Tuesday, February 24, 2015

Back to the Future / Aug 24th

Remember when we were patching for Y2K bugs and viruses propagated via email attachments rather than the blended (web & email) threats we've seen over the past decade?  Back then we all scrambled to install Email Gateways/Firewalls with AV engines plus attachment blocking, and moved on to our next project.  Surprise!  The problem is back.  This time, however, the files are Word and/or Excel documents.  Not so easy to block those files, is it?  As such, ESPO strongly recommends File Sandboxing, because the AV vendors continue to lag badly behind the variants.  Today's attack is being sent with a subject line of "Board Order - PO15028".  An M$ Word attachment drops a couple of executables and attempts to inject itself into explorer.
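The practical gateway check that follows from the paragraph above: you cannot block every Word and Excel attachment, but you can spot the ones that carry a VBA project and route those to the sandbox instead of the inbox. This is an added example written for this post, not ESPO's or any vendor's code. The sample files are constructed in memory (a minimal OOXML zip with and without a `word/vbaProject.bin` part, and a blob with the legacy OLE header plus a Word-style `_VBA_PROJECT` stream name); the OLE check is a byte-marker heuristic, not a compound-file parser, so a production gateway should use oletools/olevba or real detonation.

```python
"""Triage an Office attachment for embedded VBA macros before it reaches a user.

Added example for this post (not ESPO's code). Inputs are constructed in memory:
a macro-enabled OOXML file (a zip carrying word/vbaProject.bin) and a blob with
the legacy OLE header plus a VBA storage name. The OLE check is a byte-marker
heuristic, not a CFB parser; real gateways should use oletools/olevba or a sandbox.
"""
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm/.xlsm
# Directory entry names inside OLE files are stored as UTF-16LE; Word keeps its
# VBA project under a "Macros" storage containing a "_VBA_PROJECT" stream.
OLE_VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")}


def sha256_hex(data: bytes) -> str:
    """Hash to look up the sample on a multi-engine scanner or in your SIEM."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Return container format, hash and macro indicators for a raw attachment."""
    result = {"sha256": sha256_hex(data), "format": "unknown",
              "has_macros": False, "macro_parts": []}
    if data.startswith(ZIP_MAGIC):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Any vbaProject.bin part (word/, xl/, ppt/) means VBA is embedded,
            # regardless of what the file extension claims.
            parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        result["macro_parts"] = parts
        result["has_macros"] = bool(parts)
    elif data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        found = [name for name, marker in OLE_VBA_MARKERS.items() if marker in data]
        result["macro_parts"] = found
        result["has_macros"] = bool(found)
    return result


def gateway_verdict(data: bytes) -> str:
    """Policy: macro-bearing Office files go to the sandbox, everything else is delivered."""
    return "sandbox" if triage(data)["has_macros"] else "deliver"


# --- constructed samples (not real malware) ---------------------------------
def build_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML zip; the VBA part is a zero-filled placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def build_ole_with_vba() -> bytes:
    """OLE magic plus a Word-style directory name: enough to exercise the
    heuristic, not a valid compound file."""
    return OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKERS["_VBA_PROJECT"] + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in (("clean docx", build_ooxml(False)),
                        ("macro docm", build_ooxml(True)),
                        ("legacy doc", build_ole_with_vba())):
        info = triage(blob)
        print(f"{label:11} {info['format']:7} macros={info['has_macros']!s:5} "
              f"verdict={gateway_verdict(blob)} sha256={info['sha256'][:16]}...")
```

Note that the check keys off the container contents, not the extension: a `.docx` that carries `vbaProject.bin` still gets the sandbox verdict. The SHA-256 is what you would feed to a multi-engine scanner or your SIEM to track the sample as detections catch up.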



Initial research indicates that this malware is from the Dridex family, infamous for stealing financial credentials.  As such, ESPO recommends that you monitor your Finance Staff's workstations for the outbound bot connections (found here) to validate that your IT assets have not been compromised, because the AV vendors are again doing a pathetic job (5 of 57 detections).
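What "monitor your Finance Staff" looks like in practice is a detection rule over the proxy or firewall logs. The following is an added example for this post, not ESPO's code and not a real Dridex indicator list: the finance subnet (10.20.0.0/24), the C2 addresses (documentation ranges) and the six-field log format are all constructed assumptions. Indicator hits fire for any host; the weaker heuristic (a bare-IP, uncategorized destination) is applied only to the finance subnet, where a credential stealer does the most damage.

```python
"""Flag outbound connections from finance workstations that look like bot check-ins.

Added example for this post (not ESPO's code). Everything here is constructed:
the finance subnet, the C2 indicator list (documentation addresses, not real
Dridex infrastructure) and the proxy log lines. The log format is assumed:
  timestamp src_ip dst_host dst_ip category bytes_out
"""
import ipaddress

FINANCE_NET = ipaddress.ip_network("10.20.0.0/24")      # assumption: finance VLAN
C2_IOCS = {"198.51.100.23", "203.0.113.77"}              # constructed IoC list

# Constructed sample log lines (not captured traffic).
SAMPLE_LOGS = """\
2015-02-24T09:12:01 10.20.0.15 198.51.100.23 198.51.100.23 uncategorized 1834
2015-02-24T09:12:05 10.20.0.15 www.example.com 93.184.216.34 business 412
2015-02-24T09:13:10 10.30.0.7 203.0.113.77 203.0.113.77 uncategorized 900
2015-02-24T09:14:00 10.20.0.22 cdn.example.net 192.0.2.10 uncategorized 2048
2015-02-24T09:15:30 10.20.0.15 192.0.2.55 192.0.2.55 uncategorized 1501
"""


def is_bare_ip(host: str) -> bool:
    """Bot C2 is often contacted by raw IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse(line: str):
    """Split one log line into a record; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, host, dst, category, out = fields
    return {"ts": ts, "src": src, "host": host, "dst": dst,
            "category": category, "bytes_out": int(out)}


def classify(rec: dict):
    """Return (severity, reason) for a suspicious record, else None.
    IoC hits apply to every host; the bare-IP/uncategorized heuristic only
    to the finance subnet to keep the noise down."""
    if rec["dst"] in C2_IOCS:
        return "high", "destination on C2 indicator list"
    in_finance = ipaddress.ip_address(rec["src"]) in FINANCE_NET
    if in_finance and is_bare_ip(rec["host"]) and rec["category"] == "uncategorized":
        return "medium", "finance host to bare-IP uncategorized destination"
    return None


def detect(log_text: str) -> list:
    """Run the rules over a block of log text and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            severity, reason = verdict
            alerts.append({**rec, "severity": severity, "reason": reason})
    return alerts


def hosts_to_check(alerts: list) -> dict:
    """Alert count per source host, i.e. the assets to pull for forensics."""
    counts = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(f"{alert['ts']} {alert['severity']:6} {alert['src']} -> "
              f"{alert['dst']} ({alert['reason']})")
    print("hosts to check:", hosts_to_check(found))
```

On the constructed sample this yields two high-severity indicator hits (one from a non-finance host, which you still want to know about) and one medium-severity heuristic hit, with 10.20.0.15 at the top of the list of machines to image. Swap in your own subnet, indicator feed and log parser; the rule structure stays the same.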



BTW - regarding blended threats, ESPO strongly recommends URL Sandboxing, in which Websense wraps all unknown/uncategorized links so that they send your users to a landing page.  From there you can launch a Real Time Scan, leveraging the Websense ACE technology, to determine whether it is safe to proceed.  As such, Websense has figured out a near-foolproof way to address both styles of attack.

