Cyphort Labs Threat Report
Cyphort Labs Threat Report Summary
Prepared for: Vandelay Industries

About this report

At Cyphort, we understand that it takes more than an effective threat monitoring and mitigation product to defend successfully against modern attacks and threats. A proof-of-concept (POC) deployment is the very first step in learning about the specific threat-protection needs of the customer environment, the possible observation points in the network that give sufficient visibility into all traffic of interest, the desired workflow for security monitoring and incident response, and the security posture the customer ultimately wants to achieve given its resource and priority considerations.

When customers choose to be part of the Cyphort Threat Intelligence Network, Cyphort Threat Labs becomes actively involved in the POC process through daily monitoring of incident alerts on customers' networks. Cyphort researchers provide customers with proactive email communications on any significant incidents of potential interest on an as-needed basis, and create threat summary reports on the customer's behalf toward the end of the POC period.

The Cyphort Labs Threat Report Summary is designed to provide a more comprehensive view of:

- Significant threat incidents discovered during an extended period of time, typically several weeks, so that traffic fluctuation associated with time-of-day activity patterns is accounted for. These include the whole spectrum of alerts: serious threats, suspicious activities and adware, and any instances of noisy alerts.
- Visibility statistics that shed light on what types of files are being moved across the customer network, at what volumes, and through what agents (e.g. humans browsing the web vs. automated programs). We believe that good visibility and awareness go a long way toward a strong defense posture.
- More details on selected threats and malware objects. The details are based on deep-dive research conducted by Cyphort threat researchers to reveal attack payloads, threat intent, and other threat indicators. A set of mitigation actions and best-practice recommendations is also included when applicable.
- Background and other useful references.

While it is important to take immediate mitigation actions to contain threats and minimize potential impact, it is more important to take steps that improve the long-term posture: implementing continuous monitoring capabilities, extending coverage of threat vectors, and addressing security practice and policy needs.

This report is based on observations made at customers spanning the period from November 2013 to March 2014. Monthly data are based on the actual aggregates for the respective month, while daily data are based on specific days, noted where used. In those cases we simply picked a day that seems fairly typical of a weekday with respect to the reported statistics.

As always, Cyphort Threat Labs welcomes your feedback and suggestions for improving these reports. Please send your feedback to cyphortlabs@cyphort.com.

PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.

Incident Alerts Summary

High Severity Threats
Malware download incidents including:
- Zeus Trojan
- Cidox malware

Suspicious Apps and Adware
186 Adware instances:
- Genieo
- Conduit
- ShadyOffer
- Wajam
- InstallCore
- MyWebsearch
- and others

Noise
- 36 false positives (out of 384,000 objects scanned)
Monthly Activity Summary

Date            Unique IPs   HTTP Downloads   Unique Files
March 2014      17k          550k             157k
February 2014   23k          288k             101k
January 2014    25k          215k             52k
December 2013   22k          250k             89k
November 2013   9k           80k              37k

Daily Top Analyzed Files (as of 3/12/2014)

File Type             File Count
ZIP Archive           50,713
PDF                   5,576
Mac Executable        1,254
Windows Executable    534
Microsoft Office      157

[Chart: Daily Human vs. Auto Browsers]

OS Mappings (as of 3/12/2014)

OS           Downloads
MacOS        48,107
Unknown      5,537
Windows      1,402
Apple iOS    1,297
Android      134

The "Unknown" count corresponds to apps using non-standard User-Agent strings for which there is no ready OS mapping. The new Cyphort release will ingest endpoint scan data for accurate OS mapping.

Actions & Recommendations

Zeus Trojan instance [19c77b56269a31a01aa0572da78e1b15]
- Clean the machine immediately using System Restore
- Block the CNC IP address in Korea: 61.38.200.5

Cidox Trojan instance [ace4334e7bbe67a4e4f639c62689f812]
- Clean the machine immediately using System Restore
- Block CNC: sugar-freez.com, networksecurityx.hopto.org

Adware
- Conduit is a browser hijacker: it changes your home page and search provider, and its component ensures that any subsequent changes to the search provider revert back to Conduit. We suggest removing it.
- Genieo is adware for the Mac platform that intercepts users' searches. We suggest removing it.
- ShadyOffer is adware that monitors mouse and keyboard. Block CNC: http://stub.goobzo.com/p.ashx
- Wajam is adware that hijacks search results. We suggest removing it.

Zeus Trojan Background

- Zbot, or the Zeus malware family, is one of the most dangerous malware families (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fZbot).
- Sophistication: three key components
  1. a toolkit for creating and delivering the threat
  2. the Trojan that gets installed and controls the victim's machine
  3. the command & control (C&C) server that controls the malicious activities and facilitates data theft
- Spreads infection by social engineering, spear-phishing, and drive-by download
- Known malicious activities so far: shutting down the machine, deleting files, browser hijacking, data theft, Trojan dropping, cookie stealing, bank fraud, bitcoin stealing.

Conduit Background

- Conduit is an adware program that changes your browser home page and default search engine to search.conduit.com. Conduit creates a toolbar in your browser and, whenever you do a search, displays its own ads at the top of the search results. Conduit is installed together with freeware/shareware programs (MP3 rippers, YouTube downloaders, etc.). Some Trojans distribute it as well.

Genieo Mac Adware Background

- Genieo comes as a Mac dmg file. Inside is adware that customizes your Internet browser page to display products that it believes you'll find interesting. It was distributed through installers that pretend to be something they are not, such as fake Adobe Flash Player installers. It intercepts searches on Google, Bing and Yahoo and silently redirects them to Genieo or its partner engine. See http://en.wikipedia.org/wiki/Genieo
- Once Genieo.dmg is downloaded, it installs Genieo.app and adds it to the Login Items so that it is restarted at login.
- It also installs a Launch Agent: /Library/LaunchAgents/com.genieo.engine.plist
- Along with two dynamic libraries:
  /usr/lib/libgenkit.dylib
  /usr/lib/libgenkitsa.dylib
- libgenkit.dylib is added to OS X's global launchd configuration file: /etc/launchd.conf

ShadyOffer Adware Background

ShadyOffer has the following malicious behavior:
- Steals system information
- Monitors mouse and keyboard
- Downloads files
- Shows pop-ups from a notification that offers to install other software

After some delay it starts to show a notification bar that offers the infected user free backup software called "MyPC Backup". That software presents a "Protect Now" button that asks the user for a monthly payment to properly protect their files.

Wajam Adware Background

- Wajam is an adware browser extension that bills itself as a social search engine that gives you recommendations from your friends everywhere you like to search. Wajam monetizes its service through affiliate links to Shopping.com. Unwanted installations of Wajam also have the capability to hijack a browser's search functions and display undesired ads. See http://en.wikipedia.org/wiki/Wajam
- Wajam was founded by Martin-Luc Archambault, who was previously the President of Zango Canada.
- Zango, formerly ePIPO, 180solutions and Hotbar, was an adware company that was charged by the Federal Trade Commission with "Deceptive Failure to Disclose Adware", "Unfair Installation of Adware", and "Unfair Uninstall Practices" in violation of the Federal Trade Commission Act.
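As an added example that is not part of the Cyphort report, the following POSIX shell check looks for the Genieo persistence artifacts listed in the Genieo section above (the Launch Agent plist, the two dylibs, and the libgenkit reference in /etc/launchd.conf). The function name and the optional ROOT argument are this example's own; ROOT lets the same check run against a mounted disk image or a test tree instead of a live Mac.

```shell
#!/bin/sh
# Added example (not Cyphort's code): scan a filesystem tree for the Genieo
# persistence artifacts named in the report. The Login Items entry the report
# mentions is per-user state; on a live Mac inspect it separately with
#   osascript -e 'tell application "System Events" to get the name of every login item'
# Usage: sh genieo_check.sh [ROOT]   (ROOT defaults to /, i.e. the running system)

check_genieo_artifacts() {
    root="${1:-/}"
    root="${root%/}"          # drop a trailing slash so "$root/$f" stays clean
    hits=0
    # File-based indicators, with paths exactly as given in the report.
    for f in \
        Library/LaunchAgents/com.genieo.engine.plist \
        usr/lib/libgenkit.dylib \
        usr/lib/libgenkitsa.dylib; do
        if [ -e "$root/$f" ]; then
            echo "FOUND: $root/$f"
            hits=$((hits + 1))
        fi
    done
    # /etc/launchd.conf is normally absent; any libgenkit mention in it is a hit.
    conf="$root/etc/launchd.conf"
    if [ -f "$conf" ] && grep -q libgenkit "$conf"; then
        echo "FOUND: libgenkit reference in $conf"
        hits=$((hits + 1))
    fi
    echo "$hits Genieo artifact(s) under ${root:-/}"
    # Exit status 0 = clean, 1 = something found, so the check can drive a script.
    [ "$hits" -eq 0 ]
}

check_genieo_artifacts "${1:-/}" || true
```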
About Cyphort

Founded in 2011 by a team of security experts, Cyphort's advanced threat defense goes beyond malware detection to reveal the true intent of the attack and the risk to your organization, with prioritized and expedited remediation. Our software-based approach combines best-in-class malware detection with knowledge of threat capabilities and your organizational context to cut through the avalanche of security data, get at the threats that matter, and respond with velocity, in hours not days.

CYPHORT, Inc.
5451 Great America Parkway, Suite 225
Santa Clara, CA 95054
P: (408) 841-4665
F: (408) 540-1299

Sales/Customer Support
1-855-862-5927 (tel)
1-855-8-MALWARE (tel)
1.408.540.1299 (fax)
Email: support@cyphort.com

©2015 Cyphort, Inc. All rights reserved.