CYREN MALWARE THREAT REPORT | AUGUST 2017

THE MALWARE WARS ARE HEATING UP

Fridrik Skulason, Security Pioneer, Gives the Long View (page 7)

TABLE OF CONTENTS

Introduction (page 3)

What is Malware? (page 4)

Malware Today: How Did We Get Here? (page 5)

Interview with Fridrik Skulason: Pioneer Discusses 30 Years Fighting Malware (page 7)

Sandboxing Reinvented: Innovation Is the Only Defense (page 11)

Billion Dollar Industry? It’s Called Ransomware (page 14)

Ransomware Made Easy: Roll Your Own in Minutes (page 15)

HTTPS Is Not Secure: Malware Increasingly Hides in HTTPS Traffic (page 16)

Best Practices: A Layered Architecture to Stop Malware (page 18)

Cyren GlobalView Threat Trends—Q2 2017 (page 19)

Introduction

If you want to know what a cyber-war looks like, read the news.

Possibly no time period since the advent of the Internet has experienced as many dramatic global incidents directly related to malware and cyberthreats as the last 12 months. From election hacks to global ransomware attacks, malware threats are at an all-time high. And, unfortunately, as long as it proves lucrative, the only certainty is it will only get worse.

In this cyber-war, with respect specifically to malware, three battlefronts stand out: ransomware, hyper-evasive malware, and malware distribution via HTTPS.

Ransomware has become a true money-spinner for cybercriminals. In May and June alone, massive-scale ransomware attacks have spread extremely quickly around the globe targeting governments, corporations, and private citizens. With hyper-evasive malware, cybercriminals are including code designed to specifically detect and evade conventional sandbox detection and analysis. And, with respect to encrypted HTTPS traffic from “secure” web sites, a recent Cyren study of traffic passing through the Cyren security cloud found that almost 40% of all malware being disseminated today is utilizing HTTPS connections for distribution or communications, yet recent surveys show that the majority of companies around the globe are not inspecting that traffic.

Clearly cybercriminals know the weak points in standard corporate defenses, and they’re optimizing their attacks to leverage these security gaps in every possible way.

One of the reasons that Cyren produces reports like this is to help businesses better understand the nature of the risks they are facing. In the past 25 years, malware has transformed from a mere nuisance into something that has the power to shut down hospital systems, steal millions from bank accounts, and significantly affect the well-being of businesses and people worldwide.

Today, no item or user connected to the Internet is immune to attack. While many businesses are still studying what security measures might be necessary, cybercriminals are “all in,” creating dangerous new tools to target companies, governments, and private citizens. We need to be mindful that the world has changed. Hyper-evasive malware and threat distribution via HTTPS are growing rapidly; mobile devices—both Android and Apple—are increasingly targets; and Internet of Things tools, from refrigerators to televisions, are an inviting new vector for criminal purposes.

Using data from our global cloud security platform, which processes some 25 billion transactions and blocks over 300 million threats each day, this malware report provides our readers with some in-depth insights into the nature of these threats with the potential to impair business operations and create a cost burden in time and treasure. It also provides a long view for the reader who might not have as much familiarity with how the malware industry got to its current state, underlining that if the threats have changed, so must the approach to security.

Lior Kohavi, Chief Technology Officer, Cyren

What is Malware?

MALWARE TYPES

Adware—Malicious software that installs or renders advertising on a system to generate revenue.

Backdoor—Malware developed to target a hidden entrance or method to bypass traditional security within a system, device, computer, or on software.

Crypter—Malware containing encryption to obfuscate it from security.

Dropper—Malicious software designed to install another type of malware such as a virus or backdoor. Droppers are often designed to avoid detection by traditional antivirus protection or stay hidden from the software by activating at a later stage. 

Exploit—Malware that takes advantage of a software vulnerability to gain access to a computer or system.

Macro—A virus written in a macro language and distributed in a Microsoft Word or Excel file attachment.

Packer—Malicious software that is compressed, and when executed, unpacks itself in memory. Packers make reverse engineering of the malware difficult and also help the malware take up a smaller size footprint.

Protector—Combines both a packer and a crypter to prevent reengineering and tampering.

Ransomware—Malware that limits or blocks users from accessing individual files or entire systems until a ransom is paid.

Rootkit—Malicious software that enables access to sections of the computer, software, or system that would normally not be accessible. Malware often contains rootkits to allow concealment by modifying the operating system so that the malware remains hidden from the user.

Spyware—Malicious software that spies on the computer user, capturing keystrokes, emails, documents, or even turning on the video camera.

Trojan—Non-replicating malicious software that contains hidden functionality. Typically does not attempt to propagate or inject itself into other files.

Virus—Malicious software that infects a system or computer and damages or alters the data on the system.

Worm—Malicious software designed to continually propagate itself.

Malware—MALicious softWARE specifically designed to harm a computer, a system, or data.

MALWARE DISTRIBUTION VECTORS

Email—Malware arrives via attachments and also via links to websites (see “Web”).

Local Access via USB, Bluetooth, or Other—Malware is embedded on a device, such as a USB drive, and is installed when that drive is inserted into a port, or when the distribution source is close enough to the target machine (via Bluetooth or another local channel) to deliver the malware.

Web—Malware is delivered via drive-by downloads (unseen by the user) when visiting a website or by convincing the user to download and run a file when the user is on a website.

Malware Today: How Did We Get Here?

“I’m the creeper. Catch me if you can!”

These playful words were the payoff for the first malware, known as “Creeper.” Created in 1971, this self-replicating virus was designed to do nothing more than transfer itself between mainframe computers connected to the ARPANET and display the above message on the teletypes of infected computers.

Forty-six years later, any such message would not be so innocuous. The chronology below provides a perspective on how malware has been transformed.

1971 TO 1975—PROGRAMMERS PLAY “GOTCHA”

The first years of malware were marked primarily by experimentation and exploration on the part of programmers. Creeper (1971), The Rabbit (1974), and Animal (1975) were all essentially non-malicious viruses designed mostly as research tools or perhaps to amuse the programmer.

1971—The first “virus,” known as “Creeper,” appears.

1974—The Rabbit virus replicates itself among three different IBM 360 mainframes until the systems become overloaded and crash.

1975—The first Trojan appears, called Animal, written for the UNIVAC 1108 system by John Walker (one of the co-founders of Autodesk/AutoCAD).

1981 TO 1989—THE PC LAUNCHES A NEW INDUSTRY: HACKING

While the early years of personal computers were marked by increased business productivity, they also launched the hacker era, with the first virus epidemic appearing in 1986, the first self-encrypting virus in 1987, the first worm in 1988, and the first ransomware in 1989.

1981—Elk Cloner virus written for Apple II and spread by floppy disk.

1983—Computer scientist Fred Cohen coins the term “virus.”

1986—First IBM PC virus epidemic (Brain boot sector virus, aka “Pakistani Flu”) infects the boot sector of 360 KB floppies.

1987—First self-encrypting virus (Cascade).

1987—John McAfee founds McAfee and releases the first antivirus software.

1988—First worm in the wild (Morris Worm).

1989—First ransomware (AIDS Trojan).

1990S & 2000S—MORPHING MALWARE

Cybercriminals in the 1990s introduced increasingly sophisticated threats requiring increasingly sophisticated terminology. These threats were classified by experts into the categories polymorphic, metamorphic, and oligomorphic malware. Generally speaking, this new generation of malware was designed to evade detection by early antivirus software by mutating its code and changing appearance.

1990—Chameleon introduced as the first polymorphic malware.

1991—The first widespread polymorphic virus found in the wild (Tequila).

1992—DAME toolkit turns ordinary viruses into polymorphic viruses.

1995—The first macro virus is created.

2000—Loveletter.A spreads via Outlook and infects millions of PCs in hours.

2001—Nimda spreads through vulnerabilities in Microsoft Windows.

2008—Conficker worm appears, created with at least five variants to prevent kill attempts.


MID-2000S: SERVER-SIDE POLYMORPHISM

Around 2007, cybercriminals began to create server-side polymorphic malware, hiding the mutation engine in back-end web services. Advanced algorithms in the code mean that each time it is downloaded, a fundamentally different file is distributed, complicating detection, especially when combined with additional techniques like the use of encryption, droppers, and packers.

TODAY: HYPER-EVASIVE MALWARE

In the last few years, cybersecurity professionals have observed an emerging threat trend: hyper-evasive malware. Malware authors have evolved their programming to the point where the code itself often looks innocuous, containing nothing that is obviously suspicious. Hyper-evasive malware is typically characterized by the incorporation of many known evasion techniques, such as sandbox awareness and limited attack windows (usually only a few hours), to increase the odds against rapid detection by researchers or automated security systems. (For further detail, see the article on p. 11, “Sandboxing Reinvented: Innovation Is the Only Defense.”)

Example 1: Cerber Ransomware—This hyper-evasive malware runs at least 28 processes that check whether a debugger is installed to detect the malware, confirm the presence of virtual machines, and locate sandboxes. Cerber first appeared in March 2016, and encrypts and ransoms all images and files, converting them to .cerber files.

Example 2: Locky Ransomware—Locky emerged in February 2016, with multiple new variants appearing on a daily basis. Usually hidden in emails with business- or finance-related topics, Locky was distributed in vast quantities: 40% of all malicious emails distributed in 2016 contained a Locky JavaScript variant, and Cyren’s security cloud observed 1.5 million unique samples in a single 24-hour period in March 2016. In the first eight months after its initial launch, Locky’s creators repeatedly adapted it to evade detection, introducing new sandbox evasion techniques, new downloader decryption routines, attachment format changes, changes to delivery methods, and additional obfuscation layers, among other tactical changes.

TOMORROW: THE FUTURE OF MALWARE

With tremendous amounts of money to be made exploiting the gaps in the security deployed by many companies and individuals, malware is unfortunately proving a growth industry. Criminals are continuously seeking ways to enhance malware delivery and the effectiveness of the delivered payload. Among our principal expectations for the near future:

More IoT-driven Malware—With little or no protection on so many Internet of Things (IoT) devices and enough computing power to host botnets and distribute malware, criminals will increasingly leverage these devices to distribute viruses, ransomware, and malware. Researchers report that IoT botnets ranging in size from 100,000 to 400,000 devices can be hired for $3,000 to $7,500 per attack, making their creation and use all the more attractive to criminals.

More Ransomware—The proliferation of exploit kits and self-service ransomware offerings is allowing even unsophisticated, untrained would-be hackers to get into the ransomware “business.” More ransomware will be distributed in a “Ransomware-as-a-Service” (RaaS) model, where affiliates distribute the ransomware, while the ransomware developers earn a commission from each ransom payment.

EARLY ADVANCED MALWARE TYPES

POLYMORPHIC MALWARE—Decryptor-type malware with potentially highly variable elements, which affects the size and/or shape of the code, including altering subroutine creation and inserting large blocks of garbage instructions, code “islands”, or even algorithmic register initialization.

METAMORPHIC MALWARE—Uses a technique whereby the malware code, when executed, outputs a logically equivalent (but not exact) version of itself.

OLIGOMORPHIC MALWARE—Used by a virus to generate a decryptor (for itself) by randomly selecting pieces of the decryptor from several predefined alternatives.

1 MILLION TIMES THE MALWARE OF 1989!

Known malware:

1989: ~60

Q2 2017: 60,677,485


Interview with Fridrik Skulason: Pioneer Discusses 30 Years of Fighting Malware

Tell us about your start in the AV industry.

Back in 1987, I started a small software company of my own. My first projects were developing a spelling software tool and a genealogy program for Icelanders. In 1989, I was looking around for something to do, so I took a job as a contract programmer for IBM in Iceland. One day when I was working in the IBM office, IBM got hit by a Cascade virus—a simple parasitic file infector. Everyone went into panic mode because no one knew how to stop the virus. Since I was the only assembly language programmer around, I asked for and got a copy of the virus. I took it home and disassembled it. I wrote antivirus code to stop it. At the time, John McAfee was paying people to do antivirus development. So, I sent the virus and solution to McAfee and he sent me his collection of then-known viruses.

To put this into perspective, at the time there were only about 50 known viruses. The malware industry was nothing like it is today. Today all malware is written for financial reasons. People want to make money one way or another. Back then, the purpose of distributing a virus was totally different. Authors were writing viruses to get attention. For example, the Michelangelo virus only infected a few hundred computers, but the publicity was such that it convinced 100 million people that they needed antivirus software.

Did you think it would be this long term?

I thought “this is interesting but it is never going to be a serious business.” After I wrote the antivirus program in 1989, I thought “what am I going to do next year?”

What are the main changes that you have seen in malware over your career?

I think it has been a steady process. The rate of development since the late 1980s has been a doubling of new viruses every 11.5 months. We used to look at that statistic and joke that by the 21st century we are going to have hundreds of millions of viruses. Guess what? Today, we have hundreds of millions of viruses.

We’ve had a few breakthroughs in virus development and structure. We’ve seen parasitic viruses, macro-viruses, and script viruses. The most dramatic change I think is the amount of time it takes for a virus to spread. Back in 1989, the lifetime of a virus would have been measured in months, since it would take months for it to spread. Antivirus companies often wouldn’t even see a copy of the virus until after it had been in distribution for a few weeks. And, then the virus would continue to spread for a few months after. Today, the lifespan of malware is measured in minutes. We’ve seen the appearance of server-side polymorphics and sites that distribute malware, with the malware changing every few seconds.

Prior to polymorphism and short-lifespan malware, we had parasitic viruses that would infect all the systems with functionally equivalent versions of itself. Today, we’re not dealing with polymorphic malware, but instead a polymorphic generator that is continually spitting out new malware versions. We used to be able to analyze the malware and test the samples with enough time to get anti-malware tools distributed before significant damage was done. Today with server-side polymorphics, we are only able to see a small part of the malware, and we have to work hard to develop an anti-malware solution that works with all versions.

Early security innovator Fridrik Skulason puts today’s threats in perspective, and lets us know what the future holds.

About Fridrik Skulason — Known for his industry-first use of a heuristic engine for antivirus threat detection at the end of the 1980s, today Fridrik is the Vice President of Antimalware Technologies at Cyren. He is a founding member of CARO, the Computer Antivirus Research Organization, and served for many years as the Technical Editor of Virus Bulletin. Fridrik holds a degree in computer science from the University of Iceland and has mentored many promising antivirus researchers throughout the world.

8 CYREN MALWARE THREAT REPORT | AUGUST 2017

Have you ever met a malware author? What motivates them?

I did once track one down. It was a long time ago. There was this malware called Denzuko—it was sort of harmless. It was a boot sector virus that put itself in the boot sector and then put the original boot sector on track 40 when you would boot your machine. It really didn’t do much damage, at least not until the 3.5” floppies appeared. They had 80 sectors. This type of malware suddenly became deceptive because it would overwrite a full track in the middle of the disc. I was analyzing the virus and noticed there was a sequence hidden in the code that didn’t make any sense—just four or five letters and numbers. It looked like a ham operator call sign. On a whim, I looked up the call sign and it turned out to belong to someone in Indonesia. This person was, in fact, the author of the virus. Originally, it was really common for malware authors to sign their creations somehow so the antivirus community would give attention to the right person. But this changed when it became about financial gain. You don’t want to do anything that draws attention to yourself.

As an example of this, the author of the famous “Melissa” worm was eventually found. When he was asked “who is Melissa?” it turned out that he had added the name of his favorite performer at a local gentlemen’s club to the code.

In terms of what motivates malware authors, most of them today are someone that works full-time on writing malware. In Taiwan, there was recently a case where a group of malware authors were caught and pardoned in exchange for working for the military. There is also quite a lot of malware from Russia and Eastern Europe developed by an entire organization—an actual office of people that show up and spend their working day writing malware for a paycheck. Some of this malware coming out of Russia, Belarus, and the Ukraine is interesting because it has code that excludes infecting computers with language settings to Russian and Ukrainian. The infamous ransomware Locky was like this. It is hard to capture these criminals, because typically the police don’t bother the malware authors if they’re not trying to steal from the locals.

But then you also have people who work solo. There was a conference in Poland earlier this year where a case study was presented on a particular malware author and how his work has progressed over the years. The challenge for local police and organizations like the FBI and Interpol is that if you perform your crime somewhere else in the world it creates a lot of interesting legal loopholes that the criminals exploit. The person from this case study in Poland wasn’t doing anything sufficiently big enough for Interpol to get involved, so he was able to continue to do his work.

Are you still writing code?

I write code for part of the system that makes the detections. One of the big issues with polymorphic malware is that you want to write generic code—it can’t be specific to samples, because then you’re only getting an anti-malware solution for that sample. Today, the number of samples is so huge that we try to define closely related samples and write a generic detection so the anti-malware detects everything similar in that sample cluster.

What is the most difficult malware to deal with?

Server-side polymorphics can be dealt with because we get lots of samples and they’re easy to obtain. The really tough malware is targeted attack malware—the type that is written to get into one computer or system—such as industrial or military. With this type of malware, the criminals want to get their software onto the PC of a particular person because that person has something they really want, such as financial info that hasn’t been released, a new missile design, etc. And, the perpetrators behind this type of malware are sometimes governments which makes accessing this malware more difficult.

Can you tell us a little more about hover malware?

This is a new type of malware that tricks the user into executing the malware simply by hovering over a link with the mouse. The malware itself isn’t complex, but because so many people are trained to check the veracity of a link by hovering over it, it is possible that more people could become infected with this type of malware if it gets past anti-malware solutions.

In truth, the most painful type of malware these days is ransomware. It is causing a lot of headaches and two-thirds of the victims don’t get their data back, even when they pay the ransom.


There are a lot of AV companies that claim they can stop ransomware based on activity. Will these approaches work?

Yes, these approaches can work, but they could also potentially be bypassed. The ransomware might also be programmed to detect the AV and get around it somehow. For the past 30+ years, we have been stuck in an arms race. The malware authors come out with new techniques and we come up with new defenses, such as generic, heuristics, malware networks, machine learning algorithms, and then they respond.

What promising new AV technologies are you aware of?

So many companies claim they have a new approach. But, in reality the foundations for the anti-malware are essentially the same.

What about social engineering and malware?

The social engineering part is a big thing. For the past 20 years, people have found that social engineering of one type or another is the best way to bypass the human part of the system security. If you can convince someone to run something or authorize something, no technical solution, no matter how clever, is going to protect you. It is a primary tool when you have a targeted attack, because you have a particular person that needs to do something special. In some cases, the malware criminals go to extremes, such as hacking a website that is specific to a person or pretending to be someone that works at the company. I’ve even heard of scenarios where the criminal calls someone at the company personally and pretends they’ve spoken to a senior executive who has instructed them to get information, passwords, etc.

What about locked-down environments like Apple and soon Microsoft? Can this work?

Unfortunately, it isn’t a simple question. In these scenarios, you’re creating an environment where someone else has the ability to completely control and restrict what goes on a personal computer. In a sense, this approach is like saying you’re protecting your computer by putting it into a block of concrete and dropping it in the Atlantic Ocean. For organizations like the military, systems where users cannot install new software or visit a website that requires scripting support on the browser, this approach likely adds a level of protection for the organization. However, I don’t see it working for your “average joe” home user. My experience is that the average user hears about a certain type of software that is interesting and if it isn’t available on his app store, he’ll just get it elsewhere. It always comes down to the human factor. In the end it is just hard to educate people that don’t have computer skills.

Is mobile malware a real threat? Most of it seems to be adware. Is it hard to get it into the app stores?

For all practical purposes, mobile malware isn’t a significant threat. The main Android and Apple app stores do a reasonable job of weeding out malicious software. You can use social engineering to trick someone into installing from a questionable source, but in general that is not the case. With mobile malware, there is a limit to how much it can do. Our phones are smarter and have more sensitive stuff, so mobile malware could be a target for certain users—for example, people who use mobile banking systems—but in the end, delivery is still difficult. Many of the methods of delivery and infection, such as emailing content, sending office documents with macros, and using malicious scripts don’t really work well on mobile devices. Once mobile devices get updated to handle these forms of content then malware will be more common on mobile.


Can you talk a little bit about malware and the Internet of Things?

Today we do have remarkable things going on with IOT. One of the primary issues as it relates to malware and IOT is that these IOT items are cheap and mass produced. A good example is light bulbs. When you’re mass producing something like a smart lightbulb, you don’t really want to spend anything more on security than you absolutely have to. There was a recent story of a proof-of-concept attack on lightbulbs in Israel. The researchers set up a series of Philips light bulbs that are controllable with an app. They put a Bluetooth device on a drone and put the drone right outside the window of the office where the lightbulbs were installed. The drone sent a message to one lightbulb that essentially said: “I have a firmware update for you.” The lightbulb accepted the update and then shared it with the lightbulbs nearby. The update spread throughout the entire floor almost instantly. This proof-of-concept malware then permanently disabled the firmware updates and made all the lightbulbs flash SOS—dot-dot-dot/dash-dash-dash/dot-dot-dot.

Now, imagine something like this switching off lightbulbs in a whole city!

As another example of manufacturers building smart appliance/IOT software as cheaply as possible, there are some home appliances that have the Pandora music application installed. Now, why does a refrigerator need Pandora? It is because the software for these smart appliances is using the same UNIX system as what is on a home entertainment system. It was simply cheaper to use this UNIX system on a fridge than to create a new one. Cars are very interesting too. There are demonstrations of how you can take over a car—take over everything—including switching off the brakes and controlling the steering.

What about malware on a grand scale, for example against entire regions or countries?

This is very interesting because at some point in the future, we are going to see the weaponization of malware. For example, you could in theory do something similar with a power grid—the EU power grid is all interconnected. Same with the US/Canada grid. Something like this is nothing short of an act of war. But, it takes a lot of resources to do this and it will not likely be done by a single lone hacker. If something like this happens it will likely be perpetrated by a government. In fact, it is probably safe to assume that malware of this type probably already exists and is being held in storage for a “special” occasion. There was some news recently about this type of malware being discovered having been targeted at the Ukraine. Ironically, though, some regions of the world may not have to worry about this type of attack—on a power grid, for example. Some parts of Africa and Asia are using technology developed in the 1950s that is just too old to make a large-scale power grid attack viable. And then there are countries that simply don’t have a nationwide grid.

Can you give us any predictions for future malware?

We’re going to get more of the same, but with differences. I know that sounds contradictory, but seriously, if you look at history it tells us that what we’re seeing today is similar to what we’ve seen in the past, just on new platforms, with new approaches, etc. I don’t think we’re going to get anything significantly revolutionary in the near future. If you want to get into science fiction speculation, someday we might see dramatic new malware with human cybernetics. But we’re not there yet.

Fifteen to twenty years ago, I used to access the sites of the AV vendors and they would list the malware and what it did. Some people still expect that. But most malware nowadays has such a short lifespan, so it is fairly pointless to devote intensive human analysis resources simply to determine what a malware does, when what you really need to do is stop the malware first. Protection of the end-user is the priority.

Smart Devices May be Offering Up Doses of Not-so-smart Malware

The impending malware onslaught delivered via Internet of Things (IoT) botnets that so many cybersecurity professionals had been predicting over the last few years has decidedly arrived. During 2016, cybercriminals recruited over 1,000,000 IoT devices to distribute the Mirai and Bashlight botnet malware. Used primarily for distributed denial of service (DDoS) attacks, these botnets targeted everything from security blogs to Twitter, CNN, and Netflix, as well as Dyn, a company that controls much of the Internet’s domain name system (DNS) infrastructure.

As malware and ransomware continue to grow at epidemic levels, Internet of Things botnets are particularly dangerous. With an unlimited supply of poorly protected Internet-connected devices, criminals can easily leverage the power of botnets to deliver their malware payloads. When a criminal can garner $50K to $100K in a single ransomware attack, IoT botnets that can be hired for as little as $3,000 per attack offer an excellent return on investment.



Sandboxing Reinvented: Innovation Is the Only Defense

In the repeated battles with cybercriminals on the many malware fronts, security researchers have continually resorted to innovation to identify and halt threats.

Early malware security tools included capturing a hash fingerprint or signature and then using this hash to isolate and block additional identical versions of the virus. When criminals learned to evade this technique with polymorphic malware, security professionals like Fridrik Skulason, the subject of this report’s in-depth interview (p. 7), developed heuristics, applying more generalized detection rules in order to catch “unique-ified” variants of a single malware.

Later, analysts relied more and more on sandboxes, which run malware in isolated (“walled”) environments so that the rest of the malware lab is protected. A sandbox provides an environment intended to dupe the malware into thinking it has arrived on an actual end-user system, so that it executes and reveals its behavior, which can then be detected and blocked whenever the sample appears at a security gateway. To avoid detection in sandbox environments, malware authors began designing malware to “play possum” while in the sandbox, that is, to remain inert and lie low until the analysis has run, revealing nothing that might be construed as malicious. A sandbox runs both static and dynamic analyses (see definitions below) to automatically observe and document malware behavior if the malware executes or “detonates”: which files are dropped or downloaded, which IP addresses and URLs are contacted, which registry entries are changed, and which processes are created or tampered with.

THE SANDBOX IS DEAD: LONG LIVE THE SANDBOX

A study commissioned by Cyren and conducted by Osterman Research (July 2016) found that over 50 percent of small and mid-sized companies in the U.S. (100 to 3,000 employees) report having deployed an appliance-based sandboxing capability.

The broad deployment and very success of appliance-based sandboxes and AV-lab deployments has led (unsurprisingly) to innovations by criminal enterprises, with newer “hyper-evasive” malware successfully evading sandboxes by exploiting the limitations of the traditional sandbox appliance architecture, such as:

1. The fixed amount of physical resources (i.e., memory and processing power) available in a server appliance limits the scalability of the solution in terms of total analysis object load and the depth of analysis performed.

2. The reliance on virtualized environments, the presence of which can be detected by malware.

3. The lack of diversity in the scope and origination of the tests employed, with the variety and nature of tests limited to those devised by the specific sandbox vendor.

4. The fact that any specific sandbox performs one kind of analysis best, e.g., operating system or registry or network behavior analysis.

Sandboxing solutions typically use two categories of analysis:

STATIC ANALYSIS—Performed by the system without executing the suspected code. Examples include file fingerprinting, extraction of hard-coded strings, file format metadata, emulation, packer detection, and disassembly.

DYNAMIC ANALYSIS—Performed by the system while the suspected code is executed inside a sandbox. Examples include diffing snapshots of system state (files, registry, processes) taken at defined points of the run, and observing run-time behavior such as API calls and network connections.




EVADE, ESCAPE, & ATTACK

Malware developers invest a lot of time and energy in optimizing their evasion techniques for each sandbox platform on the market, knowing that once they have found a “tell” for the particular sandbox in use, their evasive techniques will get them past the organization’s last line of defense or prevent analysis by security vendors.

As an example of this last approach, Cyren is seeing recent ransomware downloaders that require an additional parameter, supplied by the downloader script, before the downloaded ransomware code will execute. A sandbox that receives the downloaded file on its own, without the full script, lacks that parameter, so the payload never detonates under analysis.

MALWARE HIDE-AND-SEEK

When put under the microscope and run through its paces, many malware samples reveal a high level of sophistication and serious investment in sandbox evasion techniques. Cyren researchers identified an impressive 28 functions within a single variant of Cerber ransomware to check for the presence of and hide from appliance behavioral analysis, including checking if a debugger has been installed to detect the malware; looking for the presence of virtual machines; and making payload execution conditional upon the inclusion of an added component that is missing from the initial download and prevents the code from “detonating” or revealing its true behavior in a sandbox.

The extent and variety of functions shows that malware writers are hard at work researching the sandbox and debugging technologies widely used by many security vendors.

A GAME OF CAT AND MOUSE

The 2016 Locky ransomware also highlights the nature of the hyper-evasive threats we now confront. As Locky spread around the globe last year, researchers noticed frequent mutations and re-obfuscations of its delivery scripts within short periods of time, suggesting that the cybercriminals behind the malware regularly checked whether the scripts were being detected by anti-malware products.

Initially, the Locky malware was delivered via a macro in a malicious MS-Office document or spreadsheet, which called out to a C&C server to download the main components. The delivery quickly switched to JavaScript which initiated a download from legitimate, but compromised, websites. And, then shortly after the distribution with JavaScript began, the malware developers switched back to distribution via document macros.

On top of the constant adaptation in distribution techniques, the criminals used advanced obfuscation techniques from the start. Binary components arrived as packed executables, making them unique during each wave; the ransomware files wouldn’t execute without a downloader, preventing sandboxes from analyzing the binary payload, if the sandbox was processing separately from the script; new decryption routines appeared; and different techniques were employed for downloading Locky’s binary executables.

Check functions performed by Cerber ransomware to evade detection:

VIRTUAL MACHINE CHECK FUNCTIONS:

• Parallels
• QEMU
• Oracle VirtualBox
• VMware
• an unknown VM

MULTIPOT SANDBOX CHECK FUNCTIONS:

Loaded modules checked against:
• sbiedll.dll - Sandboxie
• dir_watch.dll, api_log.dll - Sunbelt Sandbox

DEBUGGER PROCESS CHECK FUNCTIONS:

• CommView Network Monitor
• WinDump
• WireShark
• DumPCAP
• OllyDbg
• IDA Disassembler
• SysAnalyzer
• SniffHit
• SckTool
• Proc Analyzer
• HookExplorer

Common Techniques for Evading Sandbox Analysis

• Detecting the existence of a virtual environment

• Delayed activation, that is, attempting to “out-wait” the sandbox

• Awaiting human interaction, like specific mouse movements usually not found in a simulation

• Making payload execution conditional



LOCKY DOESN’T SPEAK RUSSIAN

As an interesting side note, the developers specifically designed Locky to check which language was set on the computing device. If the language was set to Russian, Locky deleted itself from the system. Other malware families have exhibited the same behavior of avoiding infections in specific countries such as Ukraine, Belarus, and China. The check cuts both ways for analysts: a sandbox image configured with a Russian UI language or keyboard layout will never see the payload detonate.

CLOUD-BASED PROCESSING SUPPORTS AN ARRAY OF MULTIPLE SANDBOXES

For cybersecurity professionals, the appropriate response to hyper-evasive malware is a step change in the analytical capacity of all systems, including behavioral analysis systems. With the elastic processing scale and big-data analytical capabilities of cloud computing now available to cloud-based security systems, Cyren has developed a next-generation sandboxing array that subjects each sample to several different sandboxing environments, so that a sample which recognizes and evades one environment is still likely to detonate in another. This approach dramatically improves the ability to catch and kill hyper-evasive malware.


Figure 1: Example of Heavily Obfuscated Code in Locky

Figure 3: The Cyren sandbox array automatically deploys malware into different sandbox “branches,” including environments with SSL termination needed to capture the traffic flow to command and control servers.

Figure 2: Side-by-side comparison of downloaded Locky binary code, encrypted (left) and then decrypted (right)



In the future, when you think about billion-dollar industries, make sure you include ransomware.

According to security researchers, ransomware proceeds crossed the $1 billion dollar mark in 2016, based on currency calculations from ransomware-related Bitcoin wallets. And, some experts believe that number might even be low. In fact, it is easy to imagine the value of ransomware only getting bigger. Leaked attack exploits (think WannaCry and Petya), as well as ransomware-as-a-service (RaaS) models, mean that cybercriminals have numerous avenues to ply their “wares” (or in this case, “ransomwares”).

ETERNALBLUE: THE GIFT THAT KEEPS ON GIVING

Global ransomware attacks are unquestionably on the upswing. Take the WannaCry ransomware that hit the global stage with a bang in May and used a stolen National Security Agency (NSA) exploit for Windows called ETERNALBLUE. The hacking group known as “The Shadow Brokers” released the exploit code in mid-April; it takes advantage of a vulnerability in the Windows SMBv1 protocol (CVE-2017-0144, fixed by Microsoft’s MS17-010 update in March). Using worm-like capabilities, WannaCry (aka WannaCryptor and Wcrypt) infected hundreds of thousands of PCs in at least 100 countries within a day of its appearance, upending operations at care facilities affiliated with the United Kingdom’s National Health Service (NHS), Deutsche Bahn ticket machines, FedEx, and Telefonica. WannaCry initially demanded a ransom of $300 in Bitcoin, although the amount reportedly escalated over time.

And, in June, just as people thought it was safe to go back into the water, a variant of the Petya ransomware (widely referred to as NotPetya) appeared, using the same ETERNALBLUE exploit. (It seems that after the WannaCry attack, many businesses and governments STILL had not installed the MS17-010 patch issued in March.) The variant built on the Petya ransomware distributed in 2016 but added the worm-like ETERNALBLUE exploit; it also spread inside networks using stolen credentials and standard Windows administration tools, so fully patched machines on the same network were not immune. This new version hit institutions around the globe, crippling transportation infrastructure like the airport and subway in Kiev, shutting down shipping terminals in the Netherlands, and compromising business networks from Russia’s Rosneft to British advertising giant WPP.

Billion Dollar Industry? It’s Called Ransomware.

Figure 3: The WannaCry ransomware infected systems in 100 countries around the globe.

Cyren Cloud Security Blocks Petya and WannaCry

Automated cloud security offers the ability to detect and stop threats in real time. Cyren first detected and blocked this variant as W32/Petya.VUNZ-1981, as the outbreak began. Cyren Web Security also detects and blocks WannaCrypt Command & Control calls.



RANSOMWARE-AS-A-SERVICE MODELS

It appears that cybercriminals are taking their lead from established business service models. In February 2016, the “Cerber” ransomware first appeared in the form of Ransomware-as-a-Service (RaaS), in which affiliates distribute the ransomware while the Cerber developers earn a commission from each ransom payment. In February 2017, Cyren detected fresh outbreaks of Cerber distributed using variants of a popular malware distribution tool known as “Nemucod”, a JavaScript downloader family that lets the operators generate thousands of variants of the Cerber dropper, making signature-based detection difficult.

PROTECT YOURSELF & YOUR FILES WITH THE LATEST TECHNOLOGY

Ongoing preventative measures, such as email and web gateway security, network sandbox arrays, and endpoint security with active monitoring can help ensure that corporate and personal systems remain operational, even when cybercriminals attack.

RANSOMWARE MADE EASY: ROLL YOUR OWN IN MINUTES

“Satan” is a ransomware creation service hosted as a Tor hidden service on the dark web, and it provides a complete, one-stop ransomware package for any would-be criminal. The service significantly lowers the barriers to entering the ransomware “business,” allowing even the not-so-technically-inclined to configure their own ransomware payload.

Like its namesake, this malware service is evil incarnate: ransomware-as-a-service in its purest form. The aspiring criminal only needs to register, log in, and follow simple configuration options (like “How many days until the payment period expires?”) to create a new variant of the Satan ransomware. Once the variant is created, the criminal downloads it and begins distribution. Like Cerber, Satan runs on a revenue-sharing scheme rather than an up-front licence: it is essentially a private-label ransomware payload provider with easily configurable options and an automated dropper generator. Once the ransomware is distributed and victims begin paying the ransom in Bitcoin to regain access to their systems and data, the Bitcoins are credited to the account created on the Satan site, and Satan keeps a 30% cut, on a sliding scale that decreases with the number of infections and payments made.

The configuration pages for your very own Satan ransomware, shown below, are simple and cleanly designed. They let the user configure their own ransomware and generate a dropper to deliver the payload.



In the beginning, Tim Berners-Lee gave us HTTP as the protocol for browsers to speak with the Web.

Netscape (remember them?) then gave us HTTPS, initially conceived as a best practice for online payments, and it has moved well beyond that today. By layering SSL (now TLS) encryption under HTTP, information sent between a web browser and a website cannot be read or modified in transit, in principle protecting credit card data or personally identifiable information (PII).

Only there’s a catch—making data private doesn’t speak to what data is being sent. During an in-depth analysis of cloud threat data, Cyren researchers found that more than a third (36%) of all malware is now using HTTPS, and that number is growing strongly.

The evident conclusion is that any security which only inspects HTTP traffic has left a very large, open door available for malware utilizing HTTPS, and recent Osterman Research surveys commissioned by Cyren show that the majority of companies around the globe do not inspect their HTTPS traffic for threats.

THE GREEN PADLOCK: PRIVATE, BUT NOT SECURE

Most Internet users have been well trained to give their personal information only to a website displaying the padlock symbol. By encrypting the data in transit, SSL/TLS ensures that the data remains private and viewable only by the intended recipient. Many site seals add phrases such as “100% secure transaction” or “100 percent secured website guaranteed”, implying to the user that the website is trustworthy and safe.

To set up an HTTPS connection, a web server needs an SSL/TLS certificate. Commercial certificate authorities charge for certificates and, for organization- and extended-validation certificates, verify company and website details before issuing. Domain-validated certificates, including free ones, prove only that the applicant controls the domain name, and a malware distribution site can obtain one as easily as a bank can. Once an HTTPS session is established, there is an encrypted link between the website and the customer’s browser.

But for many Internet users, the SSL/TLS/HTTPS site seals that say “100 percent secured website guaranteed” create confusion around what TLS does and does not do. While TLS protects against eavesdropping and tampering with online communications (such as man-in-the-middle attacks), it enforces nothing beyond encryption and server authentication. This means that TLS hides valid data and cyber threats equally well.

HTTPS IS NOW THE NORM FOR THE WEB Many may not be aware, but 2017 is proving a watershed year for the ongoing shift to web traffic encryption. For the first time, the amount of HTTPS traffic flowing between browsers and web sites has surpassed unencrypted HTTP traffic, according to published browser data from Google Chrome and Firefox (which together represent 75% of global browsers in use).

And, in the short space of six months to June 2017, that percentage of SSL connections has accelerated to 68% of all loaded web pages.

This “SSL-ization” of the web was really kicked off by the revelations by Edward Snowden in 2013, and has been further fed by organizations like Google and the Electronic Frontier Foundation (EFF), which have initiated projects to promote HTTPS and make it more easily available. The Electronic Frontier Foundation has for some time promoted a browser plug-in called HTTPS Everywhere. Since 2014 Google has been offering a powerful carrot to stimulate HTTPS adoption, providing a search ranking boost to sites which encrypt their traffic. This past January the company matched a powerful stick to this carrot, penalizing non-HTTPS pages by displaying a “Not Secure” warning. This is initially for pages which ask for a password or payment information, but in October 2017 this is intended to be applied more broadly, eventually encompassing all pages.

FREE SSL CERTIFICATES ALSO DRIVING ADOPTION

Also contributing heavily to the recent acceleration towards HTTPS is the launch in April 2016 of the free SSL certificate authority “Let’s Encrypt,” which in the short span of a year is already issuing over 1 million SSL certificates a month. Analysts estimate that soon a majority of websites will use HTTPS encryption, in addition to the current preponderance of HTTPS traffic.

HTTPS Is Not Secure Malware Increasingly Hides in HTTPS Traffic


MALICIOUS USE OF HTTPS WAY UP

Malware authors have also been making the move to encrypted traffic, effectively hiding their malware from any security system which does not inspect HTTPS. In 2013, NSS Labs performed a study which found a very small percentage—only 1 percent—of malware was using SSL. Cyren researchers began noting increased usage of HTTPS by malware authors in 2014, such as when Dyre and Cryptolocker began using HTTPS in botnet Command & Control communications. Research across a sample of 800 million transactions from the Cyren security cloud in Q1 2017 revealed that 36 percent of all malware today is utilizing HTTPS, compared to the 1 percent figure in 2013. The move to HTTPS for malware is also well illustrated by the fact that every major ransomware family since January 2016 has been distributed at some point via HTTPS, including Petya, Locky, and Jigsaw.

Cybercriminals are also using HTTPS for malvertising campaigns—creating fake web ads to deliver SSL-encrypted malware and ransomware payloads. Comparing data from the 4th quarter of 2016 to the 1st quarter of 2017, Cyren researchers found a major jump—30 percent—in the use of HTTPS by malvertising campaigns, considering all types of malware. When the focus is narrowed to just ransomware campaigns, the jump was 50 percent.

HTTPS INSPECTION IS PROCESSING INTENSIVE

In order for companies to examine data sent via HTTPS, they first need to decrypt it. And, unfortunately, the reality is that decryption processes to date haven’t been simple or inexpensive, explaining why a majority do not inspect SSL traffic. In the past, the choice to inspect or ignore has come down to the fact that security appliances can’t scale practically and economically to meet the additional processing requirements to decrypt, process, and re-encrypt HTTPS traffic. Properly inspecting all SSL traffic requires a significant amount of computer processing power. By its very nature, an on-premises security appliance has a specific and limited CPU that doesn’t lend itself to the kind of highly elastic on-demand processing required for HTTPS traffic. In contrast, today’s cloud computing environments are ideally suited to such processing-intensive tasks.

To perform SSL traffic inspection with appliances, companies invariably face trade-offs between throughput and security: if you turn features on, the amount of traffic a given box can process can drop dramatically. Miercom has produced several studies on the impact on appliance throughput when additional features are turned on, including specifically the impact of HTTPS inspection on the performance of firewalls and unified threat management (UTM) devices from a cross-section of vendors, finding throughput degradation of over 80 percent to be common. One such study, published in October 2016, found that turning on HTTPS decryption reduced throughput by 57 to 93 percent for the firewalls tested, depending on the model. With appliances operating in full UTM mode, throughput degraded by up to 89 percent compared to processing of unencrypted HTTP traffic.

So security managers invariably face a difficult choice—keep adding additional appliances to handle the increased load—or forego HTTPS inspection. The outcome for most companies has been simply to not inspect anything that comes via HTTPS, creating a critical security gap.

SCALABILITY, SCALABILITY, SCALABILITY.

In the end, the only way to protect from HTTPS-delivered malware is through a security solution that both decrypts and can scale to meet the data needs of any organization. One solution that solves the scalability challenge is a cloud-based sandbox array (see article on p. 11), which takes advantage of both cloud-scale computing and the ability to run highly evasive malware iteratively through multiple different sandboxes to ensure detonation. Cloud-scale analysis offers the unlimited and flexible processing power needed to perform multiple and different types of data analysis in parallel, such as SSL termination and data processing, even when the computing device is operating at a remote location.

Jigsaw and HTTPS Delivery

Active between April and November 2016, the Jigsaw ransomware borrowed the imagery of the cult psychological thriller “Saw”: it takes over a computer and plays a Saw-style video while files are encrypted, then deletes files if victims do not comply with payment demands. Its main attack vector was malicious .doc files spammed out by email; when opened, the macro (the malware is named for the serial killer in the movie) downloads the ransomware executable from various cloud storage and file-upload services.

Cyren first detected a spike in malicious macro documents downloading the Jigsaw ransomware from HTTPS sites in June 2016. A comprehensive review of Jigsaw propagation patterns showed that many of the infections took place, or were attempted, via HTTPS delivery.




It isn’t enough today to rely on one security appliance or outdated security software. The following tips will help you to improve your security:

• Deploy an email security gateway with advanced threat protection: The majority of cyber-attacks start via email, and the best defense is to stop malware before it reaches your users. Effective email security must detect and block threats on first sight rather than wait for detection updates issued after a new threat has been discovered.

• Deploy a web security gateway with advanced threat protection: Even if a user clicks on a link or activates an email downloader, these need to retrieve the malware from the Internet. An effective web security gateway will stop even new and zero-day malware downloads, attempts to access malicious URLs, and communications with botnet command and control.

• Deploy cloud sandboxing: Effective cloud sandboxing should itself provide multiple detection layers to ensure blocking of advanced malware that can evade detection in virtual machine-based sandboxes. Sandboxing is complex and notoriously slow, so be sure that it does not inject significant delays into email or web content delivery. Cloud-based sandbox arrays take advantage of both cloud-scale computing and the ability to run highly evasive malware iteratively through multiple different sandboxes to ensure detonation.

• Deploy endpoint security with active/behavioral monitoring: Malware evolves quickly and you need to augment traditional AV with next-generation detection.

If your company is attacked, these six tips will help you to prevent additional infections and recover quickly:

• Deploy post-infection detection and response technology: A web gateway that blocks malware “phone-home” communications is a good starting point to detect compromised endpoints.

• Backup regularly and keep a copy off-site: If your files are ever encrypted by ransomware, then you can simply restore them after removing the ransomware. You should test that your backups can be restored—don’t wait till an emergency!

• Train your users: For malware to get into your organization, an employee will have to click on a link or open a malicious attachment. Educate users about the dangers and about the social engineering tricks that are used.

• Limit network shares: Current malware exploits network and sharing vulnerabilities and seeks out mapped network drives with large file repositories, and ransomware encrypts whatever the logged-on user can write to. Map only the shares a user actually needs, grant write access only where it is required, and keep backups on storage the endpoint cannot write to.

• Patch early, patch often: Outdated operating systems, browser, and plugins are major vectors for malware infections.

• Turn off admin rights for your users: Some malware leverages admin privileges. Only allow admin privileges to staff trained to use and understand them.

Best Practices A Layered Architecture to Stop Malware


The Cyren GlobalView™ Threat Trend Indices are published quarterly and are indicators of global tendencies for the principal types of Internet threats. The indices are compiled from operational data from the Cyren GlobalView™ Security Cloud, which processes over 25 billion transactions daily.

Most notable during the 2nd quarter of 2017 was the dramatic increase by 586 percent of email-attached malware distributions—a sharp contrast to the previous quarter’s comparative decline of 98 percent. This quarter’s increase is almost entirely attributable to a resurgence of ransomware in the form of Jaff and Locky, both distributed via the Necurs botnet. In addition, after a 20% decline in the 1st quarter, spam activity increased slightly. Phishing, Android malware, and overall malware continued to grow at a steady pace during this period as well.

Detailed second quarter numbers are presented below.

CYREN GLOBALVIEW THREAT INDICES, Q3 2016 TO Q2 2017 (quarterly values as printed on the charts; the Q2 2017 change is relative to Q1 2017)

Index                                     Q3 2016    Q4 2016    Q1 2017    Q2 2017    Q2 2017 change
Malware samples                           45.70M     34.90M     49.16M     60.68M     UP 23%
Phishing URLs                             5.41M      7.38M      9.41M      10.60M     UP 13%
Spam detected                             54.600M    62.714M    50.277M    51.715M    UP 3%
Android malware samples                   2.980M     2.770M     2.966M     4.653M     UP 57%
Active malware URLs (web)                 1.67M      2.16M      1.98M      2.30M      UP 16%
Email malware detected                    1,588M     4,615M     70M        480M       UP 586%

The spam and email malware charts are drawn against axes labelled in billions (30B to 60B and 0 to 5B respectively), so those rows are in the chart’s own units as printed.

Cyren GlobalView Threat Trends—Q2 2017

www.Cyren.com

@CyrenInc

www.linkedin.com/company/cyren

©2017. Cyren Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of Cyren and may not be transmitted or reproduced without Cyren’s express written permission. All other trademarks, product names, and company names and logos appearing in this document are the property of their respective owners.

Headquarters

US, Virginia: 1430 Spring Hill Road, Suite 330, McLean, Virginia 22102. Tel: 703-760-3320, Fax: 703-760-3321

Sales & Marketing

US, Austin: 10801-1 North Mopac Expressway, Suite 250, Austin, Texas 78759

UK, Bracknell: Venture House, Arlington Square, Downshire Way, Bracknell RG12 1WA

US, Silicon Valley: 1230 Midas Way, Suite 110, Sunnyvale, CA 94085. Tel: 650-864-2000, Fax: 650-864-2002

R&D Labs

Germany: Hardenbergplatz 2, 10623 Berlin. Tel: +49 (30) 52 00 56 - 0, Fax: +49 (30) 52 00 56 - 299

Iceland: Dalshraun 3, IS-220 Hafnarfjordur. Tel: +354-540-740

Israel: 1 Sapir Rd., 5th Floor, Beit Ampa, P.O. Box 4014, Herzliya 46140. Tel: +972-9-8636 888, Fax: +972-9-8948 214

Cyren (NASDAQ and TASE: CYRN) leads the fight against cyber attacks with the world’s largest security cloud, providing the industry’s fastest protection for over one billion users. Cyren protects enterprises with Security-as-a-Service for web, email, sandboxing, and DNS, and provides embedded detection solutions and threat intelligence to security vendors and service providers. Customers including Google, Microsoft, Check Point, and SAP rely on Cyren’s zero-day protection technology to block over 130 million threats every day. Processing more than 17 billion transactions daily, Cyren is the first to detect and the first to protect. Learn more at www.Cyren.com.
