Dell Data Protection | Protected Workspace
A Word doc spear-phish malware analysis
by Invincea Threat Research Group
Analyst: ARMON BAKHSHI
CHRIS CARLSON
DIRECTOR, PRODUCT MARKETING, INVINCEA
MAR 14 2014
Starting in July 2013, Dell OEMs Invincea’s security suite
packaged as Dell Data Protection | Protected Workspace,
shipping on 20+ million Precision, Latitude, and OptiPlex
systems a year.
On March 12, 2014, a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infected Word document through email.
First, some definitions…
Phishing
is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia)
Spear phishing
Phishing attempts directed at specific individuals or companies with a malicious payload
“95% of all attacks on enterprise networks are the result of successful spear-phishing.”
(Alan Paller, director of research, SANS Institute)
WHY a 95% success rate??
BECAUSE USERS LOVE…TO…CLICK...!
Sending at least 18 emails in a spear-phishing campaign guarantees at least one click!
(Verizon Data Breach Investigations Report – 2013)
Spear-phishing attacks are looking more official all the time….
2011: Fairly rudimentary – sending from Yahoo, no images, spelling/typos, etc.
2013: Very advanced – forged “from” address, embedded images, looks official
Dell Protected Workspace uses Invincea FreeSpace security software to protect an end-user by securely isolating malware from the host operating system.
Malware is safely contained in a secure virtual container that uses behavioral sensors to automatically detect and block any known and unknown (zero-day) malware.
Malware activity on anonymized user systems is securely transmitted to Invincea’s Threat Research Group for detailed analysis.
Here’s what we found…
- User opened a Word doc
- Uh-oh! Code is injected into Word – not normal behavior!
- Auto-start process was created
- More files created on the (virtual) filesystem
- Network listeners set up
Let’s look at a Time Line view to see what the malware is doing from start to finish….
By letting the malware run in our secure container, we can see that it opened up connections to an external host for a command-and-control session.
We determined that this is a Zeus Trojan variant through partner analysis, ThreatStream:
- Destination IP for command and control (C&C)
- High confidence that it’s a malware C&C server
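The behaviors the container flagged above (code injected into Word, an auto-start entry, dropped files, a listener, an outbound C&C connection) are exactly what a behavior-based sensor can score without any signature. The following is an added example, not Invincea's or Dell's code: it applies weighted behavioral rules to a constructed event stream shaped like the slide's time line, and contrasts it with a normal editing session; the event schema, process list, rule weights and all sample values (PIDs, paths, port, IP) are assumptions.

```python
"""Behavioral scoring of application-container telemetry (added example).

Models the kind of "behavioral sensor" logic the deck describes: no hashes
or signatures, only what the process does. Event names, fields, weights
and the process lists below are assumptions, not a real product's schema.
"""
from typing import Optional, Tuple

# Processes that render documents and are never expected to inject code,
# register autoruns, or accept inbound connections (assumption).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Well-known registry autorun locations, lower-cased for prefix matching.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

BLOCK_THRESHOLD = 60  # assumed tuning value


def _is_private_ipv4(ip: str) -> bool:
    """True for RFC 1918 ranges; anything else is treated as an external host."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def score_event(ev: dict, tainted: set) -> Optional[Tuple[int, str]]:
    """Return (weight, reason) if the event is suspicious, else None.

    `tainted` holds PIDs already seen doing something anomalous, so later,
    individually mundane events (a file write, an outbound connection)
    inherit suspicion from the earlier injection, as on the time line.
    """
    kind, proc, pid = ev["kind"], ev["process"].lower(), ev["pid"]
    if kind == "code_injection" and ev["target"].lower() in DOCUMENT_HANDLERS:
        tainted.add(ev["target_pid"])
        return 40, f"code injected into {ev['target']} (pid {ev['target_pid']})"
    if kind == "registry_set" and ev["key"].lower().startswith(AUTORUN_KEYS):
        tainted.add(pid)
        return 25, f"{proc} created auto-start entry {ev['value_name']}"
    if kind == "file_create" and pid in tainted and ev["path"].lower().endswith(".exe"):
        return 10, f"tainted {proc} dropped executable {ev['path']}"
    if kind == "network_listen" and (proc in DOCUMENT_HANDLERS or pid in tainted):
        return 20, f"{proc} opened listener on port {ev['port']}"
    if kind == "network_connect" and pid in tainted and not _is_private_ipv4(ev["dst_ip"]):
        return 25, f"{proc} connected to external host {ev['dst_ip']}:{ev['dst_port']}"
    return None


def evaluate(events: list) -> dict:
    """Score an ordered event stream; returns verdict, score and a time line."""
    tainted, timeline, score = set(), [], 0
    for ev in events:
        hit = score_event(ev, tainted)
        if hit:
            score += hit[0]
            timeline.append((ev["t"], hit[1]))
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"score": score, "verdict": verdict, "timeline": timeline}


# Constructed telemetry mirroring the deck's "Here's what we found" sequence.
# The in-process exploit is reported as code_injection with Word as the target
# (foreign code running in Word's own address space). All values are made up.
MALICIOUS_SESSION = [
    {"t": 0.0, "kind": "process_start", "process": "WINWORD.EXE", "pid": 1000},
    {"t": 1.2, "kind": "code_injection", "process": "WINWORD.EXE", "pid": 1000,
     "target": "WINWORD.EXE", "target_pid": 1000},
    {"t": 1.5, "kind": "file_create", "process": "WINWORD.EXE", "pid": 1000,
     "path": r"C:\Users\u\AppData\Roaming\sample\dropper.exe"},
    {"t": 1.6, "kind": "registry_set", "process": "WINWORD.EXE", "pid": 1000,
     "key": r"Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "sample"},
    {"t": 2.0, "kind": "network_listen", "process": "WINWORD.EXE", "pid": 1000, "port": 9001},
    {"t": 2.4, "kind": "network_connect", "process": "WINWORD.EXE", "pid": 1000,
     "dst_ip": "203.0.113.50", "dst_port": 443},
]

# A normal editing session: open, save to Documents, print to a LAN printer.
BENIGN_SESSION = [
    {"t": 0.0, "kind": "process_start", "process": "WINWORD.EXE", "pid": 2000},
    {"t": 5.0, "kind": "file_create", "process": "WINWORD.EXE", "pid": 2000,
     "path": r"C:\Users\u\Documents\report.docx"},
    {"t": 6.0, "kind": "network_connect", "process": "WINWORD.EXE", "pid": 2000,
     "dst_ip": "192.168.1.20", "dst_port": 9100},
]

if __name__ == "__main__":
    for name, session in (("malicious", MALICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        result = evaluate(session)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for t, why in result["timeline"]:
            print(f"  t+{t:.1f}s  {why}")
```

The same rules fire on an unknown sample as on a known Zeus variant, which is the point the deck makes about behavior versus signatures.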
Summary of Analysis:
- This was not a zero-day attack, but is still effective
  o If it was zero-day, Invincea can still contain and detect zero-day attacks because we analyze behavior, not signatures
- It was a variant of an existing “Zeus” banking Trojan that one can buy cheaply on the black market
  o Log keystrokes
  o Steal bank credentials
  o Launch distributed denial-of-service (DDoS) against financial institutions
- If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
And now the clean-up…
Simply closing the infected, contained application removes all traces of the malware.
This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
Delete infected container: < 1 second
For more details…
The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host.
Follow-on analysis can be viewed here:
http://www.invincea.com/2014/03/a-dfir-analysis-of-a-word-document-spear-phish-attack/
See more malware analysis “Killed in Action” (KIA) at:
http://www.invincea.com/category/kia/
And learn more about Invincea at:
http://www.invincea.com/why-invincea/