Malvertising, weaponized documents continue to threaten networks

  • 22 February 2016
  • 17 replies
  • 25 views

Userlevel 7
Badge +54
February 22nd 2016, by Kacy Zurkus

How to be prepared for a browser-based attack

http://images.techhive.com/images/article/2015/11/tripbox-malvertising-2-100627715-primary.idge.jpg
How a large video malvertising campaign attacked users according to The Media Trust.
Credit: The Media Trust
 
When a catastrophic attack hits, companies either have to start over or pay the ransom, as we've seen far too often in the headlines.
 
"One of the first things anybody needs to do is create a backup of their system. They need a backup system for long-term storage of the data that they love," said Invincea's director of security analytics, Pat Belcher. "You'd be surprised at how many veterans ignore this as well."
Belcher offered an overview of what Invincea has identified as the most advanced endpoint threat trends of browser-based attacks along with some suggestions for prevention, detection, and response.
 
Full Article

17 replies

Userlevel 7
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.
Userlevel 7
Badge +56
@Antus67 wrote:
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.
Well I would say WSA's Web Shield and Identity Shield would have the same protection in this case.
 
Daniel
 
Userlevel 7
Badge +56
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Mon 2016-02-22 13:47:29.0201 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0412 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0631 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0860 Agent Bits : 0
Mon 2016-02-22 13:47:29.0966 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [(null)]
Mon 2016-02-22 13:47:30.0116 Begin passive write scan (1 file(s))
Mon 2016-02-22 13:47:30.0800 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:30.0800 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
 
Note: This is not recommended for common users, it's just a test in a protected environment on my PC!
Userlevel 7
Badge +35
@ wrote:
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Note: This is not recommended for common users, it's just a test in a protected environment on my PC!
Another perfect example of an email that should be deleted before even opening it. 
 
-Dan
Userlevel 7
Badge +56
@ wrote:
Another perfect example of an email that should be deleted before even opening it. 
 
-Dan
Correct!
 
Daniel
Userlevel 5
Badge +1
@ wrote:
@ wrote:
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Note: This is not recommended for common users, it's just a test in a protected environment on my PC!
Another perfect example of an email that should be deleted before even opening it. 
 
-Dan
Yes indeed, but... when you are expecting an important package to arrive and it does not turn up, or the delivery was missed, and then the user sees such an email from FedEx or wherever, then perhaps not we, but many others WILL open it! Good to see that WRSA will jump on it, but still, I'd prefer that it's detected and destroyed much sooner!
Userlevel 5
Badge +1
@Antus67 wrote:
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.
HMP.alert is a great barrier to this kind of malware but I had too many problems when running it alongside WRSA, so fell back to just using reliable WRSA on most of my PCs.
Userlevel 5
Badge +1
So few companies detected that one, wow. Behavioral is definitely the way to go, but as an extra layer I really want online lookup signatures as well, and to delete the little buggers as soon as possible off my drive! ;)
 
Userlevel 7
Hi cavehomme
 
I have tested and run HMP.A with WSA over a number of months and have not had a single issue. If you would like to share what you have been seeing, maybe I can help out here.
 
Regards, Baldrick
Userlevel 7
Badge +56
@ wrote:
Yes indeed, but... when you are expecting an important package to arrive and it does not turn up, or the delivery was missed, and then the user sees such an email from FedEx or wherever, then perhaps not we, but many others WILL open it! Good to see that WRSA will jump on it, but still, I'd prefer that it's detected and destroyed much sooner!
In this case WSA detected the payload: the DOC file ran a script that tried to download the payload after opening, so the actual DOC was not an infection, but the payload was, and WSA detected it. So, as @ said, when you see attachments from people you don't know it's best to just delete them.
 
And this is the detection of the Payload: https://www.virustotal.com/en/file/f6070599b201e0220bdd5c751766aa8cfb00faab3ab404b3b3ad8738ee575963/analysis/
 
Mon 2016-02-22 13:47:29.0201 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0412 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
 
Daniel 😉
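The log excerpt Daniel posted is a dozen near-identical lines for what is really one file. As an added example (not part of any post in this thread, and not Webroot tooling), here is a small triage parser that folds realtime-detection lines like those into one record per file, so an analyst can see at a glance how many distinct files were hit, their hashes and sizes, and when the first and last events occurred. The regex is written from the log format visible in the posts above; the `Detection` dataclass and the function names are my own, and the sample input is the earlier post's log copied verbatim (the forum stripped the backslashes from the path, which the parser tolerates).

```python
"""Collapse a noisy endpoint realtime-detection log into one record per detected file."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Matches the "Infection detected" / "Infection found in realtime" lines.
# Only the realtime lines carry a Size field, so that group is optional.
# Assumption: field order and bracket layout are as shown in the thread.
DETECTION_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<event>Infection detected|Infection found in realtime): "
    r"(?P<path>.+?) \[MD5: (?P<md5>[0-9A-Fa-f]{32})(?:, Size: (?P<size>\d+) bytes)?\] "
    r"\[(?P<codes>[^\]]*)\] \[(?P<name>[^\]]*)\]\s*$"
)

# Sample input: the log lines quoted in the earlier post in this thread.
SAMPLE_LOG = [
    "Mon 2016-02-22 13:47:29.0201 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0411 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0411 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0412 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0631 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:29.0860 Agent Bits : 0",
    "Mon 2016-02-22 13:47:29.0966 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [(null)]",
    "Mon 2016-02-22 13:47:30.0116 Begin passive write scan (1 file(s))",
    "Mon 2016-02-22 13:47:30.0800 Infection detected: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]",
    "Mon 2016-02-22 13:47:30.0800 Infection found in realtime: c:usersdanielappdatalocal empidd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]",
]


@dataclass
class Detection:
    """One detected file, aggregated across every log line that mentions it."""
    md5: str
    path: str
    size: Optional[int] = None
    first_seen: str = ""
    last_seen: str = ""
    events: int = 0
    names: Set[str] = field(default_factory=set)   # engine labels, e.g. W32.Trojan.Gen
    codes: Set[str] = field(default_factory=set)   # the bracketed code pairs, kept opaque


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a detection line, or None for any other log line."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["md5"] = rec["md5"].upper()
    rec["size"] = int(rec["size"]) if rec["size"] else None
    return rec


def summarize(lines: List[str]) -> Tuple[List[Detection], List[str]]:
    """Group detection lines by (md5, path); return the groups and the non-detection lines."""
    by_file = {}
    skipped = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped.append(line.strip())
            continue
        key = (rec["md5"], rec["path"].lower())
        det = by_file.get(key)
        if det is None:
            det = Detection(md5=rec["md5"], path=rec["path"], first_seen=rec["stamp"])
            by_file[key] = det
        det.events += 1
        det.last_seen = rec["stamp"]          # lines are in time order, so the last one wins
        if rec["size"] is not None:
            det.size = rec["size"]
        det.names.add(rec["name"])            # "(null)" is kept visible: the hit predates a family label
        det.codes.add(rec["codes"])
    return list(by_file.values()), skipped


if __name__ == "__main__":
    detections, other = summarize(SAMPLE_LOG)
    for d in detections:
        print(f"{d.md5}  {d.path}  size={d.size}  events={d.events}")
        print(f"  first={d.first_seen}  last={d.last_seen}  labels={sorted(d.names)}")
    print(f"{len(other)} non-detection line(s) skipped")
```

Running it on the quoted log reports a single file with twelve events between 13:47:29.0201 and 13:47:30.0800, labelled both `W32.Trojan.Gen` and `(null)`; the two status lines ("Agent Bits", "Begin passive write scan") are reported as skipped rather than silently dropped, which is the behaviour you want when the log format drifts.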
Userlevel 5
Badge +1
Thanks Baldrick, but I removed .alert a while ago and now just relying upon HMP as a second opinion.
 
I'm curious though, if WRSA works so well, why would we need to have an anti-exploit layer?
 
By the way, I've gone full-circle on my main laptop and it's now running WRSA again. I discovered in my tests that Windows Defender did not detect some malware when scanned, whereas on Virustotal the Windows malware engine did detect the sample I uploaded. This happened to quite a few, and I had the latest signatures, so there seems to be an issue with WD on PCs whereas on Virustotal it's picking up most things that I throw at it.
 
Despite potential shortcomings, WRSA does seem to be the best all-round software, including the ability to safely do online banking.
Userlevel 7
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences strictly speaking...it is just some of us prefer to have some back...just in case as, and it has been said many a time, nothing...not even WSA...is 100% effective 100% of the time.
 
Regards, Baldrick
 
Userlevel 5
Badge +1
@ wrote:
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences strictly speaking...it is just some of us prefer to have some back...just in case as, and it has been said many a time, nothing...not even WSA...is 100% effective 100% of the time.
 
Regards, Baldrick
 
Baldrick, which version of Windows are you running? My issues between WRSA and HMP.alert were with Windows 7, not tried it yet on 10.
Userlevel 5
Badge +1
@ wrote:
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences strictly speaking...it is just some of us prefer to have some back...just in case as, and it has been said many a time, nothing...not even WSA...is 100% effective 100% of the time.
 
Regards, Baldrick
 
...and you run Voodoo Shield as well as .alert?
Userlevel 7
Hi cavehomme
 
I run Windows 10 Pro on the system that I have HMP.A installed on. Yes, I run VS AND HMP.A because I am an official beta tester for both apps... that is the reason, and not because I do not believe that WSA is enough protection on its own.
 
Before becoming a beta tester for both products I ran WSA all on its own and it did a sterling job protecting me on a number of occasions when there was a need.
 
Now personally, I do like a goodly amount of control of what runs on my system and if I were not beta testing it then I would use VS as a replacement for UAC (which is a major pile of doodoo IMHO...;)).
 
Regards, Baldrick
 
Userlevel 7
Sorry, don't agree with you. It's always important to have layers of protection for back up or a second opinion. No single security application is 100% foolproof.
Userlevel 7
I agree with you 100%, Baldrick, on your assessment of security applications.