Monday, September 19, 2016

The Death of Commercial AV Products - Part Deux

A Microsoft Word file carrying a malicious macro was being distributed via email this morning. At the time, the AV detection rate for Stage 1 of this attack was very low:


Thankfully, our Forcepoint® Sandbox is detecting it for us through a number of indicators, one of which shows a similarity to Zeus:


What else is happening in the attack? As usual, it is posting/phoning home to Mother Russia, along with an HTTP GET that downloads a .exe file:
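The two-step behaviour just described (a POST back to the command server, then an HTTP GET of an executable from the same host) is something a proxy or web-gateway log can surface even when the AV engines miss both stages. The following is an added example, not code from the original post or from Forcepoint or ESPO Systems: it parses a small constructed proxy log (the log format, the client addresses and the documentation-range host 198.51.100.7 are all assumptions) and flags every .exe download, rating it higher when the same client POSTed to the same host shortly beforehand.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not taken from the post): time, client, method, URL, status, user agent.
# 198.51.100.7 is a documentation-range address standing in for the stage-1 callback host.
SAMPLE_LOG = """\
2016-09-19T08:01:12Z 10.0.0.5 POST http://198.51.100.7/gate.php 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
2016-09-19T08:01:13Z 10.0.0.5 GET http://198.51.100.7/files/update.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
2016-09-19T08:02:40Z 10.0.0.9 GET http://intranet.example/portal/index.html 200 "Mozilla/5.0"
2016-09-19T08:03:05Z 10.0.0.9 GET http://download.example/tools/7zip.exe 200 "Mozilla/5.0"
2016-09-19T08:05:00Z 10.0.0.5 GET http://198.51.100.7/files/update.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

# Assumed log line layout: "<ISO time> <client> <METHOD> <url> <status> "<user agent>""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    parsed = urlparse(url)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method.upper(),
        "url": url,
        "host": parsed.hostname,
        "path": parsed.path,
        "status": int(status),
        "ua": ua,
    }


def find_stage2_downloads(log_text, window=timedelta(seconds=120)):
    """Return one alert per .exe download seen in the log.

    Severity is 'high' when the same client POSTed to the same host within `window`
    before the download (the phone-home-then-GET pattern), otherwise 'medium'.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] != "GET" or not ev["path"].lower().endswith(".exe"):
            continue
        # Look back through earlier events for a POST from this client to this host.
        prior_post = any(
            p["method"] == "POST"
            and p["client"] == ev["client"]
            and p["host"] == ev["host"]
            and timedelta(0) <= ev["time"] - p["time"] <= window
            for p in events[:i]
        )
        alerts.append({
            "time": ev["time"].isoformat(),
            "client": ev["client"],
            "url": ev["url"],
            "severity": "high" if prior_post else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_stage2_downloads(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["time"]} {a["client"]} -> {a["url"]}')
```

Run against the constructed log, the first download is rated high (POST to the same host one second earlier), the 7-Zip download is a plain medium, and the repeat download at 08:05:00 also drops to medium because the earlier POST falls outside the two-minute window. In a real deployment the .exe check would be widened to content-type and magic-byte matches, since the downloaded file rarely keeps an honest extension.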


What is the detection rate for this 2nd stage of the attack?  Not so great either:


NOTE - did you see that CrowdStrike, with much fanfare, decided to contribute back to the security community by having their "Machine Learning" powered results displayed via VirusTotal? It is good that, unlike many traditional signature-based engines, CrowdStrike detected this threat in Stage 2. However, where was CrowdStrike on Stage 1? Nowhere on VirusTotal can you find their results for that initial Word doc. Are there agreements in place to only display their name when a positive detection is made? Seems fishy to us.

In any case, let us help you save money by installing next-gen security solutions, as the AV vendors have once again proven unsuccessful. Call ESPO Systems if you need help...  :-)