Malware, Phishing: the Need for Intelligent Response

Gary Warner

Wed, 6th August 2014


Speaker Bio 1:
Gary Warner serves as the Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB) and as the Chief Technologist at Malcovery Security.

At UAB he focuses the attention and resources of the Computer Science and Justice Sciences Departments on the problems faced by CyberCrime Investigators in Law Enforcement and elsewhere, while Malcovery Security provides commercial services in Phishing, Spam, and Malware Intelligence. With a 20-year career in Information Technology, Warner had served as IT Director for a publicly traded Energy company for nine years prior to arriving at UAB.

For the past six years Warner has been active in the FBI's InfraGard program, and has served as local chapter President, SouthEast Regional Coordinator, and on the National Board. He has also served on the national board of the Energy ISAC. He currently serves as a Microsoft Security MVP, and has been recognized by FBI Director Robert Mueller for:

"Exceptional Service in the Public Interest"
Gary also received the IC3 and NCFTA's Partnership Award:

"....in recognition of his outstanding support in the ongoing battle against cybercrime"

And in 2006 he received the "Outstanding Alumni Award" from his alma mater, the UAB School of Natural Sciences and Mathematics.

Learning Objectives:

Gary will explain:

  • Why identifying an infected machine, wiping the drive, and returning it to service is the wrong response to malware.
  • Why the race to shut down phishing sites as fast as possible is the wrong response to malware.
  • How the context of, relationship between, and history of malware and phishing attacks can help your company develop the right response.


Questions and answers

Max, Concise Courses:
Who is your typical client?

Gary Warner:
We really have two sides of this. With T3 Today’s Top Threats, what we are really doing there is defending networks, so anyone who has a large network to defend would benefit from understanding what today’s top threats are in the email. There is a PDF that is 10-15 pages of analysis [with reference to] how this particular campaign works. We also have an XML feed that has all of the key indicators of compromise, so if you wanted to just strip those out to take those indicators you could put them straight into your web or spam filter or other places that might detect.

You can also use a certificate to scan your network for the logs and determine whether you have been visited by one of these sites that [host malware] and that would indicate that their site had been compromised. That is one half of it!

The other half of the organization is focused on the phishing and those customers tend to be large financial institutions or the large Internet companies. They are more concerned with protecting their brand being imitated, whereas T3 is primarily about defending any large network from malicious email attachments.


Max, Concise Courses:
The Juniper Mobile Threat Center team released an interesting report regarding Mobile Malware – in summary, Mobile Malware grew a staggering 600% between 2012 and 2013 and specifically targeted Android – any idea why Android is so bad? Does the Android OS allow for malicious apps to be downloaded?

Gary Warner:
You may remember that when iPhones first came out with the app store there was all the talk about how you would have to jailbreak your phone if you wanted to install an application that didn’t come from the app store. Android has never really had that limitation; it’s a free platform like your Windows computer, I can install and infect myself with anything I choose, and it’s the same thing with Android devices. On Android it is very easy for me to send you a link to an app that you could download from a web page, install on your device and infect yourself with. There have been more malware samples introduced to the Android app store, but it’s more about the fact that I am not limited to adding applications from only the app store.


Max, Concise Courses:
I’m at the stage in my career where I should specialize – do you recommend becoming a malware analyst? It’s an area I am really interested in. Demand will always be strong, right?

Gary Warner:
Yes, I have been doing malware analysis since the late 1980s and I’d say that it is a very safe market to get into. The people that are most successful with it are the ones that understand not only the assembly language code (you do really need some training in how to disassemble and understand the behavior) but also, especially more recently, being able to data-mine large volumes of evidence. So, how does the current infection [that you as a malware analyst would be examining] relate to previous infections?


Max, Concise Courses:
Can I train my user base not to click on these malicious emails?

Gary Warner:
No! There are several companies, [one is what we refer to as] ‘fish meat’, that will send out [fake phishing] emails, and another one that we have done a lot of work with is Wombat; both of those do training for end users. What the Verizon threat report would indicate is that you can train your employees not to fall for a ‘traditional phish’, i.e. if I send you an email and teach you that it will say that [for example] there is ‘something wrong with your bank account, don’t click it!’, yes, you can train them away from those attacks. What is more difficult is what we call the spear phishing attacks, where the email has been more customized and personalized for you, and they are more successful. If you send them to three people, one of them is going to click open the email, and if you send it to ten people then you are guaranteed that someone within the group will click on it, and unfortunately that really does seem to be true. The training is effective when the email that is delivered looks very similar to the training that you have received.