Treat Malware like the Disease It Is

In a new article in New Scientist, Hal Hodson suggests treating the difficult task of classifying different kinds of malware as a biology problem. By treating computer viruses as biological puzzles, we could help cyber security specialists better understand the wide world of malware.

An example of this methodology was recently conducted by Ajit Narayanan and Yi Chen at the Auckland University of Technology, New Zealand. In their work, they converted the signatures of 120 worms and viruses into an amino acid representation. Malware signatures are typically presented in hexadecimal format – a base-16 numbering system which uses the digits 0 to 9 as well as the letters a to f. Narayanan and Chen argue that the amino acid “alphabet” is better suited to machine-learning techniques, enabling these machines to analyze a piece of code and determine whether it matches a known malware signature.

“Generally, malware experts identify and calculate the signatures of new malware, but it can be hard for them to keep up. While machine learning can help, it is limited because the hexadecimal signatures can be different lengths: Narayanan’s team found that using machine learning to help classify the hexadecimal malware signatures resulted in accuracy no better than flipping a coin”, said Hodson.

However, some techniques used in bioinformatics for comparing amino acid sequences take differing lengths into account. Applying the same methods to malware signatures, Narayanan and Chen were able to achieve an average accuracy of 85% for classifying the signatures automatically using machine learning.
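As an added illustration (it is not code from Hodson’s article or from Narayanan and Chen’s work), the Python below shows why an alignment-based comparison copes with signatures of differing length where a fixed-length feature vector does not. It maps hex signatures onto a 16-letter amino-acid-style alphabet (the mapping is an assumption, not the published table), scores pairs with Needleman-Wunsch global alignment, and assigns an unknown signature to the family of its closest known member. The family signatures are constructed sample data.

```python
# Added example (not the researchers' code): alignment-based nearest-neighbour
# classification of hex malware signatures of unequal length.

# Assumed mapping of the 16 hex digits onto 16 amino-acid letters. Any fixed
# one-to-one mapping works for alignment; this is not Narayanan and Chen's table.
HEX_TO_AA = dict(zip("0123456789abcdef", "ACDEFGHIKLMNPQRS"))


def hex_to_aa(signature: str) -> str:
    """Convert a hex signature such as 'de ad be ef' to its amino-acid-style string."""
    return "".join(HEX_TO_AA[c] for c in signature.lower().replace(" ", ""))


def align_score(a: str, b: str, match: int = 2, mismatch: int = -1, gap: int = -2) -> int:
    """Needleman-Wunsch global alignment score.

    Gaps let strings of different length be compared position by position,
    which is the property a plain fixed-length feature vector lacks.
    """
    n, m = len(a), len(b)
    prev = [j * gap for j in range(m + 1)]            # row 0: align a[:0] to b[:j]
    for i in range(1, n + 1):
        cur = [i * gap] + [0] * m                      # column 0: align a[:i] to b[:0]
        for j in range(1, m + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur[j] = max(diag, prev[j] + gap, cur[j - 1] + gap)
        prev = cur
    return prev[m]


def similarity(a: str, b: str) -> float:
    """Alignment score scaled so identical strings score 1.0 (match weight is 2)."""
    return align_score(a, b) / (2 * max(len(a), len(b)))


# Constructed "known" signatures per family (hex); real signatures are longer.
KNOWN = {
    "worm-a": ["deadbeef", "deadbeefcafe"],
    "trojan-b": ["0badf00d", "0badf00dfeed"],
}


def classify(hex_signature: str) -> tuple[str, float]:
    """Return (family, similarity) of the closest known signature."""
    query = hex_to_aa(hex_signature)
    best_family, best_score = "unknown", float("-inf")
    for family, sigs in KNOWN.items():
        for sig in sigs:
            score = similarity(query, hex_to_aa(sig))
            if score > best_score:
                best_family, best_score = family, score
    return best_family, best_score


if __name__ == "__main__":
    for sample in ("deadbeefca", "0badf00dfe", "1234567890"):
        family, score = classify(sample)
        print(f"{sample}: {family} (similarity {score:.2f})")
```

The scoring weights are arbitrary; what matters is that a ten-character query and a twelve-character family member are compared through gaps rather than being forced into the same vector length, which is the point the article makes about bioinformatics methods.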

Classification is just one way we may be able to use amino acid methodologies to fight malware. Narayanan and Chen note that further studies of malware using this framework may show that malware evolution follows some of the same rules as amino acids and proteins.

Malware threats continue to grow in volume and sophistication. Proactive methodologies, like those proposed by Narayanan and Chen, are directly in line with our thinking here at ThreatSTOP. Providing IT departments with greater understanding and control of their networks leads to increased security. The IT security industry could learn another lesson from bioinformatics. That is, disseminating information around pathogens, diseases, or in this case amino acids, to the community rather than holding it in a silo, leads to breakthroughs and cures. Our world of IT security often operates in different silos, despite the fact that we are all dealing with the same threats. We created ThreatSTOP for this very reason: to develop a product that leveraged the community and turned it against the attackers, while simultaneously learning from the collective knowledge of these attacks and disseminating that information back out to the community.

Infoblox leverages ThreatSTOP technology to bolster intelligent malware detection product offering

ThreatSTOP, Inc., a leader in proactive network defense using the cloud, has been selected by Infoblox to provide intelligent malware detection through the Infoblox DNS Firewall. Through the partnership ThreatSTOP will provide data to the Infoblox DNS Firewall, enabling customers to detect and block the communications channels for malware, botnets and other cyber security threats.

“We believe better control of the network is the best way to achieve greater security,” said Arya Barirani, VP Product Marketing, Infoblox. “Proactively blocking outbound connections to known bad actors both prevents Infoblox customers from being victims, and enables pinpointing and cleaning up infected devices. We selected ThreatSTOP because of their experience and track record in delivering effective feeds for proactive network defense.”

By using Infoblox DNS Firewall, Infoblox customers gain greater control of their corporate IT networks and meet the need for increased security created by forces such as bring-your-own-device (BYOD), cloud computing, and the evolving cyber-threat landscape. This product offering is part of a growing trend of IT organizations employing more proactive cyber security methodologies.

“We’re proud that Infoblox, an established leader in network management and stability, has selected ThreatSTOP as its partner,” said CEO Tom Byrnes. “Infoblox understands that providing IT departments with greater control of their networks leads to increased security, a core principle we share.”

Using a real-time, expert-generated malware data feed powered by ThreatSTOP, the Infoblox DNS Firewall automatically populates recursive DNS servers’ Response Policy Zones with a current list of all known malicious domain names and IP addresses. When malware code or a user attempts to make a connection with a malicious destination, Infoblox DNS Firewall will now be able to prevent the connection from happening, pinpoint the infected device and alert IT teams to take appropriate action.
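The Response Policy Zone mechanism described above can be seen concretely in the following added example, which is not Infoblox or ThreatSTOP code. It takes a feed of malicious domain names and IP addresses (constructed here from reserved documentation ranges and example labels) and emits the BIND RPZ records that make a recursive resolver refuse those names and answers. The zone name `rpz.feed.example` is an assumption.

```python
# Added example (not Infoblox or ThreatSTOP code): turn a feed of malicious
# domain names and IP addresses into BIND Response Policy Zone (RPZ) records,
# the mechanism the text describes for a DNS firewall.
import ipaddress

# Constructed feed. Addresses are RFC 5737 documentation ranges; the names are
# reserved example/test labels, not real indicators.
FEED_DOMAINS = ["c2.malware.example", "Dropper.Bad.test"]
FEED_IPS = ["192.0.2.44", "198.51.100.0/24"]


def domain_trigger(name: str, action: str = ".") -> list[str]:
    """QNAME trigger for a name and everything under it.

    'CNAME .' answers NXDOMAIN; 'CNAME rpz-drop.' silently drops the query.
    The wildcard line is needed because an RPZ QNAME rule matches exactly.
    """
    name = name.rstrip(".").lower()
    return [f"{name} CNAME {action}", f"*.{name} CNAME {action}"]


def ip_trigger(cidr: str, action: str = ".") -> str:
    """Response-IP trigger: fires when an answer's A record falls in the prefix.

    RPZ encodes an IPv4 prefix as prefixlen.B4.B3.B2.B1.rpz-ip (octets reversed).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example only encodes IPv4 rpz-ip triggers")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip CNAME {action}"


def build_zone(domains, ips, zone: str = "rpz.feed.example", serial: int = 1) -> list[str]:
    """Assemble a complete RPZ zone: SOA/NS apex plus one rule per indicator."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 600 86400 300",
        f"@ NS ns.{zone}.",
    ]
    for name in domains:
        lines.extend(domain_trigger(name))
    for cidr in ips:
        lines.append(ip_trigger(cidr))
    return lines


if __name__ == "__main__":
    print("\n".join(build_zone(FEED_DOMAINS, FEED_IPS)))
```

Loading the generated zone into BIND takes a `response-policy { zone "rpz.feed.example"; };` statement in `named.conf`; the resolver then logs every policy hit together with the querying client’s address, which is what makes the “pinpoint the infected device” step possible. The feed serial must increase on every update so that the secondary resolvers pick up the new list.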

Infoblox and Infoblox DNS Firewall are trademarks of Infoblox Inc., in the U.S. and other countries.

About ThreatSTOP

ThreatSTOP is a real-time IP Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user’s firewalls, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s firewall. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA. For more information, visit http://www.threatstop.com.

ThreatSTOP Poised for Growth, Adds to Team: Board Member, VP of Sales, and Agency of Record

ThreatSTOP, Inc., a leader in protecting enterprise networks from malware and botnets, today announced the appointment of a new member to the board, a VP of Sales, and an official creative agency of record. These moves come as ThreatSTOP strengthens its offering amid exponential sales growth in the rapidly growing IT Security and Software Defined Networking markets.

Board

ThreatSTOP announced the appointment of Brian Nugent to its Board of Directors. “We’re proud to welcome Brian to our board,” said ThreatSTOP CEO and Chairman Tom Byrnes. “Brian has decades of success helping IT companies scale. His experience and connections are a major addition to the resources ThreatSTOP needs to handle, and increase our growth in the years ahead.”

Brian Nugent is a seasoned technology industry entrepreneur, board director and investor, with a record of driving IT companies to market leadership positions. Brian’s heritage of high-impact board experience within the software and hardware arenas includes coaching many technology CEOs to successful trajectories and liquidity events. His twenty-year industry operational experience spans executive leadership posts across public and private companies in general management (CEO/COO), sales, marketing, product management, corporate development, business development and customer service across the security, communications, cloud, social media, telecom and internet commerce industries. Brian was most recently the Chief Operating Officer at EdgeWave, where he led a year-long business transformation process. Prior to EdgeWave, Brian was Chairman & CEO of Applied Identity, which was acquired in March of 2010 by Citrix Systems.

Sales

ThreatSTOP appointed Chris Lee as its new VP of Sales. Lee comes to ThreatSTOP from VirtualArmor, where he served as Vice President of Sales and Marketing. He brings more than 10 years of experience as a technology executive and sales leader with a proven track record of progressive impact and results.

In his role at ThreatSTOP, Lee will bring his extensive experience and understanding of innovative and effective sales and marketing approaches to ThreatSTOP’s product and sales teams. Chris will accelerate ThreatSTOP’s leadership in protecting networks against the most serious information security problem today – criminal malware and botnets, which are frequently referred to as Advanced Persistent Threats.

“I’m excited to join the ThreatSTOP team,” said Chris Lee. “ThreatSTOP is uniquely positioned to solve real problems faced by all companies today. ThreatSTOP’s flexibility, cost effectiveness, ease of implementation and broad compatibility make it a joy to sell. ThreatSTOP presents the opportunity to do well while doing good, defending the Internet against cyber-criminals and nation-state attackers, in a way that can be used, immediately, by every network.”

“I’m excited to have Chris join our team,” said CEO Tom Byrnes. “Chris brings seasoned, serially successful, sales leadership. Chris is a true entrepreneur who has successfully built multiple sales teams that have taken companies from startup to multi-million $/year sales. We look forward to having him build on the success we have achieved so far, and take ThreatSTOP to the next level.”

Agency of Record

ThreatSTOP selected La Jolla-based Accelerate-IT IMS as its creative agency of record. As ThreatSTOP’s brand partner, the agency will focus on creative strategy and marketing communications.

“We were looking for a partner that would be immediately effective, agile, and innovative in taking ThreatSTOP to the next stage of market awareness. Accelerate-IT IMS has a track record of bringing insightful and creative thinking to building brands within the IT space and working with companies that have created disruptive platforms like ours,” said CEO Tom Byrnes.

“ThreatSTOP is disrupting the IT security space and shifting what is traditionally reactive thinking in a silo, towards a proactive community driven model,” said Patrick O’Neill, Director of Marketing for Accelerate-IT IMS. “We’re honored its team has trusted us with its business.”

About ThreatSTOP

ThreatSTOP is a real-time IP Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user’s firewalls and routers, using the ubiquitous DNS protocol, so they can enforce it rapidly. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s firewall. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA.

ThreatSTOP To Host Second Installment of Four-Part Cyber Security Series: The Art of Cyber Security: Sun Tzu’s lessons for preemptive cyber security in 2013: know yourself, know your ground, know your enemy

ThreatSTOP, Inc., a SaaS leader in proactive network defense built on a predictive learning platform, today announced that on February 13th, the company will be hosting the second installment of its four-part webinar series entitled: “The Art of Cyber Security: Sun Tzu’s lessons for preemptive cyber security in 2013: know yourself, know your ground, know your enemy.” ThreatSTOP’s “The Art of Cyber Security Series” gives participants the tools to develop a sound preemptive response to meet the ever-growing cyber security threats. This four-part online seminar series highlights the evolution of cyber crime over the past year, the three key cyber security threats for 2013, and the framework for developing a proactive plan to mitigate these threats.

This second installment, Part 2: Know your Enemy: Cyber Diversion, will be available live via webinar at their referenced start times, taking place February 12th, 2013. Please visit the following link to view the webinars: click here.

“In Part 2 of the series we will analyze cyber diversion tactics that are used to mask larger and more coordinated attacks on your sensitive data.” – Tom Byrnes

About ThreatSTOP

ThreatSTOP is a real-time IP Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user’s firewalls, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure like Juniper JunOS MX/SRX systems to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s firewall. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA. For more information, visit http://www.threatstop.com, or connect with ThreatSTOP on Twitter and Facebook.

ThreatSTOP Blog – http://blog.threatstop.com/
ThreatSTOP – http://threatstop.com/
Twitter – @threatstop
Facebook – http://www.facebook.com/pages/ThreatSTOP/316126528415728

Join Us: Webinar on defending against the new wave of Cyber-Attacks

We’re hosting a webinar this week on Thursday, December 13th 2012 at 9:00am PST (12:00pm EST) and at 2:00pm PST (5:00pm EST). During the webinar we will be discussing how to defend against the new wave of cyber-attacks.

Criminal malware is the biggest problem in information security today because it causes great financial and reputational damage to its victims. The current crop of solutions does not effectively prevent the breaches this malware causes. IP reputation is emerging as a viable method to address this growing problem and is becoming a required component of an effective layered defense against cybercriminals, just as anti-virus did starting 15 years ago.

We will also be giving away to one lucky attendee a $100 gift card to Amazon.   

Reserve your Webinar seat now at:

Thursday, December 13th at 9:00am PST (12:00pm EST): https://www3.gotomeeting.com/register/631485534

Thursday, December 13th at 2:00pm PST (5:00pm EST): https://www3.gotomeeting.com/register/571549302

Know Someone Attending College? Is That University Using ThreatSTOP?

College admission forms ask for just about everything under the sun when determining whether or not you’ll be eligible to attend the following fall. But what lengths do they go to in order to protect the information they collect?

This isn’t a bold question when information such as:

  • Addresses
  • Bank Routing Numbers
  • Social Security Numbers

…are all normal requirements on many applications.

Well, that’s exactly what a group of hackers now have in their possession after a massive security breach at Northwest Florida State College affected 300,000 records in the school’s computer systems. 3,000 of those records belonged to employees, of which 50 have already reported some attempt at fraud or identity theft.

Without a doubt, the College surely had a firewall in place along with a host of anti-virus software and additional security measures, but as we’ve noted before, today’s problem extends beyond that.

Nitol Takedown: How ThreatSTOP can help identify affected machines.

There’s a lot of noise out there about “Nitol” and the takedown. What, exactly, does that mean to you?

Before we get into that, let’s do a quick re-cap on what has happened:

Microsoft received a court order to allow them to redirect all subdomains of a dynamic DNS provider called 3322.org. This enabled Microsoft to block tens of thousands of domain names that were being used to serve up malware and commit cybercrime. Now, instead of DNS requests for anything in 3322.org getting resolved by 3322.org’s servers, they’re being resolved via Microsoft’s security group. This applies equally to any domain that is not hosting cybercrime that happened to use 3322.org so that they could provide dynamic DNS (required in order to run your own web or mail server if you have a dynamic IP address, as with a home Internet connection).

It was only a matter of time before action was taken against 3322.org, as it was widely known as a popular haven for Malware authors and unresponsive to researchers and operators seeking to have malware domains shut down.

You can read more here:

Official Microsoft Blog

Krebs on Security

Full Set of Legal Docs

Now, what does this mean for you?

For starters, Microsoft has been granted quite a bit of power…and any connections from your network to anything in 3322.org and its subdomains will either be resolved, or not, based on what Microsoft decides. Currently, it appears that Microsoft’s approach is only intercepting some of the domain names, and recursively resolving the rest through the actual 3322.org nameservers.

In theory, this should only interfere with the malicious domains and do nothing to the legitimate ones. In order to be effective, the list of domains Microsoft is using MUST be accurate (ensuring no false positives), and the domain names Microsoft is intercepting must be the only names the malware uses. The first case seems to be true, but the second is problematic, as it has been our experience that most malware uses multiple ways to call home, and usually multiple domain names.

Gunter Ollmann of Damballa has a very good post discussing the issue with this sort of incomplete takedown.

There have been some problems with MX (mail exchanger, how the Internet routes e-mail) lookups, which have resulted in e-mail to legitimate sub-domains of 3322.org not being deliverable.  Microsoft is working to resolve them. Aside from this, there are many policy issues involved that are under discussion, but out of the scope of this post. If you want to learn more about that, Suresh Ramasubramanian has a very detailed discussion in his blog post.

So, what is ThreatSTOP doing about it?

Currently, ThreatSTOP is propagating a block on the sinkhole that Microsoft is using to trap the botnet domains.

Those IPs are in our Sinkhole feed, but we can’t publicize exactly which ones, due to reasons of confidentiality.

What this will do is stop connections to sinkholed domains from completing, and give you a log of when a system in your network tried to connect to those domains. The IP address that will show as making the attempted connection in your ThreatSTOP reports is the compromised endpoint.

If you are not a ThreatSTOP subscriber, you can use our ThreatCHECK tool on a system you are concerned about, or log all connections outbound on your firewall, and use our Sinkhole Check tool to see if you had any connections to known Sinkholes.

If you see connections to anything on our Sinkhole feed, you should consider that system as infected. Systems that are infected with Malware should be RE-INSTALLED. Cleaning can never guarantee removal of all malware, since, once they get control of a system, cybercriminals install custom software that antivirus may never get a signature for. If you want to know exactly WHICH malware a given sinkhole represents, please contact us.  If you need help, we’re here for you! Don’t hesitate to contact our support.
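The check described above, logging outbound connections and matching them against a sinkhole list to find the compromised endpoint, as an added example that is not ThreatSTOP’s ThreatCHECK or Sinkhole Check tool. Because the real sinkhole addresses are confidential, the list here is constructed from RFC 5737 documentation ranges, and the Netfilter-style log lines are constructed as well; the log format is an assumption, so adjust the field regex to match your firewall.

```python
# Added example (not ThreatSTOP's ThreatCHECK or Sinkhole Check tools): scan an
# outbound firewall log for connections to sinkhole addresses and report the
# internal source hosts, which are the machines to rebuild.
import ipaddress
import re
from collections import defaultdict

# Constructed sinkhole list. The real sinkhole feed is confidential (see above),
# so RFC 5737 documentation addresses stand in for it here.
SINKHOLES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.7/32")]

# Constructed Netfilter-style outbound log lines; the last one is malformed.
SAMPLE_LOG = """\
Sep 19 10:01:02 fw kernel: OUT=eth1 SRC=10.1.5.23 DST=192.0.2.17 PROTO=TCP SPT=51234 DPT=80
Sep 19 10:01:05 fw kernel: OUT=eth1 SRC=10.1.5.23 DST=198.51.100.9 PROTO=TCP SPT=51235 DPT=443
Sep 19 10:02:11 fw kernel: OUT=eth1 SRC=10.1.7.40 DST=203.0.113.7 PROTO=TCP SPT=40000 DPT=8080
Sep 19 10:02:30 fw kernel: OUT=eth1 SRC=10.1.9.8 DST=203.0.113.8 PROTO=UDP SPT=53 DPT=53
Sep 19 10:03:00 fw kernel: OUT=eth1 SRC=not-an-ip DST=192.0.2.5 PROTO=TCP SPT=1 DPT=80
"""

FIELD_RE = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def parse_line(line: str):
    """Return (src, dst, dport) or None when the line lacks usable addresses."""
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    return src, dst, fields.get("DPT", "?")


def is_sinkhole(addr) -> bool:
    """True when the destination falls inside any sinkhole prefix."""
    return any(addr in net for net in SINKHOLES)


def find_infected(log_text: str) -> dict[str, list[str]]:
    """Map each internal source IP to the sinkhole destinations it contacted."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if is_sinkhole(dst):
            hits[str(src)].append(f"{dst}:{dport}")
    return dict(hits)


if __name__ == "__main__":
    for host, contacts in find_infected(SAMPLE_LOG).items():
        print(f"{host} contacted sinkhole(s) {', '.join(contacts)} -> reinstall")
```

Matching on prefixes rather than exact addresses matters because a sinkhole operator often holds a whole block, and the source address in each hit is the endpoint to reinstall, as the post recommends. A host that talks to an address adjacent to a sinkhole (203.0.113.8 above) is correctly left out.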

ThreatSTOP is actively involved in the security community, and works tirelessly to keep our data up to date, so you can stay ahead of the latest threats such as this one. If you aren’t familiar with ThreatSTOP then consider a trial on your firewall today.

ThreatSTOP blocking new OSX/Morcut malware

As noted by The Register and other places, there’s a new cross-platform vulnerability out that installs via a piece of Java that does a check for “Windows or Mac” and then installs the malware suitable for the platform.

The Mac malware it installs, called either OSX/Morcut or OSX/Crisis – depending on the AV researcher – is most easily detected and blocked by seeing where it tries to go. Intego reports that it calls home every 5 minutes to a single IP address (176.58.100.37) to get instructions and upload anything it may have found.

ThreatSTOP has added this IP address to our feeds and so all ThreatSTOP customers are protected from this malware. Our reporting tool will report the internal IP addresses that are attempting to contact this host, making it easy for IT departments and network administrators to identify and then remediate infected machines.

If you aren’t familiar with ThreatSTOP then consider a trial on your firewall. ThreatSTOP’s IP reputation service provides a way for firewalls to block currently active criminal IP addresses. The list is updated automatically and applies to both inbound and outbound traffic, such as the traffic to known botnet command & control servers.

Is there anything in Ukraine except cyber crime?

On the Kaspersky SecureList blog there’s an interesting post about recent developments for the SpyEye malware. The blogger explains how SpyEye supports a nice plugin architecture and how he examined an interesting new plugin that downloads a flash plugin for certain banking sites which can then switch on the victim’s webcam and stream the data back to the crooks.

So while this is clever, what has it got to do with ThreatSTOP or with the title of this post – the cyber crime in Ukraine? Well the answer is fairly simple. It seems that the malicious flash plugin is downloaded from the “statistiktop.com” domain which currently resolves to 91.206.200.17 and previously resolved to 91.206.200.79, both of which are IP addresses owned by a Ukrainian hosting provider. While said hosting provider is not the worst in our list its 512 IP addresses do contain a number of recent hits and the entire range has been blocked by us via the “Russian Business Network” feed for at least a year.

In practical terms this means that anyone who uses ThreatSTOP would not have been infected by this malicious plugin (and of course it is likely that any call home from it would have been blocked by our SpyEye feed) but while that’s clearly a good thing, it isn’t the thrust of this post.

The point of this post is that, while the attack vectors get smarter using, for example, flash plugins to control a webcam, and they use endless multitudes of domain names as part of their business, the criminals keep on using the same limited numbers of “safe houses” and “fences” – or rather their cyber equivalent, bullet proof hosting companies and compromised servers – to transmit their malware and get the data back.

Many of the places the cyber criminals reuse a lot are in Eastern Europe. If you take a look at the current threat status part of our home page you’ll see that Ukraine is the ‘Worst Large Country’ with about 6% of the 12 million or so IP addresses assigned to it being on our lists. This is not a one-time thing. The percentage of bad IP addresses has gradually crept up, but Ukraine has been our “worst large country” during the entire time we have run this particular report. Apart from a brief period where the Penguins of Antarctica were our worst small country, that “honor” has almost always gone to one of Haiti, Latvia or the Seychelles. Interestingly Latvia, while still bad, only has 5.9% of its 1.6 million IP addresses on our lists, which is a significant improvement and now better than Ukraine.

Fundamentally though, if you don’t do business with countries like Ukraine, you can protect yourself from a lot of malware by simply blocking traffic to/from those countries at the firewall. We created our “Eastern Europe” list precisely because we recognized that this was a useful thing to do. And really when more than 1 in 20 of the IP addresses in a country are suspicious it just makes sense to err on the side of caution.

ThreatSTOP Blocks Android Malware Drive-By

The Lookout Mobile Security blog posted a story about some new Android-based malware that seems to be set up as a fake driver update. This drive-by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware): if an Android phone visits the infected website it is redirected a couple of times before ending up at a place where it tries to download a new “update” that users are tricked into installing.

It turns out that the domain hosting the malware is “androidonlinefix.info” and that has usually resolved to the IP addresses 109.236.86.172 and 217.23.10.40. The good news for ThreatSTOP subscribers is that anyone using their smartphone to browse the internet from behind a ThreatSTOP protected firewall would not be infected because we already knew about and blocked those IP addresses. In fact we’ve been blocking them for over a year because they have been used by many different criminals for many different scams as they are a part of the “Russian Business Network”.

This isn’t the only link to the RBN, the initial domain – gaoanalitics.info – is hosted by a Ukrainian ISP that also hosts 17 other IP addresses associated with the RBN, as well as a number of other malicious entities, indicating that it is probably a “bulletproof” hosting facility used by all sorts of criminals.

PS Talking of the “Russian Business Network”, we have an interesting video from their President of Vice Business Development.
