SlideShare a Scribd company logo

Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

Invincea, Inc.
Invincea, Inc.

Invincea and Dell Protected Workspace blocks a spear-phish attack attempted by Zeus malware in Word document.

Technology
1 of 33
Dell Data Protection Protected Workspace aWord doc spear-phish malware analysis by InvinceaThreat Research Group Analyst: ARMON BAKHSHI CHRIS CARLSON DIRECTOR, PRODUCT MARKETING, INVINCEA MAR 14 2014
Starting in July 2013, Dell OEMs Invincea’s security suite packaged as Dell Data Protection | Protected Workspace, shipping on 20+ million Precision, Latitude, and OptiPlex systems a year.
On March 12, 2014
On March 12, 2014 a Dell Protected Workspace user
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infectedWord document through email
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) First, some definitions…
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) Spear phishing Phishing attempts directed at specific individuals or companies with a malicious payload First, some definitions…
“95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Allen Paller, director of research, SANS Institute)
WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...! Sending at least 18 emails in a spear- phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
Spear-phishing attacks are looking more official all the time…. 2011 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc.
Spear-phishing attacks are looking more official all the time…. 2011 2013 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc. Very advanced – forged “from” address, embedded images, looks official
Dell Protected Workspace uses Invincea FreeSpace security software to protect an end- user by securely isolating malware from the host operating system.
Malware is safely contained in a secure virtual container that uses behavioral sensors to automatically detect and block any known and unknown (zero-day) malware.
Malware activity on anonymized user systems is securely transmitted to Invincea’s Threat Research Group for detailed analysis.
Here’s what we found… User opened a Word doc
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior!
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem Network listeners set up
Let’s look at a Time Line view to see what the malware is doing from start to finish….
By letting the malware run in our secure container, we can see that it opened up connections to an external host for a command-and-control session.
We determined that this is a ZeusTrojan variant through partner analysis, ThreatStream: Destination IP for command and control (C&C) High confidence that it’s a malware C&C server
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions - If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container < 1 second
For more details… The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host. Follow-on analysis can be viewed here: http://www.invincea.com/2014/03/a-dfir-analysis- of-a-word-document-spear-phish-attack/
See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/ And learn more about Invincea at: http://www.invincea.com/why-invincea/

Recommended

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computingأحلام انصارى
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and RisksMiguel Rebollo
 
Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer securitySoundaryaB2
 
603535ransomware
603535ransomware603535ransomware
603535ransomwareAlexander Constantinou
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Introduction to Honeypots
Introduction to HoneypotsIntroduction to Honeypots
Introduction to HoneypotsEmil Tan
 

Recommended

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computingأحلام انصارى
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and RisksMiguel Rebollo
 
Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer securitySoundaryaB2
 
603535ransomware
603535ransomware603535ransomware
603535ransomwareAlexander Constantinou
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Introduction to Honeypots
Introduction to HoneypotsIntroduction to Honeypots
Introduction to HoneypotsEmil Tan
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Honey pots
Honey potsHoney pots
Honey potsDhaivat Zala
 
Honeypot
Honeypot Honeypot
Honeypot Sushan Sharma
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksAlienVault
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 
Honeypots
HoneypotsHoneypots
HoneypotsRushikesh Kulkarni
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its typesVishal Tandel
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeydicanhasfay
 
Honeypot
HoneypotHoneypot
HoneypotSyeda Khadizatul maria
 
Honeypots
HoneypotsHoneypots
HoneypotsBilal ZIANE
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)Emil Tan
 
Honeypot
HoneypotHoneypot
HoneypotAkhil Sahajan
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network SecurityKirubaburi R
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxCompanySeceon
 

More Related Content

What's hot

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksAlienVault
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its typesVishal Tandel
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeydicanhasfay
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)Emil Tan
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network SecurityKirubaburi R
 

What's hot (19)

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Honey pots
Honey potsHoney pots
Honey pots
 
Honeypot
Honeypot Honeypot
Honeypot
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.
 
Honeypots
HoneypotsHoneypots
Honeypots
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
 

Similar to Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxCompanySeceon
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareTeodoro Cipresso
 
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsMehrdad Jingoism
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systemsfrankvv
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptxTapan Khilar
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesBunmi Sowande
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptxLakshayNRReddy
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 

Similar to Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014 (20)

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
 
Information Security 201
Information Security 201Information Security 201
Information Security 201
 
NetWitness
NetWitnessNetWitness
NetWitness
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Cyber security
Cyber security Cyber security
Cyber security
 
Venka sure Antivirus+Internet Security
Venka sure Antivirus+Internet SecurityVenka sure Antivirus+Internet Security
Venka sure Antivirus+Internet Security
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypots
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systems
 
Computer virus
Computer virusComputer virus
Computer virus
 
After the Breach
After the BreachAfter the Breach
After the Breach
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptx
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

  • 1. Dell Data Protection Protected Workspace aWord doc spear-phish malware analysis by InvinceaThreat Research Group Analyst: ARMON BAKHSHI CHRIS CARLSON DIRECTOR, PRODUCT MARKETING, INVINCEA MAR 14 2014
  • 2. Starting in July 2013, Dell OEMs Invincea’s security suite packaged as Dell Data Protection | Protected Workspace, shipping on 20+ million Precision, Latitude, and OptiPlex systems a year.
  • 4. On March 12, 2014 a Dell Protected Workspace user
  • 5. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked
  • 6. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as
  • 7. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infectedWord document through email
  • 8. Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) First, some definitions…
  • 9. Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) Spear phishing Phishing attempts directed at specific individuals or companies with a malicious payload First, some definitions…
  • 10. “95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Allen Paller, director of research, SANS Institute)
  • 11. WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...! Sending at least 18 emails in a spear- phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
  • 12. Spear-phishing attacks are looking more official all the time…. 2011 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc.
  • 13. Spear-phishing attacks are looking more official all the time…. 2011 2013 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc. Very advanced – forged “from” address, embedded images, looks official
  • 14. Dell Protected Workspace uses Invincea FreeSpace security software to protect an end- user by securely isolating malware from the host operating system.
  • 15. Malware is safely contained in a secure virtual container that uses behavioral sensors to automatically detect and block any known and unknown (zero-day) malware.
  • 16. Malware activity on anonymized user systems is securely transmitted to Invincea’s Threat Research Group for detailed analysis.
  • 17. Here’s what we found… User opened a Word doc
  • 18. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior!
  • 19. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created
  • 20. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem
  • 21. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem Network listeners set up
  • 22. Let’s look at a Time Line view to see what the malware is doing from start to finish….
  • 23. By letting the malware run in our secure container, we can see that it opened up connections to an external host for a command-and-control session.
  • 24. We determined that this is a ZeusTrojan variant through partner analysis, ThreatStream: Destination IP for command and control (C&C) High confidence that it’s a malware C&C server
  • 25. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures
  • 26. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions
  • 27. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions - If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
  • 28. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
  • 29. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
  • 30. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
  • 31. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container < 1 second
  • 32. For more details… The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host. Follow-on analysis can be viewed here: http://www.invincea.com/2014/03/a-dfir-analysis- of-a-word-document-spear-phish-attack/
  • 33. See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/ And learn more about Invincea at: http://www.invincea.com/why-invincea/