ThreatSTOP Announces Improvements to Reporting

ThreatSTOP is pleased to announce a new release of its web portal that significantly improves the speed and utility of the log-file analysis and reporting it provides to subscribers. The new reporting UI presents data in the way our customers have told us they prefer to analyze it.

The most important information is which types of attack have been seen, so the order of the default tabs has been changed so that “Summary by Threat” is displayed first. Within that tab, attacks are broken down by threat category (Botnets, Malware, Inbound …) and, within each category, by the number of hits on each target list.

(Screenshot: Summary by Threat tab)

In addition to changing the “Summary by Threat” tab, we have also changed the “Summary by IP” tab to make it quicker to identify compromised (or otherwise suspect) internal hosts. Rather than displaying communication pairs, it now lists internal IP addresses only. Clicking on an internal IP address shows which of its communications have been blocked, and with what.

(Screenshot: Summary by IP tab)

Finally, we have tweaked the “Summary by Date” tab to display the busiest date and hour and to provide breakdowns of traffic by hour. This is particularly useful for identifying infected devices that are “calling home” when no one is in the office.

(Screenshot: Summary by Date tab)
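The three views described above can be reproduced from raw firewall drop logs. The following is an added example, not code from the ThreatSTOP portal: it assumes a generic key=value drop-log format (not ThreatSTOP's), treats the RFC 1918 ranges as "internal", and assumes 08:00 to 17:59 local time as business hours. The log lines are constructed for the example, using documentation address ranges for the external side.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample firewall drop log (a generic key=value format is assumed;
# this is not ThreatSTOP's log format). 10.x hosts are internal, 192.0.2.10 is
# an internet-facing server, the other addresses stand in for blocked peers.
SAMPLE_LOG = """\
2014-04-09T02:13:45 BLOCK src=10.0.5.23 dst=198.51.100.7 dport=443 list=botnet
2014-04-09T02:14:01 BLOCK src=10.0.5.23 dst=198.51.100.7 dport=443 list=botnet
2014-04-09T02:14:17 BLOCK src=10.0.5.23 dst=198.51.100.9 dport=8080 list=malware
2014-04-09T10:30:12 BLOCK src=10.0.7.41 dst=203.0.113.50 dport=80 list=malware
2014-04-09T10:02:55 BLOCK src=203.0.113.77 dst=192.0.2.10 dport=22 list=inbound
2014-04-09T10:03:01 BLOCK src=203.0.113.77 dst=192.0.2.10 dport=22 list=inbound
2014-04-09T10:03:09 BLOCK src=203.0.113.78 dst=192.0.2.10 dport=443 list=inbound
2014-04-09T23:45:30 BLOCK src=10.0.5.23 dst=198.51.100.7 dport=443 list=botnet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) BLOCK src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) list=(?P<list>\S+)$"
)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 local time


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn log lines into event dicts. An event whose source is an internal
    address is an outbound (call-home) block; anything else is inbound."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a drop record
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        ev["direction"] = "outbound" if is_internal(ev["src"]) else "inbound"
        events.append(ev)
    return events


def summary_by_threat(events):
    """Hits per target list, split by direction (the Summary by Threat view)."""
    return dict(Counter((ev["list"], ev["direction"]) for ev in events))


def summary_by_ip(events):
    """Internal hosts whose outbound traffic was blocked, with what they tried
    to reach: these are the hosts most likely to be compromised."""
    hosts = defaultdict(lambda: {"hits": 0, "lists": set(), "destinations": set()})
    for ev in events:
        if ev["direction"] != "outbound":
            continue
        h = hosts[ev["src"]]
        h["hits"] += 1
        h["lists"].add(ev["list"])
        h["destinations"].add((ev["dst"], ev["dport"]))
    return dict(hosts)


def summary_by_hour(events):
    """Blocked connections per hour of day."""
    return dict(Counter(ev["ts"].hour for ev in events))


def busiest_hour(events):
    hour, hits = max(summary_by_hour(events).items(), key=lambda kv: kv[1])
    return hour, hits


def after_hours_callers(events):
    """Internal hosts whose blocked outbound attempts fall outside business
    hours: with nobody at the keyboard, this looks like malware beaconing."""
    return sorted({ev["src"] for ev in events
                   if ev["direction"] == "outbound"
                   and ev["ts"].hour not in BUSINESS_HOURS})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("by threat:", summary_by_threat(evs))
    for ip, info in summary_by_ip(evs).items():
        print(ip, info["hits"], sorted(info["lists"]), sorted(info["destinations"]))
    print("busiest hour:", busiest_hour(evs))
    print("after-hours callers:", after_hours_callers(evs))
```

On the constructed log, 10.0.5.23 stands out twice: it has the most blocked outbound attempts and it is the only host calling out at 02:00 and 23:45, while the inbound hits against 192.0.2.10 are a separate, internet-facing problem.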

We do of course welcome feedback from our subscribers and suggestions from them on additional ways to enhance our reporting UI.

In addition to the layout changes, some back-end work has been done to improve performance, particularly for our larger customers. The combined result of the back-end database changes and the UI changes is that ThreatSTOP’s customers see the firewall log data they care about immediately, so that they can act to remediate compromised internal hosts or handle sustained attacks on internet-facing devices.

About ThreatSTOP

ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router.  Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/

ThreatSTOP adds active Heartbleed attacker list to our feeds

Over the last 36 hours ThreatSTOP has identified a number of hosts that are scanning for the Heartbleed* OpenSSL vulnerability. This is based on data received from malware researchers we know as well as from visitors to honeypots we set up ourselves. These addresses have been added to a new expert-mode target list called “Heartbleed” as well as to our standard-mode “unix server” target list.

We recommend that any of our hosting-provider partners who use us in expert mode update their policies. Similarly, any standard-mode users who have servers behind a firewall or router running ThreatSTOP and who do not have the “unix server” feed enabled should add it.

This list is currently fairly small, but we suspect it may grow significantly over the next few days. As we noted in our blog post yesterday, we have been blocking a number of attacks simply because they come from IP addresses already well known to us as attackers; adding the known Heartbleed scanners to our feeds improves our coverage of this threat. Relatedly, we are analyzing our customer log data to see whether we can determine when this vulnerability became known to cyber criminals. This should help establish the window of exposure for this bug and may help answer the question of whether it has been widely exploited or not.

* For those that may have missed the announcements, the Heartbleed vulnerability is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

ThreatSTOP not vulnerable to Heartbleed

The Heartbleed vulnerability* has burst into public consciousness and generated a lot of justified concern that login information and other confidential data may have been at risk because of it.

ThreatSTOP is pleased to confirm that our servers and service are not susceptible to this bug.

ThreatSTOP customers do not need to be concerned that their ThreatSTOP credentials, or anything else on our portal, have been put at risk by this vulnerability. Our system architecture uses our own and our partners’ technology in a multi-layered, “belt and suspenders” design that protects against known and unknown threats.

The servers behind ThreatSTOP’s web portal are accessed via traffic management and security appliances from our partner A10 Networks that are not vulnerable to this bug.

We have audited our infrastructure and verified that no systems are, or were, vulnerable to this bug.

Regarding our blocking services: we distribute our block lists via DNS queries, which do not use TLS (but are secured by other means); ONLY subscribers can access our servers; only the specific subscriber can query their own policies, and only from their configured IP addresses; and connections to our service are ONLY over TCP, whose three-way handshake makes blind source-address spoofing impractical.

Finally (and as a general point), people are being advised by excitable media pundits to change their passwords NOW. In general this is bad advice, at least in the short term.

It only applies to sites that 1) were vulnerable and 2) have now patched themselves so that they no longer are, ideally having also replaced the TLS private keys and certificates that may have leaked.

If the site is not yet patched, changing your password means an attacker can quite possibly see your new password too.

In short: your ThreatSTOP account and credentials are safe. Your other accounts may not be, but don’t change their passwords until the site in question has updated its security.

* For those that may have missed the announcements, the Heartbleed vulnerability is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

ThreatSTOP blocking Heartbleed

It looks like ThreatSTOP has been protecting our service provider customers from the Heartbleed vulnerability* for some time now.

Although the vulnerability was announced on Monday, it has been reported as having been under active attack for a couple of weeks, according to Seacat, who discovered by accident that they had been logging attacks on it.

It has been subject to far more scanning and exploitation attempts since the news broke on Monday.

Our preliminary analysis indicates that ThreatSTOP has blocked many attacks seeking to exploit this vulnerability. This is hard to confirm, as ThreatSTOP blocks connection attempts before the attacker can try any SSL activity.

However, ThreatSTOP would have stopped about two thirds of the active scanners listed in the Seacat post mentioned above. For ThreatSTOP customers this would have raised a big red flag about a spike in blocked connections to port 443, and would have alerted them to any successful compromise if traffic left their network for the password-stealing hosts.

This is not a fluke. Attackers who are trying to exploit this vulnerability are using the same compromised infrastructure that they use for other attacks. Since we and our research partners have identified these hosts when they made other attacks, they are already in our block lists.

ThreatSTOP blocks all traffic on all open ports from known offenders, so it does not matter whether the vulnerable service is HTTPS, email, an SSL VPN or any of the other protocols that use TLS. That buys time to patch software that you may not realise has OpenSSL compiled in or ships its own copy of the library; it does not remove the need to patch, since an attacker coming from an address not yet on the list is not blocked.
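Finding the software that "compiled in" or ships its own OpenSSL is the part of that patching job people miss, because the package manager knows nothing about it. The following is an added example, not ThreatSTOP's code: it scans a directory tree for the version banner that OpenSSL embeds in libssl/libcrypto and in any binary that links them statically, and flags the upstream releases that carried the bug (1.0.1 through 1.0.1f, and 1.0.2-beta1). The "binaries" it scans are constructed in a temporary directory. One caveat is built in: distributions often backport the fix without changing the banner, so a hit is a lead to check against the package changelog, not a verdict.

```python
import os
import re
import tempfile

# Matches the banner OpenSSL compiles into libssl/libcrypto and into anything
# that links them statically, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")
MAX_FILE_BYTES = 256 * 1024 * 1024  # skip anything larger than this


def is_heartbleed_version(version):
    """True for the upstream releases that carried the bug: 1.0.1 through
    1.0.1f, and 1.0.2-beta1. Distribution packages often backport the fix
    without changing this string, so treat a hit as a lead, not a verdict."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version)
    if not m:
        return False
    major, minor, patch, letter, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    if release == (1, 0, 1):
        return letter <= "f"        # "" (1.0.1 itself) and a..f are affected
    if release == (1, 0, 2):
        return beta == "1"          # 1.0.2-beta1 only; beta2 shipped the fix
    return False


def embedded_openssl_versions(path):
    """Version strings found inside one file (deduplicated, sorted)."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_FILE_BYTES)
    return sorted({m.group(1).decode("ascii") for m in VERSION_RE.finditer(data)})


def scan_tree(root):
    """Walk a directory tree and return (path, version, vulnerable) for every
    regular file that embeds an OpenSSL banner; symlinks are not followed."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                versions = embedded_openssl_versions(path)
            except OSError:
                continue            # unreadable file; move on
            for v in versions:
                findings.append((path, v, is_heartbleed_version(v)))
    return sorted(findings)


def build_demo_tree():
    """Constructed stand-in for a filesystem: fake binaries with banners
    embedded the way a real build would embed them."""
    root = tempfile.mkdtemp(prefix="sslscan-")
    samples = {
        "bin/legacy-agent": b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...",
        "bin/updated-agent": b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014...",
        "lib/old-lib.so": b"\x7fELF...OpenSSL 0.9.8y 5 Feb 2013...",
        "etc/readme.txt": b"plain text, nothing embedded",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, version, vuln in scan_tree(build_demo_tree()):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:12} {path}")
```

Run it against /usr, /opt and wherever vendor appliances or agents unpack themselves; the 0.9.8 and 1.0.0 branches never had the heartbeat code and come back clean, which is the point of checking the version rather than grepping for "OpenSSL".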

*The Heartbleed bug is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems (not actually) protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Blocking Neutrino EK and Ponmocup Droppers

ThreatSTOP and DNS Firewall Blocking Two New Malware Types

ThreatSTOP has started blocking two new varieties of malware for our subscribers and those of our OEM partner Infoblox.

The first is the Neutrino Exploit Kit; we are blocking the servers that serve the kit to vulnerable computers. The kit is sold on underground forums to criminals who use it to gain access to a computer and then download other malware onto it. It is an extremely dangerous kit and is updated regularly to contain the latest exploits, primarily for Java.

The second is the Ponmocup adware botnet, also known as Trojan.Milicenso. Ponmocup is currently considered less harmful, as it seems to be used mainly for adware and click fraud, but there is no reason to assume that this will remain the case.

To learn more read this article

About ThreatSTOP

ThreatSTOP is a real-time IP and Domain Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user’s firewalls and nameservers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s firewall, or by enabling DNS Firewall (RPZ) on their Infoblox Grid. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA. For more information, visit http://www.threatstop.com.

Blocking Cryptolocker Ransomware

ThreatSTOP and DNS Firewall block Cryptolocker

Stop extortion by cybercriminals using IP and Domain Name reputation.

ThreatSTOP has started blocking a new variety of malware called “cryptolocker” for our subscribers and those of our OEM partner Infoblox. Cryptolocker is a new and widely spreading form of “Ransomware” that encrypts files on an infected Windows computer and any networked file systems it has access to.

We are blocking access to the known Cryptolocker servers and other associated infrastructure. This stops Cryptolocker from working on networks protected by ThreatSTOP and Infoblox DNS Firewall.

Cryptolocker is spread in many different ways. As a result, the only really effective way to stop it is to block access to the servers it must contact to obtain the key it uses to encrypt your data before holding it to ransom.

While no current security solutions can completely prevent you from being infected by Cryptolocker, blocking communications to the criminals’ encryption servers does prevent the malware from encrypting your data. This protects you from being extorted, and if you know which internal system was blocked (a key part of the ThreatSTOP and Infoblox DNS Firewall services), lets you clean it up before further damage occurs.

What is cryptolocker?

Cryptolocker is an updated and more virulent on-line version of a very old crime: taking something you really care about or need hostage, and extorting money to get it back.

(Screenshot: Cryptolocker)

A widespread earlier online version was commonly called “MoneyPak” (after the prepaid payment cards the ransom was demanded in). It infected computers via sites advertising illegal or prurient content (mostly child pornography or other obscene material that no one would admit to looking at), via e-mail, or via trojaned legitimate hosts. Once on a system, it impersonated local law enforcement (in the US the FBI, in Europe Interpol), locked the system so the victim couldn’t use it, and demanded money to restore access. Unfortunately for the victims, paying did not get them back in. The criminals relied (correctly) on the victims’ unwillingness to have law enforcement examine their computers. Unlike with Cryptolocker, however, there were ways to regain access without paying.

It was obviously a proof of concept. It was called “scareware”, but it worked. ThreatSTOP and our associates have been tracking this system for over a year.

The criminals took notice and now, just in time for Halloween, they are back with a real vampire: Cryptolocker. The first detailed explanation of how Cryptolocker functions came from Emsisoft, who also appear to have been among the first to see it in the wild. It works like this: the malware gets onto your system and calls back to a criminal server, which generates an encryption key pair and keeps the private half on the server; the malware then encrypts the data on your hard disk (and on every network share it can reach) with that key, and pops up a message saying that if you would like to see your data again you have to pay. And they will not wait forever before deleting your key from their servers (probably because they need to keep moving servers).

As this Ars Technica article explains, it prices your data at $300 (or €300, so it’s better to pay in USD :) ). If you are infected there are a number of ways to pay the crooks and get a key from them.

The Cryptolocker crooks appear to keep their word: if you pay them they do hand over the decryption key. But clearly no one wants to pay $300 and, of course, there is no guarantee that you won’t be reinfected later.

Cryptolocker is far worse in a corporate environment, because if an infected computer has open connections to other LAN-connected file systems, such as shared drives on a file server, these may be encrypted too. Worse still, some organizations use a file-server drive as a shared backup location for multiple users, meaning that all of the online backups could be encrypted as well.

Another exhaustive examination of Cryptolocker is available from BleepingComputer.

How does ThreatSTOP stop Cryptolocker?

Thanks to work by extremely talented malware researchers the critical command and control (C2) infrastructure of Cryptolocker, and how they move it to the next set of servers, has been identified. We are propagating the result of this work as a block list in both our IP reputation (ThreatSTOP) and RPZ (DNS Firewall) services.

As a result our users stop infected computers from “calling home”. By blocking these communications they prevent the malware from creating and sharing the encryption key with the criminals and, as a result, the infected machine’s hard disk remains unencrypted.

This is not, and cannot be, a permanent fix. A computer infected with Cryptolocker needs to be cleaned up (reimaging is the only true solution to any active malware) as soon as possible, before it finds a path home that ThreatSTOP does not cover, for example when someone takes the laptop home.
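To make the RPZ side of this concrete, the following is an added example, not ThreatSTOP's or Infoblox's own code. It generates a BIND response-policy zone from an indicator list, with domain triggers that redirect to a sinkhole you operate (so the querying host is recorded, which is how you learn which machine is infected) and answer-address triggers that fire when any name resolves into known C2 address space. The indicators are constructed (reserved example names and documentation address ranges, not a real Cryptolocker list), the sinkhole name is assumed, and the resolver log lines it parses are constructed in the shape of BIND's rpz log category rather than copied from a real server.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed indicators: reserved example names and documentation address
# ranges. They are NOT a real Cryptolocker C2 list.
C2_DOMAINS = ["c2-one.example", "c2-two.example"]
C2_NETWORKS = ["198.51.100.0/24", "203.0.113.45/32"]
SINKHOLE = "sinkhole.example"   # assumed: a walled-garden host you operate


def rpz_ip_trigger(cidr):
    """RPZ answer-address trigger for an IPv4 network: prefix length, then the
    octets in reverse order, e.g. 198.51.100.0/24 -> 24.0.100.51.198.rpz-ip."""
    net = ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def build_rpz_zone(origin, domains, networks, sinkhole=None, serial=1):
    """Render a BIND response-policy zone as text.
    Domain triggers redirect to the sinkhole (a CNAME to a host you control,
    so both the resolver log and the sinkhole's own log show which client
    asked) or, with no sinkhole, answer NXDOMAIN ("CNAME .").
    Answer-address triggers catch names that resolve into C2 space, including
    domains nobody has listed yet."""
    action = f"CNAME {sinkhole}." if sinkhole else "CNAME ."
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in domains:
        lines.append(f"{name} {action}")
        lines.append(f"*.{name} {action}")      # and every subdomain
    for cidr in networks:
        lines.append(f"{rpz_ip_trigger(cidr)} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed lines in the shape of BIND's "rpz" log category (assumed format;
# adjust RPZ_LOG_RE to what your resolver actually writes).
SAMPLE_RPZ_LOG = """\
09-Apr-2014 02:13:45.120 rpz: info: client 10.0.5.23#51234 (c2-one.example): rpz QNAME CNAME rewrite c2-one.example via c2-one.example.rpz.local
09-Apr-2014 02:13:46.001 rpz: info: client 10.0.5.23#51240 (www.c2-two.example): rpz QNAME CNAME rewrite www.c2-two.example via www.c2-two.example.rpz.local
09-Apr-2014 09:00:01.500 rpz: info: client 10.0.7.41#40001 (updates.c2-one.example): rpz QNAME CNAME rewrite updates.c2-one.example via updates.c2-one.example.rpz.local
09-Apr-2014 09:00:02.000 queries: info: client 10.0.7.41#40002 (www.example.org): query: www.example.org IN A + (192.0.2.53)
"""

RPZ_LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite"
)


def clients_from_rpz_log(text):
    """Map each client that tripped a policy rule to the names it asked for:
    the list of machines to pull off the network and reimage."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = RPZ_LOG_RE.search(line)
        if m:
            hits[m.group("client")].add(m.group("qname"))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    print(build_rpz_zone("rpz.local", C2_DOMAINS, C2_NETWORKS, sinkhole=SINKHOLE))
    print(clients_from_rpz_log(SAMPLE_RPZ_LOG))
```

Load the zone on the resolver and reference it from `response-policy { zone "rpz.local"; };` in the options block (BIND 9.8 or later; Infoblox exposes the same mechanism as DNS Firewall). Log the rpz category to its own channel so the parser above has one file to read.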

How to Protect Yourself

ThreatSTOP and DNS Firewall stop the Cryptolocker malware from communicating with its controllers and therefore stop it from actually encrypting your data. Our alerts and log-analysis tools tell you which systems tried to contact those servers, and are therefore infected. This allows network and systems administrators to quarantine and clean up infected devices before they can cause data loss.

Implementing ThreatSTOP and/or Infoblox DNS Firewall, both of which are available for a 30-day, no-obligation trial, is the simplest and most effective way to identify any systems in your network infected with Cryptolocker before they actually encrypt your data.

For more information, contact ThreatSTOP Sales or your Infoblox account executive.

About ThreatSTOP

ThreatSTOP is a real-time IP Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user’s firewalls, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s firewall. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA. For more information, visit http://www.threatstop.com.

Treat Malware like the Disease It Is

In a new article in New Scientist, Hal Hodson suggests treating the difficult task of classifying different kinds of malware as a biology problem: by treating computer viruses as biological puzzles, we could help cyber-security specialists better understand the wide world of malware.

An example of this methodology was recently conducted by Ajit Narayanan and Yi Chen at the Auckland University of Technology, New Zealand. In their work, they converted the signatures of 120 worms and viruses into an amino-acid representation. Malware signatures are typically presented in hexadecimal, a base-16 numbering system that uses the digits 0 to 9 and the letters a to f. Narayanan and Chen believe the amino-acid “alphabet” is better suited to machine-learning techniques, enabling a classifier to analyze a piece of code and determine whether it matches a known malware signature.

“Generally, malware experts identify and calculate the signatures of new malware, but it can be hard for them to keep up. While machine learning can help, it is limited because the hexadecimal signatures can be different lengths: Narayanan’s team found that using machine learning to help classify the hexadecimal malware signatures resulted in accuracy no better than flipping a coin”, said Hodson.

However, some of the techniques bioinformatics uses to compare amino-acid sequences take differing lengths into account. Applying the same methodology to malware, Narayanan and Chen achieved an average accuracy of 85% when classifying the signatures automatically with machine learning.
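The reason length-tolerant comparison matters is easier to see in code than in prose. The following is an added example and not the authors' method: it maps each hex digit to one of the first sixteen amino-acid letters (an assumed mapping chosen for illustration, not the one Narayanan and Chen used), then compares signatures two ways: a naive fixed-position comparison, which collapses as soon as a variant inserts a few bytes, and a standard Smith-Waterman local alignment, which absorbs the insertion as a gap. A nearest-neighbour classifier over a handful of constructed family signatures shows the alignment score doing the job. The signatures are constructed and carry no real malware.

```python
# Twenty one-letter amino-acid codes; the first sixteen stand in for the hex
# digits 0-f. This mapping is an assumption for illustration, not the one used
# by Narayanan and Chen.
AMINO = "ACDEFGHIKLMNPQRSTVWY"
HEX_TO_AMINO = {h: AMINO[i] for i, h in enumerate("0123456789abcdef")}


def hex_to_amino(sig):
    return "".join(HEX_TO_AMINO[c] for c in sig.lower())


def positional_identity(a, b):
    """Naive fixed-position comparison: fraction of equal characters over the
    shorter length. One insertion shifts everything after it out of register."""
    n = min(len(a), len(b))
    return sum(a[i] == b[i] for i in range(n)) / n if n else 0.0


def smith_waterman(a, b, match=2, mismatch=-1, gap=-1):
    """Smith-Waterman local alignment score, O(len(a)*len(b)) with two rows."""
    prev = [0] * (len(b) + 1)
    best = 0
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur[j] = max(0, diag, prev[j] + gap, cur[j - 1] + gap)
            best = max(best, cur[j])
        prev = cur
    return best


def alignment_similarity(a, b, match=2):
    """Alignment score normalised to [0, 1] by the best score the shorter
    sequence could possibly reach, so sequences of different length compare."""
    n = min(len(a), len(b))
    return smith_waterman(a, b, match=match) / (match * n) if n else 0.0


# Constructed reference signatures (hex) labelled by family. The variants differ
# by insertions, which is exactly what breaks fixed-position comparison.
REFERENCE = {
    "Worm.Alpha": [
        "4d5a90000300000004000000ffff0000b8000000",
        "4d5a900090900300000004000000ffff0000b8000000",
    ],
    "Trojan.Beta": [
        "7f454c46010101000000000000000000deadbeef",
        "7f454c46020101000000000000000000deadbeefcafe",
    ],
}


def classify(hex_signature, reference=REFERENCE):
    """Nearest-neighbour family label by alignment similarity on the amino-acid
    representation; returns (family, similarity)."""
    query = hex_to_amino(hex_signature)
    best = ("unknown", 0.0)
    for family, sigs in reference.items():
        for sig in sigs:
            s = alignment_similarity(query, hex_to_amino(sig))
            if s > best[1]:
                best = (family, s)
    return best


if __name__ == "__main__":
    # A Worm.Alpha variant with two inserted bytes ("cc") and a trailing "4141".
    unknown = "4d5a9000cc0300000004000000ffff0000b80000004141"
    ref = hex_to_amino(REFERENCE["Worm.Alpha"][0])
    q = hex_to_amino(unknown)
    print("positional identity:", round(positional_identity(q, ref), 3))
    print("alignment similarity:", round(alignment_similarity(q, ref), 3))
    print("classified as:", classify(unknown))
```

For the constructed variant the fixed-position score drops to about 0.68 (and most of that is accidental agreement between runs of zero bytes) while the alignment score stays at 0.975, because the only cost is one two-character gap. Since the hex-to-letter mapping is one-to-one, the alignment works equally on the raw hex; the alphabet change matters for the substitution-matrix and feature-extraction machinery that bioinformatics tooling brings with it, which this example does not use.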

Classification is just one way we may be able to use amino-acid methodologies against malware. Narayanan and Chen note that further study of malware in this framework may show that malware evolution follows some of the same rules as amino acids and proteins.

Malware threats continue to grow in volume and sophistication. Proactive methodologies like the one proposed by Narayanan and Chen are directly in line with our thinking here at ThreatSTOP: giving IT departments a greater understanding of, and control over, their networks leads to better security. The IT security industry could learn another lesson from bioinformatics, which is that disseminating information about pathogens, diseases, or in this case amino acids, to the community rather than holding it in a silo leads to breakthroughs and cures. Our world of IT security often operates in separate silos, despite the fact that we are all dealing with the same threats. We created ThreatSTOP for this very reason: to build a product that leverages the community and turns it against the attackers, while simultaneously learning from the collective knowledge of those attacks and disseminating that information back out to the community.
