12/03/2014

#sonyhack: it came by the mail (and why don't we sandbox emailattachments ?)

"Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.

The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connect them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shutdown and rebooted.

The memo warns that once the beacons start, the process of wiping the files has begun http://www.csoonline.com/article/2853893/disaster-recover...

this is like most of the APT attacks that are described are very 'professional attacks and code only available to ...blablablabla' 

but if you follow the same logical examination as any forensic investigation and you ask how the file came on the PC (even before asking yourself how it is possible that those workstations have so many administrative rights and so little protection .... behind that socalled firewall and other securitywalls) 

than the answer is in most cases always the same 

"it came as an attachment from the mail" or as a "download from a link in the mail" 

but why do we accept that these attachments in the mail are downloaded and placed on the computers or our internal networks ? Why don't we place them on a sandboxed server (with no connection to the internet or even the intranet) where people can open them, read them and eventually sanitize them before placing them on a server in the network (that you can secure much harder than the rest of your servers (for example no networkconnections for files). 

Ideally you should be able to let those files be analyzed every so many days by a number of antivirus, antimalware etc products and block all those where there are suspicions 

this would be the cheapiest solution that would in fact be very easy to set up and add to your mailserver and network. 

Permalink | |  Print |  Facebook | | | | Pin it! |

The comments are closed.