SlideShare a Scribd company logo

Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

Invincea, Inc.
Invincea, Inc.

Invincea and Dell Protected Workspace blocks a spear-phish attack attempted by Zeus malware in Word document.

Technology
1 of 33
Dell Data Protection Protected Workspace aWord doc spear-phish malware analysis by InvinceaThreat Research Group Analyst: ARMON BAKHSHI CHRIS CARLSON DIRECTOR, PRODUCT MARKETING, INVINCEA MAR 14 2014
Starting in July 2013, Dell OEMs Invincea’s security suite packaged as Dell Data Protection | Protected Workspace, shipping on 20+ million Precision, Latitude, and OptiPlex systems a year.
On March 12, 2014
On March 12, 2014 a Dell Protected Workspace user
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as
On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infectedWord document through email
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) First, some definitions…
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) Spear phishing Phishing attempts directed at specific individuals or companies with a malicious payload First, some definitions…
“95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Allen Paller, director of research, SANS Institute)
WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...! Sending at least 18 emails in a spear- phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
Spear-phishing attacks are looking more official all the time…. 2011 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc.
Spear-phishing attacks are looking more official all the time…. 2011 2013 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc. Very advanced – forged “from” address, embedded images, looks official
Dell Protected Workspace uses Invincea FreeSpace security software to protect an end- user by securely isolating malware from the host operating system.
Malware is safely contained in a secure virtual container that uses behavioral sensors to automatically detect and block any known and unknown (zero-day) malware.
Malware activity on anonymized user systems is securely transmitted to Invincea’s Threat Research Group for detailed analysis.
Here’s what we found… User opened a Word doc
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior!
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem
Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem Network listeners set up
Let’s look at a Time Line view to see what the malware is doing from start to finish….
By letting the malware run in our secure container, we can see that it opened up connections to an external host for a command-and-control session.
We determined that this is a ZeusTrojan variant through partner analysis, ThreatStream: Destination IP for command and control (C&C) High confidence that it’s a malware C&C server
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions
Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions - If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container < 1 second
For more details… The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host. Follow-on analysis can be viewed here: http://www.invincea.com/2014/03/a-dfir-analysis- of-a-word-document-spear-phish-attack/
See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/ And learn more about Invincea at: http://www.invincea.com/why-invincea/

Recommended

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea, Inc.
 
Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computingأحلام انصارى
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and RisksMiguel Rebollo
 
Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer security
SoundaryaB2
 
603535ransomware
603535ransomware603535ransomware
603535ransomwareAlexander Constantinou
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Introduction to Honeypots
Introduction to HoneypotsIntroduction to Honeypots
Introduction to Honeypots
Emil Tan
 

Recommended

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea, Inc.
 
Honey pot in cloud computing
Honey pot in cloud computingHoney pot in cloud computing
Honey pot in cloud computingأحلام انصارى
 
Computer Security and Risks
Computer Security and RisksComputer Security and Risks
Computer Security and RisksMiguel Rebollo
 
Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer security
SoundaryaB2
 
603535ransomware
603535ransomware603535ransomware
603535ransomwareAlexander Constantinou
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar reportInder NeGi
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Introduction to Honeypots
Introduction to HoneypotsIntroduction to Honeypots
Introduction to Honeypots
Emil Tan
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Honey pots
Honey potsHoney pots
Honey pots
Dhaivat Zala
 
Honeypot
Honeypot Honeypot
Honeypot Sushan Sharma
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
AlienVault
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 
Honeypots
HoneypotsHoneypots
Honeypots
Rushikesh Kulkarni
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
Vishal Tandel
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
icanhasfay
 
Honeypot
HoneypotHoneypot
Honeypot
Syeda Khadizatul maria
 
Honeypots
HoneypotsHoneypots
Honeypots
Bilal ZIANE
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
chrissanders88
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)
Emil Tan
 
Honeypot
HoneypotHoneypot
Honeypot
Akhil Sahajan
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
Kirubaburi R
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea, Inc.
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
Invincea, Inc.
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
CompanySeceon
 

More Related Content

What's hot

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Honey pots
Honey potsHoney pots
Honey pots
Dhaivat Zala
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
AlienVault
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 
Honeypots
HoneypotsHoneypots
Honeypots
Rushikesh Kulkarni
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
Vishal Tandel
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
icanhasfay
 
Honeypots
HoneypotsHoneypots
Honeypots
Bilal ZIANE
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
chrissanders88
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)
Emil Tan
 
Honeypot
HoneypotHoneypot
Honeypot
Akhil Sahajan
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
Kirubaburi R
 

What's hot (19)

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Honey pots
Honey potsHoney pots
Honey pots
 
Honeypot
Honeypot Honeypot
Honeypot
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.
 
Honeypots
HoneypotsHoneypots
Honeypots
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 
honey pots introduction and its types
honey pots introduction and its typeshoney pots introduction and its types
honey pots introduction and its types
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots
HoneypotsHoneypots
Honeypots
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Honeypot 101 (slide share)
Honeypot 101 (slide share)Honeypot 101 (slide share)
Honeypot 101 (slide share)
 
Honeypot
HoneypotHoneypot
Honeypot
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
 

Similar to Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea, Inc.
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
Invincea, Inc.
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
CompanySeceon
 
Information Security 201
Information Security 201Information Security 201
Information Security 201
Null Bhubaneswar
 
NetWitness
NetWitnessNetWitness
NetWitness
TechBiz Forense Digital
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
Cyber security
Cyber security Cyber security
Cyber security
ankit yadav
 
Venka sure Antivirus+Internet Security
Venka sure Antivirus+Internet SecurityVenka sure Antivirus+Internet Security
Venka sure Antivirus+Internet Security
Venkasys Technologies Pvt. Ltd.
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
John Steensen, MBA/TM, CISA, CRISC
 
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsMehrdad Jingoism
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systems
frankvv
 
Computer virus
Computer virusComputer virus
Computer virus
Kaushik Vemani Venkata
 
After the Breach
After the BreachAfter the Breach
After the Breach
Gary Wilhelm
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptx
Tapan Khilar
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
PriSim
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
Diane M. Metcalf
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
LakshayNRReddy
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 

Similar to Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014 (20)

Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptxHow Seceon could have stopped the Ransomware roll over Kaseya.pptx
How Seceon could have stopped the Ransomware roll over Kaseya.pptx
 
Information Security 201
Information Security 201Information Security 201
Information Security 201
 
NetWitness
NetWitnessNetWitness
NetWitness
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Cyber security
Cyber security Cyber security
Cyber security
 
Venka sure Antivirus+Internet Security
Venka sure Antivirus+Internet SecurityVenka sure Antivirus+Internet Security
Venka sure Antivirus+Internet Security
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 
Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypots
 
Certified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection SystemsCertified Secure - Ineffective Detection Systems
Certified Secure - Ineffective Detection Systems
 
Computer virus
Computer virusComputer virus
Computer virus
 
After the Breach
After the BreachAfter the Breach
After the Breach
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptx
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 

More from Invincea, Inc.

Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Invincea, Inc.
 
Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware
Invincea, Inc.
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With Tapio
Invincea, Inc.
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
Invincea, Inc.
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
Invincea, Inc.
 
Invincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in TapioInvincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in Tapio
Invincea, Inc.
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Invincea, Inc.
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail Industry
Invincea, Inc.
 
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Invincea, Inc.
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
Invincea, Inc.
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 

More from Invincea, Inc. (11)

Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector Threats to the Grid | Cyber Challenges Impacting the Energy Sector
Threats to the Grid | Cyber Challenges Impacting the Energy Sector
 
Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware Webcast: The Similarity Evidence Explorer For Malware
Webcast: The Similarity Evidence Explorer For Malware
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With Tapio
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Invincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in TapioInvincea: Reasoning in Incident Response in Tapio
Invincea: Reasoning in Incident Response in Tapio
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail Industry
 
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 

Invincea Dell Protected Workspace blocks Spear-Phish Word-doc-Mar-2014

  • 1. Dell Data Protection Protected Workspace aWord doc spear-phish malware analysis by InvinceaThreat Research Group Analyst: ARMON BAKHSHI CHRIS CARLSON DIRECTOR, PRODUCT MARKETING, INVINCEA MAR 14 2014
  • 2. Starting in July 2013, Dell OEMs Invincea’s security suite packaged as Dell Data Protection | Protected Workspace, shipping on 20+ million Precision, Latitude, and OptiPlex systems a year.
  • 4. On March 12, 2014 a Dell Protected Workspace user
  • 5. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked
  • 6. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as
  • 7. On March 12, 2014 a Dell Protected Workspace user successfully detected and blocked a spear-phish attack delivered as an infectedWord document through email
  • 8. Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) First, some definitions…
  • 9. Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (Wikipedia) Spear phishing Phishing attempts directed at specific individuals or companies with a malicious payload First, some definitions…
  • 10. “95% of all attacks on enterprise networks are the result of successful spear-phishing.” (Allen Paller, director of research, SANS Institute)
  • 11. WHY a 95% success rate?? BECAUSE USERS LOVE…TO…CLICK...! Sending at least 18 emails in a spear- phishing campaign guarantees at least one click! (Verizon Data Breach Investigations Report – 2013)
  • 12. Spear-phishing attacks are looking more official all the time…. 2011 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc.
  • 13. Spear-phishing attacks are looking more official all the time…. 2011 2013 Fairly rudimentary – sending fromYahoo, no images, spelling/typos, etc. Very advanced – forged “from” address, embedded images, looks official
  • 14. Dell Protected Workspace uses Invincea FreeSpace security software to protect an end- user by securely isolating malware from the host operating system.
  • 15. Malware is safely contained in a secure virtual container that uses behavioral sensors to automatically detect and block any known and unknown (zero-day) malware.
  • 16. Malware activity on anonymized user systems is securely transmitted to Invincea’s Threat Research Group for detailed analysis.
  • 17. Here’s what we found… User opened a Word doc
  • 18. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior!
  • 19. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created
  • 20. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem
  • 21. Here’s what we found… User opened a Word doc Uh-oh! Code is injected intoWord – not normal behavior! Auto-start process was created More files created on the (virtual) filesystem Network listeners set up
  • 22. Let’s look at a Time Line view to see what the malware is doing from start to finish….
  • 23. By letting the malware run in our secure container, we can see that it opened up connections to an external host for a command-and-control session.
  • 24. We determined that this is a ZeusTrojan variant through partner analysis, ThreatStream: Destination IP for command and control (C&C) High confidence that it’s a malware C&C server
  • 25. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures
  • 26. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions
  • 27. Summary of Analysis: - This was not a zero-day attack, but is still effective o If it was zero-day, Invincea can still contain and detect zero- day attacks because we analyze behavior, not signatures - It was a variant of an existing “Zeus” bankingTrojan that one can buy cheaply on the black-market o Logging keystrokes o Steal bank credentials o Launch distributed denial-of-service (DDoS) against financial institutions - If the payload was encrypted and opened on the client endpoint, it would sneak past perimeter control systems and execute successfully – need endpoint protection!
  • 28. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container.
  • 29. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
  • 30. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container
  • 31. And now the clean-up… Simply closing the infected, contained application removes all traces of the malware. This is not a re-image – the machine was never infected in the first place. Everything was contained inside the Invincea FreeSpace container. Delete infected container < 1 second
  • 32. For more details… The Invincea Threat Research Team further analyzed similar malware samples from the same command and control host. Follow-on analysis can be viewed here: http://www.invincea.com/2014/03/a-dfir-analysis- of-a-word-document-spear-phish-attack/
  • 33. See more malware analysis “Killed in Action” (KIA) at: http://www.invincea.com/category/kia/ And learn more about Invincea at: http://www.invincea.com/why-invincea/