Cyphort Labs Threat Report

Cyphort Labs Threat Report
Summary Prepared for:
Vandelay Industries
Cyphort Labs Threat Report Summary : Vandelay Industries
About this report
At Cyphort, we understand that it takes more than just an effective threat monitoring & mitigation
product to successfully defend against the modern attacks and threats. A proof-of-concept (POC)
deployment represents the very first step in learning about the specific needs of threat protection in
the customer environment, the possible observation points in the network in order to gain sufficient
visibility to all traffic of interest, the desired workflow for security monitoring and incident response,
and the ultimate security posture that the customer would like to achieve given their resource and
priority considerations.
When customers choose to be part of the Cyphort Threat Intelligence Network, Cyphort Threat
Labs becomes actively involved in the POC process through daily monitoring of incident alerts
on customers networks. Cyphort researchers will provide customers with proactive email
communications on any significant incidents of potential interest on an as-needed basis, and create
threat summary reports on the customer’s behalf toward the end of the POC period.
The Cyphort Labs Threat Report Summary is designed to provide a more comprehensive view on:
™™ Significant threat incidents discovered during an extended period of time, typically several
weeks so that traffic fluctuation associated with time-of-day activity patterns is accounted for.
These will include the whole spectrum of alerts including serious threats, suspicious activities
and adware, and any instance of noisy alerts.
™™ Visibility stats that shed lights on what types of files are being moved across the customer
network, at what volumes, and through what agents (e.g. human browsing the web vs. automated
programs). We believe that good visibility and awareness goes a long way in helping with a
strong defense posture.
™™ More details on selected threats and malware objects. The details are based on deep-dive
research conducted by the Cyphort threat researchers to reveal things like attack payloads,
threat intent, and other threat indicators. A set of mitigation actions and best-practice
recommendations are also included when applicable.
™™ Background and other useful references. While it is important to take immediate mitigation
actions in order to contain the threats and minimize potential impact, it is more important to
take steps to improve long-term postures by implementing continuous monitoring capabilities,
extending coverage of threat vectors, and addressing security practice and policy needs.
This report is based on observations made at customers spanning the period from November 2013
to March 2014. Monthly data are based on the actual aggregates in the respective month while the
daily data is based on specific days duly noted. In those cases, we simply picked a specific day that
seems fairly typical of a weekday regarding the reported stats.
As always, the Cyphort Threat Labs welcome all your feedback and suggestions for improving
these reports. Please send your feedback to [email protected].
2
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Incident Alerts Summary
High Severity Threats
Malware download incidents including:
¡¡ Zeus Trojan
¡¡ Cidox malware
Suspicious Apps And Adware
186 Adware instances:
¡¡ Genieo
¡¡ Conduit
¡¡ ShadyOffer
¡¡ Wajam
¡¡ InstallCore
¡¡ MyWebsearch
¡¡ and others
Noise
¡¡ 36 false positives (out of 384,000 objects scanned)
3
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Monthly Activity Summary
Date
Unique IPs
HTTP Downloads
Unique Files
March 2014
17k
550k
157k
February 2014
23k
288k
101k
January 2014
25k
215k
52k
December 2013
22k
250k
89k
November 2013
9k
80k
37k
Daily Top Analyzed Files
File Type
File Count (As of 3/12/2014)
ZIP Archive
50,713
PDF
5,576
Mac Executable
1254
Windows Executable
534
Microsoft Office
157
Daily Human vs. Auto Browsers
4
OS Mappings
Downloads (As of 3/12/2014)
MacOS
48,107
Unknown
5,537
Windows
1,402
Apple IOS
1,297
Android
134
™™ “Unknown” count corresponds
to apps using “non-standard”
User-Agent strings, no ready OS
mapping.
™™ Cyphort new release will ingest
endpoint scan data for accurate OS
mapping
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Actions & Recommendations
Zeus Trojan instance
[19c77b56269a31a01aa0572da78e1b15]
¡¡ Clean the machine immediately using System Restore
¡¡ Block CNC IP address in Korea - 61.38.200.5
Cidox Trojan instance
[ace4334e7bbe67a4e4f639c62689f812]
¡¡ Clean the machine immediately using System Restore
¡¡ Block CNC - sugar-freez.com, networksecurityx.hopto.org
Adware
¡¡ Conduit is a browser hijack in that it changes your home page and search provider. This
component insures that any changes made to the search provider subsequently will
revert back to Conduit. We suggest removing it.
¡¡ Genieo is an adware for the Mac platform that intercepts users searches. We suggest
removing it.
¡¡ ShadyOffer is an adware that monitors mouse and keyboard.Block CNC : http://stub.
goobzo.com/p.ashx
¡¡ Wajam is an adware that hijacks search results. We suggest removing it.
5
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Zeus Trojan Background
¡¡ Zbot or Zeus malware family is one of the most dangerous malware families (http://www.
microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fZbot)
¡¡ Sophistication: three key components
1.
a toolkit for creating and delivering the threat
2. the Trojan that gets installed and controls victims’ machine
3. the command & control (C&C) server that controls the malicious activities and
facilitate data theft
¡¡ Spread infection by social engineering, spear-phishing, & drive-by download
¡¡ Known malicious activities so far: shutdown machine, delete files, browser hijack, data
theft, Trojan dropping cookie stealing, bank fraud, bitcoin stealing.
Conduit Background
¡¡ Conduit is an adware program that changes your browser home page and default
search engine to search.conduit.com.Conduit creates a toolbar on your browser and
whenever your are doing a search, it will display on the first search results their own ads.
Conduit is installed together with freeware/shareware programs: MP3 rippers, YouTube
downloaders, etc. Some Trojans distribute it as well. 6
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Genieo Mac Adware Background
¡¡ Genieo comes in as a Mac dmg file. Inside is an adware that customizes your Internet
browser page to display products that it believes you’ll find interesting. It was being
distributed through installers that pretend to be something they are not, such as fake
Adobe Flash Player installers. It intercepts searches on Google, Bing and Yahoo and
silently redirects them to Genieo or its partner engine.
See http://en.wikipedia.org/wiki/Genieo
¡¡ Once Genieo.dmg is downloaded, it installs Genieo.app and adds it to the Login Items
so that it will be restarted at login.
¡¡ It also installs a Launch Agent:
/Library/LaunchAgents/com.genieo.engine.plist
¡¡ Along with two dynamic libraries:
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
¡¡ Libgenkit.dylib is added to OS X’s global launched configuration file:
/etc/launchd.conf
7
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
ShadyOffer Adware Background
Shadyoffer has the following malicious behavior:
¡¡ Steals System Information
¡¡ Monitors Mouse and Keyboard
¡¡ Downloads files
¡¡ Shows Pop-ups from the notification that offers to install another software
After some delay time it starts to show a notification bar which offers the infected user free
backup software called “MyPC Backup”. That software will offer a “Protect Now” Button
which that asks the user for a monthly payment to properly protect your files.
8
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
Cyphort Labs Threat Report Summary : Vandelay Industries
Wajam Adware Background
¡¡ Wajam is an adware browser extension that bills itself as a social search engine that
gives you recommendations from your friends everywhere you like to search. Wajam is
monetizing its service through affiliate links to Shopping.com . Unwanted installations
of Wajam also have the capability to hijack a browser’s search functions and display
undesired ads. See http://en.wikipedia.org/wiki/Wajam
¡¡ Wajam was founded by Martin-Luc Archambault, who was previously the President of
Zango Canada.
¡¡ Zango, formerly ePIPO,
180solutions and
Hotbar, was an adware
company that was
charged by the Federal
Trade Commission for
“Deceptive Failure to
Disclose Adware”, “Unfair
Installation of Adware”,
and “Unfair Uninstall
Practices” in violation
of the Federal Trade
About Cyphort:
Commission Act.
Founded in 2011 by a team
of security experts, Cyphort
advanced threat defense goes
beyond malware detection to
reveal the true intent of the attack
and the risk to your organization
with prioritized and expedited
remediation. Our software-based
approach combines best-inclass malware detection with
knowledge of threat capabilities
and your organizational context
to cut through the avalanche of
security data to get at the threats
that matter and respond with
velocity, in hours not days.
CYPHORT, Inc.
5451 Great America Parkway
Suite 225
Santa Clara, CA 95054
P: (408) 841-4665
F: (408) 540-1299
9
Sales/Customer Support
1-855-862-5927 (tel)
1-855-8-MALWARE (tel)
1.408.540.1299 (fax)
Email: [email protected]
PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.
©2015 Cyphort, Inc. All rights reserved.