Tuesday, February 24, 2015

Back to the Future / Aug 24th

Remember when we were patching for Y2K bugs and viruses were propagating via email attachments rather than the blended (web & email) threats we've seen over the past decade?  At that point we all scrambled to install Email Gateways/Firewalls with AV engines + Attachment blocking and went to our next project.  Surprise!  The problem is back.  However, this time the files are Word and/or Excel. Not so easy to block those files, is it?  As such, ESPO strongly recommends File Sandboxing as the AV Vendors continue to seriously lag the variants. Today's attack is being sent with a subject line of "Board Order - PO15028".  An M$ Word attachment drops a couple of executables and attempts to inject itself into explorer:



Initial research indicates that this malware is from the Dridex family of financial stealing infamy.  As such, ESPO recommends that you monitor your Finance Staff (outbound bot connections found here) to validate that your IT Assets have not been compromised... as the AV Vendors are again doing a pathetic job (5 of 57 detections):



BTW - regarding blended threats, ESPO strongly recommends URL Sandboxing, in which Websense can wrap all unknown/uncategorized links so that they send your users to a landing page.  At that time you can launch a Real Time Scan leveraging the Websense ACE technology to determine if it's safe to proceed.  As such, Websense has figured out a near foolproof way to address both styles of attacks.


Wednesday, February 18, 2015

Auto Insurance App Attack / Feb 18th



A new attack started at ~6amCST with a subject of "Auto insurance apps and documents" via spam bots in Spain & India (88.2.161.115 & 59.97.76.10).  The lure was a doc attachment that, as you'll see via this link, drops a number of files with malicious intent:




You will note that a number of outbound TCP connections are made (via TCP Ports 80, 443 and 8080) to IPs currently listed in the Websense URL database as bots.  As such, a Websense Web Security Gateway customer would be protected even if an inferior Email Security Solution is in place.

BTW - we would strongly advise limiting your outbound TCP:80, 443 and 8080 connections to the IP of your Proxies only.  A Policy Based Route (PBR) or WCCP on your firewall would elegantly address this.
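The two paragraphs above make one point from two sides: the dropped files phone home directly over TCP 80/443/8080, and the fix is an egress policy that lets only the proxies open those ports. The following Python script is an added example, not code from the original post or from Websense; it models that recommended policy and runs it over a few constructed firewall log lines to find internal hosts that went to the Internet directly, flagging any whose destination is on a (constructed) bot list. The proxy address, internal ranges, log format and bot address are all assumptions.

```python
"""Egress-policy check for outbound web connections (added example).

Models the rule "only the proxy may open outbound TCP 80/443/8080" and
runs it over sample firewall log lines to find hosts that bypassed the
proxy, optionally matching the destination against a bot/C2 list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical environment values (assumptions, not from the original post)
PROXY_IPS = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WEB_PORTS = {80, 443, 8080}
# Constructed "known bot" destination, using a documentation-range address
KNOWN_BOT_IPS = {ipaddress.ip_address("203.0.113.44")}

# Constructed firewall log lines in a simplified key=value format
SAMPLE_LOG = """\
src=10.1.5.23 dst=203.0.113.44 proto=tcp dport=443 action=allow
src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=80 action=allow
src=10.1.5.23 dst=10.1.1.2 proto=tcp dport=8080 action=allow
src=10.1.5.24 dst=198.51.100.9 proto=tcp dport=8080 action=allow
src=10.1.5.24 dst=198.51.100.9 proto=udp dport=53 action=allow
src=10.1.5.30 dst=203.0.113.44 proto=tcp dport=443 action=deny
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\S+)")


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    known_bot: bool


def is_internal(ip) -> bool:
    """True if the address falls inside one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def egress_policy_allows(src, dport: int) -> bool:
    """The recommended policy: outbound web ports are for the proxy only.
    Other ports are left to other rules, so they pass here."""
    if dport in WEB_PORTS:
        return src in PROXY_IPS
    return True


def find_proxy_bypass(log_text: str) -> list:
    """Return allowed internal->external TCP web connections that the
    recommended policy would have blocked."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "tcp" or m["action"] != "allow":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        # Only internal -> external traffic counts as outbound
        if not is_internal(src) or is_internal(dst):
            continue
        if egress_policy_allows(src, dport):
            continue
        findings.append(Finding(str(src), str(dst), dport, dst in KNOWN_BOT_IPS))
    return findings


if __name__ == "__main__":
    for f in find_proxy_bypass(SAMPLE_LOG):
        tag = "KNOWN BOT" if f.known_bot else "proxy bypass"
        print(f"{tag}: {f.src} -> {f.dst}:{f.dport}")
```

Run against the constructed log, the script reports two lines: the workstation that reached the bot address on 443 and the one that went out on 8080 without the proxy. The proxy's own connection, the internal-to-internal one, the UDP line and the already-denied line are all ignored. The same `egress_policy_allows` predicate is what a PBR or WCCP rule on the firewall would enforce before the connection ever leaves; running it over logs after the fact shows which hosts need looking at.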

Lastly, and as always, AntiVirus coverage is weak with only 3 of 57 AV Engines currently protecting.  We at ESPO would therefore advise calling your AV Sales Rep and asking them to justify the expense :-)


Monday, February 16, 2015

My Photo Attack / Feb 16th

A new executable is making its way around since ~2amCST.  As you'll see via this Websense ThreatScope link, the malware author performs many steps to ensure their code remains resilient.   The AV Vendors are doing a better job than normal; although, only 13 of 57 are detecting this current attack.  Of special note is the fact that neither Symantec nor McAfee Endpoint AV Solutions are actively protecting our end users (NOTE - the McAfee detection referenced below is only available on one of their many non-integrated gateway solutions).

Question - how much are you paying for your "Premium" AV Solution, and... why?

Statement - would it not make more sense to reduce your spend on AV and, instead, invest in a next generation security platform?


Friday, February 13, 2015

Remittance DOC Attack / Feb 13th

ThreatScope again proves itself by safely detonating malware disguised as a valid Word document.  As you'll see via this link, the file was anything but valid.  First, note how it drops a 32 bit executable which modifies many registry settings. Second, note how outbound calls are made to 2 sites in Russia.  Thankfully, both IP Addresses are listed in the Websense URL database as Malicious.  As such, customers leveraging Websense's Web Security Gateways would have been protected... even if they had an inferior Email Security Solution.

Again, and as is typically the case, Anti-Virus procurements continue to fail to return value for our investments... note how only 1 of 57 AV engines is currently detecting the malware:


Feb 12th Attack



ThreatScope again identifies malware that, per the screen shot below, only 1 of 57 AV engines was actively protecting against as of 7:40amCST this morning.  As such, organizations who do not leverage a Sandbox Capability would have likely been compromised. Neither McAfee nor Symantec nor any AV Engine other than ESET would have helped.  What percentage of your security spend goes towards these legacy solutions?  Additionally, per this link, you will very clearly see that the malware (disguised as a Word file) attempts to connect out to a Russian Botnet that Websense is actively protecting against.  An additional outbound call is made to another US site hosting malware which is also protected via Websense ACE Technology.  In summary, this attack leveraged all 7 steps of the Kill Chain and Websense protected against all: