Monday, March 3, 2008

Malware Containment: Quarantine the Infected

Today we continue our discussion with the next step after detecting malicious traffic in your network: isolating the infected machines from the rest of the network. The easy way is to unplug the cable and physically disconnect them. That is a good option, but if you have a lot of them, your L3 switch can be a good ally here. Create a “Quarantine VLAN” to group the infected machines and prevent any type of communication to or from them.

This VLAN will stop broadcasts and scanning for other computers. If creating VLANs is impossible for some reason, switch to plan B: ACLs. ACLs are important to stop or slow down malware propagation in your network.

Take the following Cisco switch ACL example:

access-list 101 remark outgoing packet access list
access-list 101 permit tcp any any established
access-list 101 permit tcp any host [allowed destination] eq %protocol%
access-list 101 permit ip any host [insert %host% here]
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any

These ACLs deny outbound SMTP, SMB and NetBIOS connections to other machines. Replace [allowed destination] with any host the infected machines still have to reach (for example the antivirus server, or the WSUS server to get Windows patches), and %protocol% with the destination port or protocol. [insert %host% here] works the same way.
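To see how the list above is evaluated, here is an added Python model of first-match ACL matching (example code, not from the original post); the addresses, the port 8080 standing in for %protocol%, and the sample flows are all constructed. It shows that rule order decides the outcome and that anything not explicitly denied falls through to the final permit.

```python
from dataclasses import dataclass

# Constructed stand-ins for the post's placeholders (assumed addresses).
AV_SERVER = "10.0.0.5"   # [allowed destination], reached on %protocol% = 8080
WSUS = "10.0.0.6"        # [insert %host% here], any IP protocol allowed

# access-list 101, one tuple per line (TCP 139 included alongside the post's list):
# (action, protocol, destination host or None for "any", port or None, established)
ACL_101 = [
    ("permit", "tcp", None, None, True),        # permit tcp any any established
    ("permit", "tcp", AV_SERVER, 8080, False),  # permit tcp any host AV eq 8080
    ("permit", "ip", WSUS, None, False),        # permit ip any host WSUS
    ("deny", "tcp", None, 25, False),           # deny tcp any any eq smtp
    ("deny", "tcp", None, 137, False),
    ("deny", "tcp", None, 138, False),
    ("deny", "tcp", None, 139, False),
    ("deny", "tcp", None, 445, False),
    ("deny", "udp", None, 137, False),          # netbios-ns
    ("deny", "udp", None, 138, False),          # netbios-dgm
    ("deny", "udp", None, 139, False),          # netbios-ss
    ("permit", "ip", None, None, False),        # permit ip any any
]
# On the switch the list only takes effect once bound to the quarantine
# interface (ip access-group 101 in); this script only models the matching.


@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    dst: str           # destination address
    dport: int         # destination port
    ack: bool = False  # True when ACK/RST is set, i.e. a reply in an existing session


def evaluate(acl, pkt):
    """Return (action, rule_index) of the first matching rule; IOS stops at the first match."""
    for index, (action, proto, host, port, established) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if host is not None and host != pkt.dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action, index
    return "deny", None  # implicit deny at the end of every IOS access list


if __name__ == "__main__":
    # Constructed outbound flows from a quarantined host
    for pkt in (Packet("tcp", "192.0.2.10", 25),            # deny: SMTP to a random host
                Packet("tcp", AV_SERVER, 8080),              # permit: AV server on its port
                Packet("tcp", WSUS, 445),                    # permit: host rule precedes the 445 deny
                Packet("tcp", "192.0.2.10", 445, ack=True),  # permit: reply in an existing session
                Packet("tcp", "192.0.2.10", 80)):            # permit: falls through to permit ip any any
        print(pkt, "->", evaluate(ACL_101, pkt))
```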


Isolating infected machines gives you several advantages:

1. Slowing the propagation of the malware so it does not reach other clean machines.
2. Decreasing the broadcast storms.
3. Testing disinfection procedures on these machines until you get the virus definitions from the vendor.
4. Deploying a honeypot to monitor the malware behavior and try to learn and reverse its actions.
5. Malware today is getting more dynamic and modular, relying on a built-in downloader to update its code from the mother-ship (server), so we can use this feature to trick the infected machine into downloading a curing executable. For example, if you sniff the infected machine and see outbound connections to another host online, it is trying to fetch something. Simply hardcode that domain name in the infected machine’s HOSTS file and redirect it to the honeypot machine, or to a machine running Netcat listening on port 80, and look at the HTTP request. If it is asking for an executable, mimic the server: write a batch file with temporary disinfection steps (killing a process, deleting files, stopping services, deleting registry keys, or even installing patches), convert the batch file to an .exe, place it at the requested path on the web server, and wait. This technique has been used before with honeyd to fight worms (Blaster, Sasser).