As the sophistication of malware continues to increase, coupled with the expansion of Web 2.0 technologies and increased browser-based risk, malicious code is on the rise. Implementing a defense-in-depth strategy will help enterprises address zero-day threats by blocking installation of malicious files on endpoints with an improved approach to provide multi-dimensional protection against current and future malware threats.
Saturday, November 21, 2009
I've been working with folks at Sourcefire - Middle East to help me create a Snort Users Group in the gulf region, and I'm finally ready to announce the launch of GCC (Gulf Cooperation Council) Snort Users Group. Every Snort fan in GCC is welcome to join us.
Tuesday, March 10, 2009
Friday, February 13, 2009
Sunday, January 25, 2009
Thursday, January 22, 2009
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.
My plan was to build a barrier around critical servers, then move forward. By making sure that every running system is already protected by the current AV software (Symantec Endpoint Protection) that was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which has decreased the number of infected systems. Cheer up people; I've created a windows batch that would reverse and cure side-effects of Downadup:
1) Re-enable and start the following services:
Background Intelligent Transfer Service
Windows Automatic Update Service
Windows Security Center Service
Windows Defender Service
Windows Error Reporting Service
2) Check MS WSUS for any missed updates (Due to disabling/stopping of windows update service during infection period)
3) Run Symantec FixDownadup tool
4) Install MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
5) Reboot system
This batch covers the following OS versions:
1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1
Note: Some OS versions or 64-bit are not supported by this batch, may be soon.
To start working, first we need to download the required patches + fix tool:
Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE
Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe
Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe
Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu
Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users). And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.
Here is for example, the Vista OS part (from the batch):
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ...
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...
shutdown /r /f /c "Rebooting system, you have 1 minute to save your work"
Download Batch (MSN SkyDrive Hosting, Right-click & save won't work. Follow the link then click on the white file in the left)
Wednesday, December 31, 2008
Recently, a smart group of cryptography researchers have successfully exploited a bug in the MD5 hashing algorithm that allows them to hack VeriSign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet.
I won't talk about their findings here; you can check it out here: http://www.win.tue.nl/hashclash/rogue-ca/
Today I'll draw the attention to a couple of possible attack scenarios that Phishers and malware authors can use by combining techniques that would be very difficult to stop unless a number of defenses is being used against.
The techniques of this attack are:
1) DNS Cache Poisoning Attack (For directing victims to fake sites like banks)
2) SQL injection Attack (For injecting IFrame redirectors into high traffic website, to redirect visitor to the fake website)
3) Double Flex Network (botnet) that would host malicious name servers (malicious/phishing websites resolution) and webservers (host the malicious/phished site)
4) Rouge CA SSL Certificates (For fooling victims who are visiting a website that is secured by using a valid SSL certificate, and the browser is showing a padlock indicating that it's a safe and legitimate website)
So, hackers have multiple targets to meet to launch a perfect attack. Well, the first three techniques are being used nowadays, but were lacking a very important member in the crew, Trust.
1) Padlock appearance is not enough, you should move on with other ways to make sure your visiting the legitimate and secure website.
2) Upgrade your browser to the latest version (IE 8 / FF 3 / Opera 10) to use their built-in anti-phishing capabilities.
3) Install good endpoint security software to stop malwares, and make sure it's updating definitions daily. The latest versions includes online security features like (Norton Internet Security 2009 and Kaspersky Internet Security 2009)
4) Install Windows patches and service packs to stop malwares and online attacks from exploiting any vulnerability in your system.
5) Install and updates all ActiveX components in your browser by upgrading the original software (ex. PDF reader ActiveX, you should upgrade Adobe Reader. Real player embedded ActiveX; you should upgrade RealPlayer…and so on). You can use Secunia Personal Software Inspector (PSI) to scan your system for insecure softwares and utilities.
If you want to do any online transactions, use Authentium’s SafeCentral to create a secure session between a locked-down browser and your online bank. It has capabilities to defend against the following attacks: Keyloggers, Spywares, DNS poisoning, Malwares, Sniffing, Man-in-the-middle