Highlights from the IBM X-Force 2012 Trend and Risk Report

Even though I am no longer an IBMer, this is still a great report to review trends.  The X-Force Blog has posted their highlights, with a link at the bottom to get the full report.  I’ve read through the report and here’s some bits I find interesting.

  • The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
  • The 2012 bank DDoS attacks appear to be coming in part not from infected PCs, but from compromised web servers that reside in high bandwidth data centers. By using security vulnerabilities in CMS systems and other popular web frameworks, the attackers were able to create a botnet of web servers that have a much longer connected uptime, as well as having more bandwidth in general, than home PCs. Because of this, they were able to use fewer bots to more effectively generate larger amounts of traffic.
  • In addition to new toolkits and botnets of infected web servers, old reliable methods such as amplification attacks are being effectively used to generate high traffic. While amplification attacks such as an Internet Control Message Protocol (ICMP) based “Smurf Attack” have been used for a decade or more, attackers continue to use the same underlying principles to generate much more traffic today. In particular, DNS Amplification has been successful due to the many open or misconfigured DNS resolver servers on the Internet.
  • Malicious code activity overall continues to grow, helped along by the combined efforts of casual attackers, insider threats, cybercrime and Advanced Persistent Threats. Figure 7 demonstrates the “arms race” that exists in computer security today, with the number of techniques to compromise systems constantly growing, being countered, and growing again.

Bit9 2013 Server Security Survey

Bit9 2013 Server Security Survey Shows Concerns about Targeted Malware Rising

1,000 IT and Security Pros Worldwide are Less Confident about Stopping Threats

WALTHAM, Mass.—March 21, 2013—Bit9, the leader in Trust-based Security, today announced the results of its second annual server security survey of nearly 1,000 IT and security professionals worldwide. Key findings include:

  1. 52 percent of respondents said targeted malware attacks are their top server security concern, up 15 percent from the prior year.
  2. 25 percent of respondents said their servers were attacked in 2012, up 8 percent.
  3. 12 percent of the survey group ranked “too much administrative effort” required by traditional security solutions as a bigger concern than actual attacks. 43 percent of respondents use more than 1 full-time employee to manage server security.

Click here to download the Bit9 2013 Server Security Survey report and the infographic The Truth about Server Security.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources—before they execute—while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers—both physical and virtual—is to allow only trusted software to execute and prevent all other files from running. That’s how the Bit9 Platform protects our customers’ servers and endpoints against targeted attacks, zero-day threats and all other types of malware.”

Hackers, too Close to Home

I live in the far outskirts of Atlanta, Georgia.  It’s rural/suburban, with lots of horse farms and country clubs.  You never expect to have bad things happen near your home, myself included.  However, we do have some local drama that has bled into my domain of information security.  It all started with this:

Acworth Teen Accused of Posting Nude Photos to Porn Sites

Authorities are investigating an Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites, according to a Cobb County criminal warrant.

Interesting.  At this point I find it odd, but not too interesting.  Some kids getting in trouble.  Stupid trouble, but it sounds like this guy is not a pedophile.  Then more information came out.

Police Seek More Victims in Acworth Teen’s Alleged Child Porn Scheme

The Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites created a company to gain the trust of the juveniles.

Cobb County Police Sgt. Dana Pierce said today that authorities believe Harrison High School senior Michael William Cook operated under the company name Maxi Focus Photography between Nov. 1, 2012, and Jan. 1, 2013, the time frame that he allegedly posted to pornographic websites “naked” or “erotic” photos of people that he obtained through fraudulent means.

Okay, now that steps it up a notch.  If true, this guy even got himself a fake business to entice girls.  So he may be more of a predator than I first thought.  At this point, it’s a wild story, but still a local quirky story.  It just happens to be walking distance from my home.  I was reading my security blogs this morning and came across this:

17-year-old arrested for hacking into phones, stealing and distributing explicit images of children

A US teenager has been charged with distributing child pornography he allegedly hacked out of minors’ cellphones with a bogus mobile text ad that installed phone-controlling malware.

According to 9News.com, Sgt. Pierce claimed that Cook sent text messages to victims from a company called “Maxi Focus Photography”.

When victims clicked on a link in the text message, it installed malware that essentially gave Cook access to all information stored on the phones.

That includes access to victims’ accounts on social network sites, such as Facebook and Twitter, as well as sexually explicit photos stored on the phones.

Cook allegedly downloaded offensive pictures and sent them to pornographic websites, Pierce said.

Now things are getting very interesting.  This is more than just using a fake photography “studio” to convince girls to get naked.  This was a lot more sneaky, if true.  I’ve done security forensics before and they almost always are child porn cases.  For me, I was always helping prove that someone knowingly downloaded child porn, and usually disproving the “It must have been a Virus” defense.

This is different.  If true, my neighbor was hacking into phones and stealing nude photos.  In my line of work, we talk about the various types of threats we have and what their motivations are.  Now we can add perverted 17 year old boys trying to find naked pictures of teenagers.  What if he came across your banking info?  Think he’d buy himself a couple of video games?

I can think of several lessons here:

  • Everything on a computer is discoverable.  If you have a naked photo of yourself, it could get posted somewhere.  Those files seem to live forever.
  • This is even more true on phones.  Did you know that many photos are automatically “backed up” onto servers (especially on non-smartphones)?  Things like IM and texting are unsecure and can be read by others?
  • Teach your children about security.  Do you tell your children about dark alleys at night?  Then tell them how to avoid getting attacked on the internet.  Here are a few good links:
  • Install Anti-Malware on your Smartphone and Tablets. Here are two of my favorites (and they’re free!):

I’ll keep monitoring the situation and see how things evolve.  For this kid’s sake, I hope it’s not true.  We’ll see how the investigation goes.

Wipe the Drive! or use Bit9

I just read a great article by Mark Baggett (@MarkBaggett) on the ISC Diary called Wipe the drive! Stealthy Malware Persistence Mechanism – Part 1 and Wipe the drive! Stealthy Malware Persistence – Part 2.  This was from his presentation at Shmoocon 2013.  He shows four different ways malware can stick around even after it’s been “cleaned” by anti-malware products.  I completely agree with his advice: always “Wipe the Drive”.  It’s the only sure-fire way to clean the system, but what if you can’t for some reason?  Maybe it’s a traveling employee or an executive at a conference.  Wiping and re-imaging is a costly procedure in most enterprises.

What if you had Bit9 installed?  How would these four situations play out?  Let’s go through them.  Bit9 can be run in three protection modes: Monitor-only with Advanced Threat Indicators (ATIs), Block & Ask, and Block.  If you are running endpoints in Monitor-only mode with ATIs, you would get an alert on your Bit9 console for these actions.  This alert could be acted upon within Bit9 or from your SIEM.  For the other two modes, I’ll explain how each of these would be blocked, since that’s how most of our customers use Bit9.

TECHNIQUE  #1  – File Associations Hijacking

What happens when you click on a .TXT file?   The operating system checks the HKEY_CLASSES_ROOT hive for the associated extension to see what program it should launch.  …

What if the attacker or his malware changes this association?   Instead of launching notepad it tells the OS to launch NOTPAD.EXE.   NOTPAD.EXE is a wrapper around the real NOTEPAD.EXE but it also contains a malicious payload.

This is pretty straightforward.  NOTPAD.EXE would be blocked because it isn’t trusted.  No matter how you tricked the user into running it, Bit9 is protecting you.  When you get the block alert, it’s time to wipe the drive, but only when you get around to it… after all, you are protected by Bit9.

TECHNIQUE  #2  – BITS

BITS is the Background Intelligent Transfer System.  This service is used by your operating system to download patches from Microsoft or your local WSUS server.   But this service can also be used to schedule the download of an attacker’s malware to reinfect your system.   Once the attacker or his malware is on your machine, he executes BITSADMIN to schedule the download of http://attackersite.com/malware.exe.   He schedules the job to only retry the URL once a day and automatically execute the program after it is successfully downloaded.  The attacker doesn’t put anything at that URL today.   Instead, he simply waits for you to finish your incident handling process and look the other way.   You can scan the machine with 100 different virus scanners.   Today there is no file on your system to detect.  You can do memory forensics all day.   Sorry, there is nothing running today.   Today it is just a simple configuration change to the OS.   Then when he is ready he places malware.exe on his site.   Your machine dutifully downloads the new malware and executes it.

Again, this is a very easy use case.  malware.exe wouldn’t be allowed to run.  When you get the block alert, it’s time to wipe the drive, but only when you get around to it.  Bit9’s got you covered until then.

TECHNIQUE  #3  – Program.exe

When Jake and I were preparing for the Shmoocon talk that we gave on this subject, I suggested we include this technique in our presentation.   Jake disagreed because this thing has been around since the year 2000 and I quickly relented and agreed with him.  At the time we both thought that this technique is pretty lame and we shouldn’t have to worry about a THIRTEEN YEAR OLD vulnerability.   Instead I decided to do a post on the ISC to talk about the technique and see what response we got.   The response from you, our awesome supporters, was incredible.   ISC readers documented several dozen of these attacks in critical systems common to most corporate desktop images.   You made Jake a believer (he had a vulnerable OEM application you found on his laptop). The response was such that I am now convinced that an attacker can use this technique and have a great deal of confidence that his malware will be launched.   As a matter of fact, it will probably be launched by something that has system permissions.   I won’t repeat the full details of the technique here since I already covered it on the ISC.   You can check out this article if you missed it:


This is the scenario. Malware or an attacker is on your machine.   He has administrative or Power User access.   The attacker drops a file called “program.exe” on the root of your C drive.    “program.exe” is a small application that reads the command line parameters that were used to call it.  It launches the real program you had intended to call and then executes its malicious payload.   Simple but effective.

This one is interesting.  When you install the Bit9 agent, it locally approves all files on the system.  Then you set up a chain of trust.  If you have program.exe on old machines or existing gold images, Bit9 will trust it.

I would advise following the link above and understanding this issue.  It’s worth it to review gold images a bit closer when putting them in your trust-based architecture in Bit9.  When doing this review, it’s a great use case for cloud-based reputation using Bit9’s Software Reputation Service (SRS).  If you have any questionable files on your image, run them through SRS.  Find out what the world thinks about them.  Another bit of advice for vetting gold images: review unsigned code!  You can even detonate files in a FireEye MAS, if you have one.

If you do find any malware like this program.exe, globally ban it in Bit9 (and delete it from your gold image)!  This will instantly protect all existing computers running the Bit9 agent.  Global Bans even work on Bit9 agents running in Monitor-only mode.  No need to wipe every drive immediately when you are protected with Bit9.

Technique #4 –  Service Failure Recovery Startups

You can configure Windows services with an automatic recovery action.  The defined action will be taken when the service crashes unexpectedly.   You can see these on the recovery tab for a service using services.msc.   Here you see this service first tries to restart the service, then it will …. ummm… what’s that??  ..  RUN A PROGRAM.   Hmm.

This use case is also straightforward.  The malware has tricked the user, even tricked the system, but it hasn’t been tricked by Bit9.  Blocked, again.
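As an added defender’s example (not code from the ISC diary or from Bit9), this PowerShell performs a read-only audit of the four persistence locations described above, so an incident handler can check a host before deciding when to wipe it. It assumes the stock notepad association as the .txt baseline, the BitsTransfer module, and the FailureCommand registry value; the checks on drive roots other than C: and on Program Files\Common.exe generalise the single program.exe case in the text.

```powershell
# Added example, not code from the ISC diary or from Bit9: a read-only audit of
# the four persistence locations described above. Run it elevated; it changes nothing.
Import-Module BitsTransfer -ErrorAction SilentlyContinue

function Get-PersistenceFindings {
    $findings = @()

    # Technique 1: HKCR\.txt names a ProgID whose shell\open\command is what the
    # OS launches. Assumed baseline: the stock %SystemRoot%\system32\NOTEPAD.EXE.
    $progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.txt' -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -notmatch 'system32\\notepad\.exe') {
            $findings += "[file association] .txt ($progId) opens with: $cmd"
        }
    }

    # Technique 2: BITS jobs of every user. A job with a notification command line
    # runs a program when the download completes, which is the deferred reinfection
    # described above, so report it together with the remote URLs still queued.
    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        $remote = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ', '
        $line = "[BITS] job '$($job.DisplayName)' ($($job.JobState)) fetches $remote"
        if ($job.NotifyCmdLine) { $line += " then runs: $($job.NotifyCmdLine)" }
        $findings += $line
    }

    # Technique 3: program.exe at a drive root is picked up by any unquoted
    # "<drive>:\Program Files\..." path. Checking every fixed drive root and the
    # matching "Program Files\Common.exe" generalises the C:\ case in the text.
    $roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }).Root
    foreach ($root in $roots) {
        foreach ($p in @("${root}program.exe", "${root}Program Files\Common.exe")) {
            if (Test-Path -LiteralPath $p) { $findings += "[program.exe] unexpected file: $p" }
        }
    }

    # Technique 4: a recovery action of "Run a program" is stored as the
    # FailureCommand value under the service key; any non-empty value deserves a look.
    foreach ($svc in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)) {
        $fc = (Get-ItemProperty $svc.PSPath -Name FailureCommand -ErrorAction SilentlyContinue).FailureCommand
        if ($fc) { $findings += "[service recovery] $($svc.PSChildName) runs on failure: $fc" }
    }

    return $findings
}

$results = @(Get-PersistenceFindings)
if ($results.Count -eq 0) { 'No findings in the four locations checked.' } else { $results }
```

BITS jobs are listed even when benign (Windows Update uses BITS), so compare the remote URLs and any notification command against what you expect rather than treating every line as an infection.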

I hope this helps shine the light on the amazing power of software whitelisting.  It changes the game in end-point protection.  You don’t have to go running after every trick in the book that may trick a user. You only have to vet the software you trust, and you don’t have to wipe the drive immediately when an infection occurs.  Bit9 gives you the freedom to have endpoints protected while you wipe the drive at your convenience.

Learn about the new Bit9 Advanced Threat Detection


Hear Michael Bilancieri telling the compelling story about our new detection and forensics capabilities and innovative new Advanced Threat Indicators.

Bit9’s Trust-based Security Platform combines real-time sensors, Advanced Threat Indicators (ATI), and the cloud-based Bit9 Software Reputation Service to immediately detect advanced threats and malware. You won’t wait for signature file updates. No testing or updating .dat files. Bit9 specializes in advanced threat detection.

Gartner’s take on Endpoint Security

Since moving from network security to endpoint security, I’ve been soaking up as much wisdom as I can on the various approaches, priorities, and opinions out there.  I came across this Gartner study titled “Predicts 2013: Endpoint Security Becomes Even More Important for Infrastructure Protection”.  It seems to hit home with many of the viewpoints I am hearing from my customers.  The Bit9 web folks have posted a copy on the Bit9 website, but here’s the gist:

Key Findings

  • Most endpoint security tools are designed to allow any application to run, unless it is known to be malicious. Restricting applications that are allowed to execute to a known set of preapproved applications is gaining acceptance as a more-effective security measure for dealing with rapidly morphing malware and advanced persistent threats.
  • Malware authors typically attack the easiest and most prevalent targets. Mobile devices offer a range of possibilities along these two scales.
  • As computer processing is dispersed into operational technology (OT) systems, data sources and access points expand exponentially. Some of these objects will require security due to the sensitivity of the processing they perform and the data they provide, particularly for OT-centric enterprises.
  • Most organizations are removing URL blocks and permitting most employees to access external social media from corporate-owned and managed endpoints and networks.

Recommendations

  • Consider application control a key requirement of endpoint protection systems. Favor vendors that have mature workflow processes for dealing with change and have large installed bases of users from which to draw samples.
  • Focus investments in platforms that have a default-deny application control environment, or be prepared for higher costs and more potential for infections.
  • If your enterprise is involved with OT such as supervisory control and data acquisition (SCADA) systems, process control, telemetering, sensors or similar OT, immediately try for IT/OT alignment, convergence and integration to develop plans for security oversight.
  • End-user organizations should anticipate continued investments in procedures and solutions focused on managing security risks in external social media. However, solutions in this space are immature, and organizations should expect regular changes in feature sets and vendors.