The document discusses trends in malware and effective mitigation strategies. It notes that in 2012, mobile malware increased through SMS and social media. Malware also targeted corporate networks through espionage. The document then provides statistics on prevalent botnet families and malware infiltration methods like compromised websites and social networks. It recommends multiple defenses including device control, application whitelisting, patch management, web filtering, threat intelligence integration, and geo-blocking of high-risk countries.

1. Ayed Alqarta | @aqarta
IT Security Consultant

2.  Malware trends in 2012
 Malware Stats: State of Kuwait
 How Malware infiltrates Enterprise Today
 Effective Malware Mitigations

3. Malware Newsws

4.  Trojans for mobile platforms (SMS to premium
###, defeat SMS-based dual-factore info stealing,
Zeus/SpyEye)
 Malicious Trojans will spread in more innovative
ways. (Facebook and twitter)
 Attacks targeting corporate networks (Espionage)
 More malware attacking Mac OS (Flashback)
 Web exploits toolkits are on the rise with more zer0-
day vulnerabilities

5. Symantec Intelligence Quarterly: July - September, 2011

6. Symantec Intelligence Quarterly: July - September, 2011

7. Botnet C&C Activity by country
Source: Umbradata Red countries: over 1,501 vetted C&C

8.  Top observed botnet families at multiple enterprise customers:
 Palevo.C
 Palevo.18
 Mariposa.P
 Mariposa.F
 Conficker.B
 Conficker.D
 Virut
 Sality

9. • Compromised websites
(infected with malware)
• Malvertising (Malicious Ads)
• Malware websites
• Software downloads
• P2P/Torrent websites
• Social Networks
• Blogs
Web

10. Email
Removable
Mobiles
Media
Laptops
ATM (Yes, they
(Personal,
run Windows
Work, Vendor,
too !)
Contractor)
Virtual Private
Wireless and
Network /
3G/Edge
Remote Access

11. Malvertising (from "malicious advertising") is the use of online
advertising to spread malware.
Internet advertisement networks provide attackers with an effective
venue for targeting numerous computers through malicious banner
ads.
Such malvertisements may take the form of Flash programs that look
like regular ads, but contain code that attacks the visitor's system
directly or redirects the browser to a malicious website.
Malicious ads can also be implemented without Flash by simply
redirecting the destination of the ad after the launch of the
campaign.

14. Exploit kits
A type of crimeware Web application developed to help hackers take
advantage of unpatched exploits in order to hack computers via malicious
scripts planted on compromised websites. Unsuspecting users visiting these
compromised sites would be redirected to a browser vulnerability-exploiting
malware portal website in order to distribute banking Trojans or similar
malware through the visiting computer.
Most exploit kits are based on PHP and a MySQL backend and incorporate
support for exploiting the most widely used and vulnerable security flaws in
order to provide hackers with the highest probability of successful
exploitation. The kits typically target versions of the Windows operating
system and applications installed on Windows platforms.

18.  Multiple layers of mixed-vendor virus scan engines
Spam Email File
UTM Proxy Endpoints
Filter Server Server
Defense-in-Depth

19.  Device & Application control
 Block removable drives like “USB Flash” disks to
prevent AutoRun attacks.
 If not possible, only allow documents and trusted
files to run from USB, except executables.
 Disable the “Auto Play” functionality in Windows.
 Consider using “Secure Flash disk”, which has
onboard antivirus scan engine to protect it against
malware.

20.  Device & Application control
 Use App control solution (standalone / apart of
endpoint security) to lockdown critical systems.
 App control policy can protect against all kind of
malware including zer0-day, since there is no need
for signatures (Whitelisting).

21.  Patch management (OS/Browsers/Apps)
 Be up-to-date with latest patch related information from
various source
 Download patches and run extensive tests to validate the
authenticity and accuracy of patches
 Install security and critical patches/service packs for OS
and 3rd party applications.
 Maintain a testing environment to test patches before
approving them to production systems.
 Generate reports of various patch management tasks
 Monitor the patching progress in the enterprise

22.  Patch management (OS/Browsers/Apps)
Top Attacked applications by web exploit kits
Kaspersky

23. Patch management (3d Party Apps)
• Java Run Time Environment (JRE)
• Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player
• Mozilla Firefox
• Mozilla Thunderbird
• Google Chrome
• Apple Safari, iTunes, QuickTime
• Microsoft Internet Explorer
• Microsoft Office
• RealNetworks RealPlayer

24.  Vulnerabilities Research Resources
 http://technet.microsoft.com/en-us/security/bulletin
 http://www.kb.cert.org/vuls/
 http://secunia.com/community/advisories/
 http://www.symantec.com/security_response/landing/vulnerabi
lities.jsp
 http://tools.cisco.com/security/center/publicationListing
 http://www.vupen.com/english/security-advisories/
 http://www.us-cert.gov/current/
 http://www.adobe.com/support/security/
 http://www.verisigninc.com/en_US/products-and-
services/network-intelligence-availability/idefense/public-
vulnerability-reports/index.xhtml

25.  Web filtering
 Block access to malicious domains (Malware, Phishing, Botnet C&C,
Compromised Websites, Malware hosting, Advertisements,
Pornography, Dynamic DNS, Social Networks Games, Computer
Software, Uncategorized)
 Proxy must include an antivirus/antispyware engine to scan
downloaded files
 Block downloading suspicious files (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)
 Generate reports and warn top policy violators
 Manually block domains/URLs which are not-categoriezed by vendor
(blocklist)

26.  Geo-based filtering (top-malware hosting
countries)
 Block inbound/outbound to these countries (China, Russia, Korea,
Brazil, Thailand, Taiwan, Japan, Poland, Peru)
 Logs (UTM/Proxy) will help detecting possible infections
 This filtering will stop/decrease (SPAM, Malware, Malicious websites,
Phishing)
 A proactive security technique to prevent threats

27.  Threat Intelligence Feeds / Blacklists
 Integrate threat feeds with security products in the enterprise
to block traffic from/to bad reputation hosts
 Proactively secure the network from zer0-day threats without
relying on signatures
 Threat intelligence can be integrated with SIEM tools
 Threat feeds will contain:
▪ Malicious code senders
▪ Spam senders
▪ Phishing senders
▪ Botnet C&C servers
▪ Compromised Hosts
▪ Malware Domains

28.  Battling Malware in The Enterprise
 Malware Forensics Dojo
 Learn from an experienced malware expert
 Practical skills and applicable knowledge
 Real world scenarios from the field

29. Thank you
@aqarta a.qarta@gmail.com