Encrypted malware and code reusability
About 3 weeks ago, one of our readers, Andrew, submitted a very interesting malicious binary. Andrew did some analysis himself and told us that he found encrypted files and some certificates which immediately caused interest amongst handlers.
And this is the frightening bit :
Finally, the AV detection on submitted files is still very bad, even weeks after it has been released. The original downloader was detected by only a handful of AV programs, while the second stage (real bot) was detected by only 3 programs. It is clear that you can not rely only on the AV program and that you should have defense in depth. In this case, blocking outgoing TCP traffic would at least prevent the bot from contacting the C&C server and doing more harm on your internal network.
Read the article HERE.
And this is the frightening bit :
Finally, the AV detection on submitted files is still very bad, even weeks after it has been released. The original downloader was detected by only a handful of AV programs, while the second stage (real bot) was detected by only 3 programs. It is clear that you can not rely only on the AV program and that you should have defense in depth. In this case, blocking outgoing TCP traffic would at least prevent the bot from contacting the C&C server and doing more harm on your internal network.
Read the article HERE.
posted by vanish at 11:19 AM
0 Comments:
Post a Comment
<< Home