Posts Tagged ‘CnC’

Feeling Secure

Monday, November 24th, 2008

The following depicts real, non-fictional events. Names have been altered to protect the victims.

On Monday, October 20th, Dave’s antivirus reported that it found and deleted a virus. Dave was relieved that his computer and his files were not damaged, and that he had antivirus turned on. Phew!

Forensic Chronicle

October 7th 14:10

Malware named Sinowal (aka Torpig) made its way onto Dave’s work computer. Sinowal is a sophisticated trojan designed to steal banking and other login information.

October 7th 15:59

Dave logged into his SunTrust online banking account. Sinowal captured and transmitted his login credentials to a Command-and-Control (CnC) server located in California.

October 8th 10:26

Dave logged into his Bank of America online banking account. Sinowal captured and transmitted his login credentials along with additional security question-answer challenges.

October 8th 13:21

Dave logged in to check his email, and Sinowal captured and transmitted his Gmail username and password to the CnC server.

October 20th 11:40

Last communication from the bot to the CnC server recorded.

The trojan was prolific in its communication, checking in with the CnC at times as often as every 10 minutes. During the two-week period it proceeded to send passwords every time Dave logged into his accounts.

Luckily for Dave, shortly after these incidents occurred, the computer security team at his work was notified about them. Dave was promptly informed of what happened. The thieves did not get a chance to withdraw money …

After recovering from the initial dismay of what happened, Dave got serious about what he could do to protect himself. He now pays attention to what online security features each of his financial institutions offer. He is also grateful to his employer for looking out for him. But Dave has also learned a very important lesson – he must always look out for himself.

- Irina Connelly, Damballa Researcher

Circumstantial Evidence

Thursday, September 18th, 2008

Damballa’s engineering team uses an interesting internal lexicon for the various technologies employed by our Failsafe solution for enterprises. In many ways, our product architecture is modeled on the American legal system. Evidence is collected, perpetrators and victims are identified by name and other known aliases, a jury is assembled, a trial conducted, and the presence of a crime is decided by the jury’s consideration of all of the evidence.

Network security staff in many enterprises often struggle to grasp this concept, because they have been well trained in the model of host-based antivirus. They expect to be shown host-based evidence, such as a specific virus name and information about which files, registry keys, or other modifications to the compromised system confirm that the compromise is present. Damballa often cannot provide this level of precise host-based information for compromises we identify, and some of our customers initially view this as a weakness of our solution. It’s the network equivalent of lacking habeas corpus.

In many ways, however, this “weakness” is actually a key strength. Our Failsafe solution is incredibly non-disruptive compared with deployment requirements for the plethora of other, much less effective security tools. You don’t have to deploy software to each of your 100,000 Windows workstations or pass all of your Internet traffic through one of our devices in order to get the actionable information you need about compromises that exist on your network and how to eliminate them.

Instead, we look at the circumstantial evidence. It’s the network monitoring equivalent of who talked to whom, when, and what they said to each other. Some of our technologies are focused specifically on identifying patterns in these communications that are indicative of Command-and-Control (CnC) and/or attack behaviors (who, whom, and when). Other parts of our proprietary technology stack inspect what was said in the more suspicious of these conversations. Finally, we use sophisticated decision logic to correlate communication patterns with the transmission of high-risk content to draw our conclusions about who the victims are, what crimes were perpetrated against them, and by whom.
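The two-stage approach described here (the "who, whom, when" pattern stage, then content inspection of the suspicious conversations, then a correlated verdict) and the every-10-minutes check-in behaviour from the Sinowal chronicle above can both be illustrated with a small detector. The script below is an added example written for this page; it is not Damballa's code and makes no claim about how Failsafe works internally. The connection log is constructed, the destination addresses are documentation ranges, and the per-connection content labels (`checkin`, `credential-post`, `web`) stand in for a hypothetical inspection stage that has already classified what was sent.

```python
"""Beacon-pattern detection correlated with high-risk content, over a
constructed connection log. Added example, not Damballa's own code."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp, source host, destination, bytes sent,
# and a content label assigned by a hypothetical upstream inspection stage.
# ws-dave contacts one peer on a tight 10-minute schedule and later sends
# credential-shaped content to it; ws-alice's traffic is ordinary browsing.
SAMPLE_LOG = """\
2008-10-07T14:10:00 ws-dave 198.51.100.7 312 checkin
2008-10-07T14:20:01 ws-dave 198.51.100.7 298 checkin
2008-10-07T14:30:03 ws-dave 198.51.100.7 301 checkin
2008-10-07T14:40:02 ws-dave 198.51.100.7 305 checkin
2008-10-07T14:50:00 ws-dave 198.51.100.7 297 checkin
2008-10-07T15:00:01 ws-dave 198.51.100.7 303 checkin
2008-10-07T15:59:10 ws-dave 198.51.100.7 1840 credential-post
2008-10-07T14:12:00 ws-alice 203.0.113.10 5120 web
2008-10-07T14:31:00 ws-alice 203.0.113.10 7700 web
2008-10-07T16:45:00 ws-alice 203.0.113.10 640 web
2008-10-08T09:02:00 ws-alice 203.0.113.10 9100 web
"""

# Labels the (hypothetical) content stage considers high-risk.
HIGH_RISK_LABELS = {"credential-post"}


def parse_log(text):
    """Return (time, src, dst, bytes, label) tuples from the constructed log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size, label = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size), label))
    return events


def beacon_score(times, tolerance=0.10, min_contacts=4):
    """Pattern stage ("who, whom, when"): fraction of inter-contact gaps that
    fall within +/-tolerance of the median gap. A value near 1.0 means the
    host keeps contacting the peer on a fixed schedule, as a bot checking in
    with its CnC does. Returns (score, median_gap_seconds)."""
    if len(times) < min_contacts:
        return 0.0, None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return regular / len(gaps), med


def assess(log_text, beacon_threshold=0.75):
    """Decision stage: correlate the pattern score with high-risk content per
    (src, dst) conversation and return a verdict plus the supporting evidence."""
    conversations = defaultdict(list)
    for ev in parse_log(log_text):
        conversations[(ev[1], ev[2])].append(ev)

    verdicts = {}
    for pair, evs in conversations.items():
        score, med = beacon_score([e[0] for e in evs])
        risky = [e for e in evs if e[4] in HIGH_RISK_LABELS]
        periodic = score >= beacon_threshold

        evidence = []
        if periodic:
            evidence.append(f"{len(evs)} contacts, {score:.0%} of gaps near {med:.0f}s")
        for e in risky:
            evidence.append(f"{e[4]} of {e[3]} bytes at {e[0].isoformat()}")

        if periodic and risky:
            verdict = "compromised"      # beaconing plus stolen-looking content
        elif periodic or risky:
            verdict = "suspicious"       # one stage fired, the other did not
        else:
            verdict = "clean"
        verdicts[pair] = {"verdict": verdict, "beacon_score": score,
                          "median_gap_s": med, "high_risk_events": len(risky),
                          "evidence": evidence}
    return verdicts


if __name__ == "__main__":
    for pair, v in assess(SAMPLE_LOG).items():
        print(pair, v["verdict"], v["evidence"])
```

The verdict for ws-dave rests on network-derived evidence only: a regular contact schedule to one external peer and a credential-shaped upload to that same peer. Nothing here names the malware or lists files and registry keys on the host, which is exactly the trade-off the post describes. The median-gap measure is deliberately tolerant of jitter and of a few off-schedule contacts, since real check-ins drift and the interesting upload will usually not land on the beacon boundary.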

Our enterprise customers receive a full summary of each of these network crimes and the ability to view all of the evidence we collected that led to the verdict that was rendered. Damballa provides network-derived evidence for these network-enabled crimes. That said, we are increasingly able to extract more intelligence from the network about specific host-based modifications, as well.

Much of our proprietary technology currently in development is focused on extending the actionable intelligence we provide to include specific instances of malware that have likely been installed on victim hosts, and detailed information about what modifications that malware likely made to them. These details are especially useful intelligence, as a vast amount of malware we identify is not recognized by the latest host-based tools and signatures from other vendors. Stay tuned as Damballa continues to lead the industry in these innovative technologies.

- Tripp Cox, Damballa VP of Engineering