Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data	Sample Data 2
Sample Data 3	Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:

• http://www.opswat.com/partners/technology-partners
• http://www.mcafee.com/us/products/network-threat-response.aspx

Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.

The point product feeding binge

As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.

Time for a big security data fitness plan

So how do you deal with big security data even as your business tightens its belt?

Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data’s growth.

Add Muscle, Lose Fat

Legacy SIEM solutions don’t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need McAfee Enterprise Security Manager (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.

Boost Your SIEM IQ

The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.

• McAfee Global Threat Intelligence further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.
• McAfee Risk Advisor uses this shared information to help you quickly pinpoint attacks and implement countermeasures.

Achieve Balance and Agility
Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with McAfee ePolicy Orchestrator (ePO) software extends visibility and control across your entire security and compliance environment.

Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.

NitroSecurity is a leader in the 2011 Gartner Magic Quadrant for SIEM. They have been a McAfee Security Innovation Alliance partner for the past three years and their NitroView Enterprise Security Manager (ESM) is already integrated with our security management platform, McAfee ePolicy Orchestrator (ePO™) software. I’m excited about this acquisition because the integration of these solutions gives our enterprise users complete visibility—via a single management console—into their endpoint assets, underlying network infrastructure, specific security threats and risks, and system vulnerabilities across the entire IT environment.  Senior executives, business managers, and IT managers can leverage this information to more rapidly assess their risk profile and security posture and analyze and institute a range of corrective actions, such as issuing new configurations, implementing new policies, and deploying more recent software updates.

The addition of NitroSecurity products and technology to the existing McAfee portfolio will enable us to provide customers with the following benefits:

• The most comprehensive and robust security management solutions in the market today
• The fastest performing SIEM solution available for mid-sized to Fortune 500 companies. NitroSecurity’s solutions are easy to install and capable of collecting, analyzing, benchmarking, and reporting larger amounts of security information faster than any other vendor due to its highly scalable, patented database engine.
• An integrated solution with advanced correlation capabilities to provide greater visibility and situational awareness across your organization. The existing integration with NitroView ESM allows the McAfee ePO platform to view and correlate events, activities, and logs created by networks, databases, and applications so you can rapidly implement a range of risk monitoring and mitigation actions.

For more information about the NitroSecurity acquisition and our other security and risk management solutions, please visit the McAfee NitroSecurity acquisition web page.

Stuart McClure

GM and SVP, Risk & Compliance Business Unit, McAfee

The proposed transaction will bring together best-in-class technologies:

•     NitroSecurity’s strong foothold in the SIEM market will help McAfee significantly expand our “Situational Awareness,” our risk and compliance coverage, and our Global Threat Intelligence capabilities

•     NitroSecurity’s SIEM management technology, which has already passed integration testing with McAfee® ePolicy Orchestrator (ePO), gives customers a single security platform for event analysis and management across the enterprise. The integration expands the capability of the McAfee ePO platform to view events, activities and logs created by networks, databases and applications.

•     The McAfee ePO platform can leverage the extended SIEM capabilities to more rapidly institute a range of monitoring and mitigation actions, such as issuing new configurations, implementing new policies, and deploying more recent software updates

I’m very excited about this acquisition and believe that NitroSecurity has the technology McAfee needs to expand its enterprise security portfolio. NitroSecurity is quite simply the most advanced SIEM on the market, and has a leadership position in Gartner’s Magic Quadrant. NitroSecurity offers the only product with integrated application monitoring, database monitoring, log management, SIEM, IPS and Network Flows in a single, active dashboard.  This capability provides the most visibility and the most advanced correlation capabilities giving McAfee true “Situational Awareness”, and will provide the best overall security solution for McAfee customers.

For more information, please visit the acquisition landing page.

Stuart McClure

GM and SVP, Risk & Compliance Business Unit, McAfee

This week on the stand is my good friend and occasional co-presenter, David O’Berry CSSLP, CISSP-ISSAP, ISSMP, CRMP. Now a McAfee Strategic systems engineer, his previous life was 19 years in the public sector, culminating as Director of Strategic Development and IT at the South Carolina Department of Probation, Parole, and Pardon services where he gained a wealth of experience (and a long list of certifications).

David’s no part of McAfee, and intends to help McAfee customers more effectively deploy and use our wide range of solutions. I thought it would be interesting to pick his brain about the transition, as it’s quite rare for senior decision makers to join the vendor community…

So David, welcome to 15minutes with – Let’s start by introducing you to the audience – you’ve been in the public sector for a long time – what were you doing?

I worked alongside my team to create Personal Productivity Savings (PPS) defined as adding every minute we could to the end-user in the pursuit of Business Operating Efficiency (BOE). To me that meant finding ways within and outside of the organization to help things work better, to insure business processes made sense, to blow up or go around roadblocks whether they be fiscal, political, personal, or imagined, to back my team to the hilt in their pursuit of goals that benefited not only my organization but the community as a whole.

For instance, in 2001/2002 we created an IT Strategic Plan that was titled Secure Access to a Ubiquitous Computing Environment or as we called it S.A.U.C.E. People look at that now and say…well sure…but at that time it was like we were heretics. Now radical consumerization and mobilization is an assumed thing but 8 or 9 years ago it was astounding how different things were.

At times, it was like herding cats and at other times it was like being strapped to a rocket that you had to build from what you could pull together based on funding models. Myself and my team learned to not only tolerate change but over time to embrace and to then truly relish change.

Outside of my agency, I was the Security Domain Chairman for South Carolina, the Collaboration Team Lead, served on the MS-ISAC Executive Board, helped found the Trusted Computing Group’s TNC Customer Advisory Council, served as the Chairperson for the Open Group’s Improving the Digital Ecosystem Workgroup, served as the president of the Midland’s ISSA Chapter, while also steadfastly advocating for rapidly evolving customer-driven standards in both the network as well as the security space.

There are a number of other things but suffice to say without my team none of it would have been possible. They were and are like family to me and I take that very seriously.

Most importantly, I was helping to raise my 10 year old son while coaching everything I could coach for as many years as I could coach it.

Why make the shift to the dark side of the commercial sector? How do you think your experience can help McAfee help our customers?

It was an incredibly difficult decision because I worried about my team, my organization, the organizations like MS-ISAC etc. that I had been so heavily involved in…the State of South Carolina where I have participated so vocally over the last two decades…but when it came down to it I thought that the opportunity to continue the work I had been doing..helping to solve the incredibly difficult problem of strengthening the digital ecosystem worldwide could form a slightly different attack angle…it was time…

You’ve been with us a few months now – I hope you still think it was the right decision, but any advice to someone in a similar position thinking of switching from a customer to a vendor role?

I absolutely believe it was still the right decision. My team at PPP is excelling led by my great friend Bill Miller. The State of SC, while I miss it, probably needed a break from me based on the current state of needed change in various areas. I still am involved, just not in the same capacity and I will always seek to assist South Carolina in becoming the amazing success I know it can be both within IT as well as in the delivery of services to citizens. New blood is never a bad thing and eventually new and old can mix to find a balance that maybe could not have been achieved if things stayed status quo.

As far as advice, don’t jump for money. Don’t jump for fame. Don’t jump for greener grass. Look deep inside you and figure out what you really want to do and where you think you can make the biggest impact. I am a big fan of long term wealth versus short-term greed.

I have always offered my assistance in any and everything without worrying about how it would positively impact me at some point. Don’t have an agenda when you are progressing in your career other than to make that difference, that impact…because in the end people can tell, your team can tell, and there is no substitute for being genuine and doing something you believe in with all your heart. At the same time, don’t let fear paralyze you about a move. Perfection is the enemy of progress and there will never be an absolutely perfect time to make a move like this one.

What was your first introduction to McAfee – any anecdote you’d like to share?

Oh wow…like maybe 1997 or 1998…I was cold called…hard sales job out of New Jersey…the number started at something like five times what I ended up at…perpetual license versus subscription..it was probably my first experience with just how much a vendor will do to earn business in certain times of the quarter/year end. Actually it probably was a keystone of my future negotiations with all of the tech companies I dealt with…so all you companies out there that I beat to death…you can thank McAfee for honing my skills early on!

I think the most interesting anecdote was that we owned all of the four “legs of the stool” or whatever they called it at that point. Gauntlet and PGP…McAfee Desktop…Magic HelpDesk…Sniffer (including the pizza boxes)…and the concept…it was there…it made so much sense…and it was so poorly executed on until David DeWalt and his group came in after the divestiture of most of those lines. I still get a kick out of thinking about the NAI/McAfee to Secure Computing to McAfee journey of like the firewall product etc. As a side not, PPP actually still uses Magic HelpDesk and it has served its purpose…it’s now BMC I think but it’s probably one of the last pieces that exist from that initial purchase…other than the endpoint.

Has McAfee ever burnt you? Did we recover gracefully/earn your respect for how we dealt with the problem?

I think any customer vendor interaction is going to have its challenges. I am fairly certain, with most reputable companies, that they never set out to burn customers but that at some point bad decisions get made that are then compounded by a lack of knowledge and communication, etc., across both the customer and vendor organization.

Very few companies can avoid that aspect because of just how decentralized and haphazard communication with customer’s has become as the spend has climbed. From the McAfee perspective, I would say my experiences have been much more positive over the last three or four years than they were the first, ninth or tenth time.

It took a while for DeWalt to get things moving in the right direction and even now there are hiccups that have to be worked through and breakdowns in communication between the end rep and the customer that take effort to manage. In the most recent years, I would say the integration of SafeBoot into McAfee ePolicy Orchestrator (ePO) and the challenges associated with it and some newer HP equipment probably stand out as one of the most intense challenges for PPP’s relationship with McAfee.

At the same time, we worked through it and McAfee provided the assistance we needed to get things squared up. Beyond that, it’s the normal things associated with all anti-malware vendors…the DAT file issue…etc. All in all, the good has far out-weighed the bad and McAfee’s people and the integrated (hopefully continuing to move to open) story have made a huge difference in why we have stuck with them versus finding a cheaper or possibly slightly better point solution on any given day.

Chasing the shinies as a CIO will get you flat killed…patience matters as long as your vision is solid and you have vendor partnerships that are true relationships that transcend a supplier/consumer model.

So David – 19 years implementing vendor products in local government – if you had to give three pieces of advice regarding vendor/customer relationships, what would they be?

Hmm…great question….

I think first of all I would say that both sides have to realize that it really is a relationship. What happens sometimes is that it turns into a demand/supply equation instead of a true relationship. Both sides have to be willing to work on things that are at times not comfortable and that may not go completely the way they want it to…in a relationship that benefits both parties that is doable. In a supply/demand equation you lose a lot of that flexibility.

Something that goes along with that is do the research on whats out there and at the same time know what business problem you are trying to solve and be able to communicate both what you know and what you need clearly. If you are more interested in what they are selling or where you guys are going for lunch and how much smoke someone is going to blow to pump you up then you lose control of what is going to be best for the organization you are working for in the end.

In the past, the hardest part was that new and shiny is sexy, so often people are down the rabbit hole with boxes piling up of new toys based on what the sales rep said than based on what they need. That can lead to a great deal of angst and miscommunication down the road, which ultimately leads to alienation of both your organization and the vendor. Getting along with the vendor is not only a good thing, but truly necessary to create that win/win relationship everyone is after. But do not let it color what you do for your organization.

That was probably more than two but as as a third, I would say…don’t give up on requiring vendors to be more open. this gives you the freedom to make the decisions that benefit your organization when you need to make them, instead of when the next sales cycle rolls around.

I have always told vendors, don’t make me depend on you executing on your business plan in order for me to execute on mine. I have seen so few companies in this industry actually execute successfully for five or even three years in a row at times. That means they have to make business decisions that may be counter to your best interest. That is fine because that is their business but your business requires you to be flexible and agile which means not depending on a single vendor or a homogeneous ecosystem.

When I first got on the soap box about this many years ago it was Microsoft and Cisco that were the prime targets of my discussions…now it’s any company that expects to prosper going forward. Many thought I was a heretic for saying this a while back, but now I think many of those same people realize this is not hate for any single company. It’s a love for innovation that I firmly believe is significantly encouraged by adherence and support of open standards both on the supply and demand side of the equation.

We often get told that local government users are not capable of handling things like passwords, or understanding the concept of security – do you think this is true? Does user education help?

At this point in my career and for the past 10+ years I actually believe in the user to be perfectly blunt. I think we have failed the user for so many years, as a profession. It is easier for us to lump them all together into some giant ignorant unwashed mass than it is for our profession to actually do an evaluation of how we failed them and how we can eventually fix the problem.

When I say we failed them I take my share of that responsibility. Early in my career, I too went down the path of the user proof concept because I was not confident that users could even care enough to learn. The technology curve kept accelerating and the education curve fell farther and farther behind. This inverse relationship is really hurting us now from a holistic security approach because whether it was too hard, or too tedious, or what…we have pushed user education way way down the charts for 20+ years.

I think the late 80′s and 90′s greatly contributed to this crippled state of existence. It was then that we began obfuscating everything behind GUIs in order to make the “user experience” more palatable as we hit critical mass with consumption of PCs. We never really asked should we…we just did because as a profession we did not really have the ability and even the knowledge to stand up and make a cogent argument for why security even mattered at that point…why the users being able to learn how to be secure mattered…instead we made it as easy as possible and now we are paying for it.

The entire foundation is flawed yet instead of knocking it down and starting over we are forced to try to go top down floor by floor to get to a root of trust that I am not even sure exists now…it if ever existed. The model has to change from absolutes to a more developed set of overlapping nets with holes of different sizes and from an avoidance mind-set to a resilience and mitigation mind-set.

The only way we can get there is through the users though…all the nastiest technology in the world will not solve this if we don’t start working together both as IT and users and enterprise to enterprise.

So David, I know standards bodies are really close to your heart and you’re an active participant in many groups – are there any standards you think could really make a difference, which you think the industry is avoiding taking on or participating in?

Oh boy…you are going to get me in trouble in my first month on the job! Hmm…I am a firm believer in open standards in general and right now a large part of my time has been spent on SCAP, Trusted Computing Group’s Trusted Network Connect, IF-MAP including how that can fit within cloud interoperability concepts etc.

I also believe that a strong standardized fully featured secure network control language has to evolve. Beyond that, in the cloud we have to look to audit and compliance standards…visibility standards…transportability…eventually interoperability…like roaming agreements from cell phone vendors…a spot market with very fast CIA-C profile matches that allow enterprises to really gain the agility required to conduct business at rapidly increasing speeds with little to no margin for error in the marketplace.

Even now I grow more frustrated by the day when I hear companies try and explain why their non-standard black box fabric is better than TRILL and therefore TRILL does not need to be supported. There are companies that have been stalwarts of standards and that have now seemingly turned hypocritical to those professed tenets, based on getting a leg up, that really harm the industry.

I think that companies that have the marketshare are always trying to protect that marketshare as a general rule, and the ecosystem as a whole does not matter to them because the next quarter has to matter. That is unfortunate and one of the areas where I do believe that if we do not get our act together as a industry we will be mandated to do so by some intense regulations.

Longer term, enterprises and governments will not care one bit why something occurred that either breached them or crippled their ability to do their jobs. They will instead care that we, as an industry, were either able to protect them or not. To me, I believe we are skating on a very thin sheet of ice right now as a profession and industry because many companies keep turning a blind-eye to what really does matter to the people they are supposed to serve…their customers.

I’ve always told companies, don’t make me have to execute on my business plan while solely depending on you to execute on yours. That’s a recipe for disaster because I have not seen a single tech vendor execute, from a customer’s perspective, for a five year period…or even a three year period…there is too much internal stuff that has to go on for that to happen and vendors different product managers seldom act as one entity even within their own company.

Bluntly, it has never seemed like a very customer friendly environment anyway.  Most of the efforts going towards assuaging concerns versus actually finding out the real issues and attacking them is at the root of the problem. What we need is a true customer driven gap analysis of standards and where and what we need going forward.

That is going to have to be in an organization that does not exist today, unless there is one out there that can take it up. In my opinion, most of the standards bodies are poisoned at this point. It’s one of the reasons I registered demandstandards.com/org/net a while back in order to start working on that type of solution…in my spare time!

Finally, I have to ask about the excessive number of letters after your name – can you tell us a little about them, and perhaps your thoughts on whether security professionals should go through independent review of their skills?

Yeah, I have stopped putting a bunch of them on there at this point. It is kind of a running joke…talking about tri-fold business cards etc. I have seen some people that dwarf mine though, but you always wonder about the substance. I believe that independent review is a must. One of the ways I do that is writing questions for ISC2 for the CSSLP, CISSP, ISSAP, and ISSMP exams.

Believe me, near instant peer review of questions you write is a humbling and very educational exercise. I also never shy from a conversation as long as people are open-minded. Right now, the important of the digital ecosystem is second to none to the continued stable advance of society.

With that in mind, we allow anyone to call themselves a cyber-security expert. That is counter-intuitive. You don’t let people operate on your brain without intense rigorous review because the number of fatalities would be high. Would they be as high as if a digital event took out a hospital though? The electric grid? Yet, we continue to have incredibly subjective measures of ability in our profession.

Maybe that is all we can do right now but I will tell you I have seen enough paper tigers in my day to realize that certifications are certainly not the only measure of ability and in reality may sometimes be a counter-indicator. There has to be some hybrid though, a balance there between what you can do and what can be measured and then the certifications you achieve. We are just not there yet and bluntly may never be there.

Wow – well thank’s for your time today David – before we go, I know you’re an active speaker on security issues – any events you’d like to promote?

Hmm…I just got back from speaking on a panel at the the NSA’s 2nd Annual Trusted Computing Conference and felt that to be incredibly worthwhile. Coming up, I will be speaking at NASCIO, McAfee’s Focus, followed by the NIST Conference up in Maryland at the end of October.

I believe all of those are worthwhile for the various segments for which they are targeted. If I can answer any questions for anyone while there, either during the panels and talks or afterwards, then please do not hesitate to fire away. I love to learn and solid discourse is the single best way I have found to do that in this world.

You can find David (and Simon) at McAfee Focus 2011 – please drop in and say hello!

As you may know, we have an assortment of valuable sessions and events planned:

• Keynotes from prominent leaders and industry visionaries, including: Gen. Colin Powell, USA (Ret.); McAfee CEO Dave DeWalt; security expert Howard A. Schmidt; and best-selling author George Kurtz (Hacking Exposed)
• Dedicated time with McAfee’s cutting-edge technology partners at the Sponsor Expo
• Training and certification opportunities
• Targeted networking activities and special events
• And much more.

Most importantly, FOCUS will offer over 90 breakout sessions, touching on today’s most important security topics.

The McAfee Avert Labs research team will join forces with Security Innovation Alliance partners to deliver sessions on emerging threats and trends, cloud technologies and interoperable security solutions. Other breakouts will explore how organizations can reduce costs and increase efficiencies in their security processes. And over 40 deep, technical sessions will offer an in-depth look at topics such as email and web protection, intrusion prevention, data encryption, data loss prevention and access controls across endpoints and networks.

The lineup of speakers includes world-class organizations like eBay, Citrix Systems, Tyco International, EDS, Arizona State University, Jones Day, QUALCOMM, Network Frontiers and more. You can learn more about FOCUS tracks and sessions on the FOCUS Web site.

Last year’s event was described as “thought-provoking”, “invaluable”, “a worthy investment.” FOCUS 09 promises to deliver more of the same. Be sure to follow FOCUS09 on Twitter for the latest information.