Channel: McAfee Labs | McAfee Blogs

Leading Enterprisewide Transformation – an Interview with Gartner

Introduction

In this interview, Patty Hatter shares with Gartner Vice President Michael Leckie the story of how she led the charge on a series of high-value, enterprisewide initiatives to enable new business capabilities that have driven both productivity and improved digital experiences, not only for employees but for McAfee’s partners and customers as well. The need to establish a collaborative working relationship with the BUs, Sales and the other business functions became a catalyst to orchestrate change across Operations and IT, reshaping these underperforming departments into a highly regarded transformation engine that benefits the entire enterprise.

After years of acquisitions, McAfee’s infrastructure was a patchwork of disparate, loosely bound legacy systems and regional processes. The result? Inefficiencies, productivity drain and a poor customer experience had severely affected both the bottom and top lines. By 2011, McAfee had reached an inflection point.

Enter Patty Hatter. Formerly VP Business Operations at Cisco, Patty was recruited to lead McAfee operations and, soon after, enterprisewide IT as well, with a mission to team with the BUs to build a full Infrastructure as a Service stack for McAfee product teams, enabling faster and higher-quality time-to-market for their products as well as providing a full spectrum of enhanced business capabilities across the company.

[Note: This article describes the period leading up to McAfee’s integration with Intel and does not reflect the current state of Intel or Intel IT. Patty was SVP of Operations and CIO of McAfee; McAfee has since been acquired by Intel, and her title is now VP and GM, Intel Security and Software IT & CIO, Intel Security Group.]

The First Year

Out of Necessity, a Shared Vision

When there’s a general recognition that something is not working, it gives you permission to make changes.

Michael Leckie: As VP/General Manager as well as CIO, it must be challenging to wear multiple hats. How do you effectively balance the priorities of your dual roles?

Patty Hatter: Having the dual IT and operations roles has been helpful, especially given where we (McAfee) were in our development at the time that I was brought in. After years of acquisitions, there was not a lot of integration from an infrastructure perspective and a product perspective. The functions and product portfolio had become disjointed, and the architecture, processes and systems that ran the company weren’t connected, which made it hard to get anything done. To the rest of the organization, it felt as if we were walking through molasses. It was an inflection point for us.

In that first year, I pulled together my Ops Team and the leaders across all the business functions, and said, “Going forward, what is it we are trying to do? What do we think is most important? We have all these projects queued up, but in the past, we have spent a lot of money on projects that we just couldn’t get over the line.”

First, we put together a connected governance model. Here’s the money we want to spend and here are our common priorities for big projects. This allowed us to put available resources and dollars toward the most important common priorities. The good news was that out of that first year came a common roadmap in which we all agreed on the most important things to focus on from a business perspective. The bad news was that we had three to five years’ worth of work to do in one year.

Nothing like a burning platform to motivate people — and we had that.

About that same time, I took over IT, which was a blessing and a curse. We would not have been able to change the culture — not just within my own teams but across the company — if there hadn’t been a shared vision and understanding that getting it all done in one year was a business imperative that would require every business function — not just IT — to “up their game” in a huge way. Sometimes there’s nothing like a burning platform to motivate people — and we had that.

Michael: We tend to think about delineating along different departments and party lines, but you brought the party together out of necessity. Would you say that turned out to be an advantage in the end?

Patty: Absolutely. For us, having that shared vision was the way forward, and it was incredibly fortunate that there was a new connectedness between Ops and IT. In that transformative first year, we had to change out every transactional system. Luckily, the first big program that had to be completed that first year was sponsored by my Operations team. We had to change out a 12-year-old order-processing platform that was creaking at each quarter end due to business volume growth. They had tried three times before I joined the company to get a new platform that fit the business processes we wanted to go forward with but were never able to do it. We used this first program to demonstrate a new level of, “Hey, we can do this!”

Because we had no earlier proof points, no success with any large programs, this project had to work. It was the first one, everybody was watching. We were able to successfully get it over the line — and it brought value to the business. This success set the tone for all the other work we had to do with other business functions for the remainder of that year, and for subsequent years as well.

The more you can blur organizational lines, to get people to see the bigger picture — not just of their own group or function, but how the entire company needs to move, how the business model and processes need to evolve, and how we can work differently with partners — the more teams can share a common worldview and vision. That’s what will propel our organization forward.

Modeling Courage

“You have to show your organization that you’re willing to take the tough calls and make those tough choices if you’re asking them to.”

After the governance model, the next big piece of our success was the leadership changes we made. IT had a lot of technically strong individual contributors, but we had issues at the leadership level. Within three quarters, we went from having six VPs reporting to me on the IT side, to three — and only one was the same. Even though it involved a lot of change and some difficult conversations, our individual contributors saw that I was willing to make the tough decisions to move the whole organization forward. This made potentially traumatic organizational changes a relief.

Many organizations might see that as risky. Leaders often pause in making bigger personnel decisions involving their direct reports. But I’m a huge advocate of showing your organization that you’re willing to make the tough calls. That was another key for us in being able to move as quickly as we have over the past three years.

I thought it was more risky for us to stay in the position we were in.

Michael: You did something that was symbolic of the change and the integration you wanted and you did it at the leadership level first. You said, “I’m willing to take the risk to do this and we’re going to start here.”

Patty: I looked at how I had to draw the lines for what we needed to do. The leadership team roles were fractured and didn’t give any of the leaders enough critical mass to move forward — plus we had the wrong leaders in those roles. At that level of change, you want to take the opportunity to get the right people into the right roles. Some people thought it was too risky; I thought it was more risky for us to stay in the position we were in.

Change is scary. I encourage people to take a deep breath and make the changes they’re thinking about as quickly as possible, because business requires IT to move quickly these days and it sets the tone for the organization. Of course, you always need a contingency plan in case things don’t go as expected. But do things out of the ordinary, keep reinventing yourself and be willing to take the risk and manage through it.

In the end, it comes down to the risks leaders are willing to take. People will follow that in the same measure, “Okay, this person is not just saying we want to move fast and take a risk; they’re actually doing it!”

Aggressive Transparency

The entire organization needs to be willing to put every issue on the table and feel like it’s okay.

Michael: What helped you go ahead with something that was seen as risky without it being stalled by others in the organization?

Patty: I had a few things in my favor. First, there was the consensus that we were in a bad situation and that something had to be done — back to that burning platform being a motivator. When there’s general recognition among your peers and the leadership of the organization that something is not working, it gives you permission to make changes. People supported us because what previously had been done wasn’t getting us where we needed to be.

Secondly, the president of McAfee was a vocal and visible supporter of the need for change and how we were going about it. That provided a lot of air cover for what we were doing and why we were doing it.

The third component was aggressive transparency at all levels. Keeping everyone on the same page was something that we talked about and instilled in our culture early on. When you’re trying to change so much so quickly, the entire organization, not just the leaders, needs to be willing to put every issue on the table — whatever they are seeing — and feel like it’s okay to do so.

We want all the news — good or bad. I would tell my team all the time, “The only thing I’ll be upset about is if you know there’s a problem and you don’t say it.” Any problem you bring to the table is good, because I know we can fix it; but if we let a problem linger (like a problem in any of the corporate apps or problems in the infrastructure of any of our products), it is only going to get worse. A problem that isn’t addressed today will only be worse tomorrow, and even worse in a week. Everybody needed to be comfortable and willing to say what had to be said.

“These people are telling us what they think; they are fixing every issue they raise. We can trust them.”

We also took that level of transparency to our stakeholders. From the beginning, folks knew that even if we were coming with bad news, we would tell them exactly what we saw and the plan to remediate. That helped to quickly build trust, not only at the leadership level, but at all levels. It’s hard to argue with that. “These people are telling us what they think; they are fixing every issue they raise. We can trust them.”

When I took over IT, my peers had questions about the budget and where the money was going. So one of the things I did to build trust, from the beginning, was to say, “If you ever want to go through all the financials, I’m here.” In every enterprise, IT has a large budget, one of the largest budgets, and I wanted people to understand that we were good stewards of the company’s money. And for services where we needed to bring down the cost base, we would take that responsibility.

Nobody ever took me up on it, but just letting people know that you’re not hiding and you’re willing to share all the information, changes the dynamic from, “I don’t trust that person; they might be hiding something,” to, ”There’s no way they can hide given the information they are putting on the table. Give them a break and let’s all just move forward.”

Creating New Stories to Tell

Build the reputation within your organization that whatever you know, you will say — even when times are challenging!

Michael: You did a really good job creating the psychological safety for people to come forward and say this is a problem, this isn’t working — to challenge leadership. Did that come fairly quickly?

Patty: People believe you when they see your actions are consistent with what you’re saying. There are always those first few brave people who will try out acting in accordance with your statements. There’s nothing like supportive chatter within an organization when somebody tries their hand at what leadership is saying. Those first few people who reached out and put me to the test went back into their teams and shared the positive results of what happened. That filtered throughout the organization quickly, and greatly helped start turning the tide.

Additionally, we built in a lot of touch points. We had small groups of people together in more intimate settings where they could feel more comfortable saying what’s on their minds. And then we had larger group settings where we focused more on strategy and where the organization was going. We also used those large settings to recognize teams and managers and individual contributors for specific work they’ve done.

It’s important to have a reliable framework for how things are communicated — and couple that with frequent communication. That’s how you build the reputation that whatever you know, you will say — even when times are challenging. You need the goodwill of the organization that you built during an up cycle to help you manage through a down cycle. We needed a new dialogue and I think we’ve done a great job at it, but we spent a lot of time building it.

The Core Set of Strategies

Pick a set of strategies you wouldn’t change out every year. Consider these your multiyear journey.

Michael: What would you advise your peers in a similar situation?

Patty: You need to balance being busy with a thousand projects, big and small, with giving the team a connection to where you are headed strategically — what you are trying to build, what capabilities you need to build a better organization, and how that connects with the broader mission of the company. We were able to put that in place and it helped us move forward quickly.

You need to balance getting good at executing projects and programs — that is, table stakes — with building a thriving IT organization that has the core capabilities to accelerate transformational opportunities for the company. Choose a set of strategies that will form the core of your multiyear journey. We have five core strategies. Talent is first and always the most important; we apply a lot of energy around talent. The other four are: service orientation, strategic engagement, product enablement and user experience. For each of these strategies we have a number of deliverables. Each deliverable lasts two or three quarters. These core strategies are the foundational work you need to put in place to enable the projects and programs that you’re doing for the business. In this way, you have a consistent strategy that drives the work you are doing. This balance between being an execution engine and being strategic definitely helped us.

Good ideas all have a shelf life; they’re not good ideas forever.

Patty: Another thing I would point out is the willingness of leaders, and not just in IT, to keep reinventing. It’s easy to not want to change if you see something working. You want to just keep riding it forever. This is true in IT even more than in other parts of the organization. CIOs especially need to be willing to stop programs that may have worked well when they were put in place but that now need to be jettisoned to keep moving forward. Good ideas all have a shelf life; they’re not good ideas forever.

Likewise, leaders need to be on a regular pace of meaningful evolution. Evolution doesn’t mean more of the same but with different technology. The organization itself has to keep evolving. We’ve been internalizing that over the past few quarters. I see pieces we’ve put in place that have been successful, and now we’re undoing them to come up with something better — even great programs aren’t going to have the same impact after two or three years.

Michael: You have got to keep reinventing yourself. Your Madonna moments. You need to ask, “Is this past its prime, and what’s next?” — to make that cyclical and a discipline of how you lead an organization.

Patty: That’s probably part of why the lifespan of CIOs is what it is at most companies. You get to the point where it’s not just the projects and technology, but how the organization operates that needs to be refreshed. That’s hard to do when you’re the one who put it all in place. As the CIO, you have to be okay with this level of change or your organization isn’t going to be okay with it.

Beyond IT

Cultural Change

It set a tone, not just for IT, but for the company as a whole … that was a watershed moment.

Michael: Let me go back to when you first moved into the IT role. You mentioned that the credibility of IT wasn’t where it needed to be. How did you assess that, and what was the first thing you did to address it?

Patty: In my operations role, I had been a customer of IT; so I had the luxury of having observed the IT organization for a year in advance. One of the first things we did was to make the leadership and structural changes I mentioned earlier — moving from six VPs to three with only one being the same. In hindsight, I would do that even faster. Getting the right leaders in place is the only way to go forward. You can’t limp along knowing it isn’t the right person or the right role. The sooner you address the situation, the better it is for the organization.

Each of the past three years has been so different from that first year where we changed out all the transactional systems and reduced our data center footprint by half. I wouldn’t love to do that every year, but it was great because it was so fast paced and involved every organization across McAfee. It set a tone for the company as a whole — that we were capable and we proved it. We set higher expectations for ourselves. That was a watershed moment. It happened fast, but it changed the culture within the entire company. After that, we were able to turn our sights toward fundamentally restructuring our relationship with the product teams.

With the growth from acquisition, McAfee was behaving like a normal software company — every product team made every technology decision on its own and was running a lot of its own infrastructure. That model is not cost-effective and it’s not effective from a service management and SLA point of view either. With the credibility we built that first year with the business applications, we were able to transform the relationship with each of the product teams.

Reset Relationships

If you’re an engineering team and you feel like you can’t rely on IT, you’ll do what you have to do.

The single best thing we did to launch that relationship in a different direction was to put in place a cross-IT, cross-BU, cross-engineering architectural team. We said, “Let’s get this team together and look at the technology stacks each product is using. Let’s make decisions together. Let’s put all of our use cases on the table, and where we can use the same thing, let’s use the same thing. Let’s try to get beyond the 80:20 rule; let’s see if we can reach 95:5, so we’re not all starting from a blank sheet of paper.”

Suddenly, the engineering teams from each of the BUs were saying, “This is speeding things up because I’m not having to reinvent the wheel every time.” They were able to leverage what people were thinking and doing across the whole company. Getting that process started enabled more consistent adoption of IT as the infrastructure service provider for all of our products. Before then, every product team was doing its own thing. That’s very costly. But, if you’re an engineering team and you feel like you can’t rely on IT, you’ll do what you have to do. I would do the same if I were in their shoes. You have to get to a certain level of credibility and reliability of services. As our service levels went up and our ability to influence architectural decisions across the organization increased, the conversation changed to, “Okay, let’s agree on the stack of services you’ll supply across all of the products and that will let us all scale faster.”

There aren’t many times when you can get the personalities, the credibility and the timing right to make such a big move so quickly. It was a huge step forward for us as an IT organization and as a company. Our whole lot in life is to help the company move forward faster with the business capabilities and infrastructure we are able to provide to the product teams. We want every one of their engineers to be able to focus on value-add, on speeding up the product development and time-to-market for our products.

If IT can take on more of the burden of the infrastructure, and it’s reliable, scalable, performs better and has a better cost base, then that’s what we need to be doing. Enabling engineering to focus on the product, not the infrastructure, has been a huge step forward for our relationship with the product teams.

Michael: You went from deep vertical expertise to a more collaborative, broader business needs focus. You really reset the organization.

Patty: Exactly. There was no misunderstanding what we were doing.

Visible Destruction

We had to make a dramatic point by changing quickly.

Patty: The IT organization under the prior CIO was so fragmented that a customer of IT had to negotiate with multiple VPs in IT to get a service or business capability. You had to go to one person to try to get one agreement and then go to another person to try to get another agreement and so on. It was simply too hard to do business — just for the sake of some artificial silos within IT. Within the IT organization itself, the redundancies caused too many issues. And from a customer-model point of view, it did not work. It had to end quickly.

Michael: You visibly broke down those silos and said to your business partners, “Look, we are now easier to do business with. That’s what we are here for.” What might you advise others if they were making a similar change?

Patty: We had to make a dramatic point by changing quickly. It’s a sign within IT and a sign across the business: “I hear you. I know what we need to fix, and we are quickly getting on it.” Visible change buys you time. Change is a journey. It’s not going to happen overnight, but you want to let your stakeholders, peers and organization know you’re serious. Demonstrable and dramatic change buys you the time you need to keep going with the rest of the transformation. There are multiple benefits from the visible destruction.

Michael: Were there others that you drew in, counted on, relied upon or were coached by? What was your support network during this time?

Patty: I’m a big believer in developing as many relationships as you can across the organization, within your team, with your stakeholders and with your boss. You want people to understand what you’re doing so that they can feel comfortable with what to expect from you and your organization. People expect that consistency — in your strategy, in your execution and in how you behave. That gives them the ability to tie what they see you doing to the strategy. It helps pave the road for change.

Cultural Connectedness

It feels more like a family than an organizational structure.

I mentioned this before, but I don’t think it can be emphasized enough — you have to invest in spending time with your own organization. That will pay dividends down the road. My classic example: Traditionally, I do six all-hands meetings a quarter. One might ask how that is possible. We do a day and an evening so we can redo a live all-hands for our teams in Asia. We do an AM/PM all hands for our operations team and AM/PM all hands for our IT team and then we do a joint AM/PM all hands for not just Ops and IT, but also Finance. We have always partnered closely with Finance.

At the time we were both starting out here at McAfee, the head of Finance and I found out from our employee engagement survey that we had similar challenges. We decided to pool our resources and have our teams work closely together. We would do joint calls every quarter. That consistency in messaging meant that people knew they could ask any question and that we’d answer every question we knew how to answer — and if we didn’t know, we’d get back to them later.

We used it as an opportunity to pull in the leaders across the organization to speak with the rest of the team. That provided a personal connection between our leaders and the whole global team, and it kept our leadership team glued together. Any one of us could talk about any of the others’ organization. This is powerful, because it says that you don’t just have a strategy on paper; you have it operationalized across your leadership team, and it’s visible to the whole organization.

This built assurance that all the leaders were rowing in the same direction, and that if you asked one of them a question in one forum and asked another somewhere else, you’d get the same answer. That kind of consistency threads your organization together and builds cultural connectedness at every level. People mention that it feels more like a family than an organizational structure.

Michael: You are developing trust by doing what you say and saying what you’re going to do — then saying it consistently so that people can actually see that you do what you say. There’s interesting research on the neuroscience behind leadership. One of the positive triggers for people is certainty.

Patty: I very much believe in that. During a phase when the business environment is undergoing a lot of change, people want to be able to hold on to something. They can hold onto the culture of an organization even when the technology and business strategies might be changing. There’s got to be something fundamental that they know is consistent and certain.

High Expectations

There’s a shared history and a common view of how we need to move forward, but with high expectations.

Michael: Another trigger was “relatedness” among different members of the organization. You spoke about a sense of family. Some people may think, “Oh, that’s nice, but really not important.” Did the fact that you knew each other well, were able to share values and purpose and create a feeling of “family,” help things to fall into place and drive the cultural change in your organization?

Patty: When they hear, “family,” some people may think, “They must be coddling or not trying hard.” Anybody who came to our staff meetings or to our all-hands meetings would see that we’re blunt with our expectations of high quality and we’re business focused. When I say, “family,” I mean shared history and a common view of how we need to move forward with high expectations.

This environment takes time to establish. It takes investment in setting it up and moving it across your organization. But it’s an important investment that leaders have to make because it will pay dividends in the end.

Michael: As we conclude, do you have guidance to someone embarking on this level of change or for taking on multiple roles?

Patty: I think it’s a great time for CIOs to seek opportunities on the business side. In my case, it helped that I also had the operations side. We were able to pull operations along, and that pulled the other business functions along. My advice would be to seek opportunities as a rotation or different career opportunity. There is so much technology out there — and that’s a great thing — but how does it apply to the business? How does the organization get business benefit? That’s the question that organizations have.

The more a CIO is able to understand the go-to-market strategy, how a company works with its supply chain, its partners across the business units and into the product team, and the more the CIO has personal experience in those areas, the more valuable they’re going to be. I would encourage CIOs to at least team with peers in other parts of the organization or take on rotational roles — anything that provides operational responsibility in different areas.

It may feel a bit scary at first, but having that broader experience of putting yourself in the shoes of your peers is invaluable in being able to best contribute to the company.

Michael: Thank you, Patty, for sharing McAfee’s transformative journey in preparation for a smooth integration with Intel Security this coming July 1.

Professional Profiles

Patty Hatter

Patty Hatter is now VP and GM, Intel Security and Software IT & CIO, Intel Security Group for Intel Corporation, an American multinational corporation headquartered in Santa Clara, California. A dual-role leader, Ms. Hatter has led an aggressive, transformational effort that drives enhanced IT and information and software security effectiveness and scalability across a global organization.

Ms. Hatter applies dynamic innovation while establishing strategic solutions to support world-class business operations and infrastructure. Her responsibilities are to drive and empower cross-functional partnerships that align to achieve real, bottom-line profitability and IT security. A key to Patty’s success is vigorous employee engagement and global collaboration.

Michael Leckie

Michael Leckie is a Vice President of Service Delivery, managing the Northeast U.S. for Gartner Executive Programs. Mr. Leckie leads a team of highly experienced former CIOs and IT executives. He is responsible for service delivery excellence and strategic business development across the region.

Before joining Gartner, Mr. Leckie worked in consulting, focusing on change enablement, strategy and business transformation (including IPO and M&A). He also held global executive HR and OD roles in Gartner and industry-leading organizations.

Mr. Leckie has an extensive background in talent management and professional development, as well as coaching skills. He speaks regularly on the art and science of leadership, change and influence, in addition to the changing role of the technology leader.

The post Leading Enterprisewide Transformation – an Interview with Gartner appeared first on McAfee.


3 Lies Parents Tell Themselves That Can Put Their Kids at Risk

Trying to keep up with your kids online feels a bit like patching holes in a sinking boat at times, doesn’t it?

A recent Intel Security study reveals a gap in what parents perceive kids to be doing online, and what’s actually taking place in behaviors such as cyberbullying, creating aliases, and the amount of time spent online. The study, “The Realities of Cyber Parenting: What Pre-teens and Teens Are Up To Online,” examines the online behaviors and social networking habits of American pre-teens and teens ages 8 to 16 years old.

But rather than get overwhelmed or discouraged when we hear the latest stats, we can use this new information to take a fresh look at reality and refuse to let denial run the show.

Here are 3 common lies parents tell themselves and some realities to help you recalibrate your thinking.

1. I can trust my kids online. This is a favorite, rose-tinted lie parents tell themselves. While it may be true that you can trust your kids in general, the online world poses temptations and threats that even the savviest parent and the most trustworthy teen can’t begin to anticipate. Predators, scammers, and bullies are part of life and only amplify their tactics in the online arena. Social networks, texting, and now live streaming apps have transformed parenting priorities and call for establishing a new kind of trust.

Another reality check: Kids’ brains are not fully formed until they are about 21 years old. So even the most predictable kids can and will make surprising decisions.

Truth: Yes, trust your kids in general but don’t trust the Internet. Take the same precautions you would take if you let your kids hang out in a big city. Educate them. Coach them. Know their favorite digital hangouts and guide them along the way just as you would if you were teaching them how to drive.

Talk candidly and openly about relevant digital issues. Keep up on technology, slang, and trends as they affect your kids. Find common ground and communicate often. Don’t wait for your kids to tell you; stay informed about popular technology and ask your kids if they are using risky apps.

2. Been there, done that. We’ve had the online safety talk already. This lie is one that is not only naïve, it’s dangerous. While you may have reviewed the basics of online safety, it’s not enough. Technology moves too quickly, new temptations arise, and simply put—kids forget the basics all the time (like brushing their teeth or taking out the trash)—so they need a parent’s guidance as part of everyday conversation.

Truth: Talking about online safety with kids and teens is pretty much like making them eat their vegetables. You can bet if you weren’t around they’d likely be eating Captain Crunch! Internet safety is a topic you need to visit often. Keep the conversation lighthearted but real when it comes to the potential dangers online. This game plan is a great place to start.

3. My kids understand this tech stuff better than I do—they will be fine. Many parents feel disconnected and out of touch with their digital children; so much so, they throw their hands up and simply hope for the best. But having tech skills does not equate to having tech wisdom, which is where you, parent, come in. 

Truth: Yes, your child’s online life is a lot to keep up with, but making a hero’s effort to stay informed is far better than sticking your head in the sand. Your kids need you now more than ever. Be aware of your kids’ digital paths—where they go and with whom they converse. Pour into them the integrity and awareness it takes to become a strong—and savvy—digital citizen.

You are right. Technology is moving too fast. You spend hours a week keeping up with, monitoring, and guiding your kids in the digital realm. However, by staying involved, you can prepare them for making the best digital decisions as they mature in this vast digital space.

What’s your biggest challenge as a parent of a digital tween or teen? Do you believe you are in touch with your child’s online life?

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Stealthy Cyberespionage Campaign Attacks With Social Engineering

Cyberespionage attacks pose a challenge for the security industry as well as for the organizations trying to protect against them. Last year, McAfee Labs predicted that in 2015 these attacks would increase in frequency and become stealthier, and we have seen this occur. Cyberespionage aims at specific organizations or sectors that are high-value targets, with most attacks flying under the radar.

The McAfee Labs research team has tracked an advanced persistent threat for the past couple of months. This group has evolved a lot in sophistication and evasion techniques to defeat detection by security products. This group has been active since at least 2014 and uses spear-phishing campaigns to target enterprises. We have observed this group targeting defense, aerospace, and legal sector companies.

[Figure: the spear-phishing email sent to the target]

The Attack

The preceding email provides a clear indication that the attackers have researched their target and its employees. Social media sites such as LinkedIn, Twitter, and Facebook are good sources of such valuable information, which can be used for social-engineering attacks.

The Excel attachment opens with a “password protected” window, tricking the victim into believing the file requires a password to display the content.

Password prompt

The Excel file is laced with a malicious macro that runs in the background. To prevent easy detection, the macro is obfuscated using Base64. The Excel file drops an .hta file, which contains the backdoor functionality.

This attack uses some novel techniques:

  • A JavaScript backdoor component, unlike most exploits or malicious Office files, which use an embedded or a direct download of a binary.
  • The JavaScript backdoor is obfuscated and dropped to %Appdata%\Microsoft\Protect\CRED. It persists on the machine using a registry run entry created by the mshta application.
    [Figure: registry run entry created by mshta]
  • The launched window is hidden using the JavaScript command “window.moveTo(-100,-100), window.resizeTo(0,0).”

JavaScript backdoor capabilities

The attack minimizes its footprint by running only a script, which has a lower chance of being flagged as malicious. Some of the backdoor capabilities:

  • Querying system information using WMI.
  • Using a proxy server for connections.
  • Downloading and executing remote files.
  • Using file/directory/network/process/registry and system operations.

[Figure: list of the backdoor’s capabilities]

Control servers

The WMI queries collect system-related data. The following parameters are collected and Base64 encoded before posting to the control servers:

  • Hash of volume serial number
  • Computer name
  • IP address
  • Current username
  • Operating system
  • Proxy server

The JavaScript backdoor connects to a gateway that receives additional commands from the attacker. Some of the control servers:

  • hxxp://humans.mooo[.]info/common[.]php
  • hxxp://mines.port0[.]org/common[.]php
  • hxxp://eholidays.mooo[.]com/common[.]php

One of the attacker’s first actions is to profile the infected host by executing commands that display a list of domains, computers, or resources shared by the specified computer (using the net view command). This is followed by gathering more information about the files on the desktop and other drives. An attacker can use this information for further lateral movement. All the data is posted to the control server as Base64-encoded data.

[Figure: output of the net view command as posted to the control server]

Detection

Defending against these highly targeted social-engineering attacks involves a human element. Although technical controls mitigate the risks, it’s imperative that organizations establish policies to help employees spot suspicious events.

McAfee Advanced Threat Defense provides zero-day protection against this attack based on its behavior.

The following Yara rule detects the OLE attack vector:

rule APT_OLE_JSRat
{
    meta:
        author = "Rahul Mohandas"
        Date = "2015-06-16"
        Description = "Targeted attack using Excel/word documents"

    strings:
        $header = {D0 CF 11 E0 A1 B1 1A E1}
        $key1 = "AAAAAAAAAA"
        $key2 = "Base64Str" nocase
        $key3 = "DeleteFile" nocase
        $key4 = "Scripting.FileSystemObject" nocase

    condition:
        $header at 0 and all of ($key*)
}
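The matching logic of the rule above, re-expressed in Python as an added example (this is not code from the post or from McAfee; it assumes no Yara installation and uses constructed byte strings rather than real samples), so a defender can see exactly which term of the condition fails on a given file:

```python
# Added example (not from the McAfee post): the APT_OLE_JSRat Yara rule above
# re-expressed in Python so its matching logic can be run without Yara.
# Every byte string below is a constructed stand-in, not a real sample.

# Compound File Binary (OLE2) signature; the rule requires it at offset 0.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# $key1 has no modifier in the rule, so it matches case-sensitively;
# $key2..$key4 carry "nocase".
KEY1 = b"AAAAAAAAAA"
KEYS_NOCASE = (b"Base64Str", b"DeleteFile", b"Scripting.FileSystemObject")


def rule_terms(data: bytes) -> dict:
    """Evaluate each term of the rule on its own (useful when tuning it)."""
    lowered = data.lower()  # bytes.lower() folds ASCII only, like Yara nocase
    terms = {
        "header_at_0": data.startswith(OLE_MAGIC),
        "key1": KEY1 in data,
    }
    for i, key in enumerate(KEYS_NOCASE, start=2):
        terms[f"key{i}"] = key.lower() in lowered
    return terms


def matches_apt_ole_jsrat(data: bytes) -> bool:
    """Same condition as the rule: $header at 0 and all of ($key*)."""
    return all(rule_terms(data).values())


def build_sample(body: bytes, ole: bool = True) -> bytes:
    """Constructed stand-in for a document: the OLE magic (or a zip/OOXML
    signature when ole=False), 512 bytes of padding, then the body."""
    magic = OLE_MAGIC if ole else b"PK\x03\x04"
    return magic + b"\x00" * 512 + body


# A macro-like body carrying all four $key strings (constructed).
MACRO_LIKE = (
    b"Function Base64Str(s)\r\n"
    b"Set fso = CreateObject(\"scripting.filesystemobject\")\r\n"
    b"fso.DeleteFile tmp\r\n"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
)

SAMPLE_HIT = build_sample(MACRO_LIKE)
SAMPLE_OOXML = build_sample(MACRO_LIKE, ole=False)  # zip signature, no OLE header
SAMPLE_NO_FSO = build_sample(MACRO_LIKE.replace(b"scripting.filesystemobject", b"wscript.shell"))
SAMPLE_LOWER_KEY1 = build_sample(MACRO_LIKE.replace(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAA", b"aaaaaaaaaaaa"))

if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("ooxml", SAMPLE_OOXML),
                         ("no_fso", SAMPLE_NO_FSO), ("lower_key1", SAMPLE_LOWER_KEY1)]:
        print(f"{name:11} match={matches_apt_ole_jsrat(sample)!s:5} {rule_terms(sample)}")
```

Two points the breakdown makes visible: the header term is the Compound File Binary signature, so this check only ever fires on OLE-based containers (.xls, .doc, .pps), never on Open XML zips, which is the same coverage the Yara rule has; and $key1 carries no nocase, so a lowercase run of a's does not satisfy it, as the last constructed sample shows.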

I thank my colleague Kumaraguru Velmurugan of the Advanced Threat Defense Group for his invaluable assistance.

Franchising Ransomware

Got a great business idea? Want to expand with less risk? Build a good product, develop some training, put them together into a repeatable formula, and collect the royalties from your franchisees. This model, used successfully for everything from fast food to hair salons to tax preparation, is now available for criminal ransomware.

Cybercriminals have long been making their tools available to others, whether due to pride of authorship or as a means of raking in some extra cash. However, the ransomware-as-a-service model is relatively new and has resulted in a massive increase in ransomware attacks (as reported in the latest quarterly Threats Report). CTB-Locker and Tox are two examples of how malware uses different business models to flood the Internet with attacks, trying to catch more victims before threat notices, signature updates, and other defensive measures catch up.

Since the servers for CryptoLocker were taken down last year, CTB-Locker has become one of the most common sources of ransomware attacks. CTB-Locker uses an affiliate program to drive growth and revenue. Criminals who sign up as an affiliate get the tools to distribute this ransomware to their own selection of targets and collect 70% of the resulting revenue. Distribution vectors are typically phishing emails such as delivery notifications and fake software updates. Once your files are encrypted, you are left with .bmp, .txt, and .html files that contain information on how to pay the ransom to get your files back. Removing the malware is relatively easy. However, decrypting the files, which are encrypted with RSA 2,048-bit private-key encryption, is close to impossible. Payment is expected in Bitcoin, which preserves the criminal’s anonymity.

Malware For Hire

Tox is another ransomware that is growing in popularity. The authors of Tox offer a ransomware kit that requires very little in the way of technical skills. Simply provide the ransom amount and “cause” for which you are fundraising, and you get your own executable file. Install or distribute as you see fit for a mere 20% of your gross ransoms, also payable in Bitcoin. Both Tox and CTB-Locker use the TOR network to get their encryption keys and hide the IP addresses of their servers to avoid the fate of CryptoLocker and evade endpoint security systems.

Bitcoin and other virtual currencies are an important part of ransomware. By protecting anonymity, data kidnappers can go after more lucrative targets, which might otherwise have the ability to track down the perpetrators. As a result, these attacks are shifting from consumer systems to business systems, in the hopes of getting more and bigger ransoms. Many organizations appear to be paying ransoms to get their data back, validating the model and fueling further attacks.

Ransomware has evolved and is spreading quickly, but it can be stopped. Frequent backups and user awareness remain the best protection against ransomware, followed by multipoint defenses. Anti-spam systems will catch many of the phishing emails, especially if they are configured to detect and block compressed files and executables. Consider blocking TOR network connections to prevent the ransomware from getting the encryption keys. Finally, keep system patches up to date and advanced security features configured and enabled on the endpoints.

View the original post on Dark Reading.

Threat Actors Use Encrypted Office Binary Format to Evade Detection

This post was written by Haifei Li of Intel Security and Xiaoning Li of Intel Labs.

Microsoft Office documents play an important role in our work and personal lives. In the last couple of years, unfortunately, we have seen a number of exploits, especially some critical zero-day attacks, delivered as Office documents. Here are a couple of standouts:

  • CVE-2014-4114/6352, the “Sandworm” zero-day attack, reported in October 2014. McAfee Labs has provided in-depth root-cause analysis about this vulnerability as well as Microsoft’s initial failed patch.
  • CVE-2014-1761, a highly crafted zero-day attack spotted by Google in March 2014. Read here to understand why we conclude it’s highly crafted.
  • CVE-2013-3906, a zero-day vulnerability in Microsoft Graphics Component but delivered as an Office document. This zero-day attack was detected and reported by McAfee Labs in October 2013.
  • CVE-2012-0158/1856, two vulnerabilities in MSCOMCTL.OCX that are quite old, but they have been attackers’ favorites for years. Exploits are still spotted in the wild.

At McAfee Labs we are performing some leading research on Office security to drive innovations on exploit detection and protection. Recently, we have seen an increase in attacks leveraging the Sandworm vulnerability. Most important, the threat actors have introduced some interesting detection-evasion techniques, which we want to share with the security community.

PPSX vs. PPS

We have seen quite a number of Sandworm exploits (CVE-2014-4114) masquerading as .pps (PowerPoint Show) format rather than the current .ppsx format. The original Sandworm samples were packed as .ppsx, which uses the Office Open XML Format, a replacement of the older Office Binary Format. The binary format is still supported by Office for compatibility. Because the Open XML Format is transparent and open, it is easy to parse and understand for third-party applications including security products. Thus most security vendors have no problem detecting CVE-2014-4114 exploits that use the Open XML Format.

It’s a different story with .pps documents using the Office Binary Format. Even though Microsoft has released the specification, the format is not easy to understand. As a result, security products have difficulty detecting exploits that use this format. Of course, the bad guys have realized this, and they have started to deliver CVE-2014-4114 exploits in .pps rather than .ppsx format. One example is the spear phishing campaign reported a few days ago by ThreatGeek. (We are tracking the campaign as well.) In this campaign, the exploits are repacked as .pps, which successfully avoids most AV detections.

Plain PPS vs. encrypted PPS

Fortunately, even though the binary format is hard to parse, it is still a “plain” format, meaning that if there is a good signature with generic patterns, the malicious bytes won’t be able to hide. But the exploit writers are not content with only moving to .pps. At McAfee Labs we see that they are now encrypting their exploits to make them even harder to detect.

Let’s take a look at what a normal .pps and an encrypted .pps look like by examining a sample we spotted in plain .pps. As we can see in the following image, the key bytes (the string “package”) can still be seen, which suggests the bytes are not encrypted.

[Figure: hex view of the plain .pps sample]
And here is an encrypted .pps:

[Figure: hex view of the encrypted .pps sample]
In the encrypted version we can’t find any malicious bytes at all.

Let’s try to open and edit the sample with PowerPoint. To avoid playing it, we first rename it from .pps to .ppt.

The exploit authors have cleverly leveraged a feature in Office that allows an author to protect documents from viewing or editing. In this example, the author has encrypted the document with a password, allowing anyone to view but not edit. (When we open a .pps (PowerPoint Show) document, we are actually “viewing” it; that’s why the exploit works without a password prompt.) On the other hand, because the document can’t be edited, it prevents security products from analyzing the content, and also prevents researchers from statically analyzing the malicious sample.

We have tracked threat campaigns with encrypted Office exploits for some time. Here is one older than the spear phishing example. This campaign, with MD5: 2E63ED1CDCEBAC556F78F16E8E872786, arrived with the filename “Attachment Information(English Version).pps” and was first seen on VirusTotal on May 12. As of July 2, there was still no detection on VirusTotal due to the encryption.

Analyzing the malware in the encrypted exploit

In exploiting CVE-2014-4114, this malicious .pps sample dropped a malware executable into the temp directory and ran it as update.dat (9421D13AA5F3ECE0C790A7184B9B10B3).

[Figure: the main function of update.dat]

The main function performed several tasks:

  • Decrypted the encrypted .exe file data into $AppData\Roaming\SearchCache.dll (97FE2A5733D33BDE1F93678B73B062AC)
  • Ran a new rundll32.exe process to call the exported API _flushfile@16 in SearchCache.dll (C:\Windows\system32\rundll32.exe "$AppData\Roaming\SearchCache.dll",_flushfile@16 $AppData\Local\Temp\update.dat)

In the exported API _flushfile@16, the code at first slept to avoid detection, and then deleted the original update.dat and created a new thread to perform other tasks.

The new thread connected to a control server, collected local system information, and sent the data to the control server. This thread also downloaded irmon32.dll and registered a service for it for future malicious actions. The detailed steps:

[Figure: detailed steps performed by the new thread]

Threat intelligence

To help our fellow defenders with their analyses, here are some of the sample hashes (MD5) related to these campaigns:

0BC232549C86D9FA7E4500A801676F02
12F8354C83E9C9C7A785F53883C71CFC
142B50AEAEBE7ABEDA2EC3A05F6559B6
1E479D02DDE72B7BB9DD1335C587986B
209470139EE8760CA1921A234D967E40
2E63ED1CDCEBAC556F78F16E8E872786
3EA3435FC57CECB7AD53AEE0BBE3A31D
4AF0B2073B290E15961146E9714BD811
6360DDC19A858B0CE3DB7D1E07BC742F
710A39FA656981A81577D2EE31B46B18
719A7315449A3AE664291A7E0C124F0A
822F13D2A8AE52836BB94D537A1E3E3C
864EC7ED23523B0DC9C4B46DE3B852D1
8675174A45AABC8407C858D726ABB049
8A6A6ADCDE64420F0D53231AD7A6A927
96432AC95A743AC329DF0D51C724786F
AD2A5B0AF9B3188F42A5A29326CDDB0E
B4F788E76E60F91CF35880F5833C9D27
B86297F429FFBC8AFD67BDDD44CBB867
D57DF8C7BA9F2119660EA1BCE01D8F4A
E5BEF07992F88BCF91173B68AC3EA6BC
E7399EDE401DA1BACB3D2059A45F0763

Conclusion and response

These evasion tricks produce a real challenge for defenders. Although security is always a seesaw battle, we need to stay ahead of the bad guys. This case also highlights the fact that in today’s computing environment, no single security product (whether network-, endpoint-, or sandbox-based) can stop all threats. For this type of threat, our sandbox-based Advanced Threat Defense and Host Intrusion Prevention are ideal choices. (And if you haven’t patched the Sandworm vulnerability, you’d better get to it.) McAfee AntiVirus provides detections for the two campaigns we discussed, including both the “plain” and “encrypted” exploits.

Furthermore

Speaking of Office security, we will make a presentation at this year’s Black Hat USA 2015 security conference in Las Vegas in August. We will present some of our original, cutting-edge research on the important OLE feature in Office. We want to help the community understand the risk of Office OLE and better protect users from threat actors.

Special thanks to Bing Sun and Stanley Zhu of Intel Security for their valuable input.

Apps to Get Kids Offline and Outside this Summer

It’s likely to be the first question you get after telling your kids to turn off their phones (for the zillionth time) this summer. If you haven’t gotten it yet, just wait. Wait. A little longer . . . okay . . . and there it is!

“What am I supposed to do?!”

That’s your cue to smile and say, “Well, I’m glad you asked.”

We found a few boredom-busting apps to put in your arsenal to help make the last month of summer more than SnapChat and Instagram.

Just a few: 

Wannado app includes a list of events and activities going on in your area, many of which are free. You’ll find activities like music concerts, movies in the park, museum events, stage shows, dinner theatres, festivals, and fairs. Other apps in this family of to-dos include Eventbrite, Time to Enjoy, Gravy, and Goby. (Free, iOS, Android)

AllTrails app includes over 50,000 hiking and biking trails around the U.S. Look up some trails near you and go! (Free, iOS, Android)

Chimani app includes National Parks in the U.S. as well as an overview of historical data and attractions. (Free, iOS, Android)

AllStays app helps you find local camping spots as well as services that rent tents, RVs, and camping supplies. ($9.99, iOS, Android)

Groupon is a well-known coupon site with great deals on area activities. Find tickets to museums, sporting events, shows, and restaurants. Just enter your city and go! (Free, iOS, Android)

Audubon Birds Pro app identifies 821 different bird species. This may be a bit outside the box for your family, but once your kids check out the recorded birdcalls and maps, they may just become bird fans! ($9.99, iOS, Android)

Craftsy app has hours, days, and weeks of how-to videos on everything from jewelry making, cake decorating, photography, woodworking, cooking, painting, you name it. The app includes some free classes but you will have to pay for others. You can also take classes online at craftsy.com. Similar apps: Craftgawker, Guidecentral. (Free, iOS, Android)

Curious app is packed with hours of summer learning. Like Craftsy, you can learn new craft or hobby skills, but Curious ups the learning with tech courses, survival skills, goal setting, even learning to write code! You can also dive into history, math, a language, or learn how to do a budget. The app is $4.99 a month, but you can try it free for 30 days. It’s available on iOS and has an online site at curious.com.

Skyguide app makes it easy to study the stars on a beautiful summer night. Grab a blanket and have hours of fun locating constellations and learning about the wonderland overhead. ($1.99, iOS, Android)

What are your family’s favorite adventure/learning apps? Please share below!

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @IntelSec_Family. (Disclosures).

Ease of Buying Ransomware Fuels Affiliate Program

For several weeks after we released the McAfee Labs Threats Report, May 2015, in which we discussed the topic of ransomware in depth, we frequently saw the same questions: “Why is ransomware increasing, and why is it so successful?”

In our report we offered a few answers to this question. We’d like to zoom in a bit more on one of them: the ease of getting ransomware and how the affiliate program works.

A ransomware author starts an affiliate program to earn money with as little risk as possible. How does that work? An affiliate buys an interest in a ransomware campaign. Usually we see a maximum of 8 to 10 affiliates because more would likely overlap their campaigns and target the same countries. The revenue split is discussed upfront and embedded in affiliate or distribution servers. These are the hidden servers that an affiliate logs into to track campaigns and much more.

The revenue-split model differs, but we have seen 80/20 and 75/25 models in which the larger percentage goes to the affiliate and the smaller to the author/owner of the ransomware infrastructure. Why such a low percentage for the author/owner? They bear the least risk. The affiliate, on the contrary, has to create or buy a custom packer/crypter to make the sample less detectable by antimalware solutions, rent a botnet or exploit kit to spread the samples, buy lists of email addresses, detect ways to bypass security solutions, etc.

Besides spreading the threat, the affiliate needs to track the campaigns, monitor the Bitcoin wallets for payments, and redistribute these amounts over several wallets before cashing out. The telemetry options in the affiliate/distribution server give an affiliate information on how successful a campaign is and which countries pay the best. In some cases we have even seen the exact number of files and total file size encrypted on a victim’s machine. This telemetry data is very useful to determine, for example, which language to support in the next release (because country X pays well). In the past, after payment of the ransom, the private key was not always received. This hardly happens today; ransomware authors want to keep their reputations healthy.

Here’s an anecdote about language support. In a recent underground market, one author announced support for Russian in his ransomware. Shortly thereafter, the author received a few nasty comments asking why he would target Russian-speaking countries with his ransomware.

Whenever the big guys make money, there are always others who want to make a few dollars. However, they don’t see the (personal) damage, disruption, and financial loss they cause with their actions. A few hours of research on forums and market places on the Deep Web reveal a lot of people offering their services or code to create ransomware. Here are a few:

A group of Russian hackers offering their services:

[Screenshot: underground forum advertisement]

Another author offered ransomware:

[Screenshot: marketplace listing for the ransomware]

The marketplace data of this advertisement revealed that this particular package had already sold 16 times since April, and the average price was around US$34.

An example of Multilocker:

[Screenshot: Multilocker advertisement]

One advertisement demonstrates the ambition of the author: “Let’s kidnap the planet!”

We are just scratching the surface of the possibilities of today’s ransomware. We have seen attempts on mobile devices, but restoring files from a phone backup or the cloud is easy and is enabled by default once you connect your phone to your computer or the Internet. In the Intel Security Malware Operations Labs we are working with different scenarios and possible ransomware variants that we expect to surface in a short time. Our goal is to protect our customers from those threats. Intel Security not only operates on the detection and prevention of ransomware, but we are also heavily involved in working with law enforcement and other organizations to combine our forces and battle against ransomware.

Dridex Best Practices

Limiting the exposure of your enterprise to Dridex-type attacks and protecting it against them can be done at several interception levels (files, registry, URLs and IP addresses) through several technologies across the Intel Security product lines. Protecting against such extremely volatile malicious code requires a multi-level approach and coordination between the different tools.

For full details on DRIDEX and the downloader that accompanies it:

  1. https://kc.mcafee.com/corporate/index?page=content&id=PD25689 – W97M/Downloader
  2. https://kc.mcafee.com/corporate/index?page=content&id=PD25982 – Dridex

At your endpoints:

At the endpoint level it is essential to set up and enable reputation-based detection through Global Threat Intelligence on all the technologies in use.

Given how DRIDEX code behaves, it is also possible to enable detection rules in the Access Protection feature of VirusScan Enterprise.

For more details on the steps to follow to set up Access Protection blocking or alerting rules:

How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console

How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

DRIDEX exhibits a behavior in which it copies itself into the administrator’s Application Data directory, using the term Edge or edg plus a random value (shown as [random.hex] below). Here are examples:

Win XP:

C:\Documents and Settings\Administrator\Application Data\Local Settings\edge or edg[random.hex].exe

Win 7:

C:\Users\Administrator\Appdata\local\edge or edg[random.hex].exe

Users can thus use an Access Protection rule to restrict or audit the creation of new files or directories:

Select “New files being created” and add the following information under “File or folder name to block”:

  • [OS installed drive]\Documents and Settings\[administrator]Application Data\Local Settings\edge or edg[random.hex].exe

[random.hex] can be replaced by “*” or by something more specific, which gives, for example, *.tmp or edge123.tmp.

Example Access Protection Rules

Windows 7: [screenshot]

Windows XP: [screenshot]

For the dropped DLL: [screenshot]

DRIDEX components can also be blocked via Host Intrusion Prevention:

  • To blacklist an application with a custom Host Intrusion Prevention (Host IPS) signature: KB71329.
  • To block a binary through a rule: KB71794.
  • To create a rule that protects against hooking between executables: KB71794.

*** Disclaimer: Usage of *.* in access protection rules will prevent all types of files from running and being accessed from that specific location. If specifying a process path under “Processes to Include”, the use of wildcards for Folder Names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.
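Two host-side observations on this page lend themselves to a simple detection: the DRIDEX drop path just described (edge or edg plus a hex value under the user’s Application Data or AppData\Local directory) and, from the encrypted Office post earlier on this page, rundll32.exe being used to call an export of a DLL dropped under AppData\Roaming. The following is an added example, not code from this post, from McAfee, or from any of its products; the event schema, the user name alice, the .tmp alternative taken from the edge123.tmp remark, and the generalization of the SearchCache.dll case into “any rundll32 DLL under a user profile” are assumptions.

```python
# Added example, not from the McAfee post: host-based checks for two
# behaviors this page describes, run over constructed endpoint events.
from __future__ import annotations
import re
from dataclasses import dataclass

# Dridex drop path from the post: "edge" or "edg" plus a random hex value,
# under Application Data\Local Settings (XP) or AppData\Local (Win7).
# The .tmp alternative follows the post's "*.tmp or edge123.tmp" remark.
DRIDEX_PATH = re.compile(
    r"""^[a-z]:\\(?:documents\ and\ settings|users)\\[^\\]+\\
        (?:application\ data\\local\ settings|appdata\\local)\\
        edge?[0-9a-f]+\.(?:exe|tmp)$""",
    re.IGNORECASE | re.VERBOSE,
)

# Heuristic (an assumption, generalized from the SearchCache.dll case in the
# encrypted-Office post): rundll32 loading a DLL from under AppData\Roaming.
RUNDLL32_ROAMING_DLL = re.compile(
    r"""^"?(?:[a-z]:\\windows\\(?:system32|syswow64)\\)?rundll32\.exe"?\s+
        "?(?P<dll>[a-z]:\\users\\[^\\"]+\\appdata\\roaming\\[^",]+\.dll)"?
        ,(?P<export>\S+)""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class Event:
    kind: str    # "file_create" or "process_start" (constructed schema)
    detail: str  # the created path, or the full command line


@dataclass
class Finding:
    rule: str
    detail: str
    note: str


def check_event(ev: Event) -> Finding | None:
    """Return a Finding when the event matches one of the two patterns."""
    if ev.kind == "file_create" and DRIDEX_PATH.match(ev.detail):
        return Finding("dridex-dropper-path", ev.detail,
                       "edge/edg + hex executable written under the user profile")
    if ev.kind == "process_start":
        m = RUNDLL32_ROAMING_DLL.match(ev.detail)
        if m:
            return Finding("rundll32-user-profile-dll", ev.detail,
                           f"rundll32 called export {m['export']} in {m['dll']}")
    return None


def scan(events: list[Event]) -> list[Finding]:
    """Apply check_event to every event and keep the hits, in input order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed events; the user name "alice" is a placeholder.
SAMPLE_EVENTS = [
    Event("file_create", r"C:\Documents and Settings\Administrator\Application Data\Local Settings\edge1c9f.exe"),
    Event("file_create", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    Event("process_start", r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"),
    Event("file_create", r"C:\Users\Administrator\AppData\Local\edg7f3a.exe"),
    Event("process_start",
          r'C:\Windows\system32\rundll32.exe "C:\Users\alice\AppData\Roaming\SearchCache.dll",_flushfile@16 '
          r"C:\Users\alice\AppData\Local\Temp\update.dat"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}\n    {f.note}")
```

The Access Protection rule above blocks or audits the drop path at write time; a check like this one is the equivalent for an EDR or SIEM feed, and the rundll32 pattern is deliberately broader than the one sample, so expect to tune it against legitimate per-user software before alerting on it.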

At the mail gateways:

There is no need to spend too much time on the basics, but reinforcing users’ vigilance remains key:

  • Do not open attachments from unknown senders
  • If an email seems too good to be true, overly salesy, or strange, delete it
  • No organization will ever ask you for your bank details

Tightening the rules in the mail gateways also helps limit the impact of DRIDEX through:

  • Blocking executables as attachments
  • Enabling the option: Find all macros and treat as infected

Finally, train your users with tools such as: https://phishingquiz.mcafee.com/

New technologies:

Note that the Threat Intelligence Exchange technology combined with Advanced Threat Defense lets you protect your employees from DRIDEX-type attacks. These technologies also let you consume IOCs from other sources to raise your overall level of protection: https://www.youtube.com/watch?v=Wxvizasvj8k&feature=player_embedded

In TIE, the rule “Malware Dropped by Infected Microsoft Office Documents” allows the threat to be anticipated; more information at: https://community.mcafee.com/docs/DOC-6908

Finally, Application Control provides optimal coverage on the machines.

Conclusion:

Even though the techniques used by DRIDEX are not new, it is always hard to block every variant with an approach based solely on signatures. Enabling GTI and submitting samples significantly improve the coverage rate. The best approach is to use Connected Security through TIE and ATD to work on behavior and discover patient zeros, so as to protect the rest of the infrastructure through intelligence sharing: https://community.mcafee.com/docs/DOC-6462

Thanks to my colleagues Emmanuel Flores, Vinoo Thomas and John Health.

AshleyMadison Hack Demonstrates Power of Scam Artists

Last month, cybersecurity journalist Brian Krebs broke the news that adult site AshleyMadison.com was hacked. This breach risked the exposure of 32 million users’ personal information, including email addresses, physical addresses, and credit card information. It comes as no surprise that this news made headlines immediately and the resulting aftermath has kept it in the news almost every day since then.

Spammers have a history of using current events to their advantage and the Ashley Madison scandal is ripe for such exploitation. Based on our tracking of spam emails designed to exploit its customers, Intel Security’s Messaging Security Team has put together a list of samples seen in the wild.

Sample email subjects:

  • Ashley Madison hacked, is your spouse cheating?
  • Ashley Madison records leak
  • Hacked: Emails by Ashley Madison
  • How to Check if You Were Exposed in Ashley Madison Hack
  • How to search the Ashley Madison leak

Sample “From” addresses, mostly spoofing news outlets to dupe readers into believing the sources are legitimate:

  • “Ashley Madison Alert” <info@baizetwit.com>
  • “CNN News” <info@baizetwit.com>
  • “CBS News” <info@baizetwit.com>
  • “Fox News” <info@baizetwit.com>

Upon opening the spam, a user sees this:

[Screenshot: the spam email as rendered]

The link embedded in the samples follows this pattern:

hxxp://mx7c68.baizetwit.com/random_string/random_string/random_string

The URL redirects to the following link, which appears to deny connections from security vendor IP space:

20150825 Ashley 2.jpg

By using a free web proxy, we can follow the campaign through to the next layer of redirection:

20150825 Ashley 3.jpg

The preceding .html document contains an HTTP refresh to accomplish the final layer of redirection, ultimately leading to a “gaming wonderland” toolbar download:

20150825 Ashley 4.jpg

At this point, when the user installs the toolbar, the spammer monetizes his or her efforts through an affiliate program:

20150825 Ashley 5.jpg

We also identified a second spam campaign leveraging a more direct approach to monetizing the stolen data. In this case, spammers have created several look-alike domains to increase the perception of legitimacy. WHOIS lookups confirm that either the domains do not exist or were created on or after August 23.

Here are a few observed sending addresses:

  • bounce@ashleymadisondata.co.uk
  • bounce@ashleymadisondata.info
  • bounce@ashleymadisonnews.net
  • bounce@ashleymadisonteam.com

Sample subjects associated with this campaign:

  • Your Ashley Madison Account
  • Your Ashley Madison Profile
  • Ashley Madison

With this variant, there is no convoluted trail of web links to monetize the topic matter. Instead, we see a clear attempt at extortion, threatening to notify friends and family of the Ashley Madison account holder unless funds are paid into a Bitcoin account. Here is the text contained within the email:

Your data was leaked in the recent leaking of Ashley Madison and I now have your information. I have also used your info to find your Facebook page, using this I now have a direct line to contact all your friends and family.

If you would like to stop me from sharing this dirt with all of your known friends and family (and perhaps even your employers too?) then you need to send exactly 1.05 bitcoins to the following BTC address.

Bitcoin Address:
112ZTAjYSBqgppj1HB5ewFsHp4ZXXXXXXXX

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings on Facebook so no one can view your friends/family list. So go ahead and
update that now (I have a copy if you don’t pay) to stop any future e-mails like this.

You can buy Bitcoin’s using online exchanges easily. If the Bitcoin is not paid within 3 days of 23 – August – 2015 then my system will automatically message all your friends and family. The bitcoin address is unique to YOU.

Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?

Sincerely,
Duran

With both campaigns, no evidence was found indicating that recipients were targeted using leaked data, so the risk is not limited to Ashley Madison clientele. Our research indicates that even the idly curious are at risk. Spammers have a history of using current events to motivate victims to divulge personal information they shouldn’t, visit a risky website, and even unwittingly install a virus. Just as scam artists have taken advantage of natural disasters to dupe people into giving money to them, scammers are taking advantage of this social turmoil as well.
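As an added example (not part of the original post), a small triage routine a mail-filtering team could run over incoming messages to flag the traits described above: a news-outlet display name on an unrelated sending domain, a brand look-alike domain, and a Bitcoin extortion demand. The sample messages, the Bitcoin address placeholder, NEWS_BRANDS and OFFICIAL_DOMAINS are constructed assumptions for this example.

```python
import re
from email.utils import parseaddr

# Constructed sample messages modelled on the two campaigns described in the post.
# They are not captured emails; the Bitcoin address is a made-up placeholder.
SAMPLES = [
    {"from": '"CNN News" <info@baizetwit.com>',
     "subject": "Ashley Madison hacked, is your spouse cheating?",
     "body": "Full story: hxxp://mx7c68.baizetwit.com/abc/def/ghi"},
    {"from": "bounce@ashleymadisondata.co.uk",
     "subject": "Your Ashley Madison Account",
     "body": ("I now have your information. Send exactly 1.05 bitcoins to the "
              "following BTC address.\nBitcoin Address:\n"
              "1ABCDEFGHJKMNPQRSTUVWXYZ23456789\n")},
    {"from": '"Weekly Digest" <news@example.com>',
     "subject": "This week in security",
     "body": "Nothing suspicious here."},
]

# Display-name brands the post shows being spoofed, mapped to a token that a
# genuine sending domain for that outlet would contain (assumption for this example).
NEWS_BRANDS = {"cnn": "cnn", "cbs news": "cbs", "fox news": "fox"}
# Brand impersonated by the look-alike domains; the official domain is an assumption.
BRAND = "ashleymadison"
OFFICIAL_DOMAINS = {"ashleymadison.com"}
# Legacy Bitcoin address shape: base58 alphabet, 26-35 characters, leading 1 or 3.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def sender_parts(from_header):
    """Split a From: header into (display name, sending domain), both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def triage(msg):
    """Return the sorted list of campaign traits found in one message."""
    tags = set()
    name, domain = sender_parts(msg["from"])
    subject = msg["subject"].lower()
    body = msg["body"].lower()

    # Campaign 1: the display name claims a news outlet but the sending domain
    # carries no trace of that outlet (e.g. "CNN News" <info@baizetwit.com>).
    for brand, token in NEWS_BRANDS.items():
        if brand in name and token not in domain:
            tags.add("spoofed_news_brand")

    # Campaign 2: the domain contains the brand name but is not the official one
    # (ashleymadisondata.co.uk, ashleymadisonteam.com, ...).
    if BRAND in domain and domain not in OFFICIAL_DOMAINS:
        tags.add("lookalike_domain")

    # Both campaigns: the breach is the lure, sent from a non-official domain.
    if "ashley madison" in subject and domain not in OFFICIAL_DOMAINS:
        tags.add("brand_lure")

    # Extortion variant: a payment demand plus something shaped like a BTC address.
    if "bitcoin" in body and BTC_RE.search(msg["body"]):
        tags.add("bitcoin_extortion")

    return sorted(tags)


def triage_all(msgs=SAMPLES):
    """Map each message's subject to its triage tags; an empty list means no trait hit."""
    return {m["subject"]: triage(m) for m in msgs}


if __name__ == "__main__":
    for subj, tags in triage_all().items():
        print(f"{'FLAG' if tags else 'ok  '} {subj!r}: {tags}")
```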

Intel Security customers are protected from these threats. Anyone who sees one of these campaigns in his or her inbox should submit the email to the IT help desk for analysis and delete the message before curiosity wins out over suspicion.

The post AshleyMadison Hack Demonstrates Power of Scam Artists appeared first on McAfee.

Best practices for preventing Dridex infections

Mitigating the Dridex threat at multiple levels (file, registry, URL, and IP address) can be achieved at various layers of McAfee security products. Browse the product guidelines available here (click Knowledge Center, then select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described below in the Characteristics and symptoms section.

We have published several documents regarding Dridex and its variants:

  1. https://kc.mcafee.com/corporate/index?page=content&id=PD25689 – W97M/Downloader
  2. https://kc.mcafee.com/corporate/index?page=content&id=PD25982 – Dridex

Basic rules on handling emails:

Email from unknown senders should be treated with caution. If an email looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs.

Opening file attachments, especially from unknown senders, harbors risks. Attachments should first be scanned with an antivirus program and, if necessary, deleted without being opened.

Never click links in emails without checking the URL. Many email programs permit the actual target of the link to be seen by hovering the mouse over the visible link without actually clicking on it (called the mouse-over function).

Configuring Access Protection in VirusScan Enterprise

Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console

How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Dridex usually copies itself into the Administrator’s Application Data folder, using the name edge or edg followed by random hexadecimal digits, as in the following examples:

On Windows XP:

C:\Documents and Settings\Administrator\Application Data\Local Settings\edge[random.hex].exe or edg[random.hex].exe

On Windows 7:

C:\Users\Administrator\AppData\Local\edge[random.hex].exe or edg[random.hex].exe

Users can configure and test Access Protection rules to restrict the creation of new files and folders in these locations when there is no other legitimate use for them.

Select New files being created and add the following file location under File or folder name to block:

  • [OS installed drive]\Documents and Settings\[administrator]\Application Data\Local Settings\edge[random.hex].exe or edg[random.hex].exe

[random.hex] can be replaced with a ‘*’; for example, you can enter either edge*.tmp or edge123.tmp.
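As an added example, not from the original post or from McAfee product documentation, a path-matching check that mirrors the Access Protection rule above so the same drop locations can be hunted across every user profile. The folder layouts are the ones stated above (plus the reverse order of the two XP folders, which is how Windows XP actually lays out Local Settings\Application Data); the script and its function names are assumptions.

```python
import os
import re

# File-name shape from the post: "edg" or "edge" followed by random hex digits.
# The post's wildcard example also uses .tmp, so both extensions are accepted.
DROP_NAME_RE = re.compile(r"^edge?[0-9a-f]+\.(?:exe|tmp)$", re.IGNORECASE)

# Parent folders (lower-cased, relative to the user profile) in which the post
# says Dridex drops its copy.
DROP_DIRS = {
    ("appdata", "local"),                    # Windows 7: <profile>\AppData\Local
    ("application data", "local settings"),  # Windows XP, as written in the post
    ("local settings", "application data"),  # Windows XP: %LOCALAPPDATA% on XP
}


def is_dridex_drop_path(path):
    """True if the path has the drop-location shape, e.g.
    C:\\Users\\Administrator\\AppData\\Local\\edge1a2b3c.exe.
    Only the string is inspected, so this runs on any OS."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    if len(parts) < 3 or not DROP_NAME_RE.match(parts[-1]):
        return False
    return tuple(parts[-3:-1]) in DROP_DIRS


def find_suspect_files(paths):
    """Filter an iterable of full paths down to those matching the drop pattern."""
    return sorted(p for p in paths if is_dridex_drop_path(p))


def scan_profiles(profiles_root):
    """Walk a profiles root (C:\\Users or C:\\Documents and Settings) and return hits."""
    return find_suspect_files(
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(profiles_root)
        for name in files
    )


if __name__ == "__main__":
    # Constructed sample paths (not from a real system) to show the matcher in action.
    sample = [
        r"C:\Users\Administrator\AppData\Local\edge1a2b3c.exe",
        r"C:\Documents and Settings\Administrator\Local Settings\Application Data\edg7f.exe",
        r"C:\Users\Administrator\AppData\Local\Microsoft\edge1a2b3c.exe",  # wrong folder
        r"C:\Users\Administrator\AppData\Local\edgeXYZ.exe",                # not hex
    ]
    for hit in find_suspect_files(sample):
        print("suspect:", hit)
```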

Example Access Protection Rules

Windows 7:

[Image: Access Protection rule for Windows 7]

Windows XP:

[Image: Access Protection rule for Windows XP]

For the dropped DLL:

Windows XP:

[Image: Access Protection rule for the dropped DLL on Windows XP]

Windows 7:

[Image: Access Protection rule for the dropped DLL on Windows 7]

Configuring Host Intrusion Prevention

  • To blacklist applications using a Host Intrusion Prevention (Host IPS) custom signature, refer to KB71329.
  • To create an Application Blocking rules policy that prevents the binary from running, refer to KB71794.
  • To create an Application Blocking rules policy that prevents a specific executable from hooking any other executable, refer to KB71794.
  • To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650.

*** Disclaimer: Using *.* in Access Protection rules will prevent all types of files from running and being accessed from that specific location. If a process path is specified under “Processes to Include”, the use of wildcards in folder names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.

New technologies:

Note that McAfee Threat Intelligence Exchange (TIE), working together with Advanced Threat Defense (ATD), can give you a very efficient level of protection against Dridex variants. In addition, through these technologies you can use IOCs or IOAs to find other infection sources or the patient zero in your network:

https://www.youtube.com/watch?v=Wxvizasvj8k&feature=player_embedded

With TIE, the rule Malware Dropped by Infected Microsoft Office Documents gives you a way to proactively scan for and detect Dridex behaviors: https://community.mcafee.com/docs/DOC-6908

In addition, McAfee Application Control gives you full protection against Dridex.

Conclusion:

Even though Dridex infection techniques are not new, it is always tricky to block all variants using only a signature-based approach.

Enabling GTI and submitting samples are still very efficient ways to increase the global detection level. However, the best approach is to build a Security Connected platform and connect technologies such as TIE and ATD to work on behaviors and code analysis: https://community.mcafee.com/docs/DOC-6462

This approach also gives you the ability to share intelligence between the different components in your network and, in this way, to increase your global security posture.

Thanks to my colleagues, Emmanuel Flores, Vinoo Thomas and John Health.

The post Best practices for preventing Dridex infections appeared first on McAfee.

Intel Security Looks Back Five Years

August 19 marks the fifth anniversary of the announcement that Intel would acquire McAfee. For those of us who have been here since that day, it’s been an incredible ride.

In the McAfee Labs Threats Report: August 2015, published today, we look back at those past five years and compare what we expected to happen with what actually happened in the cybersecurity landscape. Twelve key people who have been here during this period share their unique perspectives around such topics as the evolution of actors, their behaviors, and their targets; how the economics of the cybercrime marketplace have changed; and how the cybersecurity industry has responded to evolving threats. It’s a great read for anyone interested in cybersecurity history.

During the development of this article, some insights inevitably landed on the editor’s floor. In the weeks ahead, we will discuss additional findings from our interviews. Watch for those blog posts here.

[Image: 2015 Q2 Threats Report cover]

In the August report, we also discuss data exfiltration. We examine attacker types, their motivations, and their likely targets; the methods and mechanisms they use to steal data; and policies businesses should embrace to better detect exfiltration. It’s a very interesting examination of this critical step in the cyberattack process.

And if you are interested in what security professionals have to say about top data exfiltration categories and techniques, their major concerns about data loss, and popular tools companies use to prevent data exfiltration, I encourage you to attend a webinar on September 16 during which we will present findings from a recent CISO survey.

Finally, we include a short piece in the August report on GPU attacks. This topic was prompted by public discussions about the viability of this form of cyberattack. The good news is that it remains very difficult to use GPUs for any meaningful form of cyberattack.

You can download the McAfee Labs Threat Report: August 2015 here. Happy reading.

The post Intel Security Looks Back Five Years appeared first on McAfee.

Malware Trend Continues Relentless Climb

Malware development continues to remain healthy. Intel Security Group’s McAfee Labs Threat Report: August 2015 shows malware’s quarterly growth at 12% for the second quarter of 2015. The overall count of known unique malware samples has reached a mesmerizing 433 million.

[Image: 2015 Q3 Total Malware]

Oddly, this confirms a very stable trend. For many years malware detection rates have remained relatively consistent, at about a 50% annual increase.

Which makes absolutely no sense!

Cybersecurity is an industry of radical changes, volatile events, and chaotic metrics. The growth of users, devices, data, new technologies, adaptive security controls, and dissimilar types of attacks differ each year. Yet the numbers of malware being developed plods on with a consistent and predictable gain.

What is going on?

I believe we are witnessing a macro trend that incorporates the natural equilibrium occurring between symbiotic adversaries.

Let me jump off topic for a moment. Yes, cyberattackers and defenders have a symbiotic relationship. There, I said it. Without attacks, security would have no justification for existence. Nobody would invest, and most, if not all, of the security we have today would not exist. Conversely, attackers need security to keep their potential victims healthy, online, and valuable as targets. Just as lions need a healthy herd to hunt to avoid extinction, attackers need defenders to ensure computing continues to grow and be more relevant. If security were not present to hold everything together, attackers would decimate systems and in short order nobody would use them. The herd would disappear. So a healthy electronic ecosystem has either a proper balance of both predator and prey, or a complete lack of both.

Back to the trend in malware growth. I believe the steady increase in malware samples is a manifestation, at a high level, of the innumerable combined maneuverings of micro strategies and counter tactics. As one group moves for an advantage, the other counters to ensure they are not defeated. This continues on many fronts, all the time. There’s no clear winner, but no complete loser either. The players don’t consciously think this way; instead it is simply the nature of the symbiotic adversarial relationship.

I have a malware theory and only time will tell if this turns into a law or dust. My theory is “malware rates will continue to steadily increase by 50% annually, regardless of the security or threat maneuvering.” This reflects the adversarial equilibrium between attackers and defenders. Only something staggering that would profoundly upset the balance will change that rate. If my theory is correct, we should break the half-billion mark in Q4 2015.

So I believe this trend is here to stay. It also provides important insights to our crazy industry and why we are at this balance point.

Even in the face of new security technologies, innovative controls, and improved configurations, malware writers continue to invest in this method because it remains successful. Malware continues to be the preferred method to control and manipulate systems, and to access information. It just works. Attackers, if nothing else, are practical. Why strive to develop elaborate methods when malware gets the job done? (See my rants on the path of least resistance for more on understanding the threats.)

Defensive strategies are not slowing down malware growth. However, this does not mean defensive tools and practices are worthless. I suspect the innovation in security is keeping attacks somewhat in check, but not slowing them enough to reduce the overall growth rates. Without continued investment, we would likely be overrun. We must remain vigilant in our defense against malware.

The rate of increase is a reflection on the overall efficacy of security. Malware must be generated at a rate of 150% per year, to compensate for security intervention and achieve the desired success. Flooding defenders is only one strategy, as attackers are also demanding higher-quality, feature-rich, smarter, and more timely weapons.

Malware must land somewhere in order to operate and do its dirty deeds. PCs, tablets, phones, servers, cloud and virtual machine hosting systems—soon to be joined by droves of devices from the Internet of Things—are all potential hosts. Thus endpoints will continue to be heavily targeted and defenses will continue to be challenged on this crucial battleground. Ignore anyone who claims host-based defenses are going away. The truth is just the opposite.

At a rate of more than 300,000 new unique samples created per day, I speculate much of the malware is being generated automatically. It is interesting to see on the defensive side that antimalware companies are beginning to apply machine-learning, community reporting, and peer-validation to identify malicious code. These methods show promise. But just wait: Malware writers can use the same type of machine-learning and community reporting to dynamically write code that either subverts detection or takes advantage of time delays in verification. Malware code can quickly reinvent itself before it is verified and neutralized. This struggle should be an interesting arms race. Can my malware theory sustain itself? I suspect this battle, although potentially significant, may be exactly what the malware model anticipates. The malware metronome ticks on.

Twitter: @Matt_Rosenquist
LinkedIn: http://linkedin.com/in/matthewrosenquist

The post Malware Trend Continues Relentless Climb appeared first on McAfee.

Ransomware a Favorite of Cybercriminals

Cybercriminals have fully embraced ransomware. This specific form of malware encrypts files and extorts money from victims, and is a favorite among criminals. Ransomware is easy to develop, simple to execute, and does a very good job of compelling victims to pay to regain access to their precious files or systems. Almost anyone and every business is a potential target. More important, people are paying. Even law enforcement organizations have fallen victim, only to concede defeat and pay the criminals to restore access to their digital files or computers.

[Image: 2015 Q3 New Ransomware]

Ransomware is on the rise in 2015. Intel Security Group’s McAfee Labs Threat Report: August 2015 shows new ransomware growth at 58% for the second quarter of 2015.

In just the first half of 2015, the number of ransomware samples has exploded—with an almost 190% gain. Compare that to the 127% growth for the whole of 2014. We predicted a spike in such personal attacks for this year, but I am shocked at how fast code development has been accelerated by the criminals.

Total ransomware has quickly exceeded four million unique samples in the wild. If the trend continues, by the end of the year we will have more than five million types of this malware to deal with.

[Image: 2015 Q3 Total Ransomware]

Cybercriminals have found a spectacular method of fleecing a broad community of potential victims. Ransomware uses proven technology to undermine security. Encryption, the long-time friend of cybersecurity professionals, can also be used by nefarious elements to cause harm. Encryption is just a tool. How it is wielded determines whether it is beneficial or damaging. In this case, ransomware uses encryption to scramble selected data or critical system files in a way recoverable only by a key the attacker possesses. The locked files never leave the system, but are unusable until decrypted. Attackers then offer to provide the key or an unlocking service for a fee. Normally in the hundreds of dollars, the fee is typically requested in the form of a cryptocurrency such as Bitcoin. This makes the payment transaction irrevocable and makes it almost impossible to trace who is on the receiving end.

This type of an attack is very personal in nature and specific in its targets. It may lock treasured pictures, game accounts, financial records, legal documents, or work files. These are important to us personally or professionally and their loss provides a strong motivator to pay the criminals.

Payment simply encourages attackers to reuse this method and adds resources for their continued investment in new tools and techniques. The technical bar for entry into this criminal activity has fallen as malware writers are making this type of attack easier for anyone to attempt. In June, the author of the Tox variant offered ransomware as a service for other criminals to distribute. The variant handles all the back-end transactions and provides the author a 20% skim of ransoms being paid. Fortunately, the author was influenced to a better path after being exposed by Intel Security. More recently, an open-source kit, Hidden Tear, was developed for novices to create their own fully functioning ransomware code. Although not too sophisticated, Hidden Tear marks a watershed moment—showing just how accessible this type of malware has become. I expect future open-source and software-as-a-service efforts to rapidly improve in quality, features, and availability.

Ransomware will continue to be a major problem. More sophisticated cybercriminals will begin to integrate with other exploitation techniques such as malvertizing ad services, malicious websites, bot uploads, fake software updates, waterhole attacks, spoofed emails, personalized phishing, signed Trojan downloads, etc. Ransomware will grow, more people and businesses will be affected, and it will become more difficult to recover without paying the ransom. The growth in new ransomware samples is an indication of things to come.

Twitter: @Matt_Rosenquist
Intel IT Peer Network: My Previous Posts
LinkedIn: http://linkedin.com/in/matthewrosenquist

The post Ransomware a Favorite of Cybercriminals appeared first on McAfee.

Asking the right questions in IT Security?

Trying to learn more about cyber security, I have been reading articles online and I keep running into a constant theme: how to keep a business’ most valuable asset, its information, safe. Many of these articles and experts keep saying the same thing and mentioning the same topics over and over: are you in compliance, are you vulnerable, are you secure, and are you compromised? I even read an article that mentioned that CISOs typically spend 70% of their time on ways to protect their assets. As well, I keep having the same conversation, after conversation, with clients and prospects, and they repeat the theme. It’s like a broken record! Let me answer these questions for you.

  • Are you in compliance? We have concluded that it is more probable than not… With regulations changing like the direction of the wind, how can you be 100% sure whether you are compliant?
  • Are you vulnerable? YES! If someone REALLY wants that information… they are going to get it (two words: user error).
  • Are you secure? No (see above).
  • Are you compromised? Probably, and you do not even know it.

Shouldn’t the more appropriate questions be: what do you do after you get hit by an attack, how fast can you respond to defend against an attack, how quickly can you lock down the ‘bad guys’ once they get in, and what happens once the assets leave your network? My point is that I believe we are not asking the right questions. We as an industry are spending more time on traditional methods of security, in a world where attacks are created faster than a Bugatti Veyron Super Sport can go 0-60 mph (2.4 seconds), rather than solving real-world problems and looking for proactive solutions. Attacks are morphing faster than ever, and now they are published publicly; the ability to grab an attack, inject a ‘morphing code’, and release it into the wild to create havoc is a point and click away.

[Image: banner-threat-report-aug-2015]

There are 345 threats every minute, which is close to 6 every second; the McAfee Labs malware zoo grew 12% from Q1 2015 to Q2 2015, and the number of new ransomware samples grew 58%, from 773,000 in Q1 to 1.2 MILLION in Q2. Think about that for a minute… over 150 threats were created in the time it took you to read that statement. Also think about this: 6.7 million attempts per hour were made to entice our customers into connecting to risky URLs (via emails, browser searches, etc.), 19.2 million infected files per hour were exposed to our customers’ networks, 7 million PUPs per hour attempted installation or launch, and 2.3 million attempts per hour were made by our customers to connect to risky IP addresses, or by those addresses to connect to customers’ networks. (MFE Labs August 2015 Threats Report) How fast is your network getting attacked? Way too fast!

Congratulations though, you are taking the first step! You are at least thinking about the questions, even if you just read them above and are more than likely in the middle of defending yourself against an attack right now. One of the biggest recommendations I can give is: get involved. Join user groups (if you do not know of one, start one), get out to local conferences, talk to others in your vertical, or at the very least meet with anyone and everyone who calls and ask them where they get their knowledge from. If you want help on where to start, just ask. I may not know everything, but I bet I know a guy. “Knowing the enemy enables you to take the offensive, knowing yourself enables you to stand on the defensive.” Sun Tzu

The post Asking the right questions in IT Security? appeared first on McAfee.

Signed Malware Continues to Undermine Trust

The practice of using maliciously signed binaries continues to grow. Digitally signing malware with legitimate credentials is an easy way to make victims believe that what they are downloading, seeing, and installing is safe. That is exactly what the malware writers want you to believe. But it is not true.

[Image: 2015 Q3 Total Malicious Signed Binaries]

Through the use of stolen or counterfeit signing credentials, attackers can make their code appear trustworthy. This tactic works very well and is becoming ever more popular as a mechanism to bypass typical security controls.

The latest numbers from Intel Security Group’s McAfee Labs Threats Report: August 2015 reveal a steady climb in the total number of maliciously signed binaries found in use on the Internet. The report shows a disturbingly healthy growth rate, with total numbers approaching 20 million unique samples detected.

Although it takes extra effort to sign malware, it is worthwhile for the attackers. No longer an exclusive tactic of state-sponsored offensive cyber campaigns, signed malware is now used by cybercriminals and professional malware writers, and has become a widespread problem. Signing allows malware to slip past network filters and security controls, and can be used in phishing campaigns. This is a highly effective trust-based attack, leveraging the very security structures initially developed to reinforce confidence when accessing online content. Signing code began as a way to thwart hackers from secretly injecting Trojans into applications and other malware masquerading as legitimate software. The same practice is in place for verifying content and authors of messages, such as emails. Hackers have found a way to twist this technology around for their benefit.

The industry has known of the emerging problem for some time. New tools and practices are being developed and employed. Detective and corrective controls are being integrated into host, data center, and network-based defenses. But adoption is slow—which affords a huge opportunity for attackers.

The demand for stolen certificates is rising, driven by increasing use and partly by an erosion effect of better security tools and practices, which work to reduce the window of time any misused signature remains valuable. Malware writers want a steady stream of fresh and highly trusted credentials to exploit. Hackers who breach networks are harvesting these valuable assets, and we now see new malware possess the features to steal credentials of their victims. A new variant of the hugely notorious Zeus malware family, Sphinx, is designed to allow cybercriminals to steal digital certificates. The attacker community is quickly adapting to meet their needs.

Maliciously signed malware is a significant and largely underestimated problem that undermines the structures of trust which computer and transaction systems rely upon. Signed binaries are much more dangerous than the garden variety of malware. Until effective and pervasive security measures are in place, this problem will grow in size and severity.

Twitter: @Matt_Rosenquist
Intel IT Peer Network: My Previous Posts
LinkedIn: http://linkedin.com/in/matthewrosenquist

The post Signed Malware Continues to Undermine Trust appeared first on McAfee.


Why Ransomware Will Continue to Rise in 2015

[Image: Ransomware]

Be afraid. Seriously. Ransomware is growing up fast, causing painful disruptions across the Internet, and it will get much worse in 2015.

Ransomware is the criminal activity of taking hostage a victim’s important digital files and demanding a ransom payment to return access to the rightful owner. In most cases files are never removed, simply encrypted in place with a very strong digital lock, denying access to the user. If you want the key to restore access to precious family photos, financial documents, or business files, you must pay.

An entertaining and enlightening opinion piece in The New York Times highlighted how an everyday citizen was impacted, the difficulties in paying the ransom, and how professional the attackers’ support structure has become.

Everyone is at risk. Recently, several law enforcement agencies and city governments were impacted. Some of them paid the attackers for their “decrypt service.” This form of digital extortion has been around for some time, but until recently it has not been too much of a concern. It is now rapidly gaining in popularity as it proves an effective way of fleecing money from victims both large and small.

With success comes the motivation to continue and improve. Malware writers are investing in new capabilities, such as Elliptic Curve Cryptography for more robust locks, using the TOR network for covert communications, including customer support features to help victims pay with cryptocurrency, and expanding the technology to target more than just static files.

Attackers are showing how smart, strategic, and dedicated they are. They are working hard to bypass evolving security controls and processes. It is a race. Host-based security is working to better identify malware as it lands on the device; but a new variant, Fessleak, bypasses the need to install files on disk by delivering malicious code directly into system memory. TorrentLocker has adapted to avoid spam filters on email systems. OphionLocker sneaks past controls via web browsing by using malicious advertising networks to infect unsuspecting surfers.

One of the most disturbing advances is a newcomer RansomWeb’s ability to target databases and backups. This opens an entirely new market for attackers. Web databases have traditionally been safe from attacks due to technical complexities of encrypting an active database and the likelihood of good backups, which can be used in the event of an infection. RansomWeb and the future generations that will use its methods will target more businesses. Every person and company on the web could come across these dastardly traps and should be worried.

Cybersecurity Predictions

In this year’s Top 10 Cybersecurity Predictions, I forecast the growth of ransomware and a shifting of attacks to become more personal. The short-term outlook is definitely leaning toward the attackers. In 2015 we will see the likes of CryptoWall, CoinVault, CryptoLocker, RansomWeb, OphionLocker, Fessleak, TeslaCrypt, TorrentLocker, Cryptobit, and others continue to evolve and succeed at victimizing users across the globe. It will take the very best security minds and a depth of capabilities working together to stunt the growth of ransomware.

Security organizations will eventually get the upper hand, but it will take time, innovation, and a coordinated effort. Until then, do the best you can in the face of this threat. Be careful and follow the top practices to protect from ransomware:

  • A layered defense (host, network, web, email, etc.) to block malware delivery.
  • Savvy web browsing and email practices to reduce the inadvertent risk of infection.
  • Be prepared to immediately disconnect from the network if you suspect malware has begun encrypting files.
  • Healthy, regular backups in the event you become a victim and must recover.

Alternatively, if you choose not to take protective measures, I recommend becoming familiar with cryptocurrency transfers and stress management meditation techniques.

Twitter: @Matt_Rosenquist
Intel Communities Site: My Previous Posts
LinkedIn: http://linkedin.com/in/matthewrosenquist

This post was originally published on May 21, 2015, on the Intel communities site.

The post Why Ransomware Will Continue to Rise in 2015 appeared first on McAfee.

Security Sandboxes Challenged by Evolving Malware

Malware is working hard to undermine and punish those who employ security sandboxes. Meanwhile, security innovators are working hard to stay one step ahead.

[Image: sandbox]

Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers. Suspicious files can be placed in a digital sandbox, in which security tools can watch and listen to determine what the code does, whom it communicates with, and whether it plays nice as expected. This helps determine if a file is benign or malicious. The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory that is reinforced to allow malicious files to execute without causing any real damage. It is all under the control and watchful eye of the security tool set. After analysis is complete, the entire digital sandbox is deleted, and any potentially harmful activities and changes disappear with it.

Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates to prosecute the malicious or allow good files to flow. Similar tools are employed by forensic experts to dissect malware and unravel the inner workings. The stratagem has proven worthwhile at confidently detecting dangerous code. So much so that malware writers began embedding features into their software to detect when they have been put in a sandbox. In order to remain elusive, upon detection the code either goes silent, temporarily acts innocently, or takes the preemptive measure of deleting itself, in hopes of avoiding being scrutinized by security researchers.

Security has responded by making sandboxes stealthier, to avoid detection and allow malware to show its true nature in a safe environment. This hide-and-seek game has escalated, with new features being employed on both sides to remain undetected while attempting to discover their counterpart.

In most instances it is a passive contest. That is, until Rombertik. Given the adversarial nature of the industry, nothing stays secure forever, not even security tools. Rombertik takes a different approach and goes on the offensive to cause harm, imposing a discouraging cost on those employing security tools.


Our security colleagues at Cisco have done a great job highlighting the antisandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report.  They show how the creators of Rombertik have taken a divergent path from their more docile predecessors. Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it. Rombertik contains a number of mechanisms to undermine, overflow, and detect sandboxes. Once Rombertik believes it is under the microscope, it attacks. The malware attempts to overwrite the machine’s master boot record or destroy all files in the user’s home folder, with the goal of making the system inoperable after rebooting.

The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics.” It is an insightful report and I strongly recommend reading it.

The idea of a safe area to test suspicious code is not new. The original sandbox was simply an extra PC that could be isolated and completely wiped after the analysis. But that was not a very scalable or terribly efficient practice. The revolution really came when software could create virtual sandboxes as needed. Such environments are quick to create, easy to configure, and simple to delete and start anew. Dozens or even hundreds could be created and be running simultaneously, each testing for malware. But software has some inherent security limitations. Malware can sometimes break out of “jail” and escape the protected sandbox to cause real harm. Plus, the most sophisticated attackers can actually turn the tables to get under the virtual environment—running the security environment in a sandbox managed by the attacker!

This maneuvering gets more complex over time as both sides escalate their tactics through innovation. How much longer can software-created sandboxes remain one step ahead? Nobody is sure.

What we need is a more robust means of building improved sandboxes. Beneath software resides the hardware, which has the advantage of being the lowest part of the stack. You cannot get “under” the hardware and it is much more difficult to compromise than operating systems, applications, and data, which run above. Hardware advances may revolutionize the game with better sandboxes that are more difficult to detect and undermine. I think time will tell, but the move to hardware seems to be where the battle is heading. What cannot be foretold is if changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders in the war of cybersecurity.

 

Twitter: @Matt_Rosenquist
Intel Peer Network: My Previous Posts
LinkedIn: http://linkedin.com/in/matthewrosenquist

This post was originally published on August 11, 2015, on the Intel communities site. 

The post Security Sandboxes Challenged by Evolving Malware appeared first on McAfee.

Japanese Banking Trojan Shifu Combines Malware Tools


This post was prepared with the invaluable assistance of Rakesh Sharma.

McAfee Labs has recently analyzed a newly discovered banking Trojan that combines elements from multiple malware tools. Shifu (“thief” in Japanese) has circulated since April and attacks primarily Japanese banks.

Installation

This malware arrives as a file dropped by other malware or as a file downloaded unknowingly by users when visiting compromised sites. Upon installation the malware drops the following files:

  • %All Users Profile%\Application Data\{random}.tmp.bat
  • %Application Data%\{random characters}: contains logs of running and accessed applications

It drops and executes the following files:

  • %All Users Profile%\Application Data\{random}.exe

The malware creates a Run registry entry to execute itself every time Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IntelPowerAgent9 = rundll32.exe shell32.dll,ShellExec_RunDLL %All Users Profile%\Application Data\{random}.exe


Obscuring techniques

This recently discovered malware family uses a large arsenal of tricks to avoid detection by traditional security solutions. It terminates itself if the computer name of the machine is SANDBOX or FORTINET.


It terminates itself if any of the following files are found:

  • c:\sample\pos.exe
  • %System%\drivers\vmmouse.sys
  • %System%\drivers\vmhgfs.sys
  • %System%\drivers\vboxmouse.sys
  • c:\analysis\sandboxstarter.exe
  • c:\analysis
  • c:\insidetm

The following image shows the malware searching for c:\sample\pos.exe.


The malware terminates if it is being debugged. The IsDebuggerPresent API reports whether the calling process is running under a debugger; if it is, the malware can change its behavior. (We commonly find this API in malware samples.) With these techniques the malware developers are trying to make the analyst’s task more difficult. Shifu also uses the Sleep API, which can suspend the application for an effectively infinite amount of time, long enough to outlast the execution window of an automated sandbox.


Shifu also checks for automation. On a normal system the foreground window changes as the user switches between tasks. On an automated analysis system there is usually only a single task: running the possibly malicious sample and monitoring its behavior. The malware makes cunning use of this difference. First it calls GetForegroundWindow() and saves the returned window handle. It then repeatedly calls the same function and compares the result; the rest of the code does not execute until the foreground window has changed.
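The checks above (computer name, analysis artifacts on disk, IsDebuggerPresent, and the foreground-window loop) are exactly the things an analyst must hide from a sandbox before Shifu will run in it. The following script is an added example, not McAfee Labs code: it audits a host, or a constructed description of one, against those indicators and reports which of Shifu’s evasion checks would fire. The indicator lists are taken from the analysis above; the foreground-window check is simulated from a sequence of sampled handles because GetForegroundWindow() is Windows-only, and the live-host helper assumes Windows paths.

```python
"""Audit a host against the sandbox/analysis artifacts Shifu checks for.

Added example, not part of the McAfee Labs analysis.
"""
import os
import platform

# Computer names that make Shifu exit immediately.
SUSPICIOUS_HOSTNAMES = {"SANDBOX", "FORTINET"}

# Files/directories whose presence makes Shifu exit. %System% is
# replaced with the Windows system directory when auditing a live host.
SUSPICIOUS_PATHS = [
    r"c:\sample\pos.exe",
    r"%System%\drivers\vmmouse.sys",
    r"%System%\drivers\vmhgfs.sys",
    r"%System%\drivers\vboxmouse.sys",
    r"c:\analysis\sandboxstarter.exe",
    r"c:\analysis",
    r"c:\insidetm",
]


def expand_system(path, system_dir):
    """Replace the %System% placeholder with the given system directory."""
    return path.replace("%System%", system_dir)


def triggered_checks(hostname, existing_paths, debugger_present,
                     foreground_windows, system_dir=r"C:\Windows\System32"):
    """Return the Shifu evasion checks that would stop or stall the sample.

    hostname           - machine name as Shifu would read it
    existing_paths     - paths that exist on the host (compared case-insensitively)
    debugger_present   - what IsDebuggerPresent() would return
    foreground_windows - foreground window handles sampled over time; Shifu
                         waits until the handle changes at least once
    """
    present = {p.lower() for p in existing_paths}
    hits = []
    if hostname.upper() in SUSPICIOUS_HOSTNAMES:
        hits.append("hostname:" + hostname)
    for p in SUSPICIOUS_PATHS:
        if expand_system(p, system_dir).lower() in present:
            hits.append("path:" + p)
    if debugger_present:
        hits.append("debugger:IsDebuggerPresent")
    if len(set(foreground_windows)) < 2:
        hits.append("foreground-window:never-changed")
    return hits


def audit_live_host(foreground_windows=()):
    """Gather the inputs from the machine this runs on (assumes Windows paths).

    Pass a list of handles sampled with GetForegroundWindow() if you want the
    window check evaluated; an empty sequence counts as 'never changed'.
    """
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    existing = [expand_system(p, system_dir) for p in SUSPICIOUS_PATHS
                if os.path.exists(expand_system(p, system_dir))]
    return triggered_checks(platform.node(), existing, False,
                            foreground_windows, system_dir)


if __name__ == "__main__":
    # Constructed description of a poorly disguised analysis VM.
    print(triggered_checks("SANDBOX",
                           [r"C:\Windows\System32\drivers\vboxmouse.sys",
                            r"c:\analysis"],
                           True, [0x1234, 0x1234, 0x1234]))
```

Any non-empty result means the sample will exit or stall before showing its real behavior; the fix on the analyst’s side is to rename the VM, remove or rename the listed drivers and directories, detach the debugger, and script some foreground-window activity (or hook GetForegroundWindow) so that the loop terminates.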


Injecting asynchronous procedure calls

Thread creation carries overhead, so malware often uses asynchronous procedure call (APC) injection, which can invoke a function on an existing thread. An APC directs a thread to execute some other code before returning to its regular execution path. The malware enumerates the running processes on the infected system with CreateToolhelp32Snapshot, the same method that PoS RAM scrapers commonly use. In the following snapshot we can see the malware locating its target by calling CreateToolhelp32Snapshot (which takes a snapshot of the specified processes, as well as the heaps, modules, and threads they use), Process32First, and Process32Next. The malware retrieves the full process list and stores it in its own memory. One of the injected threads is responsible for periodically scraping the memory of active non-system processes on the infected machine for credit card information.


The malware exfiltrates the scraped data to its control server using HTTP POST requests. To do so it injects code into one of two running processes, explorer.exe or csrss.exe.

Shifu uses a domain generation algorithm (DGA) to create random-looking domain names for covert botnet communications. Here’s a look at the traffic, which shows the generated domain names:
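The generated names are the most practical network indicator a defender has when the control-server addresses themselves change. The script below is an added example, not part of the McAfee Labs analysis, and it does not reproduce Shifu’s DGA (the algorithm is not described here); it scores the registrable label of each queried name for the randomness that generated names typically show (length, character entropy, vowel ratio) and flags the clients that asked for them. The log format and the sample lines are constructed for the example; the thresholds are starting points to tune against your own DNS data.

```python
"""Flag DGA-looking query names in DNS log lines.

Added example, not from the McAfee Labs analysis. The heuristic is generic
and does not implement Shifu's own domain generation algorithm.
"""
import math
import re
from collections import Counter

# Constructed log lines in the form "<timestamp> <client> <query-name>".
SAMPLE_LOG = """\
2015-09-01T10:00:01Z 10.0.0.5 www.example.com
2015-09-01T10:00:02Z 10.0.0.5 update.microsoft.com
2015-09-01T10:00:03Z 10.0.0.7 qx7kzpwhtv3mbn.net
2015-09-01T10:00:04Z 10.0.0.7 mg2rtlkcfq9zvb.com
2015-09-01T10:00:05Z 10.0.0.9 mail.corp.example.co.uk
2015-09-01T10:00:06Z 10.0.0.7 plvnsdkqtwrzxh.org
"""

# Two-label public suffixes the registrable-label split must respect
# (a small hand-picked set; use the full Public Suffix List in production).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_label(name):
    """Return the label left of the public suffix ('example' for www.example.co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def is_dga_like(name, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy registrable label with few vowels."""
    label = registrable_label(name)
    return (len(label) >= min_len
            and entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def flag_dga_queries(log_text):
    """Return (client, query-name) pairs whose name looks machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip lines that do not match the expected format
        _ts, client, qname = m.groups()
        if is_dga_like(qname):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for client, qname in flag_dga_queries(SAMPLE_LOG):
        print(client, qname)
```

Because an infected host tends to query many generated names in a short burst, grouping the flagged names per client (as the output above allows) separates a DGA beacon from the occasional odd-looking but legitimate CDN hostname far better than scoring single names in isolation.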


The malware uses Windows mailslots for one-way interprocess communication between processes, both locally and over a network. It can also store the card track data and other stolen data in a mailslot and send the data to its control server using a POST request.


Shifu retrieves the path of the currently running executable with a GetModuleFileName call. The call is needed because the malware may not know its own directory or filename. By obtaining this information dynamically, the malware can install itself no matter which executable is called or where it is stored.


The malware uses SHGetValueA to get a value from an open registry key or from a named subkey.


As usual, the unpacked code is injected into newly mapped memory.


The malware sends the victim’s OS version information, PC name, GUID, and similar details to the remote server through an HTTP POST. A code snippet:


This is just the tip of the iceberg. As we dig deeper into this malware and unearth more we will update you.

Intel Security products detect this malware as Trojan-Shifu! [Partial hash], with DAT Version 7930 and later.

The post Japanese Banking Trojan Shifu Combines Malware Tools appeared first on McAfee.

McAfee Labs Team Wins Péter Ször Award


On October 2 at Virus Bulletin’s VB2015 conference in Prague, Virus Bulletin Editor Martijn Grooten announced that Anand Bodke, Abhishek Karnik, Sanchit Karve, and Raj Samani from McAfee Labs have won the Péter Ször Award. The award is given annually for the best piece of technical security research published during the year.


Sanchit Karve accepts the Péter Ször Award on behalf of the coauthors.

The team won for their report Catch Me If You Can: Antics of a Polymorphic Botnet, which details the worm known as W32/Worm-AAEH, VObfus, Beebone, and other names; the botnet used to download it; and, most important, the joint public-private takedown operation that led to its demise.


Public-private collaboration

In fact, it was the cooperative and collaborative nature of the investigation and takedown that was key to the success of the operation, which took place in early April. McAfee Labs and Shadowserver worked together to develop the necessary threat intelligence that became the technical basis for the takedown. Research results from that investigation can be found in the report.

The takedown, known as Operation Source, was led by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT). Most EU member states and law enforcement partners around the world coordinated in the action. The High-Tech Crime Unit of the Dutch Police Services Agency led the J-CAT effort. The U.S. Federal Bureau of Investigation provided valuable support.

Operation Source clearly demonstrates the value of public-private partnerships to combat cybercrime. From the outset, the work of identifying the threat was shared with appropriate law enforcement agencies, and the analysis was shared with other security companies to maximize global remediation efforts.


Grooten noted that “Research like this helps make everyone more secure, which was also the case for the enormous amount of research the late and great Péter Ször performed. As such, these researchers are worthy winners of the second Péter Ször Award.”

I am very proud of the team’s expert analysis and the way in which they worked together with global law enforcement to take this criminal operation offline.

 

The post McAfee Labs Team Wins Péter Ször Award appeared first on McAfee.

We’ve Been Hacked! Okay, I’ll Deal With It Next Week


That was the message I got from a CEO when we presented evidence that their organization had been compromised and the attackers had been free to roam for months, resulting in the theft of terabytes worth of data. Actually, the exact words were “So we’ve been hacked, eh? Well, it’s Friday afternoon now so I will get my IT guy to look into it on Monday.”

This response is not uncommon, and to be fair it is better than the usual indifferent response of “So what?” Yet it is disheartening to act as messenger only to realize that your audience has left the auditorium. It is partly because of this level of apathy that we undertook the research which has resulted in the new report I coauthored with my colleagues Francois Paget and Charles McFarland: The Hidden Data Economy: The Marketplace for Stolen Digital Information. Released today, the report highlights what happens with stolen data after a data breach.

In the past, we have covered the concept of “Hacking-as-a-Service,” and although that research did touch on the sale of stolen data—namely credit cards—it just scratched the surface. In this report, we delve deeper into the topic, highlighting ways in which all sorts of stolen data is monetized.

What worries us the most is just how personal some of the data is. Want to be an identity thief? Simply order the person you wish to become. I remember one conversation with law enforcement as we were writing the report. When we uncovered some individuals whose lives were being traded by criminals, we offered advice to the police on what to tell the victims. The conversation went along the lines of “You may not be aware of this, but your entire digital life including that of your family is being sold by criminals somewhere on the Internet.”

This is why data theft matters—it is often very personal. It is easy to talk about cybercrime having something to do with computers, but the reality is that the systems are just objects used in attacks. It matters because it can be about not being able to get a mortgage because someone has destroyed your credit rating. Or about being accused of sending hateful messages via your social media account because someone gained access to your mailbox. The truth is that cyber theft can, and often does, affect peoples’ lives in profound ways.

 

The post We’ve Been Hacked! Okay, I’ll Deal With It Next Week appeared first on McAfee.
