
Happy Cyber Security Awareness Month!

Welcome to the inaugural Tripwire Breach Report Blog Post. These dispatches from the Security Solutions team and Breach Report Editorial Board will be posted at least once a month to foster discussion, knowledge exchange and ways Tripwire can help you address the cyber challenges you face each day.

In this week’s Security Communiqué:

* A supersonic reemergence of the Zeus Botnet (Awesome diagram here)

* The latest on Stuxnet – the malware many are calling the most sophisticated piece of cyber badness ever developed.

* A spicy breach in the healthcare space where Tripwire could’ve made a positive impact

The Zeus is Loose!

Originally discovered in 2007, the Zeus Botnet is picking up steam in a big way in the financial services sector around the globe and branching out to infect computers across all vertical segments and business sizes in hopes of obtaining financial account access or financially valuable information.

* Attacks perpetrated via e-mail and social media inboxes to get people in companies to click on links or view infected files (e.g. Apple iTunes customers could be at risk of a financial data security breach)

* People are often targeted based on their positions in companies and their likely access to financial account administrative privileges. Currently, nearly four million PCs in the U.S. alone are believed to be infected with Zeus or a variant.


  1. Zeus is hard to detect. Most AV doesn’t even pick it up, but the telltale for anything like this is going to be its “phone home” traffic. For Zeus it’s going to be simple HTTP over Port 80 going to suspicious sites, showing itself most likely as foreign IP addresses rather than Fully Qualified Domain Names.
  2. If you are monitoring webfilters, firewalls, and NIDS for outbound traffic, then Tripwire Log Center can be used to detect this pattern.
  3. Tripwire Enterprise (TE) could be used to make sure your webfilters and firewalls are configured to look for this traffic. Finally, TE might be used to actually detect either the botnet itself or, more likely, the packaged data it is set up to send: files with extensions such as .zip, .dat, .tmp and others that grow as data is collected and then get shipped to parts elsewhere.
  4. It also may be possible to find a Zeus license key, since this software is sold on the black market.
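The phone-home pattern from item 1, as an added example that is not part of the original post and not Tripwire Log Center logic: it scans constructed proxy log lines (an invented generic format) for plain HTTP on port 80 to a bare external IP address instead of a hostname, and counts repeats per source/destination pair, since periodic beaconing to one IP is a stronger signal than a single request.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, source host, method, URL, status.
# Invented generic format for this example, not a Tripwire log format.
SAMPLE_LOG = """\
2010-10-05T09:12:01 10.1.4.22 GET http://www.example.com/index.html 200
2010-10-05T09:12:09 10.1.4.22 POST http://203.0.113.45/gate.php 200
2010-10-05T09:13:40 10.1.7.8 GET http://198.51.100.9:8080/cfg.bin 200
2010-10-05T09:14:02 10.1.7.8 GET http://intranet.corp.local/ 200
2010-10-05T09:15:30 10.1.4.22 POST http://203.0.113.45/gate.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Destinations in these ranges are internal, so not phone-home candidates.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external_literal_ip(host):
    """True when the URL host is a bare IP literal outside internal ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an IP literal
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_phone_home(log_text, port=80):
    """Return (timestamp, src, dst_ip, path) for plain-HTTP requests sent to a
    bare external IP on the given port, the pattern described for Zeus above."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the format
        ts, src, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.scheme != "http" or (parts.port or 80) != port:
            continue
        if parts.hostname is None or not is_external_literal_ip(parts.hostname):
            continue
        hits.append((ts, src, parts.hostname, parts.path))
    return hits


def beacon_counts(hits):
    """Count repeated (src, dst) pairs to surface beaconing to one IP."""
    return Counter((src, dst) for _ts, src, dst, _path in hits)
```

On the sample, the two POSTs to 203.0.113.45/gate.php are flagged while the hostname requests and the port 8080 request are not.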

Stuck on Stuxnet:

A good article with Cyberwar intrigue:
Is Stuxnet the ‘best’ malware ever?

Here’s what The Tripwire Breach Report team said at the time Stuxnet was unleashed in the Spring of 2010.

Tripwire Enterprise: There are native Windows agents available for TE, which could have been configured to detect changes to specifically defined files. But even if they didn’t allow installation of a TE agent on a Windows machine, we’d still be able to configure a “custom node type” which could remotely log in and check files.

Tripwire Log Center (TLC): Similarly, TLC can collect and evaluate the events from a Windows machine. A correlation rule could be written that detects the unique behavior of the worm. Also, TLC would pick up on the worm’s unique behavior from other network devices (firewalls, etc.).

Breaches Ripped from the Headlines: Kern Medical Center Breach
Lessons From A Security Breach; Forbes, 09.27.10

What happened: Malware created performance issues and the organization took an operational hit that lasted 16 days. Machines became infested with pornography, but latest reports indicate no sensitive data was impacted.
What Tripwire does in these types of cases: Generically, when malware is unleashed on a company, organization or governmental body, Tripwire helps in the following ways:

  • Tripwire Enterprise offers change visibility that would have automatically detected changes to specifically defined files, registry, database and directory objects, VMware, and command outputs. Even if installation of an agent is not allowed by policy, our solution is easily configured for new node types supporting Secure Shell (SSH) or telnet, which will remotely log in and check files and configuration changes. By automatically and intelligently assessing system configurations, Tripwire Enterprise would have detected and alerted IT personnel about configuration policies that could have been automatically remediated to mitigate the risk of data breaches.
  • Tripwire’s next generation security information and event management solution, Tripwire Log Center, collects and evaluates events from machines in the infrastructure. Using correlation rules, TLC analyzes and alerts in near real-time on the unique behavior of the malware, including call-back traffic, inappropriate access, propagation, and even absence of events or deletion of log files to cover attack footprints.


Under the Breach Radar

  • A report of a recent hack of with this:


C’mon…really? Let’s all take an oath right now to leave those who do good and try to educate the masses alone moving forward. It’s like beating up a kid in a wheelchair. Not funny. Not cool. Not without major karmic payback.

Just say no to Cyber-kookery.

Data Pellet for Public Consumption

Based on a sample of 200, Verizon Business determined that those organisations suffering some kind of data breach were 50% less likely to be PCI compliant. Verizon PCI Compliance Report (PDF)

Something to add? Something you need? Let me know. @MarkAEvertz

See you in the shadows.