Channel: Symantec Connect - Products - Articles

IT Analytics for Symantec Data Loss Prevention - Glossary of Terms


IT Analytics introduces powerful ad-hoc reporting and business intelligence tools, and along with it a few terms that may be new to you. To alleviate any confusion, this article describes a few key terms so that you can easily understand out-of-the-box functionality and start using the tool to gain deeper insight into your DLP data to make informed decisions.

Term and definition:

Measure
Measures are the aggregate count, or how you quantify results when creating a pivot table view. These typically make up the columns in your report. Every view you create must contain at least one measure. (For example: Incidents Count)

Dimension
Dimensions are a grouping of specific data types you are quantifying when you create a pivot table view. These typically make up the rows in your report, but dimensions can be used across columns or as filters. Every view you create must contain at least one dimension. If you have more than one dimension, you can drill in and out or change the order of dimensions to arrange the report the way you want it. Please see the Connect article for a list of all dimensions in IT Analytics.

Attribute
An attribute is a sub-grouping of data types for a specific dimension. A dimension may have one or more attributes and these can be used like any other dimension. (For example: Policy - Description, Policy - Status, Policy - Name, Policy - ID). Please see the Connect article for a list of all dimension attributes in IT Analytics.

Key Performance Indicator (KPI)
Quantifiable measures that represent a critical success factor in an organization. The emphasis is on the action of quantifying something in the environment. The KPIs must be measurable to successfully be monitored and compared against a given objective. (For example: Number of Alerts in the Last 30 Days). Please see the Connect article for creating a key performance indicator in IT Analytics.

Cube
Multidimensional data structures (as opposed to a relational database) that store precompiled information from the DLP Oracle database(s). Cubes contain measures and dimensions that are arranged in a specific way for common reporting purposes. These are the underlying source for all reporting in IT Analytics and are stored in the Analysis Services component of SQL Server. Please see the Connect article for a list of all cubes in IT Analytics.

Report or Dashboard
Pre-developed reports that are hosted by the Reporting Services component of SQL Server. Several out-of-the-box reports and dashboards are available upon install, and you have the flexibility to create your own through Report Builder.

SQL Analysis Services
The free component of SQL Server that hosts and processes all cubes within IT Analytics. This component is required to install IT Analytics. Please see the Connect article for configuring Analysis Services and installing IT Analytics.

SQL Reporting Services
The free component of SQL Server that hosts all reports and dashboards within IT Analytics. This component is required to install IT Analytics. Please see the Connect article for configuring Reporting Services and installing IT Analytics.

Report Builder
Report Builder is a client-side application (developed by Microsoft and free with Reporting Services) that you can use to create and design reports. Using Report Builder, you can design reports that are based on your data from within IT Analytics, without having to understand the underlying schema or complex programming languages. Please see the Connect article on creating custom reports in Report Builder.

Pivot Table
An arrangement of measures and dimensions from a specific cube in tabular form, with the goal of creating an ad-hoc report. Please see the Connect article on working with pivot tables in IT Analytics.

Pivot Chart
An arrangement of measures and dimensions from a specific cube in chart format, with the goal of creating a visually informative report. Please see the Connect article on working with pivot tables in IT Analytics.

Content Pack
A software component that bundles cubes, reports and dashboards specific to a particular Symantec solution suite. IT Analytics content packs are currently available for:

  • IT Management Suite (Altiris)
  • Symantec Endpoint Protection
  • Data Loss Prevention
  • Critical System Protection
  • ServiceDesk

Parameter
Typically a dimension attribute used to filter data within an IT Analytics report or dashboard. This technique is used within Report Builder when creating reports.

Processing Schedule
The frequency at which data is purged and then recompiled within the IT Analytics cubes. Typically this is done once a day, but depending on environment, server resources and business requirements, it can be set to process more frequently. This schedule is set within the configuration page of IT Analytics, but the processing itself occurs within SQL Analysis Services.

Symantec Management Platform
This application hosts the IT Analytics configuration and reporting interface. It is required to install IT Analytics. Please see the Connect article on installing the Symantec Management Platform.

Symantec Installation Manager
This application allows you to download, install and update software hosted by the Symantec Management Platform, including IT Analytics. To install the Symantec Installation Manager, please download the IT Management Suite trialware from Symantec's trialware site.

 


Difference between Symantec Endpoint Protection 12.1, Symantec Endpoint Protection SBE 2013 and Symantec Protection Suite SBE


Hello,

Symantec offers a range of fast, effective, and affordable antivirus and malware protection products designed for small and medium-sized businesses.

This product comparison guide is designed to help you select the right product to meet the security needs of your unique business.

 

Abbreviations used in the comparison: SBE 2013 = Symantec Endpoint Protection Small Business Edition 2013; SEP = Symantec Endpoint Protection; SPS SBE = Symantec Protection Suite Small Business Edition. "-" means the feature is not included.

Feature                                       SBE 2013                   SEP                    SPS SBE
Ideal for businesses with                     fewer than 250 employees   250+ employees         fewer than 99 employees
Operating systems                             Windows, Mac               Windows, Mac, Linux    Windows, Mac
Location                                      Cloud-managed service or   On-premise management  On-premise management
                                              on-premise management

Management
Central management console                    Web-based                  In-product             In-product
Management hardware required                  No hardware required for   Yes                    Yes
                                              cloud-managed service
Security audit custom reports                 Yes                        Yes                    Yes

Endpoint Security
Antivirus and antispyware                     Yes                        Yes                    Yes
Desktop firewall                              Yes                        Yes                    Yes
Intrusion prevention                          Yes                        Yes                    Yes
Device and application control                -                          Yes                    -
USB device control                            Yes                        Yes                    -
Advanced protection for virtual environments  -                          Yes                    -

Messaging and Web Security
Reputation-based spam filtering               -                          -                      Yes
Antivirus/antispam/antiphishing               -                          -                      Yes
Content filtering/compliance                  -                          -                      Yes

Backup and System Recovery
Backup desktops/laptops and restore
to any hardware                               -                          -                      Yes

Pricing
Subscription                                  Yes                        -                      -

 

Reference: http://buy.symantec.com/estore/clp/small-business-security-antivirus

 

The latest Symantec Endpoint Protection 12.1 is powered by Insight and is marketed as the fastest, most powerful endpoint antivirus solution available for both virtual and physical systems.

New Features

  • Integration with VMware's vShield Endpoint provides better-than-physical security for data-rich virtual environments while maintaining fast performance.
  • Tuned for Windows 8 performance: according to testing conducted by PassMark and AV-Test, the OS runs 80% faster and 29% safer than with the native Defender solution.
  • Support for Mac OS X 10.8 (Mountain Lion) allows you to protect a multitude of Linux, Windows and Macintosh platforms and versions from a single security solution.
  • Enhanced security features include SONAR monitoring nearly 1400, rather than 400, file behaviors.
  • Improved management through the ability to automatically remove existing security software, find orphaned machines, and use Group Update Providers more efficiently.

Key Features

Unrivaled Security. Blazing Performance. Built for Virtual Environments.

Symantec Endpoint Protection is built on multiple layers of protection, including Symantec Insight and SONAR both of which provide protection against new and unknown threats. Built for virtual environments, it can integrate with VMware vShield Endpoint for dramatically improved performance. Symantec Endpoint Protection 12.1.2 includes the latest features for improved security, performance and management.

What's new in Symantec Endpoint Protection 12.1?

http://www.symantec.com/docs/HOWTO55189

What's new with Latest Symantec Endpoint Protection SEP 12.1.RU3

https://www-secure.symantec.com/connect/blogs/whats-new-latest-symantec-endpoint-protection-sep-121ru3

 

For small environments, Symantec Endpoint Protection SBE 12.1 is the suggested choice.

Symantec Endpoint Protection SBE 12.1 is marketed as fastest, most effective and simple:

  • Won’t slow down your system
  • Easy to install and manage
  • Save time and costs

PassMark Software, Small Business Endpoint Protection Performance Benchmarks, June 2012 (tested against Kaspersky, ESET, Sophos, Trend Micro)

 

Symantec Endpoint Protection Small Business Edition 2013 is a new solution that offers simple, fast, and effective protection against viruses and malware for your laptops, desktops and servers. Available as a cloud-managed service it can be set up with no additional hardware, so securing your business is simple and quick with minimal upfront investment. It provides updates automatically, so you know you always have the latest security available. And you can easily manage everything from a Web-based console, so you can spend less time worrying and more time running your business. Not quite ready for the cloud? Ask about our on-premise management option that allows you to manage protection on-site with a server. A virus can destroy your business in minutes. Symantec Endpoint Protection Small Business Edition 2013 can protect it just as fast.

Question: What is the difference between Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition 2013?

Answer: Symantec Endpoint Protection helps larger enterprises gain protection from viruses and malware through an on-premise solution with an on-site server.

Symantec Endpoint Protection Small Business Edition 2013, on the other hand, has been designed specifically for small and medium sized businesses and offers simple, fast and effective protection against viruses and malware as a cloud-managed service. It installs in just minutes without additional hardware, delivers always-on protection and can fit into any IT budget through a simple subscription fee. The on-premise management option can be selected if you prefer an on-site server. With Symantec Endpoint Protection Small Business Edition 2013, businesses can quickly and easily secure critical business resources and get on with the business of focusing on their strategic goals.

Q. What about customers who are receiving Endpoint Protection through Symantec Protection Suite Small Business Edition?

A. Symantec Protection Suite Small Business Edition will only continue to be bundled with Symantec Endpoint Protection Small Business Edition 12.1.x. There is no automatic entitlement to Symantec Endpoint Protection Small Business Edition 2013.

Check the FAQ's Section of Symantec Endpoint Protection.cloud

http://www.symanteccloud.com/en/gb/services/end_user_protection/endpoint_protection.aspx

Symantec Endpoint Protection.cloud

https://www-secure.symantec.com/connect/downloads/symantec-endpoint-protectioncloud

 

Check these Whitepapers -

Symantec Positioned Highest in Vision & Execution In Gartner's Magic Quadrant for Endpoint Protection Platforms

https://www4.symantec.com/Vrt/wl?tu_id=z@gM1357330977540756510

Dennis Technology Labs: Enterprise Anti-Virus Protection July-September 2012

http://www.symantec.com/content/en/us/enterprise/other_resources/b-dtl-enterprise-anti-virus-protection-jul-sep-2012.pdf

Dennis Labs – Virtual Desktop Anti-malware Protection, May 2012

Tolly Enterprises – Antivirus Performance in VMware ESXi Virtual Environments, May 2012

Tolly Enterprises – Competitive Anti-virus Performance in VMware vSphere 5 Virtual Environments, October 2012

Tolly Enterprises – Anti-virus Effectiveness in VMware vSphere 5 Virtual Environments, October 2012

AV-Comparatives (October 2012)

http://www.av-comparatives.org/wp-content/uploads/2012/10/avc_cor_201209_en.pdf

PassMark Software: (22 August 2012)

http://www.passmark.com/ftp/Fast%20and%20Effective%20Endpoint%20Security%20for%20Business%202012%20-%20Ed1.pdf

 

Hope that helps!!

Recovering Ransomlocked Files Using Built-In Windows Tools


Introduction

This is the second of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions). 

The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.

This article deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.  

About Cryptolocker and Ransomware: An Ounce of Prevention....

Recent years have shown a rise in the number of ransomware threats in circulation.  These threats hijack a whole computer or its data and demand that a payment is made in order to unlock or decrypt them.  The authors of these malicious threats have a very strong financial motive for infecting as many computers as possible, and have put substantial resources into making these threats prevalent.  New variants are seen all the time.  The following articles (and the links they contain) have more detail on the subject. 

 

Additional information about Ransomware threats
http://www.symantec.com/docs/TECH211589

Ransomcrypt: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

 

One recent variation calls itself "CryptoLocker."  Current definitions from Symantec detect this family as Trojan.ransomcrypt.f though older definitions classified it as Trojan.Gpcoder.H.  Prevention is far better than a cure for ransomware and ransomlock threats: end user education and the use of some of SEP's optional capabilities can help keep your data safe! 

This infection is typically spread through emails sent to corporate email addresses, pretending to be from an array of legitimate companies. These emails contain an attachment that, when opened, infects the computer. These .zip attachments contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and trick victims into opening them. If SEP 12.1's optional Proactive Threat Protection (SONAR) is running, it will prevent these double-extension filenames from causing harm.

Sometimes CryptoLocker is brought into the network by Trojan.Zbot, so full system scans are necessary to identify any and all threats introduced into the environment. Do not rely on SEP's Auto-Protect alone!

Once it is on the computer, CryptoLocker will contact a "secret server" (Command and Control server) and generate a unique key with which to encrypt the victim's files.  Using SEP's optional IPS components will block this communication and keep files from being locked by this threat.  Definitely deploy IPS, if it is not already in use!

If it is able to generate a key, CryptoLocker will then begin to sabotage all the MS Office documents, OpenOffice documents, and other valuable materials it can. A list of affected extensions is available in the Trojan.ransomcrypt.f Technical Details (though, of course, different variants will behave differently....). Both files on the local computer and on any mapped network shares can be affected. Once the encryption is complete, the threat will display a pop-up which explains what it has done and demands payment for those files to be decrypted. It may also change the Windows desktop.

cryptolocker.jpg

...The Pound of Cure

If your files have been locked by this threat, Symantec advises: do not pay the ransom. If these scams make money for their authors, it will only encourage the attackers. Your payment will fund R&D for new and more sophisticated attacks against you.

Follow the steps in this document to contain and eliminate the threat:

 

Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466 

Now it's time to think about recovery.

Decryption without the key from your attackers is not feasible, but that does not mean that a CryptoLocker threat must seriously disrupt your business.  A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage. If your organization has been following best Disaster Recovery practice and maintaining a routine schedule of backups, then simply delete all the encrypted files and restore them from their last known-good backup.  Symantec supplies Backup Exec, NetBackup, and a number of backup tools in the Norton consumer products.  Other vendors supply other products which can likewise make the job of recovering from CryptoLocker quite straightforward.

Use Windows PowerShell to generate a list of the files this threat has encrypted. CryptoLocker records each file it touched as a value name under its own registry key (with "?" in place of "\"), so the list can be dumped with the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

 

Microsoft Built-In Tools: Windows Backup 

Windows comes with a built-in backup and restore utility.  Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), providing that you have made a backup of them prior to the damage.  Microsoft have released a video on how to use the built-in backup and restore tool to backup your important files.  Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life.  Definitely recommended!

 

Back up your files
http://windows.microsoft.com/en-ie/windows7/back-up-your-files

 

This Windows Backup tool also has the ability to create a system image: an exact image of the entire drive, including system settings, programs, files, everything. If this system image is restored, it will not only replace all the corrupted files that CryptoLocker has damaged, it will overwrite everything! Use system image restoration with caution.

Use a Previous Version

An alternative, if it is a technology in use in your organization, is to restore from a Previous Version.  Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:

Previous versions of files: frequently asked questions
http://windows.microsoft.com/en-ie/windows7/previous-versions-of-files-frequently-asked-questions

If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.

As an example: let's say that CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish.  From Windows Explorer, just right-click it, "Restore previous versions" highlight the version from last week (before the damage was done) and click Restore.

restore_example.png

 

On the File Server: Volume Shadow Copies

If CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them.  If Volume Shadow Copies are enabled on the server, recovery should be easy.  More details and a mention of gourmet snacks can be found in this Technet article:

Rapid Recovery with the Volume Shadow Copy Service
http://technet.microsoft.com/en-ie/magazine/2006.01.rapidrecovery(en-us).aspx
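The two restore methods above (right-click "Restore previous versions" on a workstation, and Volume Shadow Copies on a file server) both read from VSS snapshots. When CryptoLocker has touched hundreds of files, clicking through them one at a time is impractical, so here is an added PowerShell example, not part of the original article, that does the same thing in bulk: it takes the file list from the CryptoLocker registry key (the same list the Get-Item command above dumps), picks the newest shadow copy that predates the infection, and copies the pre-encryption versions out. It assumes system protection (VSS) was enabled on the volume, that the threat's executable has already been removed, and that it runs elevated because mklink needs it; the parameter names and the C:\Recovered destination are choices made for this example.

```powershell
# Added example, not from the original article: bulk-restore the files CryptoLocker recorded
# in its registry key from the newest Volume Shadow Copy taken before the infection.
param(
    [Parameter(Mandatory)][datetime]$InfectedAfter,   # assumed: when the ransom note first appeared
    [string]$RestoreRoot = "C:\Recovered"              # assumed: restored copies go here, originals untouched
)

# 1. The same list the article dumps with Get-Item: value names with '?' standing in for '\'.
$lockedFiles = (Get-Item "HKCU:\Software\CryptoLocker\Files").GetValueNames() |
    ForEach-Object { $_.Replace("?", "\") }

# 2. Drive letter -> volume GUID path, so each file can be matched to its own volume's snapshots.
$volumeByLetter = @{}
Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter } |
    ForEach-Object { $volumeByLetter[$_.DriveLetter.ToUpper()] = $_.DeviceID }

# 3. Shadow copies older than the infection, newest first. A snapshot taken after the
#    encryption ran only preserves the gibberish, so those are skipped.
$shadows = Get-WmiObject Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        Device  = $_.DeviceObject        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        Volume  = $_.VolumeName          # \\?\Volume{GUID}\
        Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
    }
} | Where-Object { $_.Created -lt $InfectedAfter } | Sort-Object Created -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies predate $InfectedAfter. Fall back to your backups."
    return
}

# 4. Expose each snapshot through a directory symlink (the trailing backslash on the device
#    path is required), then copy files out with ordinary paths. The newest snapshot that
#    still has the file wins; later (older) snapshots do not overwrite it.
$restored = 0
foreach ($s in $shadows) {
    $link = Join-Path $env:TEMP ("vss_" + [guid]::NewGuid().ToString("N"))
    cmd /c mklink /d "$link" "$($s.Device)\" | Out-Null
    try {
        foreach ($f in $lockedFiles) {
            $letter = $f.Substring(0, 2).ToUpper()                 # "C:"; UNC paths get no match and are skipped
            if ($volumeByLetter[$letter] -ne $s.Volume) { continue }
            $relative = $f.Substring(3)                             # strip "C:\"
            $src = Join-Path $link $relative
            $dst = Join-Path $RestoreRoot $relative
            if ((Test-Path $src) -and -not (Test-Path $dst)) {
                New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
                Copy-Item -Path $src -Destination $dst
                $restored++
            }
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null
    }
}
Write-Host "Restored $restored of $($lockedFiles.Count) files into $RestoreRoot"
```

Run it as the affected user (the CryptoLocker key is under HKCU) from an elevated console, e.g. `.\Restore-FromShadow.ps1 -InfectedAfter "2013-10-15 09:00"`; the script name is a choice for this example. Files on mapped network drives are skipped on purpose because their shadow copies live on the file server, so run the same logic there against the server's own snapshots. Restored copies land under C:\Recovered rather than over the originals, so you can diff before and after and keep the encrypted files for the incident record. Check the restored documents open cleanly before deleting the encrypted ones, and note that an empty shadow-copy list is itself a finding: a ransomware variant that clears VSS leaves you with backups as the only route, which is the argument for the backup schedule recommended above.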
 

Conclusion

After cleaning up from this CryptoLocker threat, it would be a very good idea to run a diagnostic to ensure there are no additional undetected malicious files on the computer(s).  The following article provides an illustrated example of how this can be done:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

And it would also be a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

 

Many thanks for reading!  Please do leave comments and feedback below. 

Moving SEP clients from an Independent SEPM to another Independent SEPM


I have come across customers who are on Symantec Endpoint Protection Manager 11 and are gearing to migrate / upgrade to Symantec Endpoint Protection Manager 12.

The challenge they face is whether to retain the existing SEPM 11 or set up a parallel new SEPM 12 environment.

The reasons for a parallel environment could be any of the following:

o   They don't want to upgrade their existing SEPM server, in case there is an issue during the SEPM upgrade.

o   They want to install SEPM 12 on a new set of hardware.

o   They don't have the encryption key. If there is an issue during the SEPM upgrade they will have to start all over again, and the clients will not be able to communicate with the current SEPM 11 until they receive a new sylink.xml file.

Note: As a security measure, most organizations have File and Print services disabled.

o   If a new parallel environment is created, there is no mode of communication between the two independent SEPMs.

Protecting your endpoints with signature-based protection alone is not enough; you also need to install the latest SEP 12 software.

I would like to present a solution where you can move the existing SEP 11 clients from the old SEPM 11 to new SEPM 12. It can also be used to move clients from an independent SEPM to another independent SEPM.

So here is how SNAC can help you tackle this problem.

The best part is this requires no Hardware enforcers or DHCP software plug-in to be configured.

Pre-requisites:

1.           Make sure your SEPM 11 is SNAC ready. In the Policies tab you should see the Host Integrity Policy option; if not, you can add the SNAC.xml file to the License folder in SEPM.

Note: Please restart the SEPM services after adding the SNAC license.

2.           Ensure SEP is functioning properly on all SEP clients.

3.           On SEPM 12, create new groups matching the groups seen in SEPM 11.

4.           Copy the SylinkDrop.exe file and sylink.xml to a shared network folder or an internal HTTP / FTP site.

a.      SylinkDrop (SEP 11 CD2\Tools\NoSupport\SylinkDrop) – this version of SylinkDrop doesn't require network privileges and is executed locally.

b.      Sylink.xml exported from the new SEPM group, so that the respective clients will communicate with the respective groups in the new SEPM.

Let's see how to create an HI policy, to move SEP clients reporting to SEPM 11 to another SEPM 12.

1.      Login to SEPM

2.      Click on Policies and select Host Integrity

sepm.png

3.      On the Right Pane, right Click and Select “Add”

sepm_0.png

4.      Enter a description for the policy

sepm-1.png

5.      Click on “Requirements”

sepm-2.png

6.      Click on “Add”, select “Custom requirement” and click “OK”

sepm-3.png

7.      Click on “Add” and select “IF... THEN”

sepm-4.png

8.      On the right pane

o   In Select a condition ---> Scroll and select “Registry: Registry value equals”

o   Under “Registry Key” --->, Enter the Value “HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink”

o   Under “Value name” ---> Enter “LastServerIP”

o   Under “Data to compare Against” ---> click on “String Value” and enter the SEPM 11 IP address (1.2.3.4)

sepm-5.png

9.      On the Left Pane ----> click on “THEN” ---> click on “Add” ---> click on “Function” and select “File: Download a File”

sepm-6.png

10.   Under “Download the file” --->Enter the path to “download the file - SylinkDrop” and provide a “Target folder” locally

                         o   If authentication is required provide the credentials

sepm-7.png

11.   Click on “Add” ---> click on “Function” and select “File: Download a File”

o   Under “Download the file” ---> Enter the path to “download the file – Sylink.xml” and provide a “Target folder” locally

o   If authentication is required provide the credentials

Note: You will have to upload new Sylink.xml with respect to the new groups in new SEPM 12. So the path will change for eg:

Group A: path to download will be \\1.2.3.4\A\Sylink.xml

Group B: path to download will be \\1.2.3.4\B\Sylink.xml

sepm-8.png

12.   Click on “Add” ---> click on “Function” and select “Utility: Run a Program”

o   Under “Specify the command” enter “c:\temp\Sylinkdrop.exe -silent c:\temp\sylink.xml” (use the target folder you chose in steps 10 and 11; giving the full path to sylink.xml avoids depending on the working directory)

o   If the SMC service is password protected, enter the password within the command. Note that the password is then visible in clear text to anyone who can view the Host Integrity policy on SEPM 11, so restrict who can read the policy.

The syntax of this command is:

i.      SylinkDrop [-silent] [-p password] [SylinkFile]

               -silent                Hide user interface

               -p password            Use this argument if Smc requires a password to stop

               [SylinkFile]           Specifies drive, path, and filename of the sylink.xml file

sepm-9.png

13.   Click on “OK”

14.   On SEPM 11:

o   Assign the HI policy to a group

o   On the next heartbeat the client will receive the policy

o   It will download both files

o   It will execute the command locally

o   SylinkDrop will stop the “SMC” service and replace the existing sylink.xml with the new sylink.xml

o   It will start the “SMC” service and the client will begin communicating with the new SEPM 12
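For testing the rule on a single client before assigning the policy, and for confirming afterwards that clients really moved, here is an added PowerShell example (not from the original article) that does locally what the Host Integrity rule in steps 8 to 14 does: check LastServerIP against the old SEPM, fetch SylinkDrop.exe and the new group's sylink.xml, run the drop, then poll the registry until the client has checked in with the new manager. The addresses 1.2.3.4 and 5.6.7.8, the share \\fileserver\sepmove\A and the C:\temp staging folder are assumptions for this example; it must run elevated because SylinkDrop stops and restarts the Smc service.

```powershell
# Added example, not from the original article: stand-alone equivalent of the HI rule
# (registry check -> download -> SylinkDrop -> verify) for one SEP 11 client.
param(
    [string]$OldSepmIp   = "1.2.3.4",                 # assumed old SEPM 11 address
    [string]$NewSepmIp   = "5.6.7.8",                 # assumed new SEPM 12 address
    [string]$SourceShare = "\\fileserver\sepmove\A",  # assumed share holding the new group's files
    [string]$Staging     = "C:\temp",
    [string]$SmcPassword = ""                         # only if Smc is password-protected to stop
)

# Step 8: the key the HI rule reads. SEP is a 32-bit client, so on 64-bit Windows the key
# is reflected under Wow6432Node; both locations are probed.
$sylinkKeys = @(
    "HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink",
    "HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
)

function Get-LastServerIp {
    foreach ($k in $sylinkKeys) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -Name LastServerIP -ErrorAction SilentlyContinue).LastServerIP
            if ($v) { return $v }
        }
    }
    return $null
}

$current = Get-LastServerIp
if ($current -ne $OldSepmIp) {
    Write-Host "LastServerIP is '$current', not the old SEPM ($OldSepmIp); nothing to do."
    return
}

# Steps 10-11: fetch SylinkDrop.exe and the new group's sylink.xml into the staging folder.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
foreach ($name in "SylinkDrop.exe", "sylink.xml") {
    Copy-Item -Path (Join-Path $SourceShare $name) -Destination (Join-Path $Staging $name) -Force
}

# Step 12: SylinkDrop [-silent] [-p password] [SylinkFile]. The full path to sylink.xml is
# passed so the result does not depend on the working directory.
$dropArgs = @("-silent")
if ($SmcPassword) { $dropArgs += @("-p", $SmcPassword) }
$dropArgs += (Join-Path $Staging "sylink.xml")
Start-Process -FilePath (Join-Path $Staging "SylinkDrop.exe") -ArgumentList $dropArgs -Wait

# Step 14, verified: LastServerIP only changes once Smc has actually checked in with the
# new manager, so poll across a few heartbeats instead of trusting that the drop ran.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $now = Get-LastServerIp
} while ($now -ne $NewSepmIp -and (Get-Date) -lt $deadline)

$smc = Get-Service -Name SmcService -ErrorAction SilentlyContinue
if ($now -eq $NewSepmIp -and $smc.Status -eq "Running") {
    Write-Host "Client now reports to $NewSepmIp and SmcService is running."
} else {
    Write-Warning "LastServerIP=$now, SmcService=$($smc.Status); check the new sylink.xml and that the client can reach $NewSepmIp."
}
```

The verification half is the part worth keeping even after the HI policy is rolled out: run it (or just Get-LastServerIp) on a sample of clients in each group, because a client that downloaded the wrong group's sylink.xml still moves, just into the wrong group. Two cautions that follow from how the rule works: sylink.xml tells the client which manager to trust, so serve it only from a source that cannot be tampered with, and when a password is passed with -p it is visible in the process command line for as long as SylinkDrop runs.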

Knowledgebase Articles for Symantec Endpoint Protection 12.1.4(RU4)


Here are the Knowledgebase Articles available for Symantec Endpoint Protection 12.1.4013 (RU4) to help you prepare for this latest release.

NOTE: This article will be updated as new articles referring to Symantec Endpoint Protection 12.1.4013 (RU4) are published.

Product Guides

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control

http://www.symantec.com/docs/TECH163829

Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.4 Release Notes/What’s New

http://www.symantec.com/docs/DOC6838

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1.4

http://www.symantec.com/docs/TECH212063

 

Installation and Getting Started.

New fixes and features in Symantec Endpoint Protection 12.1.4

http://www.symantec.com/docs/TECH211972

Best practices for upgrading to Symantec Endpoint Protection 12.1.x

http://www.symantec.com/business/support/index?page=content&id=TECH163700

Upgrading or migrating to Symantec Endpoint Protection 12.1.4 (RU4)

http://www.symantec.com/docs/TECH211821

Overview for Symantec Endpoint Protection 12.1.4 for Mac

http://www.symantec.com/docs/HOWTO92146

What are the officially released versions of Symantec Endpoint Protection (SEP)?

http://www.symantec.com/docs/TECH154475

Third-party security software removal support in Symantec Endpoint Protection 12.1.2 and later

http://www.symantec.com/docs/TECH195029

About Windows 8 and Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH174348

Information about the "Fast-Pathing" feature in SEP 12.1 RU4

http://www.symantec.com/docs/TECH212153

Compatibility between Symantec Endpoint Protection for Mac/Symantec AntiVirus for Macintosh and versions of Mac OS X

http://www.symantec.com/docs/TECH131045

Removing Symantec programs for Macintosh by using the RemoveSymantecMacFiles removal utility

http://www.symantec.com/docs/TECH103489

About Symantec Endpoint Protection 12.1 RU4 Definitions in LiveUpdate Administrator 2.x

http://www.symantec.com/docs/TECH211582

 

Known Issues - 

Symantec Endpoint Protection 12.1 RU4's right-click context menu for the Security Log does not appear when using a stylus on Windows 8

http://www.symantec.com/docs/TECH211590

Launching the remote Java-based Symantec Endpoint Protection Manager Console takes significantly longer with version 12.1 RU4

http://www.symantec.com/docs/TECH211353

Unmanaged Symantec Endpoint Protection Mac clients exported from the Symantec Endpoint Protection Manager do not prompt for an administrator password when disabling Auto-Protect or Network Threat Protection

http://www.symantec.com/docs/TECH212023

 

NOTE: You can also search the Symantec Knowledgebase directly.

 

Small Business Edition 12.1.4013.4013 (SEP SBE 12.1RU4) Released


Hello,

Symantec Endpoint Protection 12.1.RU4 Small Business Edition has been released on 28th October 2013.

Previous release details are available here: https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially

You may find the latest release notes & fix notes here:

http://www.symantec.com/docs/TECH163829

Symantec Endpoint Protection Small Business Edition incorporates many of the features from the enterprise edition. It is designed for small-to-medium businesses with up to 250 clients; the previous version supported only 100 computers.

SEP 12.1 SBE provides several improvements over previous versions, including additional operating system, platform, and browser support, improved installation process, streamlined performance, enhanced management features, and new support for virtual environments.

To download Symantec Endpoint Protection 12.1.RU4 go to: https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

This build's version is: 12.1.4013.4013.

Screenshot is attached to the reference.

12.1 RU4 SBE_0.jpg

Key features of this build:

Expanded operating system and browser support

  • Supports Mac OS X 10.9 and Windows 8.1 / Server 2012 R2.

  • Supports the latest versions of Internet Explorer, Firefox, and Chrome.

Expanded and improved features for Endpoint Protection for Mac

  • Improved remote deployment features for the client, including a standardized deployment package for use with third-party client management systems that supports unattended, logged out, and silent deployment.

  • Intrusion prevention for Mac client computers.

  • LiveUpdate 6 for Mac, which does not require Java and can run with no user logged in.

  • Content for Mac from Symantec Endpoint Protection Manager (SEPM)

  • Other improvements including improved scheduled scan options, user interface improvements, and language support

Faster alerting and notification for priority events

SEP 12.1.4 Windows clients can quickly send priority events to SEPM without waiting for the next heartbeat. You can create notifications without a damper for critical events. Priority events include malware detections and IPS alerts

If you are running Small Business Edition 12.0, the following article walks through the upgrade process. It describes the upgrade to RU3, but the steps for an upgrade to RU4 are very similar.

Article: "Upgrade process graphical overview: Small Business Edition 12.0 to Small Business Edition 12.1 RU3 version"

https://www-secure.symantec.com/connect/articles/upgrade-process-graphical-overview-small-business-edition-120-small-business-edition-121-ru

Supported upgrade paths:

SEP SBE 12.0 > SEP SBE 12.1 (SBE upgrade)
  Keeps the same license

SEP SBE 12.0 or SBE 12.1 > SEP 12.1 (EE upgrade)
  Removes the old licenses, then adds and activates the upgrade license

Other helpful links:

What's new in Small Business Edition 12.1

https://www-secure.symantec.com/connect/articles/whats-new-small-business-edition-121

Knowledgebase Articles for Symantec Endpoint Protection 12.1.4(RU4):

https://www-secure.symantec.com/connect/articles/knowledgebase-articles-symantec-endpoint-protection-121-ru4

Download Trialware

https://www4.symantec.com/Vrt/offer?a_id=117524

Import MAC legacy package (11.x) into SEPM 12.1


Hi,

Log on to the SEPM console.

Admin --> Install Packages --> Client Install Package --> Add a Client Install Package

Import-1.png

Browse to the SEP 12.1 RU4 Part 1 setup files and open the Additional Packages folder. Select the file SEPMacLegacy.info.

Give the package a specific name and description.

Import-2.jpg

Monitor the import process; it may take a few minutes.

Import-3.png

Import-4.png

The SEP 11 RU7 package has now been added successfully.

Import-5.png

The package is listed as SEP 11.0.7101.0236 (RU7 MP1).

After a successful import, you can export the package at any time.

To import a 32-bit Windows legacy package, refer to the following article:

How to import SEP 11.x package into SEPM 12.1

https://www-secure.symantec.com/connect/articles/how-import-sep-11x-package-sepm-121

Two Reasons why IPS is a "Must Have" for your Network


Introduction

This is the third in an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and of the OS on which it runs).

This third article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.

 

IP What?

Unlike AntiVirus, which looks for known malicious files, IPS inspects the network traffic stream for known exploits and attack vectors. IPS does not detect specific files, but rather the specific methods used to get malicious files onto your network. This allows IPS to block both known and unknown threats, even before antivirus signatures exist for them. It’s very cool.

SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints.  More details are contained in:

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

 

Not Just for Windows Any More!

IPS has been an optional component of SEP for Windows since the beginning. In Symantec Endpoint Protection 11.x, the client firewall portion (Network Threat Protection) had to be installed and running for IPS to be enabled. In SEP 12.1, the client firewall is a separate feature and does not need to be installed or enabled for IPS to function.

SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”).  An overview of these enhancements can be found in:

Overview for Symantec Endpoint Protection 12.1.4 for Mac
http://www.symantec.com/docs/HOWTO92146

One of the best of these enhancements is that IPS can now defend Mac machines as well as the Windows boxes on the network.  So, definitely upgrade the protection on your Macs!

 

How IPS Defends Clients

For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools. Even if the initial Trojan.Cryptolocker executable is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic that this threat relies upon to obtain the keys it needs to sabotage a computer’s files. If you see a pop-up “System Infected: Trojan.Cryptolocker”, then IPS has just blocked the Trojan’s network activity (and saved you a load of grief). Isolate that computer and perform a load point diagnostic to identify any as-yet undetected malware files!

 

Generating SEPM Reports of Network Attacks

As detailed in my first article, your Symantec Endpoint Protection Manager contains advanced capabilities for reporting and alerting.  It can often tell you exactly what is going on with the security of your network, if you know how to look.

One report that it can generate on demand is Network Threat Protection: Attacks.  (Remember: in SEP 12.1, it is not necessary to have the NTP component of SEP installed in order to take advantage of IPS.  IPS can be installed without NTP.  The report of all IPS attacks is still listed under Network Threat Protection as a legacy inherited from SEP 11 days.)

Just click on Monitors, Logs tab, and pick the "Network Threat Protection" option for Log type.  Choose “Attacks” to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.

Logs.jpg

 

 

The logs for all the attack events will be displayed on screen, and can be exported for more advanced parsing and analysis with your favorite spreadsheet program. 

 

Identifying Unprotected Computers

One example of how these can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup from the corporate network.  There were constant detections of this threat being stopped, but somewhere out there were infected computers which constantly tried to re-infect others.  Examining the Risk Reports failed to show any instances where the threat was being detected by AV but “left alone,” so where were they?

Examining the exported Network Attack logs, it was clear that IPS was also blocking infection attempts (traffic that tried to exploit the vulnerability W32.Downadup uses to spread). These logs also showed which IP addresses were involved in each “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM” event.

 

traffic.jpg

 

Examining the Remote Hosts that were responsible for all that traffic was the solution to this case.  There were a handful of infected computers that had no AV product on them at all. Installing SEP ended the persistent W32.Downadup troubles for good. 

 

Identifying Infected Machines

In another recent real-world example: hundreds of Auto-Protect virus events (Event ID 51) were seen on the shared directory of a file server. Several days were spent examining the load points of the server itself, with nothing malicious found. The reason: the infection was on one of the 400 clients that connect daily to that mapped drive. Some client on the network had attempted to do the damage, but which one? It would not be possible to examine load point diagnostics from all those hundreds of clients.

Luckily, that file server had IPS installed. The IPS logs were examined and a large number of “Incoming Auto-Block Event” entries were spotted, coming from one particular IP address. This activity might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected. That computer was isolated, cleaned, patched and returned to the network. Problem solved.
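Here is an added Python example (not from the original article) that automates the two triage steps described in these last two cases on an exported log: counting which remote hosts generate a given IPS signature, diffing those sources against the SEPM client inventory to find unmanaged machines, and ranking the sources of repeated Auto-Block events per target. The CSV rows and their column names are constructed to resemble a SEPM export; map them to the actual headers of your export. Outgoing signature events are counted against the local client, since a managed client sending attack traffic is itself a suspect.

```python
"""Triage helpers for an exported SEPM Network Threat Protection 'Attacks' log.
Added example; the column names and rows below are constructed, not a real export."""
import csv
import io
import re
from collections import Counter, defaultdict

# Signature ID as it appears in the event description, e.g. "[SID: 23179] OS Attack: ..."
SID_RE = re.compile(r"\[SID:\s*(\d+)\]")

# Constructed sample shaped like a SEPM CSV export (column names are an assumption).
SAMPLE_EXPORT = """\
Time Stamp,Local Host IP,Remote Host IP,Traffic Direction,Event Description
2013-11-04 09:12:01,10.0.5.21,10.0.9.77,Incoming,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-04 09:12:09,10.0.5.22,10.0.9.77,Incoming,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-04 09:13:44,10.0.5.23,10.0.9.77,Incoming,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-04 09:15:02,10.0.5.21,10.0.9.78,Incoming,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-04 09:15:30,10.0.5.21,10.0.9.90,Outgoing,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-04 10:01:11,10.0.5.10,10.0.7.15,Incoming,Incoming Auto-Block Event
2013-11-04 10:01:12,10.0.5.10,10.0.7.15,Incoming,Incoming Auto-Block Event
2013-11-04 10:01:14,10.0.5.10,10.0.7.15,Incoming,Incoming Auto-Block Event
2013-11-04 10:02:40,10.0.5.10,10.0.7.16,Incoming,Incoming Auto-Block Event
"""


def load_events(csv_text):
    """Parse an exported log into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


EVENTS = load_events(SAMPLE_EXPORT)


def attack_sources(events, sid=None, direction="Incoming"):
    """Count the hosts that originate IPS signature events.

    Incoming: the originator is the Remote Host IP (the machine attacking us).
    Outgoing: the originator is the managed client itself (Local Host IP),
    which is a strong sign that that client is infected.
    sid restricts the count to one signature, e.g. 23179 for the Downadup case.
    """
    origin_col = "Remote Host IP" if direction == "Incoming" else "Local Host IP"
    counts = Counter()
    for e in events:
        if e["Traffic Direction"] != direction:
            continue
        m = SID_RE.search(e["Event Description"])
        if not m:
            continue  # not a signature event (e.g. an Auto-Block entry)
        if sid is not None and int(m.group(1)) != sid:
            continue
        counts[e[origin_col]] += 1
    return counts


def unmanaged_attackers(sources, managed_ips):
    """Attack sources absent from the SEPM client inventory: the machines
    with no AV at all in the W32.Downadup case above."""
    return sorted(ip for ip in sources if ip not in managed_ips)


def autoblock_sources(events, min_events=3):
    """Per local host, the remote hosts that triggered Auto-Block at least
    min_events times (the file-server case above)."""
    per_target = defaultdict(Counter)
    for e in events:
        if "Auto-Block" in e["Event Description"]:
            per_target[e["Local Host IP"]][e["Remote Host IP"]] += 1
    return {
        target: {src: n for src, n in srcs.items() if n >= min_events}
        for target, srcs in per_target.items()
        if any(n >= min_events for n in srcs.values())
    }


if __name__ == "__main__":
    managed = {"10.0.5.10", "10.0.5.21", "10.0.5.22", "10.0.5.23", "10.0.9.78"}
    sources = attack_sources(EVENTS, sid=23179)
    print("SID 23179 sources:", dict(sources))
    print("Not in SEPM inventory:", unmanaged_attackers(sources, managed))
    print("Clients sending attacks:", dict(attack_sources(EVENTS, direction="Outgoing")))
    print("Repeated Auto-Block sources:", autoblock_sources(EVENTS))
```

Feed it the CSV you export from Monitors > Logs (read the file instead of SAMPLE_EXPORT) and a set of client IPs exported from the SEPM Clients page; anything in the unmanaged list is a machine IPS is seeing that SEPM is not protecting.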

Conclusion

IPS can protect your computers, and everything on them, in ways that AV alone cannot. And its logs can provide valuable intelligence about which computers on the network are infected.

Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics.  &: )

 

One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

 

 

Many thanks for reading!  Please do leave comments and feedback below. 

 


SEPM 12.1 - Advanced Settings filter options for Client Activity logs


Trying to wade through Client Activity logs can become a tedious task, especially when you have thousands of clients. I would like to show you some advanced filtering that you can do to get the Client info you need much more quickly.

For this article, I will focus solely on the Client Activity logs in the SEPM:

1_8.JPG

The box we want to use for filtering is the Event source box. There are specific keywords you can use to get more granular results. They are as follows:

  1.     GUP
  2.     IPS
  3.     LiveUpdate Manager
  4.     Network Intrusion Protection Sys
  5.     REP
  6.     Smc
  7.     SONAR
  8.     SYLINK
  9.     Symantec AntiVirus
  10.     Symantec Endpoint Protection

To look at events generated by SMC, we enter SMC into the Event source box:

2_8.JPG

Click View Log to see those events

3_8.JPG

As you can see, a wealth of information is returned. The same holds true for the other nine keywords above. I highly recommend trying them out to see what comes back; it is very detailed and you may find some things you previously did not know about! Better yet, export to CSV, drop the file into Excel and filter as needed.

I hope these help you in your daily monitoring tasks. Feel free to post any comments/questions/criticisms.

Thanks!
Brian

How to sign up for alerts and notifications on the BCS notification system


BCS.jpg

Issue

This document explains the process of configuring the Symantec Alerting Services for BCS customers, which includes editing and confirming your recipient information, alerts and notifications and resetting your password. 

Solution

Logging in
( https://symantec.mir3.com )
On entering, you see the following login screen:

MIR3_LOGIN.PNG

Your Username is the same numeric login you use to log into the BCS Support site.

The initial password is the first two characters of your last name (in lower case) followed by: 4Zp%9sj2
For example, the initial login password for John Smith would be: sm4Zp%9sj2
The password is 10 characters long, has no spaces and is case sensitive. Because this initial password is predictable (a fixed string plus two letters of your surname), treat it as a one-time credential and change it at your first logon.

When you successfully login, you see the following screen. Click the Profile button at the top.

MIR3_Profile.PNG

The recipient setup screen appears.

Changing/Setting passwords

To change your password, please go to the left hand navigational bar under Security and click Change Password. (shown below)

MIR3_Profile_01.PNG


Once you have logged in, you will be asked to reset your password to one of your choosing. That password must meet the following criteria:

    • It must be at least 10 characters long
    • It must contain at least one upper case letter
    • It must contain one lower case letter
    • It must contain one number
    • It must contain one special character (for example: !@#$)

In the future, you will have to reset this password every 90 days per security best practices.

Recipient Information Setup

Click the back arrow in the browser to return to the Recipient Setup page. The screen should open at the General tab.
 

  1. At the Recipient Setup page:
    • Confirm your time zone in the drop down menu.
    • Enter your company name. (Employee ID is not necessary)
  2. Confirm the communication modalities you require. The devices circled in red below are the ones available:

MIR3_Profile_02_General.PNG

 

 

Note: After some study, Symantec BCS has decided to join the global trend and discontinue the slower or problematic legacy telephone and fax communication modes. Only the email and SMS modes by which you can receive alerts are retained. Selecting modalities other than these two will not enable them, and you will not receive information through them.

Setting up Alerts and Subscriptions

  1. Click the Topic Subscriptions tab and then click the User Subscriptions tab. (as shown below)

    MIR3_Profile_03_Subscriptions.PNG

  2. Select the Categories you wish to activate for alerts/notifications. You may already see pre-populated information.
  3. Confirm all needed alerts/notifications are here. If not, please add the category by using the drop down menu.
    Selection of the top category header will select all sub-categories. If you do not want to receive all sub-categories, iteratively select specific categories from the drop down menu.

    All other settings: Priority, Severity, Location are already set to their defaults and need no further attention.

  4. Select the Activate check boxes.
     

The following shows the relevant selections:

This will give you information about the Daily Definition Updates.
MIR3_Profile_03_Subscriptions_DailyDefinitions.PNG
 

This will give you information about known vulnerabilities in your Symantec product and the recommendations for them.

MIR3_Profile_03_Subscriptions_PlatinumBulletin.PNG

This will give you information about Endpoint Protection engine updates, such as a new BASH driver or a new Eraser engine.

MIR3_Profile_03_Subscriptions_SEP Engine Update.PNG

Ensuring you receive your alerts or notifications

Depending on your company's security controls, you may need to adjust your spam filters to let these alerts through. If so, allow the sending domain @notify2.mir3.com in your filters.

Additional questions

If you have any problems with your set up, please contact your BCAM.
 

Additional Alternative Notification Methods

You may also want to subscribe to anti-virus RSS feeds by visiting the following link and signing up for the virus definitions and security updates: http://www.symantec.com/xml/rss/definitions.jsp 

Modifying IT Analytics Reports to Decrease Load Times


For IT Analytics reports hosted by SQL Server Reporting Services (which include the out-of-the-box reports and dashboards), some users may experience extended wait times before a report renders, and in some cases the report may fail or time out. This typically occurs in environments with extremely large data volumes where reports are pre-configured to display all data by default (without filtering).

To reduce the time it takes for these reports to load, you can configure them so that data is filtered by default, which greatly improves performance. This article describes that process using Microsoft Report Builder, a client-side application that ships with SQL Server Reporting Services.

 

Selecting the Report

  1. To load Report Builder, open the Symantec Management Platform Console and navigate to: Settings > Notification Server > IT Analytics Settings > Reports > Report Builder. Then click the Launch Report Builder button.

article31-1_0.png

  2. If prompted, click Run to start downloading the application.
  3. Be patient; launching the application may take a minute or two, depending on connectivity. While the application is loading, you should see this message:

article31-2_0.png

  4. Click Open to select the report you want to optimize. Under the default configuration, all IT Analytics reports are stored in the ITAnalytics folder under the ReportServer root.

article31-3_0.png

NOTE: For the purposes of this example, we will select the IT Analytics Configuration Events report. As such, the parameters you select in the next section of this article may be different.

 

Modifying the Report

  1. When the report opens, expand Parameters in the Report Data pane on the left, then right-click the From parameter and select Parameter Properties.

article31-4_0.png

  2. Navigate to Default Values > Get values from a query. For both fields, select MaxDate from the drop-down list, then click OK.
article31-5_0.png

NOTE: Write down the original values before making any modifications.
  3. Modify the properties for the Types parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field, type 'Cube Processing' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate parameter and input a default value that matches a valid value for that parameter.
article31-6_0.png
  4. Modify the properties for the Targets parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field, type 'Processing Trace' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate parameter and input a default value that matches a valid value for that parameter.
article31-7_0.png
  5. Click Save to apply all changes (saving may take a couple of seconds).
article31-8_0.png
article31-8_0.png
 
 

Reloading the Report

  1. In the Symantec Management Console, navigate to Reports > IT Analytics > Reports > IT Analytics Events > ITA Configuration Events (or the report you modified). Refresh the browser if necessary. You should notice the report loads much faster than before.
  2. Verify that the current day (in the From parameter) and the specific Type and Target are pre-selected with the values entered previously (or the appropriate values you entered if modifying a different report).

article31-9_0.png

  3. To adjust the parameter values, select different values as you normally would.

article31-10_0.png

 

Preventing IT Analytics Reports from Running Automatically


By default, reports and dashboards in IT Analytics (hosted by SQL Server Reporting Services) will run automatically when selected. This behavior can sometimes be problematic for environments with excessive amounts of data, resulting in increased load times or timeouts for certain reports. One option to prevent this is to modify the value of a parameter within a report so that it does not execute automatically when clicked, a process which is documented in the article below.

To modify report parameters in more detail in order to load reports more efficiently, please see the article: Modifying IT Analytics Reports to Decrease Load Times.

  1. For the purposes of this example we will use the DLP Endpoint Incident Search report. Note that by default, the report runs with the Policy Name parameter value of 'All' pre-selected.

article33-1_0.png

  2. To change this report, open a browser on the server hosting SQL Server Reporting Services and go to: http://localhost/Reports.
  3. From within the IT Analytics folder, locate and hover over the DLP Endpoint Incident Search report (or the report you want to modify); to the right you will see a menu of options. Select Manage.

article33-2_0.png

  4. On the report management screen, select the Parameters section.

article33-3_0.png

  5. Uncheck the 'Has Default' column for the parameter you want to force users to select or enter a value for. This ensures a user must select a value for that parameter before the report can execute. In this example we use the Policy Name parameter. Then click Apply.

article33-4_0.png

  6. Return to the Symantec Management Console and load the report. It should no longer execute automatically, but instead prompt for a parameter value. Once a value is selected, click View Report. Refresh the browser if necessary.

The Log Files Location and Description of Symantec DLP Server


Symantec Data Loss Prevention provides many operational log files that can be used to interpret how the system is running.

During installation, the log files for the Enforce Server and the detection servers are placed in default locations on the computers that host those servers: the \SymantecDLP\Protect\logs directory on Windows installations and the /var/log/SymantecDLP directory on Linux installations. The number at the end of a log file name is its position in the log rotation.

Most log files are located in the subdirectory \SymantecDLP\Protect\logs\debug on Windows and /var/log/SymantecDLP/debug on Linux.

Log file: Aggregator0.log
Server: Endpoint detection servers
Describes communications between the detection server and the agents. Look at this log to troubleshoot connections to the agents, to find out why incidents do not appear when they should, and when unexpected agent events occur.

Log file: BoxMonitor0.log
Server: All detection servers
Typically very small; shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture.

Log file: ContentExtractor0.log
Server: All detection servers, Enforce Server
May be helpful for troubleshooting ContentExtractor issues.

Log file: DiscoverNative.log.0
Server: Discover detection servers
Contains the log statements that the Network Discover native code emits. Currently contains information related to .pst scanning. Applies only to Network Discover servers that run on Windows.

Log file: FileReader0.log
Server: All detection servers
Pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. Look at this log to find out why an incident was not detected. One symptom that shows up here is content extractor timeouts.

Log file: IncidentPersister0.log
Server: Enforce Server
Pertains to the Incident Persister process, which reads incidents from the incidents folder on the Enforce Server and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. You can also observe this situation by checking whether incidents have backed up in the incidents folder on the Enforce Server.

Log file: Indexer0.log
Server: Enforce Server (or the computer where the external indexer is running)
Contains the information written when an EDM profile is indexed, including the information collected when the external indexer is used. If indexing fails, consult this log.

Log file: jdbc.log
Server: Enforce Server
A trace of JDBC calls to the database. By default, writing to this log is turned off.

Log file: MonitorController0.log
Server: Enforce Server
A detailed log of the connections between the Enforce Server and the detection servers. It gives details about the information exchanged between these servers, including whether policies have been pushed to the detection servers.

Log file: PacketCapture.log
Server: All detection servers
Pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes.

Log file: PacketCapture0.log
Server: All detection servers
Describes issues with PacketCapture communications.

Log file: RequestProcessor0.log
Server: SMTP Prevent detection servers
Pertains to SMTP Prevent only. Primarily for use in cases where SmtpPrevent0.log is not sufficient.

Log file: ScanDetail-target-0.log
Server: Discover detection servers
Where target is the name of the scan target, with all white space in the target's name replaced by hyphens. Pertains to Discover server scanning; it is a file-by-file record of what happened in the scan. If the scan of a file is successful, the entry reads success followed by the path, size, time, owner, and ACL information of the scanned file. If it failed, a warning appears followed by the file name.

Log file: SmtpPrevent0.log
Server: SMTP Prevent detection servers
Operational log for SMTP Prevent only. It is the primary log for tracking the health and activity of a Mail Prevent system. Look at this file for information on the communications between the MTA and the detection server.

Log file: Tomcat\localhost.<date>.log
Server: Enforce Server
Contains information for any action that involves the user interface, including the red error message box in the user interface, failed logon passwords, and Oracle errors (ORA-#).

Log file: Tomcat\localhost_access_log.<date>.txt
Server: Enforce Server
Record of all URLs requested.

Log file: VontuIncidentPersister.log
Server: Enforce Server
Minimal information: stdout and stderr only (fatal events).

Log file: VontuManager.log
Server: Enforce Server
Minimal information: stdout and stderr only (fatal events).

Log file: VontuMonitor.log
Server: All detection servers
Minimal information: stdout and stderr only (fatal events).

Log file: VontuMonitorController.log
Server: Enforce Server
Minimal information: stdout and stderr only (fatal events).

Log file: VontuNotifier.log
Server: Enforce Server
Pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see whether the MonitorController service registered a policy change.

Log file: VontuUpdate.log
Server: Enforce Server
Populated when Symantec Data Loss Prevention is updated.

Log file: WebPrevent_Access0.log
Server: Web Prevent detection servers
Access log for Web Prevent only. It records all the requests that Web Prevent processes; it is similar to the Web access logs of a proxy server.

Log file: WebPrevent_Operational0.log
Server: Web Prevent detection servers
Operational log for Web Prevent only. It reports the operating condition of Web Prevent, such as whether the system is up or down, connection management, and so on. This is the primary log file for tracking Web Prevent operations.
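As an added example (not Symantec code and not part of the original article), the following Python script triages a Protect directory laid out as described above: it counts SEVERE and WARNING records per debug log and measures the backlog in the incidents folder that a struggling Incident Persister shows up as. It assumes the Java processes write the two-line record format of java.util.logging's default SimpleFormatter; PacketCapture.log, which is not a Java process, would need a different parser. The sample log contents, class names and incident file names are constructed for the example.

```python
"""Triage helper for a Symantec DLP Protect directory (added example, not
Symantec code): counts SEVERE/WARNING records per debug log and measures the
incident backlog that IncidentPersister0.log problems show up as."""
import os
import re
import tempfile
from collections import Counter

# java.util.logging's default SimpleFormatter writes two lines per record:
#   Jan 10, 2014 1:45:32 PM com.vontu.SomeClass someMethod
#   SEVERE: message text
# Assumption: the DLP Java processes log in this shape. PacketCapture.log is
# not a Java process and would need its own parser.
HEADER_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<source>\S+)(?: \S+)?$"
)
LEVEL_RE = re.compile(r"^(?P<level>SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (?P<msg>.*)$")


def parse_jul_records(lines):
    """Pair header and level lines into records; stack-trace continuation
    lines are appended to the message of the preceding record."""
    records, header = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        m = LEVEL_RE.match(line)
        if m and header is not None:
            records.append({"time": header["stamp"], "source": header["source"],
                            "level": m["level"], "msg": m["msg"]})
            header = None
        elif records and line:
            records[-1]["msg"] += "\n" + line
    return records


def summarize_debug_dir(debug_dir, levels=("SEVERE", "WARNING")):
    """{log file name: {level: count}} for each *.log that has records at those levels."""
    summary = {}
    for name in sorted(os.listdir(debug_dir)):
        if not name.endswith(".log"):
            continue
        with open(os.path.join(debug_dir, name), encoding="utf-8", errors="replace") as fh:
            counts = Counter(r["level"] for r in parse_jul_records(fh) if r["level"] in levels)
        if counts:
            summary[name] = dict(counts)
    return summary


def incident_backlog(incidents_dir):
    """Incident files still waiting for IncidentPersister to write them to the database."""
    return sum(1 for n in os.listdir(incidents_dir)
               if os.path.isfile(os.path.join(incidents_dir, n)))


def build_sample_tree():
    """Create a constructed Protect tree: two debug logs and a backed-up incidents
    folder. Class names, messages and file names are made up for this example.
    Returns (debug_dir, incidents_dir)."""
    root = tempfile.mkdtemp(prefix="SymantecDLP_")
    debug = os.path.join(root, "logs", "debug")
    incidents = os.path.join(root, "incidents")
    os.makedirs(debug)
    os.makedirs(incidents)
    with open(os.path.join(debug, "IncidentPersister0.log"), "w", encoding="utf-8") as fh:
        fh.write(
            "Jan 10, 2014 1:45:32 PM com.vontu.enforce.persister.Writer persist\n"
            "SEVERE: Database write failed\n"
            "java.sql.SQLException: ORA-01653: unable to extend table\n"
            "\tat com.vontu.enforce.persister.Writer.persist(Writer.java:88)\n"
            "Jan 10, 2014 1:45:40 PM com.vontu.enforce.persister.Writer persist\n"
            "WARNING: Retrying incident write\n"
            "Jan 10, 2014 1:46:01 PM com.vontu.enforce.persister.Queue poll\n"
            "INFO: 3 incidents queued\n"
        )
    with open(os.path.join(debug, "FileReader0.log"), "w", encoding="utf-8") as fh:
        fh.write(
            "Jan 10, 2014 1:50:12 PM com.vontu.detection.FileReader process\n"
            "WARNING: Content extractor timeout after 60000 ms\n"
        )
    for i in range(3):
        open(os.path.join(incidents, f"queued_incident_{i}"), "w").close()
    return debug, incidents


if __name__ == "__main__":
    debug_dir, incidents_dir = build_sample_tree()
    print("Problems per log:", summarize_debug_dir(debug_dir))
    print("Incidents waiting in queue:", incident_backlog(incidents_dir))
```

On a real Enforce Server, point summarize_debug_dir at \SymantecDLP\Protect\logs\debug (or /var/log/SymantecDLP/debug) and incident_backlog at the incidents folder; a rising backlog together with SEVERE entries in IncidentPersister0.log points at the database, while WARNING entries in FileReader0.log about extractor timeouts point at detection.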

 

 

 

 

SEP Firewall "Did You Know...?" - How To Monitor Web Traffic


Did you know that it IS possible to monitor web traffic using the SEP firewall? In this article, I will show you how to monitor web traffic using the SEP firewall.

Before we get started there are a couple of things you should be aware of:

  1. While the SEP firewall can handle this task, Symantec Web Gateway is a better fit if you need to do this permanently.
  2. Monitoring web traffic this way will not work correctly if your web traffic goes through a proxy server: the client's connections then go to the proxy's address and port rather than to port 80/443 on the destination site, so SEP cannot differentiate proxied browsing from other traffic. Another reason why SWG works better for this task.

With that in mind, let's get started.

Request: Monitor web traffic (port 80 and 443)

Solution: Configure the SEP Firewall to handle this task

The first step is to create a new network service for port 80/443 traffic.

Log in to your SEPM and navigate to Policies >> Policy Components, then highlight Network Services. Under Tasks, click Add a Network Service...

Type in a Service Name (Web Traffic) and click Add...

Leave the Protocol at TCP and enter 80,443 in the Remote Port field. Click OK.

You should see the following:

1_9.JPG

 

Once that is created, we can move on to adding a rule to the SEP firewall to log the traffic.

Go to the Policies page and highlight Firewall. Add a Firewall policy and give it a name (Monitor Web Traffic).

Click Add Rule...

Give the rule a name (Log_Web_Traffic)

Select the radio button for Allow Connections

Select the radio button for Only the applications listed below: and click Add...

Enter iexplore.exe in the File Name field and click OK. You can add more browser names if you wish.

2_9.JPG

Click Next

Leave the radio button checked for Any computer or site. Click Next

Now, we need to select our newly created network service. Check the radio button for Only the communications selected below:

Put a check in the Web Traffic box and click Next:

3_9.JPG

 

Select the radio button for Yes to create a log entry when the rule is matched. Click Finish and make sure the new rule is at the top of the stack. Assign the new policy to the groups you want to monitor traffic on and ensure the clients receive the new policy.

Once clients start browsing, you can verify the rule is working by checking the logs on the SEPM: Monitors >> Logs, set Log type to Network Threat Protection and Log content to Traffic. Edit any advanced settings that you want and click View Log.

You will get a log similar to the below screenshot:

4_5.JPG

 

You will likely need to highlight one of the lines and select Details to get more granular. Here we get a better view:

5_5.JPG

 

So there you have it. Monitoring web traffic using the SEP firewall. It's really just a quick and dirty way to do it if you need something temporarily. Hopefully this has been helpful for you.

 

 

 

 

 

Installing SCCM agent via SEP / SNAC


Most organizations use SCCM to deploy third-party software, OS patches and so on to endpoints. It is a very tedious process for the SCCM admin to verify that all endpoints are 100% compliant.

I would like to present a solution that checks whether the SCCM agent is installed and whether its services are running, enabled or disabled. Depending on the result, it can start the services or download the installation files and install the SCCM agent locally on the endpoint.

So here is how SNAC can help you tackle this problem.

The best part is this requires no Hardware enforcers or DHCP software plug-in to be configured.

Pre-requisites:

1.           Make sure your SEPM 11 / 12 is SNAC-ready: on the Policies tab you should see the Host Integrity Policy option. If not, add the SNAC.xml license file to the License folder on the SEPM.

Note: Restart the SEPM services after adding the SNAC license.

2.           Ensure SEP is functioning properly on endpoints.

3.           Create an HI policy and assign it to groups

4.           Copy the required SCCM agent installation files to a shared network folder or an internal HTTP / FTP site.

Let's see how to create an HI policy that checks whether the SCCM agent is installed, disabled, stopped or uninstalled.

1.      Login to SEPM

2.      Click on Policies and select Host Integrity

sepm.png

3.     On the right pane, right-click and select “Add”

sepm_0.png

4.      Enter a description for the policy

SEPM1.jpg

5.      Click on “Requirements”

sepm-2.png

6.      Click on “Add”, select “Custom requirement” and click “OK”

sepm-3.png

7.      Click on “Add” and select “IF... THEN”

sepm-4.png

8.      Check whether the services “ccmexec” and “bits” are running on the endpoint:

o   On the right pane, in Select a condition, scroll and select “Utility: Service is running”

o   Under “Check if the following service is running”, enter the service name “CcmExec”

SEPM2.jpg

9.      On the left pane, add a check for another service:

o   Right-click on “Utility: Service is running”

o   Click on “Add”

o   Click on “AND”

SEPM3.jpg

10.   On the right pane:

o   In Select a condition, scroll and select “Utility: Service is running”

o   Under “Check if the following service is running”, enter the service name “BITS”

SEPM4.jpg

11.   On the left pane, click on “THEN” and enter the comment “SMS agent is running”

SEPM5.jpg

12.   On the left pane, click on the “THEN” comment “SMS agent is running”, click “ADD” and select “Return”

SEPM6.jpg

13.   On the right pane, select “Pass”

SEPM7.jpg

Note:   If both the services are running on the endpoint the HI policy will “Pass”.

If both the services / either service is not running the HI policy will “Fail”.

If the services are disabled, we can start the service via HI policy.

If SMS agent is not installed, we can download the files and execute locally via the HI policy.

 

Restart of SCCM services – Disabled / stopped

14.   On the left Pane, click on “THEN” click on “Add”  and select “Else”

SEPM8.jpg

15.   Enter the comment “Start SCCM service”

SEPM9.jpg

16.   Click on “Else --->Comment ---->Start SMS service” click on “Add” click “Function” and select“Utility: Run a program”

SEPM10.jpg

17.   On the Right Pane, under specify the command type “net start bits”

SEPM11.jpg

18.   Click on “Add” click “Function” and select“Utility: Run a program”

o   On the Right Pane, under specify the command type “net start ccmexec”

SEPM12.jpg

Installation of SCCM Agent

19.   Check for services “ccmexec” and “bits” running on endpoint.

o   On the left pane click on “Utility: Run a program” click on “Add” click on “IF…..THEN”

SEPM13.jpg

20.   On the right pane

o   In Select a condition --à Scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” --à Enter the Service name  “ccmexec”

SEPM14.jpg

21.   Add an check for another service

o   In Select a condition --à Scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” --à Enter the Service name  “bits”

SEPM15.jpg

22.   Click on “THEN” and insert a comment “SMS agent is running”

SEPM16.jpg

23.   On the Left pane, Click on “THEN” comment“SMS agent is running” --à click“ADD” --àclick  “Return” and select“Pass” on the right pane

SEPM17.jpg

Note: If the services are not running / the agent is not deployed. Initiate installation files to be downloaded from an ftp / network shared folder and be executed locally.

24.   On the left Pane, click on “THEN” click on “Add”  and select “Else”

SEPM18.jpg

25.   On the Left Pane ---àclick on “ELSE” --àclick on “Add” --à click on “Function” and select “File: Download a File”

o   Under “Download the file” provide path to download the files and provide a “Target folder” locally to copy the files

Note: copy all the SCCM agent installation files ( MHosts.vbs, ccmclean.exe, ccmdelcert.exe, cmsetup.exe, delete.cmd, excluded.txt, local.vbs, lmhosts, sleep.exe, Trace32.exe, UI_local.cmd) to  %systemroot%\system32 folder

Execute the script: Cscript local.vbs

As per the screenshot above, customer created a bat file. It contained a script to copy the installation files and execute (Cscript local.vbs) locally

Click on “Add” --àclick on “Function” and select “Utility: Run a Program”

o   Under“Specify the command” enter the command “c:\temp\sccmagent.bat”

SEPM19.jpg

26.   On the Left pane, Click on “Utility: Run a program ” click“Add” click “Return”

o   Select “Pass”

SEPM20.jpg
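The decision tree the policy above encodes (services running, then start them, then download and install), written out as an added PowerShell example that is not part of this article and not Symantec's code. The service names and the c:\temp\sccmagent.bat path are taken from the steps; the package URL, the expected SHA-256 and the zip layout are placeholder assumptions.

```powershell
# Added example, not from the article: the same decision tree the HI policy
# builds (services running -> Pass; stopped/disabled -> start them; missing ->
# download the package and run the installer), as a script that can be tested
# on one machine before the equivalent actions are rolled out in the policy.
# Service names (CcmExec, BITS) and C:\temp\sccmagent.bat come from the article.
# $PackageUrl, $ExpectedSha256 and the zip layout are placeholders (assumptions).
# Requires Windows PowerShell 5.1 or later (Expand-Archive, Get-FileHash, StartType).
param(
    [string[]]$ServiceNames   = @('CcmExec', 'BITS'),
    [string]  $PackageUrl     = 'https://files.example.invalid/sccm/sccmagent.zip', # placeholder
    [string]  $TargetFolder   = 'C:\temp',
    [string]  $InstallScript  = 'C:\temp\sccmagent.bat',
    [string]  $ExpectedSha256 = ''   # placeholder; fill in from a trusted source
)

function Get-ServiceState {
    # Returns 'Running', 'Stopped', 'Disabled' or 'Missing' for one service.
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Missing' }
    if ($svc.Status -eq 'Running') { return 'Running' }
    if ($svc.StartType -eq 'Disabled') { return 'Disabled' }
    return 'Stopped'
}

function Test-AgentRunning {
    # The IF part of the policy: both services must be running.
    param([string[]]$Names)
    foreach ($n in $Names) {
        if ((Get-ServiceState $n) -ne 'Running') { return $false }
    }
    return $true
}

function Start-AgentServices {
    # The first ELSE branch ("net start bits" / "net start ccmexec").
    # A disabled service cannot be started until its start type is changed,
    # which is the case a bare "net start" does not handle.
    param([string[]]$Names)
    foreach ($n in $Names) {
        switch (Get-ServiceState $n) {
            'Disabled' {
                Set-Service -Name $n -StartupType Automatic
                Start-Service -Name $n -ErrorAction SilentlyContinue
            }
            'Stopped'  { Start-Service -Name $n -ErrorAction SilentlyContinue }
            default    { }   # Running: nothing to do; Missing: needs the install branch
        }
    }
}

function Install-Agent {
    # The second ELSE branch ("File: Download a File" + "Utility: Run a program").
    # The HI policy runs whatever it downloaded; checking a hash first keeps a
    # tampered share or HTTP host from turning the remediation into code execution.
    param([string]$Url, [string]$Folder, [string]$Script, [string]$Sha256)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $zip = Join-Path $Folder 'sccmagent.zip'
    Invoke-WebRequest -Uri $Url -OutFile $zip -UseBasicParsing
    if ($Sha256) {
        $actual = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
        if ($actual -ne $Sha256.ToUpperInvariant()) {
            Remove-Item -LiteralPath $zip -Force
            throw "Downloaded package hash $actual does not match expected $Sha256"
        }
    }
    Expand-Archive -LiteralPath $zip -DestinationPath $Folder -Force
    # Same call the policy makes: run the customer's batch file, which copies
    # the files and executes "Cscript local.vbs".
    $p = Start-Process -FilePath $Script -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# --- main flow, mirroring the policy's Pass / start / install order ---
if (Test-AgentRunning $ServiceNames) {
    Write-Output 'PASS: SMS agent is running'
    exit 0
}
Start-AgentServices $ServiceNames
if (Test-AgentRunning $ServiceNames) {
    Write-Output 'PASS: SCCM services started'
    exit 0
}
$rc = Install-Agent -Url $PackageUrl -Folder $TargetFolder -Script $InstallScript -Sha256 $ExpectedSha256
Start-Sleep -Seconds 30   # give the freshly installed services time to come up
if (Test-AgentRunning $ServiceNames) {
    Write-Output "PASS: SCCM agent installed (installer exit code $rc)"
    exit 0
}
Write-Output "FAIL: SCCM agent still not running (installer exit code $rc)"
exit 1
```

Unlike step 26, which returns Pass unconditionally after the install, the script re-checks the two services so the exit code reflects the endpoint's real state.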


How to avoid or minimize data loss when using Symantec Encryption solution?


Disclaimer: this may not be an exhaustive description of the solution and is intended to be used as a guideline. All information is available in the product documentation, including the Administrator's Guide.
 

There are usually three important aspects for the recovery of encrypted data:

 

Data and Key backups
This point is simply the basis of IT best practices - backups are your friends, but only if tested!!!

Additional note: much of the time, data backups can be kept in safe locations in the clear, i.e. not encrypted.
 

Among others, you should keep up-to-date and good backups of:

  • Symantec Encryption Management Server backups (stored outside of the server)
  • Virtual Disk images you may have
  • Organization Key (full keypair) and its corresponding passphrase - this is probably the most critical key in the encryption environment (it is used to sign all user keys the Symantec Encryption Management Server creates, and to encrypt server backups!)
  • Symantec Encryption Desktop keyrings (including private ones), especially if using standalone installations and/or Client Key Mode (CKM) and Server-Client Key Mode (SCKM)
  • Ignition Keys (you don't really back these up, but you need the credentials, so keep them safe) - most environments don't really require this one. It is only needed when there is a risk of an unauthorized person gaining physical control of the server hardware. If used, the server will be kept locked until unlocked using the proper method.

There are two types of Ignition Keys:

  • Hardware Token: You need to have the PKCS#11 token and its respective PIN
  • Soft-Ignition Passphrase: You need to know the passphrase you have specified.

 

Key recovery (and ADK)
How to recover a lost key or decrypt data with an alternative key? Key Reconstruction - Enabling key reconstruction ensures that users can reconstruct their PGP keys.

Key reconstruction is useful if the user loses their key material, or forgets their key passphrase. Key reconstruction is not suitable for enterprise data recovery, since only the user knows the answers to the reconstruction questions.

Additional Decryption Key (ADK) - The ADK is only available in Symantec Encryption Management Server environments. An ADK can be used to decrypt encrypted data and messages if an end user is unable or unwilling to do so. For different purposes two types of ADK can be defined in a managed environment:

  • Policy ADK - this can be defined per consumer policy
  • Organization ADK - this will be applied to every user in the environment

For standalone installations you can use the Master Key in a similar way to an ADK; however, this implies trusting the users (that they won't remove that key), and its value would only be for recovery of encrypted data when the user key is lost.

 

Disk recovery
Which are the recovery options configurable for Disk Encryption in Symantec Encryption Management Server?

There are some ways to ensure access to encrypted disks. Note that if none of the options below was enabled *before* losing access to the disk, it will not be possible to access the content, because the disk's records cannot be modified after losing access to it.

The options can be configured in the consumer policy:
Consumers > Consumer Policy > select the policy > in the section Symantec Encryption Desktop click the Desktop (button) > Drive Encryption (tab).

Under Symantec Drive Encryption there are some options which should be enabled and must be defined according to company policy/local regulations.

  • Enable Whole Disk Recovery Tokens - this will send a one-time token to the management server and can be used to regain access to the encrypted disk. Once used a new token will be automatically sent to the server.
  • Encrypt Windows Drive Encryption disks and PGP Virtual Disks to a Disk Administrator Key. Attention!: Use the Symantec Drive Encryption administrator key to log in to a user's system at the Symantec Drive Encryption BootGuard screen using two-factor authentication (with a smart card or token). Before deployment check for token support.
  • Encrypt Drive Encryption disks to a Disk Administrator Passphrase - this adds a permanent passphrase to the disk which can be used by administrators. This passphrase should be kept private.
  • Use the WDE-ADMIN Active Directory group membership - Any member of the WDE-ADMIN Active Directory group can remotely access a system to add or remove users from Symantec Drive Encryption, encrypt or decrypt a drive, and so on, using the Symantec Drive Encryption command-line tool. These administrative functions can be performed without having to request the user's passphrase.
  • Local Self Recovery Security Questions - also useful for standalone installations. Note: The Security Questions for Local Self Recovery cannot be created until the disk is fully encrypted.

 

Some companies/regulations have strict policies for the usage of these bypass mechanisms, and they should be documented in an internal "paper" policy.
For the ADK it is also possible to use key splitting, which requires the presence of multiple stakeholders to unlock access to encrypted data.

 

Last but not least, deploying system images with Symantec Encryption Desktop pre-installed is not supported. This may mean that some or all of the options above are not available, potentially leading to data loss because no recovery option exists.

 

Each environment has its own specifics, thus testing is also part of IT best practices and, whenever possible, should be done on test machines.

Latest Symantec Endpoint Protection Release - SEP 11 RU7 MP4 (11.0.7400.1398)


Hello All,

Symantec Endpoint Protection 11 RU7 MP4 (11.0.7400.1398) is Released.

This build's version is: 11.0.7400.1398

SEP all version release details are available here: http://bit.ly/m0vOJp

Note: If you do not see the SEP 11 RU7 MP4 release on FileConnect yet, you should see it in your FileConnect account in the coming few days.

You may find the Latest Release of Symantec Endpoint Protection 11 RU7 MP4 at: https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

Select and start the download process using the Java downloader.

If you wish to download using HTTPS, click on the + sign and you will see the HTTPS download option.

This release contains all of the features that were delivered in versions 11.0.7 (11 RU7) through 11.0.7.3 (11 RU7 MP3).

This release includes the following new features:

1) Support for Java Runtime Environment (JRE) 7, update 25 (7u25) - For improved security and stability, the Symantec Endpoint Protection Manager console runs on JRE 7u25.

2) Support for PHP 5.4.16 -  Symantec Endpoint Protection Manager includes PHP 5.4.16.

3) Support for Apache Tomcat 7.0.42 - Symantec Endpoint Protection Manager includes Apache Tomcat 7.0.42

4) Additional component updates - This release provides updates to the following Symantec Endpoint Protection components, which improve stability and security.
■ cURL 7.31.0
■ LibPNG 1.5.15
■ LibXML 2.9.1

Supported upgrade paths to Symantec Endpoint Protection 11.0.7.4 (11 RU7 MP4)

Symantec Endpoint Protection 11 RU7 MP4 supports an upgrade from the following earlier versions:

■ 11.0.7000.793 - Release Update 7 (RU7)
■ 11.0.7101.1056 - Release Update 7 Maintenance Patch 1 (RU7 MP1)
■ 11.0.7200.1147 - Release Update 7 Maintenance Patch 2 (RU7 MP2)
■ 11.0.7300.1294 - Release Update 7 Maintenance Patch 3 (RU7 MP3)

If your Symantec Endpoint Protection version is earlier than 11 RU7, you must first install SEP 11 RU7.

Supported upgrade paths from Symantec Endpoint Protection 11.0.7.4 to Symantec Endpoint Protection 12.1.x

When you plan your upgrade from Symantec Endpoint Protection 11.0.7.4 to Symantec Endpoint Protection 12.1.x, the minimum version to which you can upgrade is Symantec Endpoint Protection 12.1.4. This requirement is due to the updated Java Runtime Environment and PHP components in Symantec Endpoint Protection Manager. Earlier versions of Symantec Endpoint Protection 12.1.x are incompatible with these updated components.

Articles:

Symantec™ Endpoint Protection and Symantec Network Access Control 11.0.7.4 (11 RU7 MP4) Release Notes

http://www.symantec.com/docs/DOC7074

New fixes for Symantec Endpoint Protection 11 and Symantec Network Access Control 11

http://www.symantec.com/docs/TECH103087

 

Security 1:1 - Part 1 - Viruses and Worms


Welcome to the Security 1:1 series of articles

In Part 1 we start right off with Viruses and Worms - get to know the definitions and what differentiates them. Nowadays both terms are quite often used interchangeably, but there are still differences between them. We look further at the classifications and the characteristics of each type. We will also take a brief historical look at the best known and most devastating viruses and worms of the past.

I will also provide references to Symantec write-ups about those threats, where both in-depth characteristics and removal processes can be checked. Throughout the series I also invite you to watch the YouTube videos from the Norton and Symantec channels introducing various types of threats and attacks - they are presented in a really informative (and sometimes funny) way and are very easy to understand.

 

The Security 1:1 series consists so far of the following articles:

 

1. Viruses

Virus - a malicious program able to inject its code into other programs/applications or data files. After successful code replication the targeted areas become "infected". By definition, virus installation is done without the user's consent, and the virus spreads in the form of executable code transferred from one host to another. The purpose of viruses is very often harmful - data deletion or corruption on the targeted host, leading in the worst case to system inoperability.

Viruses can spread pretty fast over networks, shares or removable media. On many occasions virus spread scenarios are connected with social engineering attacks, where end users are tricked into executing malicious links or downloading malicious files; in other cases malicious email attachments are opened by end users, which ends in infection. As already mentioned, viruses also have the ability to inject their code into other legitimate executable files - when these are later run by end users, the virus code contained in the infected program is executed at the same time. Viruses can take advantage of known OS security vulnerabilities that allow them to access the target host machines.


Video - Symantec Guide to Scary Internet Stuff: Pests on Your PC - Viruses, Trojans & Worms

 

Depending on the virus "residence" we can classify viruses in the following way:

  • Resident Virus - a virus that embeds itself in the memory of a target host. In this way it becomes activated every time the OS starts or executes a specific action.
  • Non-resident Virus - when executed, this type of virus actively seeks targets for infection - either in local, removable or network locations. After infecting them it exits - this way it does not reside in memory any more.
  • Boot sector Virus - a virus that specifically targets the boot sector (MBR) of the host's hard drive. This type of virus is loaded into memory every time an attempt is made to boot from the infected drive - this kind of virus loads well before the OS loads. Boot sector viruses were quite common in the 90s, when the infection was spread mostly through infected floppy disks left in bootable drives.
  • Macro Virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc. documents. This type of virus is executed as soon as the document it is contained within is opened - this corresponds to the macro execution within those documents, which under normal circumstances is automatic.

A well-known example of a macro virus is the Melissa (http://virus.wikia.com/wiki/Melissa) virus [1999], very widespread at that time. The damage caused by it worldwide was estimated at over 1.1 billion dollars. The creator of the virus, David L. Smith, was sentenced in 2002 to 20 months in federal prison - the maximum sentence could have been much higher, but David agreed to cooperate with federal authorities on finding other virus and malware creators.

Reference:
http://www.symantec.com/security_response/writeup.jsp?docid=2000-122113-1425-99
W97M.Melissa.A (also known as W97M.Mailissa) is a macro virus that has a payload to email itself using MS Outlook. The subject of the e-mail is "Important Message From USERNAME". Melissa is a typical macro virus with an unusual payload. When a user opens an infected document, the virus will attempt to e-mail a copy of this document to up to 50 other people, using Microsoft Outlook.

 

Another classification of viruses can result from their characteristics:

  • File-infecting Virus (File-Infector) - the classic form of virus. When the infected file is executed, the virus seeks out other files on the host and infects them with malicious code. The malicious code is inserted either at the beginning of the host file code (prepending virus), in the middle (mid-infector), or at the end (appending virus). A specific type of virus called a "cavity virus" can even inject the code into gaps in the file structure itself. The entry point of the file is changed to the start of the virus code to ensure that it is run when the file is executed - afterwards control may or may not be passed on to the original program in turn. Depending on the infection routine the host file may otherwise become corrupted and completely non-functional. More sophisticated viral forms, though, allow the host program to execute while trying to hide their presence completely (see polymorphic and metamorphic viruses).
  • Polymorphic Virus - this kind of virus can change its own signature every time it replicates and infects a new file, in order to stay undetected by antivirus programs. Every new variation of the virus is achieved by using a different encryption method each time in the virus file copies. This type of virus is especially difficult for detection programs to catch due to the number of variations - sometimes going into hundreds or even thousands.
  • Metamorphic Virus - the virus is capable of changing its own code with each infection. The rewriting process may cause the infection to appear different each time, but the functionality of the code remains the same. The metamorphic nature of this kind of virus makes it possible to infect executables from two or more different operating systems or even different computer architectures. Metamorphic viruses are among the most complex in build and very difficult to detect.
  • Stealth Virus - a memory-resident virus that utilises various mechanisms to avoid detection. This avoidance can be achieved, for example, by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to provide it to the antivirus engine for scanning, while the infected version still remains undetected. Furthermore, stealth viruses actively work to conceal any traces of their activities and changes made to files.
The first known full-stealth virus was "Brain" (http://virus.wikia.com/wiki/Brain) - a type of boot infector. The virus monitors physical disk I/O and redirects any attempt to read a Brain-infected boot sector to where the original disk sector is stored.
  • Armored Virus - a very complex type of virus designed to make its examination much more difficult than for traditional viruses. By using various methods, armored viruses can also protect themselves from antivirus software by fooling it into believing that the virus is located somewhere other than its real location - which of course makes the detection and removal process more difficult.
  • Multipartite Virus - a virus that attempts to attack both the executable files and the master boot record of the drive at the same time. This type may be tricky to remove, as even when the executable file part is clean it can re-infect the system all over again from the boot sector if that was not cleaned as well.
  • Camouflage Virus - a virus type that is able to report itself as a harmless program to the antivirus software. In cases where the virus has code similar to that of legitimate non-infected files, the antivirus application is tricked into believing it is dealing with the legitimate program - this would only work, though, against basic signature-based antivirus software. As antivirus solutions have become more elaborate, camouflage viruses are nowadays quite rare and not a serious threat due to the ease of their detection.
  • Companion Virus - unlike traditional viruses, the companion virus does not modify any files but instead abuses the feature of DOS that allows executables with different extensions (here .exe and .com) to be run with different priorities. This way, when a user tries to execute the legitimate "program" without specifying the extension and expects program.exe to be run, the virus is run instead - as the program.com executable (as this one is first in the alphabetical order). The companion virus is an older type and has become increasingly rare since the introduction of Windows XP. Nowadays this kind of virus can still be run unintentionally if the host machine does not have the "show file extensions" option activated and the user accidentally clicks the companion virus file.
  • Cavity Virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program file itself (which exist there for a variety of reasons). This way the length of the program code is not changed and the virus can more easily avoid detection. In most cases the injection of the virus does not impact the functionality of the host file at all. Cavity viruses are quite rare though.
One good example of a cavity virus is "Lehigh" (http://virus.wikia.com/wiki/Lehigh) - an early DOS cavity infector that specifically targeted command.com files, using unused portions of the file's code.
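A defender's triage check for the companion-virus pattern described above, as an added PowerShell example that is not part of this article. It assumes only the standard Get-ChildItem and Get-FileHash cmdlets and the cmd.exe rule (default PATHEXT) that a name.com is resolved before name.exe; it reports candidate pairs and changes nothing.

```powershell
# Added example, not from the article: list "companion" pairs, i.e. a name.com
# sitting next to name.exe, which is the collision a companion infector relies on.
# Legitimate pairs exist, so the output is for review, not automatic removal.
function Find-CompanionPairs {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($root in $Path) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $com = Join-Path $_.DirectoryName ($_.BaseName + '.com')
                if (Test-Path -LiteralPath $com -PathType Leaf) {
                    $c = Get-Item -LiteralPath $com -Force   # -Force: see hidden files too
                    [pscustomobject]@{
                        Directory       = $_.DirectoryName
                        Exe             = $_.Name
                        Com             = $c.Name
                        ComBytes        = $c.Length
                        # A hidden .com, or one written after its .exe twin,
                        # is the more suspicious shape of the pair.
                        ComHidden       = [bool]($c.Attributes -band [IO.FileAttributes]::Hidden)
                        ComNewerThanExe = $c.LastWriteTime -gt $_.LastWriteTime
                        ComSha256       = (Get-FileHash -LiteralPath $com -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

# Directories on PATH are where an extension-less command name would be
# resolved, so they are the places to check first.
$pathDirs = $env:Path -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

Find-CompanionPairs -Path $pathDirs |
    Sort-Object ComNewerThanExe, ComHidden -Descending |
    Format-Table Directory, Exe, Com, ComBytes, ComHidden, ComNewerThanExe -AutoSize
```

Pass additional roots (for example user profile or removable-drive paths) to -Path to widen the sweep; the SHA-256 column is there to look each candidate up before deciding anything.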

 

2. Worms

Worm - this category of malicious program exploits operating system vulnerabilities to spread itself. In its design a worm is quite similar to a virus - it is even considered a sub-class of viruses. Unlike viruses, though, worms can reproduce/duplicate and spread by themselves - during this process the worm does not need to attach itself to any existing program or executable. In other words it does not require any interaction for the reproduction process - this capability makes worms especially dangerous, as they can spread and travel across networks, having a devastating effect on host machines and servers as well as consuming network bandwidth. More invasive worms aim to tunnel into the host system and from within allow code execution or remote control by the attacker. Some worms can also include a viral component that infects executable files.

 

The most common categorization of worms relies on the method by which they spread:

  • email worms: spread through email messages - especially those with attachments.
  • internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities.
  • network worms: spread over open, unprotected network shares.
  • multivector worms: have two or more different spreading capabilities.

 

Some of the best known and most destructive worms (by date):

  • ILOVEYOU [2000]

Worm created by a computer college student in the Philippines. The worm arrived in email inboxes with the simple subject “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. The final ‘vbs’ extension was hidden, leading unsuspecting users to think it was a text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book, with the user’s sender address. It also made a number of malicious changes to the user’s system. Symantec Security Response has identified 82 variants of this worm.

More than 45 million computers around the globe are believed to have been infected by various strains of the worm. The Ford Motor Company shut off its email system after being hit by the worm. Others affected were Silicon Graphics, the Department of Defense (including the Pentagon), Daimler-Chrysler and the Motion Picture Association of America. Estimates of the worm's damage: over $10 billion.

Reference:
[VBS.LoveLetter.Var]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-121815-2258-99

 

  • CodeRed II [2001]

Worm that targeted servers running the Microsoft IIS (Internet Information Server) web server. The worm propagates by installing itself onto a random web server using a known buffer overflow exploit in the file Idq.dll. It contains the text string "Hacked by Chinese!", which is displayed on web pages served by the servers the worm infected. The original CodeRed had a payload that caused a Denial of Service (DoS) attack on the White House web server. CodeRed II has a different payload that allows its creator full remote access to the web server.

The reported cost of the worm's activities: $2 billion.

Reference:
[CodeRed II]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-080421-3353-99

 

  • Sobig [2003]

One of the most destructive worms ever. The worm sends itself to all the addresses it finds in .txt, .eml, .html, .htm, .dbx and .wab files. It was able to send over a million copies of itself within just a few hours of the outbreak. Sobig was the first of the spam botnet worms. While some worms, like Tanatos, dropped trojans on the computers they infected, Sobig was the first to turn computers into spam relays. The worm stalled or completely crashed Internet gateways and email servers worldwide.

Total estimated damage cost of the worm: $37 billion.

Reference:
[W32.Sobig.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-010913-1627-99

 

  • Blaster [2003]

The Blaster worm propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205), affecting both Windows 2000 and Windows XP machines. Once a computer was infected, it displayed a message box indicating that the system would shut down in a couple of minutes. It also has a date-triggered payload that launches a DDoS attack against windowsupdate.com.

The Blaster worm shut down CSX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, and shut down Air Canada's check-in system. Overall estimated damage caused by the worm: $320 million.

Reference:
[W32.Blaster.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99&tabid=2

 

  • Sasser [2004]

The Sasser worm attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. The worm was written by a German computer science student. It spreads by scanning randomly selected IP addresses for vulnerable systems. When a vulnerable system is found, the worm sends shellcode to the target computer that attempts to exploit the LSASS buffer overflow vulnerability. Sasser exploited the same vulnerabilities used by Blaster - here too Windows 2000 and XP were affected. Sasser also displayed a notice indicating that the system was shutting down.

Security experts estimate that infected computers numbered in the millions. British Airways suffered delays when the worm hit Terminal Four at London's Heathrow Airport. Other affected organisations were Sampo Bank in Finland, Deutsche Post, Delta Airlines, the British Coastguard, the French Stock Exchange and the France Presse news agency. Damage costs caused by the worm were estimated at $500 million.

Reference:
[W32.Sasser.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99

 

  • Mydoom [2004]

One of the most damaging email worms ever released. The worm also spread through the Kazaa file-sharing system. It arrived as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr or .zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

The impact of the worm was felt worldwide, as it was able to slow down internet traffic. Estimated reported cost of the worm: $38 billion.

Reference:
[W32.Mydoom.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99

 

  • Downadup (Conficker) [2008]

Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability MS08-067 (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its traffic. It also takes advantage of Universal Plug and Play to pass through routers and gateways. It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.

It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author. The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and disable Windows Security Alert notifications.

It has an extremely large infection base – estimated to be between 10 and 15 million computers. This is largely attributed to the fact that it is capable of exploiting computers running unpatched Windows XP SP2 and Windows 2003 SP1 systems. It is worth noting that the vulnerability that allowed Conficker to spread had been patched for a little over a month before the worm appeared. Still, millions of computers were not updated. Estimated damage cost of the worm: $9 billion.

Reference:
[W32.Downadup]
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
Simple steps to protect yourself from the Conficker Worm
http://www.symantec.com/business/support/index?page=content&id=TECH93179

 

  • Stuxnet [2010]

The Stuxnet computer worm is perhaps the most complicated piece of malicious software ever built.
The worm targets industrial control systems in order to take control of industrial facilities, such as power plants. The ultimate goal of Stuxnet is to sabotage such a facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. While the attacker’s exact motives for doing so are unclear, it has been speculated that it could be for any number of reasons, with the most probable intent being industrial espionage. Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.

Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm. Due to a design flaw in Windows, applications that can display icons can also inadvertently run code, and in Stuxnet’s case, code in the .lnk file points to a copy of the worm on the same removable drive. Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was notably used incredibly successfully by W32.Downadup (a.k.a Conficker), as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073). The worm also attempts to spread by copying itself to network shares protected by weak passwords.

Reference:
[W32.Stuxnet]
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
The Hackers Behind Stuxnet
https://www-secure.symantec.com/connect/blogs/hackers-behind-stuxnet
W32.Stuxnet Dossier
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Stuxnet 0.5: The Missing Link
https://www-secure.symantec.com/connect/blogs/stuxnet-05-missing-link
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf

 

Video - Stuxnet: How It Infects PLCs

 

Video - Stuxnet 0.5: The Missing Link

 

Wikipedia references:
http://en.wikipedia.org/wiki/Computer_virus
http://en.wikipedia.org/wiki/Macro_virus
http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
http://en.wikipedia.org/wiki/Computer_worm
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Conficker

 

Security 1:1 - Part 2 - Trojans and other security threats


Welcome to the Security 1:1 - Part 2

In Part 2 we take a closer look at Trojans: what is a Trojan? How is it different from a virus? What types of Trojans exist, based on their function and attack vectors? The classification of Trojans introduced here is complemented with references to Symantec Security Response write-ups that provide real-world examples of Trojans in the wild, together with their technical details, characteristics and removal steps.

In the second part of this article we dive into some more general threat types, to cover the various terms that are sometimes used interchangeably to describe a specific trojan or threat.

 

The Security 1:1 series consists so far of the following articles:

 

1. Trojans

Computer Trojans, or Trojan Horses, are named after the mythological Trojan Horse of the Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged the horse inside their city walls, Greek soldiers crept out of its hollow belly and opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in much the same way: it is malware that masquerades as a harmless or even useful application, but actually does damage to the host computer once installed.

Trojans do not self-replicate, which is the key difference from a virus, and usually need end-user action to be installed. In most cases the user is tricked into believing that the program being installed is a legitimate one (this is very often tied to social engineering attacks on end users). Another common method is for the Trojan to be spammed out as an email attachment or a link in an email; similarly it may arrive as a file or link in an instant messaging client. Trojans can also be spread by drive-by downloads (see the Symantec video below), or be downloaded and dropped by other trojans or by legitimate programs that have been compromised.

Video: Symantec Guide to Scary Internet Stuff: Drive-By Downloads

The results of trojan activity vary greatly: from low-impact ones that only change the wallpaper or desktop icons; through trojans whose sole purpose is to open a backdoor on the computer and in this way allow other threats to infect the host or give an attacker remote access to the targeted system; up to trojans that themselves cause serious damage to the host by deleting files or destroying the data on the system in various ways (such as formatting a drive or causing a BSOD). Trojans are usually stealthy and do not advertise their presence on the computer.

Reference:
[Trojan Horse]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

 

Trojans can be classified by the function they perform and by the way they breach the system. Keep in mind that many trojans carry several payload functions, so any such classification gives only a general overview, not strict boundaries. Some of the most common Trojan types are:

 

  • Remote Access Trojans (RAT) aka Backdoor.Trojan - this type of trojan opens a backdoor on the targeted system to allow the attacker remote access to the system or even complete control over it. It is the most widespread type of Trojan and often carries various other functions as well. It may be used as an entry point for a DoS attack or for letting worms or other trojans into the system. A computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or a "bot", and a network of such bots as a "botnet" (see Part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by organized malware authors who aim to make money from their efforts. These Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.

Reference:
[Backdoor.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99

 

  • Trojan-DDoS - this trojan is installed on a large number of computers in order to build a network of zombie machines (a botnet) that can then be used as the attacking nodes in a DDoS attack on a particular target.

Reference:
[DDoS.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2012-111917-3846-99

 

  • Trojan-Proxy - this trojan turns the target computer into a proxy server, which lets the attacker perform a multitude of operations anonymously or launch further attacks from it.
  • Trojan-FTP - trojan designed to open FTP ports on the targeted machine to give the remote attacker access to the host. The attacker can then also reach network shares or other connections from that host to spread further threats.
  • Destructive Trojans - designed to destroy or delete data; in purpose they are much like viruses.
  • Security Software Disabler Trojans - designed to stop security programs such as antivirus solutions, firewalls or IPS, either by disabling them or by killing their processes. This functionality is often combined with a destructive trojan that executes data deletion or corruption only after the security software is disabled. Security Software Disablers are entry trojans that enable the next stage of the attack on the targeted system.
  • Infostealer (Data Sending/Stealing Trojan) - this trojan is designed to collect confidential or sensitive information from the compromised host and send it to a predefined location controlled by the attacker. The stolen data comprises login details, passwords, PII, credit card information, etc. Data-sending trojans can be designed to look for specific information only, or can be more generic, like keylogger trojans. Nowadays more than ever before attackers concentrate on compromising end users for financial gain, and the information stolen with Infostealer Trojans is often sold on the black market. Infostealers gather information using several techniques; the most common include logging keystrokes, taking screenshots and webcam images, and monitoring Internet activity, often for specific financial websites. The stolen information may be stored locally so that it can be retrieved later, or sent to a remote location where the attacker can access it; it is often encrypted before being posted to the malware author.

Reference:
[Infostealer]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99

 

  • Keylogger Trojans - a type of data-sending trojan that records every keystroke of the end user. This kind of trojan is specifically used to steal sensitive information from the targeted host and send it back to the attacker. For these Trojans the goal is to collect as much data as possible, without any prior specification of what that data will be.

video_keylogger.png

Video - The Threat Factory - Keystroke Logging From the Victim and Cybercrminal's Perspective

 

  • Trojan-PSW (Password Stealer) - type of data-sending trojan designed specifically to steal passwords from the targeted systems. In its execution routine the trojan will very often first drop a keylogging component onto the infected machine.
  • Trojan-Banker - trojan designed specifically to steal online banking information, giving the attacker further access to the bank account or credit card information.

A good example of a Trojan-Banker is Trojan.Zbot, aka Zeus: designed to steal confidential information from the computers it compromises, it can be created and customized through the Zeus toolkit to gather any sort of information.

Video - Zeus: King of crimeware toolkits

Reference:
[Trojan.Zbot]
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Zeus, King of the Underground Crimeware Toolkits
https://www-secure.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

 

  • Trojan-IM - type of data-sending trojan designed specifically to steal data or account information from instant messaging programs like MSN, Skype, etc.
  • Trojan-GameThief - trojan designed to steal online gaming account information.
  • Trojan-Mailfinder - trojan used to harvest any email addresses found on the infected computer. The list is then forwarded to the remote attacker.
  • Trojan-Dropper - trojan used to install (drop) other malware on targeted systems. The dropper is usually used at the start or in the early stages of a malware attack.

Reference:
[Trojan.Dropper]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99

 

  • Trojan-Downloader - trojan that downloads other malicious programs to the target computer; very often combined with Trojan-Dropper functionality. Most downloaders encountered attempt to fetch content from the Internet rather than from the local network. To achieve its primary function a downloader must run on a computer that is inadequately protected and connected to a network.

Reference:
[Downloader]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

 

  • Trojan-FakeAV - trojans posing as legitimate AV programs. They try to trick the user into believing that the system is infected with a virus and offer a paid solution to remove the threat.

Video: Symantec Security Response - Fake Antivirus Schemes

These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialog boxes and alert messages that prompt the user to buy the product. The alert messages can also include pop-up notifications in the Windows notification area.

This type of trojan is either aimed at extorting money for removing a "non-existent" threat or, in other cases, the installation of the program itself injects other malware into the host machine. FakeAV applications can perform fake scans with variable results, but they always detect at least one malicious object; they may also drop files that are then "detected". FakeAV applications are constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and appear very professional to end users. An example of this is Nortel Antivirus (http://www.symantec.com/security_response/writeup.jsp?docid=2009-090113-2706-99&tabid=2).

To further convince the user to purchase the product, many of these applications also have professionally designed product web pages containing bogus reviews, or even offer live online support. Symantec has published a blog article describing how some misleading application vendors provide live online support; see the referenced links.

Reference:
[Trojan.FakeAV]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99
Fake AV & Talking With The Enemy
https://www-secure.symantec.com/connect/blogs/fake-av-talking-enemy

 

  • Trojan-Spy - trojan with functionality similar to an Infostealer or Trojan-PSW; its purpose is to spy on the actions performed on the target host, which can include tracking data entered via keystrokes, collecting screenshots, listing active processes/services on the host or stealing passwords.
  • Trojan-ArcBomb - a malicious archive that is small when compressed but expands to an enormous amount of data when unpacked, used to slow down or incapacitate mail servers and the scanners that open incoming attachments.
  • Trojan-Clicker or Trojan-ADclicker - trojan that continuously attempts to connect to specific websites in order to boost the visit counters on those sites. More specific functionality can include generating traffic to pay-per-click web advertising campaigns in order to create or boost revenue.

Reference:
[Trojan.Adclicker]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-091214-5754-99&tabid=2

 

  • Trojan-SMS - trojan used to send text messages from infected mobile devices to premium-rate phone numbers.

Examples of Trojan-SMS:
AndroidOS.FakePlayer (http://www.symantec.com/security_response/writeup.jsp?docid=2010-081100-1646-99)
Android.Opfake (http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99).

Reference:
Server-side Polymorphic Android Applications
https://www-secure.symantec.com/connect/blogs/server-side-polymorphic-android-applications

 

  • Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan - a trojan that prevents normal use of the infected machine and demands a payment (ransom) to restore full functionality. Normal use can be prevented by locking the desktop, blocking access to files, restricting access to management tools, disabling input devices or similar means. The program displays a warning or notice (often combined with a lock screen) prompting for payment, and often claims to originate from a government or law enforcement agency to convince the end user of its authenticity.

By checking the IP address of the user's computer, the ransomware can tailor the language of the fake notice to the user's country. Another technique used by ransomware trojans is to display a notice posing as a warning from a legitimate software vendor such as Microsoft, for example about an expiring software license.

Video - Ransomware: A Growing Menace

Reference:
[Trojan.Ransomlock]
http://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99
Additional information about Ransomware threats
http://www.symantec.com/business/support/index?page=content&id=TECH211589
Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools
Ransomware: A Growing Menace
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf

 

  • Cryptolocker Trojan (Trojan.Cryptolocker) - a new variation of ransomware trojan that emerged in 2013. Unlike a Ransomlock trojan (which only locks the computer screen or some part of its functionality), Cryptolocker encrypts individual files and holds them hostage. While Cryptolocker spreads through common trojan techniques such as spam email and social engineering, the threat itself uses more sophisticated techniques, namely public-key cryptography with 2048-bit RSA keys: the private key needed to decrypt the files is held only by the attacker, so removing the trojan does not recover the files, and the only reliable recovery path is restoring them from backups.

Reference:
[Trojan.Cryptolocker]
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Cryptolocker: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace
Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
Cryptolocker Q&A: Menace of the Year
https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

 

 

2. Other security threats

  • Malware - malicious software. This general term is often used to refer to viruses, spyware, adware, worms, trojans, ransomware, etc. Malware is designed to cause damage to a targeted computer or a certain degree of operational disruption. Malware often exploits security vulnerabilities in both operating systems and applications.

 

  • Rootkit - malicious software designed to hide certain processes or programs from detection. A rootkit usually acquires and maintains privileged system access while hiding its presence at the same time. That privileged access can allow the rootkit to provide the attacker with a backdoor into the system; it can also conceal a malicious payload bundled with the rootkit, such as viruses or trojans.

Reference:
Rootkits
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/rootkits.pdf

 

  • Spyware - software that monitors and collects information about a particular user, their computer or their organisation without their knowledge. Very often spyware is bundled with freeware or shareware packages that users download from the Internet at no cost, so it is usually installed unwittingly. Spyware can generally be classified into the following types: system monitors, trojans (keyloggers, banker trojans, infostealers), adware and tracking cookies.

 

  • Tracking Cookies - a specific type of cookie that is distributed, shared and read across two or more unrelated web sites for the purpose of gathering information about you, or potentially to present customized content to you. Tracking cookies are not harmful in the way malware, worms or viruses are, but they can be a privacy concern.

Video - Tracking Cookies

Reference:
[Tracking Cookie]
http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99
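The definition above can be turned into a check over browsing data: a cookie set by a domain other than the site the user is on, and seen while the user is on two or more unrelated sites, is the tracking pattern. The following is an added example, not code from the original article or from Symantec; the log format, host names and cookies are all constructed for the demo, and the registrable-domain helper is a deliberate simplification that a real tool would replace with a Public Suffix List lookup.

```python
"""Tracking-cookie finder over a constructed browsing log.

Added example, not code from the original article or from Symantec. It applies the
definition above literally: a cookie counts as a tracking cookie when the same
(cookie domain, cookie name) pair is set while the user is on two or more unrelated
first-party sites. Every host name and cookie in SAMPLE_LOG is made up for the demo.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed line format: "<page URL> <host that sent the response> <Set-Cookie header value>"
SAMPLE_LOG = [
    "https://news.example-a.com/story/1 news.example-a.com session=abc123; Path=/; HttpOnly",
    "https://news.example-a.com/story/1 ads.tracker-x.net uid=7f3a; Domain=.tracker-x.net; Path=/",
    "https://shop.example-b.org/cart shop.example-b.org cart=42; Path=/",
    "https://shop.example-b.org/cart ads.tracker-x.net uid=7f3a; Domain=.tracker-x.net; Path=/",
    "https://blog.example-c.io/post cdn.example-c.io theme=dark; Domain=.example-c.io; Path=/",
    "https://blog.example-c.io/post metrics.tracker-y.com vid=9; Domain=.tracker-y.com; Path=/",
]


def registrable_domain(host):
    """Site key = last two DNS labels. Simplification: a real tool would consult the
    Public Suffix List so that names like example.co.uk are grouped correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(value):
    """Return (cookie name, Domain attribute or None) from a Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    return name, domain


def find_tracking_cookies(log_lines, min_sites=2):
    """Map (cookie_domain, cookie_name) -> sorted first-party sites, for every cookie
    seen while the user was on at least min_sites unrelated sites."""
    seen = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        page_url, response_host, set_cookie = line.split(" ", 2)
        site = registrable_domain(urlparse(page_url).hostname or "")
        name, domain = parse_set_cookie(set_cookie)
        # a cookie with no Domain attribute belongs to the host that set it
        cookie_domain = registrable_domain(domain or response_host)
        if cookie_domain == site:
            continue                       # first-party cookie, not a cross-site tracker
        seen[(cookie_domain, name)].add(site)
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) >= min_sites}


if __name__ == "__main__":
    for (domain, name), sites in find_tracking_cookies(SAMPLE_LOG).items():
        print(f"{name}@{domain} seen on {len(sites)} sites: {', '.join(sites)}")
```

In the sample the uid cookie from tracker-x.net is flagged because it is set while the user is on both example-a.com and example-b.org; the tracker-y.com cookie is seen on one site only and the example-c.io cookie is first-party, so neither is reported.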

 

  • Riskware - term used to describe potentially dangerous software whose installation may pose a risk to the computer. Riskware is not necessarily spyware or malware; it may also be a legitimate program containing loopholes or vulnerabilities that can be exploited by malicious code.

 

  • Adware - in general terms, adware is software that generates or displays advertisements to the user. The advertisements may be displayed directly in the user interface while the software is being used, or during the installation process. This kind of adware is very common in freeware and shareware and is in itself more annoying than malicious; in that scenario it is merely a means for the software producer to earn some revenue while releasing applications free of charge or at a reduced price. Adware may also be used to analyse the end user's Internet habits and then tailor the advertisements to the user's interests. The term adware is on occasion used interchangeably with malware to describe pop-ups or the display of unwanted advertisements.

 

  • Scareware - class of malware that includes both ransomware (Trojan.Ransom) and FakeAV software. Scareware is also known under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks the user into believing that the computer has been infected and offers a paid solution to clean the "fake" infection. Scareware can also advertise system or software security updates, luring users into fraudulent transactions such as buying fake antivirus software that is either non-functional or malware itself.

Video - Symantec Guide to Scary Internet Stuff: Misleading Applications

Reference:
List of rogue security software
http://en.wikipedia.org/wiki/List_of_rogue_security_software

 

  • Spam - the term describes unsolicited or unwanted electronic messages, especially advertisements. The most widely recognized form is email spam, but spam exists in almost every available communication medium: instant messaging (SPIM), VoIP (SPIT), Internet forums, newsgroups, blogs, online gaming, etc. Spam may be a medium for phishing or social engineering attacks. It is estimated that between 70% and 80% of total email traffic worldwide is spam.

 

  • Creepware - term used to describe activities such as spying on others through their webcams (very often combined with capturing pictures), tracking their online activities, listening to conversations over the computer's microphone, and stealing passwords and other data. The information, data and pictures obtained with creepware may later be used to extort money from or blackmail the victims. Creepware is another term for the RAT (Remote Access Trojan) described earlier.

 

Some of the creepware examples:
W32.Shadesrat - a worm that attempts to spread through instant messaging applications and file-sharing programs. It also opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-022214-1739-99
Backdoor.Krademok -  a Trojan horse that opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-121417-0311-99
Backdoor.Darkmoon - a Trojan horse that opens a back door on the compromised computer and has keylogging capabilities.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99
Backdoor.Jeetrat - a Trojan horse that opens a back door on the compromised computer, steals information, and may download additional threats.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-062815-5700-99
Trojan.Pandorat - a Trojan horse that opens a back door on the compromised computer and may steal confidential information.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-101616-2121-99

 

Video - Creepware: Who Is Watching You?

Reference:
Creepware - Who’s Watching You?
https://www-secure.symantec.com/connect/blogs/creepware-who-s-watching-you

 

  • Blended threat - an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase both the severity of the damage caused and the speed of spreading. A blended threat usually attempts to exploit multiple vulnerabilities at the same time.

 

 

Wikipedia references:
http://en.wikipedia.org/wiki/Trojan_horse_(computing)
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Spyware
http://en.wikipedia.org/wiki/Riskware
http://en.wikipedia.org/wiki/Adware
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Scareware
http://en.wikipedia.org/wiki/Spam_(electronic)

 

Security 1:1 - Part 3 - Various types of network attacks


Welcome to the Security 1:1 - Part 3

In Part 3 of the series we discuss various types of network attacks. On this occasion I will also introduce some types of attacks directed more at the end user than at the network or host computers: we will speak here about phishing attempts and social engineering techniques. Of special importance are new emerging threats and attack types, as well as evolving ones. More than ever before we see attacks involving all available media, such as social portals, VoIP or Bluetooth. The article is complemented with Symantec references, both to Security Response resources and to Connect blogs.

 

The Security 1:1 series consists so far of the following articles:

 

What is a network attack?

A network attack is usually defined as an intrusion on your network infrastructure that first analyses your environment and collects information in order to exploit existing open ports or vulnerabilities; this may also include unauthorized access to your resources. Where the purpose of the attack is only to learn and gather information from your systems, without altering or disabling system resources in any way, we are dealing with a passive attack. An active attack occurs when the perpetrator accesses and alters, disables or destroys your resources or data. An attack can be performed either from outside the organization by an unauthorized entity (outside attack) or from within the company by an "insider" who already has some access to the network (inside attack). Very often the network attack itself is combined with the introduction of malware components to the targeted systems (malware has been discussed in Part 2 of this article series).

Some of the attacks described in this article target end users (such as phishing or social engineering); those are usually not referred to as network attacks, but I decided to include them here for completeness and because they are so widespread. Depending on the procedures used during the attack or the type of vulnerabilities exploited, network attacks can be classified as follows (the list is by no means complete; it introduces and describes only the best-known and most widespread attack types that you should be aware of):

 

What types of attack are there?

  • Social Engineering - refers to the psychological manipulation of people (here, employees of the company) into performing actions that potentially lead to a leak of the company's proprietary or confidential information, or otherwise cause damage to company resources, personnel or image. Social engineers use various strategies to trick users into disclosing confidential information. One very common technique is to pretend to be someone else: an IT professional, a member of the management team, a co-worker, an insurance investigator or even a government official. The mere fact that the caller claims one of these roles is meant to convince the victim that this person has a right to know confidential or otherwise protected information. The purpose of social engineering is the same as that of hacking: unauthorized access to confidential information, data theft, industrial espionage or disruption of environments and services.

 

  • Phishing attack - this type of attack uses social engineering techniques to steal confidential information; the most common purpose is to obtain the victim's banking account details and credentials. Phishing attacks tend to rely on spoofed emails sent to users that lead them to malicious websites designed to look like real online banking websites. The emails usually look authentic, as if sent from sources known to the user (very often with the appropriate company logo and localised information), and contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information online. The request is accompanied by a threat that the account will be disabled or suspended if the details are not verified.

Video: Symantec Guide to Scary Internet Stuff - Phishing

Symantec Security Response provides a portal where a suspected Phishing Site can be reported - if you ever encountered the Phishing attack and have details from the spoofed email with link to a specific suspicious website I highly recommend to report this to the provided portal: https://submit.symantec.com/antifraud/phish.cgi

 

  • Social Phishing - in recent years phishing techniques have evolved to include social media such as Facebook or Twitter; this type of phishing is often called social phishing. The purpose remains the same: to obtain confidential information and gain access to personal data. The means of attack are a bit different, though, and include special links or posts on the social media sites whose content attracts the user and convinces them to click. The link then redirects to a malicious website or similar harmful content. Such websites can mirror legitimate Facebook pages so that an unsuspecting user does not notice the difference; the page requires the user to log in with their real credentials, at which point the attacker collects them and gains access to the compromised account and all the data in it. Another scenario involves fake apps: users are encouraged to download and install apps that contain malware used to steal confidential information.

Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link posted by an attacker includes a picture or phrase that entices the user to click on it. On clicking, the user is redirected to a mirror website that asks them to "like" the post before even viewing it; suspecting no harm, the user clicks the "like" button without realising that it has been spoofed and is in reality the "accept" button that grants the fake app access to the user's personal information. At this point the data is collected and the account is compromised. For recommendations on how to protect your Facebook account and avoid falling prey to Facebook phishing, have a look at the Security Response blog referenced below.

Reference:
Phishers Use Malware in Fake Facebook App
https://www-secure.symantec.com/connect/blogs/phishers-use-malware-fake-facebook-app

 

  • Spear Phishing Attack - a type of phishing attack targeted at specific individuals, groups of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary phishing attacks are directed at the general public with the intent of financial fraud. It has been estimated that in the last couple of years targeted spear phishing attacks have become more widespread than ever before.

Video: Protect Against Spear Phishing and Advanced Targeted Attacks with Symantec

 

The recommendations to protect your company against Phishing and Spear Phishing include:

  1. Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them)
  2. Keep your operating system updated
  3. Use a reputable anti-virus program
  4. Enable two factor authentication whenever available
  5. Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark
  6. Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted

Source:
One Phish, Two Phish, Classic Phish, SPEAR Phish?!
https://www-secure.symantec.com/connect/blogs/one-phish-two-phish-classic-phish-spear-phish

 

  • Watering Hole Attack - a more complex type of phishing attack. Instead of the usual approach of sending spoofed emails to end users to trick them into revealing confidential information, attackers use a multi-stage approach to reach the targeted information. In the first step the attacker profiles the potential victim, collecting information about his or her Internet habits, history of visited websites, etc. Next, the attacker uses that knowledge to inspect specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the website with their own malicious code. The compromised website then waits for the targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities) or malware. The analogy is a lion waiting at the watering hole for its prey.

Reference:
Internet Explorer Zero-Day Used in Watering Hole Attack: Q&A
https://www-secure.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa

 

  • Whaling - type of Phishing attack specifically targeted at senior executives or other high profile targets within a company.

 

  • Vishing (Voice Phishing or VoIP Phishing) - use of social engineering techniques over telephone system to gain access to confidential information from users. This Phishing attack is often combined with caller ID spoofing that masks the real source phone number and instead of it displays the number familiar to the Phishing victim or number known to be of a real banking institution. General practices of Vishing includes pre-recorded automated instructions for users requesting them to provide bank account or credit card information for verification over the phone.

 

  • Port scanning - an attack type where the attacker sends several requests to a range of ports on a targeted host in order to find out which ports are active and open, which allows them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to compromise security, as well as by IT professionals to verify network security.

Symantec Endpoint Protection allows a port scan attack to be detected and blocked - the condition for detection is fulfilled when SEP detects more than 4 local ports being accessed by the same remote IP within 200 seconds.

Reference:
What triggers a port scan detection in Symantec Endpoint Protection (SEP)
http://www.symantec.com/business/support/index?page=content&id=TECH165237
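A small check of the SEP threshold described above, added here as an example and not Symantec's own code: it replays constructed firewall-style connection events and alerts on any remote IP that touched more than 4 distinct local ports within a sliding 200-second window.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of inbound connection attempts, modelled on what a host
# firewall would log as (timestamp, remote_ip, local_port). Not real SEP output.
SAMPLE_EVENTS = [
    ("2013-10-01 10:00:00", "203.0.113.5", 22),
    ("2013-10-01 10:00:03", "203.0.113.5", 23),
    ("2013-10-01 10:00:07", "203.0.113.5", 80),
    ("2013-10-01 10:00:09", "203.0.113.5", 443),
    ("2013-10-01 10:00:12", "203.0.113.5", 3389),   # 5th distinct port in 12 s -> scan
    ("2013-10-01 10:01:00", "198.51.100.7", 80),
    ("2013-10-01 10:01:30", "198.51.100.7", 80),    # repeat of the same port: not a new port
    ("2013-10-01 10:01:45", "198.51.100.7", 443),
    ("2013-10-01 10:10:00", "192.0.2.9", 135),
    ("2013-10-01 10:20:00", "192.0.2.9", 139),      # five ports, but spread 600 s apart
    ("2013-10-01 10:30:00", "192.0.2.9", 445),      # so they never share a 200 s window
    ("2013-10-01 10:40:00", "192.0.2.9", 3389),
    ("2013-10-01 10:50:00", "192.0.2.9", 5900),
]

def detect_port_scans(events, port_threshold=4, window_seconds=200):
    """Return {remote_ip: timestamp} giving the first moment each remote IP had
    touched more than `port_threshold` distinct local ports within the last
    `window_seconds` (the defaults are the thresholds SEP documents)."""
    recent = defaultdict(deque)   # remote_ip -> (time, port) events, oldest first
    alerts = {}
    for ts, ip, port in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append((t, port))
        # Slide the window: discard events older than window_seconds.
        while (t - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct_ports = {p for _, p in window}
        if len(distinct_ports) > port_threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts
```

Lowering `port_threshold` shows how quickly the same scan would be caught with a more aggressive setting, at the cost of more false positives from busy legitimate clients.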

 

  • Spoofing - a technique used to masquerade a person, program or address as another by falsifying data, with the purpose of gaining unauthorized access. A few of the common spoofing types:
  1. IP address spoofing - the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf attack).
  2. ARP spoofing (ARP poisoning) - the process of sending faked ARP messages on the network. The purpose is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.
  3. DNS spoofing (DNS cache poisoning) - an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses in response to client queries.
  4. Email spoofing - the process of faking the email's sender ("From") field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during Phishing attacks.
  5. Search engine poisoning - attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people in order to spread malware and viruses. This is done by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the attackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
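The ARP poisoning item above describes an IP address being re-bound to another MAC. The following detector, added here as an example and not part of the original article, replays constructed ARP replies and reports two symptoms of that: an IP whose MAC suddenly changes, and one MAC claiming several IPs.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one segment, as (ip, mac) in arrival
# order. Addresses are made up for this example.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway, learned first
    ("192.168.1.10", "00:11:22:33:44:0a"),  # a workstation
    ("192.168.1.1", "00:11:22:33:44:01"),   # consistent repeat: nothing to report
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claims a different MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),  # the same new MAC also claims the workstation
]

def detect_arp_conflicts(replies):
    """Replay ARP replies against a local IP -> MAC table.

    Returns (conflicts, shared):
      conflicts: list of (ip, old_mac, new_mac) for every reply that re-binds an
                 already-known IP to a different MAC;
      shared:    {mac: set_of_ips} for every MAC that ends up claiming more than
                 one IP, the pattern of one host impersonating several.
    A legitimate NIC replacement also produces a single conflict, so the shared
    map is the stronger signal when both fire together."""
    table = {}
    conflicts = []
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[mac].add(ip)
        known = table.get(ip)
        if known is not None and known != mac:
            conflicts.append((ip, known, mac))
        table[ip] = mac
    shared = {mac: ips for mac, ips in claims.items() if len(ips) > 1}
    return conflicts, shared
```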

 

  • Network sniffing (packet sniffing) - the process of capturing data packets travelling on the network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for example in order to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between hosts.

 

  • Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) - an attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds the server is no longer able to answer even legitimate requests - this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or a web page, inability to access data, a website or other resources. A Distributed Denial of Service Attack (DDoS) occurs when multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.


Video: Symantec Guide to Scary Internet Stuff - Denial of Service Attacks

Reference:
DoS (denial-of-service) attack
http://www.symantec.com/security_response/glossary/define.jsp?letter=d&word=dos-denial-of-service-attack

 

A few of the most common DoS attack types:

♦ ICMP flood attack (Ping Flood) - an attack that sends ICMP ping requests to the victim host without waiting for the answers, in order to overload it with ICMP traffic to the point where the host cannot answer them any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or because of high CPU utilisation caused by processing the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on the router or to disable ICMP traffic at the firewall level.

♦ Ping of Death (PoD) - the attack involves sending a malformed or otherwise corrupted malicious ping to the host machine - for example a ping larger than usual, which can cause a buffer overflow on the system that leads to a system crash.

♦ Smurf Attack - works in the same way as the Ping Flood attack with one major difference: the source IP address of the attacker's host is spoofed with the IP address of another legitimate, non-malicious computer. Such an attack causes disruption both on the attacked host (receiving a large number of ICMP requests) and on the spoofed victim host (receiving a large number of ICMP replies).

Reference:
ICMP Smurf Denial of Service
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20611

♦ SYN flood attack - the attack exploits the way the TCP 3-way handshake works while a TCP connection is being established. In the normal process the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming that the connection can be made. As soon as this is received by the first host, it replies with a TCP ACK packet to the remote host. At this point the TCP socket connection is established. During a SYN flood attack the attacker host, or more commonly several attacker hosts, send SYN packets to the victim host requesting connections; the victim host responds with SYN-ACK packets, but the attacker hosts never respond with ACK packets. As a result the victim host reserves resources for all those connections while still awaiting the remote attacker hosts' responses, which never arrive. This leaves the server with dead half-open connections and in the end prevents legitimate hosts from connecting to the server.

♦ Buffer Overflow Attack - in this type of attack the victim host is provided with traffic/data that is out of range of the processing specifications of the victim host, protocol or application, overflowing the buffer and overwriting adjacent memory. One example is the Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the normal value can cause a buffer overflow.
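The SYN flood item above hinges on the server's backlog of half-open connections. The following code, added here as an example and not part of the original article, replays a constructed trace of inbound TCP segments, reconstructs which handshakes never completed, and reports the backlog pressure the way a server-side monitor would.

```python
from collections import defaultdict

# Constructed trace of inbound TCP segments as seen by a web server, as
# (time_s, src_ip, src_port, flags). 'ACK' is the client's third handshake step.
LEGIT_CLIENTS = [
    (0.0, "192.0.2.50", 40001, "SYN"),
    (0.05, "192.0.2.50", 40001, "ACK"),      # completes the 3-way handshake
    (2.0, "192.0.2.51", 40002, "SYN"),       # slow client, ACK not yet seen at t=5
]
# One attacker host sending ten SYNs from different source ports and never answering.
FLOOD = [(1.0 + i / 10, "203.0.113.77", 1000 + i, "SYN") for i in range(10)]
SAMPLE_TRACE = sorted(LEGIT_CLIENTS + FLOOD)

def half_open_connections(inbound, now, timeout=30.0):
    """Return {(src_ip, src_port): syn_time} for connections that sent a SYN,
    never followed with an ACK, and are still younger than the backlog timeout."""
    pending = {}
    for t, ip, port, flags in inbound:
        if flags == "SYN":
            pending[(ip, port)] = t
        elif flags == "ACK":
            pending.pop((ip, port), None)      # handshake completed, slot released
    return {key: t for key, t in pending.items() if now - t <= timeout}

def syn_flood_report(inbound, now, backlog_size=128, per_source_threshold=5):
    """Summarise backlog pressure at time `now`: half-open count per source IP,
    the fraction of the backlog consumed, and sources over the per-source
    threshold. With spoofed source addresses the per-source count stays low,
    so the backlog fraction is the more robust indicator of a flood."""
    half_open = half_open_connections(inbound, now)
    per_source = defaultdict(int)
    for ip, _ in half_open:
        per_source[ip] += 1
    return {
        "per_source": dict(per_source),
        "backlog_used": len(half_open) / backlog_size,
        "flagged": sorted(ip for ip, n in per_source.items() if n >= per_source_threshold),
    }
```

Once the timeout passes (try `now=40.0`) the stale entries age out and the backlog frees itself, which is exactly why sustained SYN rate, not a one-off burst, is what exhausts a server.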

 

  • Botnet - a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A known example of botnet usage is the distributed denial of service attack, where multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware, and to steal personal and confidential information which is afterwards forwarded to the botmaster.


Video: Symantec Guide to Scary Internet Stuff - Botnets

Beginning October 2013 Symantec disabled 500,000 botnet-infected computers belonging to the almost 1.9 million-strong ZeroAccess botnet. According to Symantec, ZeroAccess is the largest actively controlled botnet in existence today, amounting to approximately 1.9 million infected computers on any given day. It is the largest known botnet that utilizes a peer-to-peer (P2P) mechanism for communication. ZeroAccess is a Trojan horse that uses advanced means to hide itself by creating hidden file systems to store core components, download additional malware, and open a back door on the compromised computer. The primary motivation behind the ZeroAccess botnet is financial fraud through pay-per-click (PPC) advertising and bitcoin mining.

Reference:
[Trojan.Zeroaccess]
http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
Grappling with the ZeroAccess Botnet
https://www-secure.symantec.com/connect/blogs/grappling-zeroaccess-botnet
ZeroAccess Indepth
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeroaccess_indepth.pdf

Press articles:
Symantec disables 500,000 botnet-infected computers
http://www.bbc.co.uk/news/technology-24348395
Symantec seizes part of massive peer-to-peer botnet ZeroAccess
http://www.pcworld.com/article/2050800/symantec-seizes-part-of-massive-peertopeer-botnet-zeroaccess.html
Symantec takes on one of largest botnets in history
http://news.cnet.com/8301-1009_3-57605411-83/symantec-takes-on-one-of-largest-botnets-in-history

 

  • Man-in-the-middle Attack - a form of active monitoring or eavesdropping on the victims' connections and on the communication between victim hosts. This form of attack also includes interaction between both victim parties of the communication and the attacker - this is achieved by the attacker intercepting every part of the communication, changing its content and sending it on as legitimate replies. Both communicating parties are unaware of the attacker's presence and believe the replies they get are legitimate. For this attack to succeed the perpetrator must successfully impersonate at least one of the endpoints - this is possible when there are no protocols in place that provide mutual authentication or encryption during the communication process.

 

  • Session Hijacking Attack - an attack aimed at exploiting a valid computer session in order to gain unauthorized access to information on a computer system. This attack type is often referred to as cookie hijacking, as during it the attacker uses a stolen session cookie to authenticate to the remote server and gain access by impersonating the legitimate user.

 

  • Cross-site scripting Attack (XSS Attack) - the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script into the webpage, which can either point the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.
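The XSS item above turns on one server-side mistake: untrusted input copied into the page as markup. The following snippet, added here as an example and not part of the original article, shows a reflected-input handler in its vulnerable form beside the hardened one, and the cookie attribute that limits what an injected script could read if escaping were ever missed.

```python
import html

# Constructed untrusted input, as it might arrive in a query-string parameter.
UNTRUSTED_NAME = "<script>alert('xss')</script>"

def render_greeting_vulnerable(name):
    """Reflects the raw parameter into the HTML body: the browser parses any
    tags it contains as part of the page, i.e. the XSS bug itself."""
    return f"<p>Hello, {name}!</p>"

def render_greeting_hardened(name):
    """Escapes &, <, >, \" and ' so the parameter is rendered as literal text.
    Note this is the rule for HTML body/attribute context only; input placed
    inside a <script> block or a URL needs that context's own encoding."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def contains_script_tag(rendered):
    """True if the rendered HTML still carries an executable <script> tag."""
    return "<script" in rendered.lower()

def session_cookie_header(session_id):
    """Set the session cookie with HttpOnly, so document.cookie cannot read it
    even if a script is injected; Secure keeps it off clear-text HTTP, which
    also counters the cookie theft via sniffing described elsewhere on this page."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```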

 

  • SQL Injection Attack - the attacker uses existing vulnerabilities in applications to inject code or a string for execution that exceeds the allowed and expected input to the SQL database.
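The SQL injection item above describes input that "exceeds the expected input". The following example, added here and not part of the original article, uses an in-memory SQLite table to show the same lookup written with string concatenation and with a bound parameter, and what each returns when the input carries a quote character.

```python
import sqlite3

def make_demo_db():
    """In-memory table standing in for the application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("alice", "ACC-1001"),
        ("bob", "ACC-2002"),
        ("carol", "ACC-3003"),
    ])
    return conn

def accounts_for_owner_vulnerable(conn, owner):
    """Builds the SQL text by concatenation: a quote character inside `owner`
    terminates the string literal, and whatever follows becomes part of the
    query the database executes."""
    query = "SELECT account_no FROM accounts WHERE owner = '" + owner + "'"
    return sorted(row[0] for row in conn.execute(query))

def accounts_for_owner_parameterized(conn, owner):
    """Sends the value separately from the SQL text as a bound parameter, so
    the database can only ever treat it as a string to compare against."""
    query = "SELECT account_no FROM accounts WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(query, (owner,)))

# Constructed input that exceeds what an owner name should contain: it closes
# the literal and appends a condition that is true for every row.
INJECTED_OWNER = "x' OR '1'='1"
```

For a well-formed owner name both functions agree; only the concatenated version returns every account when given `INJECTED_OWNER`, while the parameterized one simply finds no such owner.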

 

  • Bluetooth-related attacks

♦ Bluesnarfing - this kind of attack allows a malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.

♦ Bluejacking - this kind of attack allows a malicious user to send unsolicited (often spam) messages over Bluetooth to Bluetooth-enabled devices.

♦ Bluebugging - a hack attack on a Bluetooth-enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages and eavesdrop on phone conversations.

Reference:
Symantec warns users over Bluetooth security
http://www.cnet.com.au/symantec-warns-users-over-bluetooth-security-339282314.htm

 

 

Wikipedia resources:
http://en.wikipedia.org/wiki/Attack_(computing)
http://en.wikipedia.org/wiki/Phishing
http://en.wikipedia.org/wiki/Port_scanner
http://en.wikipedia.org/wiki/Spoofing_attack
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://en.wikipedia.org/wiki/Buffer_overflow
http://en.wikipedia.org/wiki/Botnet
http://en.wikipedia.org/wiki/Session_hijacking
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/SQL_injection
