“It was Just a Virus” – Full Data Breaches through Malicious Attachments

Process Monitor screenshot 3

If a malware file is allowed to execute, and it collects all of the personal files off of a system and sends them to a remote hacker, was your company hacked or did you “just have a virus?”

I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.

Basically a corporate user would receive a crafted e-mail saying that they have receive a fax from their internal fax server. Sure enough the attached file would have a pdf looking attachment. But once the “attachment” is executed, the user gets a whole lot more than a fax.

The “.pdf” file is actually an executable malware file using a PDF logo as an icon. The file executes a data mining attack that searches the hard drive for personal data, browser caches, system files, registry settings, installed applications – including FTP and security programs, remote access programs, file manager programs, web site authoring software, and even clients for remote online storage.

Once it gathers this information, it tries to connect to a foreign server to upload the purloined data.

So should these attacks be considered as “just a virus”, or should this be considered a full data breach?

All the elements of “being hacked” are present. Private data files, including password files and databases could have been obtained. And then the information is sent out of the network to a remote hacker’s server set up to receive the info. Malware is already running on the system, so how hard would it be to use the system as a persistent backdoor into the corporation?

And lastly, these evil infiltrators are coded to bypass anti-virus and firewalls – only 2 AV companies detected one of the malicious executables I examined as containing a Trojan. And since the program connects back out to the malware server from your system after executing, your firewall does not block it.

Sure most companies consider that they were hacked when their server has been compromised, but what if a top engineer who kept classified research information on his system or an IT administrator of a secure facility allowed the phishing e-mail to run?

And how would these people even know that private data was sent out from their network if no network security monitoring was in effect? Would they just write off the attack saying, “It was just a virus…”?

Long gone are the misspelled fake looking social engineering attacks. E-mail attacks are getting much better, they look professional and are believable. Especially when your company uses some of the same software that the e-mail is pretending to be (like an incoming fax message).

Employees need to be warned about malicious e-mails and that they try to replicate legitimate communication. That if something looks or feels suspicious, that they should not run it and contact your support department.

Sure this will probably mean more calls to the data center, but if you can catch these things BEFORE they execute, you can take steps to protect your network. Especially if you find out what servers they are trying to connect out to as you can block the address so others who aren’t as vigilant will be protected too.

Bitdefender Security for Windows 8 Released

A few days ago Bitdefender released a new version of it’s award winning security software – Bitdefender Windows 8 Security. This release is the first Anti-Virus security program built especially for Windows 8.

If you are familiar with Bitdefender’s Internet Security Suite 2013, then the features will look very familiar to you. Sure, it has the award winning Anti-Virus and phishing defense, Firewall, Intrusion Detection System, Social Media and Online Banking/ Shopping protection. But there are several new features built in just for Windows 8.

Probably one of the top features is the Early Start-Up Scanner that loads Bitdefender first so that it can defend against malicious software from infecting your computer during start-up. Also very important is Bitdefender’s new support for Windows 8 Apps. And scanning is also quicker with Scan-Boost technology.

Bitdefender’s feature set far surpasses the built in Microsoft Anti-Virus. Their Windows 8 Security program costs $74.95 for for up to 3 PC’s for a Year. If you are still not convinced, and want to take it for a test drive you can download a free trial version from their website.

Bitdefender Windows 8 Security – Check it out!

Bitdefender Total Security 2013 Review and License Give Away!

Take one of the best anti-virus products out there and integrate a ton of client and online security add-ins and what do you have? Bitdefender Total Security 2013!

Again this year, Bitdefender has provided Cyberarms a review copy of its latest Total Security product for us to put through the ringer, and again it did not disappoint.

Okay, I am not going to spend a lot of time covering the antivirus engine this year. We covered the 2012 version and it received top marks. Even PC Mag gave Bitdefender’s Antivirus Plus 2013 its Editor’s Choice Award. This year I want to spend more time covering some of the new and updated features.

I will say though that the 2013 release seems just as robust against malware and phishing attempts, and better in some circumstances. In testing, 2013 correctly detected some compressed exploit files from a security conference that were in a huge zipped compilation. The drive was scanned with 2012 and the files were not detected.

Actually, Bitdefender anti-virus is the bane of my security research existence. 🙂

Let me explain.

I use Bitdefender on a couple dual purpose machines that are also used for security research.

I have to uninstall (not turn off!) Bitdefender from these machines when I play with Backtrack 5 and the Metasploit Framework. No matter how many times I encode or pack a malicious payload with Metasploit, Bitdefender catches and blocks it. And this is with Backtrack running in a virtual machine. Even with active scanning and the firewall service turned off, it still identifies and quarantines the payload. I have to completely uninstall Bitdefender from the machines to be able to perform Metasploit mayhem with them.

My only qualm about the anti-virus is that it seems to take a very long time to perform a full scan. But I usually set the scan engine to aggressive and scan every file.

The Anti-Virus engine is excellent, let’s move on.

Administrator Control Panel

One of the first things you will notice, if you are logged in as an administrator, is the control panel interface. The red “x” means that there is an issue that should be taken care of right away.

In this instance, the virus update had not been run in several days.

Simply clicking on the center of the control panel shows you what the issue is and how to remedy it.

The number in red tells you that there are events that should be reviewed, and how many there are to check.

Firewall activity – Displays a bar graph of Firewall activity. If you click on the Firewall Activity button, you can modify firewall settings, change rules or check network activity. They also have a pretty nifty “Paranoid Mode” that allows you to view every communication attempt with the option to either block or allow. This could be handy if you are investigating a possible breach in progress or monitoring strange communications.

Scanner Activity – The progress bar on the right side of the control panel shows scanning progress. Clicking on the scanner activity button allows you to view and modify anti-virus settings.

What is great is if you have a suspicious file or folder, you can just drag and drop it on the control panel and Bitdefender will scan it for you.

If there are no issues or event news, the control panel will look like this:

Finally, clicking on the ID Badge at the bottom will take you to the My Bitdefender page.

My Bitdefender

Apart from malware and e-mail phishing attempts, Identity Theft, and social engineering attempts through social media sites are top targets for the cyber criminal.

Twitter and Facebook protection are included in Total Security 2013. Just run through the quick setup in each and Bitdefender protection is extended to these social media programs. Incoming links from these sites are scanned for threats. Setup is fairly quick, and like all Bitdefender applets, it runs silently in the background.

Safebox brings Dropbox like features to Bitdefender. You get 2GB of free encrypted cloud storage included. It is very easy to create new folders, upload data and share files with other PCs, or mobile devices. It even gives you a Windows like Recycle Bin in case you deleted a file and change your mind.

SafePay

What a great idea, whenever you go to do online secure banking transactions, Bitdefender drops you into a barricaded session that protects both your wireless session if you are on Wi-Fi and a virtual keyboard to protect it from being sniffed by hackers.

Though an incredible idea, I did have problems with this. When your computer enters this protected Safepay session, you enter a sandboxed browser. Getting back out of it though, to check an account validation e-mail for example, was not very intuitive.

Once I exited the sandboxed session to get my validation e-mail so I could log in, it created a new session with my banking provider, so I would have needed another validation e-mail.

Though not perfect, this is a huge move in the right direction. Especially for PC users that need to use public networks for banking or shopping.

 Mobile Anti-Theft

Another new cool feature, Bitdefender allows you to view the location of your PC or mobile device, and gives you the option of remotely locking it or even wiping it. After installing the Anti-Theft app, the location of your device shows up on a Google map. Though not completely accurate for a PC without GPS (my computer showed up about a mile away from my house), this could be very handy for locating lost or stolen Mobile devices.

Conclusion

This was just a quick look at some of Bitdefender Total Security features. There are several others that I did not mention. If you want one of the best anti-malware solutions loaded with extra security features, that doesn’t inundate you with pop up warnings and messages, look no further than Bitdefender Total Security 2013!

GIVEAWAY

Want a chance to win a license for a full copy of Total Security 2013? Cyberarms in conjunction with Bitdefender is giving away 5 licenses of the award winning software. Simply share a link to this review on your favorite social media site. Then place a copy of the link in the comments field below. Winners will be chosen at random in two weeks (August 9th) from links in the comments section.

Don’t want to wait, why not try out Bitdefender’s excellent protection now? Go to Bitdefender’s website and click the “Try it FREE” link to download a time limited trial.

*** The contest is now over, congrats to our winners! ***

GFI WebMonitor Internet Monitoring and Web Security Review

Looking for a program that monitors your user’s internet use, allows you granular control over what sites and services they can access, and when? Coupled with comprehensive web security and threat detection that includes scanning with not one, not 2, but three Anti-Virus engines?

Look no further than GFI’s WebMonitor.

The wonderful folks at GFI recently provided me with a license key and asked if I would check out their software. Their timing was exceptional. I have been looking for a web monitoring solution for small to medium businesses. One that is feature packed, but easy to use. I fell in love with WebMonitor.

Here are some of the top features:

SITE BLACK LISTING

Simply select the website, IP address or user that you want to block access to and click add. Next, save settings and instantly the site that you do not want access to will be blocked:

Anyone trying to surf to a blacklisted page from your network will receive this error in their browser:

What is nice about WebMonitor is it also scans all downloads and looks for malicious pages as your user searches the web. If users try to search to a page that is suspicious, Webmonitor blocks it and the user will see this message:

WEBSITE RESTRICTIONS BY CONTENT TYPE

Want to block a user from certain websites by topic? Simply select the category from the list and select “Block”:

How about Streaming Media sites?

Just select “Block” on any of the sites or media types that you want to block and streaming video will be blocked. In the screenshot above we see that “Generic Site Streams” are blocked. So what will happen if someone tries to run YouTube videos?

“An error has occured. Please Try again later”. We could have just added YouTube to the black list and we would not have even been able to surf to the website. But this setting blocks streaming videos from all the websites. Nice!

BLOCKING BY POLICY

In almost every section of WebMonitor, internet blocking or restriction can be configured by user, by date or even by time. And again GFI’s easy to use interface really shines. Here we see the policy enforcement calendar for streaming media, with just two mouse clicks I disabled the policy for the weekend network users:

SECURITY AND SAFETY

WebMonitor protects against malware masking itself in HTTPS traffic, and has the ability to block attempts to circumvent web filtering. Also, downloads are scanned by three anti-virus engines:  BitDefender, Kapersky and Norman.

Why?

Because not every anti-virus will detect every single threat. Using several anti-virus engines increases the chances that malicious files will be detected. I have tested BitDefender heavily and it is VERY good at detecting and blocking encoded, obfuscated backdoor programs like the ones used in targeted phishing attacks.

And again the WebMonitor GUI makes it very easy to change AV settings if you don’t like the default values:

This is just a brief overview of some of the multiple capabilities of this feature rich program. I really didn’t touch on the monitoring side to much, but you can monitor all internet use and view it by user or computer. Actually the GFI documentation recommends just letting WebMonitor collect statistics for the first week so you can see where your employees are visiting and how much time they are spending online.

Then you can go in and block or restrict usage as necessary.

GFI WebMonitor is a very powerful tool that is easily configured through an intuitive graphical interface. The only negative I encountered was that it does seem to draw a lot of resources. I ran it on my main desktop and it noticeably affected both boot time and surfing.

But as this is a full time monitoring and security system, you probably want to install it on a separate system or on one that is not used heavily for other functions.

GFI WebMonitor is the most mature and feature rich monitoring/web security program I have seen to date. I was very impressed with this product and highly recommend it.

Want to try it out yourself? WebMonitor is available for a 30 day free trial!