Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

We hear a lot about being “always on” and having “100 percent uptime.” While this is a reasonable expectation, it’s a difficult task to accomplish when an outage occurs due to a disaster or some other unavoidable circumstance. What to do in such a situation is a dilemma that keeps IT professionals on the edge of their seats and reaching for the latest technology that can keep their workloads backed up and secure in a time of need.

Read more...

New threats in July 2016

by Juniper Employee 08-26-2016 06:16 PM - edited 08-29-2016 06:00 PM

(This post is the first in a monthly series highlighting some of the new threats detected by Sky ATP's deep analysis engines.)

 

In July, Sky ATP detected tens of thousands of malicious applications and documents as they passed through SRX firewalls. While most of these were known threats, Sky ATP also detected new malware strains, including multiple forms of ransomware as well as assorted trojans, droppers, spyware, and other potentially unwanted programs. In this post, we'll look at two new ransomware variants, plus an old threat that has evolved into highly-evasive (almost) fileless malware.

 

Early in the Sky ATP analysis pipeline, we run each new sample against a suite of anti-virus engines. AV engines are a fast and efficient way to catch and filter out known threats and their close variants. Removing these known threats from the analysis pipeline as early as possible reduces the load on the more computationally expensive parts of the pipeline, which include the static analysis engines and full sandbox detonation. But for new threats, hashes and signatures are not enough. In this post, we'll look at some of the threats we saw in July that were missed by numerous AV engines but caught by Sky ATP's deep analysis.

 

Zepto ransomware

We discussed Locky in previous posts. Zepto is a new variant that looks and behaves much like Locky, except that it uses ".zepto" as the file extension for the encrypted files:

 

zepto_files.png

As with Locky (and most other ransomware), the victim is notified by pop-up images, text files, and a new desktop background with instructions on how to convert the ransom payment to bitcoin and deliver it via a site on the dark web.

 

zepto_desktop.png

 

Cerber ransomware

Sky ATP’s deep analysis detected a number of variants of the Cerber ransomware that evaded traditional antivirus engines. The ransom process includes an automated voice announcing the infection.

 

 

Kovter's (almost) fileless malware

Some of the most interesting samples detected by our deep analysis pipeline in July were several variants of the Kovter click-fraud malware. This malware strain has become increasingly evasive and maintains almost fileless persistence on a victim’s machine.


Kovter's foothold begins with obfuscated JavaScript and binary content saved in the Windows registry.

 

kovter_registry1.png

 

Kovter's authors use a clever trick to achieve persistence without leaving any of their malware on the actual Windows filesystem. The malware drops a randomly generated file with an arbitrary (but important!) file extension, along with a batch file and a shortcut.

 

kovter_files.png

 

The batch file "opens" the garbage .fcb676eie file with the start command.

 

kovter_batch.png

 

Instead of opening the file, a registry key associated with the .fcb676eie extension instructs Windows to run an altogether different command. This is ordinary file-association behaviour turned against the user: when start is handed a file, Windows looks up the ProgID registered for its extension and runs that ProgID's shell\open\command, which here belongs to the malware rather than to any application.

 

kovter_registry2.png

 

That command uses Microsoft's mshta.exe (the HTML Application host) to execute the obfuscated JavaScript stored in the registry. The bulk of the payload is a 5000+ character hexadecimal string, which is decoded and executed with the JavaScript eval() function. This produces another JavaScript program, this time carrying a very long Base64-encoded string.

 

kovter_js2.png

 

This, in turn, is decoded into a PowerShell script containing raw shellcode, which is injected into memory and launched to create a malicious Windows process, using a technique taken from an old Metasploit template.

 

kovter_powershell.png

 

With this convoluted process, the malware can remain on the victim's computer without leaving anything on the filesystem besides the garbage file and its associated batch file and shortcut. Its malicious behavior, however, is still detected by Sky ATP's deep analysis techniques.
 

Until next month...

As mentioned above, these threats are just a few of many detected by Sky ATP's deep analysis engines. Thanks for reading, and please check back next month for another installment in this series!

Juniper Networks expands its portfolio of US Department of Defense certified devices.

Read more...

What ransomware does to animals..

Can ransomware attack cloud data? Are you safe if you use online backups or backup services like Dropbox or Google Drive?  It depends...

Read more...

Web application vulnerabilities are exploited by attackers who expect to profit from the activity. Secure network architectures need to evolve constantly to keep up with the latest advanced persistent threats.

 

The OWASP Top 10 lists the most critical application vulnerabilities and provides an excellent reference point for assessing application security risk.

Read more...

The World Wide Web is a source of threats in the form of malware and viruses, and there are attackers trying to get into corporate networks and steal information. This makes it important for businesses to have complete visibility into the usage patterns of the Internet applications their users access. That visibility helps an organization detect and block malicious or unauthorized network traffic.

Read more...

Welcome to the June edition of the Microsoft Patch Tuesday Summary. This edition has 16 bulletins; 5 are rated "Critical" and 11 are rated "Important". A total of 36 CVEs (Common Vulnerabilities and Exposures) were fixed across the 16 bulletins this month. One of the Critical updates, MS16-063, is an Internet Explorer (IE 9 to 11) patch; this single update resolves 7 CVEs and is the highest-profile bulletin of the month.

Read more...

virus_names.png

The current situation with malware naming conventions is in disarray. Different antivirus vendors use different naming conventions and sometimes they don’t follow their own standards.  Let's come up with a better way to name viruses.

Read more...

Economics of Botnets

by Juniper Employee on 06-02-2016 12:51 PM

title_img.jpg

 

According to recent security reports, botnets have become an increasing security concern, infecting tens of millions of computers, stealing users’ data, identities and helping to mount DDoS attacks. In fact, it has been estimated that up to a quarter of all personal computers participate in a botnet.

Read more...

More on Ransomware

by Juniper Employee 05-20-2016 05:10 PM - edited 05-23-2016 04:06 PM

mischa_animated.gif

2016 is shaping up to be the year of ransomware. In addition to Locky, we’ve seen TeslaCrypt, 7ev3n, 7ev3n-HONE$T, a failed Locky clone, Petya, Rokku, Jigsaw, and many more. Hospitals and medical centers have been hit by ransomware, including the SamSam variant that targets vulnerable JBoss servers. In this post, we’ll look at some recent ransomware samples and how Sky ATP handles these threats.

Read more...

“Indistinguishability Obfuscation” And Malware Detection

by Juniper Employee 05-20-2016 12:24 AM - edited 05-20-2016 12:25 AM

random.png

 

Recent breakthroughs in cryptography, widely reported in the media, showed that it is possible to reassemble any given program into a mathematical jigsaw puzzle so complicated that, although it functions identically to the original, divining its purpose without running it is effectively impossible. We'll look at the security implications of these findings.

Read more...

Static analysis methods, and signature-based detection in particular, have been the bread-and-butter strategy for malware detection, because they allow quick and painless detection and virus identification. Let's talk about how signature-based detection works.

 

Read more...

Making FinFisher Spyware Undetectable

by Juniper Employee 05-17-2016 09:46 AM - edited 05-17-2016 10:29 AM

Governments use malware to spy on journalists.  In this article we will show how to make one such malware undetectable by antivirus programs.

Read more...

About Security Now

Discussing a wide range of topics impacting enterprises and
data center security.



Our Bloggers

Jennifer Blatnik
Vice President
Enterprise Portfolio Marketing


Ritesh Agrawal
Director
Software Engineering


Scott Emo
Director
Product Marketing


Bill Shelton
Director Field Sales

