email Filtering Needs to be More than Just Anti-Spam’ published last Friday on LIFARS.

In my opinion we have to tackle this problem from at least 3 sides.

First of all it is time for the e-mail providers to take action. In my post about free email providers I showed that none of the major German providers use properly configured anti-malware systems. I estimate that the number of phishing attacks could decrease by 90% if the email providers would just reject all mails with malicious content or attachments at the time they are submitted.

Second, it is important to spark the users’ attention. Awareness campaigns, with well-made but harmless phishing attacks and direct feedback, will raise attention and save a lot of hassle. Train the users to identify the main features of phishing attacks and the proper countermeasures to take.

Finally, we can implement some technical measures to support the users to act correctly in the case of malicious email:

  • Configure your email client program to display all mails in plain text.

In this case all links are displayed in plain text. Even an inexperienced user can see that the link is not part of the sender’s domain and is most likely part of a cyber-attack.

[Figure: Sample phishing mail displayed in plain text format]

  • Turn off attachment preview.

A previewer must read an attachment for display. In the worst case malicious code included in an attachment is executed and compromises your system.

  • Turn on SmartScreen filtering.

SmartScreen Filtering will block access to known malicious sites.
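The first measure works because a plain-text view shows the real target of every link next to (or instead of) the friendly text the attacker chose. The following added example (my code, not from the original post) does the same check programmatically for an HTML mail body: it pairs each anchor's visible text with the host it actually points to and flags targets outside the sender's domain, which is what the screenshot above lets a user see by eye. The sample message and all domains are constructed placeholders.

```python
"""Expose where the links in an HTML mail really lead, as a plain-text view does.

Added example, not code from the original post. SAMPLE_HTML and the sender
address are constructed; domains are placeholders. The registrable-domain
helper is deliberately crude (last two labels) and would use the public
suffix list in production code.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_SENDER = "service@paybank.example"          # constructed
SAMPLE_HTML = """<p>Your invoice is overdue.</p>
<p><a href="http://login.paybank.example/account">Log in</a> to review it, or open
<a href="http://paybank-secure.example.net/x">https://www.paybank.example/invoice</a></p>"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html_body, sender):
    """One finding per link: real host, whether it leaves the sender's domain,
    and whether the visible text pretends to be a URL on a different host."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        text_host = urlsplit(text).hostname if "://" in text else None
        findings.append({
            "text": text,
            "href": href,
            "host": host,
            "outside_sender_domain": registrable_domain(host) != sender_domain,
            "text_host_mismatch": bool(text_host)
                                  and registrable_domain(text_host) != registrable_domain(host),
        })
    return findings


def suspicious_links(html_body, sender):
    """Just the hrefs a user should be warned about."""
    return [f["href"] for f in audit_links(html_body, sender)
            if f["outside_sender_domain"] or f["text_host_mismatch"]]


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML, SAMPLE_SENDER):
        flag = "SUSPICIOUS" if f["outside_sender_domain"] or f["text_host_mismatch"] else "ok"
        print(f"{flag:10} {f['text']!r:45} -> {f['host']}")
```

The second link is the classic case: the visible text is a URL on the bank's domain, the real target is somewhere else entirely. A plain-text mail client shows exactly this discrepancy without any code.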

That’s it for today. Have a good weekend.

Macro viruses on the rise – The Sleeping Beauty slumber is over

28 February 2015

For some months, reports about macro viruses have been constantly appearing in the IT press. Although the latest report, ‘Macro viruses reemerge in Word, Excel files’, published by Michael Heller on the TechTarget platform SearchSecurity on 24 February 2015, could make us feel somewhat insecure, there is in my opinion no reason to panic.

From the statistics created by security firm Kaspersky, we see that attackers used Microsoft Office in 1% of all cases for the distribution of exploits in 2014. In total, Kaspersky products detected and neutralized 6,167,233,068 cyber-attacks in 2014. This means that Word or Excel were used in 61,763,330 cyber-attacks, 2.3 times more than in 2013.

Sounds anything but dangerous. Moreover, we are better prepared than 15 years ago, when macro viruses were most popular. Many protection measures are common sense, but sometimes it’s good to recap.

With that, I suggest:

  1. Please make sure that your anti-malware program is always up-to-date.
  2. Configure Macro Settings in Microsoft Office Trust Center. Choose ‘Disable all macros with notification’ as default:

    [Figure: ‘Disable all Macros With Notifications’ setting in Trust Center]

  3. Use Windows Update to keep Microsoft Office and Windows up-to-date with the latest patches.
  4. On 64-bit Windows please activate ‘Enhanced Protected Mode’ in Internet Explorer. This forces Windows to run Internet Explorer in a container at low integrity level. In addition, please download all files to the default download location.
  5. Enable SmartScreen Technology in Internet Explorer. Malicious files are downloaded from malicious sites. SmartScreen Technology supports you by blocking downloads from known malicious sites.
  6. Try working with standard user rights. This limits the impact of an attack on the operating system.
  7. The last and perhaps the most important rule: think twice before you click on a Word or Excel file stored on an untrusted site. As a rule of thumb the entire Internet is an untrusted site, and of course so are all email attachments.
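Rules 2 and 7 rest on knowing whether a document carries macros before it is opened. The following added example (my code, not from the original post) makes that check for modern Office files, which are zip containers: a document that holds a vbaProject.bin part has a VBA project regardless of what the file extension claims. The two documents it inspects are built in memory as constructed test data; the macro part is a placeholder blob, not real VBA.

```python
"""Detect a VBA project inside an OOXML (.docx/.docm/.xlsx/.xlsm ...) file.

Added example, not code from the original post. The documents are built in
memory for illustration; the vbaProject.bin content is a placeholder and the
legacy binary formats (.doc/.xls) would need a different (OLE) check.
"""
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}   # extensions that should never carry VBA


def has_vba_project(data: bytes) -> bool:
    """True if the container holds a VBA project part anywhere in its tree."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False          # not an OOXML container at all


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage label for a mail gateway or a 'think twice' check before opening."""
    macro = has_vba_project(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if macro and ext in MACRO_FREE_EXTENSIONS:
        return "vba-in-macro-free-extension"   # extension and content disagree: treat as hostile
    if macro:
        return "macro-enabled"
    return "no-vba"


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word-like container (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    return buf.getvalue()


CLEAN_DOCX = _build_ooxml(with_macro=False)
MACRO_DOCM = _build_ooxml(with_macro=True)


if __name__ == "__main__":
    for name, data in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM)):
        print(f"{name:14} {classify_attachment(name, data)}")
```

Word's own ‘Disable all macros with notification’ setting is still the control that matters at open time; this check only lets a gateway or a script say in advance which attachments will trigger that notification.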

There’s really no need to panic. Macro viruses are not rocket science. The available protection measures are enough to deal with this old stuff.

Have a good weekend!

Free email providers are preferred distribution channels for malware

21 February 2015

Thursday morning I got a very puzzling e-mail. A collection agency informed me of an allegedly unpaid invoice and threatened me with default interest and overdue fines.

But I conduct no business with Pay Bank AG. In addition, the mail was sent from a GMX address (GMX is a Germany-based free mail service) and not from the Pay Bank AG domain.

This was just another spam mail, but, compared to others, well and convincingly written. The message was crystal clear: open the attachment!

In the evening I checked the attachment and found nested zip files. The inner zip file contained a program that appeared to be the data-gathering malware Win32/Zbot.gen!plock (TROJ_DLOADR.JCQ). Fortunately the anti-malware program on my computer removed the malware during download to my hard disk.

Sending malware in nested zip files ensures that the anti-malware systems on the e-mail provider’s mail-in servers do not become aware of the malicious attachments. Scanning archives is very time-consuming because the anti-malware system has to open the archive and scan all files inside. Therefore nearly all anti-malware systems are configured to ignore nested zip files.
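This post and the later one on policies (where the gateway stripped invoice_kOUEsX.js from a zip) both come down to the same gateway behaviour: open every archive, apply a file-type policy to what is inside, and drop the whole thing when you cannot look inside. The following added example (my code, not from the original posts) implements that scanner. It descends into nested zips up to a depth limit, blocks members by extension rather than by signature, and rejects an archive that is nested too deep, encrypted, or too large to inflate. The sample archives are constructed in memory; the .js member reuses the file name from the post but contains only a harmless stand-in comment.

```python
"""Recursive attachment scanner for nested zip files with a type policy.

Added example, not code from the original posts. Blocked extensions, depth
limit and the sample archives are constructed for illustration.
"""
import io
import zipfile

BLOCKED_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "hta", "cmd", "bat", "ps1"}
MAX_DEPTH = 3                          # archives nested deeper than this are rejected outright
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate huge members (zip-bomb guard)


def _ext(name):
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def scan_archive(data, depth=1, path=""):
    """Inspect a zip blob recursively.

    Returns (verdict, findings). verdict is 'clean', 'blocked' (policy hit on
    at least one member) or 'reject' (could not fully inspect, so the whole
    outer archive should be dropped, as the posts recommend).
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject", [f"{path or '<root>'}: not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                return "reject", findings + [f"{member}: too large to inspect"]
            if _ext(info.filename) == "zip":
                if depth >= MAX_DEPTH:
                    return "reject", findings + [f"{member}: nested deeper than {MAX_DEPTH}"]
                try:
                    inner_data = zf.read(info)
                except RuntimeError:          # password-protected member
                    return "reject", findings + [f"{member}: encrypted, cannot inspect"]
                verdict, inner = scan_archive(inner_data, depth + 1, member)
                findings.extend(inner)
                if verdict == "reject":
                    return "reject", findings
            elif _ext(info.filename) in BLOCKED_EXTENSIONS:
                findings.append(f"{member}: blocked type .{_ext(info.filename)}")
    return ("blocked" if findings else "clean"), findings


def _zip(entries):
    """Build zip bytes from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


HARMLESS = _zip({"invoice.pdf": b"%PDF-1.4 constructed placeholder"})
NESTED_JS = _zip({"invoice.zip": _zip({"invoice_kOUEsX.js": b"// constructed stand-in, no payload"})})
TOO_DEEP = _zip({"a.zip": _zip({"b.zip": _zip({"c.zip": _zip({"x.txt": b""})})})})


if __name__ == "__main__":
    for label, blob in (("harmless", HARMLESS), ("nested js", NESTED_JS),
                        ("too deep", TOO_DEEP), ("garbage", b"not a zip")):
        verdict, notes = scan_archive(blob)
        print(f"{label:10} {verdict:8} {notes}")
```

The verdict distinction matters for the users who complain about delays: 'blocked' is a policy decision the sender can be told about, 'reject' is the "remove any content from the outer archive" fallback for anything the scanner could not open.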

But what amazed me was that apparently no e-mail provider runs an in-depth scan of attachments. From the e-mail header I found that the mail was sent from the attacker’s computer PC14-050 to mail.gmx.com (GMX) and via mailin55.aul.t-online.de (T-Online) to SNT004-MC3F11.hotmail.com (Microsoft).

Since the malicious attachment wasn’t removed on its way to the inbox on my computer, GMX, T-Online and Microsoft use a similar, inadequate anti-malware configuration on their mail-in servers. As always, the last line of defense is the anti-malware system on the end-user’s computer.
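The relay chain quoted above was read off the Received headers by hand. The following added example (my code, not from the original post) reconstructs that chain programmatically: each MTA prepends its own Received line, so reading the headers bottom-up yields the path from the submitting machine to the final mailbox, and the first relay can be compared with the domain in the From: line. The message is constructed; the host names are the ones named in the post, the IP addresses are documentation placeholders.

```python
"""Reconstruct a mail's relay path from its Received headers.

Added example, not code from the original post. SAMPLE_MESSAGE is constructed;
host names are taken from the post, addresses and timestamps are placeholders.
"""
import email
import re
from email import policy

SAMPLE_MESSAGE = """\
Received: from mailin55.aul.t-online.de ([192.0.2.30])
 by SNT004-MC3F11.hotmail.com with ESMTP; Thu, 19 Feb 2015 09:01:12 +0000
Received: from mail.gmx.com ([192.0.2.20])
 by mailin55.aul.t-online.de with ESMTP; Thu, 19 Feb 2015 09:01:05 +0000
Received: from PC14-050 ([198.51.100.7])
 by mail.gmx.com with ESMTPA; Thu, 19 Feb 2015 09:00:58 +0000
From: "Pay Bank AG" <collections@paybank.example>
To: victim@example.org
Subject: Overdue invoice

Please open the attachment.
"""

# 'from <host> ([ip]) ... by <host>' ; the ip part is optional
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)


def relay_path(raw_message):
    """Hops in chronological order (submitting host first), one dict per hop."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom header = oldest hop
        m = HOP_RE.search(" ".join(str(value).split()))  # unfold and squeeze whitespace
        if m:
            hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"]})
    return hops


def sender_domain_mismatch(raw_message):
    """True if the first MTA that accepted the mail is not in the From: domain.

    This is the check the post makes by eye: a Pay Bank AG mail submitted
    through a free-mail provider's server.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    hops = relay_path(raw_message)
    first_mta = hops[0]["by"].lower() if hops else ""
    return not first_mta.endswith(from_domain)


if __name__ == "__main__":
    for hop in relay_path(SAMPLE_MESSAGE):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("first relay outside From: domain:", sender_domain_mismatch(SAMPLE_MESSAGE))
```

Only the Received line added by your own (or a trusted) server is reliable; earlier ones can be forged by the sender. The check above therefore works best at the provider's mail-in server, which is exactly where the post argues the filtering should happen.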

In my opinion, this is an enormous waste of resources. Every day millions of malicious attachments clog the internet because of inadequate anti-malware configurations. We could save a lot of bandwidth for really important business, and much hassle, if mail-in servers would just reject any e-mail that has known malicious attachments.

That’s it for today. Please configure the anti-malware program, which is installed on your computer, to perform in-depth scans of attachments. Safety has priority over speed!

Have a good weekend.