Thursday, January 12, 2012

CPE: McAfee AudioParasitic: Episode 1: Nordea Bank phishing incident


length: 00:24:49

First episode of the McAfee AudioParasitic podcast.


Take a close look at the issues and trends, what is driving the industry… and beat that issue into submission with 2 very opinionated hosts.

If you are looking for malware news, this is the wrong podcast.. but if you are looking for highly caffeinated commentary – welcome to AudioParasitic

Nordea Bank phishing – largest, most successful malware threat
The developers behind it are very, very capable and aware of signature-based AV
It was a specific trojan bought for this specific target – that managed to stay active for a window of time..
But on the other stuff – it is not different from what we have seen for many, many years.

Don’t trust email from someone you don’t know..

Password stealer – 1.1 million dollars.. a pretty big amount of money lost in a very short time..

I don’t know if we are going to see more and more password stealers…
But I do know the complexity to avoid AV will increase.

The Nordea attack is almost like a chess game – they figure 4-5-6 steps ahead…
This is fascinating as tread but not as malware…
The information gathered from multiple victims was taken from multiple servers and countries..

One of the only things Nordea could have done is to inform customers that they are not going to use the internet for passwords.. etc..

People have to treat the internet as a really bad neighborhood…

Discussion on information disclosure

How much information do we share with customers – or other vendors… if you put 2 security researchers in a room and ask this question – they will start to fight… this is a very volatile discussion
Joined by:
Joe Telafici – Fich since mid 90 with Symantec.. running AV
Kevin Beets – Foundstone - started as an admin with PIX & CP – moved to Foundstone.. acquired by
2 different positions..

Joe Telafici is more closed-information minded – because of historical and recent reasons..
Kevin Beets: I am on the full disclosure side, following responsible disclosure!! I don’t think hiding the information is the way to go..

What level? Is there a minimum level that we can share?

In the AV industry – we share only with people we know personally – people that we trust - people that we are confident that if we give them a sample they are not going to share it with anybody else… and NOT infect other people in any shape or form… this is not a company effort but a people effort…
All cooperation in AV – occurs at a personal level – an AV company researcher at McAfee trusts someone at Symantec or Kaspersky – trusts that they can hand them a loaded gun and not have it pointed back…
That being said.. there has been a lot of change.. there are many groups starting to share information…

Kevin: we should share them all…

On the malware side – not a lot of that is shared – much of it is shared closely
On the vulnerability side – it is public and it is out there..

There is a difference between disclosing a vulnerability and posting a malware exploit… there is a different level of damage that can be done…

Analogy: describing how to build a bomb is one thing
Giving someone else a bomb is a different thing…

It depends!!!

It also depends on whether the malware is replicating or not – a single accident or many people

All these rules were put in place because in the late 80s and early 90s researchers were sending samples wildly.. accidentally, in good faith.. running samples in the lab, not realizing the FW was open and infecting other people..

Fitch – I have never touched a single piece of malware since becoming VP at McAfee because I am not up to date any more..
And accidents happen - I watched people with 10-15 years of experience accidentally double-click a piece of malware.. launch a piece of malware.. if you don’t have both technological and physical policies to handle this – because bad things are going to happen eventually
We have to know not only how to handle it properly BUT also how to remediate problems..

Kevin and Fich both agree on how disclosure

PoC disclosure – you need a little skill set to cause damage..

It is interesting when you have 2 people who think they are in different positions but actually they are in a pretty close position..

Does the information we share give people ideas???
Kevin: I don’t think so! If you are interested in security..
Fich: thinks it depends on who the people we give information to are..
Dave: Fitch, you are not allowed to use “it depends” anymore!! :)

If this were simple – I would not have a job..

I have watched this happen… I was standing next to Greg Hoglund when he started to write first anti rootkit


We do a lot of things with AV behavior.. but we never discuss them… because we don’t want people to know what we are doing..
Certainly anybody can pick up a good debugger to reverse engineer it.
We can make it hard –very hard – but we cannot make it impossible to reverse engineer!!

I watched techniques that are fairly simple – trivially simple – but it took 4-5 years for the malware community to figure out a workaround – because they don’t know why we are doing it…
But once a smart guy found it… discussed it in a discussion forum.. today that feature is useless..

If we had talked about it – it would not have lasted a year.. it would not have provided any benefit!!
We have detected 100k malwares.. without lifting a finger!!

If you look at Mydoom – the first Mydoom was written by someone that we never caught - but then he released the source code… and weeks later many variants came to life..

We caught a kid who wrote the variant.
This kid would never have written anything on that scale on his own!!!!

We still get Mydoom variants floating around – as a result of that source code being released..

Yes – once the genie is out of the bottle we can’t put it back. But we can make it difficult for ourselves or we can make it really difficult for ourselves!!!!


The foundstone is available for people…
