13.07.2015

hp-security-research-cyber-risk-report-pdf-2-w-1408

HP Security Research | Cyber Risk Report 2015

Other trends

It is worth mentioning a mini-comeback [83] for Visual Basic for Applications (VBA) as a platform for delivering malicious content through email attachments. VBA malware was particularly popular in the last years of the 20th century, with macro viruses accounting for a significant proportion of all malicious samples. In the past, the malicious code would use OLE automation techniques to access the Microsoft Outlook® automation interface, sending the infected document as an attachment or simply propagating to all opened documents by inserting malicious code into the standard Normal.dot template.

For a long time it was thought that malicious VBA code was extinct thanks to Microsoft’s introduction of additional security features that prevented automatic startup of code when a document was opened. However, this year we have observed VBA, embedded in Microsoft Office XML format documents, acting as the first stage of infection and downloading or dropping additional malware components. This, however, had to be achieved by using social engineering tricks to convince users to open the document and explicitly allow the VBA macro embedded in the file to run.

Another trend is the reappearance of Visual Basic Script (VBS) malware, with the most common family being the Jenxcus [84] worm. Jenxcus is a relatively simple worm, which owes its success to inventive techniques used for spreading and launching itself.

Figure 9. Top malware samples discovered by ReversingLabs in 2014, by volume per month (bar chart, January to November; y-axis 0 to 1,000 samples; monthly high of 979, low of 116)

The worm is often delivered through a fake Adobe Flash updater setup file whose download is triggered when the user visits a maliciously crafted website—for example, a spoofed YouTube site. Once opened, Jenxcus enumerates mounted network drives and copies itself to them.
In addition to that, Jenxcus creates a link with a base file name identical to the base name of a file that already exists on the drive. Users may unknowingly click on the malicious link instead of the file and launch the malware on their systems. Jenxcus also provides a backdoor to the infected computer by connecting to a website and allowing the attacker to send commands to control it.

We finish this brief overview of notable malware discovered in 2014 with Onionduke. [85] Onionduke is malware delivered by a malicious TOR exit node. It works by intercepting downloads of Windows executable files and modifying the downloaded files on the fly to include additional malicious components designed to gather intelligence and steal users’ data, which is uploaded to the malware’s command and control servers.

The key takeaway from the Onionduke story is that using TOR may help users stay anonymous, but it will not make them secure. TOR users must remember that their Internet traffic is routed through TOR exit nodes, and not all participants in the TOR network can be considered benevolent. Furthermore, users should not download executable files via TOR (or anything else) without using some sort of network encryption mechanism such as a VPN.

[83] https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-VBA
[84] http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2
[85] https://www.f-secure.com/weblog/archives/00002764.html
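The two delivery tricks described above (a VBA project embedded in an Office XML document, and a Jenxcus-style shortcut whose base name shadows a real file on a share) both leave simple, checkable traces on disk. The following Python script is an added example, not code from the HP report or from any of the cited vendors: it inspects an Office Open XML container for a VBA project part and scans a directory for .lnk decoys that share a base name with a neighbouring file. The OOXML part name `vbaProject.bin` and the content type `application/vnd.ms-office.vbaProject` are the ones Office writes for macro-enabled documents; the sample document and the sample share are constructed in memory and in a temporary directory so the script runs offline.

```python
"""Defensive triage checks for two lures discussed in the report.

Added example, not the report's or any vendor's code. Sample inputs are
constructed inline and labelled as such.
"""
import io
import os
import tempfile
import zipfile

# OOXML documents (.docx/.docm/.xlsm/.pptm ...) are zip containers. Office stores a
# VBA project as a binary part with this name, declared with this content type in
# the [Content_Types].xml manifest.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML container carries a VBA project.

    Both the part list and the content-types manifest are checked, so a renamed
    part is still caught by its declared content type, and vice versa. Files that
    are not zip containers (legacy binary .doc/.xls, or unrelated data) yield
    False; they need a different (OLE) parser, which this check does not attempt.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.endswith(VBA_PART_SUFFIX) for n in names):
                return True
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return False
    return False


def shortcut_decoys(directory: str) -> list:
    """Return .lnk files whose base name matches another file in the directory.

    This is the decoy pattern the report attributes to Jenxcus: a shortcut named
    like an existing document so that a user opens the shortcut instead.
    Matching is case-insensitive because Windows file names are.
    """
    entries = os.listdir(directory)
    by_stem = {}
    for name in entries:
        stem, _ = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append(name)
    decoys = []
    for name in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and len(by_stem[stem.lower()]) > 1:
            decoys.append(os.path.join(directory, name))
    return sorted(decoys)


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0"?><Types>',
                 '<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_vba:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % MACRO_CONTENT_TYPE)
            # Placeholder bytes standing in for the OLE-format VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_sample_share() -> str:
    """Constructed sample: a temp directory mimicking a network share with one decoy."""
    share = tempfile.mkdtemp(prefix="share_")
    for name in ("Q3 report.xlsx", "Q3 report.lnk", "notes.txt", "installer.lnk"):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"constructed sample content")
    return share


if __name__ == "__main__":
    for flag in (True, False):
        print("sample built with VBA =", flag, "-> detected:", ooxml_has_vba(build_sample_ooxml(flag)))
    print("decoy shortcuts on constructed share:", shortcut_decoys(build_sample_share()))
```

On a real share, `shortcut_decoys` is a triage filter rather than proof of infection: legitimate shortcuts occasionally sit beside the file they point to, so flagged entries are worth reviewing (and reviewed shortcut targets tell you more than the name), while a clean result says nothing about links that were given an unrelated name. Likewise `ooxml_has_vba` tells you a macro project is present, not whether it is malicious; that is the point at which to hand the part to a dedicated VBA analyser.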
