Friday, March 21, 2008

IE ActiveX Security 101



Now it is time to open the books and read about how we can achieve a safe browsing experience at a time when you can’t trust any site you visit on the Internet. If you depend on your antivirus alone to stop all of those invaders, you’ll be another addition to the “False Sense of Security believers” list.


Recently we’ve faced a lot of aggressive attacks against vulnerable systems, which exploit the following ActiveX vulnerabilities:


Baofeng Storm ActiveX
Ourgame GLChat ActiveX
Qvod Player ActiveX
Microsoft RDS.Dataspace ActiveX
RealPlayer playlist ActiveX
Storm Player ActiveX
Microsoft Windows WebViewFolderIcon ActiveX
Xunlei Thunder DapPlayer ActiveX


Leaving your Windows machines unpatched until that time is a shame; running insecure browsers, or better said, “browsers with insecure settings”, is a big mistake nowadays, because every single malware writer will use this point to his advantage: the next layer he needs to exploit is the weak link, humans.

So as a system admin, you should make sure no user on your watch works with a vulnerable browser. To achieve a good and secure configuration, I’ll show you the recommended IE ActiveX-related settings, which can leave you insecure if they are not set the secure way.



Usually disabling everything will break many features, which makes browsing like “drinking a glass of bitter lemonade”. Thankfully IE has the “Trusted Sites” security zone, which, as the name says, we use to put the trusted sites in, and any script or ActiveX from those sites is authorized to be downloaded and run. You can use the “Internet Explorer 5 Power Tweaks Web Accessory” from Microsoft; this tool adds an "Add to Trusted Zone" choice to the Tools menu of Internet Explorer.

100% Safe Browsing … is it a dream? What do you think?

Saturday, March 15, 2008

DNS-redirection techniques



We talked previously about malware fighting and containment techniques; today I’ll talk about an interesting way to prevent internal hosts from reaching malicious websites.

Malware today is more sophisticated and depends on multi-staged infection, which means that the current code is constantly updated and replaced by another stage to add more functions or to use new evasion techniques.

To use DNS-redirection we need to understand the original problem first. The malware writer’s aim is to infect as many machines as possible by many means, such as spam, malicious web pages, or infected P2P shares. Spam and malicious web pages mostly use domain names, as well as obfuscated or numeric URLs. And we know that to reach any web page on the Internet, the browser needs to translate the domain name to an IP address.

To imagine an example: Joe received an e-mail about love cards and, as usual (we need user awareness here folks!), he follows the instructions, opens the URL (www.lovecards2008.com) and visits it to download some lovely cards to send to his girlfriend … but our friend didn’t realize that it’s not a legitimate cards website but a fake one that serves malware instead of cards. The moment he downloaded an executable faked card, Boom! His computer got infected.


What can we do here to prevent the infection as early as possible? We can use the DNS server to send back “fake and not reachable” replies to the client, such as answering that the IP of www.lovecards2008.com is 127.0.0.1. This is called “Loopback Redirection”. With such a reply there is no way to reach the malicious site, and the user gets a “Web site unavailable” error. Good, let it be; we don’t want the user to access any malicious pages from now on.


You can implement this technique in two ways, with the same result: either using the hosts file, by inserting as many entries as you can with fake answers, or using your internal DNS server (MS DNS or BIND) to create a “Malware Domains Blacklist Zone”. The latter is the best, because you have a centralized place to control name resolution.

This is a cheap way to prevent users from accessing such domains. It’s different from web site filtering solutions, which depend on a database containing millions of URLs and provide policy-based filtering. Here we use the DNS server, which serves every host in the network.

If you want a starting point, visit www.malwaredomains.com, download their free blacklists of malicious domains, import them, and start preventing.
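As an added example (not code from the original post), here is a small Python script that turns a blacklist feed like the one described above into both forms the post mentions: hosts-file entries and a BIND “Malware Domains Blacklist Zone” that answers every listed name with 127.0.0.1. The sample feed, the zone-file path and the ns.sinkhole.local names are constructed assumptions; the script also validates each line so a malformed entry in the feed cannot corrupt the DNS configuration.

```python
import re
from typing import Iterable

SINKHOLE_IP = "127.0.0.1"  # loopback redirection: the request goes nowhere

# Constructed sample feed (one domain per line, '#' comments); a real one
# would be downloaded from a blacklist provider such as malwaredomains.com.
SAMPLE_BLACKLIST = """\
# malware domains - constructed sample
www.lovecards2008.com
WWW.LoveCards2008.com.   # same name, different case and trailing dot
bad-cards.example
not a domain!!           # malformed line: must never reach the config
"""

# Conservative RFC 1123 hostname check so a malformed or hostile line in
# the feed cannot inject arbitrary text into named.conf or the hosts file.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_blacklist(text: str) -> list[str]:
    """Return unique, lower-cased, valid domains in first-seen order."""
    seen: dict[str, None] = {}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if entry and _HOSTNAME.match(entry):
            seen.setdefault(entry, None)
    return list(seen)


def hosts_entries(domains: Iterable[str]) -> str:
    """Way one from the post: lines for each machine's hosts file."""
    return "".join(f"{SINKHOLE_IP}\t{d}\n" for d in domains)


def bind_zones(domains: Iterable[str], zone_file: str = "/etc/bind/db.sinkhole") -> str:
    """Way two from the post: named.conf stanzas for the blacklist zone,
    one zone per domain, all served from one sinkhole zone file (assumed path)."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)


# The shared sinkhole zone file: the apex and every subdomain answer with loopback.
SINKHOLE_ZONE = f"""\
$TTL 300
@   IN SOA ns.sinkhole.local. hostmaster.sinkhole.local. (1 3600 900 604800 300)
    IN NS  ns.sinkhole.local.
    IN A   {SINKHOLE_IP}
*   IN A   {SINKHOLE_IP}
"""

if __name__ == "__main__":
    doms = parse_blacklist(SAMPLE_BLACKLIST)
    print(hosts_entries(doms), bind_zones(doms), SINKHOLE_ZONE, sep="\n")
```

Point named.conf's `include` at the generated stanzas and restart the resolver; clients then get 127.0.0.1 for every blacklisted name exactly as the loopback redirection above describes.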

Monday, March 3, 2008

Malwares Containment: Quarantine the infected



We’ll continue our discussion today with the next step you should take after detecting malicious traffic in your network. We should isolate infected machines from the rest of the network; the easy way is to just unplug the cable and physically disconnect them. A good option, but suppose you have a lot of them: you can use your L3 switch as a good ally here. Create a “Quarantine VLAN” to group infected machines and prevent any type of communication from/to these machines.


This VLAN will stop broadcasts and scanning for other computers. If creating VLANs is impossible for some reason, switch to plan B: ACLs. ACLs are important to stop or slow down malware propagation in your network.

Take the following Cisco Switch ACL example:

access-list 101 remark outgoing packet access list
access-list 101 permit tcp any any established
access-list 101 permit tcp any host [allowed destination] eq %protocol%
access-list 101 permit ip any host [insert %host% here]
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any

These ACLs will deny outbound SMTP/SMB/NetBIOS connections to other machines. You should replace [allowed destination] with any host that has to be reached by the infected machines (for example the antivirus server, or the WSUS server to get Windows patches), and %protocol% with the destination port or protocol. [insert %host% here] is the same thing as before.



Isolating infected machines gives you a lot of advantages:

1. Slowing the propagation of the malware to other clean machines.
2. Decreasing broadcast storms.
3. Testing disinfection procedures on these machines until you get the virus definitions from the vendor.
4. Deploying a honeypot, monitoring the malware behavior, and trying to learn and reverse its actions.
5. Malware today is getting more dynamic and modular by depending on a built-in downloader to update its code from the mother-ship (server), so we can use this feature to trick the infected machine into downloading a curing executable. For example, if you sniffed and watched outbound connections from the infected machine targeting another host online (http://xxx.xxx.xxx.xxx/xyz.exe), this means it’s trying to get something. Simply hardcode the domain name in the infected machine’s hosts file and redirect it to the honeypot machine or a machine running Netcat listening on port 80, and look at the HTTP request. If it’s an executable, we mimic the server and write a batch file that contains temporary disinfecting procedures (killing a process, deleting files, stopping services, deleting registry keys, or even installing patches), then convert the batch file to .exe, place it in the correct path on the web server, and wait. This technique has been used before with honeyd to fight worms (Blaster, Sasser).