Announcing the New Traps v3.4: Protect Yourself From Antivirus

Traditional antivirus (AV) is not the solution to endpoint security – it is the problem. AV is no longer effective at stopping today’s cyberthreats and to prevent security breaches in your organization, you must protect yourself not only from known and unknown cyberthreats but also from the failures of any traditional AV solutions deployed in your environment. Today, we’reannouncing enhancements to Traps advanced endpoint protection that empower you to replace your AV with real breach prevention.

In this post, I’ll go over some of the enhancements we’ve made to Traps. For a deeper dive, I encourage you to learn more about Traps, its new and updated capabilities, and how it replaces traditional antivirus with true prevention, by downloading the “Protect Yourself From Antivirus” white paper, or by joining our webinar to see Traps in action.

Traps replaces traditional antivirus with a proprietary combination of purpose-built malware and exploit prevention methods that protect users and endpoints from both known and unknown threats. With Traps, you prevent security breaches, in contrast to detecting and responding to incidents after critical assets have already been compromised.

The updated release of Traps eliminates the need for traditional AV by enabling you to:

  • Prevent cyber breaches by pre-emptively blocking known and unknown malware, exploits and zero-day threats.
  • Protect and enable your users to conduct their daily activities and use web-based technologies without concern for known or unknown cyberthreats.
  • Automate breach prevention by virtue of the autonomous reprogramming of Traps using threat intelligence gained from Palo Alto Networks WildFire threat intelligence service.

New and Improved Multi-Method Malware Prevention

Traps prevents malicious executables by maximizing coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of malware detection. This approach combines several layers of protection that instantaneously prevent known and unknown malware from infecting your systems, whether they are online or offline, on-premise or off, connected to your organization’s network or not (Figure 1). Those layers include:

  1. Static Analysis via Machine Learning [new]: Obtain an instantaneous verdict on any unknown executable file before it is allowed to run, without reliance on signatures, scanning or behavioral analysis.
  2. WildFire Inspection and Analysis [improved]: Rapidly detect unknown malware and automatically reprogram Traps to prevent known malware by leveraging the power of Palo Alto Networks WildFire cloud-based malware analysis environment.
  3. Trusted Publisher Execution Restrictions [new]: Identify executable files that are among the “unknown good” because they are published and digitally signed by trusted publishers.
  4. Policy-Based Execution Restrictions [improved]: Define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment.
  5. Admin Override Policies [improved]: Define policies, based on the hash of an executable file, to control what is allowed to run in your environment and what is not.

Traps also quarantines malicious executables to prevent infected files from spreading to or infecting other users.

The combination of the above methods and capabilities not only prevents both known and unknown malware from compromising your systems but also enables you to fully customize the scope of prevention to meet your organization’s needs.

Improved Multi-Method Exploit Prevention

Traps uses an entirely new approach to prevent exploits. Instead of focusing on the millions of individual attacks, or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques used by all exploit-based attacks. By identifying and pre-emptively blocking any exploitation technique the moment it is attempted, Traps prevents exploits from compromising your applications, including those developed in-house and those that no longer receive security support.

Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block exploitation techniques (Figure 2):

  1. Memory Corruption/Manipulation Prevention [improved]: Identify and prevent the exploitation techniques that manipulate your application’s memory space before they can successfully subvert the application.
  2. Logic Flaw Prevention [improved]: Recognize and block the exploitation techniques that manipulate the operating system’s normal processes used to support and execute your applications.
  3. Malicious Code Execution Prevention [improved]: Identify and prevent the exploitation techniques that allow the attacker’s malicious code to execute, before they compromise your applications.

Traps protects applications and systems, whether or not they receive security patches, and regardless of network connectivity or physical location.

Automated Prevention via the Next-Generation Security Platform

Traps is the only endpoint protection offering that automatically converts the threat intelligence gained from a global community of over 10,000 WildFire subscribers and multiple threat intelligence sources into malware prevention.

When WildFire identifies an executable file as malicious, regardless of where that threat intelligence is gained, Traps automatically reprograms itself to prevent the execution of that file from that moment on. This process all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect your systems because an attacker can use each piece of malware once, at most, anywhere in the world, and only has seconds to carry out an attack before WildFire renders it entirely ineffective.

As part of Palo Alto Networks Next-Generation Security Platform, Traps enables you and your organization to continuously apply the growing threat intelligence gained from thousands of enterprise customers, across both the network and endpoints, to your own environment.

Protect Yourself From Antivirus

[Palo Alto Networks Research Center]

Orcus – Birth of an unusual plugin builder RAT

Unit 42 has been tracking a new Remote Access Trojan (RAT) being sold for $40 USD since April 2016, known as “Orcus”. Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability. The objective of this blog is to highlight some of the capabilities of this new RAT family and the impact seen so far.

Background

Before we discuss the details of this RAT family, let’s discuss how Orcus became a commercially sold RAT. Around October 2015, the developer of Orcus, going with the alias of “Sorzus”, posted a thread on a hacker forum about a RAT he was developing, soliciting feedback on how it could be published. The developer had then named the tool as “Schnorchel”, German for “Snorkel”.

Figure 1 Sorzus discusses publishing Orcus

The figure below shows the early versions of Orcus when it was being developed. It is interesting to see that the developer details mentioned on the earlier version indicates “Vincent (Alkalinee)”, and we are also aware that ‘Alkalinee’ was the alias which was being used by the developer before taking the new alias of ‘Sorzus’. (This also suggests that the real name of the Orcus developer may be ‘Vincent’.)

Figure 2 Early version of Orcus which was known as “Schnorchel”

The developer had shared intentions to publish the RAT for free and make it open-source. However, some of the users in the forum responded, advising to make it commercial instead of sharing it for free or making it open source, citing that the source code would eventually be used by others to repackage and sell it as a new RAT. One forum user, alias “Armada”, offered to assist “Sorzus” on helping out with publishing the tool and apparently became Sorzus’ eventual partner.

“Sorzus” and “Armada” are believed to be the two main individuals currently managing the sales and development of Orcus. Brian Krebs published a blog a few weeks ago disclosing details of the individual who has been supposedly known to be the person behind Orcus. Our analysis suggests that ‘Sorzus’ is the main developer of the RAT and ‘Armada’ is mostly responsible for sales and support of the tool.

Architecture

Orcus is developed using C# with the Windows administration/controller component developed using WPS (Windows Presentation Foundation), which is used to render user interfaces in Windows based systems. Orcus has three main components to its architecture: Orcus controller, Orcus Server and the trojan binary which is deployed on a victim machine. The delivery vectors vary, ranging from a spear phishing attack using the malware binary with the email, having a hyperlink with a download link to the Orcus malware binary, or even using drive-by download methods.

In most RAT malware, once a victim has been infected, the malware connects back to the admin panel of the attacker to send data and provide control to the infected machine. However, if a victim machine is infected with an Orcus RAT, it connects back to the Orcus server which does not have the admin panel on it. Orcus has a separate component for the admin panel (Orcus controller) which enables control of all infected machines from the Orcus controller. This set up offers multiple benefits to the cyber criminals using Orcus. For example, they are able to share access to victim machines by accessing a single Orcus server which would enable a group of cyber criminals working together to better manage their infected victim networks and also allow scalability of their Orcus network by deploying multiple ‘Orcus servers’.

Figure 3 Orcus Architecture

The developer not only has a controller build for Windows, but also created an Android app for the admin controller to control the infected machines using an Android device. An Android app for the controller/administration component is also available from Google Play.

Figure 4 Orcus administration component for Android platform

Unique Features

Below are some Orcus features that can enable full control of a victim machine:

  • Keylogger
  • Screengrabs
  • Remote code execution
  • Webcam monitor
  • Disable webcam light
  • Microphone recorder
  • Remote administration
  • Password stealers
  • Denial of Service
  • VM Detection
  • InfoStealer
  • HVNC
  • Reverse Proxy
  • Registry explorer/editor
  • Real Time Scripting
  • Advanced Plugin System

Orcus has many common features of a RAT, however the features which are unique and stand out the most is the ‘Plugin System’ and ‘Real time scripting’. The plugin feature allows users of Orcus to build their own plugins or download plugins which have been developed by the author. If a user has basic knowledge on one of the supported programming languages, which are C#, VB.Net or C++, that user can easily extend and write plugins to build on to the current capabilities of Orcus. The author also provides a developer package to create the plugins with an IDE (Integrated Development Environment), which is an application used by programmers to develop programs.

The Orcus sellers also provide very well documented tutorials to create plugins, and also maintain a Github page which has a few sample plugins created. Orcus allows seven different types of plugins to be created. Figure 5 shows the current list of plugin types that can be built.

Figure 5 Types of plugins

The libraries are well documented and are currently being hosted on ‘sharpdox.de’. Sharpdox is a tool to create C# code documentations and can be hosted on ‘sharpdox.de’. Figure 6 shows an example of the methods or functions which are available to the Orcus plugin’s ‘ClientController’ class.

Figure 6 Example of a plugin library documentation

The Real Time scripting feature allows Orcus users to write and execute code (C#, VB.Net) in real time while remotely managing the compromised system.

Figure 7 Real time scripting feature on Orcus

Analysis: Orcus Protections

From an incident responder or threat analyst’s perspective, it is important to understand the type of anti-analysis protections a malware family employs so one is able to build an environment to successfully analyze the malware. This blog is not intended to discuss reverse-engineering the RAT in detail; however, it is interesting to see some of the anti-analysis features which Orcus employs to avoid being detected in a standard analysis environment.

We reverse-engineered one of the Orcus samples seen on a recent attack to check and verify some of the configured features. Given Orcus is developed in C# / VB.Net, we can easily peek into the code using a .NET disassembler. If an Orcus user enables the VMDetection feature while building the malware binary, the malware would check if the malware is running within a virtual machine environment. The virtual machines that Orcus detects are ParallelsDesktop, VirtualBox, VirtualPC and VMWare. The figure below shows the code excerpt for detecting the presence of virtual machines.

Figure 8 Virtual Machine detection in Orcus

Orcus also checks for processes of network monitoring tools like Netmon, TCPView and Wireshark as shown in the figure below.

Figure 9 Detection for network analysis tools

Impact

Figure 10 below shows the trending graph seen in Autofocus on the number of malware download sessions for Orcus. Given the feature rich toolset and the scalability Orcus provides, it is not a surprise that the usage and acceptance of the Orcus RAT is growing among cyber criminals since being first sold early this year. Given the increasing popularity of Orcus, it is likely that we will see more cyber crime campaigns where the RAT of choice is Orcus.

Figure 10 Autofocus graph of Orcus download sessions over time

Conclusion

The individuals behind Orcus are selling the RAT by advertising it as a “Remote Administration Tool” under a supposedly registered business and claiming that this tool is only designed for legitimate business use. However, looking at the feature capabilities, architecture of the tool, and the publishing and selling of the tool in hacker forums, it is clear that Orcus is a malicious tool, and that its target customer is cyber criminals. It’s not uncommon but this is an interesting case where a developer with an initial intention to release the code for free or open source, ends up in collaborating with an individual in a hacker forum who has prior experience in building and selling similar malicious tools, and creates a commercial RAT which has started to gain wide acceptance among cyber criminals with its unique feature set and flexible architecture.

Palo Alto Networks WildFire correctly identifies Orcus as malicious and AutoFocus customers can track this threat using the Orcus tag.

IOCs:

The current list of hashes for Orcus samples can be found on the Unit 42 github page here.

[Palo Alto Networks Research Center]

 

Transparency and the Journey to Digital Health

The benefits of digital health are discussed widely around the world. The prospect of increased efficiency and enabling patients to take a more hands-on role in their own medical care are considered positive outcomes by many. However, concerns over data privacy and the prevalence of data breaches in the sector are creating barriers to the adoption of digital health in the United Kingdom (U.K.).

With this in mind, we recently hosted a roundtable event in London, inviting several experienced and respected individuals from all aspects of the healthcare sector to discuss some of the most pressing issues on the journey to digital health. During the event there were a number of different issues explored, and although there were a lot of opinions in the room, and a few debates, the participants all ultimately had the care of patients as their priority.

One goal everyone agreed upon was the need for some transparency on the journey to digital health. The following questions encapsulate concerns around a range of issues: What do patients today actually know about how their data is shared and more importantly perhaps, why it is shared?

The lack of transparency in the processes and management behind the U.K.’s recently cancelled Care.data initiative is often cited as one of the main reasons for its failure. One million people reportedly opted out of Care.data, and it was understood that many of these people were discouraged by the prospect of their information being shared for purposes beyond direct care. There was an echo of concern about the prospect of data being sold to third parties. The reality is there was little information offered over how data would be shared, and with whom, which leaves people to draw their own conclusions.

With this in mind, we wonder how many of the people who opted out understood or had access to information telling them where exactly their data would have been shared, or for what purpose. We also don’t know if these people were aware that their data would be anonymised and used in research to help find a cure for a common serious illness, and if knowing this would have made a difference to their decision.

During our discussion in London, it was evident that prioritising transparency could make a significant difference by improving the chances of gaining access to more anonymised data to both ensure public safety, and to enhance public benefit through research, and also by giving patients more control.

Solutions mentioned included enabling patients to access information about who has viewed their medical records, and even granting the ability to give or withdraw consent on a case by case basis. More could be done to communicate public need and the positive effects that anonymised data can bring (e.g. communicating that this data has led to the development of a new drug to treat a particular disease).

There are plenty of stories relating to data breaches in the healthcare sector. It’s interesting to think if it would make a difference if patients were able to read more success stories about data sharing, or if patients were told they could view exactly which practice or practitioner had seen their data – and if this visibility and control would instill more confidence in the prospect of data sharing. The question over whether patients would pay attention, if granted more transparency, was brought  up by the participants at our roundtable session. Privacy of data and security are key concerns that patients cite when it came to data sharing initiatives, but even if you’ve quelled these fears, people ultimately want to know how they will personally benefit from tracking its use and granting consent. Many of us will readily hand over our sensitive financial data for the convenience of mobile banking, because it makes our lives easier.If the public knew that sharing their data could positively influence someone’s health and significantly impact the lives of others, this could add another dimension to the way people think about healthcare data. Overall, being open about the reasons why data sharing is a benefit seems to be the key to real positive change in the sector.

The solution to achieving this will require co-operation across all aspects of the sector, driven by a real will to understand the issues, the objectives being achieved and where accountabilities should lie. Following the discussion at our roundtable event, and the enthusiasm of all participants for this culture of transparency, we’re encouraged that the commitment for this development is there, which is a positive first step.

–By Faisal Malik, head of Business Development, EMEA (ISC)2

[(ISC)2 Blog]

Japanese Election Results in Positive Strides for Cybersecurity and Tokyo 2020 Summer Olympics

The two Japanese ruling parties, the Liberal Democratic Party (LDP) and Komeito, won a majority of the 121 contested seats in the election of the Upper House on July 10. The coalition party now has 145 out of 242 total seats. The outcome of the election guarantees the continuation of a stable Abe administration—which will have positive results for the recent momentum in Japan on cybersecurity.

Since December 2012, when Prime Minister Shinzō Abe took office, his administration has been active in expanding bilateral and multilateral cybersecurity cooperation on capacity-building, cyberthreat intelligence sharing, and the protection of critical infrastructure. The Japanese government started cyber dialogues with the U.S. in May 2013; the European Union in October 2014; Israel in November 2014; Estonia, France and the U.K. in December 2014; and Russia in March 2015. Tokyo also started the ASEAN-Japan Ministerial Policy Meeting on Cybersecurity in September 2013 and the ASEAN-Japan Cybercrime Dialogue in May 2014, as well as the trilateral cybersecurity dialogue with China and South Korea in October 2014. These dialogues have strengthened their ties between Japan and other countries because information and communications technology (ICT) now lays the foundation for economy, innovation and national/international security, and cybersecurity is integral part of sound ICT (The Japan-India Cyber Dialogue began in November 2012).

During the election campaign, cybersecurity slipped through unnoticed, as discussions mostly focused on Abenomics and the possibility of the Japanese Constitution revision (to be fair, cybersecurity has not been a primary topic in many elections around the world). Yet, the current Abe administration has made significant progress in cybersecurity policy, public-private partnerships, and international cooperation. The election of the ruling parties means the continuation of Japan’s healthy cybersecurity development. They are crucial elements for the success of the Tokyo 2020 Summer Olympics.

Since Tokyo was chosen as the host of the 2020 Summer Olympic Games in September 2013, the Japanese government has been keen to develop cybersecurity policies to raise the country’s cyber resilience in an effort to make the event successful. It’s a priority for Japan as Olympics are special in terms of the scale of the event and stakeholders and the sensitivity of relationship-building and reputation management. The Cybersecurity Basic Act, issued in November 2014, provided legal authorities to the National Center of Incident Readiness and Strategy for Cybersecurity under the Cabinet Secretariat to craft national policies, serve as the point of contact for international collaboration, gather and analyze cyberthreat intelligence, move forward public-private partnerships for the protection of critical infrastructure, and evaluate cybersecurity measures taken by governmental agencies and ministries.

Under the Act, the Cabinet adopted the Cybersecurity Strategy in September 2015 to enhance cybersecurity without thwarting economic growth toward Tokyo 2020. Then, the LDP “Special Mission Committee on IT Strategy” issued the Digital Japan 2016 in May this year to provide the Japanese government with a list of recommendations about how to achieve social welfare by promoting cutting-edge IT technologies, including artificial intelligence and FinTech (rather than regulating the industry, as Japan has tended to do). The Committee believes cybersecurity and IoT security will play a key role to ensure citizens can appreciate the convenience of IT services and companies, ensuring efforts for security will be respected and valued.

The Japanese government reportedly sent delegations to the U.K. and Brazil to learn lessons from London 2012 and Rio 2016 Olympics about preparing for and running the events, in terms of cybersecurity, and plans to use lessons learned to prepare for Tokyo 2020. Discussions about sensitive information, like prevention tips and threat intelligence, require mutual trust and information assurance—thus, sharing the Olympics’ experiences and relationship-building will be helpful to reinforce Japan’s existing ties with the U.K. and Brazil. The U.K. is going through a difficult time after the national referendum for Brexit. While Japan needs to pay close attention to potential global economic and political consequences, the importance of cybersecurity cooperation between the two countries will not go away.

Japan’s three visions of Tokyo 2020 are “achieving personal best,” “unity in diversity,” and “connecting to tomorrow” to “leave a positive legacy for future generations.” The victory of the ruling parties is expected to allow Japan to continue its important and impactful activities of the last four years. The industry will contribute to those efforts by innovating cybersecurity solutions and increasing cyber resilience in Japan. This would ultimately help the cybersecurity of other countries Japan works with and lead to a good cybersecurity legacy in 2020 and beyond.

[Palo Alto Networks Research Center]

Mark McLaughlin Named to CRN’s Top 100 Executives List

August is off to a great start for Palo Alto Networks as our CEO Mark McLaughlin has been named to CRN’s Top 100 executives list. Published annually, CRN’s Top 100 executives list honors executives from companies that are leveraging the channel most effectively leaders who play an integral role in shaping the industry, whether by driving huge cultural shifts or forging innovative new routes to success.

Executives named to the list are recognized in one of four categories: Most Influential, Top Innovators, Top Disruptors and Sales Leaders. Mark was included in the Most Influential list, where he was praised for having Palo Alto Networks “firing on all cylinders and delivering more and more security functionality across its platform, including stellar growth for its Traps endpoint product. And Palo Alto Networks NextWave partner program has many partners shifting their business away from legacy vendors.”

Together with our partners, we are transforming the security market from detection to prevention. Since day one, Palo Alto Networks has been a channel-centric company and our channel mission has never been clearer — to build an ecosystem of next-generation security innovators, with coverage, capacity and capabilities to elevate our leadership position in the enterprise security market.

You can take a look at the list here. Congratulations, Mark!

[Palo Alto Networks Research Center]

English
Exit mobile version