Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

Malicious Dropbox Activity Highlights Need for Endpoint Visibility

Malicious Dropbox Activity Highlights Need for Endpoint Visibility click dropbox
benweb
July 1, 2014 / Ben Johnson

With the recent “news” that malware was using Dropbox for command and control as well as data exfiltration (malware has been communicating via legitimate cloud and social sites for several years), we felt it would be a good time to point out the power of endpoint visibility.

By knowing which process is making a connection, as well as information such as parent process, child processes, who wrote the binary in question, etc., a whole new world of both response and detection is enabled. Using Carbon Black data, it’s very simple to start alerting on this sort of activity. To begin, we start by searching for anything that isn’t dropbox.exe that is communicating to the dropbox.com domain

process_name:* -process_name:dropbox.exe domain:dropbox.com

search_results_1

As you can see, the most recent results right now are all iexplore.exe. We can go page by page, or I can just filter out iexplore.exe to see what we then get:

process_name:* -process_name:dropbox.exe -process_name:iexplore.exe domain:dropbox.com

search_results_2

The only problem here is we still have some browser and email clients. While you probably do not want to ignore them in reality (at least to start with), we’re going to negate them now to reduce our search results. We’re going to leverage both using process names as well as process md5sums so that you get the idea that doing either (or both) is possible. So now we have:

process_name:* -process_md5:34bdb838268bb47a69e0c90024151b9b

-process_md5:2ddd895521d8d7e03c3308249682a719

-process_md5:fbf809ccc3ce593e8d616fee6500585a

-process_name:dropbox.exe -process_name:chrome.exe

-process_name:outlook.exe -process_name:iexplore.exe

-process_name:firefox.exe

domain:dropbox.com

search_results_3

This search still yields several results, but it is much more manageable. The results include a handful of anti-virus processes, but they also include winword.exe and svchost.exe.

Now, unfortunately for this specific blog post (but fortunately for our customer!), none of these hits are actual malicious activity (analysis omitted for brevity). The takeaway here is that we can determine how widespread Dropbox usage is in our environment, and (even more importantly) we can add a watchlist that will alert us when something (other than those excluded above), connects to Dropbox. You also can limit the search to particular users (such as a SYSTEM account), or specify multiple domains like Amazon, Box, and Google Drive, or look for processes connecting to the cloud that have an unusual parent, and more.

While we’re excited to see exposure about the issue of malware trying to blend in, as with Dropbox, it’s really not a new concept. With endpoint visibility, you can actually see which processes are making malicious connection. This information aids in detecting suspicious behavior as well as helping you understand how your enterprise uses a cloud-based service such as Dropbox.

 

TAGS: bit9 / Carbon Black / command and control / dropbox / visibility

Related Posts