Post on 08-Sep-2018


    SANS Technology Institute Group Discussion/Written Project

    GIAC Enterprises Downadup Incident

    3/1/2009

    Tim Proffitt, Seth Misenar, John Jarocki

    Table of Contents

    Executive Summary ..... 3
    Introduction ..... 3
    Detection Techniques ..... 3
    Detection Testing Results and Certainty ..... 5
    Top Three Recommendations ..... 6
    Conclusion ..... 9
    References ..... 10
    GIAC Enterprises Project Plan ..... 11

    Executive Summary

    The malware of 2009 is not the viruses of 10 years ago, when the threat was a rebooting computer or a corrupted hard drive. Malware of the present is designed to steal your information assets, take control of your infrastructure, join a botnet, or support a host of other criminal activities. On April 8, 2008, Symantec Corp. reported in its semiannual report on the state of security that its malware tally had topped 1 million for the first time, in the second half of 2007, as the number of new malicious code threats skyrocketed. Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone. Nearly two-thirds of all the threats that Symantec has ever uncovered have been found since 2007 (Turner, 2008). The trend in these statistics makes it difficult to believe that traditional antivirus solutions will be sufficient to mitigate malware variants. This should be an alarming statistic for GIAC Enterprises or any organization with information to protect.

    GIAC Enterprises has provided a secure web application and backend database infrastructure for the workforce to submit and process intellectual property. Although this does provide a layer of defense, it does not protect GIAC Enterprises from all attack vectors. One such attack vector, which is the focus of this report, is malware. In this report we recommend several solutions that GIAC Enterprises can use to protect its information systems. First, the report outlines the various techniques and tools used to detect Downadup malware. Second, as requested, the tiger team has identified three recommendations for preventing malware at GIAC Enterprises. Additionally, several general malware prevention solutions are documented for future initiatives as GIAC Enterprises experiences success and growth.

    Introduction

    GIAC Enterprises has tasked our group with developing an approach for dealing with malware. In particular, GIAC is concerned with determining whether it is currently infected with Downadup (a.k.a. Conficker); three recommended techniques that could be employed to prevent future malware infections; and a project plan for implementing these recommendations. While detection and prevention of malware is not an exact science, some basic measures can certainly be employed to mitigate the threat of initial infection and propagation.

    Detection Techniques

    The Downadup worm and its variants (Downadup.A, Downadup.B, Downadup.B++) have been highly successful at infecting large numbers of hosts due to a combination of both old and new techniques of propagation, survivability, and self-updating. Some of the specific features that enabled Downadup's growth include (Porras, Saidi, Yegneswaran, 2009):

    1. Remote exploitation of a fairly recent RPC-DCOM vulnerability (MS08-067), followed by patching the exploited code in memory (netapi32.dll).

    2. Injection of the worm into a critical system process (service.exe).

    3. Detection of attempts to remotely exploit an already Downadup-patched system, and use of this as a peer-to-peer update communication channel.

    4. Multiple propagation methods, including direct remote MS08-067 exploitation, propagation via NetBIOS shares (using brute-force password attempts), and creation of autorun.inf files to infect via attached USB devices or other removable media.

    5. Manipulation of Universal Plug and Play (UPnP) to modify the local Internet gateway so that remote computers can connect to the locally installed HTTP server.

    6. Patching of DNS APIs in memory to monitor and prevent access to security software update sites.

    7. Authentication of new worm code updates through the use of digital signatures.

    Although these variants have been successful, an organization patched for MS08-067, using strong passwords, with firewalls that do not allow inbound connections or self-modification via UPnP, and with Windows AutoRun disabled should have minimal risk of Downadup infections. Although we cannot be 100% sure there has not been an infection, we can recommend some techniques for detecting infected hosts and preventing future infections. At the request of the CIO, the team implemented several techniques to attempt to detect the presence of Downadup-infected hosts.

    Tasks Executed:

    - Ran a full virus scan of GIAC Enterprise systems using the existing antivirus solution. This scan was run overnight, to minimize impact to workers processing fortune cookie sayings.

    - Searched for scheduled tasks whose command line invokes rundll32.exe, using a list of GIAC systems to inspect in hosts.txt (W32.Downadup.B, 2008):

    wmic /node:@hosts.txt job where (command like "%rundll32.exe%") list /format:csv

    - Checked for systems that were vulnerable because they did not have the MS08-067 patch installed (Microsoft Security Bulletin MS08-067, 2008). The following wmic command creates a report of all hosts that have the Windows XP version of the patch applied (KB958644):

    wmic /node:@hosts.txt qfe where hotfixid="KB958644" list brief /format:HTABLE > ms08-067-xp.html

    - Checked for disabled services (Error Reporting Service, BITS, Automatic Updates, Windows Defender):

    wmic /node:@hosts.txt service where (name="ERSvc" OR name="BITS" OR name="Wuauserv" OR name="WinDefend") get name, state /format:HTABLE > services.html

    - Looked for increased network congestion via network monitoring tools (netflow, firewalls).

    - Checked for failed logins, account lockouts, and lockout resets in Windows Domain Controller event logs.

    - Checked whether System Restore Points have been disabled. On a system where these are enabled, one or more restore points will be listed by the following command; otherwise, the string "No Instance(s) Available." is printed (zeraphis, 2005):

    wmic /namespace:\\root\default path SystemRestore get | find "No Instance"

    - Deployed IDS signatures for detection of Downadup as well as other known malware signatures.

    - Reviewed firewall logs for evidence of outbound propagation traffic or attempts to open ports via UPnP.

    Detection Testing Results and Certainty

    The results of our testing did not indicate the presence of Downadup infection, propagation, or post-infection communication at GIAC Enterprises. Although this is excellent news, we cannot state with 100% certainty that an infection has not occurred, because of the built-in fallibility of each test coupled with the base-rate fallacy (Axelsson, 2000). This is a phenomenon of Bayesian statistics: the probability that a positive result from any detection technique is a true positive depends on a combination of two factors:

    1. The likelihood of an occurrence in the general population (in this case, what percentage of hosts connected to the Internet, directly or indirectly, are infected with Downadup), and

    2. The accuracy of the particular test itself. For example, if a service that we test for could be disabled for reasons other than Downadup, then our test does not have a high fidelity.
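The two factors above combine through Bayes' theorem. The following Python, added here and not part of the report, computes the belief that a host is infected after one positive check and the residual risk that remains after a series of negative checks; the prevalence, sensitivity and false-positive figures are constructed illustrations, not measurements from GIAC Enterprises.

```python
def posterior_infected(prior, sensitivity, false_positive_rate, result_positive=True):
    """P(infected | test result) via Bayes' theorem.

    prior:               assumed fraction of hosts infected before the test (base rate)
    sensitivity:         P(test positive | infected)
    false_positive_rate: P(test positive | clean), e.g. a service stopped for a
                         benign reason still trips the "disabled service" check
    """
    if result_positive:
        p_given_infected, p_given_clean = sensitivity, false_positive_rate
    else:
        p_given_infected, p_given_clean = 1.0 - sensitivity, 1.0 - false_positive_rate
    numerator = prior * p_given_infected
    denominator = numerator + (1.0 - prior) * p_given_clean
    return numerator / denominator if denominator else 0.0


def residual_risk_after_negatives(prior, tests):
    """Belief that a host is still infected after every test in `tests` came back
    negative. Each posterior becomes the prior of the next test, which assumes the
    tests fail independently of one another (an idealisation)."""
    belief = prior
    for sensitivity, false_positive_rate in tests:
        belief = posterior_infected(belief, sensitivity, false_positive_rate,
                                    result_positive=False)
    return belief


if __name__ == "__main__":
    # Constructed figures: 1 host in 100 infected; a 95%-sensitive check that also
    # fires on 5% of clean hosts (services disabled for unrelated reasons).
    prior, sens, fpr = 0.01, 0.95, 0.05
    print("P(infected | disabled-service check positive) = %.2f"
          % posterior_infected(prior, sens, fpr))          # 0.16, not 0.95
    # A second, more specific check (a rundll32 scheduled job; constructed figures).
    checks = [(sens, fpr), (0.90, 0.01)]
    print("P(infected | both checks negative) = %.6f"
          % residual_risk_after_negatives(prior, checks))  # small, but not zero
```

The first figure is the base-rate fallacy in numbers: a check that is right 95% of the time on infected hosts still leaves most of its positives as false alarms when infections are rare.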

    Although calculating the true detection rate of our tests is outside the scope of this assignment, we accept that 100% accuracy is neither possible nor required to allow us to state with reasonable certainty that GIAC Enterprises has not been infected with Downadup. Finally, we should note that this investigation was prompted by a notification to the GIAC Enterprises CIO from a peer who had received an email, apparently from the CIO, that was flagged as infected with Downadup. We obtained a sample of this email, including full header information. Our review of the headers showed that this email was spam, spoofed to appear to come from our CIO's email account. Additionally, the currently known Downadup worm variants have multiple propagation vectors, but none of them include transmission via email (Porras et al., 2009).

    Prevention Techniques

    Attackers being able to more easily and effectively craft malicious code capable of bypassing antivirus detection coupled with the fact that targeted attacks are increasingly impacting small to medium enterpri
