Today, the Cloud Security Alliance has released the CSA STAR Program & Open Certification Framework in 2016 and Beyond, an important new whitepaper that has been created to provide the security community with a description of some of the key security certification challenges and how the CSA intends to address them moving forward.
As background, launched in 2011, the CSA’s Security, Trust and Assurance Registry (STAR) program has become the industry’s leading trust mark for cloud security, with the objective of improving trust in the cloud market by offering increased transparency and information security assurance. The Open Certification Framework, also developed by the CSA, is an industry initiative to allow global, accredited, trusted certification of cloud providers. It allows for flexible, incremental and multi-layered cloud service provider (CSP) certifications according to the CSA’s industry-leading security guidance.
Together the OCF/STAR program comprises a global cloud computing assurance framework with a scope of capabilities, flexibility of execution, and completeness of vision that far exceeds the risk and compliance objectives of other security audit and certification programs.
Since the launch of STAR, the cloud market has evolved and matured, and so has the cloud audit and certification landscape, with now more than fifteen options including national, regional and global, sector-specific, cloud-specific and generic certification schemes available. This proliferation has resulted in, among other things, a barrier to entry for CSPs that cannot afford to get certified by multiple countries and organizations.
Aside from the time and cost of pursuing and maintaining these numerous certifications, there are a number of other concerns including:
Lack of means to provide higher level of assurance and transparency
Privacy not adequately taken into account
Limited transparency
Lack of means to streamline GRC
To address these certification challenges, the CSA is proposing, through the OCF, to offer the cloud community both a global recognition scheme for security and privacy certification, and a set of GRC tools and practices that address the many complex assurance and transparency requirements of cloud stakeholders.
The three core ideas behind the CSA suggested solutions are that an effective and efficient approach to trust and assurance has to:
delicately balance the need of nations and business sectors to develop their specific certification schemas with the need of CSPs to reduce compliance costs
avoid having humans (auditors) perform activities that can be performed by machines (e.g. collecting data)
make sure that accurate and reliable evidence/information is provided to relevant people, in a timely fashion, leveraging automated means as much as possible
The paper also outlines how a number of other frameworks and controls should play a part in this solution including:
Leveraging CCM and OCF/STAR as normalizing factors
Conducting continuous monitoring/auditing
Integrating the privacy level agreement code of conduct into the STAR Program
The CSA is currently seeking validation for its proposed OCF-STAR program action plan and is seeking input and support from the CSA community. To download the full report or to become involved, visit the Open Certification Working Group.
Palo Alto Networks recently released PAN-OS 7.1 for our Next-Generation Security Platform. Many financial institutions will not immediately adopt a brand-new version of software, instead preferring to see how stable the new code is in other venues first. When the time is right, an effort to test and certify the new software will be launched to validate old and new features, interoperability and integration with network/systems management tools. Such is the life cycle of new software versions before they even get to the actual rollout phase.
With that being said, PAN-OS 7.1 does offer a number of key benefits to financial institutions:
1. Secure Any Cloud
Many financial institutions are pursuing private, public and hybrid cloud solutions to increase the agility, flexibility and scalability of their information technology (IT) environment. This has become necessary to meet unexpected business demands without the delays associated with provisioning a traditional IT infrastructure. Such capabilities are even more prominent in light of competition from FinTech startups, in addition to established competitors. Palo Alto Networks provides a holistic public and private cloud security solution that leverages our physical and virtual next-generation firewalls deployed across the extended network. This offers protection against sophisticated attacks, advanced persistent threats (APTs), and has visibility of applications and traffic sources, which is far beyond the native security capabilities offered by cloud service providers, such as Amazon Web Services (AWS) and Microsoft Azure.
2. Embrace SaaS
The use of SaaS applications (e.g., Salesforce, Box) continues to grow among financial institutions. To properly control such applications and minimize shadow IT, detailed visibility of the applications, their usage, and the users themselves is needed. Palo Alto Networks Next-Generation Firewall was built to provide unparalleled visibility and control of all applications, as well as details about application usage across the network. In conjunction, Palo Alto Networks Aperture now enables safe usage of SaaS applications (e.g., Microsoft Office 365) with complete visibility and granular enforcement within the cloud. Ultimately, it boils down to limiting access to prevent data exposure risk and threat insertion while not disrupting business.
3. Accelerated Threat Intelligence
Financial institutions continue to be a favorite target for cyberattacks. The 2015 Verizon Data Breach Investigations Report ranked financial services as one of the top three industries for security incidents, confirmed data loss, and distributed denial of service, or DDoS, attacks. This has been the case in previous years as well. When truly unique and targeted attacks are found, financial institutions must accelerate analysis-and-response efforts with the right intelligence and threat context to maximize the effectiveness of their security operations professionals. With the new innovations across the Palo Alto Networks platform, we can provide threat visibility and remediation faster and more effectively than ever before. The new integration of the Palo Alto Networks AutoFocus threat intelligence service with PAN-OS and Panorama centralized management brings advanced threat context to the entire organization, simplifying response efforts for the most critical attacks. This puts the largest collection of unknown malware data at the fingertips of the security operations center, allowing that team to automatically turn analysis efforts for unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses and URLs with AutoFocus and PAN-OS dynamic block lists.
4. Prevent Breaches with Secure User Credentials
With the Palo Alto Networks GlobalProtect mobile security service, users in financial institutions can be connected to the network at all times, eliminating the large and growing blind spot of users roaming off the enterprise network, where they and their credentials are more vulnerable. GlobalProtect works by connecting a user’s mobile device to the closest next-generation firewall so that full network security can be provided, regardless of the user’s physical location, such as a coffee shop or airport. With the Palo Alto Networks VM-Series being consumable in public cloud services, such as AWS, the nearest next-generation firewall can be in close proximity to the user, wherever that person might be.
In addition to the key benefits above, PAN-OS 7.1 includes some features that will prove valuable for financial institutions:
Elliptic Curve Cryptography (ECC) and Perfect Forward Secrecy (PFS) for Decryption – A number of financial institutions are moving toward ECC-based key exchange algorithms. The preferred method for authentication of secure web browsing is becoming ECC, rather than Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A growing number of sites use ECC to provide PFS, which is essential for online privacy. PAN-OS 7.1 supports decryption, even when ECC and PFS are in effect, to maintain application visibility.
Bootstrapping Device Deployment – Financial institutions need to deploy firewalls at remote sites with minimal connectivity or in bulk for technology refresh projects. The new bootstrapping capability simplifies and automates the initial firewall-provisioning process. This allows for extremely low-touch, distributed deployments of hardware appliances.
Structured Threat Intelligence Exchange (STIX) Support – Many financial institutions are members of the Financial Services Information Sharing and Analysis Center (FS-ISAC). STIX is the preferred format for the import or export of threat data between parties. AutoFocus adds the ability to share threat intelligence via an application programming interface (API) with output in the STIX standard.
Bidirectional Forwarding Detection (BFD) – Some financial institutions use dynamic routing protocols with the Palo Alto Networks firewalls to establish paths for traffic flow through the network. Failure detection can be lengthy before a routing protocol re-convergence can even begin. BFD in PAN-OS 7.1 allows sub-second failure detection, which will immediately trigger re-convergence in routing protocols, such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), to re-establish viable paths and traffic flow across the firewalls.
For further information about the new PAN-OS 7.1 release, please visit the following pages.
Big changes are ahead for Ignite 2017: Goodbye, Vegas, hello, Vancouver!
Save the date for Ignite 2017: June 12-15, 2017 in Vancouver, BC. We look forward to seeing you next year for what will be our greatest Ignite yet. Follow along @Ignite_Conf throughout the next few months for looks back at Ignite 2016 and information to plan for next year.
Earning certifications to prove your knowledge and skills is the norm in the IT landscape, and that doesn’t look to be changing anytime soon. Still, often it requires time and money to earn those certifications. Exactly what difference do they make?
Well the results are in. The CompTIA 2016 IT Career Insights study asked current certification holders about their experiences post-certification, and shows that CompTIA certifications make a world of difference, both for career and self-growth. Check out five ways they do so.
Personal Satisfaction / Confidence
According to the 2016 IT Career Insights Study, the number one area impacted by earning a CompTIA certification is personal satisfaction. It may not be the first thing that comes to mind in helping find a job, but you’d be surprised! Those who have confidence in their skills and abilities are more likely to come across as effusive and competent, whether it’s socializing at job fairs or listing accomplishments during an interview. Having a healthy level of self-confidence is essential to landing, and keeping, the job you want.
Professional Development
Following a career path means you need the room and training opportunities to grow your profession. It’s all about tackling more responsibilities, upward mobility and the potential for a larger salary. CompTIA certification holders picked professional development as the second most important area their certifications helped. With no limit as to how many CompTIA certifications you can earn, the certifications’ different areas of expertise are perfect for long-term professional growth.
Career Satisfaction
We all know the importance of holding down a job, but you should also keep your future career path in mind. CompTIA certifications can help with both short- and long-term career goals! For now, a certification can increase the likelihood of landing a job. In the future, the number of different CompTIA certifications, and their different areas of focus, represent a series of solid career building opportunities that are there whenever you are ready.
Job Attainment
Anyone who has been job hunting knows it’s difficult to stand out from other applicants — especially when you and the other applicants all have similar skill-sets. Adding a CompTIA certification to your LinkedIn profile and resume goes a long way. It’s a great way to prove your skill-set and help your resume avoid the rejected pile! Most importantly, it verifies your knowledge and proves to potential employers that you’re motivated in maintaining and developing your skills.
The Right Job
Feeling motivated and eager to work every morning is a vital part of a satisfying job. But it can be hard to find a balance between easily managed tasks and tackling those that challenge you to grow your skills. Earning different CompTIA certifications can help find that sweet spot, thanks to the designated skills and knowledge they focus on. It can help employers, and you, find the right job level according to what certs, and thus what skills, you already have.
The categories above represent the international findings of the CompTIA 2016 IT Career Insights Study. If looking only at the U.S., the findings differ slightly, with job satisfaction ranking higher than career satisfaction. That job satisfaction ranks higher in the U.S. does not come as a total surprise – it’s tougher to find a job in the first place, as the U.S. has been experiencing high numbers of unemployment, nearly 10 percent in April 2009, since the 2008 economic recession. Overall though, the categories of highest importance remain consistent for both domestic and international CompTIA certificate holders.
Are you curious to experience what kind of a difference a CompTIA certification could make for you? Check out our certifications and find one or more that could be right for you.
Ramdo is a family of malware that performs fraudulent website ‘clicks.’ Ramdo malware activity first surfaced in late 2013 and has since continued to infect machines worldwide, primarily through the use of exploit kits. In this blog post, we’ll take a deep dive into the technical aspects of the Ramdo malware itself, providing insight into how the malware functions, as well as techniques on how analysts can reverse-engineer this particular threat.
This research is a joint effort from Unit 42 and Dell Secureworks Counter Threat Unit. For more information about the Ramdo threat, please also refer to the published blog post from Dell Secureworks CTU.
For the remainder of this blog post, we will be dealing with the following sample, which first surfaced on January 22, 2016.
MD5: F0E64CC571590513D0DC8D37EA23D153
SHA1: 98D44A46E9DAD00748D0278C84B58CE36D5E8861
SHA256: B534D55F384F4A2F9F8762CCD360A7C5D3FBD9BA15B1671E4A3629EF69A4472B
Size: 163328 Bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Compile: 2016-01-22 23:46:15
Most of the Ramdo samples witnessed in the wild are obfuscated using a simple packer. As such, the sample will first be unpacked in order to analyze the underlying, un-obfuscated malware.
Unpacking
The Ramdo malware is contained within a DLL. Packers will often store this DLL in an obfuscated state within an executable binary. When run, the executable will load this DLL after de-obfuscating it. Unpacking this sample is a simple matter of setting a breakpoint on calls to VirtualAlloc, and then setting a write hardware breakpoint on a byte within this newly allocated memory.
Figure 1 Breaking on calls to VirtualAlloc
After roughly two calls to VirtualAlloc, we witness the unpacked executable being written to this section. At this point it is simply a matter of dumping this memory section to disk.
Figure 2 Dumping un-obfuscated DLL from packed dropper
At this point we have the unpacked version of the Ramdo DLL, which can be used for further analysis.
Analyzing Ramdo DLL
One of the first problems the analyst will encounter when reversing a Ramdo DLL is the author’s use of encrypted strings and hashed functions. Functions are hashed using the following algorithm, represented in Python:

def hash_function(name):
    # 32-bit rolling hash over the function name; note that the
    # multiplication binds tighter than the XOR with (x >> 8)
    x = 0xFFFFFFFF
    for n in name:
        x = ((x >> 8) ^ (x * (x ^ ord(n)))) & 0xFFFFFFFF
    return x

A script has been provided that will generate a C header file containing an enumeration of these hashed functions. Please note that this script must run on a Windows machine.
Additionally, strings are encrypted using a single-byte XOR key. A large array of the following data structures is used:
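The hashing routine above only becomes useful once it is run over a list of candidate export names so that hashes found in the binary can be resolved back to names. The following is an added example, not the post's own script, that builds such a lookup table (with collision detection) and renders it as a C enum; the candidate names are a constructed subset of the CEF and Win32 functions mentioned in this post, and the HASH_ prefix and enum name are arbitrary choices.

```python
# Added example (not from the original post): resolve Ramdo-style function
# hashes back to API names with a precomputed lookup table.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF

def hash_function(name: str) -> int:
    """Ramdo import-hashing routine as described in the post.

    Multiplication binds tighter than XOR, so each step is
    (x >> 8) ^ (x * (x ^ ord(ch))), truncated to 32 bits.
    """
    x = MASK32
    for ch in name:
        x = ((x >> 8) ^ (x * (x ^ ord(ch)))) & MASK32
    return x

def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> name for every candidate export name.

    A collision between two different candidate names is reported rather
    than silently overwritten, since a wrong resolution misleads analysis.
    """
    table: Dict[int, str] = {}
    for name in names:
        h = hash_function(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r} -> {h:#010x}")
        table[h] = name
    return table

def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name for a 32-bit hash, or None if it is unknown."""
    return table.get(h & MASK32)

# Constructed candidate list: a few of the CEF exports named in the post plus
# Win32 APIs mentioned in the unpacking section. A real table would be built
# from the export directories of every DLL the sample loads.
CANDIDATE_NAMES = [
    "VirtualAlloc", "CreateMutexW", "LoadLibraryW", "GetProcAddress",
    "cef_initialize", "cef_shutdown", "cef_run_message_loop",
    "cef_browser_host_create_browser", "cef_request_create",
]

def c_header(table: Dict[int, str], enum_name: str = "ramdo_hashes") -> str:
    """Render the table as a C enum, the form the post's header script emits."""
    lines = [f"enum {enum_name} {{"]
    for h, name in sorted(table.items(), key=lambda kv: kv[1]):
        lines.append(f"    HASH_{name} = 0x{h:08X},")
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    tbl = build_hash_table(CANDIDATE_NAMES)
    print(c_header(tbl))
    unknown = hash_function("cef_initialize")  # stand-in for a hash seen in the DLL
    print(f"{unknown:#010x} -> {resolve(unknown, tbl)}")
```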
[WORD]  XOR key
[WORD]  Length
[DWORD] Offset to data
This can be better visualized in the following screenshot:
Figure 3 Array of data structures containing encrypted strings
An IDAPython script has been provided that will parse and decrypt these encrypted strings. Please note that the start address of the previously mentioned data structures must be set for this script to work.
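The same decryption can be done outside IDA against a dumped byte blob. The following is an added example, not the post's IDAPython script; it assumes each entry is a little-endian WORD key, WORD length and DWORD offset as laid out above, that the offset is relative to the start of the blob (the post does not say what it is relative to), and that only the low byte of the key is used. The sample blob and its keys are constructed here so the decoder can run offline.

```python
# Added example (not part of the original post): decrypt a Ramdo-style
# encrypted string table from a raw byte blob instead of from IDA.
import struct
from typing import List, Tuple

# Each table entry, as laid out in the post:
#   WORD  xor_key   (assumption: only the low byte is used as the key)
#   WORD  length    (number of encrypted bytes)
#   DWORD offset    (to the encrypted bytes)
ENTRY = struct.Struct("<HHI")

def decrypt_entry(blob: bytes, entry_off: int) -> Tuple[int, bytes]:
    """Decode one entry and return (key, plaintext).

    Assumption (not stated in the post): 'offset' is relative to the start
    of the blob; in the real DLL it would be an address that IDA resolves.
    """
    key, length, data_off = ENTRY.unpack_from(blob, entry_off)
    if data_off + length > len(blob):
        raise ValueError(f"entry at {entry_off:#x} points past the end of the blob")
    enc = blob[data_off:data_off + length]
    return key, bytes(b ^ (key & 0xFF) for b in enc)

def decrypt_table(blob: bytes, table_off: int, count: int) -> List[str]:
    """Walk 'count' consecutive entries and return the decoded strings."""
    out = []
    for i in range(count):
        _, plain = decrypt_entry(blob, table_off + i * ENTRY.size)
        out.append(plain.decode("latin-1"))
    return out

def build_sample_blob(strings: List[str], keys: List[int]) -> bytes:
    """Constructed test data: the table first, encrypted string bytes after it.

    This only exists so the decoder can be exercised offline; it is not
    taken from a Ramdo sample.
    """
    table = bytearray()
    data = bytearray()
    base = len(strings) * ENTRY.size
    for s, k in zip(strings, keys):
        raw = s.encode("latin-1")
        table += ENTRY.pack(k, len(raw), base + len(data))
        data += bytes(b ^ (k & 0xFF) for b in raw)
    return bytes(table + data)

# Constructed sample values, chosen to resemble strings the post mentions.
SAMPLE_STRINGS = ["MachineGuid", "qK", "btstack.dll"]
SAMPLE_KEYS = [0x00A7, 0x0013, 0x00F2]
SAMPLE_BLOB = build_sample_blob(SAMPLE_STRINGS, SAMPLE_KEYS)

if __name__ == "__main__":
    for s in decrypt_table(SAMPLE_BLOB, 0, len(SAMPLE_STRINGS)):
        print(s)
```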
After both the obfuscated functions and encrypted strings have been reverted to their original form, analysis of the Ramdo DLL becomes much easier.
The malware initially attempts to determine if it is running within a sandbox. This is further described within the blog post written by Dell Secureworks CTU. In the event it believes it is running within a sandbox, it will enter an infinite loop.
The malware proceeds to query the victim machine’s GUID via the following registry key:
HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
A string of ‘qK’ is appended to this value. This data is eventually used as an RC4 key. The malware will attempt to read the following registry key. Should this key exist, the malware will decrypt this data using the RC4 algorithm and the previously mentioned key.
This registry key is used to instruct Ramdo to install itself. Should this registry key have a value of zero, it will proceed. The malware then attempts to read the following registry key:
Should this key not exist, it is set with a value of zero. Should this key have a value of zero, it proceeds.
Ramdo continues to disable tooltips by setting the following registry key to zero, thus disabling balloon tooltips from appearing on the victim machine:
Disabling this setting prevents the malware from generating pop-up notifications that might otherwise notify the victim that something unusual is happening.
During Ramdo’s operations, the following mutexes are used by the malware:
Global\[machine GUID]qK-fffffffe
Global\[machine GUID]qK-fffffffd
Ramdo then copies itself (executable dropper) to the following location:
%APPDATA%\Microsoft\btstack.dll
This file has its timestamp data modified to help hide it from defenders.
The following registry key is written to ensure that btstack.dll is loaded upon reboot:
At this point, the malware will identify a running Microsoft Windows process and in turn identify the path to the associated executable file. This executable is spawned in a new suspended process, and the following code is injected prior to resuming the process:
This code will load in the previously written btstack.dll, which will load the malware into a legitimate Microsoft Windows process. Should this prove successful, the malware will exit.
In the event the malware is already running within a Microsoft Windows process, the malware proceeds to spawn a new thread that begins by setting the previously mentioned LastLoggedOnProvider registry key with the RC4-encrypted configuration data that is stored within the binary.
Before any network activity is performed, Ramdo will check to see if it is running within a virtualized environment. The CTU blog post further explains how this occurs. Should Ramdo discover it is running in a virtualized environment, the seeds used for subsequent domain name generation are altered, resulting in connections to incorrectly generated domain names.
Ramdo then attempts to determine if it is connected to the Internet by making a simple HTTP request. Note the lack of HTTP headers, such as a user-agent in the following request:
Prior to making this request to google.com, Ramdo first checks the DNS response to ensure at least two IP addresses were returned in the query. In the event only a single IP address is returned, the malware will not continue its execution flow. Instead, it will sleep until the next iteration of its network communication loop.
If Ramdo determines it is connected to the Internet, it proceeds to generate a domain using the following algorithm. The two seeds are hardcoded within the sample. The second seed increments by one up until twenty to generate all permutations of domains used by the malware. The third value is set to zero if no virtualized environments are detected. Should a virtualized environment be detected, the generated domains are incorrect.
The following IDAPython script can be used to identify the DGA algorithm and seeds used. It will then proceed to generate the 20 permutations of domains used by Ramdo. Note that this script is not guaranteed to work on all variants of Ramdo due to minor changes that may have been made in the DGA algorithm. The following example output from the script demonstrates what information is provided to the analyst:
Figure 4 Output from IDAPython script
After the domain has been generated, the malware will make an HTTPS POST request, such as the following:
POST / HTTP/1.1
Content-Length: 128
Host: qgwwyeeouiouwkya[.]org
Cache-Control: no-cache
[Encrypted Data]
In the above request, data is encrypted using the RSA algorithm. The following base64-encoded public key is used to encrypt this data. It should be noted that this key has changed since Microsoft initially analyzed Ramdo, indicating that Ramdo continues to evolve over time.
The following variables contain the associated data:
v : Suspected version of Ramdo
w : Operating system version, build number, service pack, virtualization information
b : Machine GUID string with ‘qK’ appended
s : Static value
k : Randomized value
c : Config data (ShowTabletKeyboard registry key)
x : DGA seed
i : Iteration of the second DGA seed
The server response begins with the following format:
OK[k value from request]\r\n[command][data]
Where ‘k value from request’ is the decrypted ‘k’ GET parameter sent in the request by Ramdo. The server response is RC4-encrypted using the decrypted ‘b’ GET parameter sent in the request from Ramdo.
The command value can be any of the following, represented in binary form:
1 : Update the LastLoggedOnUser registry key
2 : Update the btstack.dll executable
3 : Update the ShowTabletKeyboard registry key
5 : Update the HangDetect and LastProgress registry keys
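The key derivation described earlier (MachineGuid with ‘qK’ appended, used as an RC4 key) and the response format above can be reproduced for offline analysis of captured traffic. The following is an added example, not the post's own code: it implements RC4, derives the key, and decrypts and validates a response, checking that the echoed ‘k’ matches the request before acting on the command. It assumes the key is used as raw ASCII bytes and that the command occupies a single byte (the post says only that it is in binary form); the GUID, ‘k’ and reply are constructed.

```python
# Added example (not the post's own code): derive Ramdo's RC4 key from the
# MachineGuid, then decrypt and parse a C2 response of the form
#   OK<k value>\r\n<command><data>
# The sample response below is constructed; no real C2 traffic is used.
from typing import Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def ramdo_rc4_key(machine_guid: str) -> bytes:
    """MachineGuid with 'qK' appended, as the post describes.
    Assumption: the key is used as raw ASCII bytes (the post does not say)."""
    return (machine_guid + "qK").encode("ascii")

# Command values from the post; anything else is treated as malformed.
COMMANDS = {
    1: "update LastLoggedOnUser registry key",
    2: "update btstack.dll executable",
    3: "update ShowTabletKeyboard registry key",
    5: "update HangDetect and LastProgress registry keys",
}

def parse_response(cipher: bytes, key: bytes, expected_k: str) -> Tuple[int, bytes]:
    """Decrypt a response with the 'b'-derived key and validate its framing.

    Returns (command, data). Assumption: the command is one byte, since the
    post says it is 'represented in binary form' without giving a width.
    """
    plain = rc4(key, cipher)
    if not plain.startswith(b"OK"):
        raise ValueError("response does not start with OK (wrong key?)")
    head, sep, rest = plain[2:].partition(b"\r\n")
    if not sep:
        raise ValueError("response is missing the \\r\\n terminator")
    if head.decode("ascii", "replace") != expected_k:
        raise ValueError("echoed k does not match the request; ignore reply")
    if not rest:
        raise ValueError("response carries no command byte")
    command = rest[0]
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command}")
    return command, rest[1:]

# Constructed sample: a fake MachineGuid, a fake 'k', and a command-5 reply
# whose payload stands in for the cabinet-file pointer described in the post.
SAMPLE_GUID = "00000000-1111-2222-3333-444444444444"
SAMPLE_K = "1234567890"
SAMPLE_KEY = ramdo_rc4_key(SAMPLE_GUID)
SAMPLE_RESPONSE = rc4(
    SAMPLE_KEY,
    b"OK" + SAMPLE_K.encode("ascii") + b"\r\n" + bytes([5]) + b"update.cab",
)

if __name__ == "__main__":
    cmd, payload = parse_response(SAMPLE_RESPONSE, SAMPLE_KEY, SAMPLE_K)
    print(cmd, COMMANDS[cmd], payload)
```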
The following example C2 response demonstrates a response with a command of five:
Ramdo continues to both download and extract this cabinet file, which contains a copy of the Chromium Embedded Framework (CEF). The CEF will be used by the malware to conduct click fraud.
The malware proceeds to make a subsequent request to the C2 server. The server responds in a similar fashion to the previously mentioned one. One example C2 response can be seen below:
This response not only provides the malware with a number of domains to navigate to, but also the user-agent that the CEF will use for these requests.
After the previously downloaded cabinet file is extracted, the malware will load a series of functions from the libcef.dll library in the same manner witnessed earlier. In other words, the malware uses hashed representations of CEF function names to deter static analysis.
Figure 5 Ramdo loading CEF functions by hash
The following CEF functions are loaded by the malware:
cef_string_utf16_clear
cef_string_utf16_set
cef_string_utf16_cmp
cef_string_utf8_to_utf16
cef_string_utf8_clear
cef_string_utf16_to_utf8
cef_string_list_copy
cef_string_userfree_utf16_free
cef_shutdown
cef_run_message_loop
cef_quit_message_loop
cef_currently_on
cef_refresh_web_plugins
cef_add_web_plugin_directory
cef_api_hash
cef_post_task
cef_post_delayed_task
cef_browser_host_create_browser
cef_string_list_free
cef_string_list_alloc
cef_v8value_create_function
cef_process_message_create
cef_string_multimap_free
cef_string_multimap_alloc
cef_request_create
cef_string_list_append
cef_string_map_append
cef_string_multimap_append
cef_string_list_value
cef_string_list_size
cef_string_map_value
cef_string_map_key
cef_string_map_size
cef_string_multimap_value
cef_string_multimap_key
cef_string_multimap_size
cef_string_map_free
cef_string_map_alloc
cef_initialize
These listed functions will then be used by the CEF browser to navigate to the previously instructed web pages. When making requests to the specific sites, CEF will crawl all links discovered on the returned HTML. For example, given the site of ‘search-spinner[.]com’, the web page has a link to ‘2026531.adsdomain[.]org’, which in turn leads to further ad-related webpages.
Figure 6 Result of navigating to search-spinner[.]com
As you can surmise, the distributor of this malware can easily change these links to whatever ad-generating URLs he or she wishes. This, coupled with the dynamic requests made to the C2s for the original URLs/domains to view, allows the malware distributor to easily modify their actions to maximize profits.
The link provided by search-spinner[.]com and other sites appears to change every time a user navigates to it, providing additional ad revenue for the attacker, and ensuring that a single web site is not browsed too often.
Conclusion
Overall, Ramdo is not an overly complicated or sophisticated family of malware. It was created with a single purpose in mind—to generate revenue by falsely navigating to specific ad-generating web pages.
That being said, it does employ various interesting tricks to avoid being run in sandboxed environments or virtual environments, such as detection for VMware and VirtualBox, as well as checking the DNS response of requests made to google.com. What is quite interesting is the fact that the malware does not completely stop running when running within a virtualized environment, but instead modifies the generated domains that the malware connects to. This provides not only an early warning to the attackers that a sample is being executed in such an environment, but also may lead to researchers tracing incorrect domains during analysis.