Friday, March 21, 2008

IE ActiveX Security 101



Now it is time to open the books and read about how we can achieve a safe browsing experience at a time when you can’t trust any site you visit on the Internet. If you depend on your antivirus alone to stop all of those invaders, you’ll be another addition to the “False Sense of Security believers” list.


Recently we’ve faced a lot of aggressive attacks against vulnerable systems, which exploit the following ActiveX vulnerabilities:


Baofeng Storm ActiveX
Ourgame GLChat ActiveX
Qvod Player ActiveX
Microsoft RDS.Dataspace ActiveX
RealPlayer playlist ActiveX
Storm Player ActiveX
Microsoft Windows WebViewFolderIcon ActiveX
Xunlei Thunder DapPlayer ActiveX


Leaving your Windows machines unpatched until now is a shame. Running insecure browsers, or better said, “browsers with insecure settings”, is also a big mistake nowadays, when every single malware writer will use this point to his advantage, because the next layer he needs to exploit is the weak link: humans.

So as a system admin, you should make sure that no user, on your watch, works with a vulnerable browser. To achieve a good and secure configuration, I’ll show you the recommended IE ActiveX-related settings, which could leave you insecure if they are not configured the secure way.



Usually disabling everything breaks many features and makes browsing like “drinking a glass of bitter lemonade”. Thanks to the IE “Trusted Sites” security zone, which, as the name says, we use to hold the trusted sites, we can authorize scripts and ActiveX controls to be downloaded and run for those sites only. You can use the “Internet Explorer 5 Power Tweaks Web Accessory” from Microsoft; this tool adds a menu choice, "Add to Trusted Zone", to the Tools menu of Internet Explorer.

100% Safe Browsing … is it a dream? What do you think?

Monday, March 17, 2008

IFRAME Attacks - Actions to be taken




The massive campaign against Internet websites is getting harder to contain because of the huge number of vulnerable websites that are not secured enough to face this kind of attack. Mass IFRAME attacks against highly ranked sites made it a successful one. So as a system admin you have to raise the security bar in your network to prevent your clients from getting exploited and redirected to the malicious pages on those websites.

I've compiled a first-aid list to help you in this situation:

- Monitor outgoing DNS requests to the Internet, which bypass your local legitimate DNS server.

- Disable ActiveX

- Upgrade Internet browsers to the latest versions, IE 8 beta 1 or Firefox 3.

- Update the current antivirus (also check your antivirus server report, track the clients that are not updating and fix their problems) and make sure it can detect Zlob variants.

- Block clients from reaching the infected domains by using the following techniques:


  • URL filtering software (e.g. Websense): block *all* of your clients from reaching malicious and porn sites. Add the sites newly infected by the IFRAME attack to a custom group until they get fixed. Also filter any downloaded executable that contains the keyword “codec”, for example *codec*.exe.

  • In this case, block porn-popular.com and all attempts to download democodec1292.exe.

  • Firewall rule: block all HTTP/HTTPS requests to the infected domains.

  • DNS redirection: create a DNS zone (call it evil-websites) and add the domain records with bogus IPs, such as 127.0.0.1.

  • If you are already running Snort, use this signature to detect the download of the fake codec executable:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Likely Zlob variant Binary Requested (democodec1292.exe)"; flow:established,to_server; uricontent:"/democodec1292.exe"; nocase; classtype:trojan-activity; reference:url,http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html; rev:1;)


  • Patch your Windows machines, and track this using WSUS (free) from Microsoft. Don't ever leave any system without the latest updates.

  • Upgrade the installed software to the latest versions; treat this like the operating system patch process. RealPlayer and the “Apple QuickTime Real-Time Streaming Protocol vulnerability” recently caused a lot of browser exploitation and got clients redirected to malicious sites.

  • Keep your eyes on http://www.malwaredomains.com/ and add those domains to the FW blacklist or the URL filtering software; be proactive. This will close the door against any infection.

  • Educate your users by creating awareness sessions that show them how to avoid such social-engineering-based attacks. The weak link is the end user; train them to inform the IT guys about anything strange while they are browsing, such as being asked to install this xyz antivirus to protect their machines, or that xyz video codec to watch the online video of Paris Hilton!
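As an added example (not part of the original post), here is a small Python check for the first item in the list above: it flags internal hosts that send DNS traffic to anything other than the legitimate local resolver. The log layout, the 10.0.0.0/8 range, the resolver address 10.0.0.53 and the sample lines are all constructed assumptions.

```python
# Added example: detect clients whose DNS queries bypass the local resolver.
# Input: constructed firewall/flow log lines, "timestamp proto src:port dst:port".
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
LOCAL_DNS = {ipaddress.ip_address("10.0.0.53")}        # assumed legitimate resolver

SAMPLE_LOG = """\
2008-03-17T10:01:02 UDP 10.0.5.21:51234 10.0.0.53:53
2008-03-17T10:01:03 UDP 10.0.5.21:51235 10.0.0.53:53
2008-03-17T10:01:07 UDP 10.0.5.44:1030 203.0.113.5:53
2008-03-17T10:01:09 TCP 10.0.5.44:1031 203.0.113.5:53
2008-03-17T10:01:10 UDP 10.0.0.53:40000 198.51.100.4:53
2008-03-17T10:01:12 TCP 10.0.5.21:1040 192.0.2.80:80
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Split one log line into (ts, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return (ts, proto, ipaddress.ip_address(s_ip), int(s_port),
            ipaddress.ip_address(d_ip), int(d_port))

def find_dns_bypass(log_text):
    """Return {source IP: set(external resolvers)} for internal hosts that
    talk DNS (port 53) to anything other than the local resolver."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, proto, s_ip, _, d_ip, d_port = parse_line(line)
        if d_port != 53 or proto not in ("UDP", "TCP"):
            continue
        if not is_internal(s_ip) or s_ip in LOCAL_DNS:
            continue   # the resolver itself is allowed to recurse to the Internet
        if d_ip in LOCAL_DNS or is_internal(d_ip):
            continue
        hits[str(s_ip)].add(str(d_ip))
    return dict(hits)

if __name__ == "__main__":
    for host, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{host} bypasses local DNS -> {', '.join(sorted(resolvers))}")
```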

Saturday, March 15, 2008

DNS-redirection techniques



We talked previously about malware fighting and containment techniques; today I’ll talk about an interesting way to prevent internal hosts from reaching malicious websites.

Malware today is more sophisticated and depends on multi-staged infection, which means that the current code is always updated and replaced by another to add more functions or to use new evasion techniques.

To use DNS redirection we need to understand the original problem first. The malware writer’s aim is to infect as many machines as possible using many ways, such as spam, malicious web pages, or infected P2P shares. Spam and malicious web pages mostly use domain names, and obfuscated or numeric URLs. And we know that to reach any web page on the Internet, the browser needs to translate the domain name to an IP.

To imagine an example: Joe received an e-mail about love cards and, as usual (we need user awareness here, folks!), he follows the instructions, opens the URL (www.lovecards2008.com) and visits it to download some lovely cards to send to his girlfriend … but our friend didn’t realize that it’s not a legitimate cards website but a fake one that provides malware instead of cards. And the moment he downloaded the fake card executable, boom! His computer got infected.


What can we do here to prevent the infection as early as possible? We can use the DNS server to send back “fake and unreachable” replies to the client, such as answering that the IP of www.lovecards2008.com is 127.0.0.1. This is called “Loopback Redirection”. With such a reply there is no way to reach this malicious site, and the user gets a “Web site unavailable” error. Good, let it be; we don’t want the user to access any malicious pages from now on.


You can implement this technique in two ways, with the same result: either using the HOSTS file, by inserting as many entries with fake answers as you can, or using your internal DNS server (MS DNS or BIND) to create a “Malware Domains Blacklist Zone”. The latter is best, because you have a centralized place to control name resolution.

This is a cheap way to prevent users from accessing such domains. It’s different from web filtering solutions, which depend on a database containing millions of URLs and provide policy-based filtering. Here we use the DNS server, which serves every host in the network.

If you want a starting point, visit www.malwaredomains.com, download their free blacklists of malicious domains, import them and start preventing.
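As an added example (not from the original post, and not malwaredomains.com’s own tooling), this Python script turns a plain domain blacklist into the two forms described above: BIND zone statements for a “Malware Domains Blacklist Zone”, all backed by one shared blackhole zone file, and the equivalent HOSTS-file lines. It also covers the DNS-redirection bullet in the IFRAME post above. The path /etc/bind/db.blackhole and the sample list are assumptions.

```python
# Added example: generate BIND blackhole zones and HOSTS entries from a
# domain blacklist. Each bad domain becomes its own master zone so the
# internal server answers authoritatively with the sinkhole address.
import re

SAMPLE_BLACKLIST = """\
# constructed sample list, one domain per line (malwaredomains.com style)
www.lovecards2008.com
porn-popular.com
Bad.Example.NET
not a domain!
"""

BLACKHOLE_FILE = "/etc/bind/db.blackhole"   # assumed path of the shared zone file
SINKHOLE_IP = "127.0.0.1"                   # "Loopback Redirection"

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def parse_blacklist(text):
    """Lower-case, de-duplicate and validate; drop comments and junk lines."""
    seen = set()
    for line in text.splitlines():
        d = line.split("#", 1)[0].strip().lower().rstrip(".")
        if d and DOMAIN_RE.match(d):
            seen.add(d)
    return sorted(seen)

def bind_zones(domains, zone_file=BLACKHOLE_FILE):
    """named.conf statements: one master zone per blocked domain, same file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )

def blackhole_zone_file(sinkhole=SINKHOLE_IP):
    """Shared zone file: the apex and every label under it map to the sinkhole."""
    return (
        "$TTL 300\n"
        "@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 300 )\n"
        "@ IN NS localhost.\n"
        f"@ IN A {sinkhole}\n"
        f"* IN A {sinkhole}\n"
    )

def hosts_entries(domains, sinkhole=SINKHOLE_IP):
    """HOSTS-file alternative, one line per blocked domain."""
    return "".join(f"{sinkhole}\t{d}\n" for d in domains)

if __name__ == "__main__":
    doms = parse_blacklist(SAMPLE_BLACKLIST)
    print(bind_zones(doms), blackhole_zone_file(), hosts_entries(doms), sep="\n")
```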

Monday, March 3, 2008

Malwares Containment: Quarantine the infected



We’ll continue our discussion today with the next step you should take after detecting the malicious traffic in your network: isolating the infected machines from the rest of the network. The easy way is to just unplug the cable and physically disconnect them. Good option, but suppose you have a lot of them; your L3 switch can be a good ally here. Create a “Quarantine VLAN” to group the infected machines and prevent any type of communication to/from them.


This VLAN will stop broadcasts and scanning for other computers. If creating VLANs is impossible for some reason, switch to plan B: ACLs. ACLs are important to stop or slow down malware propagation in your network.

Take the following Cisco Switch ACL example:

access-list 101 remark outgoing packet access list
access-list 101 permit tcp any any established
access-list 101 permit tcp any host [allowed destination] eq %protocol%
access-list 101 permit ip any host [insert %host% here]
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any

These ACLs will deny outbound SMTP/SMB/NetBIOS connections to other machines. You should replace [allowed destination] with any host that has to be reached by the infected machines (for example the antivirus server, or the WSUS server to get Windows patches), and %protocol% with the destination port or protocol. [insert %host% here] is the same thing as before.



Isolating infected machines gives you a lot of benefits:

1. Slowing the propagation of the malware to other clean machines.
2. Decreasing broadcast storms.
3. Testing disinfection procedures on these machines until you get the virus definitions from the vendor.
4. Deploying a honeypot to monitor the malware’s behavior and try to learn and reverse its actions.
5. Malware today is getting more dynamic and modular by depending on a built-in downloader to update its code from the mother-ship (server), so we can use this feature to trick the infected machine into downloading a curing executable. For example, if you sniffed and watched outbound connections from the infected machine targeting another host online (http://xxx.xxx.xxx.xxx/xyz.exe), this means it’s trying to get something. Simply hardcode the domain name in the infected machine’s HOSTS file and redirect it to the honeypot machine, or to a machine running Netcat listening on port 80, and look at the HTTP request. If it’s asking for an executable, we’ll mimic the server: write a batch file that contains temporary disinfection procedures (killing a process, deleting files, stopping services, deleting registry keys, or even installing patches), convert the batch file to .exe, place it at the correct path on the web server and wait. This technique has been used before with honeyd to fight worms (Blaster, Sasser).
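As an added example (not from the original post), this Python stand-in for the Netcat listener in step 5 records each HTTP request line the redirected machine sends and answers only the path on which the admin has placed a replacement file; everything else gets a 404. The path /xyz.exe, the placeholder file contents and the sample request are constructed.

```python
# Added example: minimal logging HTTP responder for a HOSTS-redirected host.
import socket

# requested path seen in the sniffed traffic -> replacement bytes (constructed)
REPLACEMENTS = {"/xyz.exe": b"MZ-placeholder-disinfection-tool"}
REQUEST_LOG = []   # (host header, path) of every well-formed request seen

SAMPLE_REQUEST = (b"GET /xyz.exe HTTP/1.1\r\nHost: updates.example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n")

def handle_request(raw, replacements=REPLACEMENTS):
    """Parse the request line, log host and path, return HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0] != "GET":
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    path = parts[1].split("?", 1)[0]
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    REQUEST_LOG.append((host, path))
    body = replacements.get(path)
    if body is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)

def serve(bind_addr="0.0.0.0", port=80):
    """Listen like 'nc -l -p 80', but answer every request and keep running."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                raw = conn.recv(65536)
                print(peer[0], raw.split(b"\r\n", 1)[0])   # the request line
                conn.sendall(handle_request(raw))

if __name__ == "__main__":
    serve()
```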