BitDam Blog

Best of RSA 2019 – A First-timer’s Perspective
Rotem Shemesh
3 minutes & 7 seconds read · March 11, 2019


Dispatch from the world’s premier security event

With more than 40,000 attendees (InfoSec practitioners, Security Ops, software architects, CISOs), 500 sessions and the entire city packed with conference visitors, attending the RSA Conference for the first time was an overwhelming experience. It seemed like the whole city was talking cyber security: signs everywhere, side events in every hotel, and I won’t even mention how difficult it was to find a proper table in a restaurant… (actually, I did get a table at Ozumo and that was an amazing dinner!)

As someone who’s relatively new to the security space, the real experience from my perspective was to see first-hand the depth and breadth of the IT security space. There are so many categories (such as Risk & Compliance, Network Security, Cloud Security, Mobile Security etc.), sub-categories (including Email Security, Data Leak Prevention, Firewall, Endpoint Security, VPN, SIEM, Biometrics and so on) and sub-sub-categories (like SCADA security for buildings or biometrics for contact centers) to information security. There are so many potential breaches and so much data to protect. I knew that before but didn’t really realize the scope of it.

So what did I learn at RSA 2019?

1. Wherever you look, there is a growing need for better security

I learned that wherever there is information, or a connection to information, there is also a risk of having this information lost or stolen. I also learned that as the technology evolves and new techniques emerge, these innovations lead directly to an increased potential for data loss and breaches, and therefore an increased need to protect against and mitigate them. That’s why we see more and more niche security solutions – for healthcare, for IoT, for industrial IoT, for DevOps, for specific mobile apps and so on – and I fully expect that trend to continue.

2. Stick to security basics

Although there are plenty of new market categories that are driven by real needs, most attacks still start with an employee lured to click a malicious file or link. There are many cyber security solutions aiming to address this problem – from securing the network, through securing email gateways and endpoints, and all the way to employee training and education. However, at the end of the day there is still a gap, and even though these solutions are in place, organizations are still being breached at an increased rate. Therefore, it is no surprise that even in 2019, these “basic” solutions are still a key part of RSA. And you know what, as long as the arms race of email and content security is taking place, they are not going anywhere.

3. Enough with FUD

And perhaps the most important thing for me as a marketer was to notice how everyone talks the same language. Almost all the vendors are talking about threats, attacks and risks. I understand why they use FUD (and I do that too sometimes, after all, I’m in security too), but I did miss two things – looking at the positive side of things (for example, how these cyber solutions make your life easier), and some sense of humor. It seems like everybody is so busy frightening others, that they sometimes forget that after all, we talk to people and people like to laugh.

IT and cyber security is not going anywhere; there is a growing need for it across industries, roles, geographies, organizations, and basically wherever you look. Even traditional problems like email or network security gaps are not fully addressed yet; there is a need for innovation there too. And the entire conversation is around threats, risks, attacks, loss. Makes you wish we lived in a safer world. On a personal note as a marketer, I would try changing the attitude, and the lingo, to a more positive one.

Even TrickBot Didn’t Trick BitDam
Roy Rashti
3 minutes & 37 seconds read · February 13, 2019


Running at one of our American customers, the BitDam service recently detected an email containing a TrickBot dropper with the following SHA-1: 8cad6d7f47553b363698230c36c36cb39a801126.

It was pretending to be sent from Bank of America – the subject of the email was “FW: Incoming Confirmation” and it arrived from The attackers tried to lure their victim into clicking the attachment by pretending the email was sent by a known bank.

You can read more about TrickBot at the end of this blog post, but first I’d like to take you through the analysis of this attack.

Attack Analysis

The following is a technical analysis of the interesting attack vector that we detected just a couple of weeks ago at one of BitDam’s customers.

When I opened the file, it was quite clear that it attempts to look like a ‘Bank of America’ document, as shown in Figure 1.

Figure 1

The attack was macro based, and as I tried viewing the macro, I noticed that the VBA project was password protected. That was done by the attackers in order to make it harder for security teams to debug or view the VBA code of the attack, which was obviously well written.

Once I bypassed the password protection (it was relatively easy), I saw that the VBA project (shown in Figure 2) is made of a VBA module containing most of the code, and a form.

Figure 2

The code in the workbook was very simple. The attackers implemented a Workbook_Open function, which runs automatically when the workbook is opened. That function made only one simple call (shown in Figure 3).

Figure 3

The attackers made a significant effort to make their code look as legitimate as possible. Unlike most cases where we see heavily obfuscated code, this one was clear and even had some comments in it.

The malicious content that the attackers were trying to hide was found in a textbox inside the form.

Figure 4 shows the value hidden in the textbox and the beginning of the ‘de-obfuscation’ of that odd, unreadable string.

Figure 4

Eventually, the string becomes readable and the attackers launch a shell that is supposed to execute it. Figure 5 shows the shell execution and the value it executes.

Figure 5

Copied out on its own, the full PowerShell command line is shown in Figure 6.

Figure 6

The attackers tried to avoid detection at every phase of the attack. In the PowerShell execution line there are no URLs and no downloader, just a long, odd-looking string that is base64-decoded and then decompressed with GZIP. To see what that stream contains, I decoded and decompressed it myself and got PowerShell code with obvious intentions, shown in Figure 7.

Figure 7

Even here, in code whose intent to download and run an executable is plain, the attackers inserted comments, probably to break up textual sequences and so avoid detection.

This code is relatively clear as it attempts to download the payload from two different servers:

  • jamaicabeachpolice[.]com/za.liva
  • gba-llp[.]ca/za.liva

The payload (SHA-1 f91ed88e61b431ce883f75797ad36c5a4a9ca212) is TrickBot.
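To show the unwrapping step described above in a form an analyst can run offline, here is an added example in Python; it is not code from the post or from BitDam. It constructs a harmless stand-in stage (two made-up URLs and a marker line), wraps it as GZIP-then-base64 the way the observed dropper carried its stage, embeds it in a constructed command line that only mimics the shape the post describes (no URL visible, one long blob), and then flags and decodes it. The names `encode_stage`, `decode_stage`, `analyze_cmdline`, the marker list and the sample command line are all assumptions of the example.

```python
import base64
import gzip
import re

# Constructed stand-in for the decoded stage. The real script from the sample is
# not reproduced; this one only carries two made-up URLs and a marker line.
SAMPLE_STAGE = (
    "# constructed placeholder for the second stage\n"
    "$first = 'http://example.invalid/first.bin'\n"
    "$second = 'http://example.net/second.bin'\n"
    "Write-Output 'stage decoded'\n"
)


def encode_stage(script):
    """Wrap a script the way the observed dropper carried its stage:
    GZIP-compress, then base64-encode. Used here only to build test input."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")


def decode_stage(blob):
    """Reverse the wrapping: base64-decode, then GZIP-decompress."""
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8", errors="replace")


def build_sample_cmdline(blob):
    """Constructed command line mimicking the shape described in the post: no URL
    visible, just a long blob that is base64-decoded and GZIP-decompressed in
    memory. It is deliberately not a working launcher."""
    return ("powershell.exe -NoProfile -WindowStyle Hidden -Command "
            "\"[Convert]::FromBase64String('" + blob + "') | GzipStream Decompress\"")


# Markers a defender can key on: the three pieces needed to unwrap such a stage.
TELLTALE = ("frombase64string", "gzipstream", "decompress")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?", re.IGNORECASE)


def looks_like_packed_stage(cmdline):
    """True when a command line carries all three unwrapping markers."""
    low = cmdline.lower()
    return all(marker in low for marker in TELLTALE)


def extract_blob(cmdline):
    """Pick the longest base64-looking run; that is the packed stage."""
    runs = BASE64_RUN.findall(cmdline)
    return max(runs, key=len) if runs else None


def analyze_cmdline(cmdline):
    """Decode the packed stage and list the URLs it contains, if any."""
    if not looks_like_packed_stage(cmdline):
        return {"packed": False, "script": "", "urls": []}
    blob = extract_blob(cmdline)
    script = decode_stage(blob) if blob else ""
    return {"packed": True, "script": script, "urls": URL_RE.findall(script)}


if __name__ == "__main__":
    cmd = build_sample_cmdline(encode_stage(SAMPLE_STAGE))
    report = analyze_cmdline(cmd)
    print("packed:", report["packed"])
    print("urls:", report["urls"])
```

The string match on the three markers is only a cheap first filter; as the post notes, the attackers deliberately hid the URLs behind the encoding, so it is the decode step that actually surfaces the download locations for blocking and hunting.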

A bit about TrickBot

TrickBot is one of the newest banking trojans. It was initially seen in 2016. TrickBot aims to steal banking details, stored passwords, and emails, as well as stealing from Bitcoin wallets.

TrickBot has several modules, each with its own purpose: one for propagation, another for stealing passwords, a module for setting up persistence mechanisms, etc. TrickBot communicates with its Command and Control (C&C) servers, which are hosted on compromised routers.

Propagation-wise, TrickBot uses the EternalBlue SMB exploit (the same one used by WannaCry and NotPetya) to reach new computers within the network. Any computer that has not been updated with the relevant patch is vulnerable to that exploit.

In an unpatched network in which TrickBot can spread easily, it will be hard to get rid of it. Keeping its persistence using scheduled tasks, it can gain a foothold on many computers within the organization, and leak and take control over a lot of banking accounts and mailboxes.

The organization that was targeted by this specific TrickBot attack uses BitDam as the last line of defense. This means that this attack, detected by BitDam, has actually bypassed all other security solutions in place before BitDam caught it. Just imagine what would have happened if the BitDam solution wasn’t there.

Introducing BitDam Advanced Threat Protection for Cloud Storage
Rotem Shemesh
1 minute & 30 seconds read · February 7, 2019


Keep combating content-borne cyber attacks

As you probably know, BitDam Advanced Threat Protection (ATP) for Email protects hundreds of thousands of mailboxes, scanning millions of emails for malicious files and links. That’s awesome – we love protecting our customers, we detect malicious emails all the time, and prevent them from reaching end users. It really is cool. But this is not enough.

Email protection is important, but what about other channels?

All of us use additional collaboration channels every day. We upload, download and share files over cloud storage. You may be using Google Drive, OneDrive, SharePoint, Dropbox, Box or any other cloud collaboration platform, but you definitely use at least one of those as part of your day-to-day work. And guess what? Attackers know that. They also know that these channels are much less protected than corporate email. And guess what? They’re going to take advantage of it!

BitDam 3.0 to the rescue

This is exactly why we decided to expand our solution to help protect important cloud content collaboration channels such as MS OneDrive, SharePoint, G-Drive, Dropbox and Box. As a leader in protection against content-borne attacks, we understand that there are multiple channels allowing content to reach end-users, and a key channel is cloud drives. BitDam 3.0, which is now available for our customers, covers cloud storage in addition to email, scanning every file and link that is uploaded to the drive in order to ensure that end-users can access legitimate files only.

To give you a glimpse of what I’m talking about, here is a screenshot of our (brand new) dashboard that helps SOC teams view, manage, analyze and investigate malicious files in order to take immediate action once an attack takes place. 


Want to learn more about BitDam 3.0? Contact us to see a demo, or read the full press release announcing BitDam 3.0 here.

Rotem Shemesh
5 minutes & 56 seconds read · January 24, 2019

City and County of San Francisco’s Nathan Sinclair Shares His Experience of BitDam’s PenTest

Nathan Sinclair heads the Cybersecurity Defense team of the City and County of San Francisco, providing IT security services to about 30,000 employees. He recently engaged with BitDam, used its PenTest in several ways and reached some conclusions. In this interview he shares his experience with BitDam’s PenTest, including specific insights about the process, how it helped him assess different email security solutions and even push for doing more in less time.

Nathan, can you please give us some background about yourself and your job?

Nathan: I manage the cybersecurity defense team for the city and county of San Francisco. We are a central service for cybersecurity monitoring and alerting which serves the entire organization.

One of the newest additions is that now we are also focused on email protection. Our biggest challenge was phishing because we knew it’s a growing problem but didn’t have much visibility on what was going on, so that was the main trigger for our email security solution search.

How did you hear about BitDam?

Nathan: Our CISO, Mike Makstman, brought it to my notice. I had heard about BitDam before but didn’t have any direct touch with them. Then Mike told me about them and that they use an interesting approach. So I did some research and found out that it is indeed a different approach from how all others do email security, and it sparked my curiosity. That was when we kicked off, saw a demo and understood what it does. Understanding the technology underlying it, I realized how valuable it could be. That’s one of the reasons we went forward with procuring it.

Ok, so what was the next step?

Nathan: To start testing we used the BitDam online PenTest and forwarded some malicious emails to the BitDam portal to see how it works, just like we did with other email protection solutions. I know that this wasn’t the perfect test, but that was the best we could do as an initial step.

Alright, can you tell me a bit more about the PenTest itself? What was done there?

Nathan: Well, the Pentest – that was interesting!

I started with the free online PenTest – very simple. You just put your email address there. The first time we did that was actually very helpful because we tested multiple solutions using the same PenTest – sent the same emails to mailboxes equipped with different solutions so we got a true comparison.

Then we rolled into the advanced part of the BitDam PenTest, working with the company’s team. That was really good because the number of emails that were sent to all solutions was high and it gave us a representation of which emails the products could see, which ones saw what, whether they were able to detect malicious files and so on. This helped us narrow down the solutions very, very fast. This is the fastest POC that I’ve ever done for so many solutions at the same time in my whole career.

How many solutions did you test?

Nathan: We’ve examined about 5 solutions in total. We had licensing set up from different solutions to some internal mailboxes so each mailbox used a different solution. It was interesting to see in real-time how different solutions handle different malicious emails, which alerts they send etc.

What kind of products did you check in this PenTest?

Nathan: All products we’ve compared to were email security solutions. Some of them had additional functions like sandboxing and advanced analysis of the messages, so it was kind of a mix.

How would you evaluate these solutions without the BitDam PenTest?

Nathan: It would have been a similar process but a lot slower… We would have had to wait for certain malicious or phishing messages to come to us for real in order to send them to each of the solutions.

How long did the process of comparing these 5 solutions take?

Nathan: Honestly, once BitDam started to send all those messages the test was very quick. This PenTest was way more efficient than how we’ve been testing other solutions before. The PenTest analysis took about a month in total, and that was only so I can pull data and make sure I’ve tested all the features and covered all bases.

How easy was it to operate? Analyze?

Nathan: The initial one on the website was super easy. Literally, put your email address in, click a button, and click submit. The advanced PenTest was also easy. We just had to let the team know which email addresses to send the messages to. I had alerts set up so I knew when it was coming in, what time. It wasn’t anything that was complicated.

Anything worth sharing with others who may do this PenTest?

Nathan: We had to figure out a way to count the messages that did pass and came in, and there were hundreds of such messages. To deal with that, one of our guys set up a rule so he could tell me every morning how many messages actually made it to his mailbox. He just created a folder in order to track it and it was very interesting to see how many did make it through.

Also, for us, the PenTest helped us assess how we will operate on those systems when we get a false negative. A good representation of what’s going on is a pretty big deal to us since we serve different departments.

Were you surprised by the results?

Nathan: You know what, no, I wasn’t. We asked our peers what other solutions and services they have, and the actual experience they had with these solutions. So when we tested one of the first ones I wasn’t surprised, it was typical.

I was surprised by the speed of this PenTest which gave us the amount of time to be able to do everything that we wanted and even more.

And what was your impression of BitDam?

Nathan: I can definitely tell that it’s a company that doesn’t just sell a product but really builds a partnership which really fits how we operate with vendors. I think it’s really cool how the product looks at email very differently. The BitDam approach – creating the baseline of how something is supposed to work – was a key driver to make the decision to have it as a security blanket, especially for mailboxes that are more targeted than others.

Are there any cyber trends that you notice at the City and County of San Francisco?

Nathan: Our biggest target is our end users. That trend is going to continue. Malicious emails are looking more and more real every day. There have been a lot of messages that were targeted to us, that looked very genuine from where they come from and they are not. They send you to websites or places that look just like the website that could potentially send it. Once the user has clicked on it the damage has been done. I think we have to combine education of end-users and technology such as more intelligence and dynamic analyzing of those messages.

Detection solutions – the more the merrier?
Maor Hizkiev
4 minutes & 9 seconds read · January 15, 2019


I would like to invite you as a reader to take a deeper look at your perimeter solutions and their detection mechanisms. When you dig deep into the vendors’ websites or press releases, like I happen to do every now and then, you can find a lot of interesting information that some users are not aware of.

Specifically, I would like to draw your attention to the secrets of the detection mechanisms. As it appears from the vendors’ websites, most detection security solutions use more than one solution as their engines. Some hold an in-house-developed engine. Others only integrate external solutions into their infrastructure. You also hear about collaborations between vendors, that aim to provide you with stronger security. These typically market their solutions as even better, because “now you have five great engines that detect attacks instead of just one”.

At first glance it does seem great that you can get several detection engines in one solution, but is this really the case? Let’s look at it from the vendor’s perspective: you now have several engines, with different levels of knowledge about how they work and operate, and you need to integrate them into one holistic solution.

Information loss on the path to one verdict

The first issue that comes to mind is that end-users should get just one decisive verdict: “passed” or “blocked”. When more than one engine is integrated into one solution, you as a vendor need to take a set of indicators from the different engines and combine them into a single verdict of “passed”/“blocked”. This means that the vendor needs to build some logic for it. Whether it’s a proprietary algorithm, a machine learning algorithm, a simple rule-based decision engine or any other method, it is not an easy task, especially with only shallow knowledge of the solutions you integrate with and of the true meaning of their indicators. What we see happening here is that the problem moves to a different place, outside the engines, where a set of indicators that may or may not indicate malicious behavior is processed to produce a definitive answer. Do you know what happens when “engine A” provides a set of indicators that, in a stand-alone deployment, would flag the sample as malicious, but “engine B” usually flags it as benign? Which one will you take?

Having another engine doesn’t magically increase the detection rate. In my opinion, it might be even worse when the vendor doesn’t have its own engine, since it probably has less expertise in understanding and determining the true meaning of the indicators. The result of having too many sources of information is that some of the information is lost.

Economical decisions

Again, looking from a vendor’s perspective, you always measure your product economically. Running all engines all the time is expensive, and in some cases the license doesn’t permit extensive use of the engine. So the decision mechanism has to take financial or license restrictions into account, and those determine which engines to use for each sample. The common way to do this is to characterize the sample using static-analysis methods. For example, if a file contains a macro you’ll handle it differently from a file that doesn’t. It gets trickier with advanced attacks, where static evasion techniques are used (for example, see our blog post about a variant of CVE-2017-11882, “The Hawk in the NET (CVE 2017-11882) – Part 1”). In conclusion, this level of decision algorithm is complex and usually results in a lot of false negatives.

It takes longer to get security and engine updates

Another problem in integrating different detection engines into one solution is updating. Each detection mechanism, due to its reactive nature, evolves and creates new indicators quite often. In a stand-alone deployment the user may get those updates fast, but having the engine inside your product means that you need to know which new indicators were added and add them to the overall decision algorithm. Only then will you get to use the update. You can imagine that this takes time to develop and test, and I guess I don’t have to tell you how risky it is to wait so long for these updates.

So what’s the solution?

We, at BitDam, believe that these three issues are key reasons why we see many attacks bypassing all those integrated detection solutions available today. Generally speaking, we’ve reached the time when deployment can be quick and easy (thank you SaaS!), so there is no reason not to choose the best of breed instead of relying on your old trusted vendor to do it for you.

If you’re using one of those integrated solutions, I recommend testing how secure it really is. You can do this by using this free Penetration Test which takes just a minute (and is totally secure and private) on our website, or contact us for a more comprehensive PenTest.

Rotem Shemesh
4 minutes & 16 seconds read · December 20, 2018

Lead Data’s President in an interview on BitDam

With Lead Data as a trusted partner, we wanted to hear from Ron Redmond, Lead Data’s President, about their activities, how they tried BitDam using the company’s PenTest and why they decided to offer the solution to their customers.

Ron, please give me some background about Lead Data.

Ron: We started Lead Data 18 years ago, and back then focused on Check Point’s products and services, bringing them to organizations in the tri-state area. Since then, we’ve evolved and work with other partners including Microsoft, Cisco, RSA, f5, Terranova, Barracuda, and recently also BitDam. We were always focused on security. Today, we serve more than 700 organizations in our geographical area, most of them having multiple locations and a thin IT staff. They look at Lead Data’s team as trusted members of their own IT team.

How did you come across BitDam in the first place and what caught your attention?

Ron: I was introduced to BitDam by a friend almost a year ago. It sounded interesting, especially since the founders know closely how attackers tend to work. So I spent some time with the founders and got an understanding of what the uniqueness of the technology is. I loved the fact that BitDam brings a whole new approach to a known problem that has existed for many years, and which no one has really solved so far. That drew me to start working with BitDam.

I was intrigued by this different approach and wanted to check if I would see a difference, if it would catch things that normal Anti-Virus couldn’t catch. And here I’m talking mainly about zero-day malware. I wanted to see what impact this new approach would have on the bottom line, the actual results.

So I guess you wanted to test it before you decided to offer it to your customers.

Ron: Absolutely. We did a POC test with BitDam against our existing security controls – a combination of a leading sandbox solution and a leading email security product, both from well recognized players in this market.

Ok, and what did the results look like?

Ron: What were the results? The email solution didn’t get a single piece of the malicious files that were introduced and which BitDam caught. The sandboxing solution detected only 40% of them.

We’ve done two tests – the automated test provided online by BitDam, and a very extensive test with the BitDam team. We’ve done both tests multiple times with many different customers. BitDam always detected much more than the other solutions.

Any additional tools that you used as part of your assessment of the BitDam solution?

Ron: Well, we also used BitDam Total to scan files for malware, leveraging the BitDam engine. One of Lead Data’s cyber security experts used this free service and found the portal very helpful. He actually used it to test files in many cases. The interesting thing about it is that it caught zero-day malware in many of these checks. And these were malicious files that our existing security suite missed. That was really impressive!

Ok. So you were impressed by the technology and the capabilities. Why do you think that others should use it?

Ron: For the obvious reason that it catches zero-day malware that most other products, including leading ones, do not catch. This is organizations’ main concern when it comes to email security. You see, there are many security solutions out there, and they catch malware. But the real risk is in zero-day attacks which can lead to massive losses. Everyone is looking for this ‘magic’ that would protect from zero-day malware, and here it is. This is not in theory, I saw it in my environment scanning Lead Data email traffic as well as with our customers. Within a few weeks of operations BitDam detected zero-day attacks that other solutions (again, leading ones) didn’t.

Which organization do you think should adopt this?

Ron: I think that BitDam’s technology could help companies of all sizes. The larger the organization the more value BitDam would add.

Do you have any tips or suggestions for your customers?

Ron: As a first step, I strongly suggest trying the BitDam PenTest, which is available on their web site. It is a very simple, straightforward way to test your current mail security solution. Based on the results, my team and I are happy to set up a full BitDam PenTest, which is more comprehensive. The results of the full PenTest will show you the value that BitDam will bring on top of your existing mail security solution. And last but not least, I’d like to invite you to our BitDam webinar taking place on 29 January, 2019.

Anything else that you would like to share from your experience with BitDam?

Ron: We used it ourselves. It has caught many pieces of malware for us, although we are much smaller than other companies we work for. We actually caught several zero-day attacks that were sent to us by our customers.

Also, I must share that my experience working with BitDam has been wonderful. As a partner, their team is always available for me to help work with customers and prospects.

Email cyber threats: Which attachments should you not open?
Rotem Shemesh
1 minute & 45 seconds read · December 16, 2018


File attachments in email are still common threat vectors. In fact, according to the Verizon 2018 DBIR, 92.4% of malware is delivered via email, and a significant part of it is hidden in attached files.

We were intrigued by which file types are most commonly used for malware and went to check it in our real-life data. Covering hundreds of thousands of mailboxes, BitDam advanced threat protection scans millions of file attachments on a daily basis. We started our little research recently and this is what we found so far:

As we expected, most attachments containing malware were day to day files like PDF and Microsoft Office documents that were manipulated through scripts and macros to contain threats. These are files that look innocent, and might even bypass your Secure Email Gateway or Sandbox, but can cause huge harm when being opened.

PDF (38% of all malicious files detected) and Microsoft Word doc variations (30% of malicious files) were the most common file types, followed by Microsoft Excel files (19% of malicious files). Unfortunately, these are the same file types that most of us use, open and share with our colleagues, customers and vendors every day.

What can you do about it?

Even the strictest information security team won’t expect employees not to open these files, or to be suspicious every time they see a PDF or Microsoft Office document in their inbox. That’s where technology comes into the picture. Email protection solutions like BitDam’s stop advanced content-borne threats before they are delivered, so employees never get such malicious emails in their mailboxes. While other Advanced Threat Protection solutions for email are based on knowledge of previous attacks, BitDam takes a proactive approach that makes it attack-agnostic: BitDam learns the normal code-level executions of applications such as Microsoft Word and Acrobat Reader, and based on this whitelist it determines whether a given file is malicious. Emails that contain malicious attachments are blocked pre-delivery.

We’ll keep our research going and will share more insights with you. In the meantime, you can try it yourself – scan a file to detect malware or contact us to set our 1-minute-deployment POC.

Eyal Blyachman
3 minutes & 43 seconds read · December 9, 2018

Exploited in a flash – CVE 2018-15982

A few days ago, a new Flash zero-day vulnerability was discovered.

The attack was allegedly linked to ‘HackingTeam’, the Italian offensive cyber company that was breached about three years ago.

The sample exploits a use-after-free vulnerability in a Flash class named “com.adobe.tvsdk.mediacore.metadata.Metadata”. A weaponized MS Word document contains an embedded malicious SWF that exploits Flash into running shellcode.

Would BitDam detect it?

Luckily, none of our customers received this attack, but we wanted to confirm that they would have been protected had they received it when it first appeared.

That is why we used an older version of BitDam to scan the malicious file. We used an engine version that was never exposed to this attack. We had no doubt that BitDam would detect it, after all, that’s the “magic” about BitDam – it detects zero day attacks that it hasn’t seen before.

So we scanned the original sample of the vulnerability (SHA-1 2d22bf18ab1a8db0309c477472b481b0641b9dc7) with BitDam’s old engine. Here are the scan results:

Figure 1

As expected, the BitDam engine was able to notice whitelist deviations and extract interesting information:

  1. There was a foreign command line identified, with the following command line:
    C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe
  2. BitDam extracted the APIs that the shellcode was using. One of those APIs was “CREATEPROCESSASTUB”.
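The “whitelist deviation” idea in point 1 can be illustrated with a small allowlist check over process-creation events. The following Python is an added example, not BitDam’s engine and not code from the post. It keeps a hand-written baseline of which child processes a document reader is expected to spawn, runs it over three constructed events (one of which carries the command line quoted above, with a constructed Office path as the parent), and pulls out the programs that command line hands off to. The baseline contents, the `Event` record and all helper names are assumptions of the example; in a real deployment the baseline would be learned from clean traffic.

```python
import re
from collections import namedtuple

# One process-creation event: which image spawned which, with what command line.
Event = namedtuple("Event", "parent_image image cmdline")

# Hand-written stand-in for a learned baseline: children a document reader is
# expected to spawn during normal use. Keys and values are lower-case basenames.
BASELINE = {
    "winword.exe": {"splwow64.exe", "werfault.exe"},
    "excel.exe": {"splwow64.exe", "werfault.exe"},
    "acrord32.exe": {"acrord32.exe", "werfault.exe"},
}

# Command line reported in the post (quoted as-is, single backslashes).
PAGE_CMDLINE = (
    r"C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;"
    r"C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg"
    r" & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe"
)

# cmd.exe builtins that do not start a new program.
SHELL_BUILTINS = {"set", "cd", "echo", "start"}

# Constructed parent path for the sample events (not from the post).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_whitelist_deviation(ev):
    """A monitored application spawning a child outside its baseline."""
    parent = basename(ev.parent_image)
    if parent not in BASELINE:
        return False  # not an application we hold a baseline for
    return basename(ev.image) not in BASELINE[parent]


def spawned_binaries(cmdline):
    """Programs a `cmd.exe /c ...` line hands off to, in order, without repeats."""
    body = re.sub(r"^.*?cmd\.exe\s+/c\s+", "", cmdline, flags=re.IGNORECASE)
    seen = []
    for segment in re.split(r"\s*&&?\s*", body):
        token = segment.strip().split(" ", 1)[0].lower()
        if token and token not in SHELL_BUILTINS and token not in seen:
            seen.append(token)
    return seen


def triage(events):
    """Return (event, handed-off programs) for every baseline deviation."""
    return [(ev, spawned_binaries(ev.cmdline)) for ev in events if is_whitelist_deviation(ev)]


# Constructed sample events: one deviation, one baseline child, one unmonitored parent.
SAMPLE_EVENTS = [
    Event(WINWORD, r"C:\WINDOWS\system32\cmd.exe", PAGE_CMDLINE),
    Event(WINWORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12345"),
    Event(r"C:\Windows\explorer.exe", r"C:\WINDOWS\system32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev, programs in triage(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), "hands off to", programs)
```

The point of the baseline is that it needs no prior knowledge of this particular sample: Word launching cmd.exe is flagged because it is outside normal behaviour, and only afterwards does the command-line parse reveal the rar.exe / backup.exe chain the post describes.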

When we tried to look at the file manually, the first thing that popped up was a document written in Russian that looks like a personal information form of a healthcare company (shown in Figure 2).

Figure 2

When the user allows the content to play, the malicious SWF is loaded.

Technical Drilldown

Based on the results we received from our system, the first step we took was to look for the shellcode. Figure 3 shows the call instruction within the shellcode that starts the cmd.exe process.

Figure 3

A deeper look into the extracted shellcode revealed additional functionalities and a string.

Figure 4 shows a dump of the shellcode in the memory. The string is highlighted in red and the ‘call’ instruction from before is marked in blue.

Figure 4

The highlighted string holds the arguments used to create the malicious process that runs the payload.

To dig a little deeper into the shellcode, we created a very simple and small program that allocates memory in a page with execute permissions, then copies the shellcode and executes it. We changed the last byte of the execution string from ‘e’ to ‘d’ to make sure that nothing malicious will eventually run.

Figure 5 shows the code used to do that

Figure 5

In the beginning of the shellcode’s execution, the code calls a function in relative offset 0x129. The call is shown in Figure 6.

Figure 6

The function, shown in Figure 7, appears to be resolving function addresses.

The highlighted section in Figure 7 is the resolution of a single function, using a helper function embedded in the shellcode (at relative offset 0x59).

Figure 7

Once the prerequisites are done, the shellcode reaches the final stretch: it creates a process with the relevant parameters. The ‘call’ instruction highlighted in Figure 8 calls the address pointed to by ebp-24h, which is CREATEPROCESSASTUB.

Figure 8

At that point, the address pointed to by ESP+0x4 (see Figure 9) should look familiar. We examined that memory for final confirmation.

Figure 9

That memory address does hold the commandline that we expected to see.

Decompiling the SWF resulted in ActionScript and two binary data blobs. Those blobs are used as classes in the script, and both are shellcodes: one is 32-bit shellcode while the other is 64-bit.

Figure 10 shows the ActionScript that checks the architecture and calls the appropriate function in accordance with the architecture.

Figure 10

This interesting vulnerability is not the first Flash exploit we have encountered, and probably not the last either.

When this file was initially submitted to VirusTotal towards the end of November, it had an extremely low detection rate. Today, almost every engine on VirusTotal detects it.

Figure 11

BitDam’s proactive approach allows the detection of such threats from day one, with no need to update signatures when an attack is at your gates, or worse, already entered your organization.

Maor Hizkiev
3 minutes & 2 seconds read · November 29, 2018

Migration to O365: Did you think about everything?

Here are the key reasons why organizations of all sizes should consider migrating to O365:

O365 Migration: Don’t worry about servers and maintenance

Whether you have a small organization or a large enterprise, you don’t need to worry about monitoring your email servers for disk space, network issues and other problems. You can rest assured that Microsoft’s O365 has several fail-safe mechanisms that will do the job, without you even knowing.

O365 Migration: Getting updates seamlessly

Updating your systems is probably the most important practice an organization should adopt. O365 is updated on a daily basis with bug fixes, security patches and new features, so IT doesn’t need to chase after never-ending patches.

O365 Migration: Deploying and managing email apps is easy

Want to test a new productivity application for the user’s inboxes? Need to add an email management tool? Just go to the O365 AppSource, and with a few clicks you can give any application a try.

O365 includes built-in spam filtering (SPF checking, blacklisted IPs)

O365 provides the basic spam filtering which everyone needs, e.g. SPF checking that verifies that the email came from a mail server authorized by the sender’s domain. In addition, since O365 serves millions of users worldwide, it can easily classify IPs which are used to spread spam and blacklist them to prevent them from reaching your organization.
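To make concrete what an SPF check actually does, here is an added, simplified checker written for this post (it is not O365’s implementation): it evaluates the sending IP against the domain’s SPF record, following ip4, ip6, include and all mechanisms and the +/-/~/? qualifiers. The DNS TXT records are constructed for the example and served from a dictionary instead of real DNS lookups; the a, mx, exists and redirect mechanisms are left out and reported as permerror.

```python
"""Added example (not O365's or BitDam's code): a minimal SPF evaluator that
handles ip4, ip6, include and all. DNS records are constructed and looked up
from a dictionary so the example runs offline."""
import ipaddress
from typing import Dict, Optional

# Constructed TXT records for illustration; these are not real domains' records.
TXT_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def lookup_spf(domain: str, records: Dict[str, str] = TXT_RECORDS) -> Optional[str]:
    """Return the domain's SPF record (a TXT record starting with v=spf1), if any."""
    rec = records.get(domain.lower())
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def check_spf(sender_ip: str, domain: str,
              records: Dict[str, str] = TXT_RECORDS, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return result
        elif mech == "include":
            # include matches only when the referenced domain yields "pass"
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return result
        else:
            return "permerror"  # a, mx, exists, redirect: not implemented here
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("10.0.0.1", "nospf.example")]:
        print(f"{ip:>16} from {dom:<28} -> {check_spf(ip, dom)}")
```

Note what a "pass" here does and does not prove: it only says the connecting server is one the domain owner authorized, which is why the post calls this basic filtering rather than protection against a malicious attachment sent through a legitimate server.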

No need for a VPN with O365 – access your email from anywhere

Using O365, users don’t need to connect to VPN in order to access their mailbox. Making this access easier helps users to simply reach their mailboxes from anywhere, thus improving productivity.

Migrating to O365 – here we come!

So you understand the benefits and have reached the conclusion that it’s time for your organization to migrate to the cloud. You’ve also selected the right solution for you – Microsoft Office 365. You have even contacted a vendor like RackSpace, AvePoint or CodeTwo to help you with that.

So what’s missing?

One thing that is clearly missing from that picture is advanced security. While traditional on-premise email solutions are surrounded by an entire ecosystem of security solutions of all types and levels, when it comes to O365, securing mailboxes is still a challenge. Although various security solutions exist, integrating them with O365 is not as simple as you would expect. Bottom line: organizations that migrate to O365 struggle to secure their mailboxes the way they would like to.

If you face this challenge too, I recommend that you check out the BitDam solution, which protects organizations of all sizes against email-borne attacks (which, by the way, represent more than 90% of cyber-attacks). BitDam’s cloud-based Advanced Threat Protection solution proactively detects attacks pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and/or URLs. It’s fully integrated with O365, available on the Microsoft Azure Marketplace, and can be deployed in a matter of minutes.

What is BitDam?

The BitDam solution is based on a unique attack-agnostic technology which shows remarkably higher protection. In a nutshell, it learns the normal code-level executions of business applications and determines whether a given file or weblink is malicious.

But what’s most important about it is that BitDam shows significantly higher detection rates than all other solutions. In practice, it already blocked dozens of attacks that some leading security solutions fail to uncover.

I encourage you to try it yourself. Upload your most sophisticated malware file to our BitDam Total free file scanning service and get an immediate result.

So don’t jeopardize your organization’s security just because you moved to the cloud. Make sure that your users are protected from the sophisticated attacks going around every day.

David Ben Shabat
2 minutes & 39 seconds read · November 22, 2018

Welcome BitDam Dashboard

I need to confess – I love data, and I love how data can be turned into insights. Coming from a data analytics and visualization background, I find it super important to make data accessible to my customers. That’s why we’ve spent the last few weeks on creating a new dashboard that analyzes raw data from our system and provides users with actionable insights.

So… I’d like to share with you the highlights of BitDam’s new dashboard:

Overview Page

This is mainly for the IT manager. Here you get a high-level view of BitDam’s system performance and its real-time status in a quick glance. No more digging and inspecting for every small issue. The Overview Page allows you to easily understand the number of scanned emails, malicious files found, the distribution over time and split between file types.

Why do you need this page? Within a few seconds, you can understand the system status, make sure there are no delays and confirm that BitDam works as expected. You can also recognize trends or become aware of hot threats. On a day-to-day basis you can give it a quick look and move on. If an email is being delayed in the pipeline, you can easily release it. And if your organization is under attack, be assured that you’ll see it right away in the Overview Page.

Emails Page

As a SOC expert, you’ll receive a real-time alert any time that BitDam detects malicious content. But as a SOC expert, you also want to know more when there are malicious emails going around your organization. That’s why we created this page. Here you can check what exactly is going on. In this page you’ll quickly see who’s the sender, who was supposed to receive the malicious email and how many of those emails are out there.

How do you use it? Start with a high-level view of all blocked, clean and released emails ordered by priority. Then drill down easily to further investigate a specific email. You can verify that it’s not a false positive, download the malicious file, extract Indicators of Compromise (IOCs), pinpoint affected mailboxes and more.

Files Page

In some situations you might want to look at files rather than emails. That’s why we created the Files Page. Here you can perform a variety of actions on files (similar to the ones you’d do in the Emails Page) in order to learn more about a specific attack.

How do you use it? Typically, you will start by having a look at the list of malicious files. From here, you can further investigate specific files, drilling down to how they were delivered and what made BitDam flag them as malicious.

You can also upload files manually for scan on this page. In case you find a suspicious file, or want to compare BitDam’s detection to another solution, you can do it easily from here. You’ll get the scan result with indications on what’s wrong with the file, within a few seconds.

What’s next?

If you’re already a BitDam user, log in to the dashboard and check out what’s new. And if you’re not a BitDam user yet… then it’s time to try it.
