ThreatSTOP blocking new OSX/Morcut malware

As noted by The Register and elsewhere, there is a new piece of cross-platform malware circulating. It installs via a Java component that checks whether it is running on Windows or a Mac and then installs the payload suited to that platform.

The Mac payload, called either OSX/Morcut or OSX/Crisis depending on which AV vendor is naming it, is most easily detected and blocked by watching where it tries to go. Intego reports that it calls home every 5 minutes to a single IP address (176.58.100.37) to fetch instructions and upload anything it has collected.

ThreatSTOP has added this IP address to our feeds, so all ThreatSTOP customers are protected from this malware. Our reporting tool lists the internal IP addresses that attempt to contact this host, which makes it easy for IT departments and network administrators to identify and then remediate infected machines.

If you aren’t familiar with ThreatSTOP, consider a trial on your firewall. ThreatSTOP’s IP reputation service gives firewalls a way to block currently active criminal IP addresses. The list is updated automatically and applies to both inbound and outbound traffic, including traffic to known botnet command & control servers.

ThreatSTOP Founder & CEO at Navy Gold Coast Event

ThreatSTOP Founder and CEO Tom Byrnes will take part in an expert cyber security panel at the upcoming 24th Annual Navy Gold Coast Small Business Procurement Event. Joined by fellow panelists from SPAWAR, Taranet, CUBIC and McKenna Law, he will discuss what small businesses need to know about cyber security before they can offer services to the government. Registration is $25 for Non-Gold Coast Registrants and free for Gold Coast Registrants & Government/Military.

Details:

Monday, August 6, 2012 12:00 p.m. – 4:30 p.m.


Advanced Topics:

• When Government Contractors Turn Criminal
• The 7 Deadly Sins of Prime and Sub Relationships
• What small businesses need to know about cyber security before they can offer services to the government

Featuring speakers from:

• Northrop Grumman
• McKenna, Long & Aldridge
• BAE
• Price Waterhouse Cooper
• Lockheed Martin
• Raytheon
• GDIT
• SAIC
• Boeing
• SPAWAR
• Cubic
• Taranet
• ThreatSTOP
• 3C Advisors and Associates, Inc.
• Security Business Bank of San Diego
• Naval Criminal Investigative Service
• Defense Criminal Investigative Service
• U.S. Attorney’s Office – Southern District of California
• DCMA Contract Integrity Center
• Small Business Administration

Walk-in Registration: 10:00 a.m.
Preregistered Check-in: 11:00 a.m.


Criminals don’t follow the rules

If you are a criminal trying to steal things, breaking the law in other ways is unlikely to concern you. To me that seems obvious, but apparently it isn’t, and I’m not just talking about cyber-criminals here.

The classic example in the physical world is the bank robber, who not only breaks the law by robbing the bank but also commits firearms offenses by being a felon in possession of one, violent crimes up to and including murder, traffic offenses in the getaway car, and so on. The robber doesn’t care whether running a red light causes a major traffic accident (as long as he isn’t in it); indeed he may welcome it, because it slows down the pursuit.

A moment’s thought shows that the same applies to the cyber-criminal hoping to steal money using your electronic banking credentials. Just as the bank robber neutralizes the guards, the malware that infects your computer disables your anti-virus. And just as the robber ignores traffic rules, the malware is not necessarily going to bother with the nameservers, web proxy, configured default protocols and so on that have been set up to make your job as the defender easier. Nor is it going to be concerned about obeying protocol conventions when it calls home and sends data back to the criminals. For example, it may pretend to be posting an image to Google or Yahoo while in fact contacting an address that belongs to neither (and uploading something that is not a real JPEG).

The problem is that a lot of security tools work like traffic lights. They slow down and inspect the law-abiding, genuine data flows, but do nothing about the outlaw flows that, in one way or another, ignore or circumvent them.

The only way to stop them is the cyber equivalent of a roadblock: a checkpoint that inspects every vehicle trying to pass and is placed so that all traffic has to go through it. In computer networking, the only device in that position in the overwhelming majority of organizations is the Internet-connected firewall.

Tools that don’t see every packet, inbound and outbound, can only stop malware that makes no effort at all to evade detection. Engineering around any protocol-specific inspection, directory service, or other resource used by normal traffic is relatively trivial. In fact, much as the bank’s CCTV system shows investigators the robber’s masked face after he has fled with the cash, these systems may warn you that a particular computer is infected, but they do little to stop the malware on that computer from calling home. They merely require the criminal to be marginally aware of the usual countermeasures, a bit like how CCTV means the robber has to wear a disguise.

In the physical world, the people who really care about security (e.g. the military) have adopted a policy of ensuring that everything going in and out of a secure location passes through a checkpoint and is scanned (metal detector, ID check, etc.) on the way. In theory, organizations adopt the same policy for the Internet when they place a firewall on the border of their network. In practice, these firewalls work more like the border between the US and Mexico: they are very restrictive about what comes in, but make only cursory checks, if any, of what leaves. As anyone who has sat at the San Ysidro crossing for hours coming back from Baja knows, full scanning (deep inspection) adds a lot of latency for legitimate traffic. The result is that, in most cases, organizations elect to skip it for most outgoing traffic and for almost all incoming traffic that is related to an outgoing request.

The key insight behind ThreatSTOP is that on the Internet, unlike in the physical world, traffic cannot lie about where it is going to (or, for TCP, where it is coming from). We use a variety of sources and methods to find out which actual IP addresses malware tries to reach. That makes it possible for the firewall to block on the IP address, which is exactly what firewalls are designed to do very quickly for large numbers of source and destination pairs. The result is that good traffic is not slowed down.

ThreatSTOP lets your existing firewall do the job you bought it for, for all traffic, not just the Internet equivalents of the door-to-door salesperson (spammer), the gang-attire-wearing tagger (website defacement) or the opportunistic petty criminal.

With ThreatSTOP it doesn’t matter what the criminal malware does while it tries to call home from your network: it gets stopped (and the attempt logged) as soon as it tries to leave.

The malware can:

• fake its protocol and port
• run roughshod over or sneak around your web proxies, DNS and Active Directory (including any outsourced ones)
• obfuscate URLs and encrypt content
• try a dozen other tricks

but no matter what, it has to use a real, non-encapsulated, routable IP address to actually communicate with its masters and “gang”.

If it tries to contact an IP address that we know is an active C&C host, it is stopped at the firewall, the internal IP is logged, and there is no way around our block.

On Monday July 9th, Will Your Internet Work?

By now you have probably heard that there is a chance you could wake up on Monday unable to get onto the Internet, bringing the day’s productivity to a screeching halt and causing an endless ringing of that old technology we call the phone.

The culprit? A little pest of malware called DNS Changer. With the LA Times, WIRED, and PC World all offering their own estimates of the magnitude of this worldwide threat, only time will tell. If you hadn’t heard of this malware before this post, you should read some of those links and educate yourself. More importantly, if you are a network or security administrator, we have created a tool that will quickly and easily pinpoint infected computers on your network and eliminate any chance of this pest making your Monday worse.

The beauty of our ThreatSTOP DNS Changer Checker is that it detects infected machines on your network entirely through analysis of your firewall logs. We know what an impossible task it would be to have every user on your network individually visit a DNS checker site. The firewall is the only place on your network that sees all traffic in and out, so we are able to check the security of your network at its main point of entry and exit.

Do yourself and your network users a huge favor: head over to the ThreatSTOP DNS Changer Checker and follow the instructions there. That way you can minimize downtime and maximize peace of mind, knowing your users won’t be among the tens of thousands stranded come Monday.
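The three posts above share one idea: outbound destination IPs cannot be faked, so firewall logs of attempted connections to known C&C addresses identify infected internal hosts (the Morcut call-home address, the roadblock argument, and the DNS Changer log-based checker). The following is an added illustration of that analysis, not ThreatSTOP’s own tool: it assumes iptables-style LOG lines in syslog format, a constructed sample log, and a block list containing the 176.58.100.37 address the Morcut post cites plus a constructed TEST-NET placeholder.

```python
import ipaddress
import re
from collections import defaultdict

# Destinations the firewall treats as active C&C hosts. 176.58.100.37 is the
# Morcut/Crisis call-home address reported above; 192.0.2.10 is a constructed
# TEST-NET-1 placeholder so the list has a second entry to match against.
BLOCKLIST = {
    ipaddress.ip_address("176.58.100.37"),
    ipaddress.ip_address("192.0.2.10"),
}

# Constructed iptables LOG lines (syslog format); not real traffic.
SAMPLE_LOG = """\
Jul 25 09:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=176.58.100.37 PROTO=TCP SPT=49152 DPT=443
Jul 25 09:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=173.194.33.103 PROTO=TCP SPT=49153 DPT=80
Jul 25 09:05:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=176.58.100.37 PROTO=TCP SPT=49160 DPT=443
Jul 25 09:05:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.77 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
Jul 25 09:06:00 fw kernel: IN=eth0 OUT=eth1 SRC=176.58.100.37 DST=10.1.2.34 PROTO=TCP SPT=443 DPT=49152
"""

LOG_RE = re.compile(r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def find_callhome_hosts(log_text, blocklist=BLOCKLIST, inside_if="eth1"):
    """Map each internal source IP to the blocklisted destinations it tried to
    reach, with a hit count per destination. Only flows that entered on the
    inside interface count: those are the outbound attempts, and the destination
    field is the one thing the malware cannot disguise. Lines arriving on the
    outside interface are the other half of a connection and would double-count."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("inif") != inside_if:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in blocklist:
            hits[m.group("src")][str(dst)] += 1
    # Plain dict of sorted (destination, count) pairs per internal host.
    return {src: sorted(d.items()) for src, d in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(find_callhome_hosts(SAMPLE_LOG).items()):
        for dst, n in dsts:
            print(f"{src} attempted {n} connection(s) to C&C host {dst}; remediate this machine")
```

Hosts listed in the output are the ones to remediate; the Morcut 5-minute beacon shows up here as repeated hits from the same internal address.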
