In early November of 2014, a complex and high-profile family of malware named WireLurker splashed across the radar of the security community and the general media.
Originally discovered by Palo Alto Networks, WireLurker is an unusually complex family of malware targeting Apple systems. WireLurker was unique in being able to attack mobile devices, as the malware was able to compromise Apple iPhones connected to Mac computers infected by malicious applications hiding WireLurker. Difficult to detect because of complex obfuscation methods, it was clear to the security community as a whole that WireLurker posed a significant threat to Apple users.
But what the security community didn’t know was that Windows users were also at risk of infection.
When AlienVault Labs, our research team here at AlienVault, first received information about WireLurker we performed a battery of analysis devised to uncover details about the malware and the infrastructure of those who wielded it. Additionally our Chief Scientist, Jaime Blasco, analyzed WireLurker with a new technology that our team has been developing over the past year.
Today we’re excited to reveal this technology with the announcement of the Closed Beta for Open Threat Exchange (or OTX 2.0). OTX 2.0 is a generational enhancement of our Open Threat Exchange platform designed to empower security professionals and IT practitioners of all skill levels and resources with the ability to collaboratively build, and defend themselves, with high level threat intelligence.
Here's a screen cap of the new offering:
Using features within OTX 2.0 and novel analysis of the malware, Jaime’s research revealed that WireLurker’s presence extended far beyond Apple devices. He was able to analyze WireLurker’s command and control infrastructure, and in doing so discovered that there was a Windows-based version of WireLurker that had been operating prior to the OSX version’s discovery.
Our labs team also discovered that this Windows version had been particularly aggressive. Of the known infected desktop applications that hosted WireLurker over the previous six months, 97.7% of applications were actually the previously undiscovered Windows variant of the malware suite.
Further analysis on WireLurker by the security research community revealed much about the attackers who created the suite, and less than two weeks later Chinese authorities arrested 3 individuals charged with the creation and use of WireLurker to compromise and defraud victims.
WireLurker was one of several high profile security threats that the AlienVault Labs team has analyzed over the past year using OTX 2.0. In every instance of its use, OTX 2.0 was able to reveal deep and novel findings about threats online that otherwise had gone unseen or undiscovered.
The new features within OTX 2.0 allow users to do a variety of different things: extract indicators of compromise (the “atoms” that describe the overall “molecule” of a threat) from plain English sources, translate those indicators automatically into machine-legible intelligence, and investigate at a granular level how this data correlates with other findings from the existing Open Threat Exchange – a surface of data that sees over a million IPs and malware samples a day submitted to it from more than 26,000 sources in over 140 countries.
But very critically, OTX 2.0 will also enable everyone in the OTX community to actively discuss, explore, validate and share the latest threat data, trends, techniques and research – strengthening their own defenses while helping others to do the same.
Users will be able to jointly review and build “Pulses” that describe threats, and collaboratively build defenses to threats in a way that is unprecedented in threat intelligence and security as a whole. Once refined, anyone can export Pulses to a variety of different open file formats (STIX and OpenIoC to name a few) or use data created within OTX via a new API we are developing called DirectConnect.
We will be conducting a closed “rolling” beta for OTX 2.0, focused on gathering feedback from targeted segments of users to better refine new features for the platform and the product as a whole in preparation for OTX 2.0’s general availability launch. Over time we will accept more applicants to the beta, with the end goal of completely opening the platform to everyone later this year.
To apply to join the closed beta for OTX 2.0,
OTX 2.0 is a continued realization of our original goal with Open Threat Exchange: to allow defenders to safely collaborate and work together to face an increasingly complex and dangerous threat landscape.
We’re excited to unveil the next generation of OTX, and look forward to seeing you soon in OTX 2.0.
Check out our humorous video.
