<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; Malware</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/category/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Thu, 02 Feb 2012 15:57:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Don&#8217;t Let Your Users Get Sucked into the Blackhole!</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 16:30:10 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Adobe Flash]]></category>
		<category><![CDATA[Blackhole]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=848</guid>
		<description><![CDATA[Over the past month, TRUE NSM analysts have observed a significant increase in the number of corporate web users being attacked by the Blackhole Exploit Kit.  The rate of incidents reported involving this malware is now close to two per day.  The Blackhole exploit kit targets vulnerabilities in out-of-date Java and Adobe Reader software.  A &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Over the past month, TRUE NSM analysts have observed a significant increase in the number of corporate web users being attacked by the Blackhole Exploit Kit.  The rate of incidents reported involving this malware is now close to two per day.  The Blackhole exploit kit targets vulnerabilities in out-of-date Java and Adobe Reader software.  A cursory examination of a few of the deobfuscated JavaScript files delivered to users by Blackhole also shows evidence that Adobe Flash is being targeted, and perhaps even a few Microsoft vulnerabilities by way of the Windows Media Player ActiveX control.<span id="more-848"></span></p>
<p>So what can corporate IT security administrators do to prevent this attack?  There are several options.  First, you can make sure that the Adobe Reader, Flash, and Java Runtime software on all of your client computers is being updated on a regular basis.  This option is much easier said than done once you have more than a dozen PCs to worry about. There are some corporate systems management suites (e.g., LANDesk, Microsoft Systems Center Configuration Management) that could help manage this problem, but they are far from easy to install and wield properly.</p>
<p>The second option is to disallow use of all of this software in the first place. Unfortunately, in the modern corporate world all three of these applications are nearly essential to conduct business. Flash and Java are perhaps slightly less essential than Adobe Reader, but there are quite a few legitimate business-related websites that fail miserably if either of these software packages is missing.</p>
<p>The third option is probably the best: install a web filter that blocks Flash and Java except from white-listed websites. Unfortunately, installing a web filter usually requires a bit of a culture change and, for reasons I can&#8217;t understand, corporate legal counsels are all too often scared of approving its use.</p>
<p>Anybody have other suggestions on how to attack this problem?</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='lairofthewalrus' title='Brett Edgaron Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Malware Vendor Fight:  Duqu vs. Stuxnet</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 13:25:01 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=811</guid>
		<description><![CDATA[It looks like the main anti-malware vendors are choosing sides and going head-to-head on the relationship between Duqu and Stuxnet.  So far, the fight is Symantec and Kaspersky, who say Duqu is related to Stuxnet, vs. SecureWorks and Bitdefender, who say they are not related at all. If you haven&#8217;t heard, Duqu is a new &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It looks like the main anti-malware vendors are choosing sides and going head-to-head on the relationship between Duqu and Stuxnet.  So far, the fight is Symantec and Kaspersky, who say Duqu is related to Stuxnet, vs. SecureWorks and Bitdefender, who say they are not related at all.<span id="more-811"></span></p>
<p>If you haven&#8217;t heard, Duqu is a new piece of malware that has been found so far in Sudan and Iran and is spreading via an unknown method. It is similar to Stuxnet in that it installs a rootkit on infected machines and injects encrypted DLLs into the Windows kernel.  As SecureWorks points out in <a title="Dell SecureWorks analysis of Duqu" href="http://www.secureworks.com/research/threats/duqu/" target="_blank">this analysis</a>, none of this behavior is unique.  It is dissimilar to Stuxnet in that it does not appear to be targeting SCADA PLCs, but is apparently a remote-access trojan that receives commands and exfiltrates data.</p>
<p>It seems to me that the anti-malware vendors are just trying to ride the coattails of the media coverage of Stuxnet. (Wait, isn&#8217;t that what I&#8217;m doing here?)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interesting Insights from the Latest MSIR</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 18:08:24 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=786</guid>
		<description><![CDATA[The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The latest <a title="Microsoft Security Intelligence Report Website" href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Microsoft Security Intelligence Report</a> (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx).  Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares.  Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure.  Deploy those updates.<span id="more-786"></span></p>
<p>Some of the more interesting information reported:</p>
<ul>
<li>What is not getting exploited as often as I would have suspected: Adobe Flash and Microsoft Office.  Even though two Flash vulnerabilities identified in the first half of 2011 led to an increase in exploits against Flash, Flash is getting exploited <em>7 times less often</em> than Java!</li>
<li>For the last four quarters (Q3 2010 through Q2 2011) the detection of trojan and backdoor malware has experienced a consistent slight downward trend.  An explanation could be the coordinated takedown of several large botnets in the past year.  Microsoft has been involved in those takedowns, so a shout of thanks goes to them!</li>
<li>Another unexpected result: phishing attacks against social networks accounted for slightly less than half of all phishing attempts, while attacks against financial institutions accounted for slightly more than one-third of phishing attempts.  In April, Microsoft&#8217;s data indicated that 84% of all phishing attempts were against social networks.</li>
</ul>
<p>So, what does this mean for security professionals in the corporate world?  Well, it&#8217;s nothing new really: protect the clients just as you would the servers.  Patching the OS is no longer enough.  You must patch applications regularly too &#8211; most importantly, Java, Acrobat, and Flash.   Disable AutoRun, if possible, but at a minimum deploy the updates from Microsoft for XP and Vista that make them more secure.  And, finally, warn your users about phishing attacks and discourage using the same password for personal social networking and financial websites as they use for their corporate login(s).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Malware Hits U.S. AFB Where UAV Missions Are Flown</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 19:45:40 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=765</guid>
		<description><![CDATA[Apparently, a U.S. military installation where pilots command the U.S. military&#8217;s UAVs (Unmanned Aerial Vehicles), Creech AFB in Nevada, has been infected by a virus. The virus is apparently logging keystrokes but is not interfering with the pilots&#8217; ability to continue performing the UAV missions. That&#8217;s the good news. The bad news is the base &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Apparently, a U.S. military installation where pilots command the U.S. military&#8217;s UAVs (Unmanned Aerial Vehicles), Creech AFB in Nevada, <a href="http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/" title="Wired.com" target="_blank">has been infected by a virus</a>.  The virus is apparently logging keystrokes but is not interfering with the pilots&#8217; ability to continue performing the UAV missions.  That&#8217;s the good news.  The bad news is the base IT personnel have been unable to clean the computers without wiping the hard drives and starting from scratch.<span id="more-765"></span></p>
<p>The Wired article linked above contains this quote: &#8220;We keep wiping it off, and it keeps coming back.&#8221;  That statement suggests one of two things to me: either the malware has installed a rootkit deep into the operating system&#8217;s kernel, in which case cleaning the PC with standard tools will do you no good, or the malware is spreading on the network and the IT personnel have failed to find (and patch) the vulnerability that it is exploiting to do so.</p>
<p>Either way, I&#8217;d hate to be those IT guys right now.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ransomware Becoming More Common</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/#comments</comments>
		<pubDate>Mon, 19 Sep 2011 13:00:12 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>
		<category><![CDATA[Ransomware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=653</guid>
		<description><![CDATA[Just about everyone with an Internet connection has heard the term &#8220;malware.&#8221;  Even most home users (my dear old dad included) have heard the term &#8220;spyware,&#8221; even if they aren&#8217;t sure what it means. But have you heard of &#8220;ransomware&#8221;? Get ready, I&#8217;ve got a feeling it&#8217;s going to be the &#8220;next big (bad) thing&#8221; &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Just about everyone with an Internet connection has heard the term &#8220;malware.&#8221;  Even most home users (my dear old dad included) have heard the term &#8220;spyware,&#8221; even if they aren&#8217;t sure what it means. But have you heard of &#8220;ransomware&#8221;? Get ready, I&#8217;ve got a feeling it&#8217;s going to be the &#8220;next big (bad) thing&#8221; on the Internet.<span id="more-653"></span></p>
<p><a title="Wikipedia article on Ransomware" href="http://en.wikipedia.org/wiki/Ransomware_%28malware%29" target="_blank">Ransomware</a> is a type of malware that attempts to extort money from the users it infects.  One of the first samples of ransomware was the <a title="AIDS Trojan/PC Cyborg" href="http://en.wikipedia.org/wiki/AIDS_%28trojan_horse%29" target="_blank">AIDS Virus</a> in the late 1980s.  The virus would encrypt and hide disk contents and then ask the user to pay $189 to &#8220;license&#8221; the decryption software.  It has only been in the last half-decade or so that ransomware has become more prevalent on the Internet.</p>
<p>A new Trojan is now making its way around the usual social-networking sites.  Kaspersky Labs is calling it Trojan.Win32.Agent.ARVP.  This little guy is apparently Russian-language only at the moment, but it attempts to extort 500 rubles (equivalent to about $17 US) out of the user by claiming that it will forward child-pornography evidence to the authorities.  There&#8217;s really nothing new about this trojan&#8211;using the threat of pornography is certainly not a new concept for ransomware.  However, it is spreading via social networking, and is a very quick translation away from targeting the English-speaking world.</p>
<p>Many users in the corporate world will likely be afraid (or at least hesitant) to report an infection of this ransomware due to the potential HR ramifications of being the user of a computer that may contain pornography.  The pornography threat is likely an empty threat, but it&#8217;s enough to give users pause&#8230;</p>
<p>I suggest that corporate CISOs send a monthly e-mail to all users reminding them of the necessity of reporting any suspicious behavior on their workstations immediately.  The same e-mail should include a short discussion of ransomware and make it clear that such malware often uses the threat of pornography to scare users, and that even if the malware happened to drop adult content on the computer, the user would not be held liable for the presence of dropped content.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adobe Acrobat products update available</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 14:11:57 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[security advisory]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=263</guid>
		<description><![CDATA[Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4. What is more damning than the 29 vulnerabilities fixed is that it appears &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Adobe has released updates for the Acrobat suite of products.  The update fixes over two dozen <a href="http://www.adobe.com/support/security/bulletins/apsb09-15.html">vulnerabilities</a>[adobe.com], at least one of which is being actively exploited.  The version numbers of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.</p>
<p>What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since Acrobat 7.x and are just now being discovered and/or addressed.  I have a suggestion for Adobe: get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/10/14/adobe-acrobat-products-update-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>YAAV (Yet Another Adobe Vulnerability)</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 21:13:12 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security advisory]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=255</guid>
		<description><![CDATA[Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Another <a href="http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html">Adobe Acrobat vulnerability</a> is being exploited in the wild.  All versions up to and including 9.1.3 are vulnerable.  The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable.  Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment).  DEP is an optional setting.  Here is the <a href="http://support.microsoft.com/kb/875352">Microsoft KB</a> article about DEP, but their server is saying it&#8217;s &#8220;too busy&#8221; at the moment (4:11p).  More information from the ISC is <a href="http://isc.sans.org/diary.html?storyid=7300">here</a>.</p>
<p>Adobe is set to release an update on October 13.  Until then, keep on your toes!</p>
<p>TRUE Network Security Monitoring customers can rest a little easier: if your resources are successfully attacked, we should see the results.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='lairofthewalrus' title='Brett Edgar on Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/10/08/yaav-yet-another-adobe-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing on Facebook</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/25/phishing-on-facebook/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/25/phishing-on-facebook/#comments</comments>
		<pubDate>Mon, 25 May 2009 17:32:41 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Social networks]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=222</guid>
		<description><![CDATA[As noted on several discussion sites around the Internet, there seems to be a new phishing attack against Facebook users.  The login page is being spoofed by several .BE and .AT domains in an attempt to steal users&#8217; credentials.  Be careful signing in to Facebook for a few days&#8230;make sure everything looks correct and your &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/25/phishing-on-facebook/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As noted on several discussion sites around the Internet, there seems to be a new phishing attack against Facebook users.  The login page is being spoofed by several .BE and .AT domains in an attempt to steal users&#8217; credentials.  Be careful signing in to Facebook for a few days&#8230;make sure everything looks correct and your browser is showing you the real Facebook login page.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/25/phishing-on-facebook/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why spyware IDS alerts are useful</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/#comments</comments>
		<pubDate>Thu, 21 May 2009 14:52:44 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=210</guid>
		<description><![CDATA[As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.  Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to be a significant number of the incident reports we &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.  Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to account for a significant number of the incident reports we generate.  Today, I would like to write about why spyware alerts are a threat to your organization, why you should take them seriously and respond in a timely manner, and what you can do to decrease these incidents on your network.</p>
<p>The danger of spyware is two-fold.  First, it indicates a deficiency on the part of the user in general information security knowledge and in specific corporate information security policies.  A spyware infection means that the user likely installed unapproved software on his/her system.  Perhaps the user was doing non-business related web surfing and found the &#8220;Totally Awesome Change Your Life Toolbar&#8221; from hAcme Software, Inc.  Or maybe the user was tricked into installing this software via social engineering.  (&#8220;Click here to install a media player to see Jane E. Celebrity in a bikini!&#8221;)  Either way, the user was not aware of the dangers of his/her actions with respect to information security and with respect to corporate security policies.  (You do have policies defining acceptable use of corporate information resources and punishment for misuse, right?)</p>
<p>The second danger indicated by a spyware infection (related to the first&#8211;in fact, the first is a consequence of the second, so maybe I should have reversed these points&#8211;oh well) is that the user has sufficient rights to execute unapproved software on his/her system that can modify his/her settings and hijack information.  With these rights the user may be delivered, and subsequently execute, much more damaging malware that exfiltrates personal and/or corporate information or receives and executes instructions from external attackers.  This malware may be delivered by the spyware itself.  Regardless of how it is delivered, your organization has a problem, and it needs to be fixed.</p>
<p>For these two reasons you should take spyware infections seriously and respond to them in a timely manner.  But what can you do to limit future infections?</p>
<ol>
<li>Limit user rights.  Do not make users members of the local Administrators or Power Users groups.  If you have applications that require Administrator privileges to run (QuickBooks, I&#8217;m looking in your direction), get rid of them.  That is a poorly designed application and is likely going to have far worse flaws.</li>
<li>One word: Education.  Provide it to your users.  If you don&#8217;t have a sufficiently trained and knowledgeable employee who can teach one day classes on information security, there are plenty of companies that provide that service&#8211;and you won&#8217;t have to develop the curriculum.  Google is your friend, here.</li>
<li>Follow the hardening guidelines from <a title="Microsoft Security Compliance Management Toolkit Series" href="http://www.microsoft.com/downloads/details.aspx?familyid=5534BEE1-3CAD-4BF0-B92B-A8E545573A3E&amp;displaylang=en">Microsoft</a>, <a title="NIST FDCC Guidelines" href="http://nvd.nist.gov/fdcc/index.cfm">NIST</a> and <a title="NSA Security Configuration Guidelines" href="http://www.nsa.gov/ia/guidance/security_configuration_guides/">NSA</a> on how to secure your Windows systems and networks.</li>
<li>Use Group Policy or other enforcement mechanisms available from companies like Cisco, Symantec, etc., to whitelist applications, so that only applications listed in the whitelist can be executed by the user.  Use Group Policy to disable all but a few approved Internet Explorer BHOs (Browser Helper Objects).  This will prevent a lot of the toolbar spyware from infecting your systems.</li>
<li>Get serious about your corporate information security posture.  Convince upper management to dedicate sufficient time and money to sustaining a CISO position.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Two simple outbound firewall rules</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/20/two-simple-outbound-firewall-rules/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/20/two-simple-outbound-firewall-rules/#comments</comments>
		<pubDate>Wed, 20 May 2009 18:53:56 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mediation]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=198</guid>
		<description><![CDATA[It amazes me that there are some simple firewall rules that everyone can implement to aid in the defense of their internal network, yet they seem to be rarely implemented.  These rules limit *outbound* traffic.  Unfortunately, it seems many network administrators neglect to limit traffic from their internal network to less-trusted (e.g., VPN, DMZ, and Internet) &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/20/two-simple-outbound-firewall-rules/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It amazes me that there are some simple firewall rules that everyone can implement to aid in the defense of their internal network, yet they seem to be rarely implemented.  These rules limit *outbound* traffic.  Unfortunately, it seems many network administrators neglect to limit traffic from their internal network to less-trusted (e.g., VPN, DMZ, and Internet) networks.  Too often this is because the admins are too busy trying to keep upper management happy by ensuring that public services (web and e-mail) are accessible to customers and potential customers with five-nines uptime.  This is a sad state of affairs.</p>
<p>How many customers are you really going to lose if your website is down for 5 minutes?  If a customer finds that your website is inaccessible for a short time, they are likely going to first suspect their PC or their ISP network before they blame your organization.  Even if they do eventually blame you before the problem is resolved, who is really going to be that mad about it?  If Google goes down for 15 minutes (as recently happened), I just chalk it up to bad luck.  I don&#8217;t fault Google.  So what, I wasn&#8217;t able to hit GMail for 15 minutes?  My life is not over.  Computers suck.  Stuff happens.  Services become inaccessible.  Big deal.</p>
<p>Now, think about how many customers you are going to lose if your organization is in disarray and can&#8217;t close sales deals due to some malware spreading internally.  How about your reputation when all your customer information is stolen and posted on the Internet for your competitors (and customers) to see?  What if you lose personal data like SSNs or bank account numbers?  The list of damaging items that can be lost from inside your network is long and scary.  A reasonable person (like myself) would much rather your organization&#8217;s Internet services be down for a few minutes (or, heck, even a few hours) than have your organization lose its confidential data.  Even if you are providing me a service (VoIP or spam filtering, for example), I can stand a few minutes of unexpected downtime (albeit a very few minutes&#8230;like 5).  That&#8217;s just life.</p>
<p>So enough of the rant.  Here are two simple rules to aid you in detecting malware spreading inside your network.  Of course, you&#8217;ll have to be paying some attention to your firewall logs to notice.  You are paying attention, aren&#8217;t you?</p>
<ol>
<li>Block outbound SMTP that does not originate from your internal e-mail server(s).</li>
<li>Block outbound DNS requests that do not originate from your internal DNS server(s).</li>
</ol>
<p>Simple.  Quick.  Powerful.  But why are these rules helpful?</p>
<p>The first rule above will catch spambots.  Spambots are malware that sit on a PC and spew tons of spam.  If you have an internal machine spewing e-mail to the Internet, and it&#8217;s not your internal mail relay, then that machine is h0sed and you need to examine it.  It&#8217;s likely to have more than just one piece of malicious software on it.  Any hit on this rule in the firewall log is worth a look: a legitimate workstation has no reason to speak SMTP directly to the Internet.</p>
<p>The second rule will catch malware that exploits the fact that most organizations don&#8217;t block outbound DNS.  This malware uses hardcoded public DNS servers to resolve hostnames, avoiding being logged by the legitimate internal DNS server(s) all the while.  The hostnames the malware resolves are often used to aid an attacker in maintaining command and control.  Forcing all resolution through your own DNS servers both blocks this path and gives you a single place to log the queries.</p>
<p>If you can identify infected internal machines through your firewall logs, you can clean the malware and identify further holes in your internal security posture (like foolish users who installed &#8220;Whack-a-mole 2009&#8221; from hAcme Games, Inc., on their corporate PC).</p>
<p>Check out my <a href="http://www.truedigitalsecurity.com/blog/2011/02/24/more-on-outbound-firewall-rules/">next post on outbound firewall rules</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/20/two-simple-outbound-firewall-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>