welcome to

White Papers

Terdot: Zeus-based malware strikes back with a blast from the past

This whitepaper is a technical analysis of the Terdot, a Banker Trojan that derives inspiration from the 2011 Zeus source code leak. Highly customized and sophisticated, Terdot can operate a MITM proxy, steal browsing information such as login credentials and stored credit card information, as well as inject HTML code in visited Web pages.

READ MORE

EHDevel – The story of a continuously improving advanced threat creation toolkit

More than a year ago, on July 26th 2016, the Bitdefender Threat Intelligence Team came across a suspicious document called News.doc.

Upon preliminary investigation, the sample revealed a set of similar files that bear the same features, but appear to have been used in separate attacks targeted at different institutions.

This plug-and-play malware framework uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.

Dubbed EHDevel, this operation continues to this date, the latest known victims reportedly being several Pakistani individuals. In their case, the threat actors have chosen different lures than the ones presented in this paper, but the modus operandi is identical.

READ MORE

New Pacifier APT Components Point to Russian-Linked Turla Group

In 2016, Bitdefender uncovered a new advanced persistent threat dubbed Pacifier, targeting government institutions starting in 2014. Using malicious .doc documents and .zip files distributed via spear phishing e-mails, attackers would lure victims with invitations to social functions or conferences into executing the attachments. Our previous analysis of the Pacifier components revealed that it’s capable of dropping multi-stage backdoors and that the analyzed first stage dropper is also known as “Skipper” by other security vendors.

Our new whitepaper covers an in-depth analysis of the three new backdoor modules, as well a short description of their capabilities and features.

READ MORE

Remote Exploitation of the NeoCoolcam IP Cameras and Gateway

The Internet of connected things has changed the way we interact with our homes, offices or even with our own bodies. But although connected devices are sold mostly everywhere, manufacturers haven’t dived deep into the technology, as more innovation is expected to emerge the more connected we are.

In 2016, security researchers from Bitdefender detected multiple vulnerabilities in a number of Internet of Things devices. This paper is another investigative effort in the IoT space and it details the compromise of a vendor’s line of IPTV and gateway products by trivial remote exploitation.

READ MORE

Inexsmar: An unusual DarkHotel campaign

The DarkHotel threat actors have been known to operate for a decade now, targeting thousands of businesses across the world via Wi-Fi infrastructure in hotels.

This whitepaper covers a sample of a particular DarkHotel attack, known as Inexsmar. Unlike any other known DarkHotel campaigns, the isolated sample uses a new payload delivery mechanism rather than the consacrated zero-day exploitation techniques. Instead, the new campaign blends social engineering with a relatively complex Trojan to infect its selected pool of victims.

READ MORE

Everything we know about GoldenEye

On January 27th, reports of a rapidly spreading ransomware attack started to emerge from Ukraine. The speed at which critical infrastructure networks were shutting down pointed to a ransomware application with a wormable component, whose virality called to mind the WannaCry ransomware. In less than three hours, the infection crippled banks, ATMs, public transport and an airport, as well as utilities provider Kyivenergo. Then it spread outside the Ukraine.

As multiple critical infrastructure networks reported major blackouts, Bitdefender started an internal investigation over the isolated malware samples to trace the attack’s origin and better understand what it targeted, and how. The following report is based on our internal telemetry and reflects what we know as of the moment of writing.

READ MORE

Everything you need to know about the WannaCry ransomware

For the past decade or so, increasing tensions between International governments have led to what IT security experts call today “cyberterrorism” – the use of cyberweapons (hacks) to spy on or to commission cyber-attacks overseas.

The most recent such example occurred on May 12, 2017 when an unknown group of hackers deployed what was to become the most dangerous ransomware attack ever recorded. WannaCry, as the malware is dubbed, leverages a (now patched) 0-Day vulnerability developed by hackers contracted by the NSA. This whitepaper is a technical detail into how the malware operates and its spreading techniques.

READ MORE

Inside Netrepser – a JavaScript-based Targeted Attack

In May 2016, the Bitdefender threat response team isolated a number of samples from the internal malware zoo while looking into a custom file-packing algorithm. A deeper look into the global telemetry revealed that this piece of malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets.

Its unusual build could have easily make it pass like a regular threat that organizations block on a daily basis ; however, telemetry information provided by our event correlation service has pointed out that most of its victims are government agencies.

READ MORE

Delivering strong security in a hyperconverged data center environment

A new trend is emerging in data center technology that could dramatically change the way enterprises manage and maintain their IT infrastructures. It’s called hyperconvergence, and it’s gaining momentum as companies look for ways to run more efficient and agile technology environments.

READ MORE

Dissecting the APT28 Mac OS X Payload

Since the APT28 group’s emergence in 2007, Bitdefender has become familiar with the backdoors used to compromise Windows and Linux targets, such as Coreshell, Jhuhugit and Azzy for the former OS or Fysbis for the latter.

This year we have been able to finally isolate the Mac OS X counterpart - the XAgent modular backdoor. This whitepaper describes our journey in dissecting the backdoor and documenting it piece by piece.

READ MORE

Virtualization makes CIOs role key (UK)

A Bitdefender survey of 153 IT decision makers in the United Kingdom in companies with more than 1,000 PCs, shows they will rise in companies’ hierarchies, as CEOs and board members face increasing internal and external security risks that could ruin customer trust and business forecasts. Still, not all C-suites include CIOs/CISOs in the business decision-making process. This survey, carried out by iSense Solutions, shows how IT decision makers perceive their role inside the organizations and what they need to meet shareholder
expectations. How has virtualization changed the security game? How many attacks can be stopped with the current resources? Would they pay to avoid public shaming?

READ MORE

Encrypting Businesses – ransomware developers’ favorite cash cow

Ransomware, the most prolific cyber threat of the moment, gains foothold in organizations and companies via file-sharing networks, e-mail attachments, malicious links or compromised websites that allow direct downloads. The first quarter of 2016 saw 3,500% growth in the number of ransomware domains created, setting a new record.

READ MORE

Virtualization brings new security challenges for large companies (UK)

A November 2016 Bitdefender survey of 153 IT decision makers in the United Kingdom in companies with more than 1,000 PCs shows that virtualization is a strategic priority, yet they are still not fully ready for the security challenges this environment brings. Hybrid infrastructures have become the major common architecture in the enterprise environment and CIOs have to adapt to the new world. This survey, carried out by iSense Solutions, shows the main security concerns and issues they face. What cyber threats are companies not ready to handle? What are the main concerns regarding the security management of hybrid infrastructures? Why do IT decision makers fear for their jobs?

READ MORE

The Impact of Virtualization Security on Your VDI Environment

VDI empowers employees and employers with many benefits, no matter the size of the organization. However, as with any environment, security should always play a pivotal role and should complement the business environment. With VDI it’s no different; security should be seamless, without any effect on the user experience.

READ MORE

Securing the Virtual Infrastructure without Impacting Performance

Virtualization offers many benefits, but also raises additional performance issues in areas of security. This bodes the question: is virtualization security counterproductive? Moreover, do the currently-available security solutions impact some of the benefits offered by virtualization, creating bottlenecks and additional issues in virtualized environments as compared to physical server environments?

READ MORE

Evolve or Die: Security Adaptation in a Virtual World

As virtualization projects continue to accelerate, organizations are discovering they have changed how datacenters are architected, built, and managed.

This white paper explores areas of security concern organizations must address as they move, ever-increasingly, to rely on virtualization.

READ MORE

Next Generation Security for Virtualized Datacenters

To accelerate the business benefits enabled by virtualization, companies must not overlook security. However isolated and self-contained, virtual containers are still vulnerable to increasingly sophisticated malicious attacks carried out by dedicated networks of cybercriminals. The larger the virtualized environment, the more challenging it can become to efficiently secure virtual machines.

READ MORE

The New IT Acronym KISSME: Keep IT Security Simple, Manageable, and Effective

IT has evolved immensely over the past decade, always adapting to become faster, more agile, and more efficient. Unfortunately, security threats have evolved as well, and are more stealthy, more intelligent, and more malicious than ever before.

READ MORE

Getting the most out of your cloud deployment

Virtual machines in a cloud environment are as susceptible to nefarious exploitation – where sensitive data is highly valuable – as physical machines. The same exposure profile exists regardless of the underlying platform (traditional physical, virtualized, private cloud or public cloud). Although traditional security can be used in the cloud, it is neither built, nor optimized for the cloud.

READ MORE