InfoSec News

This is a hypothetical scenario to get the old grey matter thinking on how you, the incident handler, would respond. To make this a piece of light entertainment when sipping coffee, just focus on these three phase, containment, eradication and recovery, of the six step incident handling process. Feel free to apply your own incident response plans to this scenario and I dont expect anyone to post their answers to the questions. This is simply something to warm up the brain after the weekend or help those recover after the week that was SANSFire.
The Scenario:
A very popular news web site is compromised and the front page is offering up known malware, AB, to any that visit it. You first discover this as the AV console frantically starts receiving notifications from client machines visiting the infected site. A quick bit of research reveals the malware AB exploits a vulnerability in only Internet Explorer 6 and then attempts to phone home uploading the compromised machine's IE protected storage details to any one of 30 drop web sites via http. If the malware infects the system, it then attempts to download, via FTP and https, a .exe file containing more malware designed to hunt over port TCP 445 for machines without patch MS08-067 (KB 958644) to drop a hidden .exe file on %SYSTEMROOT%/System32. The AV companies released a signature file to detect and protect against this three weeks ago.
You're the lone security person for a company of 5,000 employees, over 10 sites. The standard operating system is Windows XP with version of Internet Explorer from 6-8. The IT team use Microsofts System Center Configuration Manager to manage the Windows systems and deploy software and patches. You are the firewall and AV admin and the IT support staff are competent but over worked and under resourced. Two of the ten sites have no IT staff on site.
The Problem:
Over half your company, including all of senior management, visit that site daily to keep themselves informed or read the gossip of the day. From the IT team's best estimates at least 3000 machines have IE 6 and roughly 300 of those machines probably have don't have the right level of AV definitions on them to protect against it for any number of reasons. The news web site isnt going to be able to remove the malware distribution for up to 12 hour. 10 server systems you know of don't have the MS08-067 patch due to operational issue with supporting from a 3rd party vendor but requires TCP 445 to be available to internal systems.
The AV console currently has 1200 alerts and growing by the minute.
The Questions:

What do you do to contain this incident?
How can you identify infected machine?
What do you do with infected machines?
How can you identify any other at risk machines?
How can you protect the 10 servers without MS08-067?
What information do you communicate to staff, IT and management?

Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Brent wrote in in response to ChrisM's diary about helping us help you.





One of the things I stress to other admins is the importance of performance monitoring. Not only is it useful for

diagnosing performance bottlenecks, but it's useful from a security perspective too, provided someone is willing to

skim performance graphs on a regular basis to get a feel for what normal is.



For instance, we track the query stats on our DNS servers and back in March I saw an odd jump in query failures on

one of our external DNS servers.

A look at a 2nd graph

showed that these queries were for A records. When I see an anomaly like this (things that make me say hmmm) I go investigate. In this case, it was a flood of queries for hostnames/domains our DNS servers weren't authoritative for (and, of course, they're set up to refuse recursive queries).



What was interesting was these queries initially came from a wide variety of IPs (many of which were in RBLs as

compromised systems) and soon thereafter, they were coming from our IP space, but mostly from blocks not currently

in use.



Checking performance stats has exposed all sorts of things - misbehaving software doing dozens of queries per second

for the same hostname, a compromised system looking up millions of MX records to try to send spam, someone running a

portscanner (and causing a big spike in rejected packets from our egress filters), etc. Ya never know what you'll find, if you just go look regularly. :-)



I couldn't agree with Brent more. Health and performance monitoring tools can and should be used to detect security related events. Peacetime learning or monitoring while not under attack or unusual load is used in DDOS detection. Netflow which is commonly used to detect DDOS attacks today was originally designed for BILLING on burstable pipes:)

SNMP monitoring is frequently used to detect attacks against a system. If the memory or other resources suddenly goes

WAY UP you can bet something is wrong and in many cases that will be a security related event. So if your performance and health monitoring team isn't tied tightly to your security team you may want to introduce them.



Lastly the triad of security are frequently referred to by the TLA, CIA.

Confidentiality, Integrity, and Availability (2 new ones were added a while back Authenticity and Non-Repudiation).

Availability is either one third or one fifth of security practitioner's job, depending on which version of the triad your following.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
After a great State of the Internet Panel at SANSFire 2011 with the Internet Storm Center Handlers we began to reflect on Phishing, Spear Phishing, FAKE-AV etc and how this threat is never going away.



In another episode of Handlers have lives too we get Phishing and run into strangeness as well. While sitting at our Handler Dinner a Handler Phone buzzed with a text message. Not unusual, but when examined a good gut chuckle rumbled out of the handler (By the way, that handler was me).



The message then got passed around to the rest of the handlers. It was then that Dr Johannes Ullrich, our boss, said Take a screenshot and post it.



On a serious note, after taking a look at this screen shot, ask yourself, who would fall victim to this? Notice the optout,reply,stop?







One of our sister sites has great information on Securing the Human OS and this plays right into that shameless plug [1]. Technology is so pervasive and only going to get more complex.



[1] http://www.securingthehuman.org
Richard Porter
--- ISC Handler @ SANSFire 2011 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Those of you that are Apple users will no doubt have noticed a few updates to Safari, but more importantly an update to the Snow Leopard O/S. Lion is out today. A few of us are Apple users and are in the process of installing/updating the product already.
Unlike previous upgrades this one is delivered digitally through the App store on the Mac. A 3.7GBupdate, so you will likely want to download it when connected to something cheaper than your 3G card.
No real major issues have been identified so far, but then it is early days. One change is that Rosetta is no longer installed, so some older applications may no longer work. In other words Lion is not fully backwards compatible with things that you might be running.
Over the next few days if there is anything of significance to report one of the handlers we'll let you know. As always if you have anything to add feel free to comment or contacts us.
UPDATE:
The install was pretty seamless and straight forward. Little snitch is one of my favourite apps and needed to be updated. The rest of the apps on the machine still seem to be working. I guess I'll find out tomorrow when it has its first work day. One thing that was a smidge irritating is the two finger swipe you use to scroll. It now defaults to natural which feels completely backwards as the reverse to what you were used to under snow leopard. A quick trip to system preferences fixed that.
The Release notes make mention of two main security features Address space Layout Randomisation (ASLR). Something that has been available in a number of operating systems for a while makes it way to the MAC. By randomising the memory locations where key data is stored it should make it a little bit more difficult to do things like buffer overflows. The second feature is probably a bit more useful which is application sandboxing. Applications are in a contained environment and are prevented from doing evil things. How effective these two measures are I guess we will see in the weeks to come as more people have a play with the product. The updates to Safari also mean that web pages and browser based applications are sandboxed.
-- Mark --
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This one started with ISC reader Lorenzo spotting a suspicious EXE download in his proxy logs. Sorting and analyzing the logs further led him to the page that actually triggered the download... and from there, he discovered a slice of what is behind those poisoned Google Image Searches that we covered earlier.
In a nutshell, there are websites running PHP, and a vulnerable version of (what we believe so far) WordPress or Joomla.
Once hacked, the bad guys add some custom malicious PHP.
The custom PHP uses Google Trends and other web sites with trending statistics to find out what people currently are interested in. Out of this, the PHP generates lots of links for these topics, pointing to itself and other similarly infected pages. Politely enough, the current version of the PHP keeps a log file of sorts of its activity .. and this log file is accessible, looking something like this (defanged to keep your anti-virus from panicking :)
a href=http://domain-removed/js/ajax.php?p=social-security-checkssocial security checks

a href=http://domain-removed/js/ajax.php?p=rebecca-naleparebecca nalepa

a href=http://domain-removed/js/ajax.php?p=droid-bionicdroid bionic

a href=http://domain-removed/js/ajax.php?p=marilyn-monroe-statuemarilyn monroe statue

a href=http://domain-removed/js/ajax.php?p=murdochmurdoch

a href=http://domain-removed/js/ajax.php?p=facebookfacebook

a href=http://domain-removed/js/ajax.php?p=iphone-5-release-dateiphone 5 release date

a href=http://domain-removed/js/ajax.php?p=men-of-a-certain-agemen of a certain age

a href=http://domain-removed/js/ajax.php?p=george-anthonygeorge anthony

a href=http://domain-removed/js/ajax.php?p=toshiba-thrivetoshiba thrive
One thing in common is the ?p=trendy-topic. If you search, for example, for
inurl:?p=casey-anthony inurl:php
in Google, chances are that a good bunch of the results are actually infected web sites. BEFORE YOU GO THERE: These search results are highly likely to return MALICIOUS content. As they say on TV: Don't try this at home, kids! As I say off TV: If you brick your PC or blackout your company, don't blame ME!
One of the search results, for example, is blog. ccdex.com/wp-admin/rtl.php?p=casey-anthony-jurors
In this case, you would go to blog. ccdex.com/wp-admin/log
... and lookie what you find: A long list of trending topics and other infected domains.
After trying a handful of these domains manually, Lorenzo wrote a script that recursively requested the log files, parsed them, and requested the log files of the domains mentioned within the log, etc... The result are currently about 100 domains that are hacked, and used to poison the search results.
Our investigation is still ongoing, if we find any further clues, we'll update this diary. If you have been analyzing the same thing in the past days, please share what you found so far.


(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Dan wrote in with some interesting results after a co-worker reported an unusual error.
Is anyone else having similar problems/results?
A dns lookup shows the NS records pointing to servers at JOMAX.NET





$ dig search.live.com

DiG 9.7.0-P1 search.live.com

-HEADERsearch.live.com



. IN ANSWER SECTION:

search.live.com



. 60 IN A 69.25.212.52

search.live.com



. 60 IN A AUTHORITY SECTION:

search.live.com



. 65535 IN NS WSC2.JOMAX.NET



.

search.live.com



. 65535 IN NS WSC1.JOMAX.NET

MSG SIZE rcvd: 121



A whois on live.com



is very interesting as well:



~$ whois live.com



Whois Server Version 2.0



Domain names in the .com and .net domains can now be registered

with many different competing registrars. Go to http://www.internic.net



for detailed information.



Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM



IP Address: 69.41.185.200

Registrar: TUCOWS.COM



CO.

Whois Server: whois.tucows.com



Referral URL: http://domainhelp.opensrs.net



Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM



IP Address: 209.85.6.100

Registrar: ENOM, INC.

Whois Server: whois.enom.com



Referral URL: http://www.enom.com

Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM

IP Address: 80.190.192.39

Registrar: EPAG DOMAINSERVICES GMBH

Whois Server: whois.enterprice.net





Referral URL: http://www.enterprice.net

Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM

IP Address: 80.190.192.39

Registrar: EPAG DOMAINSERVICES GMBH

Whois Server: whois.enterprice.net





Referral URL: http://www.enterprice.net

Domain Name: LIVE.COM

Registrar: CSC CORPORATE DOMAINS, INC.

Whois Server: whois.corporatedomains.com





Referral URL: http://www.cscglobal.com

Name Server: NS1.MSFT.NET

Name Server: NS2.MSFT.NET

Name Server: NS3.MSFT.NET

Name Server: NS4.MSFT.NET

Name Server: NS5.MSFT.NET





Status: clientDeleteProhibited

Status: clientTransferProhibited

Status: clientUpdateProhibited

Updated Date: 08-apr-2009

Creation Date: 28-dec-1994

Expiration Date: 27-dec-2017



Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC
Dan followed up with:


Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results. Other name servers I checked (OpenDNS, ATT) looked okay. As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.


Something doesn't smell right about this.
Indeed
Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Yesterday, I wrote about all the great things Apple did to improve security in its new operating system. Today however, we got a new, and quite different, vulnerability. It turns out that the firmware in Apple's laptop batteries is secured with a default passwords. An attacker would be able to use this password to change the battery firmware or settings, permanently ruining the battery. So its more of a denial of service attack. Persistent malware should be possible but it is not clear how much access it would have to the system.
It is always amazing what devices have firmware which may be manipulated by an attacker. I remember a while back a firmware update for the display port to VGA addapter. If there is a firmware update, there is always a change for a malicious firmware install. Recently, we talked about thunderbolt, Intel's new interface standard that provides direct bus access similar to Firewire. Thunderbolt cables are fare removed from pairs of copper we are used to. Instead, each thunderbolt cable has active circuits, and you guessed it, firmware embedded in the connector.
A malicious thunderbolt cable could potentially have direct access to system memory and disk.
http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Once you are over the online install experience, the upside down mouse gestures and all the other bling that comes as part of OS X Lion, it is time to look at what has changed from a security point of view. Apple doesn't exactly advertise security features, but Lion provides some significant security improvements.
Just an important note: Lion is just a day old now, so a lot of these features haven't exactly been tested yet by the large masses of users.
Address Space Layout Randomization (ASLR)
ASLR will make exploiting vulnerabilities significantly harder. In itself, it doesn't prevent any vulnerabilities. Snow Leopard introduced ASLR, but limited it to libraries. ASLR on Snow Leopard also missed randomizing the stack and the heap.
Automatic Security Updates
In Snow Leopard, like in most other operating systems, the user was told about updates, but had to manually approve / install them. In Lion, this is all going to happen behind the scenes. We will have to see how well this works as automatic or unmanaged updates may of course break incompatible applications
Sandboxing
Sandboxing is supposed to limit how individual applications can affect each other, and the underlying system. In particular for Safari it will be interesting how well this works and if it prevents exploitation of some vulnerabilities. Safari itself is even split into different parts and javascript or plugins will run in its own sandbox.
Encrypted Backups
Time machine backups can now be encrypted.
Air Drop
Air drop sounds a bit dangerous, and we will have to revisit this protocol. It essentially allows setting up quick peer-to-peer networks to exchange files. However, the file transfer is TLS encrypted according to Apple and authenticated using the users Apple ID (which has always been available as a client certificate). It also appears to set up appropriate firewall rules. Looks like they did think about the important issues, but this is very much a topic that needs further testing.
File Vault 2
The original file vault feature in Snow Leopard only encrypted the users home directory. It was rather clunky and didn't interoperate well with time machine. File Vault 2 implements full disk encryption. In addition, a number of additional features are implements. For example, one can instantly wipe the disk by deleting the key. If a users is afraid of losing the key, the key can be escrowed with Apple. Initial performance test have been pretty good.
Update: After experimenting with File Vault 2, I found that it can only be used if the installer was able to create a recovery partition, which it didn't do in my case. Also, File Vault 2 is encrypting the partition, not the entire disk like other products (e.g. PGP).
Privacy
Lion uses refined privacy preferences in particular limiting the access to location information
Apple ID for authentiation
Not sure Air Drop, but other authentication features leverage your Apple ID. As you sign up for an apple id, Apple will create a client certificate for you that you can now use to authenticate for file sharing, iChat and Screen Sharing. The certificate has existed in the past, and was used in iChat. But now it is used by other features of the OS.
Complete Feature List:http://www.apple.com/macosx/whats-new/features.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status