What Magna Saw

Previous Blogs:

Consumers are easy targets for free utilities that promise to speed up their computers. Maybe it is because Windows PCs become sluggish after months of use, or maybe it is because consumers simply want the best performance. Whatever the reason, PC cleaners and PC optimization tools should only be installed from reputable sources. In an enterprise environment, only IT-approved tools should be installed at all.

In 2015, a security analyst at a manufacturing company noticed that the anti-virus engines on many of the company's laptops were out of date even though the software had been configured to update automatically. Once the anti-virus software downloaded fresh virus definition files, it detected malware on seven laptops. The security analyst, with the assistance of the company's IT team, quickly reimaged the infected laptops. The analyst was not surprised that the anti-virus software had found malware: signature-based endpoint protection can only detect what its current definitions describe, so once the definition updates failed, even commodity malware could run undetected on those laptops, and zero-day or custom malware would have evaded the signatures regardless.

Web browsers and toolbars can be important tools for increasing employee productivity. They are commonly downloaded from various sites without much thought about the security implications. Recently, LightCyber Magna detected a change in the behavior of one workstation, having already established a profile of normal activity for that device and its peers. More specifically, using automated endpoint data investigation, Magna detected a large number of failed DNS requests, along with requests for what appeared to be randomly generated names, coming from the workstation. Here's what happened next…

While shared Administrator accounts are necessary to configure systems and administer other accounts in the environment, these accounts are also the crown jewels for anyone seeking unauthorized access to servers on the network. An attacker with such access can create any other accounts they desire, change configuration settings, corrupt data, or launch attacks on other hosts. (Reference SANS http://www.sans.org/reading-room/whitepapers/basics/administration-shared-accounts-1271). Recently, Magna detected an account named "Administrator" being used to log in to 38 hosts on the network, more than 35 times the learned baseline of 1.08 hosts.

Recently, LightCyber Magna alerted a security analyst that, in a single day, a workstation on his network had generated almost 5,000 failed DNS requests for what appeared to be invalid domains. This was a 20,000x increase over the baseline of 0.02 failed DNS resolutions that Magna had calculated when it profiled the workstation. One example of these invalid domains, bppzehpmfcczars2p.com, is shown in the screenshot below. The alert also identified the process responsible for generating the DNS requests: svchost.exe. It turned out the workstation had been rebooted, and the svchost.exe process began making the DNS requests as soon as it started back up.
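The shared-Administrator alert and the failed-DNS alert above are the same kind of check: count something per entity per day, compare it with a baseline learned over a profiling period, and alert when the ratio is extreme. The script below is an added example, not LightCyber or Magna code; Magna's profiling model is not public, and the per-day mean used here is a simple stand-in for it. The log lines, host names, process names, thresholds, and every domain other than bppzehpmfcczars2p.com are constructed for illustration. It also goes a little beyond the text by adding a cheap randomness heuristic on the queried label, so that DGA-looking names are separated from ordinary typos in the failed lookups.

```python
"""Baseline-vs-spike detection over constructed log lines.

Added example, not LightCyber/Magna code. Two checks: an account logging in
to far more hosts than usual, and a workstation producing far more failed
DNS lookups than usual. The baseline is a plain mean over a profiling
period; the real product's model is not public and is not reproduced here.
"""
import math
from collections import defaultdict

# ---- constructed sample data (not real logs) ---------------------------------
# Logon events: "<day> <account> <host>". The shared Administrator account
# normally touches one host a day, then fans out to 38 hosts on 2015-06-04.
LOGON_LINES = [
    "2015-06-01 Administrator SRV-01",
    "2015-06-02 Administrator SRV-01",
    "2015-06-03 Administrator SRV-02",
    "2015-06-01 jsmith WS-17",
    "2015-06-04 jsmith WS-17",
] + [f"2015-06-04 Administrator WS-{i:02d}" for i in range(38)]

# DNS events: "<day> <host> <process> <qname> <rcode>". WS-17 has one stray
# NXDOMAIN (a typo) in its profile period, then a burst of random-looking
# names from svchost.exe. Only bppzehpmfcczars2p.com comes from the text.
DNS_LINES = [
    "2015-06-01 WS-17 chrome.exe www.example.com NOERROR",
    "2015-06-02 WS-17 chrome.exe wwww.example.com NXDOMAIN",
    "2015-06-03 WS-17 chrome.exe www.example.com NOERROR",
    "2015-06-04 WS-17 svchost.exe bppzehpmfcczars2p.com NXDOMAIN",
    "2015-06-04 WS-17 svchost.exe kxqwvbtrzlmndp.com NXDOMAIN",
    "2015-06-04 WS-17 svchost.exe qzplwvxmrtbkjh.net NXDOMAIN",
    "2015-06-04 WS-17 svchost.exe vmxzqbrtlpwnkd.com NXDOMAIN",
    "2015-06-04 WS-17 svchost.exe hgtrpzkxwmqbvn.org NXDOMAIN",
    "2015-06-04 WS-17 svchost.exe ctldl.windowsupdate.com NOERROR",
]
PROFILE_DAYS = ["2015-06-01", "2015-06-02", "2015-06-03"]  # learning period
DETECT_DAY = "2015-06-04"


def hosts_per_account(lines):
    """{account: {day: number of distinct hosts logged in to}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        day, account, host = line.split()
        seen[account][day].add(host)
    return {a: {d: len(h) for d, h in days.items()} for a, days in seen.items()}


def failed_dns_per_host(lines):
    """{host: {day: failed-lookup count}} and the failed (process, qname) pairs."""
    counts = defaultdict(lambda: defaultdict(int))
    failed = defaultdict(list)
    for line in lines:
        day, host, process, qname, rcode = line.split()
        if rcode != "NOERROR":            # NXDOMAIN, SERVFAIL, ... all count
            counts[host][day] += 1
            failed[(host, day)].append((process, qname))
    return counts, failed


def spike_ratio(series, profile_days, day):
    """Observed value on `day` against the mean over the profile period.
    Days absent from the series count as zero. A zero baseline means the
    behaviour was never seen before, so any activity is reported as inf."""
    baseline = sum(series.get(d, 0) for d in profile_days) / len(profile_days)
    observed = series.get(day, 0)
    if baseline == 0:
        return observed, baseline, (math.inf if observed else 0.0)
    return observed, baseline, observed / baseline


def find_spikes(per_key_series, profile_days, day, threshold):
    """[(key, observed, baseline, ratio)] for every key at or above threshold."""
    hits = []
    for key, series in per_key_series.items():
        observed, baseline, ratio = spike_ratio(series, profile_days, day)
        if ratio >= threshold:
            hits.append((key, observed, baseline, ratio))
    return hits


def looks_machine_generated(qname):
    """Cheap DGA heuristic on the second-level label: long, high Shannon
    entropy, almost no vowels. Thresholds are illustrative, not tuned."""
    parts = qname.rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]                      # naive: no public-suffix handling
    if len(label) < 10:
        return False
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    return entropy > 3.0 and vowel_ratio < 0.25


def run_detection(logon_lines=LOGON_LINES, dns_lines=DNS_LINES,
                  profile_days=PROFILE_DAYS, day=DETECT_DAY, threshold=10):
    """Run both checks; return findings keyed by check name."""
    findings = {"account_fanout": find_spikes(
        hosts_per_account(logon_lines), profile_days, day, threshold)}
    counts, failed = failed_dns_per_host(dns_lines)
    findings["failed_dns"] = [
        (host, observed, baseline, ratio,
         sorted({p for p, _ in failed[(host, day)]}),            # responsible processes
         [q for _, q in failed[(host, day)] if looks_machine_generated(q)])
        for host, observed, baseline, ratio in
        find_spikes(counts, profile_days, day, threshold)
    ]
    return findings


if __name__ == "__main__":
    for check, hits in run_detection().items():
        for hit in hits:
            print(check, *hit)
```

Two design points matter in practice. Days on which an entity is silent must count as zero in the baseline, otherwise an account that logs in once a month looks "normal" at any volume on the day it is active; and a baseline of exactly zero is the strongest signal of all (a never-seen behaviour), so it is reported as infinite rather than skipped to avoid a division error. The process attribution in the DNS finding is what turns "many NXDOMAINs" into something an analyst can act on, since it names the binary to pull from the host.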