About Me

Archive

Archive

Read More

Enterprise Blogs

Feeds & Podcasts

Meet the Bloggers

Archive

Tags

#McAfeeFOCUS, #MFETrivia, #SecChat, #SecurityLegos, 12 Scams of Christmas, 2012, 2012 Security Predictions, Acquisition, Advanced Persistent Threat, Android, android antivirus, Android Malware, Android security, android security app, anti-phishing, anti-theft, anti-virus, antivirus, APIs, App Alert, Apple, application blacklisting, application developers, application security, app protection, apps, app safety, ATM scams, attacks, authentication, automotive, Bad Apps, balanced scorecard, best practices, Big Data, BlackBerry, Black Hat, Blackhat, black hat hackers, botnet, Brazil, breach, Business IT, car hacking, certification, Change Control, China, CISO Executive Summit, Citrix, class action lawsuit, cloud, Cloud city, Cloud computing, Cloud Expo, cloud security, Cofer Black, collaboration, Compliance, Conficker, consolidation, Consumer, consumerization, consumerization of IT, Content Protection, counter identity theft, credit card fraud and protection, credit card skimming, critical infrastructure, CSP, cyber attack, Cybercrime, cyberespionage, Cyber Insurance, Cyber Intelligence Sharing and Protection Act of 2011, cyber security, cybersecurity, cyber security awareness, Cyber Security Mom, cyber threat, cyberthreats, data, database activity monitoring, database security, data breach, Datacenter, data center, data center security, Data Classification, data loss, Data Protection, Dave DeWalt, Dave Marcus, dedicated security appliances, Deep Command, Deep Defender, DeepSAFE, DefCon, DefCon Kids, Department of Commerce, device, Device Control, devices, dewalt, DLP, Dmitri Alperovitch, easter, Eelectric Vehicle, Email & Web Security, Email & Web Security, embedded, embedded devices, Embedded Security, Emerging Markets, Emerging Market Security, EMM, encryption, Endpoint Protection, Endpoint Security, energy, enterprise, enterprise mobility, enterprise resource planning, enterprise scurity, enterprise security, epayment, epo, ePO Deep Command, ePolicy Orchestrator, ERP, ESM, espionage, EV, exploit, exploits, facebook, Facial recongnition, Family Safety, FDCC, file sharing, Financial Security, firewall, FISMA, Fixed Function Devices, Focus, Focus11, FOCUS 2011, forrester, Foundstone, Friday Security Highlights, Garter, Gartner, Gartner Security and Risk Management Summit, George Kurtz, Global Cybersecurity, Global SecurityAlliance Partner Summit, global threat intelligence, google, government, GTI, Hackers, hacking, Hacking Exposed, Hacktivism, HB1140, Healthcare, Heuristics, HIPAA, host intrusion prevention, Host IPS, HV, Hybrid Vehicle, ICS, IDC, identify potential cyber-threats, identity protection, identity theft, IDF 2011, Incident Response, Information leak, Information Protection, Information Security, Information Warfare, Insider Threats, Integrity, intel, intellectual property, Internet Explorer, internet security, Interop, IntruShield, In vehicle Infotainment, IP, iphone, IPS, IT, IT Security, japan earthquake safe donation, japan earthquake scams, kurtz, labs, laptops, Larry Ponemon, law, legal, legal risk, linkedin, live-tweeting, lizamoon, Lockheed Martin, mac, Mac OS X, malware, Malware research, managed security services, Management, Mariposa, mass sql injection, mastercard, Maturity Model, McAfee, McAfee Application Control, McAfee Cloud Security Platform, McAfee Data Loss Prevention, Mcafee DLP, McAfee Email Gateway 7.0, McAfee Enterprise Mobility Management, McAfee ePO, McAfee ePolicy Orchestrator, McAfee Firewall Enterprise, McAfee FOCUS, McAfee FOCUS 2011, McAfee Identity Protection, McAfee Labs, McAfee Mobile Security, McAfee MOVE AV, McAfee Network Security Platform, McAfee NSP, McAfee Policy Auditor, McAfee Risk Advisor, McAfee Security Journal, McAfee Security Management, McAfee Security Webinars, McAfee SiteAdvisor, McAfee Vulnerability Manager, McAfee Vulnerability Manager for Databases, mcafee wavesecure, Microsoft, Microsoft Security Bulletin, Mid-Market, Mobile, mobile antivirus, mobile app, mobile data communications, mobile device, mobile devices, mobile devices and security threats, mobile malware, mobile phone spyware, mobile security, mobile security app, mobile smartphone security, mobiles security, mom, MS12-020, MySQL, NACACS, near field communication, Network Perimeter Security, Network Security, Network Security; Email & Web Security; Security-as-a-Service, network security server security, new year resolution, next-gen IPS, Next Generation IPS, NFC, Night Dragon, NIST, NitroSecurity, OMB, online banking, Open Source, operational risk, Operation Aurora, Optimized, outages, OWASP, passwords, password security, patch, Patch Tuesday, Patmos, PCI, PCI Compliance, PCI DSS, Peer to Peer file sharing, perception, personal information over mobile phones, phishing, PII, Ponemon Institute, PostScript, Potentially unwanted program, power grid, power loss, Pre-detection, Printers, privacy, protection, Public-Private partnerships, Public Sector, pup, QR codes, reference architecture, regulations, reporting, reputational risk, retail, risk, Risk Advisor, Risk and Compliance, Risk Management, ROI, Rookits, Rootkits, RSA, RSA 2012, SaaS, SaaS security solutions, safe searching, Saviynt Access Manager, SCADA, scam, SCAP, SEC Guidance, SecTor, secure cloud computing, secure container, security, Security-as-a-Service, Security and Defense Agenda, security attacks, security awareness, security breach, security conferences, Security Connected, Security Connected Reference Architecture, Security Influence, security management, security metrics, security optimization, security policy, security threats, Sentrigo acquisition, Shady RAT, SharePoint, shortened URLs, SIA Partners, SIEM, SiteAdvisor, Situational Awareness, Small Business, smartphones, smartphone security, SMB, social business, social media, social networking, social networks, Software-as-a-Service, spam, Spearphishing, sql attacks, SQL Injection, State of Security, stealth attack, stealth crimeware, stealth detection, Steve Jobs, storage, Stuxnet, substation, Support, Symbian, T-Mobile, Tablet, tablets, tablet security, targeted attacks, TCO, technology development, Telecommunications, threat reduction, TJX, TPM, Trusted Computing Module, trustedsource, twitter, Twitter online security, U.S. Cyber Challenge Camps, urchin.js, Vericept DLP, ViaForensics, Virtualization, VIrtual Machines, visa, Vontu DLP, vPro, vulnerability, Vulnerability Manager, vulnerability manager for databases, Web 2.0, web protection, web security, Websense DSS, Web services, white hat hackers, Whitelisting, wikileaks, Windows 7, Windows Mobile, Wind River, Xerox, youtube, Zero-Day, zeus
Enterprise : Network Security :

VBMania: When Minutes Count

Tuesday, September 21, 2010 at 1:31pm by Archive and Tyler Carter
Archive

Some malware attacks come so quickly that by the time you react, it’s too late. That was a lesson learned the hard way by thousands of organizations last week with VBMania, otherwise known as the “Here You Have” email worm. In stark contrast to Advanced Persistent Threats (APTs) such as Operation Aurora, the VBMania worm spread uncontrollably with over 200,000 systems detections in just days. With thousands of organizations having their defenses rendered, well… defenseless, how can you avoid being the next victim?

VBMania steps to infection (See McAfee labs blog post):
1. Victim receives the “Here You Have” email with link to a PDF
2. Victim clicks a PDF link; link is actually a malicious SCR file download
3. SCR malware file downloads and executes
4. Malware harvests email addresses from Outlook
5. The “Here You Have” email self propagates via email contacts
6. Malware also downloads additional files, including password recovery tools and malicious HOSTS files (to interrupt security updates)
7. Also infects USBs and network shares

To defend against rapidly spreading attacks like these, you need a threat model that is both predictive and ultra-responsive. McAfee Labs and McAfee Global Threat Intelligence works off these principles, providing predictive, reputation-based intelligence to make real-time decisions about whether or not to block potentially malicious activity.

McAfee offers multiple products that incorporate real-time McAfee Global Threat Intelligence feeds. Let’s take a look at a couple of them – McAfee Firewall Enterprise and McAfee Network Security Platform – to see how they used real-time threat feeds from McAfee Global Threat Intelligence to block VBMania.

McAfee Network Security products block VBMania at multiple points in the process outlined above:

User tries to access bad URL (See step 2 above)
• With VBMania, the SCR file download was disguised as a link to a PDF
• The URL hosting the SCR download had a bad reputation (dating back to April 2010)
• McAfee Firewall customers with Global Threat Intelligence would have not been able to access the Web site

This is an example of the value of predictive defenses based on reputation. McAfee’s Global Threat Intelligence recognized that the network connection harbored malicious content and the firewall prevented users from accessing it. Can your firewall do that?

Malicious executable file is downloaded (See steps 3 & 6 above)
• In cases where the McAfee Firewall wasn’t in place or didn’t have Global Threat Intelligence turned on (tsk-tsk), McAfee Network Security Platform also covered the attack
• McAfee Network Security Platform includes file reputation feeds directly from McAfee Global Threat Intelligence allowing it to intercept suspicious files
• Once the McAfee Global Threat Intelligence file reputation database flagged the malicious SCR file on September 10, 11:34 EDT, all Global Threat Intelligence enabled Network Security Platform sensors would be capable of blocking VBMania

Like most Network IPS solutions, McAfee Network Security Platform includes thousands of local intrusion prevention signatures to protect against known threats. Unlike most Network IPS solutions, its protocol analysis based detection also provides coverage for many unknown threats. Additionally, it is also able to query McAfee Global Threat Intelligence file reputation database – including 35 million suspicious file samples – in real-time, which allows McAfee Network Security Platform to catch more threats faster.

The “Here You Have” email self propagates (See step 5 above)
• Immediately after infection, VBMania uses email contact lists to self propagate (When attacks come from within your internal network, preventing this step can be extremely difficult)
• McAfee Labs released a signature for the VBMania outbreak shortly after discovering the network activities
• Organizations with McAfee Network Security Platform download the new signature
• Internal network segments with McAfee Network Security Platform would now be protected against spread of VBMania from within

Many outbreaks come from within. When that happens, perimeter defenses are useless. The quick response of McAfee Labs with this signature prevented propagation of network traffic containing the VBMania. Even if you didn’t have McAfee Global Threat Intelligence enabled on your perimeter (which you should have), McAfee Network Security Platform sensors could still have prevented spread of the attack using in-line defenses on internal networks.

These are just a few examples of how McAfee Labs and McAfee Global Threat Intelligence help provide predictive, ultra-responsive protection to the latest malware attacks. Visit the McAfee Threat Center for more information on VBMania and how to protect your networks.

Bookmark and Share

Tags:

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

CAPTCHA Image

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (0)