Application Security Architecture Authentication
CertificationsCorporate ComplianceCryptology
Disaster RecoveryEnterprise SecurityExploits
FirewallsIncident HandlingIntrusion Detection
OS SecurityPolicies and ProceduresSecurity Basics
Security ManagementSecurity ToolsServers
StandardsVoIPVulnerability Management
Web SecurityWiFi SecurityWorms and Viruses

Botnet Resiliency via Private Blockchains

by Jonny Sweeny

Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.
» Read more

How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

by Nikhil Mittal

In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI) which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security and with advent of PowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript etc. and drastically improves detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and the code is scanned for malicious content. What makes AMSI effective is, no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t matter if the code came from disk, memory or was entered interactively. AMSI is an open interface and MS says any application will be able to call its APIs. Currently, Windows Defender uses it on Windows 10. Has Microsoft finally killed script-based attacks? What are the ways out? The talk will be full of live demonstrations.
» Read more

Obfuscation and Polymorphism in Interpreted Code

by Kristopher L. Russo

Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time to detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult to detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.
» Read more

Securing DNS Against Emerging Threats: A Hybrid Approach

by John Pescatore

This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.
» Read more

Mirai: New wave of IoT botnet attacks hits Germany

by Semantec Security Response

A new wave of attacks involving the Mirai botnet has crippled internet access for nearly a million home users in Germany. The latest attacks used a new version of the Mirai malware (Linux.Mirai) which is configured to exploit a weakness found in routers widely used in Germany. New variant of malware used in attacks that knocked 900,000 home internet users offline. Read more in this posting by Semantec Security Response.
» Read more

PowerShell threats surge: 95.4 percent of analyzed scripts were malicious

by Candid Wueest

Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.

Of all of the PowerShell scripts analyzed through the BlueCoat Malware Analysis sandbox, 95.4 percent were malicious. This shows that externally sourced PowerShell scripts are a major threat to enterprises.
» Read more

Shamoon: Back from the dead and destructive as ever

by Semantec Security Response

Shamoon (W32.Disttrack), the aggressive disk-wiping malware which was used in attacks against the Saudi energy sector in 2012, has made a surprise comeback and was used in a fresh wave of attacks against targets in Saudi Arabia.
The malware used in the recent attacks (W32.Disttrack.B) is largely unchanged from the variant used four years ago. In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three year-old Syrian refugee who drowned in the Mediterranean last year.
» Read more

Avalanche malware network hit with law enforcement takedown

by Semantec Security Response

The Avalanche malware-hosting network has been dealt a severe blow following the takedown of infrastructure used by at least 17 malware families. The takedown operation, which was a combined effort by multiple international law enforcement agencies, public prosecutors, and security and IT organizations including Symantec, resulted in the seizure of 39 servers and several hundred thousand domains that were being used by the criminal organization behind the Avalanche network.
» Read more

Demystifying Malware Traffic

by Sourabh Saxena

In today’s world, adversaries use established techniques, innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual’s system. Usage of Malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into “zombies” and “bots” forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted area, Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as malware’s traffic simultaneously, using approaches like mutation and polymorphism making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.
» Read more