There are many tasks and responsibilities of the (lone) IT sysadmin, they are sometimes varied, sometimes monotonous. We know what they are without thinking about them, as if they are unwritten commandments, specific to the IT world.
Security has featured greatly in the world news over the past few years, and even more so within the IT circles. We have the aspects of social responsibility, who is watching the watchers, how should they be held to account (NSA, GCHQ). We have the more particular stories, such as Heartbleed, and the “simplicity” of gaining information from a system.
Sitting down and reading about the recently highlighted issue surrounding a fake Trojan copy of the popular terminal tool, PuTTY, I realized that over all, we spend a great deal thinking about security within IT systems. But sometimes we don’t think about security in the actions we take, or we forget to think about them. Read More »
Tags: it security, malware, security, security breach
This post was authored by Ben Baker and Alex Chiu.
Threat actors and security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples. Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.
Table of Contents
The 10,000 Foot View at Rombertik
A Nasty Trap Door
The Actual Malware
Coverage and Indicators of Compromise
It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).
Talos’ goal is to protect our customer’s networks. Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult. Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams. This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers. Read More »
Tags: malware, reverse engineering, Rombertik, Talos, Threat Research, threat spotlight
This post was authored by Nick Biasini and Joel Esler
Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days. While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.
When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs. The first PDF, which was used until March 17, contained some information about Viagra:
Figure 1: Sexual Dysfunction, what’s your function?
Read More »
Tags: malware, Talos, threat spotlight, upatre
To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.
When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately it escaped the purported air-gapped system and has been seen in at least 10 other countries. In more practical terms threat intelligence must be:
Read More »
Tags: forensic investigation, incident response, malware, threat intelligence
Cyber-Security: it has always been important for video entertainment companies. But times have changed- now it’s mission critical. Top of mind again this last few days, the events of the last 6 months have proven this point. If cyber-protection is not bullet-proof, any video entertainment company is living on borrowed time… and that bill is going to come due with potentially disastrous consequences.
There is a second change going on: security at video entertainment companies used to focus on protecting content in the distribution chain – DRM, CAS and the like. But there are many more ways to lose content – many more places in the “connected” production chain where content can be stolen. For instance, as has happened in the last few months, if an attacker can gain access to Read More »
Tags: #NABshow, attacker, Cisco, cyber security, cyber-protection, malware, national association broadcasters, security, security breach, Service Provider, threat-centric security solutions, video business, videoscape