Tuesday, February 24, 2015

Noodling down in the Bayou for Superfish-like SSL Shenanigans

Come on in and get mucky. The Bayou water is cold but fine. Nothing in here that won’t probably bite you (hard enough to draw blood) or cause weird growths (on your system) if you dip in.

When we last hauled in the Superfish mess, Lenovo had ping-ponged from saying it wasn’t a problem, to conceding it was a problem, to issuing a removal tool, and now to going into apology mode.

Great. We are making progress.

Only as time goes on and the security folks noodle the bayou, they keep hauling out additional products using the same root-certificate trick, and the mess grows deeper.

I don’t Twitter but do manually follow InfoSec Taylor Swift (@SwiftOnSecurity) and found this mindful tweet in the stream:

I think it is a great point of context with all the SuperCookies, mobile-app ID trackers, and the whole Internet of Things (IoT) we now live with daily.

So where are we now with this Superfish story?

This post is excellent (and highly Valca recommended for IT readers of all age levels) to bring everyone up to speed on the dangers of third-party “enhanced” download and installer file bundling.

Even more companies are using the same technique as Superfish: installing their own root certificate on the system so they can hijack HTTPS connections, and in some cases breaking HTTPS certificate validation in the process.

The post walks through ways to check your Trusted Root Certification Authorities store and look for the HTTPS MITM hijackers it lists.

Then there are some very good recommendations and reminders for protection against that threat.
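As an added example (not code from the post linked above, nor from this blog), here is a PowerShell pass over the Windows Trusted Root stores that does two checks a practitioner would want: it flags roots whose Subject or Issuer carries one of the vendor names this page mentions (that name list is an assumption for illustration; extend it with your own intelligence), and it flags any root for which Windows also holds a private key on this machine, since a locally held root key is exactly the ingredient that makes on-box HTTPS interception possible, whatever the certificate is called. Removal is opt-in and honours -WhatIf.

```powershell
# Added example (not from the original post): audit the Windows Trusted Root
# stores for local HTTPS-interception roots of the Superfish/Komodia/PrivDog kind.
# Check 1: Subject or Issuer matches a suspect vendor name (assumed list below).
# Check 2: the root's PRIVATE key is present on this machine. A trusted root whose
#          private key lives on the endpoint can mint certificates for any site,
#          which is what makes on-box TLS interception work.
# Run from an elevated PowerShell prompt. Nothing is removed unless -Remove is
# passed, and -WhatIf is honoured even then.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed name list for illustration; add names from your own intelligence.
    [string[]]$SuspectNames = @('Superfish', 'Komodia', 'PrivDog'),
    [switch]$Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $nameHit = $SuspectNames | Where-Object {
            $cert.Subject -like "*$_*" -or $cert.Issuer -like "*$_*"
        }
        $reasons = @()
        if ($nameHit) { $reasons += "name matches: $($nameHit -join ', ')" }
        if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = $reasons -join '; '
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No suspect root certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path $f.Store $f.Thumbprint
        if ($PSCmdlet.ShouldProcess($f.Subject, "Remove from $($f.Store)")) {
            Remove-Item -Path $path
        }
    }
}
```

Save it under a name of your choosing (say Audit-RootStore.ps1) and run it elevated; `.\Audit-RootStore.ps1 -Remove -WhatIf` previews what would be deleted. A hit on the private-key check is a lead, not a verdict: corporate TLS inspection proxies and some AV web shields install exactly this kind of root on purpose, so confirm what installed it before removing. Firefox keeps its own certificate store separate from Windows, which this script does not touch, so check it separately.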

Test to see if your browser(s) are vulnerable:

Superfish, Komodia, PrivDog vulnerability test – Filippo.IO

Filippo Valsorda has coded up a page you can visit with EACH of your installed web browsers to see whether that browser trusts the Superfish, Komodia, or PrivDog root certificates (check every browser, because Firefox keeps its own certificate store separate from the Windows one). Easy to do and a great place to start assessing your system’s security.

Now for noodling in deeper waters:

Feed Me!

I want to highlight these blogs, which produced much of the research and analysis documentation listed here. Some offer RSS feeds and have ongoing posts on themes that may be useful for the for/sec crowd. I’m always on the lookout and want to draw attention to the work behind great technical writers and researchers.

Constant Vigilance!

--Claus Valca

Saturday, February 21, 2015

Time to set up a CERT/CSIRT? Yes!

One clear lesson learned organizationally from fighting a Hydra named Dyre/Dyreza/Upatre is that while an entity can have clearly defined security groups and functions, unless there is a mechanism in place to bring them all together for unified communication and intelligence sharing, coordination of response can be seriously hampered.

Precious time may be lost as each group (network ops, AV ops, board of directors, executive branch, field staff) focuses the response effort based on their skill set and operational authority.

Communications and threat intelligence may not make it to key decision-makers, general employees, or remediation responders. This can provide just enough head-room for the threat to grow, morph, and dig in.

It is mission critical that some structure be available for everyone to come together so the incident response can be coordinated and laser-focused; not just to block and remediate the incident, but to understand whether it was an opportunistic attack, collateral damage, or a probe as part of a wider and more stealthy attack campaign.

I am happy to report that efforts are now underway on the ranch to get the fencing crews, the coyote kill-squad, and the herd wranglers all talking to one-another and develop our very own CERT/CSIRT team.

To that end, I’m dropping the following linkages as a starting place for reference as the workgroup forms.

I have found these resources make an excellent starting point for gaining foundational understanding of what an effective CERT/CSIRT team looks like and the many ways it can be structured depending on the organization’s needs/limitations.

Obviously this is just the tip of the iceberg, but I have found that as my knowledge of key CERT/CSIRT concepts and terminology has grown, so has my ability to find more advanced material on particular related items of interest.

If any CERT/CSIRT team leaders or members happen to be reading GSD, I would deeply appreciate any additional resource URLs or links from you in the comments that could be valuable to those just getting started in CERT/CSIRT formation and operations.

ENISA - European Union Agency for Network and Information Security – Yes, they are from across the pond, but this is some of the very best publicly available material I have found (so far) on CERT concepts and operations.

And here are additional reading resources for CERT/CSIRT teams, ranging from basic to complex.

One crazy-big tome for Cybersecurity Operations

The SANS Institute InfoSec Reading Room (link) has lots of great material

Another training resource for CERT team-members is OpenSecurityTraining.info

One course of particular note there might be the Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review

Finally, for some “perspective” I found these posts to be insightful and encouraging as this daunting task is considered.


--Claus Valca

Fighting a Hydra named Dyre/Dyreza/Upatre

So pretty much for the past month across the ranchlands, we have been doing non-stop battle with a nasty piece of work known as Dyre/Dyreza/Upatre.

From all appearances it slipped past the security perimeter via an outside email source. Bundled with a simple social-engineering email body, the trap was laid.

Patient-zero clicked the attachment to view a “fax message” helpfully attached to the email and the game was on.

Gradually the various security and response teams were able to tighten the noose and finally gain the upper hand.

Our network deep-packet inspection tools were quickly refined and able to better home in on and identify infected systems’ communications so those systems could be targeted for remediation.

The noose tightened as our email systems were updated to filter out messages carrying these payloads before they reached employees.

Momentum mounted as our AV providers’ signature sets caught up and became sharper and significantly more effective at on-system detection.

Fast-responding network administrators were able to use the gathered incident intelligence to track down infected systems showing up in the various reports and disconnect them from the network.

Relentlessly persistent technical first-line teams were able to secure-wipe and reimage infected systems as they were detected and eventually return the users to production capability.

Passwords were changed and users of infected systems strongly encouraged to change any personal passwords as well if they had logged into any non-business secure websites – say online banking or bill-paying sites.
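The tracking step above, as an added example that is not part of the original post or of any tool named on this page: a PowerShell function that takes network-connection telemetry in the shape of Sysmon Event ID 3 (NetworkConnect) records, matches each destination address against an incident indicator list, and produces the hosts and processes to pull off the network. The event records, hostnames, file paths and indicator addresses below are all constructed for illustration (the addresses come from the RFC 5737 documentation ranges), not real Dyre/Upatre infrastructure.

```powershell
# Added example, not from the original post. Matches endpoint network telemetry
# against incident indicators to name the hosts/processes talking to attacker
# infrastructure. Event records are CONSTRUCTED, shaped like Sysmon Event ID 3
# (NetworkConnect) XML with the Windows event namespace omitted for brevity
# (PowerShell's dot-navigation ignores the default namespace on real events).
# Indicator addresses are RFC 5737 documentation addresses, not real C2.

# Constructed indicator table: destination IP -> note from the incident intel.
$indicators = @{
    '203.0.113.45' = 'constructed C2 indicator A'
    '198.51.100.7' = 'constructed C2 indicator B'
}

# Constructed sample events: one suspicious temp-folder binary hitting indicator A,
# one clean browser connection, one odd user-profile binary hitting indicator B.
$sampleEvents = @(
    '<Event><System><EventID>3</EventID><Computer>WS-ACCT-07.ranch.local</Computer></System>
     <EventData><Data Name="UtcTime">2015-02-20 14:02:11.123</Data>
     <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\fax_0392.exe</Data>
     <Data Name="ProcessId">4412</Data>
     <Data Name="DestinationIp">203.0.113.45</Data>
     <Data Name="DestinationPort">443</Data></EventData></Event>',
    '<Event><System><EventID>3</EventID><Computer>WS-ACCT-07.ranch.local</Computer></System>
     <EventData><Data Name="UtcTime">2015-02-20 14:05:40.001</Data>
     <Data Name="Image">C:\Program Files\Internet Explorer\iexplore.exe</Data>
     <Data Name="ProcessId">2200</Data>
     <Data Name="DestinationIp">192.0.2.10</Data>
     <Data Name="DestinationPort">443</Data></EventData></Event>',
    '<Event><System><EventID>3</EventID><Computer>WS-FIELD-22.ranch.local</Computer></System>
     <EventData><Data Name="UtcTime">2015-02-20 14:09:03.550</Data>
     <Data Name="Image">C:\Users\rsmith\AppData\Roaming\svchost.exe</Data>
     <Data Name="ProcessId">3108</Data>
     <Data Name="DestinationIp">198.51.100.7</Data>
     <Data Name="DestinationPort">4443</Data></EventData></Event>'
)

function Find-IndicatorHits {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][hashtable]$Indicators
    )
    foreach ($raw in $EventXml) {
        $x = [xml]$raw
        # Sysmon stores fields as <Data Name="...">value</Data>; flatten to a table.
        $fields = @{}
        foreach ($d in $x.Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        $ip = $fields['DestinationIp']
        if ($ip -and $Indicators.ContainsKey($ip)) {
            [pscustomobject]@{
                Computer    = $x.Event.System.Computer
                UtcTime     = $fields['UtcTime']
                Image       = $fields['Image']
                ProcessId   = $fields['ProcessId']
                Destination = '{0}:{1}' -f $ip, $fields['DestinationPort']
                Indicator   = $Indicators[$ip]
            }
        }
    }
}

$hits = Find-IndicatorHits -EventXml $sampleEvents -Indicators $indicators
$hits | Format-Table -AutoSize

# One line per host to hand to the people doing the disconnecting and reimaging.
$hits | Group-Object Computer | ForEach-Object {
    'ISOLATE {0}: {1} connection(s) to indicator infrastructure' -f $_.Name, $_.Count
}
```

On a live host with Sysmon installed, feed the function the real records instead of the constructed ones: `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3} | ForEach-Object { $_.ToXml() }`. The same indicator table can be applied to proxy or DPI exports once they are reduced to the same fields, which is what lets the network, AV and desktop teams work from one shared list of indicators rather than each from their own.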

So here are some resources regarding this particular type of malware; it pays to know your enemy.

Constant Vigilance!

--Claus Valca

First (or Second) Pass AV/AM Scanner Tools

This past week at the church house, one of the secretaries reported some slowness on her system.

We did some troubleshooting and fixed a number of obvious issues, however the slowness persisted.

It was running Symantec AV and it had quarantined a few things. Those were deleted and removed, but time did not allow a second pass with a different AV/AM tool.

A few days (and a few SAV definition updates) later, Symantec reported that more items had been detected and quarantined.

I wasn’t able to get back to the system but another IT administrator at the church house did. This time Symantec reported finding a possible threat called “Kaeria Dust Remover”.

The core file name was “mvsbtej.exe”, and here is the limited information I was able to uncover:

To be sure things were cleaned, he installed (alongside Symantec) the 30-day trial of Kaspersky AV and kicked off a scan.

The user did report that once that malware was pulled off, the system performance returned to normal and things were so much better again.

While I don’t usually recommend installing more than one AV/AM product on a system at the same time (Malwarebytes excepted), if you aren’t planning on “nuking” a system (zero out the drive and reinstall the OS from source disks) it is always good to run a second or third scan on the system with a tool from a different AV/AM vendor.

There are some “standalone\light-install” and “cloud” based AV/AM scanners that can be used independently of the primary AV/AM software installed on a Windows system. I find these provide the perfect solution for getting a second or third opinion on a system’s post-infection status. Download them, or copy them over to the system from a USB drive. Most do a temporary unpacking of the core scan engine files, may download the latest DAT files, and scan away. They typically quarantine anything they find, and you can delete the quarantined files once everything is done.

Some other products pack the DAT files together with the scan engine. This can be handy if you don’t have a network connection either due to the attack or because you don’t want to place the system back on your network until you are sure it is remediated.

Then there are the cloud-based solutions that you can run, which upload the scan results to the vendor’s cloud servers and match the files there looking for issues. These have the benefit of using the newest signature detection patterns available, at the cost of needing a network connection during the scan.

And by being “standalone\light-install” tools, the impact/conflict with an already-installed AV/AM product might be minimized.

And here are some “cloud-based” AV/AM scanners. They typically still download some components to the local system before doing the threat-analysis work in the cloud.

For a deeper look


--Claus Valca

Lenovo Superfish – Cleanup in Seafood Isle Needed!

What a mess.

I guess there is something to be said about “clean” OS installs…even for brand-spanking-new hardware.

What I find interesting in this particular event (now that the initial dust seems to have settled) are both the analysis of the threat created and the removal techniques; especially the manual removal process.

For Cleanup

For Background

Better bring an extra mop…

--Claus Valca

Monday, February 16, 2015

Anti-Virus Software Update - GSD Thoughts

Quick post.

I’ve been doing some PC support for friends and family these past few weeks.

Some have had expired ($) AV products on their systems and weren’t getting current DAT downloads. Others were running good free solutions.

I’ve continued to use Microsoft Security Essentials on all our home systems coupled with a paid version of Malwarebytes Anti-Malware. I also run EMET so there is that.

I liked Bitdefender Antivirus Free when I ran it on my primary laptop at home for a while, but the whitelisting management was frustrating, particularly with my special tools that are often treated as PUPs.

So I pondered this How to Install Free, Effective Antivirus Software (for Beginners) - post at Lifehacker that recommended Bitdefender Free again for general users and Avast Free for advanced users.

I then encountered an installation of Avast (2014) Free that one of those family members had on a PC they brought me. I upgraded it to Avast 2015 Free so it was current and generally liked what I saw.

It seems like forever since I posted Freeware Anti-Virus Solutions for Windows, so that led to this updated quick-reference post for freeware AV solutions.

First, I recommend starting with the following resources to get some understanding of AV products and their general ratings/evaluations.

Neither of these will point you magically to the “perfect” solution, but it will give you some background on the lay-of-the-land across different AV vendor products.

My layered use of the following products meets my own household needs but may not be adequate for less-than-advanced users.

  1. Free Firewall Software by GlassWire - Monitors and logs network connections…more used for logging than “active firewall blocking”.
  2. Sysmon - Sysinternals service that logs process creation and network connections (among other events) to the Windows event log
  3. Enhanced Mitigation Experience Toolkit - EMET - TechNet Security
  4. Microsoft Security Essentials - Microsoft Windows - Core AV protection
  5. Malwarebytes Premium - Supplemental real-time AV/AM protection
  6. (Optionally) Malwarebytes Anti-Exploit - Free Zero-Day Exploit Protection - browser layer protection

However, if all this is too much, and I had to offer alternative AV/AM freeware products for family or friends, here is what I would go with:

I don’t tend to lean to the “Cloud-AV” protection camp, however, these cloud-based free AV/AM products might be worth considering.

Not directly related but I saw news this week that Google and Microsoft are working to create better whitelists for good files.

Constant Vigilance!

--Claus Valca

Virtual Grumbles

So I saw this past week that Oracle had come out with a new build of VirtualBox.

Downloads – Oracle VM VirtualBox - version 4.3.22

I’ve had some real headaches lately with recent VirtualBox builds so I should have known better.

The upgrade went first onto my “Alister” laptop and in less than a minute the update process had smoothly completed. That gave me hope and confidence.

Then I tried it the following day on my “Tatiana” laptop. That took over 15 minutes, (apparently) stalled update applications, one very exciting BSOD, multiple repair/install/remove routines, and significant banging of forehead on desk surface.

I did manage to get VirtualBox pulled off Tatiana, and to recover with no lingering harm from the BSOD, but as Tatiana remains my “primary” beloved system, VirtualBox is now “VERBOTEN” on Tatiana.

I do still need access to it on Tatiana, so I’m going to stick with VMware Player 6.0 only, which I’ve had no issues with, and then run VirtualBox inside one of my tester Windows VMs.

It’s a long tail solution, but it’s the safest, and with an i7 processor, 8 GB of RAM, and careful selection of the VM RAM allocations, Tatiana should be up to the task.


--Claus V.