Sunday, November 02, 2008

Security Watch #1

Been a busy couple of weeks over at my favorite security blogs.  Lots of goings on.

Here are a number of the highlights for interested folks.

Know your adversaries.  This way you can better craft your defense and recovery responses.

Microsoft Threat Teams

Microsoft® Malware Protection Center : Get Protected, Now! - Begins the discussion on why MS08-067 was such a critical patch that it had to be release out of schedule, so closely after Patch Tuesday.  “On some versions of Windows, an unauthenticated attacker can remotely execute code on a vulnerable computer. Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable. File sharing is enabled in several scenarios though it is disabled by default in XP SP2 and newer operating systems.”

The Microsoft Security Response Center (MSRC) : Microsoft Security Advisory 958963 – Updated information that some malicious software has been seen attempting to exploit the MS08-067 vulnerability  Appears to be trojan-based rather than self-replicating.

Security Vulnerability Research & Defense : More detail about MS08-067, the out-of-band netapi32.dll security update – A more technical post about the attack method for the issue, and specifically how UAC in Vista can protect the system;

Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level "Untrusted" while the named pipe requires at least a "Low" integrity level. Since "Untrusted" is lower than "Low" integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously.


There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature “Password Protected Sharing” is disabled, anonymous connections come in at “Medium” integrity level. Because "Medium" integrity level is a higher integrity level than "Low", the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista’s Network Sharing Center in the “Sharing and Discovery” section.

Microsoft® Malware Protection Center : Uprooting Win32/Rustock – Really wonderfully written analysis of the distribution method of the Rustock trojan; more frequently being found responsible for malicious “fake” Windows security program scans. The dropper actually kicks off a installer which hooks in as a system driver.  This kicks off the rootkit installer which further hooks into the system.  Clever stuff, but even cleverer work by the analysis team.  I love that stuff!

SWF for Malware Deployment – Brief on how SWF files can be used for malicious downloader methods.  Be careful of all those attachments and unsolicited “fun-things” you find in your in-box!

Web Attacks Using Microsoft Help and Support Center Viewer - Vulnerabilities & Exploits - STN Peer-to-Peer Discussion Forums - Symantec DeepSight Threat Analysis found a curious method for malicious payload delivery.  What makes this method a bit different is that in some circumstances, malicious code could be executed immediately.  And it begins with a visit to a malicious web-page…

1.    An attacker creates a malicious Web page that uses an arbitrary file-overwrite issue to place their malicious binary on the victim's machine. The attacker then tricks their victim into visiting this page.

2.    When the victim visits the page, the attacker exploits the same vulnerability to overwrite one of the Help and Support Center's HTML files, such as "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm." The attacker overwrites this file with script code that performs malicious actions on their behalf.

3.    Once the previous steps have been carried out successfully the attacker redirects the victim's browser using the "window.location" method such as "window.location = hcp://system/sysinfo/sysinfomain.htm."

4.    The Microsoft Help and Support Center viewer, which handles "hcp://" links, runs the attacker's script, which in turn executes their malicious binary.

What makes this attack remarkable is that because the Help and Support Center can run script commands in the context of the local user, attackers can utilize inherent ActiveX controls not marked as "Safe for Scripting" to execute a malicious binary that they have already placed on the vulnerable user's computer.

It's worth noting at this point that in order for this attack to be successful the user must be logged in with Administrator privileges.

Windows Incident Response Blog

Windows Incident Response: What do you need as a responder? – Harlan’s question is perfectly poised coming behind the threats just mentioned.  And it is a good one.  When a threat (or violation) is detected, what DO you need to respond? It might start with an understanding of the company policy and procedures.  Each incident also carries a different flavor, and likely will need a different set of tools.  As Harlan points out, sometimes it is even more important to know the answers your customers will need, before they themselves even know the questions they want to ask.  Most of this comes with experience.  My philosophy is to capture as much data as you can ahead of time, as quickly as possible.  That’s a lot more stuff to sort through in terms of data-sets, but in the long-run it will give you even more flexibility in the long-run.

Windows Incident Response: New Tools – Harlan brings our attention to a few more new tools in the forensics and incident response field.

Windows Incident Response: Bridging the Gap – Harlan mentions a few of the links I’ve posted to above with malware incidents.  He also finds value in finding the How of an incident. Additionally, Harlan illustrates how some choice forensic tools can be applied to those events.

Windows Incident Response: Random Updates – More odd’s-n-ends from the every active world of forensics and event response. Some good tools and tips in there.

Miscellaneous Bits and Bytes

TaoSecurity: CWSandbox Offers Pcaps – I’ve used CWSandbox before to analyze suspected malicious files. What I didn’t know is that it now can provide Pcap file data for you to download and examine with your favorite network packet tools.  That is really cool to know!

TaoSecurity: Windows Syslog Agents Plus Splunk – Richard also investigates how to collect system logs remotely for review and analysis. I’m thinking that in an organization our size, that would be a lot of logs to handle, however if there were some workstations that had a history of problems or infections, this might be a good way to collect data on them specifically.  Certainly interesting.

The Case of the Corrupted Stream Object « Didier Stevens – Didier is quickly becoming the guru of PDF files and how they can be hacked, manipulated, and misused for malicious purposes.

Analyzing a Malicious PDF File « Didier Stevens – Didier is starting a new series (with video) on how to analyze a malicious PDF file.  This is very, very good information because many users and organizations use and trust PDF files as they seem “innocuous” and safe. See a .exe that slipped in via e-mail, no way they would run that now.  But if it is an unsolicited PDF file, hmm. That’s a “safe” file format.  No harm there.  Let’s see what it says…BAM!  Exploited! – Didier’s tool to break down a PDF file to its elements. Must have. (Although in all fairness, Didier’s expertise makes it look so simple.)

Filterbit - OPSWAT Metascan Demo – A GSD commenter left a tip to this additional on-line malware file-scanning service.  Looks pretty good.  I’m adding it to my bookmark list already filled with others from my Online System Security Scanners post.

Thanks to all the researchers and experts who share their learning and work to keep us in the know!


No comments: