2. Agenda
Dodi Glenn, Malware Response Manager; Brian Jack, Lead Security Analyst
• Current threats, what's prevalent
Some of the most dangerous and complicated threats in the wild
• How application vulnerabilities leave the door open
Malicious PDFs & rogue AV
• Best Practices: Protection and Remediation
How to protect your network
Using tools like Sunbelt’s CWSandbox™ as part of a cyberdefense strategy for your enterprise
• Q & A
3. Current Threats
Significant rise in PDF Exploits
• In Q4 2009, 80% of in-the-wild exploits were delivered via PDFs¹
• 20 software flaws (CVEs) were issued for Adobe Reader in the past 3 months²
¹ ScanSafe
² NIST.gov
6. Current Threats
Distribution Vectors
• “Drive-by” infections
Are becoming more prevalent
• Tools to create malicious PDFs
Readily available online
• Exploit kits
YES, Eleonore, and Neosploit
Purchased on the black market; require little to no programming skill to operate
7. Current Threats
What is the typical payload?
• PDF exploits
Drop rogue AV downloaders or backdoors, e.g. Zbot
• Specific rogues
Antispyware Soft and Digital Protection are distributed by malicious PDFs
• Antispyware Soft changes proxy settings
Routing traffic to the malware’s C&C
8. Best Practices
Layered Security
• Application Security
Disable JavaScript support in Adobe Reader
Disable “PDF in Browser”
• OS Security
Machines are updated and patched
• Use Anti-virus
AV software is installed and updated
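The two Reader settings above target exactly the features malicious PDFs rely on: script execution and actions that fire as soon as the document opens. A defender can check for those same features before a file ever reaches Reader. The triage script below is an added example written for this page; it is not part of the presentation or of Sunbelt's tools. It scans a PDF for the name objects that matter (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia), undoes the `#xx` hex escapes that evasive files use to hide those names, and inflates Flate-compressed streams so names stored inside object streams are counted too. The sample document it runs on is constructed inline and contains no exploit, only a harmless `app.alert` string placed the way an evasive file would place it.

```python
import re
import zlib

# Name objects a malicious PDF typically needs: script execution, automatic
# triggering of an action, launching external programs, or carrying a payload.
# Each is also a legitimate PDF feature, so hits are a triage signal, not a verdict.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so an evasive /J#61vaScript reads as /JavaScript."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that decompresses as zlib/Flate data.

    Object streams (/ObjStm) hold whole object dictionaries compressed, so a
    scan of the raw bytes alone misses the names inside them.
    """
    out = []
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes, unlike zlib.decompress
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (e.g. JPEG image data) or corrupt: skip
    return b"\n".join(out)


def count_names(text: bytes) -> dict:
    """Count each risky name as a whole name token, so /JS does not match /JSomething."""
    found = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z])", text))
        if n:
            found[name.decode()] = n
    return found


def triage_pdf(data: bytes) -> dict:
    """Static triage: which risky names occur, visibly or inside compressed streams."""
    visible = count_names(normalize_names(data))
    hidden = count_names(normalize_names(inflate_streams(data)))
    names = {k: visible.get(k, 0) + hidden.get(k, 0) for k in set(visible) | set(hidden)}
    outside_streams = STREAM.sub(b"", data)  # binary stream bodies would give false '#xx' hits
    has_script = "/JavaScript" in names or "/JS" in names
    auto_trigger = "/OpenAction" in names or "/AA" in names
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "names": names,
        "names_in_streams": hidden,
        "hex_escaped_names": len(NAME_HEX.findall(outside_streams)),
        # script that runs without user interaction: the pattern the Reader settings block
        "auto_script": has_script and auto_trigger,
    }


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real exploit, not a complete valid PDF).

    The catalog's auto-run action is hex-escaped, and the JavaScript action it
    points at exists only inside a Flate-compressed object stream.
    """
    objstm = zlib.compress(b"6 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>")
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 6 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length ",
        str(len(objstm)).encode(), b" >>\nstream\n", objstm, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the raw-byte scan alone would see no script at all; only after hex-unescaping and inflating the object stream does the /OpenAction plus /JavaScript combination appear and `auto_script` become true. On real files, treat a true `auto_script` or a non-zero `hex_escaped_names` as a reason to detonate the document in a sandbox rather than open it.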
9. Turn the Tables
Resources
• Free Sunbelt Tools
Public sandbox: http://SunbeltSandbox.com
VIPRE Rescue: http://live.sunbeltsoftware.com
• SunbeltLabs Licensed Tools
CWSandbox: in-house analysis
ThreatTrack™: data feeds
10. Malware Unmasked
CWSandbox can analyze almost any file
Non-Executables:
• Flash, HTML, JavaScript, Java Applets, URLs
• pdf, doc, xls, ppt, mdb
• gif, mp3, wmv, avi
Executables:
• exe, bat, dll, com
Extensive logging and reporting of all analysis data.
11. Analyst vs. CWSandbox
Analyst:
• Multiple Applications
• Multiple Reports
• ½ Hour – Days per Sample
• Multiple Platform Comparisons
CWSandbox:
• 1 Application
• 1 Report
• Parseable reports
• 1 – 3 Minutes per Sample
• Searchable Repository