Tag Archives: Malware

WireLurker

Yesterday Palo Alto Networks released a report on a new OSX & iOS malware, WireLurker. The best write-up I have seen so far is here: http://www.zdziarski.com/blog/?p=4140

A couple pertinent points:

-Currently circulated only through Chinese warez – it appears to target only users' identifying information (possibly to identify key players in the Chinese software-pirating market?)

-The concern is not so much about WireLurker itself, but “…that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines.”

-If you are interested in detecting whether a device has been compromised, see here: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector – If anybody has IDS sigs yet, please let me know…


Key Takeaways:

-Remind users that jailbreaking a phone (whether Android or iPhone) leaves it with less security – better yet, enforce policies that disallow jailbroken devices from holding organizational data

-“While your own Mac may not be infected with WireLurker, it’s possible others (in your school, college, at work, or public computers) are, so it’s important not to trust any devices other than your own. To help prevent this from accidentally happening, you may wish to pair lock your device using these instructions.”

We need to keep fostering a cultural change among our Mac users, countering the fallacy that if you have a Mac you don't need to worry about security issues… "Only PC users need to worry about that."


Outbound Spam Filtering

One configuration gap that I have run into a number of times is the lack of outbound Spam/Anti-Virus filtering. The organization in question routes its inbound mail queue through the Anti-Spam/AV filter, but does not route its outbound mail through it. When asked about it, the typical response has been, "Never thought about it. We are really only concerned about inbound spam and viruses."

Here is my typical response:

When a corporate mailbox is compromised and used in a spam campaign, how will you know? When the user of the compromised account complains to the helpdesk about the glut of bounced messages in his inbox? By that time, possibly your only static public IP has been listed on a number of Real-time Blackhole Lists (RBLs).

Filtering outbound messages for Spam/Malware helps you detect internally compromised accounts and computers faster than waiting for the user or an RBL to alert you. Just be sure to tune the alerting so that you get the right alerts when they are needed, and don't fall into alert fatigue.

-Josh
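As an added illustration of the detection point above (example code, not from the original post): a small detector that reads constructed Postfix-style queue-manager log lines for outbound mail and flags any sender that addresses more than a threshold of recipients within a sliding five-minute window, raising a single alert per sender so one compromised mailbox does not bury you in duplicates. The log format, addresses, thresholds and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound MTA log lines (Postfix-like); not real traffic.
SAMPLE_LOG = """\
Nov  6 09:00:01 mx postfix/qmgr[1]: A1: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Nov  6 09:00:05 mx postfix/qmgr[1]: A2: from=<bob@example.org>, size=1900, nrcpt=1 (queue active)
Nov  6 09:01:10 mx postfix/qmgr[1]: A3: from=<bob@example.org>, size=1901, nrcpt=50 (queue active)
Nov  6 09:01:12 mx postfix/qmgr[1]: A4: from=<bob@example.org>, size=1901, nrcpt=50 (queue active)
Nov  6 09:01:15 mx postfix/qmgr[1]: A5: from=<bob@example.org>, size=1901, nrcpt=50 (queue active)
Nov  6 09:02:00 mx postfix/qmgr[1]: A6: from=<alice@example.org>, size=3000, nrcpt=2 (queue active)
"""

# Assumed line layout: syslog timestamp, host, qmgr queue id, envelope sender, recipient count.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): "
    r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)"
)

def parse_outbound(log_text, year=2014):
    """Yield (timestamp, queue_id, sender, recipient_count) for each queue-active line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated log lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3).lower(), int(m.group(4))

def find_burst_senders(log_text, window_seconds=300, max_recipients=100):
    """Return {sender: recipients} for senders exceeding max_recipients in any window.

    Only the first offending window per sender is reported, which keeps a
    single compromised account from generating hundreds of identical alerts.
    """
    events = defaultdict(list)
    for ts, _qid, sender, nrcpt in parse_outbound(log_text):
        events[sender].append((ts, nrcpt))
    alerts = {}
    for sender, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, nrcpt in evs:
            total += nrcpt
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                total -= evs[start][1]  # slide the window forward
                start += 1
            if total > max_recipients:
                alerts[sender] = total
                break
    return alerts

if __name__ == "__main__":
    for sender, count in find_burst_senders(SAMPLE_LOG).items():
        print(f"ALERT: {sender} addressed {count} recipients within 5 minutes")
```

In practice the threshold would be set from each account's normal sending volume, and the alert would feed the same channel as your inbound filter's hits.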
