Cyphort Labs Threat Report Summary Prepared for: Vandelay Industries



2 PROPRIETARY AND CONFIDENTIAL. ©2015 Cyphort, Inc. All Rights Reserved.

Cyphort Labs Threat Report Summary : Vandelay Industries

About this report

At Cyphort, we understand that it takes more than an effective threat monitoring and mitigation product to successfully defend against modern attacks and threats. A proof-of-concept (POC) deployment is the first step in learning about the specific threat-protection needs of the customer environment, the possible observation points in the network that give sufficient visibility into all traffic of interest, the desired workflow for security monitoring and incident response, and the security posture the customer ultimately wants to achieve given their resource and priority considerations.

When customers choose to be part of the Cyphort Threat Intelligence Network, Cyphort Threat Labs becomes actively involved in the POC process through daily monitoring of incident alerts on customers' networks. Cyphort researchers provide customers with proactive email communication on any significant incidents of potential interest on an as-needed basis, and create threat summary reports on the customer's behalf toward the end of the POC period.

The Cyphort Labs Threat Report Summary is designed to provide a more comprehensive view on:

• Significant threat incidents discovered during an extended period of time, typically several weeks, so that traffic fluctuation associated with time-of-day activity patterns is accounted for. These include the whole spectrum of alerts: serious threats, suspicious activities and adware, and any instances of noisy alerts.

• Visibility stats that shed light on what types of files are being moved across the customer network, at what volumes, and through what agents (e.g. humans browsing the web vs. automated programs). We believe that good visibility and awareness go a long way toward a strong defense posture.

• More details on selected threats and malware objects. The details are based on deep-dive research conducted by the Cyphort threat researchers to reveal things like attack payloads, threat intent, and other threat indicators. A set of mitigation actions and best-practice recommendations is also included when applicable.

• Background and other useful references. While it is important to take immediate mitigation actions in order to contain the threats and minimize potential impact, it is more important to take steps to improve long-term posture by implementing continuous monitoring capabilities, extending coverage of threat vectors, and addressing security practice and policy needs.

This report is based on observations made at customers spanning the period from November 2013 to March 2014. Monthly data are the actual aggregates for the respective month, while daily data are for the specific days noted. In those cases we simply picked a specific day that seemed fairly typical of a weekday with respect to the reported stats.

As always, the Cyphort Threat Labs welcome all your feedback and suggestions for improving these reports. Please send your feedback to [email protected].


Incident Alerts Summary

High Severity Threats

Malware download incidents including:

• Zeus Trojan
• Cidox malware

Suspicious Apps And Adware

186 Adware instances:

• Genieo
• Conduit
• ShadyOffer
• Wajam
• InstallCore
• MyWebsearch
• and others

Noise

• 36 false positives (out of 384,000 objects scanned)


Monthly Activity Summary

Date            Unique IPs   HTTP Downloads   Unique Files
March 2014      17k          550k             157k
February 2014   23k          288k             101k
January 2014    25k          215k             52k
December 2013   22k          250k             89k
November 2013   9k           80k              37k

Daily Top Analyzed Files

File Type             File Count (as of 3/12/2014)
ZIP Archive           50,713
PDF                   5,576
Mac Executable        1,254
Windows Executable    534
Microsoft Office      157

OS Mapping            Downloads (as of 3/12/2014)
MacOS                 48,107
Unknown               5,537
Windows               1,402
Apple IOS             1,297
Android               134

Daily Human vs. Auto Browsers (chart)

• The "Unknown" count corresponds to apps using non-standard User-Agent strings, for which there is no ready OS mapping.

• The upcoming Cyphort release will ingest endpoint scan data for accurate OS mapping.
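To illustrate the OS-mapping note above, here is an added example (not part of the Cyphort report) that buckets User-Agent strings into the same OS categories as the table and separates browser-like agents from automated ones; the agent strings it runs over are constructed samples, and the human/auto heuristic is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Cyphort report: bucket User-Agent strings into the
# report's OS categories and separate browser-like ("human") agents from automated
# ones. The human/auto heuristic is an assumption of this example.
os_from_ua() {
  case "$1" in
    # iOS first: its agents also carry "like Mac OS X" and would otherwise match MacOS
    *iPhone*|*iPad*|*iPod*)   echo "Apple IOS" ;;
    *Android*)                echo "Android" ;;
    *Macintosh*|*"Mac OS X"*) echo "MacOS" ;;
    *Windows*)                echo "Windows" ;;
    # No recognisable platform token: this is the report's "Unknown" bucket
    *)                        echo "Unknown" ;;
  esac
}

# Browsers send "Mozilla/... (platform details)"; updaters, download tools and
# scripts such as curl or Java clients usually send a bare product token.
agent_kind() {
  case "$1" in
    Mozilla/*"("*")"*) echo "human" ;;
    *)                 echo "auto" ;;
  esac
}

# Read one UA per line on stdin and emit "count OS kind" lines, sorted by OS/kind
summarise() {
  while IFS= read -r ua; do
    echo "$(os_from_ua "$ua") $(agent_kind "$ua")"
  done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample agents standing in for one day of HTTP download records
SAMPLE_UAS='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14
Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.0.0 Mobile Safari/537.36
curl/7.30.0
Java/1.7.0_51
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14'

# Run the summary over the constructed sample
summarise_sample() { printf '%s\n' "$SAMPLE_UAS" | summarise; }
```

Piping a real proxy log's User-Agent column into `summarise` gives the same "Unknown"/automated split the report describes, and the two bare product tokens in the sample land in that bucket.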


Actions & Recommendations

Zeus Trojan instance [19c77b56269a31a01aa0572da78e1b15]

• Clean the machine immediately using System Restore
• Block the C&C IP address in Korea: 61.38.200.5

Cidox Trojan instance [ace4334e7bbe67a4e4f639c62689f812]

• Clean the machine immediately using System Restore
• Block the C&C domains: sugar-freez.com, networksecurityx.hopto.org

Adware

• Conduit is a browser hijacker in that it changes your home page and search provider. This component ensures that any subsequent changes to the search provider revert back to Conduit. We suggest removing it.
• Genieo is adware for the Mac platform that intercepts users' searches. We suggest removing it.
• ShadyOffer is adware that monitors the mouse and keyboard. Block the C&C URL: http://stub.goobzo.com/p.ashx
• Wajam is adware that hijacks search results. We suggest removing it.


Zeus Trojan Background

• Zbot, or the Zeus malware family, is one of the most dangerous malware families (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fZbot)
• Sophistication: three key components
  1. a toolkit for creating and delivering the threat
  2. the Trojan that gets installed and controls the victim's machine
  3. the command & control (C&C) server that directs the malicious activities and facilitates data theft
• Spreads infection by social engineering, spear-phishing, and drive-by download
• Known malicious activities so far: shutting down the machine, deleting files, browser hijacking, data theft, Trojan dropping, cookie stealing, bank fraud, bitcoin stealing.

Conduit Background

• Conduit is an adware program that changes your browser home page and default search engine to search.conduit.com. Conduit creates a toolbar in your browser and, whenever you run a search, displays its own ads among the first search results. Conduit is installed together with freeware/shareware programs (MP3 rippers, YouTube downloaders, etc.). Some Trojans distribute it as well.


Genieo Mac Adware Background

• Genieo comes in as a Mac dmg file. Inside is adware that customizes your Internet browser page to display products that it believes you'll find interesting. It was being distributed through installers that pretend to be something they are not, such as fake Adobe Flash Player installers. It intercepts searches on Google, Bing and Yahoo and silently redirects them to Genieo or its partner engine. See http://en.wikipedia.org/wiki/Genieo
• Once Genieo.dmg is downloaded, it installs Genieo.app and adds it to the Login Items so that it is restarted at login.
• It also installs a Launch Agent: /Library/LaunchAgents/com.genieo.engine.plist
• Along with two dynamic libraries: /usr/lib/libgenkit.dylib and /usr/lib/libgenkitsa.dylib
• libgenkit.dylib is added to OS X's global launchd configuration file: /etc/launchd.conf
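As an added example (not the report's own material), the following POSIX shell function checks a Mac, or a mounted image of one, for the Genieo persistence artifacts listed above; the optional root-path argument and the osascript query for Login Items are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Cyphort report: look for the Genieo persistence
# artifacts the report lists. An optional root path (assumption of this example)
# points the check at a mounted disk image or test tree instead of the live system.
# Prints one "PRESENT ..." line per indicator found; prints nothing on a clean host.
genieo_artifacts() {
  root="${1:-}"   # "" = live system, "/Volumes/image" = mounted image

  # Launch agent plist and the two dynamic libraries named in the report
  for p in /Library/LaunchAgents/com.genieo.engine.plist \
           /usr/lib/libgenkit.dylib \
           /usr/lib/libgenkitsa.dylib; do
    if [ -e "$root$p" ]; then
      echo "PRESENT $p"
    fi
  done

  # /etc/launchd.conf is legitimate on its own; only a libgenkit entry is an indicator
  if [ -f "$root/etc/launchd.conf" ] && grep -qi libgenkit "$root/etc/launchd.conf"; then
    echo "PRESENT /etc/launchd.conf references libgenkit"
  fi

  # Login Items can only be queried on the live system, so they are skipped for an image
  if [ -z "$root" ] && command -v osascript >/dev/null 2>&1; then
    if osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null \
         | grep -qi genieo; then
      echo "PRESENT Genieo login item"
    fi
  fi
  return 0
}
```

Run `genieo_artifacts` on the live machine, or `genieo_artifacts /Volumes/image` against a mounted image; any output is a reason to apply the removal recommendation above.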


ShadyOffer Adware Background

ShadyOffer has the following malicious behavior:

• Steals system information
• Monitors mouse and keyboard
• Downloads files
• Shows pop-ups from a notification that offers to install additional software

After some delay it starts to show a notification bar that offers the infected user free backup software called "MyPC Backup". That software presents a "Protect Now" button that asks the user for a monthly payment to properly protect their files.


Wajam Adware Background

• Wajam is an adware browser extension that bills itself as a social search engine that gives you recommendations from your friends everywhere you like to search. Wajam monetizes its service through affiliate links to Shopping.com. Unwanted installations of Wajam also have the capability to hijack a browser's search functions and display undesired ads. See http://en.wikipedia.org/wiki/Wajam
• Wajam was founded by Martin-Luc Archambault, who was previously the President of Zango Canada.
• Zango, formerly ePIPO, 180solutions and Hotbar, was an adware company that was charged by the Federal Trade Commission for "Deceptive Failure to Disclose Adware", "Unfair Installation of Adware", and "Unfair Uninstall Practices" in violation of the Federal Trade Commission Act.

About Cyphort

Founded in 2011 by a team of security experts, Cyphort advanced threat defense goes beyond malware detection to reveal the true intent of the attack and the risk to your organization, with prioritized and expedited remediation. Our software-based approach combines best-in-class malware detection with knowledge of threat capabilities and your organizational context to cut through the avalanche of security data, get at the threats that matter, and respond with velocity, in hours not days.

Sales/Customer Support
1-855-862-5927 (tel)
1-855-8-MALWARE (tel)
1.408.540.1299 (fax)
Email: [email protected]


CYPHORT, Inc.
5451 Great America Parkway, Suite 225
Santa Clara, CA 95054
P: (408) 841-4665
F: (408) 540-1299