Detection of virus attacks

by Stephane

Analysis of Dridex attacks

Since August 2, 2014, we have run an automatic detection system for suspicious files inside the ALTOSPAM engine itself. It is based on on-the-fly analysis of the signatures of the files passing through our platforms and identifies, in real time, the presence of so-called “suspicious” files: for example, files (identified only by their signature, for reasons of content confidentiality) originating from several different networks and sent to several distinct networks, or compressed files. The presence of a suspicious file in an email lets us raise specific rules that trigger further analysis and verification, so that we can eventually block the emails concerned if they are spam or carry viruses unknown to our 5 antivirus programs.

This system also helps us detect large-scale attacks and analyze how our own systems behave when facing them. For example, if emails belonging to an ongoing attack reach some of our customers, we are informed immediately, so that we can manage the situation and react very quickly.
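As an added illustration (not ALTOSPAM's own code), here are the two rules described above in Python: each attachment is reduced to a hash, a signature seen from several sending networks and delivered to several customer networks is flagged, and compressed containers are flagged by their magic bytes. The traffic sample, the network names and the thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Magic bytes of compressed containers; the rule flags these on sight.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")

def signature(data: bytes) -> str:
    """Content-blind identifier: only this hash, never the bytes, is correlated."""
    return hashlib.sha256(data).hexdigest()

def is_compressed(data: bytes) -> bool:
    return data.startswith(COMPRESSED_MAGIC)

class SpreadTracker:
    """Per signature, track sender and receiver networks; a file seen from >= min_src
    sources and delivered to >= min_dst destinations matches the 'multi-network' rule."""
    def __init__(self, min_src: int = 2, min_dst: int = 2):
        self.min_src, self.min_dst = min_src, min_dst
        self.sources, self.destinations = defaultdict(set), defaultdict(set)

    def observe(self, sig: str, src_net: str, dst_net: str) -> bool:
        self.sources[sig].add(src_net)
        self.destinations[sig].add(dst_net)
        return (len(self.sources[sig]) >= self.min_src
                and len(self.destinations[sig]) >= self.min_dst)

def scan(events, tracker: SpreadTracker):
    """Return [(event_index, [rule names])] for (src_net, dst_net, bytes) events that raise a rule."""
    hits = []
    for i, (src, dst, blob) in enumerate(events):
        reasons = []
        if is_compressed(blob):
            reasons.append("compressed")
        if tracker.observe(signature(blob), src, dst):
            reasons.append("multi-network")
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample traffic: one "invoice" document sent from two sender
# networks to two customer networks, plus a zip archive and a benign PDF.
INVOICE = b"\xd0\xcf\x11\xe0constructed-invoice-doc"  # OLE header + filler
SAMPLE_EVENTS = [
    ("203.0.113.0/24", "cust-a", INVOICE),
    ("203.0.113.0/24", "cust-a", INVOICE),   # same source and destination: no spread yet
    ("198.51.100.0/24", "cust-b", INVOICE),  # now 2 sources and 2 destinations: rule fires
    ("192.0.2.0/24", "cust-c", b"PK\x03\x04constructed-archive"),
    ("192.0.2.0/24", "cust-c", b"%PDF-1.4 constructed benign document"),
]
```

Running `scan(SAMPLE_EVENTS, SpreadTracker())` on this sample flags event 2 as multi-network and event 3 as compressed; a real deployment would feed the flagged signatures into the further analysis the article describes rather than block on them alone.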

The graph below shows the number of suspicious files identified each day since this system was introduced. Distinct waves of attacks are clearly visible. They correspond to virus attacks of all kinds, but the most significant waves are those of the Dridex type, in which Microsoft Office files are used to download payloads, directly or indirectly, via VBS macros (details of these attacks are in our article: https://www.altospam.com/actualite/2015/07/vagues-dattaques-facture-macro-word-virus-dridex/).

[Figure: Attaques-dridex (daily count of suspicious files detected)]

The attack peaks, in decreasing order of importance, occurred on 27/10/2015, 20/07/2015, 23/07/2015, 16/07/2015 and 15/07/2015, dates that correspond precisely to the large waves of Dridex infections. The first wave began (gently) on June 8, 2015, with its main peak in the third week of July. The second, more concentrated wave took place in the last week of October 2015. It took the attackers three months to improve their ransomware and launch a new, more aggressive and better controlled attack (carefully crafted e-mails: spelling, subject and content chosen to maximize the open rate).

With the arrival of new ransomware versions such as CryptoWall 4 (details at https://www.altospam.com/actualite/2015/11/attention-au-malware-cryptowall-4-0/), a third wave is likely within the next few months. As we have seen with traditional viruses, we should expect these attacks to be even more concentrated in time and even more dangerous. Some ‘traditional’ virus attacks last less than 2 hours, which is why a defense cannot rely solely on signature-based antivirus software.

That is why, in addition to this suspicious-file detection system, we have built a veritable antivirus fortress designed to block both known and unknown viruses (details of this fortress: https://www.altospam.com/actualite/2014/02/la-forteresse-daltospam-les-malwares/). At the beginning of November 2015 we strengthened it with a real-time analysis system for the macros contained in Microsoft Office files, to detect suspicious files and dangerous emails even more effectively. This system includes a code deobfuscation and script analysis algorithm: the presence of specific elements in a macro is identified and fed into our anti-spam analysis engine to block emails containing dangerous files.
