Friday, December 19, 2008

DNS Changer 2.0


DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this well-known malware. The strategy has changed: it no longer needs to modify the DNS settings on ADSL routers. Instead it installs a network driver (NDISProt.sys) that lets the malware send and receive raw Ethernet frames, which bypasses the Windows TCP/IP stack, the host firewall and HIPS.

It runs a rogue DHCP server on the infected machine: the malware listens for DHCP requests from other hosts on the LAN and answers them with its own crafted DHCP offers. The reply carries malicious DNS servers, which redirect the victims to attacker-controlled websites hosting everything from phishing pages to exploit-and-infect pages. Nothing on the victim is modified; a client simply accepts the first lease it receives, so the bad resolvers look like a normal DHCP-assigned configuration.

The question is how to protect against and prevent such attacks. Here is my compiled checklist:

1) As always, keep your systems up to date and make sure the latest browser (IE 7/8, Firefox 3, Google Chrome or Opera 10) is deployed across your network, because the attack usually starts by exploiting an old browser and proceeds with the rest of the chain from there.

2) Make sure your antivirus is able to detect and block this malware. If you find a suspicious process listening on UDP port 67 (the DHCP server port), submit it to your vendor or to virustotal.com. Bear in mind that this variant talks raw Ethernet through NDISProt.sys, so its DHCP listener will not show up in netstat on the infected host; look for the driver itself instead (driverquery /v lists loaded drivers on XP and later) and, better, detect the rogue server from another machine on the same segment with the tools below.

3) If you are a Cisco shop, you are lucky: Catalyst switches have a built-in security feature called "DHCP Snooping". It filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. Server-side messages (OFFER, ACK, NAK) are only accepted on ports you mark as trusted, so an infected workstation on an ordinary access port cannot answer anyone's DHCP request, however fast it races the real server. Read more about it:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf

This is an example of enabling DHCP Snooping on a Cisco switch (replace the VLAN list and the rate with your own values):

switch(config)# ip dhcp snooping
! Enables DHCP Snooping globally
switch(config)# ip dhcp snooping vlan 10,20
! Enables DHCP Snooping for specific VLANs
switch(config-if)# ip dhcp snooping trust
! Only on the uplink or the port facing the real DHCP server: trusted ports may pass DHCP replies. Access ports stay untrusted by default
switch(config-if)# ip dhcp snooping limit rate 15
! Caps DHCP packets per second on an untrusted port; the port is err-disabled above the limit

Verify with show ip dhcp snooping and show ip dhcp snooping binding. Remember that a DHCP relay, or a server reached over a trunk, needs that port marked trusted, otherwise legitimate leases stop as well.


4) Use the DHCPLOC utility to detect rogue DHCP servers on your network. Get it from here: (http://technet2.microsoft.com/windowsserver/en/library/8fa42e83-ec08-4a9b-9057-8909f7ed433e1033.mspx?mfr=true)

With this tool you can determine which DHCP servers are available to a DHCP client and detect unauthorized DHCP servers on a subnet.


5) Use DhcpExplorer, a tool that discovers DHCP servers on your local subnet or LAN. It is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as for checking the expected output of known servers. The tool has a user-friendly interface and is easy to use. Download it from here:
http://www.filesland.com/companies/Nsasoft-LLC/download/DhcpExplorer.exe

6) Use DHCPing, a simple utility which, like ping, tests for running DHCP servers. Match the results of a dhcping scan against your list of known DHCP servers: anything that shows up in the scan but not in your server inventory is suspect. Get it from here: http://www.securiteam.com/tools/5TP0G0KDFG.html


7) If you are a Microsoft shop, make sure you have configured DHCP server authorization in Active Directory correctly. Note that authorization only stops an unauthorized Windows DHCP Server service from handing out leases; it does nothing against a rogue server on a non-domain host or against malware like this one, so it complements the network-side controls rather than replacing them. Read here for more details:
http://technet.microsoft.com/en-us/library/cc781697.aspx


8) If you use Nmap (and you should, by the way), you can scan your network for hosts listening on the DHCP ports. For example:

nmap -sU -Pn -p 67-68 -oN dhcp-scan-results.txt 192.168.0-3.*

Replace 192.168.0-3.* with your network's IP range. -P0 is the old spelling of -Pn, and -oN takes the output file name, not a shell redirect. Two caveats: a UDP port that simply does not answer is reported as open|filtered, and a listener reading raw frames through NDISProt has no reason to answer an empty probe at all, so treat this as a first pass and confirm suspects with a real DHCP discover from one of the tools above.


9) Snort is your watchdog while you are busy. Add a list of authorized servers to your snort.conf, like this:

ipvar AUTHORIZED_DHCP [1.1.1.1,2.2.2.2]

Replace 1.1.1.1 and 2.2.2.2 with your production DHCP servers, and include any DHCP relay agents, since they also deliver replies to clients from port 67 (on Snort older than 2.6 use var instead of ipvar).

Then use this rule to detect rogue DHCP servers:

alert udp !$AUTHORIZED_DHCP 67 -> any 68 (msg:"Rogue DHCP Server On Network"; sid:1000001; rev:1;)

Matching on destination port 68 rather than on 255.255.255.255 catches unicast offers and ACKs (renewals, and servers that honour a client without the broadcast flag) as well as broadcast ones. The sensor has to see the client segment, for example on a SPAN of the access switch; DHCP broadcasts never reach a sensor on the far side of a router.


10) If you have tcpdump around, run it with this BPF filter to catch DHCP server replies that do not come from your real servers:

tcpdump -i eth0 -nn -v 'udp src port 67 and not (src host x.x.x.x or src host y.y.y.y)'

Replace x.x.x.x and y.y.y.y with your production DHCP servers (and relay agents). With -v tcpdump decodes the DHCP options, so you also see which DNS servers the rogue is handing out.

11) And last, check with your host-based firewall vendor that their product supports NDIS-level filtering. That means the firewall protects against unauthorized NDIS protocol registration by hooking NdisRegisterProtocol()/NdisOpenAdapter(), so it is notified when an NDIS protocol driver tries to register or bind to an adapter, which is exactly what NDISProt.sys does to get raw access to the wire.
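The checks in items 8 to 10 all boil down to the same question: did this DHCP reply come from a server we know, and does it hand out the DNS servers we expect? Here is that logic as a small parser you can run over captured DHCP payloads (the UDP payload of a port 67 to port 68 packet, i.e. what is left after the Ethernet/IP/UDP headers). This is an added example written for this page, not code from the original post or from any of the tools above; the allow-lists, the IP addresses and the two sample packets are constructed for illustration.

```python
"""Audit DHCP server replies for rogue servers and unexpected DNS settings.

Added example for this post, not code from any tool named above. The
allow-lists and the sample packets at the bottom are constructed.
"""
import ipaddress
import struct
from typing import Dict, List

# Assumed production servers; use the same lists as your Snort rule and
# tcpdump filter. Relay agents belong in AUTHORIZED_DHCP_SERVERS too.
AUTHORIZED_DHCP_SERVERS = {"192.168.0.1"}
AUTHORIZED_DNS_SERVERS = {"192.168.0.1", "192.168.0.2"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2132 start of options
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP header
HDR_LEN = struct.calcsize(HDR_FMT)


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Decode the TLV option field. Raises ValueError on truncation.

    Option overload (code 52, options continued in sname/file) is ignored;
    server replies in practice keep everything in the main field."""
    if not data.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_reply(payload: bytes) -> dict:
    """Pull the audited fields out of one DHCP UDP payload."""
    if len(payload) < HDR_LEN + len(MAGIC_COOKIE):
        raise ValueError("payload too short for a DHCP message")
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", payload[:12])
    opts = parse_options(payload[HDR_LEN:])
    sid = opts.get(OPT_SERVER_ID, b"")
    dns = opts.get(OPT_DNS, b"")
    return {
        "op": op,
        "xid": xid,
        "msg_type": MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\0")[0], "UNKNOWN"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "server_id": str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else None,
        "dns": [str(ipaddress.IPv4Address(dns[j:j + 4]))
                for j in range(0, len(dns) - 3, 4)],
    }


def audit_reply(payload: bytes) -> List[str]:
    """Findings for one server-to-client payload; empty list means clean."""
    r = parse_reply(payload)
    findings: List[str] = []
    if r["op"] != BOOTREPLY or r["msg_type"] not in ("OFFER", "ACK"):
        return findings                        # only leases carry DNS settings
    if r["server_id"] not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"rogue DHCP server {r['server_id']} sent {r['msg_type']} "
                        f"for {r['yiaddr']} (xid 0x{r['xid']:08x})")
    for server in r["dns"]:
        if server not in AUTHORIZED_DNS_SERVERS:
            findings.append(f"unexpected DNS server {server} pushed by {r['server_id']}")
    return findings


def build_reply(xid: int, msg_type: int, yiaddr: str, server_id: str,
                dns_servers: List[str]) -> bytes:
    """Fabricate a server reply; used here only to construct sample input."""
    sid = ipaddress.IPv4Address(server_id).packed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    hdr = struct.pack(HDR_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                      ipaddress.IPv4Address(yiaddr).packed, sid, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return (hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + sid
            + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))


# Constructed samples: a lease from the real server, and the kind of offer an
# infected host pushes (its own IP as server id, attacker resolvers as DNS).
LEGIT_OFFER = build_reply(0x3903F326, 2, "192.168.0.50", "192.168.0.1",
                          ["192.168.0.1", "192.168.0.2"])
ROGUE_OFFER = build_reply(0x3903F326, 2, "192.168.0.50", "192.168.0.77",
                          ["10.0.0.53", "10.0.0.54"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_reply(pkt) or ["clean"])
```

Feed audit_reply the payload of every port 67 to port 68 packet from a capture and alert on a non-empty result; NAKs and anything that is not a BOOTREPLY are reported clean because they carry no DNS settings. To turn it into an active check like DHCPLOC, broadcast a DHCPDISCOVER and run every OFFER you receive through it, which shows every server on the segment rather than only the one your client happened to pick. One caveat: option 54 is whatever the server chose to write, so a rogue could spoof it; when you have the whole frame, compare it against the source IP and MAC as well.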


Related Posts:

Wednesday, October 15, 2008

The Honeynet Project - Kuwait Chapter

The first Arabian chapter of the Honeynet Project is going to see the light soon. I'd like to announce the creation of the Kuwait Chapter of the Honeynet Project. Our goal is to study Internet attacks and threats that target Kuwait and the Middle East. We are in the process of contacting third parties for donations and sponsorship. If you are interested in helping us, please contact me at (a.qarta@gmail.com).



Also, we are looking for volunteers who want to join the team. The required skills are:

1) Malware analysis

2) Packet analysis

3) Linux/Windows forensics

4) IDS/IPS/firewalls

5) Honeypots


If you would like to donate, we accept:

1) Cash

2) Computers

3) Servers

4) Public Internet IPs

5) Internet connections

For more information, please contact me at (a.qarta@gmail.com)

Sunday, September 7, 2008

Malwares Forensics Dojo in Kuwait

By Aa’ed Alqarta (Symantec STS)

This course is targeted at systems and security administrators who are responsible for securing their clients and networks. Without the concepts and technical skills, you can't defend against the latest generations of malware. This course will give you the knowledge required to fight malware. You'll learn from an experienced, trained instructor who will guide you step by step through the training.

Course Agenda:


- Introduction to malware: malware basics and the history of malware.

- Types of malware: all malware categories and how to defend against them.

- Tools for malware analysis: the analysis tools that help a system admin while investigating an infected computer.

- Malware disinfection: the techniques a system admin needs to disinfect and clean any infected system using special techniques, tools and live CDs.

- Malware detection: how to detect malware propagating on your network using traffic analysis, honeypots and IDS.

- Security policies and defenses against malware: effective security policies and defense strategies against malware.

For registration details, just send an e-mail to (a.qarta [ at ] gmail.com)

Wednesday, July 2, 2008

"Malwares Resistance" Assessment

We have all heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what about a "Malware Resistance Assessment"?

Well, it came to my mind this morning while talking to one of my customers about hardening their machines to make them more "resistant" to malware infections.

It's not clear whether there is any standard to follow when we need to measure the "resistance level" of a network against malware, but based on my knowledge and experience I'd like to craft an essential checklist of questions for you to answer yourself:

1) Do you have the latest version of the antivirus that is running on your systems?

2) Can the antivirus detect known malware, rootkits and exploits?

3) Can the antivirus detect unknown malware, rootkits and zero-day exploits using proactive (behavioural or heuristic) techniques?

4) Do you have a patch-management strategy to fix operating system and third-party application vulnerabilities?

5) Do you have an Internet content-filtering solution to block access to websites that host malicious code?

6) Do you have an antispam solution that filters spam and scans for malicious attachments and embedded links?

7) Are the applications that require an ActiveX component at their latest versions?

8) Do you have the latest version of your Internet browser? (The latest browsers have been engineered with phishing/malware filtering built in.)

9) Do you have a policy that forbids and blocks the use of removable drives on your network?

10) Do you have a policy that forbids and blocks the installation of unapproved software?

11) Do you have a bandwidth-monitoring solution to track network and Internet protocol usage in real time?

12) Do you have a firewall/UTM solution that supports virus scanning of Internet traffic?

13) Do you have an IDS/IPS solution that can observe malware activity on your network?

14) Do you run a honeypot that monitors the dark space in your network/DMZ for malware propagation?

15) Do you have the proper firewall ACLs to prevent inbound/outbound traffic related to malware communications?

16) Do you have a "malware outbreak incident response" plan?

17) Do you follow the principle of least privilege whenever you install or configure software or a service?

18) Do you have a training program that gives you or your team the needed malware-related skills?

19) Do you have a "malware containment strategy" in case of a large-scale propagation?

20) Do you have solid backup and recovery of data and systems in case of data loss due to a malware infection?

21) Do you have security awareness training for users, to reduce the number of infections and to improve users' reporting of incidents?

22) Do you have a secure deployment process for new machines on your network? (Up-to-date OS, up-to-date AV, hardened OS, only approved applications installed, limited user permissions.)

23) Do you follow a password security policy on your network? (Network share passwords, administrator account password, complex passwords, password expiration, changing default passwords.)

If you have anything not mentioned in this list, you're welcome to add it.

Related Posts:

  1. Opera 9 vs. FF 3: anti-phishing review
  2. Use default password, get hijacked
  3. Stop malwares using device control
  4. Block malware domains using Squid
  5. IE Activex security 101
  6. DNS redirection techniques
  7. Malwares containment: quarantine the infected
  8. Malwares containment: level II
  9. Malwares containment - the basics
  10. Analyze malware infections on your own - 1
  11. Analyze malware infections on your own - 2

Monday, June 30, 2008

Firefox vs. Opera: Anti-phishing Review

The war between Opera and Firefox is still burning, and both have improved their code to secure the user's online life. Since I work with security products as a daily task, I have the habit of testing their capabilities to confirm what they are supposed to protect against. When you put anything to the test you sometimes get surprising, and mostly disappointing, results. Today I have two contenders, Opera 9 and Firefox 3. We have heard claims about their readiness to stop the bad. I'm not sure this is the correct way to benchmark them, but my test was simple: simulate a normal user who receives a phishing spam containing a link to a fake website such as PayPal.

The Test:
------------

URL                                                                              OPERA   FF
hxxp://www.warning-s-on-your-boa-account.com/                                    PASS    FAIL
hxxp://dell.cfun.fr/                                                             PASS    FAIL
hxxp://peppegol96.altervista.org/loader.html                                     PASS    FAIL
hxxp://membres.lycos.fr/p4ypal/                                                  PASS    FAIL
hxxp://payypalll.com/                                                            PASS    FAIL
hxxp://www.masterequipamentos.com.br/sas/explorer/paypal.com/PayPal/             PASS    FAIL
hxxp://wmserver.stcable.co.yu/~matthew/Service-Paypal.htm                        PASS    FAIL
hxxp://www.mindblade-studios.com/forum/style_images/amazon.fr/ref=ya_hp_oc_3.htm PASS    FAIL

(PASS: the browser blocked the page or warned about it. FAIL: the page loaded with no warning.)

What makes Opera 9 better than Firefox in my opinion? The higher number of blocked websites, plus the warning notification when a fraudulent website is detected. Firefox did not block any of them and gave no notification, except that it was not receiving the site's identity information.

Download both of them and try the test yourself:

Opera 9

Firefox 3

Adios,

Saturday, June 28, 2008

Book Review: Endpoint Security


I've just finished reading this book by Mark Kadrich, and I have to admit that it is highly informative and focused on the pain points. We are fighting malware every day and spending millions of dollars on solutions built to stop known attacks, which fail to stop the unknown. I'd like to share with you some interesting quotes from the book:

(I'm not aware of any SOx template that ever stopped a worm. Granted, it was a great example of "find a need and fill it" mentality, but it also gave many people the false impression that being SOx compliant meant being secure.)

And

(How can this be? We have antivirus! We have firewalls! We have IDSs! We have authentication systems! We have HIPAA, SOx and let's not forget GLBA! With all this heavy artillery, how can the evil worms of war still manage to break through our defenses? Why do we have systems infected with bots? How can we have all this security and still have a polluted network?)


What can we understand from this?

I think the problem is either that the current security standards are not as effective as before at stopping malware, or that we are not implementing them correctly. A security standard gives you the foundation of the whole security architecture your network needs; if you don't follow the book, it's your problem. I've seen many security administrators who pay no attention to patching machines properly, or who never check the firewall logs for botnet activity. That is a clear example of how malware manages to penetrate your defenses and infect the endpoints.

I'll give you some tips from my daily work.

To stop malware we need to close all the holes, which are:

1) Internet - there are several sources of risk, so let's break them down:

Websites: install a content-filtering solution (e.g. Websense).
Spam: install a reputable antispam solution (e.g. BorderWare MXtreme, Cisco IronPort).
P2P: block these applications with a firewall or IPS, or better, prevent their installation altogether.
Malware: block risky ports on the firewall, deploy a network IPS and deploy a gateway antivirus (HTTP scanning).

2) Removable drives - these devices are "mobile mass infection" weapons, which I'll never allow on my watch.

The only countermeasure against them is a device-blocking policy enforced by software that gives you full control over them.

The list is not finished yet, please keep reading:

- Patch management strategy: OS + application patching. 80% of malware targets a specific vulnerability in your system. I always say "A patched machine with a real IP is safer than an unpatched one behind 100 firewalls".

- Browser security: get a secure browser (Firefox 3 or Opera 9). Read my lips: no *F* ActiveX any more!

- Network Access Control: check Cisco NAC or Symantec SNAC solutions.

- User awareness: e-mails with some cartoons, sessions, screenshots of malicious activity and how to report it.

- Training and reading: if your admin spends his day playing "FreeCell", it is time to level up his knowledge, because an ignorant admin decreases the value of any security solution. Most customers use only 40% of a solution because they lack the knowledge to use the advanced features that might help them combat the original problem.

The book is available on Amazon.

I'm done here,

Saturday, June 21, 2008

USB dongle auto malwares scanning with clamav

How many of you use a USB dongle for your daily tasks? Most of you, I think, but since this blog is about security and malware, today I'm going to show you a trick using a Windows batch file and the portable version of ClamAV to arm your dongle for the times you have to copy or move files in a non-secure environment. Personally, when I need a new or additional USB dongle, I prefer the ones with a hardware write-protect switch. This is a very effective way to protect your USB stick when you need to transfer files between your laptop, for instance, and other machines. But suppose yours doesn't have this feature: then you need to build some kind of armour around it.

Let's work:

1) Get the latest copy of ClamWin Portable for Windows. Download here (install it and rename the folder to ClamWinPortable).

2) Copy the following batch file and call it scan.cmd:

@echo off
rem Paths are relative to the drive root, which is the current directory
rem when Explorer launches this from the root of the stick.
set CLAMBIN=.\ClamWinPortable\App\clamwin\bin
set CLAMDB=.\ClamWinPortable\Data\db
echo Updating ClamAV definitions ...
%CLAMBIN%\freshclam.exe -v --config-file="%CLAMBIN%\freshclam.conf" --datadir="%CLAMDB%"
echo Scanning USB for malware ...
rem -r recurses into subfolders, -i lists only infected files, -l writes the
rem log to the stick; --remove deletes infected files outright, so use
rem --move=<quarantine folder> instead if you want to keep the samples.
%CLAMBIN%\clamscan.exe --database="%CLAMDB%" -r -v --show-progress -u -k --bell --remove -i --detect-broken -l scan-results.txt %cd%
explorer.exe %cd%
exit

3) Copy the following AutoRun instructions and save them as autorun.inf:

[autorun]
shell\Open\Command=scan.cmd
ShellExecute=scan.cmd

Copy all of these files to the root of your USB dongle, then close the Explorer window, reopen it and see the magic.

Two caveats. AutoRun from removable media is the very mechanism malware uses to spread by USB stick, so hardened machines will have it disabled and the scan simply won't start there; keep the habit of double-clicking scan.cmd yourself. And --remove deletes every file ClamAV flags, false positives included, so run it once without --remove (or with --move to a quarantine folder) before trusting it on a stick full of work.