Seculert researchers closely follow the evolution of major malware families while examining the behavioral malware profiles that are a core part of our breach analytics platform. Back in 2013 I wrote about the enhancements to the DGA.Changer malware that allowed it to change its seed which in turn allowed it to connect to a different stream of domain names.
It would now appear that someone in the DGA.Changer “development community” has been working on a new set of “Imitation Game” features that make the malware even harder to detect with traditional sandboxing security solutions.
Our research team discovered that this new suite of features begins by checking whether the malware is running in a VM, looking for specific disk artifacts in the registry. The code checks for evidence of VMware, VirtualBox, and others (Figure 1).
Figure 1: Code that checks if the malware is running in a virtualized environment (e.g. Sandbox)
If these checks reveal that the malware is indeed running in a virtual environment, the malware alters the generation seed so that it communicates with a list of fake generated domains (Figure 2). The attackers using DGA.Changer have actually purchased some of the fake domains and pointed them to a server. While the server returns an executable file that does nothing more than exit immediately after it is executed (Figure 3), the goal here seems to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components.
Figure 2: Code that generates fake domain list, using a different generation seed
Figure 3: Server behind fake domains will respond with payloads which include useless code
The first variants of the new version were identified in February 2015. Since then we’ve seen several different iterations, which include different initial and fake seeds.
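To make the seed switch concrete, here is an added example (not code from the post or from the malware): a toy seed-driven generator stands in for the real DGA, and a defender-side check tells whether the domains a sandbox run queried came from the “real” seed stream or the decoy one. The generator, the seed values and the sample DNS log are all constructed for illustration.

```python
# Added example: toy seed-driven DGA plus a defender-side check for which seed
# stream a sandbox run's DNS queries belong to.  The generator, the seeds and
# the sample log are constructed stand-ins, not DGA.Changer's real algorithm
# or indicators.
import hashlib
from datetime import date

TLDS = ("com", "net", "org")

def generate_domains(seed: int, day: date, count: int = 5) -> list:
    """Derive `count` domains from (seed, day).  Toy algorithm: SHA-256 over
    seed, date and index, mapped to a 12-letter label plus a TLD."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def classify_queries(observed, seeds, day, count=5):
    """Map each named seed to the observed domains its stream produced for
    `day`.  Seeds whose stream matches nothing are omitted."""
    observed = set(observed)
    matches = {}
    for name, seed in seeds.items():
        hits = sorted(set(generate_domains(seed, day, count)) & observed)
        if hits:
            matches[name] = hits
    return matches

def sandbox_saw_decoy_only(observed, seeds, day, count=5):
    """True when the run only touched the decoy stream: the sample most likely
    detected the VM, and the 'payload' it fetched is the do-nothing executable,
    so the sandbox verdict should not be trusted as the real C2 behaviour."""
    m = classify_queries(observed, seeds, day, count)
    return "decoy" in m and "real" not in m

# Constructed seeds (hypothetical values) and a constructed sandbox DNS log
# containing two decoy-stream domains plus unrelated noise.
SEEDS = {"real": 0x1337, "decoy": 0xBEEF}
RUN_DAY = date(2015, 2, 1)
SANDBOX_LOG = generate_domains(SEEDS["decoy"], RUN_DAY)[:2] + ["www.example.com"]

if __name__ == "__main__":
    print(classify_queries(SANDBOX_LOG, SEEDS, RUN_DAY))
    print("decoy only:", sandbox_saw_decoy_only(SANDBOX_LOG, SEEDS, RUN_DAY))
```

With both seeds recovered from a sample, the same check can be run over production DNS logs to see which stream real infections are actually using.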
The discovery of this new version of DGA.Changer highlights yet again the limitations of “sandbox only” prevention approaches and the need to complement them with post-infection analytics based detection techniques. In the Spy vs. Spy world of cyber-security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.
Here are some MD5 hashes of the new variants:
Contributing researchers: Yevgeny Kulakov and Adi Raff
In an article for Bankingtech.com, Peter Cheney, the director of cybersecurity at independent global risk and strategic consulting firm Control Risks, has identified three essential questions that he believes enterprises must ask within the first 48 hours after a network breach:
About 15 years ago, a game show took public humiliation to new heights (or depths, depending on one’s perspective) by branding unsuccessful contestants as the weakest link in the group. They were then ushered offstage to the tune of the most soul-crushing “goodbye” in television history by the host.
Well, that game show is now off the air, but according to a recent Forbes article by Social Media and Compliance Specialist Joanna Belby, the weakest link in cybersecurity is, unfortunately, still very much alive: employees.
A survey of 500 IT decision-makers in UK enterprises (250+ employees) has revealed that 54% lack the knowledge and capacity required to thwart sophisticated cyber attacks.
The survey, which was conducted by Symantec and Deloitte, also found that:
- 66% of respondents don’t think it’s necessary to regularly train employees on cyber security policies and practices
- 60% of respondents lack full confidence in their enterprise’s cyber security policies
- 55% of respondents depend on legislation, regulations, and other external factors to drive their infosec policy
- 49% of respondents fail to fully protect confidential data, including corporate intellectual property, and private information related to customers, employees, and finances
An automated and independent malware testing service has taken a quick break from analyzing malware such as worms, information stealers, and rootkits so that it can crunch some numbers — and the news isn’t good for enterprises that rely exclusively on prevention-based security software packages.
As reported by David Braue of CSO Online, the service aggregated the results of its regular monthly test of 33 different malware threats and found that in the second half of 2014 none of the eight security packages included in its analysis — each of which is produced by a major vendor — detected 100% of threats. The best-performing package detected 86% of malware, while the worst detected just 12%. The average detection rate across all eight packages was 55%.
Seculert provides alerts on confirmed incidents of malware actively communicating or exfiltrating information from users’ devices. Seculert can even detect incidents relating to partners and/or customers. These alerts provide actionable and accurate information that identifies the infected device.
A just-released, updated version of the Seculert API makes it easier to integrate all the insights from Seculert with your existing security infrastructure. You can automatically feed alerts about malware incidents into your SIEM, Splunk, secure web gateway, firewall, or IPS.
In a DailySignal.com commentary, writer Jennifer Guthrie urges lawmakers and business leaders to join forces and improve how they share information regarding cyber threats on both a micro and macro level — for the benefit of everyone.
In a recent Forbes article, supply chain industry expert Steve Banker is warning enterprises that they need to view cybersecurity breaches as the new normal — not the rare exception.
Banker bases his argument on three key factors that combine to make it impossible for enterprises to prevent 100% of cybersecurity breaches, regardless of how sophisticated their network defense system might be:
In a new article for Infosecurity Magazine, Vectra Networks CTO Oliver Tavakoli uses an analogy of a goldfish circling a fishbowl to illustrate a defining characteristic of perimeter security: it has no memory.
“While perimeter security has its place in a defense-in-depth security strategy, the reality is that perimeter security has the same perfect amnesia as a goldfish swimming in circles in its bowl,” writes Tavakoli. “Each time a goldfish circles the perimeter of the bowl, it has no memory of its prior journey. Similarly, each time perimeter security sees a threat or suspicious behavior, it is as if it is seeing it for the first time.”
Citi Research, a division of Citigroup Global Markets Inc., has released its “2015 CISO Survey.” According to the 54 CISOs who participated in the survey, here’s how the spending intentions of this representative group will likely shape the enterprise IT security landscape in the year ahead: