Tuesday, August 25, 2015

Another day...

...another attack in which the "Premium" Security Guys (McAfee & Symantec) are AWOL:

- Email traversing the internet this morning with a subject of "Invoice 26949 from I SPI Ltd". The M$ Word attachment is named Report For Inv_26949_from_I__SPI_Ltd_7888.doc



- Per this Websense File Sandbox Report, the malware modifies 23 Files, 2 Processes and 417 Registry Settings.  However, the "Premium" Security/AV Guys currently find no problem with the file:



- Additionally, per the above Websense File Sandbox report, you'll notice that the malware also phones home to a site in Poland to download an additional exe. You may therefore ask, 'can the "Premium" Security Guys at least protect me from this portion of the blended threat?' Ummm... no:




Friday, August 14, 2015

McAfee & Symantec... asleep at the wheel

Remind me again how we block malicious macros in Microsoft Office files. Attachment blocking? Nope... not if it's an MS Office file, because the .doc and .xls attachments your users exchange all day look exactly the same at the gateway. Antispam signatures? Kinda... but not 100% effective. Antivirus? Well... that's what we've put our trust in for the last decade. Good decision? Consider the following:

- Email traversing the internet this morning with a subject of "invoice" and an attached excel file:



- Per this Websense File Sandbox Report, the file modifies 53 Registry Settings and downloads an executable from a recently compromised site. In fact, the download is served from the legitimate government website of the City of Noale, Italy, which has recently been compromised. Quick question/test: would your web filtering solution block that HTTP connection, given that the host's reputation is that of a valid government site? :-)

- Lastly, and as is so often the case, the vendors who command such a premium for reactive signature-based AV solutions (McAfee and Symantec) are again MIA.  Would it, therefore, make sense to reduce your AV budget by purchasing one of the vendors referenced below, and then reapply those savings towards an advanced security solution?
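Since the post above asks how one actually blocks macro-carrying attachments when extension blocking is off the table, here is an added example of the content-based check a gateway can do instead. It is not code from the original post or from any vendor named here. It walks an RFC 5322 message, and for each attachment decides by content (not by filename) whether it is a legacy OLE document or an OOXML zip and whether it carries a VBA project: for OOXML by looking for a vbaProject.bin part, for OLE by searching for the UTF-16LE storage names "_VBA_PROJECT" and "Macros" that a VBA project leaves in the compound-file directory. The OLE branch is a marker heuristic rather than a full CFB directory parse (an assumption of this example; a tool such as olevba does the real parse). The sample message, attachment names and byte contents are constructed inline, not the real samples from the posts.

```python
"""Content-based VBA macro check for Office attachments in an e-mail (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm/...) zip header

# Storage names that appear in a legacy Office file only when it carries a VBA project.
# Compound-file directory entries store names as UTF-16LE, so search for that encoding.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# In OOXML the project is a part named vbaProject.bin under word/, xl/, ppt/ ...
OOXML_VBA_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


def classify_office_blob(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the file extension.

    Returns 'ole-macro', 'ole', 'ooxml-macro', 'ooxml' or 'other'.  The OLE branch is a
    marker-string heuristic, not a full CFB directory parse (assumption of this example).
    """
    if data.startswith(OLE_MAGIC):
        return "ole-macro" if any(m in data for m in OLE_VBA_MARKERS) else "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        return "ooxml-macro" if any(OOXML_VBA_RE.search(n) for n in names) else "ooxml"
    return "other"


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in an RFC 5322 message to its content verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts[name] = classify_office_blob(part.get_payload(decode=True) or b"")
    return verdicts


def should_quarantine(verdicts: dict) -> bool:
    """Gateway policy: hold the message if any attachment carries a VBA project."""
    return any(v.endswith("-macro") for v in verdicts.values())


# --- constructed sample input (not the real samples from the posts) -------------------
def _fake_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip in memory from {part name: body}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("Please see attached.")
    # 1) legacy .doc carrying a VBA project: OLE header then the 'Macros' storage name
    doc_with_macro = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(doc_with_macro, maintype="application", subtype="msword",
                       filename="Report_For_Inv_7888.doc")
    # 2) macro-enabled OOXML workbook handed out with a plain .xls extension
    xlsm = _fake_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                        "xl/vbaProject.bin": b"\x00" * 16})
    msg.add_attachment(xlsm, maintype="application", subtype="octet-stream",
                       filename="invoice.xls")
    # 3) clean OOXML workbook
    xlsx = _fake_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
    msg.add_attachment(xlsx, maintype="application", subtype="octet-stream",
                       filename="statement.xlsx")
    return bytes(msg)


if __name__ == "__main__":
    verdicts = scan_message(build_sample_message())
    print(verdicts, "-> quarantine" if should_quarantine(verdicts) else "-> deliver")
```

The point of attachment 2 is that the verdict comes from the zip's contents, so renaming a .xlsm to .xls (or a .docm to .doc) to slip past an extension rule changes nothing; attachment 3 shows an ordinary workbook passing through, which is what makes this usable where blanket Office blocking is not.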


Thursday, August 6, 2015

Symantec Focused on Split?

As Symantec finally realizes that Security + Storage does not equal a valid business model and thereby prepares for its upcoming split, we at ESPO ask a question - is Symantec focused on Wall Street or your security? Consider the following:

- An ~80KB M$ Word doc with malicious macro is traversing the Internet today with a subject line of "Debit".  The Websense File Sandbox report can be found here.  Note how the malware performs a Zeus-like HTTP POST to a malware site in Germany.

- Convinced it's a bad file that you wouldn't want your Finance Dept receiving?  Convinced that your Symantec AV has you covered??  May want to think again regarding that second question:



In closing, it's nice to see McAfee catching this latest variant, as we've beaten up on them recently. However, we still strongly advise clients to put a File Sandboxing solution in place ASAP.