New Malware Threat

Update on latest Malware Threats and Issues - Cyberthieves using banking trojans and malware to steal from companies

Published in: Technology

  1. New Malware Threat
     • These are criminals stealing money, not kids making a big splash or 'hacking for fun'
     • Well organized and VERY stealthy
     • A growing network of attackers, an 'ecosystem' of malware authors, bot herders and money launderers
     • Many basic defenses do NOT work at all
     • 'Blended threats' (drive-by exploit, trojan, credential theft and fraudulent transfer in one chain) are tough to counter
     • They represent a NEW level of threat to businesses
     • Companies have NO protection like consumers: a business account drained by fraudulent transfers is generally not reimbursed the way a consumer account is
  2. Is this a Real Threat?
     • Malware thefts in 2009 recently in the news:
        - Bullitt County, KY: $415,000 via rogue wire transfers
        - Western Beaver School District, PA: $700,000 stolen in 74 transactions
        - Slack Auto Parts, GA: $75,000 stolen ($69,000 intercepted)
     • Extremely stealthy malware: the Clampi Trojan (also known as Ligats or Rscan)
     • Remotely controlled funds transfers into 'normal' accounts
     • Thieves leverage 'money mules' in the US and other countries
     • Mule accomplices are recruited via web sites, e.g. 'The Junior Group', a money-laundering front tied to the 'Russian Business Network'
  3. Clampi Trojan Analysis (SecureWorks Threat Analysis)
     • Initial install of a small 'loader' via a web-page 'drive-by': viewing malicious HTML (an ad, a hidden frame, an email) is enough
     • No user admin privilege is needed to start: it installs under the user's own profile and registry hive
     • Runs inside a 'mini-VM': the code is protected by a virtualizing packer, so an analyst sees bytecode for a custom VM rather than native instructions
     • Links to the 'exploit server' and the bot herders; the real payload is sent down and launched from this 'bridgehead'
     • The payload is stored encrypted, decrypted only while running, and the C&C session is encrypted too
     • Injects code into a 'normal' process to hide
  4. Clampi Trojan Analysis (continued)
     • Installs into both System (HKLM) and User (HKCU) registry run keys
     • Attaches encoded malware to 'normal' files
     • Each malware function runs inside a 'normal' process
     • Not easily detectable by signature or by the usual host / network intrusion detection
     • Packed with a virtualizing packer (SecureWorks identified VMProtect) that is tough to unpack and decode
     • Modules are added and spread over time
     • LOGGER: keystroke and form logger with an HTML form injector
     • ACCOUNTS: harvests credentials stored on the PC; SOCKS: turns the host into a proxy so the thieves can log in to the bank from the victim's own IP address
  5. Malware Impact
     • Hackers find a 'banking PC' via exploits
     • Reuse or guess passwords and map out the inside LAN
     • Collect user data and account data, then exfiltrate it
     • Watch for banking activity and inject extra form fields that ask for data the bank's real page never requests
     • Collect data and control wire transfers
     • Send money to their mules (domestic transfers to ordinary-looking accounts are not easily flagged)
     • Continue to collect data and control transfers
     • Also continue to spread inside the firewall
  6. Mitigate?
     • Things that typically do not work well:
        - Scan / signature-based antivirus
        - 'Host intrusion detection' via blacklist / scan
        - Network intrusion detection: the C&C traffic is encrypted and looks like ordinary HTTPS, so content inspection sees nothing
     • Things that help prevent the spread of Clampi:
        - Special security around 'banking clients'
        - Fully patched machines / complex passphrases
        - 'Whitelist only' application client lockdown
        - LUA (least-privileged user account) users on banking clients, perhaps on ALL clients
        - Network IDS on ALL exiting traffic
        - Correlated logs from IDS / firewall and some clients
        - Reimage the banking client even on mere suspicion of malware
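The last three items (egress monitoring, correlated firewall logs and special handling of banking clients) combine into one simple check. The following PowerShell is an added example, not part of the deck: it reads Windows Firewall log lines (the W3C format Windows writes to pfirewall.log when logging is enabled) and flags any outbound connection from a designated banking client to a destination other than the bank and the internal proxy. The host roles, addresses and log lines are constructed for illustration; the same logic applies to a perimeter firewall export if the field order is adjusted.

```powershell
# Added example (not from the slides): egress check for a single-purpose 'banking client'.
# Assumes Windows Firewall logging is enabled (pfirewall.log, W3C format) or that the same
# fields come from the perimeter firewall. Hosts, addresses and log lines are constructed.

$BankingClients      = @('10.1.1.25')                 # the locked-down PCs used for online banking (assumed)
$AllowedDestinations = @('198.51.100.10', '10.1.1.5') # bank portal and internal proxy/DNS (assumed)

# Constructed sample of pfirewall.log. Field order is the header Windows writes:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-08-12 10:15:02 ALLOW TCP 10.1.1.25 198.51.100.10 49152 443 0 - 0 0 0 - - - SEND
2009-08-12 10:15:09 ALLOW UDP 10.1.1.25 10.1.1.5 53211 53 0 - - - - - - - SEND
2009-08-12 10:16:40 ALLOW TCP 10.1.1.25 203.0.113.77 49160 443 0 - 0 0 0 - - - SEND
2009-08-12 10:17:03 ALLOW TCP 10.1.1.40 203.0.113.77 50211 80 0 - 0 0 0 - - - SEND
2009-08-12 10:17:15 ALLOW TCP 198.51.100.10 10.1.1.25 443 49152 0 - 0 0 0 - - - RECEIVE
'@

function Get-SuspiciousEgress {
    param(
        [string[]]$LogLines,   # raw pfirewall.log lines, header included
        [string[]]$Clients,    # source addresses that must only talk to $Allowed
        [string[]]$Allowed     # the only destinations a banking client should ever reach
    )
    foreach ($line in $LogLines) {
        # Skip the W3C header lines and blanks
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^#') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }   # malformed or truncated record

        $entry = [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = $f[6]
            DstPort  = $f[7]
            Path     = $f[16]           # SEND = outbound, RECEIVE = inbound
        }

        # Only outbound connections that originated on a banking client are of interest.
        if ($entry.Path -ne 'SEND')               { continue }
        if ($Clients -notcontains $entry.SrcIp)   { continue }
        if ($Allowed  -contains    $entry.DstIp)  { continue }
        $entry
    }
}

$hits = Get-SuspiciousEgress -LogLines ($SampleLog -split "`r?`n") `
                             -Clients  $BankingClients `
                             -Allowed  $AllowedDestinations
$hits | Format-Table Time, SrcIp, DstIp, DstPort, Protocol -AutoSize
```

On the constructed data the only hit is the banking client talking to 203.0.113.77 on port 443. The IDS cannot read that session (it is encrypted and looks like HTTPS), but a banking client that is only ever supposed to reach its bank and the proxy has nothing legitimate to say to an unknown address, so the destination alone is the alert. The same connection from the general-purpose PC at 10.1.1.40 is ignored, because a machine that browses the web has no usable allow-list; this is why the deck isolates banking onto dedicated clients.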
  7. Dealing With Modern Malware
     • Patch all Microsoft and Adobe products!
     • Use IE8 (if you can) with 'Zones' / GPO control
     • If not, use Sandboxie or similar, OR use Firefox with NoScript (on the banking client at least)
     • Limit user rights to slow down exploits
     • Leverage AppLocker / whitelisting if you can
     • Funnel all outbound traffic through one choke point, with IDS and logging on it
     • If there is any suspicion at all, rebuild from a clean image!
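The 'whitelist only' lockdown from slide 6 and the AppLocker item above are one procedure in practice: inventory what is installed, generate rules, run in audit mode, review what would have been blocked, then enforce. The following PowerShell is an added example, not from the deck or from any vendor, showing that procedure on a single banking client. It requires an AppLocker-capable Windows edition (Windows 7 Enterprise/Ultimate or Server 2008 R2 at the time of the deck), an elevated session, and the Application Identity service; $PolicyFile and the two trusted directories are assumptions for the example.

```powershell
# Added example (not from the slides): whitelist-only lockdown of a banking client with AppLocker.
# Requires Windows 7 Enterprise/Ultimate or Server 2008 R2 (or later), an elevated PowerShell
# session, and the Application Identity service (AppIDSvc). $PolicyFile and $TrustedDirs are
# assumptions for this example.

Import-Module AppLocker

$PolicyFile  = 'C:\Policies\BankingClient-AppLocker.xml'   # assumed location for the policy XML
$TrustedDirs = 'C:\Windows', 'C:\Program Files'           # where legitimate code lives on this client

# 1. Inventory every EXE/DLL/script/MSI under the trusted directories. Publisher rules are
#    preferred because they survive patching; unsigned files fall back to hash rules, which
#    must be regenerated whenever that software is updated.
$fileInfo = foreach ($dir in $TrustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Start in audit mode: AppLocker logs what it WOULD block (event 8003) without breaking the
#    user. New-AppLockerPolicy emits EnforcementMode="NotConfigured" on each rule collection.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
$xml | Set-Content -Path $PolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyFile      # local policy; add -Ldap "LDAP://..." to write a GPO instead
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 3. Sanity check the rules before trusting them: nothing in the user-writable profile (where a
#    drive-by loader lands without admin rights) should be allowed. Anything reported as Allowed
#    here means a rule is too broad, e.g. a publisher rule matching a vendor's installer left in Downloads.
$userBins = Get-ChildItem $env:USERPROFILE -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
if ($userBins) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Path $userBins |
        Where-Object { $_.PolicyDecision -notin 'Denied', 'DeniedByDefault' } |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. After a few days of normal banking use, review the audit trail. On a single-purpose client
#    the list should be very short; anything you do not recognise is either software missing from
#    the whitelist or a foothold that warrants the reimage the deck recommends.
$audited = Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$audited | Select-Object Path, Publisher, Hash | Sort-Object Path -Unique | Format-Table -AutoSize

# 5. Enforce. If step 4 surfaced legitimate software, regenerate its rules from step 1 and
#    apply them with Set-AppLockerPolicy -Merge before switching the mode.
$xml -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"' | Set-Content -Path $PolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Two caveats a practitioner will hit: the policy deliberately contains no rule for BUILTIN\Administrators, which is fine on a client whose users are all LUA but will lock out an admin who logs on interactively, so add that rule (or keep a separate admin account for maintenance) if you need it; and the `-notin` operator needs PowerShell 3.0 or later, so on a stock Windows 7 box replace it with two `-ne` comparisons.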