1. Dell Data Protection | Protected Workspace
A Word doc spear-phish malware analysis
by Invincea Threat Research Group. Analyst: Armon Bakhshi
Chris Carlson, Director, Product Marketing, Invincea
Mar 14, 2014
2. Starting in July 2013, Dell OEMs Invincea’s security suite
packaged as Dell Data Protection | Protected Workspace,
shipping on 20+ million Precision, Latitude, and OptiPlex
systems a year.
4. On March 12, 2014, a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infected Word document through email.
8. First, some definitions…
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia)
Spear phishing: phishing attempts directed at specific individuals or companies with a malicious payload.
10. “95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Alan Paller, director of research, SANS Institute)
11. WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...!
Sending at least 18 emails in a spear-phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
12. Spear-phishing attacks are looking more official all the time….
2011: Fairly rudimentary – sent from Yahoo, no images, spelling errors/typos, etc.
2013: Very advanced – forged “from” address, embedded images, looks official.
14. Dell Protected Workspace uses Invincea FreeSpace security software to protect an end user by securely isolating malware from the host operating system.
15. Malware is safely contained in a secure
virtual container that uses behavioral sensors
to automatically detect and block any known
and unknown (zero-day) malware.
16. Malware activity on anonymized user systems is
securely transmitted to Invincea’s Threat
Research Group for detailed analysis.
18. Here’s what we found…
- User opened a Word doc
- Uh-oh! Code is injected into Word – not normal behavior!
- Auto-start process was created
- More files created on the (virtual) filesystem
- Network listeners set up
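The behavior chain the deck observed, written out as detection logic over a constructed event trace. This is an added example, not part of the deck and not Dell's or Invincea's code; the event records, their field names and the process names in the sample trace are all constructed for illustration.

```python
"""Behaviour-chain detector over a constructed endpoint event trace.

Added example, not Dell's or Invincea's code: it scores the four behaviours the
deck observed for the Word spear-phish (code injection into the document viewer,
an auto-start process, file creation, a network listener) instead of matching a
file signature. Event records and field names are constructed for this example.
"""
# Chain stages in the order the deck shows them -> sensor event type we assume.
CHAIN = [
    ("code injected into document viewer", "inject"),
    ("auto-start process created", "autostart"),
    ("files created on filesystem", "file_create"),
    ("network listener set up", "net_listen"),
]
DOC_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe"}

def classify(event):
    """Map one raw sensor event to a chain stage, or None if it is not one."""
    kind, target, detail = event["kind"], event["target"].lower(), event["detail"].lower()
    if kind == "code_inject" and target in DOC_VIEWERS:
        return "inject"
    if kind == "reg_set" and "\\currentversion\\run" in detail:
        return "autostart"
    if kind == "file_create" and ("\\appdata\\" in detail or "\\temp\\" in detail):
        return "file_create"
    if kind == "socket_listen":
        return "net_listen"
    return None

def score_trace(events):
    """Return (alert, stages_seen). Alert needs injection into a document viewer plus at
    least two further stages, so a lone autosave file or listener does not fire alone."""
    found = {classify(ev) for ev in events} - {None}
    stages_seen = [name for name, key in CHAIN if key in found]
    return ("inject" in found and len(stages_seen) >= 3), stages_seen

# Constructed trace modelled on the deck's timeline; not captured telemetry.
SAMPLE_EVENTS = [
    {"kind": "process_start", "target": "winword.exe", "detail": "invoice.doc"},
    {"kind": "code_inject", "target": "winword.exe", "detail": "rwx thread in viewer"},
    {"kind": "process_start", "target": "updater.exe", "detail": "%APPDATA%\\ab\\updater.exe"},
    {"kind": "reg_set", "target": "", "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ab"},
    {"kind": "file_create", "target": "", "detail": "C:\\Users\\u\\AppData\\Roaming\\ab\\cfg.dat"},
    {"kind": "socket_listen", "target": "", "detail": "0.0.0.0:4444"},
]

if __name__ == "__main__":
    print(score_trace(SAMPLE_EVENTS))  # (True, [all four chain stages])
```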
22. Let’s look at a Time Line view to see what the
malware is doing from start to finish….
23. By letting the malware run in our secure
container, we can see that it opened up
connections to an external host for a
command-and-control session.
24. We determined that this is a Zeus Trojan variant through partner analysis (ThreatStream): the destination IP for command and control (C&C) was flagged with high confidence as a malware C&C server.
25. Summary of Analysis:
- This was not a zero-day attack, but is still effective
  o If it had been zero-day, Invincea can still contain and detect zero-day attacks because we analyze behavior, not signatures
- It was a variant of an existing “Zeus” banking Trojan that one can buy cheaply on the black market
  o Logging keystrokes
  o Stealing bank credentials
  o Launching distributed denial-of-service (DDoS) attacks against financial institutions
- If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
28. And now the clean-up…
Simply closing the infected, contained application removes all traces of the malware.
This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
Delete infected container: < 1 second
32. For more details…
The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host.
Follow-on analysis can be viewed here:
http://www.invincea.com/2014/03/a-dfir-analysis-of-a-word-document-spear-phish-attack/
33. See more malware analysis “Killed in Action”
(KIA) at:
http://www.invincea.com/category/kia/
And learn more about Invincea at:
http://www.invincea.com/why-invincea/