Emergency Threat Update Nov 10, 2008
Transcript of Emergency Threat Update Nov 10, 2008

Emergency Threat Update Nov 10, 2008
Windows Worm Breakout
Presented by Jose Varghese

Agenda
What is the vulnerability and associated threat?
How does the worm work?
What are the mitigating controls?
How do we prepare for Incident Management?
Summary – Immediate Action and Long term solutions

Vulnerability and Threat

Vulnerability
Buffer overflow vulnerability in the Windows Server service
The attacker sends malformed RPC requests to the Server service
Unexpected input leads to an “overflow” condition
If successful, the attacker can run any code of his choice
Example: change passwords, steal data or modify parameters

Previous buffer overflow vulnerabilities
Slammer worm in 2002, Blaster worm in 2003, Sasser worm in 2004 – all exploited buffer overflow vulnerabilities
A bit of history
On Nov 2, 2008, it was 20 years since the first Internet worm, “Morris”, spread – targeting a buffer overflow vulnerability on Unix systems

Does the attacker need authentication?
Authentication requirements
No authentication required: Windows 2000/2003/Windows XP
Authentication required: Windows 2008/Windows Vista
Windows 2000/2003/XP are more vulnerable than Windows 2008/Vista

Threat
Infected machines become unusable
The system tries to spread the worm and also uploads data to the attacker
High CPU/memory utilization, and the machine becomes unusable
Data leakage
Password information and system details are passed to the attacker
Network choking
Rapid propagation of the worm results in high utilization of LAN and WAN networks

Worm – How it works and what it steals

Worm functioning
The worm targets machines running a vulnerable version of the Windows Server service
The worm file name is n1.exe, n2.exe, n*.exe
When the worm starts:
Installs a DLL file in the \system32\wbem directory – sysmgr.dll
Sets up a new service in Windows
Displayed in Control Panel as “System Maintenance Service”
Connects to the Internet and downloads more components
Installs and adds one more service, “Windows NT Baseline”

Worm functioning
The worm collects the following data and passes it to the attacker:
Operating system version, Antivirus version
MSN Messenger / Outlook Express credentials
Username / Computer Name
Installed patches, applications
Recently opened documents
Network adapter / IP addresses
Uploads it, after encrypting, to http://www.t35.com

Worm functioning
The Trojan also updates itself automatically from the sites below:
http://summertime.1gokurimu.com
http://perlbody.t35.com
http://doradora.atzend.com
One of the images downloaded is the popular character Homer Simpson

Prevention and Detection
Technical Controls

Preventive Controls
Best solutions
Disable the Server service and Browser service in the Windows system
OR
Apply the MS08-067 patch and keep using the services

Impact of service stoppage
Disable the Server service and Browser service in the Windows system
You cannot share your folders but can still access remote shares
You will not be able to view other computers in your “Network Neighbourhood”
The Netlogon service, which allows domain login, depends on the Server service

Out-of-band patch release
Microsoft follows a monthly patch release cycle
New patches every second Tuesday of the month
Next one due on Nov 11
The patch for this vulnerability was released out-of-cycle, or out-of-band
In the middle of the month, on Thursday, Oct-23
An out-of-band patch release indicates the criticality associated with this vulnerability

Checking patch rollout

Is the patch deployed?
If you have an automated patch management solution, status is easy to track
WSUS, BigFix, LANDesk – deploy the patch and report status in the console
If patch deployment is manual, tracking is difficult
Use Nessus and scan for this specific plug-in [34476]
www.nessus.org/plugins/index.php?view=single&id=34476
Use the Microsoft MBSA tool 2.1

If we can neither patch nor disable the service…

Workarounds – Network port blocking
Disable TCP 139/TCP 445 at the Internet firewall
Almost all Internet firewalls will already be doing this
Disable TCP 139/TCP 445 at internal firewalls and WAN routers
This will affect file sharing across branches and locations
This can stay in place until the patch rollout is complete

Workaround – Check Point SmartDefense
Check Point has released a SmartDefense update to detect and block these malformed RPC requests
Only relevant if TCP 139/TCP 445 have to be allowed
Will help prevent propagation and also identify internal infected sources
http://www.checkpoint.com/defense/advisories/public/2008/cpai-23-Oct.html

How do I know if I am infected?
Early detection is key to limiting damage

Detection
Anti-Virus tracking
IDS and IPS monitoring
Network traffic monitoring
Internet browsing traffic logs

Anti-Virus detection
The proof-of-concept worm is detected by AV vendors.
Each vendor calls the worm by a different name:
TrendMicro – GIMMIV.A
Symantec – Trojan.Gimmiv.A
McAfee – Spy-Agent.da
Expect to see more variants from the attacker and corresponding new names from AV vendors

AV has limitations...
This is a self-propagating worm, not a virus
AV can only detect and clean
Even if AV is updated, a cleaned system can get re-infected
Only the MS08-067 patch can prevent re-infection

Anti-Virus server statistics
Methodology
Check daily for the Top 50 viruses present in your network
Look out for Gimmiv, Infostealer or their variants
These could be the infected PCs; isolate and clean them before it spreads
Pre-requisites
All servers/desktops report infection data to a central console
All servers/desktops have the updated DAT that detects Gimmiv

IDS and IPS signatures
Methodology
Have IDS sniffing on internal WAN and server traffic
Alert on Gimmiv traffic
Pre-requisites
IDS signatures for the Gimmiv worm are updated in the NIDS
Snort IDS has already released the signature
www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
All leading IDS/IPS vendors have released signatures
IDS is positioned to see internal traffic

Network traffic monitoring
Methodology
Check for denied traffic on TCP 139/445 from internal LAN/servers
Look out for an abnormally high number of denied packets
These could be the infected PCs; isolate and clean them before it spreads
Pre-requisites
Denied traffic at the router/firewall is logged
A mechanism exists for real-time tracking and alerting
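As an added example (not part of the presentation), a small Python script that applies this method to constructed firewall deny-log lines: for each internal source it counts the distinct destinations it was denied on TCP 139/445 and flags sources above a threshold. The log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of router/firewall deny log lines (not real data).
# Assumed format: "<time> DENY <src_ip> -> <dst_ip>:<dst_port>/tcp"
SAMPLE_DENY_LOG = """\
10:01:02 DENY 10.1.5.23 -> 10.1.9.4:445/tcp
10:01:02 DENY 10.1.5.23 -> 10.1.9.5:445/tcp
10:01:03 DENY 10.1.5.23 -> 10.1.9.6:139/tcp
10:01:03 DENY 10.1.5.23 -> 10.1.9.7:445/tcp
10:01:04 DENY 10.1.5.23 -> 10.1.9.8:445/tcp
10:01:04 DENY 10.1.5.23 -> 10.1.9.9:445/tcp
10:01:05 DENY 10.1.5.40 -> 10.1.9.4:445/tcp
10:01:06 DENY 10.1.5.40 -> 10.1.9.4:445/tcp
10:01:07 DENY 10.1.5.40 -> 10.1.9.4:445/tcp
10:01:08 DENY 10.1.5.41 -> 10.1.9.4:80/tcp
garbage line that does not parse
"""

SMB_PORTS = {139, 445}
LINE_RE = re.compile(
    r"^\S+ DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)/tcp$"
)


def parse_deny_lines(text):
    """Yield (src, dst, port) for each well-formed DENY line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("port"))


def smb_scanners(text, threshold):
    """Return {src: distinct_destination_count} for every source denied on
    TCP 139/445 towards at least `threshold` distinct destinations.
    Counting distinct destinations rather than raw packets keeps a host that
    merely retries one file server (10.1.5.40) from being flagged, while a
    worm sweeping the subnet (10.1.5.23) stands out."""
    targets = defaultdict(set)
    for src, dst, port in parse_deny_lines(text):
        if port in SMB_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, count in sorted(smb_scanners(SAMPLE_DENY_LOG, 5).items()):
        print(f"isolate and clean {src}: denied SMB to {count} distinct hosts")
```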

Internet browsing logs
Methodology
Check URL access logs for any access to these sites:
www.t35.com
http://summertime.1gokurimu.com
http://perlbody.t35.com
http://doradora.atzend.com
59.106.145.58
Pre-requisites
Internet browsing logs are available and can be easily filtered
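As an added example (not part of the presentation), a Python script that filters constructed proxy log lines for the sites listed above. It normalizes each logged URL to a bare host name first, so upper-case, an explicit port, a trailing dot or a missing scheme do not hide a hit; the log format and client addresses are assumptions.

```python
from urllib.parse import urlsplit

# Upload/update sites named in the presentation (hosts only, not full URLs).
WORM_HOSTS = {
    "www.t35.com",
    "summertime.1gokurimu.com",
    "perlbody.t35.com",
    "doradora.atzend.com",
    "59.106.145.58",
}

# Constructed sample proxy log (not real data).
# Assumed format: "<time> <client_ip> <url> <http_status>"
SAMPLE_PROXY_LOG = """\
10:02:11 10.1.5.23 HTTP://PERLBODY.T35.COM:80/upload.php 200
10:02:12 10.1.5.23 http://www.example.com/index.html 200
10:02:13 10.1.5.44 http://doradora.atzend.com./update.bin 200
10:02:14 10.1.5.44 59.106.145.58/homer.gif 200
10:02:15 10.1.5.50 http://t35.com/ 200
truncated line
"""


def normalize_host(url):
    """Reduce a logged URL to a comparable host name.
    Without a scheme, urlsplit treats the whole string as a path and returns
    no hostname, so one is prepended; hostname is already lower-cased."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def worm_site_hits(log_text):
    """Return [(client_ip, host)] for every entry whose host is in WORM_HOSTS.
    Matching is exact on the host names the presentation lists, so an access
    to bare t35.com is not flagged."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = normalize_host(parts[2])
        if host in WORM_HOSTS:
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    for client, host in worm_site_hits(SAMPLE_PROXY_LOG):
        print(f"{client} contacted {host}: isolate and clean")
```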

Hope for the best, prepare for the worst
What if the worm still hits us?

If the worm strikes
Identify the affected systems/office/region
Isolate the network
Clean up, patch, check and reconnect

From past experience...
When an incident breaks out:
Links might not work; Email and Internet might have to be turned off
Designated people may not be available to help
Decisions have to be taken with minimum delay

What can we do now?
Send out the actual patch file [not the link] to all your location administrators
WAN links and Internet links may not work when the worm strikes
Send out the worm cleanup instructions/toolkits to all your locations
Send out the AV DAT version that detects the virus [if possible]
Decide the criteria for cutting off a link, branch or region if the virus strikes

How to check global activity of the virus?

SANS Internet Storm Center
http://isc.sans.org
Today’s Rating – Green [meaning Safe]

Symantec Threat Management Center
https://tms.symantec.com
Today’s Rating – Elevated [meaning Unsafe]

Summary of Action Items

Quick checklist
Roll out MS08-067 across Windows desktops/servers
Track patch deployment using Nessus or MBSA
For unpatched systems, turn off the Server/Computer Browser service
Update AV/IDS signatures
Track infections and alerts
Monitor TCP 139/445 traffic logs and Internet URL logs
Be prepared for the incident – distribute patches and cleanup instructions now

Worms will come again
Long term planning

Long term action plan
Desktop patching takes time and tracking is difficult
Have an automated patch management solution
Anti-Virus centralized tracking is critical
Make sure the AV console can provide a full view of the organization
Have a vulnerability scanner operational and used regularly
Nessus or MBSA

Long term action plan
Disable desktop sharing; sharing only on designated servers
Block vulnerable ports at branch routers and WAN aggregation points
Block known bad, allow the rest
Have traffic log monitoring and alerting on suspicious patterns
Network device and firewall logs
IDS to monitor internal and WAN traffic
Not just the Internet side

Recommended Reading

More details available at...
Microsoft Knowledge Base
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
support.microsoft.com/kb/958644
Detailed FAQ on patch and worm
http://blogs.securiteam.com/index.php/archives/1150
How the worm operates
http://tools.cisco.com/security/center/viewAlert.x?alertId=16947

Questions? Suggestions?

Thank you for your time