
SANS Technology Institute

Group Discussion/Written Project

GIAC Enterprises Downadup Incident

3/1/2009

Tim Proffitt Seth Misenar John Jarocki

Table of Contents

Executive Summary
Introduction
Detection Techniques
Detection Testing Results and Certainty
Top Three Recommendations
Conclusion
References
GIAC Enterprises Project Plan

Executive Summary

The malware of 2009 is not the viruses of 10 years ago, where the threat was a rebooting computer or a corrupted hard drive. Malware of the present is designed to steal your information assets, take control of your infrastructure, join a botnet, or carry out a host of other criminal activities. On April 8, 2008, Symantec Corp. reported in its semiannual report on the state of security that its malware tally topped 1 million for the first time in the second half of 2007, as the number of new malicious code threats skyrocketed. Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone. Nearly two-thirds of all the threats that Symantec has ever uncovered have been found since 2007 (Turner, 2008). The trend in these statistics makes it difficult to believe that traditional antivirus solutions will be sufficient to mitigate malware variants. This should be an alarming statistic for GIAC Enterprises or any organization with information to protect.

GIAC Enterprises has provided a secure web application and backend database infrastructure for the workforce to submit and process intellectual property. Although this does provide a layer of defense, it does not protect GIAC Enterprises from all attack vectors. One such attack vector, which is the focus of this report, is malware. In this report we recommend several solutions that GIAC Enterprises can use to protect its information systems. First, the report outlines the various techniques and tools used to detect Downadup malware. Second, as requested, the tiger team has identified three recommendations for the prevention of malware at GIAC Enterprises. Additionally, several general malware prevention solutions are documented for future initiatives as GIAC Enterprises experiences success and growth.

Introduction

GIAC Enterprises has tasked our group with developing an approach for dealing with malware. In particular, GIAC is concerned with determining: whether they are currently infected with Downadup (a.k.a. Conficker); three recommended techniques that could be employed to prevent future malware infections; and a project plan associated with the implementation of these recommendations. While detection and prevention of malware is not an exact science, some basic measures can certainly be employed to mitigate the threat of initial infection and propagation.

Detection Techniques

The Downadup worm and its variants (Downadup.A, Downadup.B, Downadup.B++) have been highly successful at infecting large numbers of hosts due to a combination of both old and new techniques of propagation, survivability, and self-updating. Some of the specific features that enabled Downadup's growth include (Porras, Saidi, Yegneswaran, 2009):

1. Remote exploitation of a fairly recent RPC-DCOM vulnerability (MS08-067), followed by patching that exploit in memory (netapi32.dll).
2. Injection of the worm into a critical system process (services.exe).
3. Detection of attempts to remotely exploit a Downadup-patched system, and use of these attempts as a peer-to-peer update communication channel.
4. Multiple propagation methods, including direct remote MS08-067 exploitation, propagation via NetBIOS shares (using brute-force password attempts), and creation of autorun.inf files to infect via attached USB devices or other removable media.
5. Manipulation of Universal Plug and Play (UPnP) to modify the local Internet gateway so that remote computers can connect to the locally installed HTTP server.
6. Patching of DNS APIs in memory to monitor and prevent access to security software update sites.
7. Authentication of new worm code updates through the use of digital signatures.

Although these variants have been successful, an organization patched for MS08-067, using strong passwords, with firewalls that do not allow inbound connections or self-modification via UPnP, and with Windows AutoRun disabled should have minimal risk of Downadup infections. Although we cannot be 100% sure there has not been an infection, we can recommend some techniques for detecting infected hosts and preventing future infections. At the request of the CIO, the team implemented several techniques to attempt to detect the presence of Downadup-infected hosts.

Tasks Executed:

- Ran a full virus scan of GIAC Enterprises systems using the existing antivirus solution. This scan was run overnight to minimize impact to workers processing fortune cookie sayings.

- Searched for scheduled tasks of the form "rundll32.exe.*" (W32.Downadup.B, 2008), using a list of GIAC systems to inspect in hosts.txt:

  wmic /node:@hosts.txt job where (command like "rundll32.exe%") list /format:csv

- Checked for systems that were vulnerable because they did not have the MS08-067 patch installed (Microsoft Security Bulletin MS08-067, 2008). The following wmic command creates a report of all hosts that have the Windows XP version of the patch applied (KB958644); a host from hosts.txt that is absent from the report either lacks the patch or could not be queried, and needs follow-up either way:

  wmic /node:@hosts.txt qfe where hotfixid="KB958644" list brief /format:HTABLE > ms08-067-xp.html

- Checked for disabled services (Error Reporting Service, BITS, Automatic Updates, Windows Defender), which Downadup is known to disable:

  wmic /node:@hosts.txt service where (name="ERSvc" OR name="BITS" OR name="Wuauserv" OR name="WinDefend") get name,state /format:HTABLE > services.html

- Looked for increased network congestion via network monitoring tools (netflow, firewalls).

- Checked for failed logins, account lockouts, and lockout resets in Windows Domain Controller event logs.

- Checked whether System Restore Points have been disabled. On a system where these are enabled, one or more restore points will be listed by the following command; otherwise the string "No Instance(s) Available." is printed (zeraphis, 2005):

  wmic /namespace:\\root\default path SystemRestore get | find "No Instance"

- Deployed IDS signatures for detection of Downadup as well as other known malware signatures.

- Reviewed firewall logs for evidence of outbound propagation traffic or attempts to open ports via UPnP.
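The HTML reports produced above list the hosts that responded; the hosts a responder actually needs are the ones that did not report the patch, or reported a stopped service, or did not answer at all. The following is an added example, not part of the original report, that works this out offline from the /format:csv form of the same wmic queries; hosts.txt and all wmic output in it are constructed samples.

```python
"""Offline triage of wmic CSV output from the Downadup checks.

Added example, not part of the original report. It works on the /format:csv
form of the wmic QFE and service queries above and answers what the HTML reports
leave to the reader: which queried hosts did NOT report KB958644, and which hosts
have a service Downadup disables in a non-running state. All sample output below
is constructed for illustration, not captured from GIAC systems.
"""
import csv
import io

# Stands in for hosts.txt: the hosts the wmic /node:@hosts.txt queries targeted.
HOSTS = ["WS01", "WS02", "WS03", "SRV01"]

# Constructed output of: wmic /node:@hosts.txt qfe where hotfixid="KB958644" list brief /format:csv
# (real output has more columns; wmic emits a leading blank line and a Node column first).
QFE_CSV = """
Node,Description,HotFixID,InstalledOn
WS01,Security Update,KB958644,10/24/2008
WS03,Security Update,KB958644,10/24/2008
"""

# Constructed output of: wmic /node:@hosts.txt service where (...) get name,state /format:csv
# SRV01 returns no rows at all, as an unreachable host ("RPC server is unavailable") would.
SERVICES_CSV = """
Node,Name,State
WS01,BITS,Running
WS01,ERSvc,Running
WS01,WinDefend,Running
WS01,wuauserv,Running
WS02,BITS,Stopped
WS02,ERSvc,Stopped
WS02,wuauserv,Stopped
WS03,BITS,Running
WS03,ERSvc,Running
WS03,WinDefend,Running
WS03,wuauserv,Running
"""

# The four services Downadup disables, lower-cased because WMI names are case-insensitive.
WATCHED_SERVICES = {"ersvc", "bits", "wuauserv", "windefend"}


def parse_wmic_csv(text):
    """Return wmic /format:csv rows as dicts, skipping the leading blank line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def hosts_not_reporting(hosts, text):
    """Hosts with no row at all (unreachable, access denied, WMI broken): follow up by hand."""
    seen = {row["Node"] for row in parse_wmic_csv(text)}
    return sorted(h for h in hosts if h not in seen)


def hosts_missing_patch(hosts, qfe_text, hotfix="KB958644"):
    """Hosts that did not report the hotfix; includes unreachable hosts, so cross-check
    with hosts_not_reporting() before calling a host unpatched."""
    patched = {row["Node"] for row in parse_wmic_csv(qfe_text) if row["HotFixID"].upper() == hotfix}
    return sorted(h for h in hosts if h not in patched)


def hosts_with_stopped_services(services_text, watched=WATCHED_SERVICES):
    """Map host -> watched services not Running. A stopped service has benign causes too,
    so these are leads to investigate, not verdicts."""
    stopped = {}
    for row in parse_wmic_csv(services_text):
        if row["Name"].lower() in watched and row["State"] != "Running":
            stopped.setdefault(row["Node"], []).append(row["Name"])
    return {host: sorted(names) for host, names in stopped.items()}
```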

Detection Testing Results and Certainty

The results of our testing did not indicate the presence of Downadup infection, propagation, or post-infection communication at GIAC Enterprises. Although this is excellent news, we cannot state with 100% certainty that an infection has not occurred, because of the built-in fallibility of each test coupled with the base-rate fallacy (Axelsson, 2000). This is a result from Bayesian statistics: the reliability of a positive result from any detection technique depends on a combination of two factors:

1. The likelihood of an occurrence in the general population (in this case, what percentage of hosts connected to the Internet, directly or indirectly, are infected with Downadup), and

2. The accuracy of the particular test itself. For example, if a service that we test for could be disabled for reasons other than Downadup, then our test does not have a high fidelity.

Although calculating the true detection rate of our tests is outside the scope of this assignment, we accept that 100% accuracy is neither possible nor required to allow us to state with reasonable certainty that GIAC Enterprises has not been infected with Downadup. Finally, we should note that this investigation was prompted by a notification to the GIAC Enterprises CIO from a peer who received an email, apparently from the CIO, that was marked as infected with Downadup. We obtained a sample of this email, including full header information. Our review of the headers showed that this email was spam, spoofed to appear to come from our CIO's email account. Additionally, the currently known Downadup worm variants have multiple propagation vectors, but none of them include transmission via email (Porras et al., 2009).
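The arithmetic behind this caveat, as an added example that is not part of the original report: a positive result is worth less when infection is rare among the hosts tested, and a run of negatives is worth more the fewer infections each test misses. Every rate in it is a constructed assumption, not a measured property of any real check.

```python
"""Base-rate arithmetic behind the certainty statement.

Added example, not part of the original report. It applies Axelsson's base-rate
fallacy to the Downadup checks: what a positive result is worth depends on how common
infection is among the hosts tested, and what a run of all-negative results is worth
depends on the tests' miss rates. Every number below is a constructed assumption for
illustration, not a measured rate for GIAC Enterprises or any real detection technique.
"""


def _check_rates(*rates):
    for r in rates:
        if not 0.0 < r < 1.0:
            raise ValueError("rates must lie strictly between 0 and 1: %r" % (r,))


def positive_predictive_value(prevalence, sensitivity, false_positive_rate):
    """P(infected | test positive), by Bayes' theorem.
    prevalence: fraction of tested hosts actually infected (the base rate);
    sensitivity: P(positive | infected); false_positive_rate: P(positive | clean)."""
    _check_rates(prevalence, sensitivity, false_positive_rate)
    true_pos = prevalence * sensitivity
    false_pos = (1.0 - prevalence) * false_positive_rate
    return true_pos / (true_pos + false_pos)


def negative_predictive_value(prevalence, sensitivity, false_positive_rate):
    """P(not infected | test negative): what a single clean result is worth."""
    _check_rates(prevalence, sensitivity, false_positive_rate)
    true_neg = (1.0 - prevalence) * (1.0 - false_positive_rate)
    false_neg = prevalence * (1.0 - sensitivity)
    return true_neg / (true_neg + false_neg)


def residual_infection_probability(prevalence, tests):
    """P(infected) after every test in `tests` (sensitivity, false_positive_rate pairs)
    came back negative. Each negative multiplies the prior odds by its likelihood ratio
    (1 - sensitivity) / (1 - false_positive_rate). Treating the tests as conditionally
    independent is itself an assumption: a stopped-service check and an IDS signature
    can both miss the same evasive variant."""
    _check_rates(prevalence)
    odds = prevalence / (1.0 - prevalence)
    for sensitivity, fpr in tests:
        _check_rates(sensitivity, fpr)
        odds *= (1.0 - sensitivity) / (1.0 - fpr)
    return odds / (1.0 + odds)


# Constructed assumptions for three of the checks run above (sensitivity, false positive rate).
SERVICE_CHECK = (0.90, 0.05)  # disabled services: 5% of clean hosts have one stopped anyway
TASK_CHECK = (0.95, 0.01)     # rundll32 scheduled-task search: sharper, few benign hits
IDS_CHECK = (0.80, 0.10)      # IDS signatures for MS08-067 exploit traffic

if __name__ == "__main__":
    # Same service check, two base rates: at 1% prevalence most alerts are false alarms.
    for prevalence in (0.01, 0.50):
        ppv = positive_predictive_value(prevalence, *SERVICE_CHECK)
        print("prevalence %.0f%%: P(infected | service stopped) = %.3f" % (prevalence * 100, ppv))
    left = residual_infection_probability(0.01, [SERVICE_CHECK, TASK_CHECK, IDS_CHECK])
    print("P(infected | all three checks negative) = %.2e" % left)
```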

Prevention Techniques

Because attackers are able to craft malicious code capable of bypassing antivirus detection more easily and effectively, and because targeted attacks are increasingly affecting small to medium enterprises such as GIAC Enterprises, it is imperative that GIAC Enterprises employ additional malware prevention techniques. While Conficker/Downadup serves as an especially salient example of such malware, the prevention techniques outlined below are more widely applicable than to one piece of malicious code.

The goal of this phase is to provide recommendations for such preventative techniques and technologies. Though GIAC Enterprises has asked for three recommendations, we thought it prudent to highlight additional methods that could be employed should management determine more or fewer resources are able to be dedicated to this project. However, enumeration of the three most highly recommended prevention techniques will certainly be provided. Also, we would be remiss not to mention that though preventing infection is a most laudable goal, building an infrastructure that supports and provides a facility for detection of malware infection is considerably more important; "prevention is ideal, but detection is a must" (Cole, p. 15, 2001).

Top Three Recommendations

Patch Management - Employ a third-party patch management tool and associated process for ensuring the prompt deployment of patches for applications installed throughout the enterprise. Although tools such as the free Windows Software Update Services (WSUS) from Microsoft are increasingly common in small to medium enterprises such as GIAC, focusing only on Microsoft patches is no longer sufficient. In part because of our facility for blocking infiltration via the perimeter, attackers are trending toward a focus on client-side applications (Turner, 2008). In addition, although 0-day exploits have received more press in recent years, the fact remains that the overwhelming majority of exploitations target a known vulnerability for which a patch exists. GIAC Enterprises should evaluate third-party patch management solutions capable of timely distribution of patches for the applications used throughout the environment, which would help prevent malware infections that exploit known vulnerabilities.

Secure Baseline Configurations - Standardize on hardened baseline configurations derived from industry best practices. Although all systems and applications should have a secure baseline configuration that is used consistently throughout the enterprise, the most important items to address initially are a base secure desktop configuration and a base secure server configuration. Hardened configurations specific to databases, network gear, mail, and web servers are certainly important, but ensuring that the basic desktop and server configurations represent sound starting points is key. A hardened baseline configuration can greatly reduce exposure to malware infection by limiting the potential vulnerability touch points.

Security Awareness Training/Acceptable Use Policy - Provide continuously updated security awareness training to all members of the GIAC Enterprises workforce, and ensure our Acceptable Use Policy (AUP) is strict enough to preclude actions commonly associated with malware infection. Most organizations do a poor job of making their workforce aware of security issues. End-users are not only a common attack vector but, if properly trained and empowered, can also serve as members of the security team. A more knowledgeable workforce can serve as a first line of detection of security incidents. Well-intentioned users, if properly trained, are also less likely to engage in behaviors that might lead to malware infection. In addition to the base Security Awareness Training, GIAC Enterprises should also have a clear Acceptable Use Policy that makes obvious what actions are expected and prohibited.

Additional Recommendations

Egress Filtering - Where possible, and certainly at the network perimeter, employ egress filtering that allows only business-necessary traffic/ports to leave the organization. Strict filtering of outbound traffic is a basic implementation of the Defense-in-Depth principle of least privilege. In addition to the obvious benefit of not acting as an agent of propagation for spreading a malware infection beyond enterprise boundaries, egress filtering can also limit the abilities of the malware itself by preventing the malicious code from receiving updated instructions or software from an external entity. Allowing only outbound traffic that is necessary for business purposes, while easy to understand, can be extremely difficult to implement for enterprises that lack sufficient understanding of what constitutes business-necessary access.

Network Access Control (NAC)/Network Access Protection (NAP) - Employ a NAC/NAP solution capable of ensuring that a node meets defined minimum security standards before it is allowed network access. Enterprises typically have less robust security against an attacker or malware infection sourced from the internal network. Sales persons, contractors, mobile employees, VPN connections, and partner networks can all serve as sources of malware propagation or attack. Although the details and functionality vary across vendors, NAC/NAP typically provides a facility by which some level of scrutiny can be placed on the security of an endpoint device before it is allowed access to the internal network. Possible functionality includes: determining whether OS patches are up to date; determining whether the latest antivirus signatures are installed; running a lightweight vulnerability scan against the host; checking for backdoor ports; determining whether the device is a known corporate asset; and checking for specific services. Some of this functionality depends on the ability to authenticate to the endpoint system, which precludes a detailed posture assessment of external entities. NAC/NAP can prevent malware infections by denying network access to an infected agent.

Internal Network Security - Provide security segmentation via internal firewalls or VLAN-based Access Control Lists (ACLs). Most organizations employ a Uniform Protection approach to Defense-in-Depth, which is particularly vulnerable to an internal attack (Cole, Fossen, Northcutt, Wright, p. 25, 2008). Internal firewalls can be employed to limit internal network traffic to only that which is business necessary. Due to the cost of acquiring and managing internal firewalls, switch-based VLAN Access Control Lists could be leveraged instead to limit network traffic. When designing this solution, attention should be paid to zones of security and trust. Adopting this approach to internal network security could help limit the spread of a malware infection to a particular network segment should any attached endpoint become infected.

Company Managed Equipment - If 1099 workers are, or become, a considerable threat vector, then company-managed equipment could be deployed to ensure that consistent security configurations and controls are employed uniformly. Greater control over contractor equipment can help to prevent infection of the systems used by the contractor, as well as infections of internal systems sourced from contractor equipment.

Intrusion Prevention Systems (IPS) - Employ an Intrusion Prevention System in blocking mode capable of selectively preventing malware propagation over the network. If not already in place, an IPS could help to prevent malware infections that occur via the network. The ability of an IPS to mitigate this risk is entirely dependent upon its network placement and the vector being used for exploitation.

Limit administrative privileges - Highly privileged accounts should be limited to those that absolutely require administrative rights for normal operational activities. Although limiting administrative privileges can be considered a component of an overall secure baseline configuration strategy, it is important enough to warrant a separate line item. Quite often the exploitation of vulnerabilities only provides the attacker with the privileges of the user that started the exploited process. With greater attention being paid to client applications, limiting administrative privileges is of even greater importance.

Conclusion

GIAC Enterprises tasked our group with developing an approach for dealing with malware. Of particular import to GIAC was the initial determination of whether or not GIAC systems had been compromised by Downadup. We first highlighted numerous no-cost detection techniques, all of which yielded no evidence of compromise. Indeed, the only suggestion of compromise via Downadup was an email message that was supposedly sent from GIAC Enterprises' CIO. Although we cannot state with absolute certainty that GIAC is without infection, it is our opinion that Downadup infection is very unlikely. An additional component of this project was developing three recommendations for GIAC to prevent future malware infections. In order to bolster GIAC's ability to prevent infection via malware, we suggest: a more systematic patch management solution and process; developing secure baseline configurations for GIAC systems and applications; and updating and delivering security awareness training and an acceptable use policy. A project plan for the implementation of these three approaches has been included as Appendix A. Beyond the top three recommendations, we have also provided additional approaches that could be leveraged by GIAC for the prevention of general malware infections. In conclusion, while we found no evidence of infection via Downadup, this scare, while unfounded, can be used as a stimulus to update GIAC's security infrastructure to prevent infections in the future.

References

Axelsson, S. (2000). The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC), 3, 186-205.

Cole, E. (2001). Hackers Beware: The Ultimate Guide to Network Security. Indianapolis, IN: SAMS Publishing.

Cole, E., Fossen, J., Northcutt, S., & Wright, J. (2008, October). Security 401: Security Essentials Bootcamp - 401.2. Bethesda, MD: SANS Institute.

Microsoft Security Bulletin MS08-067 (2008, October 23). Critical Vulnerability in Server Service Could Allow Remote Code Execution (KB958644). Retrieved February 28, 2009, from Microsoft web site: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Porras, P., Saidi, H., & Yegneswaran, V. (2009, February 21). An Analysis of Conficker's Logic and Rendezvous Points. Retrieved February 28, 2009, from SRI International web site: http://mtc.sri.com/Conficker

Salusky, W. (2009, January 12). Downadup / Conficker - MS08-067 exploit and Windows domain account lockout. Retrieved February 28, 2009, from SANS ISC web site: http://isc.sans.org/diary.html?storyid=5671

Turner, D. (Ed.) (2008, April). Symantec Global Internet Security Threat Report. Symantec Internet Security Threat Report, XIII. Retrieved from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf

W32.Downadup.B (2008, December 31). Retrieved March 1, 2009, from Symantec Security Response web site: http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

zeraphis (2005, July). Sysprep changes settings (WLAN for instance). Retrieved March 1, 2009, from PC Review web site: http://www.pcreview.co.uk/forums/thread-613576.php

GIAC Enterprises Project Plan

Sponsor: GIAC CIO

Scope: This project will implement the top three recommendations proposed by the tiger team to prevent malware such as, but not limited to, Downadup while still allowing the growth of the business.

1) Phase: Patch Management Process
Start date: 3/1/2009
End date: 5/1/2009

Tasks:
- Research patch management solutions according to scope
- Craft patch management policies and procedures
- Beta test chosen solution in GIAC environment
- Purchase solution
- Deploy solution
- Implement patch management life cycle

Milestones:
- Purchase solution
- Deployed solution

Resources:
- System Administrators for implementation
- CIO or IT director for policy creation
- Finance for purchasing

2) Phase: Implement Hardening Templates
Start date: 4/1/2009
End date: 6/1/2009

Tasks:
- Obtain / craft hardening guides and templates
- Craft security policies / standards for hardening systems
- Perform gap analysis
- Identify exceptions
- Implement security configuration changes to systems
- Audit systems for compliance with templates
- Remediate

Milestones:
- Gap analysis
- Audit for compliance

Resources:
- SME or Security staff
- System Administrators for implementation
- CIO or IT director for policy creation

3) Phase: Implement Security and Awareness Training with AUP
Start date: 5/1/2009
End date: 6/1/2009

Tasks:
- Purchase / craft security and awareness training materials
- Craft security policies around attendance and recurrence
- Define mechanisms of communication / presentation
- Present the training
- Audit for complete attendance

Milestones:
- Obtain complete training materials
- Present training to users

Resources:
- Security Staff for curriculum
- Company trainers if available
- CIO or IT director for policy creation