New Malware Threat
Update on latest Malware Threats and Issues - Cyberthieves using banking trojans and malware to steal from companies
New Malware Threat – Presentation Transcript

  • New Malware Threat
    These are Criminals stealing money –
    Not kids making a big splash or ‘hack for fun’
    Well organized and VERY stealthy
    Growing network of attackers, ‘ecosystem’
    Many basic defenses do NOT work at all
    “Blended threats” are tough to counter
    Represent a NEW level of threat to businesses
    Companies have NO protection of the kind consumers have
  • Is this a Real Threat?
    Malware thefts in 2009 “recently in the news”:
    Bullitt County KY - $415,000 via rogue wire transfers
    W. Beaver School District PA - $700,000 stolen in 74 transactions
    Slack Auto Parts GA - $75,000 stolen ($69,000 intercepted)
    Extremely stealthy malware: “Clampi / Ligats / Rscan Trojan”
    Remotely controlled funds transfers into ‘normal’ accounts
    Thieves leverage “money mules” in US and other countries
    Recruit Money Mule accomplices via web sites
    The Junior Group – www.junior-group.cn
    Part of ‘Russian Business Network’ – front for money laundering
  • Clampi Trojan Analysis
    SecureWorks Threat Analysis
    Initial install of ‘loader’ via web page ‘drive by’
    View malicious HTML (ad, hidden frame, email)
    No user admin. privilege needed to start
    Sets up a ‘mini-VM’ environment
    Links to ‘Exploit Server’ and Bot herders
    Exploits sent and launched from ‘bridgehead’
    Malware encrypted, running & session C&C
    Injects code into ‘Normal process’ to hide
  • Clampi Trojan Analysis
    Installs malware into System and User keys
    Attaches encoded malware to ‘normal files’
    Each malware function uses ‘normal process’
    Not easily detectable by signature or by usual host / network intrusion detection
    Uses a new malware packer (‘VMPacker’) – tough to decode
    Modules are added and spread over time
    Password key LOGGER and FORM injector
    Password guess ACCOUNTS and SOCKS sender
  • Malware Impact
    Hackers find a ‘banking PC’ via exploits
    Guess passwords and map out inside LAN
    Collect user data, account data – exfiltrate it
    Watch for banking activity – inject extra forms
    Collect data and control wire transfers
    Send money to their mules (not easily flagged)
    Continue to collect data and control transfers
    Also continue to spread inside firewall
  • Mitigate?
    Things that typically do not work well:
    Scan / signature based AntiVirus
    ‘Host Intrusion Detection’ via Blacklist / Scan
    Network Intrusion Detection sees only encrypted traffic
    Things that help prevent spread of Clampi:
    Special Security Around ‘Banking Clients’
    Fully patched machines / Complex passphrases
    “Whitelist Only” Application Client Lockdown
    LUA Users on Banking Clients – perhaps ALL clients
    Network IDS on ALL Exiting Traffic
    Correlated Logs on IDS / Firewall and Some Clients
    Reimage Banking Client Even on Suspicions of Malware
  • Dealing With Modern Malware
    Patch all Microsoft and ADOBE products!
    Use IE8 (if you can) and “Zones” / GPO control
    If not, use Sandboxie or similar, OR use Firefox and NoScript (Banking Client at least)
    Limit user rights to slow down exploits…
    Leverage AppLocker / Whitelist if you can…
    Funnel all outbound traffic – IDS – Logs
    If any suspicions – Rebuild from clean image!
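The last two slides come down to one control: designate the banking clients, funnel all of their outbound traffic through one point, and correlate the IDS, firewall and client logs. The script below is an added example, not from the presentation, of what that correlation looks like in practice: it parses constructed firewall egress lines and constructed IDS alert lines, flags any allowed outbound connection from a banking client to a destination outside an explicit allowlist, notes whether the destination is a bare IP rather than a name, and attaches IDS alerts raised for the same source host within a few minutes. The host addresses, log formats, allowlist entries and signature text are all assumptions made up for the example.

```python
"""
Egress correlation for designated 'banking clients'.

Added example, not from the slides: given firewall egress log lines and IDS
alert lines, flag outbound connections from banking clients to any destination
outside an explicit allowlist and attach IDS alerts seen for the same source
host within a short time window. The log formats, host names and addresses
below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts designated as banking clients (constructed addresses).
BANKING_CLIENTS = {"10.0.5.21", "10.0.5.22"}

# (destination, port) pairs a banking client is allowed to reach (constructed).
EGRESS_ALLOWLIST = {
    ("bank.example.net", 443),
    ("update.example-vendor.com", 443),
}

# Constructed firewall line format:
#   <iso-time> FW <allow|deny> src=<ip> dst=<host-or-ip>:<port> proto=<proto>
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW (?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
)
# Constructed IDS alert line format:
#   <iso-time> IDS alert src=<ip> sig=<signature text>
IDS_RE = re.compile(r"^(?P<ts>\S+) IDS alert src=(?P<src>\S+) sig=(?P<sig>.+)$")

# Destination written as a bare IPv4 literal rather than a host name.
RAW_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_firewall(lines):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "action": m["action"],
                "src": m["src"],
                "dst": m["dst"],
                "port": int(m["port"]),
            })
    return events


def parse_ids(lines):
    """Parse IDS alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in lines:
        m = IDS_RE.match(line)
        if m:
            alerts.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "sig": m["sig"]})
    return alerts


def correlate(fw_events, ids_alerts, window=timedelta(minutes=5)):
    """Findings for allowed egress from banking clients to non-allowlisted
    destinations, each carrying IDS alerts from the same host within `window`."""
    alerts_by_src = defaultdict(list)
    for a in ids_alerts:
        alerts_by_src[a["src"]].append(a)

    findings = []
    for e in fw_events:
        if e["src"] not in BANKING_CLIENTS or e["action"] != "allow":
            continue  # only ring-fenced hosts, and only flows that actually got out
        if (e["dst"], e["port"]) in EGRESS_ALLOWLIST:
            continue
        related = [a["sig"] for a in alerts_by_src[e["src"]]
                   if abs(a["ts"] - e["ts"]) <= window]
        findings.append({
            "ts": e["ts"].isoformat(),
            "src": e["src"],
            "dst": f"{e['dst']}:{e['port']}",
            "raw_ip_dst": bool(RAW_IP_RE.match(e["dst"])),
            "ids_alerts": related,
        })
    return findings


def analyze(fw_lines, ids_lines):
    """Parse both log sources and return the correlated findings."""
    return correlate(parse_firewall(fw_lines), parse_ids(ids_lines))


# Constructed sample logs: a banking client reaching its bank, then a TLS
# connection to a bare IP with an IDS alert seconds later, plus noise.
SAMPLE_FW = [
    "2009-10-05T09:01:12 FW allow src=10.0.5.21 dst=bank.example.net:443 proto=tcp",
    "2009-10-05T09:03:40 FW allow src=10.0.5.21 dst=203.0.113.77:443 proto=tcp",
    "2009-10-05T09:10:15 FW allow src=10.0.7.9 dst=203.0.113.77:443 proto=tcp",
    "2009-10-05T09:15:00 FW deny src=10.0.5.22 dst=198.51.100.5:8080 proto=tcp",
    "garbage line that does not parse",
]
SAMPLE_IDS = [
    "2009-10-05T09:04:02 IDS alert src=10.0.5.21 sig=TLS session to bare IP address",
    "2009-10-05T09:40:00 IDS alert src=10.0.5.21 sig=Unrelated later alert",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FW, SAMPLE_IDS):
        print(finding)
```

Run as written it reports a single finding: the banking client 10.0.5.21 reaching 203.0.113.77:443 with the IDS alert raised 22 seconds later attached, while the non-banking host's identical connection, the already-denied flow and the alert 36 minutes later are all left out. The allowlist is deliberately small; the point of the slide's "Special Security Around ‘Banking Clients’" is that for those few machines anything outside the list is worth a look, which is a far tighter rule than a general-purpose IDS can apply to every host.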