New Malware Threat
1. New Malware Threat
- These are Criminals stealing money – Not kids making a big splash or ‘hack for fun’
- Well organized and VERY stealthy
- Growing network of attackers, ‘ecosystem’
- Many basic defenses do NOT work at all
- “Blended threats” are tough to counter
- Represent a NEW level of threat to businesses
- Companies have NO protection like consumers
2. Is this a Real Threat?
- Malware thefts in 2009 “recently in the news”:
  - Bullitt County KY – $415,000 via rogue wire transfers
  - W. Beaver School District PA – $700,000 stolen in 74 transactions
  - Slack Auto Parts GA – $75,000 stolen ($69,000 intercepted)
- Extremely stealthy malware: “Clampi / Ligats / Rscan Trojan”
- Remotely controlled funds transfers into ‘normal’ accounts
- Thieves leverage “money mules” in US and other countries
- Recruit Money Mule accomplices via web sites
  - The Junior Group – www.junior-group.cn
  - Part of ‘Russian Business Network’ – front for money laundering
3. Clampi Trojan Analysis
- SecureWorks Threat Analysis
- Initial install of ‘loader’ via web page ‘drive by’
  - View malicious HTML (ad, hidden frame, email)
  - No user admin. privilege needed to start
- Sets up a ‘mini-VM’ environment
- Links to ‘Exploit Server’ and Bot herders
- Exploits sent and launched from ‘bridgehead’
- Malware encrypted, running & session C&C
- Injects code into ‘Normal process’ to hide
4. Clampi Trojan Analysis
- Installs malware into System and User keys
- Attaches encoded malware to ‘normal files’
- Each malware function uses ‘normal process’
- Not easily detectable by signature or by usual host / network intrusion detection
- Uses new malware VMPacker, tough to decode
- Modules are added and spread over time
  - Password key LOGGER and FORM injector
  - Password guess ACCOUNTS and SOCKS sender
5. Malware Impact
- Hackers find a ‘banking PC’ via exploits
- Guess passwords and map out inside LAN
- Collect user data, account data – exfiltrate it
- Watch for banking activity – inject extra forms
- Collect data and control wire transfers
- Send money to their mules (not easily flagged)
- Continue to collect data and control transfers
- Also continue to spread inside firewall
6. Mitigate?
- Things that typically do not work well:
  - Scan / signature based AntiVirus
  - ‘Host Intrusion Detection’ via Blacklist / Scan
  - Network Intrusion Detection sees Encryption
- Things that help prevent spread of Clampi:
  - Special Security Around ‘Banking Clients’
  - Fully patched machines / Complex passphrases
  - “Whitelist Only” Application Client Lockdown
  - LUA Users on Banking Clients – perhaps ALL clients
  - Network IDS on ALL Exiting Traffic
  - Correlated Logs on IDS / Firewall and Some Clients
  - Reimage Banking Client Even on Suspicions of Malware
7. Dealing With Modern Malware
- Patch all Microsoft and ADOBE products!
- Use IE8 (if you can) and “Zones” / GPO control
  - If not, then use SandboxIE or similar
  - OR use FireFox and NoScript (Banking Client at least)
- Limit user rights to slow down exploits…
- Leverage AppLocker / Whitelist if you can…
- Funnel all outbound traffic – IDS – Logs
- If any suspicions – Rebuild from clean image!
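Slides 6 and 7 both recommend funnelling all outbound traffic through an IDS with correlated logs and treating ‘Banking Clients’ as whitelist-only. The following is an added example (not part of the original deck) of what that correlation looks like in practice: it walks constructed firewall log lines and flags any egress from a designated banking client to a destination outside its allowlist, then totals the bytes per unknown destination so a large upload or a repeated beacon stands out. The host addresses, the allowlist and the log format are assumptions made for the example.

```python
"""Egress allowlist check for designated 'banking clients' (added example).

Assumed log format, one line per connection (constructed, not a real product's):
    <timestamp> <src_ip> -> <dst_host>:<dst_port> <bytes_out>
"""
from collections import defaultdict

# Hypothetical: the locked-down hosts used for online banking
BANKING_CLIENTS = {"10.0.5.21", "10.0.5.22"}

# Hypothetical allowlist: the bank itself plus the internal update server
ALLOWED_DESTINATIONS = {"bank.example.com", "updates.example.com"}

# Constructed sample log lines; 203.0.113.9 and 198.51.100.77 are documentation ranges
LOG_LINES = """\
2009-08-01T09:01:02 10.0.5.21 -> bank.example.com:443 18240
2009-08-01T09:01:09 10.0.5.21 -> updates.example.com:80 2048
2009-08-01T09:02:44 10.0.5.22 -> 198.51.100.77:443 73912
2009-08-01T09:03:01 10.0.7.10 -> www.example.net:80 5120
2009-08-01T09:05:15 10.0.5.21 -> 203.0.113.9:8080 1048576
2009-08-01T09:05:20 10.0.5.22 -> 198.51.100.77:443 64000
"""


def parse_line(line):
    """Split one log line into its fields; port and byte count become ints."""
    ts, src, _arrow, dst, size = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": host, "port": int(port), "bytes": int(size)}


def find_egress_violations(lines, clients=BANKING_CLIENTS, allowed=ALLOWED_DESTINATIONS):
    """Return (src, dst, port, bytes) for every banking-client connection whose
    destination is not on the allowlist. Traffic from other hosts is not judged here."""
    violations = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in clients and rec["dst"] not in allowed:
            violations.append((rec["src"], rec["dst"], rec["port"], rec["bytes"]))
    return violations


def summarize_by_client(violations):
    """Total bytes per (client, destination) so one large upload or a repeated
    beacon to a single unknown host is visible at a glance."""
    totals = defaultdict(int)
    for src, dst, _port, size in violations:
        totals[(src, dst)] += size
    return dict(totals)


if __name__ == "__main__":
    found = find_egress_violations(LOG_LINES)
    for item in found:
        print("EGRESS VIOLATION", item)
    print(summarize_by_client(found))
```

The same check applies to proxy or IDS connection logs once `parse_line` is adapted to their field layout; any hit on a banking client is a candidate for the deck's "rebuild from clean image" rule rather than for a signature scan.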