Lenny Zeltser is teaching us how malware operates

Lenny Zeltser has been teaching security classes at SANS for more than 15 years now and has earned the prestigious GIAC Security Expert professional designation. He is not some empty suit but a hands-on guy who developed the Linux toolkit REMnux that is used by malware analysts throughout the world. He is frequently quoted in the security trades and recently became VP of Products of Minerva Labs and spoke to me about his approach to understanding incident response, endpoint protection and digital forensics.

“I can’t think about malware in the abstract,” he said. “I have to understand it in terms of its physical reality, such as how it injects code into a running process and uses a command and control network. This means I have to play with it to learn about it.”

“Malware has become more elaborate over the past decade,” he said. “It takes more effort to examine it now. Which is interesting, because at its core it hasn’t changed that much. Back a decade or so, bots were using IRC as their command and control channel. Now of course there are many more HTTP/HTTPS-based connections.”

One interesting trend is that “malware is becoming more defensive, as a way to protect itself from analysis and automated tools such as sandboxes. This makes sense because malware authors want to derive as much value as they can and try to hide from discovery. If a piece of malware sees that it is running on a test machine or inside a VM, it will just shut down or go to sleep.”

Why has he made the recent move to working for a security vendor? “One reason is because I want to use the current characteristics of malware to make better protective products,” he said. Minerva is working on products that try to trick malware into thinking that it is running in a sandbox when it is actually sitting on users’ PCs, as a way to shut down the infection. Clever. “Adversaries are so creative these days. So two can play that game!”

Another current trend for malware is what is called “fileless,” or the ability to store as little as possible in the endpoint’s file system. While the name is somewhat misleading – you still need something stored on the target, whether it be a shortcut or a registry key – the idea is to have minimal and less obvious markers that your PC has been infected. “Something ultimately has to touch the file system and has to survive a reboot. That is what we look for.”

Still, no matter how sophisticated a piece of malware is, there is always user error that you can’t completely eliminate. “I still see insiders who inadvertently let malware loose – maybe they click on an email attachment or they let macros run from a Word document. Ultimately, someone is going to try to run malicious code someplace, and they will get it to where they want to.”

“People realize that threats are getting more sophisticated, but enterprises need more expertise too, and so we need to train people in these new skills,” he said. One challenge is being able to map out a plan post-infection. “What tasks do you perform first? Do you need to re-image an infected system? You need to see what the malware is doing, and where it has been across your network, before you can mitigate it and respond effectively,” he said. “It is more than just simple notification that you have been hit.”

I asked him to share one of his early missteps with me, and he mentioned when he worked for a startup tech company that was building web-based software. The firm wanted to make sure their systems were secure, and paid a third-party security vendor to build a very elegant and complex series of protective measures. “It was really beautiful, with all sorts of built-in redundancies. The only trouble was we designed it too well, and it ended up costing us an arm and a leg. We ended up overspending to the point where our company ran out of money. So it is great to have all these layers of protection, but you have to consider what you can afford and the business impact and your ultimate budget.”

Finally, we spoke about the progression of technology and how IT and security professionals are often unsure when it comes to the shock of the new. “First there were VLANs,” he said. “Initially, they were designed to optimize network performance and reduce broadcast domains. And they were initially resisted by security professionals, but over time they were accepted and used for security purposes. The same thing initially happened with VMs and cloud technologies. And we are starting to see containers become more accepted as security professionals get used to them. The trick is to stay current and make sure the tools are advancing with the technology.”

Like what you are reading?

Subscribe to Inside Security!

FIR B2B podcast #66: The Robot Who Fooled Me, Block That Buzzword and Domain Name Insanity

Paul Gillin and I discuss a variety of topics this week. First, the notion of automated phone attendants providing outbound sales support took on new meaning when Paul got a call from Brian the fund-raiser. Turns out Brian wasn’t a real person, but he initially fooled Paul!

Next, perhaps it’s time to sharpen our use of language. We talk about lazy usage of meaningless words, such as flexible robust high-performance. Say what?

I note that the latest crop of domain name extensions is completely out of control, not to mention pricey and making it harder for brands too. You can listen to our 20-minute podcast here:

A new kind of domain name exploit: Latin letters

The latest domain-based scam depends on you not noticing the difference between ɢoogle.com and Google.com. Look closely, and note that the first “g” looks a bit off between the two samples. This is because the scam domain name uses look-alike Latin characters (as shown from the Wikipedia entry above with all those K’s). Thanks to Unicode alphabet support in domain names (which makes Chinese and Hebrew and other non-Roman lettered domains possible), scammers are registering these near-typo-squatted domains to fool users into clicking on them. This also makes it harder for IT security folks to keep malware hosted on these domains from infecting their networks. This particular domain was registered to an alleged Russian criminal called Vitaly Popov. He also owns the domain lifehacĸer.com. (Note the odd “k” there.)

Needless to say, the legit owners of these domains have filed legal disputes, claiming that users would be confused and at peril.
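One way a defender can flag such look-alike domains in DNS or proxy logs, as an added example that is not part of the original post: each character is mapped to its plain-ASCII look-alike and the result is compared against a list of protected brand domains. The confusables table and the protected list below are constructed assumptions, and the punycode rendering is simplified compared with full IDNA processing.

```python
import unicodedata

# Constructed, deliberately small confusables table. A production check would
# load the Unicode confusables data (UTS #39) rather than this hand-picked subset.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G, the odd "g" in the page's example
    "\u0138": "k",  # LATIN SMALL LETTER KRA, the odd "k" in the page's example
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0131": "i",  # dotless i
}

# Constructed list of brand domains to defend (an assumption, not from the page).
PROTECTED = {"google.com", "lifehacker.com"}


def skeleton(domain: str) -> str:
    """Map a domain to a plain-ASCII skeleton so look-alikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):      # drop accents and other combining marks
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def to_ascii(domain: str) -> str:
    """Render each non-ASCII label in the xn-- form that DNS and certificate logs carry.
    Simplified: real IDNA processing also applies mapping and validity rules."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def check_domain(domain: str) -> dict:
    """Classify one observed domain against the protected list."""
    result = {"domain": domain, "ascii": to_ascii(domain), "target": None}
    if domain.lower() in PROTECTED:
        result["verdict"] = "protected"
        result["target"] = domain.lower()
    elif skeleton(domain) in PROTECTED:
        result["verdict"] = "lookalike"    # the ɢoogle.com / lifehacĸer.com case
        result["target"] = skeleton(domain)
    elif not domain.isascii():
        result["verdict"] = "idn"          # non-ASCII, but imitates nothing we protect
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in proxy or DNS logs.
    for d in ["Google.com", "\u0262oogle.com", "lifehac\u0138er.com", "example.com"]:
        print(check_domain(d))
```

Domains that come back as "lookalike" are worth blocking or at least alerting on, and the xn-- form is what to search for in certificate transparency and DNS data.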

This isn’t the only challenge for users of the domain name system. I recently explored registering a new domain name. Given that the old standbys such as .com and .net are usually taken for the most common names, the Internet authorities now have opened up dozens of new extensions to choose from such as .camera and .kitchen (see the screenshot here) that I could use. In fact, there are far too many choices. I guess this was inevitable.

But my surprise wasn’t just at the sheer number of them, but at their excessive cost: some of these extensions will set you back hundreds of dollars a year. And that is just for the registration of the name, let alone putting up a website for that domain. While many domains now get sold through brokers for higher fees, this is just the initial retail cost from a registrar. This makes it a lot harder for brands to know what to purchase, and it could up the ante if they are startups who will have to purchase multiple names to register their brand.

Remember those halcyon days of Pets.com and its spokes-puppet? Seems like a long time ago.


HPE Insights: 8 lessons about IoT security learned from the Mirai botnet

Botnets are a major threat, and require a combination of methods to defend against massive traffic volumes. Experts recommend a combination of steps to guard against attacks. You’ve probably seen your fill of Mirai-inspired headlines, but keep reading my article on HPE’s latest website. You’ll learn something essential to maintaining your overall IT security posture. I provide an overall timeline of events since last fall, show how Mirai was first detected, and what things you should do to protect your enterprise infrastructure.

HPE Insights: 9 ways to make IoT devices more secure

Devices must be more secure if IoT is to reach its full potential. The good news is that security policies and procedures can protect enterprise infrastructure, harden IoT configurations, and make the network smarter and more defensible. Here is where to start, in an article that I recently wrote for a new HPE IT site, where I provide what the bottom-line impact will be for enterprise IT folks and digest information from various sources, including the latest reports from the Broadband Internet Technical Advisory Group (BITAG) and the Cloud Security Alliance.


Both Paul and I have known Sam Whitmore since all three of us were at PC Week (now eWeek) back in the go-go 1980s. Since 1998, Sam has been running his own consultancy for PR firms, called MediaSurvey. We spent some time talking to him about a fascinating series of posts on his site that began with an open letter that purported to be from a fictional agency to its fictional B2B client. The letter explains, from the agency’s point of view, why the relationship isn’t more productive. It inspired several comments, as well as our own curiosity about Sam’s motivations.

The letter makes three points, with the basic thesis being that “We need max access and a budget bump,” meaning that PR budgets have to reflect a more strategic approach to what agencies do. The fictional PR firm asks to be given better access to customer feedback and become a more strategic partner in the client’s marketing efforts, and to have better relationships with content gateways that will outlast a point product release. The tone of the letter is snarky, but also to the point, with good suggestions about the brave new world of what Sam calls “content platforms” such as ITCentralStation, ProductHunt, and SoftwareAdvice. Whitmore calls these the “IT version of Yelp,” and notes that they’re increasingly powerful in shaping buying decisions. Do you know about them? I actually contribute product reviews to the first site and have seen impressive results, but Paul had barely heard of them.

You can listen to our 27-minute podcast here:

Bridging the digital divide: not everyone has the same needs

Today, the issue of digital equity is receiving more attention than ever. For good reason: Internet access is no longer a luxury, it is a daily necessity in how we live, work and play. Still, we are far from the most connected nation on earth (as shown above from TransferWise), and a quarter of our homes aren’t yet on broadband networks.

One issue is that the digital divide isn’t a simple binary split between “haves” and “have nots.” There are many shades of grey in between. Not everyone uses the Internet and connected technologies the same way, with the same skill set, or even with the same context. Before we can solve this divide, we have to understand these subtleties.

I met Michael Liimatta at an event last week and he got me started thinking about this in more detail. He is the co-founder of Connecting for Good, a Kansas City nonprofit focusing on digital inclusion. I have taken his remarks from this blog post and added my own thoughts as well.

In our efforts to level the digital playing field for low income families, we must avoid the assumption that all of them relate to technology, computers and the Internet in the same way. To be effective in digital inclusion efforts, we must recognize that there are at least four different subsets within this population, each with its own distinct needs.

  1. The early adopters: Several national studies indicate that low income families with school children have a higher rate of broadband adoption; approximately half of them can access the Internet at home. The cities where we find the highest adoption rates are those where discounted Internet plans have been offered for a number of years and where there is extensive outreach in the public schools. However, these plans are not available everywhere. There are also cost issues: some families have to purchase expensive smartphone data plans to connect their computers, and many families have outdated PCs or don’t have the necessary tech support or lack sufficient bandwidth. These early adopter families also have another issue: understanding the dangers of the Internet in terms of accessing inappropriate content and meeting child predators.
  2. The uninformed: We do not want to forget that there are still low income families that know they need to be online and can afford a discounted Internet plan but simply don’t know what plans are available. ISPs like Comcast, Cox and Google Fiber have staff members dedicated to this type of outreach in cities where they offer discounted Internet services. But they will need more local help to increase awareness.
  3. The financially challenged: The truth is, there are families that recognize the need to be connected but truly cannot afford to do so. With the FCC’s modernization of the Lifeline program, a $9.25 per month subsidy for broadband services should be available to eligible low income families, if only more ISPs adopted it. There are other programs from local housing authorities and private philanthropy that can also help to defray these costs.
  4. The unconvinced and intimidated: Lastly, there are low income families that are able to afford a discounted Internet connection but are simply not convinced that they need one or are too intimidated by technology. Ultimately, convincing the adult heads of household is the trick. They must value access enough to dedicate seriously limited financial resources toward paying for an Internet subscription. When it comes to broadband adoption efforts, this can be the most challenging group of all, representing a significant portion of households living on the wrong side of the digital divide. This group also includes people who don’t know the difference between accessing the Web via a phone or the larger screens of tablets and PCs.

Digital inclusion efforts need both dedicated leadership and “boots on the ground” to be executed successfully. Too many efforts focus on providing computers and connectivity but fail to factor in the social dynamic of broadband adoption. To be effective, crossing this divide will take hours and hours of time spent in training and technical support if we are to bring the Internet to the rest of America’s poorest families.

Here is one small step forward: Next week, the National Digital Inclusion Alliance will hold a webinar to brief digital inclusion practitioners and advocates on the state of digital inclusion at the local community level. You might want to tune in.

The view from Joshua Belk, former FBI CSO

Joshua Belk is the co-founder of the security startup Opsec360. Previously, he was the cybersecurity manager at the electric utility PG&E and the CSO for the FBI back at the beginning of this decade.

His earliest memory of a security issue was with managing people: “I have found that no matter how comprehensive our policies may be, if you don’t have the right culture among your workforce they won’t matter. Education, understanding, and inclusion are the ways to build the right security environment.”

He is drawn to tools that provide useful analytics. “With terabytes of data available to your team, trying to find the needle in the haystack can be a challenge. Each tool has its place in your security architecture so picking one is difficult, but those which are capable of providing me good information for analysis are the ones I prefer. That said, knowing your use cases and setting up your tools is probably the biggest impact on any security organization.”

His best advice for dealing with insider threats is to first start with the basics. “Many companies have not taken adequate measures to protect their information or environments. At the lowest level, access provisioning, data classification, and updated antivirus and firewalls are all mandatory, but when new systems or services get introduced into your environment the effects are often not well known. Protect against the drift.”

He sees MDM as a careful balance between protecting the employee and preventing unauthorized access. “At the core of the issue, no one wants their data put at risk and most users and organizations are willing to conform to a good policy in order to protect themselves.”

SecurityIntelligence.com: Tracking the Digital Transition in the White House

As President Donald Trump arrives at the White House to start his term, he faces a very different collection of technology than when former President Barack Obama entered eight years ago. Back then, government PCs sported floppy drives and no president had ever personally used Twitter or any other form of social media. But the task of making the digital transition isn’t easy, and I describe some of the electronic methods that are being used to preserve the Obama legacy. You can read my post on IBM’s SecurityIntelligence.com blog here.


This week we cover a grab bag of stories dealing with B2B marketing, some good and some bad. We look at why Medium.com failed to deliver revenue, blaming this failure on its advertising model. The story ran in Bloomberg after the company had a significant recent layoff. Washington Post homepage editor Doris Truong was caught up in her own private PizzaGate fake news saga when trolls on the Internet spread a terrible case of mistaken identity about her, pictured here. Then we discuss understanding the kind of PR program you’re really looking for and how you need to set your expectations accordingly. The article mentions five kinds of potential startup PR programs that are typical.

Finally, we cover this interesting story about building a brand, the Chinese way. Networking and communications giant Huawei (annual revenue of US$60 billion and the #3 smartphone vendor) paid a few dozen influencers to attend their September trade show in Shanghai and promote to their social media connections.

You can listen to the 21-minute podcast now.