Category "Cerberus"


DayZero’s SigFree Cerberus prevents exfiltration of data by detecting zero day attacks that use worms, trojans and many viruses.

What’s wrong with this picture?

Wrong? Can you pick out how this article describes what’s really wrong with internet security solutions today? What SigFree technologies and SigFree Cerberus are here to solve?

The article that follows is not wrong. In fact, it’s an excellent article. But it does highlight what’s terribly wrong with internet security measures today! The following wording is word for word from the article “Russian cyber spies target 0-day vulnerability in Windows” which can be found at http://www.dvhardware.net/article61400.html.
“Ars Technica writes suspected Russian cyber attackers have been targeting a 0-day vulnerability in Windows over the last year.

Prime targets included NATO, Ukrainian and Polish government agencies, as well as a variety of sensitive European industries.

The security flaw was patched today as part of Microsoft’s Patch Tuesday update cycle. Surprisingly, newer versions of Windows were vulnerable but the old Windows XP was not vulnerable to the attack. The zero-day attack is dubbed “Sandworm” because security researchers found references to Frank Herbert’s Dune series in the worm’s code. The attack is reportedly very subtle and anti-malware makers have had a hard time writing signatures for it.
“We can confirm that NATO was hit; we know from several sources that multiple organizations in the Ukraine were targeted,” said John Hultquist, senior manager of cyber-espionage threat intelligence for iSIGHT. “We have seen them using Ukrainian infrastructure as part of their attacks.”

The Sandworm Team, named because its members include references from Frank Herbert’s Dune series in their code, also used a previously unknown software flaw, or 0day vulnerability, to compromise some targets. Using the security hole, the Sandworm group could execute their attacks on systems running up-to-date versions of Windows Vista, Windows 7, Windows 8, and Windows RT. Microsoft plans to release a patch for the flaw during its regular updates on Tuesday.”

What’s wrong is that this vulnerability and the way it had been exploited went undiscovered for over a year! The exploits more than likely included advanced persistent threats which were used as routes to slowly gain greater authorization within the systems and to plant various types of malware.

This example shows what can go wrong when we rely on outdated signature approaches to finding malware. It’s not only wrong, it’s an indictment of intrusion detection techniques but we’re focusing on the detection side here.

SigFree Cerberus gets around this problem. Cerberus can take a bite out of what’s wrong with threat detection today. Cerberus does not depend on signatures. Cerberus is signature-free.

To begin the download of your free two week trial of Cerberus, simply click http://cerberus.dayzerosystems.com/download/. License sales are exclusively through Digital River and you can go to their MyCommerce site to buy a license by clicking on http://cerberus.dayzerosystems.com/buynow/.

Metasploit port scanning target for Cerberus

Metasploit test setups in the early development stages of Cerberus (The best part is the last by the way).

Metasploit is a tool used for network penetration testing. Penetration testing is done to discover a network’s vulnerabilities. For the basics of penetration testing, take a look at this Wikipedia article. For a bit more including a short mention of Metasploit, take a look at this InfoWorld article, “Penetration testing on the cheap and not so cheap”.

Within the Metasploit framework, Nmap was used as the port scanning solution. Nmap stands for network mapping. It has multiple capabilities but at the core, it probes to discover what other hosts and resources are available on a network.

We’ll show the results of tests using three of the Nmap scan modes. These were insane, polite and sneaky scan speeds.

In each test, you’ll also see that the process “Ruby Interpreter” is contained at the end. In Metasploit, Ruby can be used to write the commands to be issued to manage the target object. In each case, the Nmap scenario runs its course of port scanning as a worm infection may do. Afterwards, Cerberus then detects the Ruby Interpreter trying to send some illegitimate messages. This was added to the command sequence as a curiosity on our part and supports the conclusion that Cerberus is doing its job as was intended. In each case, it detected both worm-type scans as well as illegitimate messages. These were suspicious but none of these were malicious so none were quarantined. However, all were contained as should have been with Cerberus on the job.

Insane Speed

This is a very fast scanning rate. You can see in the figure below that Nmap was contained and then relaxed. Nmap actually tried several intermittent scans before starting insane speed. If this had continued it would have been contained. However, Nmap started to increase the scan rate and was contained only 63 milliseconds (0.063 seconds) after start of test. This figure does not show all the Ruby Interpreter activity which continued to send messages at long intervals and was contained and relaxed followed by a strong burst 30 minutes after start of test. They were all contained but never quarantined as none were malicious.

[Figure: Metasploit/Nmap insane speed test, Cerberus containment timeline]

Polite Speed

This mimics a very slow worm, which is usually difficult to detect. You can see in the figure below that Nmap was contained and then relaxed two times, the second at the end of the Nmap part of the test. Cerberus still contained Nmap only 109 milliseconds (0.109 seconds) after start of test. Again, neither Nmap nor Ruby were ever quarantined as they were not malicious despite the scans and messages being illegitimate.

[Figure: Metasploit/Nmap polite speed test, Cerberus containment timeline]

Sneaky Speed – This is a great example of why Cerberus is a great addition to your computer’s security measures!

This setting does just as the name implies. It is designed to evade intrusion detection attempts. This setting is adaptive. It adapts to the reaction it receives from any protection present. The reason it does this highlights the value of Cerberus. Sneaky speed is designed to defeat common rate limiting methods of detection and detection methods that use thresholds. For example, in the latter, being adaptive, Nmap tests its boundaries and determines the threshold. It then scans below that threshold to avoid being detected. However, Cerberus detected and contained Nmap sneaky speed in only 125 milliseconds (0.125 seconds) after start of test. Nothing sneaky speed could do would convince Cerberus to let it go. This demonstrates the validity and usefulness of Cerberus’ signature-free approach!

[Figure: Metasploit/Nmap sneaky speed test, Cerberus containment timeline]

Rongvhin.C – Development stage test results

The Rongvhin family of malware is a trojan, sometimes referred to as a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version tested, Rongvhin.C, was discovered in October 2013. We performed this testing on March 18, 2014. We knew mostly what to expect and this was not a test to determine how Cerberus performed with zero day malware. Rongvhin.C is most correctly described as a trojan but is also often discussed as a virus.

Rongvhin’s main purpose seems to be to generate reputation and Google rankings for certain ads, websites or software downloads for its authors or their customers. Rongvhin.C may also change the blocked and allowed sites set on your computer. This can be rectified by returning to the default values. You can read more about the Rongvhin family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanClicker%3aWin32%2fRongvhin.C#tab=1.

We installed TrojanClicker:Win32/Rongvhin.C from file H_LOADER.exe. This installed the files miniads.exe, miniads2.exe, miniads3.exe and adsminirun.exe. This is where the name confusion enters: while Rongvhin.C itself is a trojan, the executables it installs behave as viruses.

During our testing miniads.exe and miniads3.exe were the only ones to become active. Miniads.exe did not display malicious activity but tried to send several messages. Miniads3.exe would try to send out messages about every 8 minutes and SigFree Cerberus would contain it. If it is not contained, it will send messages for about 2 minutes and then go dormant for 8 more minutes, and then repeat the cycle. However, Cerberus contained it meaning that Cerberus stopped its messages from being launched into the web.

[Figure: Rongvhin.C test, Cerberus containment timeline]

Cerberus did not quarantine them. Cerberus can control the Rongvhin.C programs by simply containing them when they attempt to send messages. Through Cerberus’ actions, you may determine you want to remove the infection from your computer. But, even if you choose not to do so, Cerberus will still be protecting you. Cerberus will continue protecting even if Rongvhin.C mutates or is changed into a new variant against which other programs cannot protect. Cerberus does not need known signatures!

As with Sirefef discussed in a prior blog entry, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success! SigFree Cerberus protected the computer from the effects of the Rongvhin.C trojan and rendered its objects useless to complete their tasks!

Sirefef – Early development stage test results

The Sirefef family of malware is a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version of Sirefef tested was discovered in November 2013. We performed this testing on March 12, 2014. We knew what to expect and this was not a test to determine how Cerberus performed with zero day malware.

Sirefef’s main purpose seems to be to generate ad revenue for its authors by altering search results. It may download updates to add to its capability or to alter its signature. It seems capable of carrying a payload. You can read more about the Sirefef family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Sirefef.gen!B.

We ran this on Windows XP SP3, as it is most likely the most vulnerable.

We installed TrojanDropper:Win32/Sirefef.gen!B. Scanning, we found files TrojanDropper:Win32/Sirefef.gen!B, Trojan:Win32/Sirefef, and Trojan:Win32/Sirefef.AB. The virus is capable of turning off Windows firewall and Microsoft Security Essentials. Added protection in this case is definitely a benefit.

The virus infected two host processes, services.exe and svchost.exe. Services.exe was the most active and was contained five times by SigFree Cerberus and then quarantined. This process would go dormant when contained but was finally deemed malicious. It was almost five seconds after installation that the process was quarantined but most of this time it had returned to its dormant state.

As we mentioned, this is often the case with the operation of Cerberus. The suspect will respond to being contained by moving to a dormant state. With some malware, repetition of this action is enough to exhaust the limits of the malware. This repeated containment is not dangerous. Containment is simply a first stage of quarantine. We developed this method to prevent containment of good objects. Remember, we are signature-free. We are not only trying to find malware that has already been found. Our objective is to find our targets quickly and to be able to find our zero day targets just as quickly.

The second instance of the virus infected svchost.exe but was almost inactive. SigFree Cerberus contained it six times during the test but it fell dormant each time. It presented no danger.

Again, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success!

Cerberus Takes a Bite Out of Zero Day Malware

Cerberus v1.0, the revolutionary added malware protection for Windows, is being released today by DayZero Systems. When serious problems strike, SigFree Cerberus may be the only solution that offers protection from malware.

Harrisburg, PA – 16 October 2014: The time has come for new thinking in internet security software and DayZero Systems is stepping up to the challenge. The first zero day, signature-free detection application for protection from worms is being introduced today by DayZero Systems, Inc. The new DayZero SigFree(TM) Cerberus(TM) Version 1.0 brings a new level of added protection to any Windows computer user.

SigFree Cerberus provides zero day protection against worms and other similar self-propagating and self-mutating malware, including many viruses. Cerberus does not require known signatures, so detection can occur before malware spreads and causes costly damage, and before the malware steals personal information or uses system resources as part of a bot network.

The constant onslaught of new threats and breaches is proof enough that a new approach to internet security is necessary. Microsoft issues regular patches and in a recent announcement stated, “Attackers often spread malicious code through self-propagating malware, like worms.” With regard to the prevalent use and sharing of USB drives, Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered the ease of planting malware in USB microcontrollers, “Now all of your USB devices are infected. It becomes self-propagating and extremely persistent. You can never remove it.”

SigFree Cerberus v1.0 strikes at these types of threats and is the first in an arsenal of future signature-free applications to be released by DayZero Systems, the new leader in zero day threat protection. Cerberus does not protect systems from every type of malware. DayZero still recommends continued regular scans using Windows(TM) Security Essentials or, in the case of Windows 8, Windows Defender.

SigFree Cerberus v1.0 comes with a free two week trial, just click: http://cerberus.dayzerosystems.com/download/. DayZero promotes safe computer use. After downloading, right click on the file name in its folder, click Properties, open the Digital Signatures tab and confirm that a valid signature is listed. This ensures that the software comes from a trusted, certified source.

The version 1.0 license is US$14.00 per computer on which it is installed, comes with all v1.0 upgrades, and is not time-limited. The license may be purchased through Digital River by clicking http://cerberus.dayzerosystems.com/buynow-v1/.

DayZero Systems Inc. has been active in the internet security community since 2006 and is affiliated with the Pennsylvania State University and the Pennsylvania State Research Foundation. Follow us on Twitter (https://twitter.com/DayZeroSys) and look for news at http://blog.dayzerosystems.com/.


Breaches – how prevalent are they?

Two days ago, we blogged about Home Depot and took the following quote about breaches from one of the articles: “There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” In fact, there are more breaches than we realize!

According to the Ponemon Institute, as reported in USA Today, “43% of companies have experienced a data breach in the past year”.

It looks like the Ponemon surveys are close to confirming the conviction that there’s something already looming in every company. As we said, APT attacks and the malware that is installed and propagates through and across networks can take years. The ultimate goal of the malware, usually stealing information, can occur over a number of years before breaches are detected.

This is why we’re introducing SigFree Cerberus, a zero day detection solution to take care of bugs that you don’t know are there, as soon as they start becoming active! We are trying to do our part to stem breaches by malware that other threat prevention solutions just cannot detect.

Home Depot – Prevention versus Detection

We’re all awaiting the forensics reports with bated breath.

It’s a tragedy for the 56 million affected individuals in this, the largest retail breach yet. And, we don’t yet know the facts from forensics analysis. Despite the blame being laid on antiquated systems and protection at Home Depot, it still begs the question: do we put too much attention on prevention and not enough on detection of what is already embedded in company systems?

The New York Times reported prior employees attesting to “the risks were clear to computer experts inside Home Depot. The home improvement chain, they warned for years, might be easy prey for hackers.” But how did they reach this conclusion? Through vulnerability analysis? By running regular scans? Did they have state-of-the-art detection tools, not signature-based tools, to really assess threats already present?

The initial reports seem to indicate that these are valid points, but again, we must await the forensic reports before making judgments.

That same NYT’s article stated that “Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect”. But the difficulty of detection is dependent on whether you’re using the right tools, isn’t it?

Both of those points seem to be drawing some corroboration. Brian Krebs called the malware that hit Home Depot a new “variant of the malware that was used against Target”. And, in a Times article, Krebs was quoted as saying, “Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?”. That same article brings up the point, “There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” In other words, those who do not know they have been breached yet are not using the right detection tools for the job.

We bring up all these points because we have a similar view. Too much is spent on prevention at the expense of detection. It’s possible that this malware at Home Depot was on their system for years. Time and time again, we see that breaches are the result of malware that has evaded detection for many months, if not years. And we’re facing zero day malware plus new variants of older software every day. Signature based detection is just not the solution anymore.

DayZero’s SigFree Cerberus, our soon to be released client app, is directed specifically at this type of malware. It is signature-free and designed for detection of variants, including self-mutation as well as self-propagation. It is designed for the type of malware that may possibly already be resident in thousands of other retailers’ systems right now! Think about it!

Cerberus is coming soon, get a preview!

Release of our newest app, Cerberus, is approaching soon. Read more about it below:

There are many ways that malware becomes installed on your computer and existing defenses against their entrance are not perfect. Your own well-intentioned actions may allow malware to gain entrance or it may become attached to a normally trusted piece of software. And then there are phishing attacks which are becoming more and more successful, because the enticing come-ons that are used are becoming more and more believable and less obviously malicious. If you use a thumb drive, you may also inadvertently install malware on your machine that was unknowingly downloaded to the thumb drive, or any other type of removable media.

So, Cerberus was designed to be a gateway to detect malicious software which is attempting to make connections to the outside for other than legitimate purposes. It may be trying to send your data to outside sites, it may be trying to spread itself to other computers, or it may be a bot that someone is using in order to launch other attacks anonymously.

Cerberus uses several DayZero signature-free techniques, but they can be split into three principal parts. First, Cerberus is listening to every process running on your computer, even those you don’t know are there. Cerberus is able to quickly detect suspect behavior. At this point, Cerberus raises a red flag, or, what we call a smoke signal.

As soon as the smoke signal appears, Cerberus uses a containment technique while the malware’s communications are being analyzed. This containment technique is used for quick reaction to threats and also acts as both a deterrent and sometimes is the only solution needed as Cerberus may bring the malware under control or exhaust its useful life. Cerberus is able to contain a suspect within milliseconds versus the much longer reaction time of other techniques. This step also allows marginal suspects to be analyzed without disturbing legitimate processes. This is of growing importance as many sites attempt to gather data for marketing purposes and may utilize techniques very similar to some worms and spyware or even contain malware.

The containment often results in modifying a worm’s behavior and if it stops its activity, and is not deemed a threat, it will be released. However, if it tries again, it will be contained again and analysis will begin again. One reason we allow releases to occur is that a legitimate site page may initially act much as a worm, and in fact could be infected. Also, worms are sometimes designed to act only once, or a limited number of times. But, even if a released worm self-mutates, Cerberus is designed to detect it again and take measures since Cerberus does not rely on signatures for detection.

The proprietary analyses that Cerberus performs then determine if the suspect’s actions are malicious or otherwise illegitimate. If its actions persist and are judged malicious or not for legitimate purposes, Cerberus will quarantine the process originating the malicious activity.
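A toy model of the contain, release and quarantine cycle described here, and of the Nmap scan-speed tests above, added as an example that is not DayZero’s code: the fan-out detector, its thresholds, the process names and the traces are assumptions constructed for illustration, since Cerberus’ own analyses are proprietary and not described on this page. It shows why a fixed rate limit misses a “sneaky” scan while a window of distinct destinations does not, and how repeated containment escalates to quarantine.

```python
from collections import deque
ALLOWED, CONTAINED, QUARANTINED = "allow", "contained", "quarantined"

class _Proc:
    # state, (time, destination) history, time of last attempt, containment count
    def __init__(self):
        self.state, self.recent, self.last_seen, self.containments = ALLOWED, deque(), 0.0, 0

class ProcessMonitor:
    """Contain a process whose outbound fan-out looks worm-like, release it once
    it goes dormant, quarantine it if it keeps coming back (constructed model)."""
    def __init__(self, fanout_limit=16, window=30.0, quiet=5.0, max_contain=5):
        self.fanout_limit = fanout_limit  # distinct destinations that raise the smoke signal
        self.window = window              # seconds of history considered
        self.quiet = quiet                # silence needed before a contained process is released
        self.max_contain = max_contain    # containments tolerated before quarantine
        self._procs = {}

    def observe(self, t, pid, dst):
        """Record one outbound attempt by `pid` and return the verdict for it."""
        p = self._procs.setdefault(pid, _Proc())
        if p.state == QUARANTINED:
            return QUARANTINED
        if p.state == CONTAINED and t - p.last_seen >= self.quiet:
            p.state = ALLOWED             # relaxed: the process went dormant
            p.recent.clear()
        p.last_seen = t
        p.recent.append((t, dst))
        while t - p.recent[0][0] > self.window:
            p.recent.popleft()
        if p.state == CONTAINED:
            return CONTAINED              # still dropped while analysis runs
        if len({d for _, d in p.recent}) >= self.fanout_limit:
            p.containments += 1
            # quarantine once it has persisted through max_contain containments
            p.state = QUARANTINED if p.containments > self.max_contain else CONTAINED
            return p.state
        return ALLOWED

def first_rate_alert(events, max_per_sec):
    """Naive rate limiter for comparison: first time a process exceeds
    max_per_sec attempts within one second, or None."""
    seen = {}
    for t, pid, _ in events:
        q = seen.setdefault(pid, deque())
        q.append(t)
        while t - q[0] > 1.0:
            q.popleft()
        if len(q) > max_per_sec:
            return t
    return None

def first_containment(events, **kw):
    """First time the behavioural monitor stops a process, or None."""
    mon = ProcessMonitor(**kw)
    for t, pid, dst in events:
        if mon.observe(t, pid, dst) != ALLOWED:
            return t
    return None

def burst_verdicts(bursts, gap=5.0):
    """Replay bursts of 16 hosts each, `gap` seconds of silence apart, and
    return the verdict given to each burst's last attempt."""
    mon, out = ProcessMonitor(), []
    for b in range(bursts):
        base = b * (gap + 1.0)
        for i in range(16):
            v = mon.observe(base + i * 0.01, "services.exe", ("10.0.0.%d" % (i + 1), 445))
        out.append(v)
    return out

# Constructed trace, not a capture: one new port per second stays under a 5/s rate limit.
SNEAKY_SCAN = [(float(i), "nmap", ("10.0.0.9", 1 + i)) for i in range(40)]
```

With these assumed thresholds the sneaky trace never trips the rate limiter but is contained at 15 s, and a process that bursts, goes dormant and returns is contained five times and quarantined on the sixth.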

Cerberus provides a number of extra benefits:

  • Cerberus is a signature free malware detection solution. This means that it is designed to find malware at zero day or malware which is programmed to alter or mutate its identity to avoid detection while it is installed on your computer, or when it moves from one computer to another.
  • Cerberus is working all of the time. It does not depend on running scans periodically.
  • Cerberus targets some of the most dangerous malware that plagues consumer and business users alike – self-mutating and self-propagating worms and other malware that behave like worms. Self-mutating means that the malware is programmed to change its identity to make detection much harder. Self-propagating means that the malware duplicates itself to infect other devices to which your computer becomes connected.
  • Cerberus is easy to use. In fact, you can install it and forget about it. If Cerberus needs your attention, it will let you know but typically, it can run and do its job without bothering you at all.
  • Cerberus gives you added protection should you fall victim to a phishing attack (where the attacker tempts you to invite it in by clicking on something you believe is valid).
  • Cerberus isn’t meant to protect you from every type of threat but it is expert at the targets described below. We still recommend using traditional protection, particularly regularly scheduled scans of your computer files, for other types of threats as well.

When the worst happens, Cerberus may be the only solution to keeping you safe!