Matthew J. Harmon: Minneapolis, Minnesota, United States, Earth

Action and Adventure on the High Seas of Information Security

Malware: Defense

Apr 05, 2014, Posted in sosb, infosec, malware, featured

Malware Kitty

This cute kitten is harboring a harmless malware test file, hidden four different ways, that every anti-virus product should detect. Don't blow your whole budget on buzzword-bingo "anti-virus" software.

  • Start with the basics: enable the built-in operating system firewall.
  • Build on your authorized software list and consider whitelisting only authorized software packages.
  • Keep your data separate from your operating system.
  • If your organization is small enough, set your backups to run at the end of the day and automatically shut down your workstations and network when they finish.
  • Don't install developer tools on day-to-day workstations; use a separate, portable and compartmentalized environment such as Docker.io instead.
  • If your staff need a playground, use virtual machines.
  • Use a separate internal server for file sharing and disable all other file shares and p2p (workstation-to-workstation) communications.
  • You don't allow p2p, you say? Run this at your Windows command line: net use (it lists the network shares this workstation is connected to).
  • Linux / OS X people? Run this for the equivalent check: netstat -an | grep LISTEN (it lists the ports this host is listening on).

While anti-virus software has its place, implementing the steps above will get you far better traction.

All "anti-virus" software should detect the EICAR test file contained within the cute kitten. Unfortunately, none has found it.

Black/green hex dump screenshot

Can you identify how the test files are hidden? Here's a hint.

Why does this matter? If I can load an image on your system, I can load a malicious payload for future use. Here's a demo of how to pre-load assets.

John Strand of Black Hills Information Security, on Security Weekly, explaining why malware isn't your biggest problem and exploits aren't everything: "Live from SANS DFIRCON: Panic! Hysteria! No malware required!"

The four ways are: a 7z archive with AES encryption and a simple password (a scanner cannot inspect what it cannot decrypt); LZMA2 with a 512 MB dictionary (unpacking it exceeds the memory and time limits a scanner allows itself, so the entry is skipped); PKZIP with the EICAR string stored as UTF-16 (the ASCII signature no longer matches the bytes on disk); and ???

Want to see something really cool? Save the kitten image and unzip it.
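As an added example (not the post's own code), the Python below builds a JPEG/ZIP polyglot the way the kitten carries its payload, which is also what the hex dump hint shows: the archive sits after the JPEG end-of-image marker, image viewers stop at that marker, and unzip finds the central directory at the end of the file and never cares what came before it. It then shows the two checks a defender wants: a trailer check that flags any archive glued onto an image even when the archive cannot be opened (the 7z + AES case), and a member scan that matches the signature both byte-for-byte and after UTF-16 decoding, so the UTF-16 trick is caught. The JPEG skeleton, the archive members and the signature string are constructed for the example; the signature is a stand-in rather than the real EICAR string so this source file does not itself trip a scanner, and the 7z trailer is just the 7z magic bytes, not a real archive.

```python
import io
import zipfile

# Constructed stand-in for the EICAR string, so this source file does not itself
# trip a scanner; substitute the real EICAR string to reproduce the post's test.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-STANDIN"

# Constructed minimal JPEG: SOI marker, one APP0/JFIF segment, EOI marker.
# It is not a renderable image, but it has the structure a trailer check relies on.
JPEG_SKELETON = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"
)

# Magic bytes of archive formats commonly glued onto an image.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# Constructed archive members: the same signature stored as ASCII and as UTF-16.
SAMPLE_MEMBERS = {
    "test.txt": TEST_SIGNATURE,
    "test-utf16.txt": TEST_SIGNATURE.decode("ascii").encode("utf-16-le"),
}


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_polyglot(image, archive):
    """Viewers stop at EOI; unzip keys on the central directory at the end of
    the file. Concatenating the two yields a file that is both at once."""
    return image + archive


def trailing_archive(data):
    """Return (kind, offset) of an archive appended after the JPEG EOI marker.

    kind is a value of ARCHIVE_MAGIC, 'unknown' for unexplained trailing bytes,
    or None when nothing follows the image. A production check must also skip
    embedded EXIF thumbnails, which carry their own SOI/EOI pair.
    """
    eoi = data.find(b"\xff\xd9")
    if eoi < 0 or eoi + 2 >= len(data):
        return None, -1
    trailer_start = eoi + 2
    for magic, kind in ARCHIVE_MAGIC.items():
        pos = data.find(magic, trailer_start)
        if pos >= 0:
            return kind, pos
    # Local headers may be mangled, but unzip only needs the end-of-central-
    # directory record, so ask zipfile whether it would still open the file.
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "zip", trailer_start
    return "unknown", trailer_start


def naive_ascii_scan(blob, signature=TEST_SIGNATURE):
    """Byte-for-byte signature match; misses any re-encoding of the string."""
    return signature in blob


def decoded_scan(blob, signature=TEST_SIGNATURE):
    """Match the signature in the raw bytes and in UTF-16 decodings of them."""
    if signature in blob:
        return True
    text = signature.decode("ascii")
    for encoding in ("utf-16-le", "utf-16-be"):
        try:
            if text in blob.decode(encoding):
                return True
        except UnicodeDecodeError:
            continue
    return False


def scan_polyglot(data):
    """Flag the trailer, then open it if it is a ZIP and scan every member.

    Returns (kind, {member: (naive_hit, decoded_hit)}). An encrypted 7z, or a
    member that exhausts the unpacker, cannot be inspected here; the presence
    of the trailer is the finding in that case.
    """
    kind, _offset = trailing_archive(data)
    results = {}
    if kind != "zip":
        return kind, results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            member = zf.read(name)
            results[name] = (naive_ascii_scan(member), decoded_scan(member))
    return kind, results


if __name__ == "__main__":
    kitten = make_polyglot(JPEG_SKELETON, make_zip(SAMPLE_MEMBERS))
    print(trailing_archive(kitten))   # ('zip', 22): archive starts right after EOI
    print(scan_polyglot(kitten))      # ASCII member hits both scans, UTF-16 member only the decoded one
```

The takeaway for the checklist above: a scanner that only pattern-matches bytes misses the UTF-16 copy, and no scanner can read an AES-encrypted 7z without the password, so the useful signal on a workstation is "this image has an archive bolted onto it", which the trailer check gives you regardless of what the archive contains.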

Matthew J. Harmon - http://www.linkedin.com/in/matthewjharmon/

Passionate security researcher, entrepreneur, consultant. Owner, founder, maker, mentor, teacher.
