Sekiur My Thoughts

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Related articles by Zemanta

• Your Quick Guide to the Conficker Worm (shankrila.com)
• With global effort, a new type of worm is slowed (infoworld.com)
• My Top Security and Maintenance Tools (idiomag.com)
• New Information Pages on Conficker (blogs.technet.com)
• Windows PC Worm Set to Activate on April 1st (littlegreenfootballs.com)

This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.

Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.

Symptoms

============

Symptoms to help you determine if you are infected

• Account lockout policies are being tripped
• Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
• Errors related to SVCHOST
• Domain Controllers are slow to respond to client requests
• Network congestion
• Various security related websites are not accessible including Windows Update.

For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.

Solution

=========

Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.

The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:

1. Install patch KB958644 for MS08-067 if not installed
2. Attempt to remove the “Conficker”/”Downandup” worm
3. Enable Hidden Setting
4. Delete all scheduled tasks
5. Stop and disable services. (lanmanserver, schedule)
6. Run MSRT – Malicious Software Removal Tool
7. Install Autorun hotfix if not installed
8. Install KB950582 for vulnerability MS08-038
9. Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
10. Remove Hidden Setting
11. Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
12. Restart
13. Install patch KB958644 for MS08-067 and restart

You will need to download the following files and batch script and drop them into the NetLogon share.

• Getver.exe – contained in ConfickerClean-v10.3.zip here ==> [Download not found] and script to remove “Conficker”/”Downandup” locally here ==> [Download not found].
• SC.EXE – contained in ConfickerClean-v10.3.zip
• REG.exe – contained in ConfickerClean-v10.3.zip
• windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
• windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
• sleep.exe – contained in ConfickerClean-v10.3.zip
• Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
• Place all 3 updates in the Netlogon directory.
• Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
  This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.

Now you will proceed to create and push a Group Policy to the domain.

1. Edit the <domain.com> values in the script.
2. Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
3. Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
4. Link the GPO with the Startup Script to the OU and Groups where you want it to apply.

Note:

Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to reinfect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops a binary file called Autorun.inf on all removable drives.

Sources:

All credit to Microsoft Support Engineering

A new worm has hit the Internet and its taking its toll on computers worldwide. It has been reported that over 9 million computers have already been infected.

The worm called “Downandup”, “Conficker” or “Kido” by different anti-virus vendors uses the Microsoft vulnerability which I blogged about here (Worm Takes Advantage Of Microsoft Flaw) and here (Microsoft Releases Emergency Patch).

The worm mostly spreads across networks, turning off the system restore and deleting the restore points, blocks access to security website, download additional malware from the author, attempts to infect other computers by scanning network shares and scheduled a task to re-infect the computer if removed.

What is interesting is that it can also spread by USB memory keys or devices making use of social engineering which makes it more dangerous to the untrained eye. When a USB drive is inserted it shows a modified AutoPlay screen seen below which will install the worm when the users inadvertently clicks on it.

According to SANS Internet Storm Center, one of the reasons the worm is infecting so many machines is that “Conficker” uses multiple infection vectors:

1. It exploits the MS08-067 vulnerability,
2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

• hxxp://www.getmyip.org
• hxxp://getmyip.co.uk
• hxxp://checkip.dyndns.org
• hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

• hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Suggestions -

1. Disable AutoPlay in your environment.
2. Run a good security suite.
3. Keep your computer updated with the latest patches.
4. Be PROACTIVE and look for the worm in your environment.

Sources:

http://www.nai.com

http://www.symantec.com

http://www.f-secure.com

http://isc.sans.org

The more I research on the potential and possibilities of VoIP phone systems, the more companies I see trying to get a piece of the market.

Reminds me of a blog entry I read recently “Everything I Know About Business I Learned From Poker” and more specifically the quote: “If there are too many competitors (some irrational or inexperienced), even if you’re the best it’s a lot harder to win.” which definitely rings true here.

Below is a partial list of VoIP phone systems geared towards small businesses, meaning deployments of less than 50 phones. Although several of these systems can easily scale into the hundreds of phones.

1. PhoneBochs from Rochbochs, Inc. (Duluth, MN based Rochbochs builds appliances based on Linux ranging from firewalls, asterisk telephony, Zimbra Email Collaboration and Fax over IP.)
2. GXE502X from Grandstream. (Brookline, MA based Grandstream builds the GXE502x appliance, a powerful all-in-one voice + video + fax + data communication solution for the small to medium sized business)
3. Jazinga PBX from Jazinga. (Toronto based Jazinga integrates data networking, traditional telephone service and low-cost Voice-over-IP (VoIP) service into one simple solution for small business and homes)
4. Response Point from Microsoft. (Redmond, WA based Microsoft could not miss the action and introduced their next generation phone system for small businesses.)
5. Trixbox from Fonality. (Los Angeles, CA based Fonality who acquired Trixbox which itself was re-branded from the open source project Asterisk @Home brings both software and appliance offerings to the table going beyond the small business market.)
6. Switchvox IP PBX from Digium. (Huntsville, AL based Digium and the cradle of Asterisk brings forth their flagship product Switchvox which is probably one of the most popular offerings out there today.)
7. TalkSwitch from Centrepoint Technologies. (Canada based Centrepoint, now TalkSwitch provides telecommunications solutions ideal for small and multi-location businesses with up to 32 telephone users per office.)
8. PIKA WARP by PIKA Technologies. (Ontario, Canada based PIKA builds appliances focused on Asterisk and Linux solutions for small businesses.)
9. BYOB by yourself. (Locally based, you can “Build Your Own Box” using Sangoma or Digium hardware for POTS landlines and build your own VoIP phone system using any Asterisk distribution, including Trixbox®, Elastix, AsteriskNOW, Elastix, CentPBX, and PBX-in-a-Flash, or FreeSWITCH, or YATE.

Amongst the other options available are the hosted solution where you pay a fixed cost per device, and then there’s the Colo solution where you would have one of the options above hosted by someone else.

There are many variables that need to be taken into account and every business is different.

Small businesses are likely to have some type of broadband connectivity to the Internet, whether cable or DSL and not the more reliable T1 circuit. Although I have not had any problems with my broadband connection for over 3 years, I have seen businesses add redundant cable and/or DSL because they have to stay up when their service gets interrupted occasionally during a storm.

The amount of simultanous calls at any one time and the codec used will also play a role in deciding if the hosted solution is viable, since most broadband providers do not offer symmetrical upload and download speeds but rather assimetrical where the upload is usually much lower than the download speeds.

My rule of thumb for a business with more than 10 phones and 3 lines with heavy phone usage is to stay with the premises PBX and only use VoIP trunks as secondary circuits for savings.

Just read an article over at Internet News – Which Top Apps Have the Most Security Holes? and to my surprise Firefox was right up there on first place.

I consider myself a pretty safe Internet surfer, doing the obvious and making sure that I do not visit a website that could put my PC at risk.

A long time ago when I started to use Firefox and became a fan hooked on add-ins and tabbed browsing, I decided to continue to use Internet Explorer exclusively for banking. On the Firefox side I also take preventative measures including a couple of add-ins which I think are critical. The first is Adblock Plus and the second is NoScript.

This practice makes even more sense now, although I constantly make sure that I keep up with security updates.

For enterprises, the fact spells trouble — especially since many of these apps slip in without IT knowing. Additionally, the news comes as businesses face growing security threats, punctuated by a slew of recent data breaches, while also contending sharply reduced spending on IT projects.

What is surprising is that Microsoft showed up at number 10 with only Microsoft Windows Live Messenger. I have to say that Microsoft has done a superb job and mastered patch deployment and as long as you have an Internet connection and automatic updates turned on you’re half way there.

Additional measures I have decided not to take is to privatize my Internet browsing. A couple of popular practices are to tunnel your browsing through your home Internet connection in order to prevent your employer from snooping or blocking web traffic and the other is to anonymize the traffic either by going through a proxy or using a product that will rotate source IP addresses every time a connection is made (onion routing), making it virtually impossible to analyze the traffic.

Unfortunately I believe that once you get online, there is really no way to cover your tracks. There is nothing that isn’t traceable and if someone wants to find you bad enough they will so keep it legal.

When it comes to decision making having data to make the right choice is paramount.

Creating a pilot program provides invaluable feedback from users as to the functionalities that a specific product provides and making them part of the selection process improves the success of a project greatly.

Today we will be looking at Microsoft’s e-mail hosted solution, more specifically Exchange Labs which is described in detail in a previous post here.

Once you get an invitation from Microsoft which you have to request, you will go to their administrative console http://domains.live.com. After the domain is created, the game beings and we start playing with DNS records. We will address BIND specific configurations, but these same settings will apply to other DNS servers.

The easiest way to begin is to setup a new zone named live.your-domain.com.

An MX record will need to be created pointing to the exchangelabs.com domain and the specific entry will be provided by the administrator console.

• DNS Record Type: MX
• Host: live.your-domain.com
• MX server: number_provided.mail.exchangelabs.com
• TTL: 3600 or 1 hour
• Priority: 0 (or High priority)

Create a CNAME entry to allow Outlook 2007 client to connect to Exchange Labs.

• DNS Record Type: CNAME
• Host: autodiscover
• Value: autodiscover.exchangelabs.com

Configure Sender ID to allowing destination mail servers to trust mail originating from your domain using the Sender Policy Framework (SPF).

• DNS Record Type: TXT
• Host: live.your-domain.com
• Value: v=spf1 include:exchangelabs.com ~all
• TTL: 3600 or 1 hour (if requested)

Finally if you want to have federated Windows Live Messenger access, you will need to create a SRV record.

• DNS Record Type: SRV
• Host: _sipfederationtls._tcp.live.txwes.edu
• Value: 10 2 5061 federation.messenger.msn.com

Now to test the configuration you can use DNSWatch to test your records to see how the world sees your servers. Keep in mind that it could take hours for your records to propagate throughout the Internet.

Finally there are several options for you to customize the look and feel of your hosted e-mail.

You will be able to reach the site by going to http://autodiscover.live.your-domain.com or you can enter an additional CNAME entry in your DNS which is more significant to you and point it to autodiscover.exchangelabs.com

Apparently creating multiple administrator accounts cannot be done easily on the administrative website, but rather using a tool called PowerShell and promoting existing user accounts. Further limitations include that PowerShell will only run on Vista SP1 and Windows Server 2008.

Instructions on doing this are here and here.

Just had to pass on what transpired today. I started a Tech Support call to Microsoft Partner Support at 9:05 this morning. The call was initially answered in Redmond by the Partner Group. It was then transferred (via IP) to India for First Level Support – this lasted for two hours, when it was kicked up to another level in tech support, and transferred (Again, via IP) to Montreal, CA. After another half hour, I had to attend a meeting, so the call was transferred (in house) to one of my Techs. He stayed on the line for another 1.5 hours, and then transferred the call back to me.

So at this point, I have had a live call that has been bounced over two continents, and in house over three extensions – this is at the 4-Hour point in the call.

The tech from M$FT then says that he needs a disk placed in the server – I place him on hold and call my contact, who is not there, so I transfer the call to my cel phone, and jump in the car and drive 15 minutes to the customer site. Stick the disk in, and resume troubleshooting on site and on the Cel, which has the call bridged through our Trixbox and out to my cel phone.

Two hours and 48 minutes later, and the M$FT guy is still not done, and my cell phone is going dead. Remote over to my desk at the office, call one of the people at my office and tell them I am giving them the call back, and to transfer it to a desk phone back where I am. I then bring up Flash Operator Panel, and put the call on his desk.

He then does a screened transfer to me, hits the receptionist at the school I am working at, asks for the server room, and when the phone rings and I answer, releases the call back to me!!!

Now, I am back talking to the M$FT guy, with no interruption WHATSOEVER and the call goes on for another 2 hours and 20 minutes!!!! He finally finishes what he was doing, and I sat back and looked at the statistics for the call:

9 Hours, 10 Minutes and 56 Seconds (I looked in the Log)
Three Locations and Two Continents (On the M$FT side)
Three internal Transfers, Two Offsite Transfers, and one Flash Operator Panel Call retrieval from an offsite location!!!!!!

And at no point did the call quality suffer – and all of this on a standard production Trixbox system!

Name me a system you could have done this on this easily!!!!

Source: Trixbox Forums (GSnover)

Higher Education and K-12 institutions have always either lead in the IT field with innovative solutions or been way behind in technology to the point of not having any.

Open source has always been an option, although generally for the technically inclined but several years ago the big guys (Google and Microsoft), brought hosted E-mail offerings to the table that would out perform any locally installed solution and without a price tag associated with it.

A new player recently entered the market with their very attractive offering. ZCS from Zimbra.

Zimbra Collaboration Suite (ZCS) is a groupware product created by Zimbra Inc., located in San Mateo, California, USA. The company was purchased by Yahoo! in September 2007.[1]. The software consists of both client and server components. Two versions of Zimbra are available: an open-source version, and a commercially supported version (“Zimbra Network”) with closed-source components. These software versions are available from Zimbra for download and independent use, from Zimbra-authorized partners, and included with service from a Zimbra-authorized hosting provider.

So what are the options?

1. Outsource
   1. Google Apps for Education
   2. Microsoft’s Live@edu Service
   3. Zimbra’s Hosted Collaboration Suite
2. Maintain/deploy in-house

Even thought there are legitimate issues with outsourcing, like privacy of e-mails, loosing control over the capability to access logs in case of an incident and ads displayed to the constituents amongst others; the option to provide this same level of service in-house is not economically feasible.

Lets take a look what these services offer:

Microsoft and Google are free provided that they can display ads for alumni and Zimbra costs $2 per year per student.

Resources:

Microsoft Live@edu:

Microsoft Live@edu video
Live@edu with Exchange Labs
Web Collaboration

Google Apps for Education:

Google Apps video

Zimbra:

Compare Hosted EDU Products

Just as I had predicted it would happen, there are already reports that a worm exploiting the hole in the “Server Service” has been seen in the wild. Microsoft released yesterday a critical “out-of-band” patch (MS08-067) release having known about the issue for a while.

Milw0rm, an exploit tracking Internet site has posted the exploit code required to overflow the stack. The code can be downloaded here.

Symantec is tracking an exploit “Bloodhound.Exploit.212″, via Bugtraq ID 31874 using this vulnerability, but they report it is still not widespread. Other reports points to a certain file “n2.exe” being downloaded to compromise computers, as McAfee has been tracking here.

The worm as already received several names including Gimmiv and Dropper. The guys over at Threat Expert Blog have a pretty detailed explanation of how the code works and what it does.

Both Symantec and McAfee said Friday that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting Thursday evening, they found a 25 percent jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.

It is not likely that large networks will have ports 139 and/or 445 open to the Internet and even most DSL/Cable modem router will not allow this kind of inbound traffic either, but I have no doubt this will cause a false sense of security among pseudo-system admins and as this worm evolves and becomes more sophisticated, it will transverse corporate perimeter firewall through malware and spyware and then spread within the network wreaking havoc.

The same principals behind gaining a root shell for a Unix system, apply for Windows systems allowing the attacker to execute remote code.

Today Microsoft release an emergency patch with a maximum severity rating of “Critical”, for Windows 2000 SP4, Windows XP SP1, SP2 and SP3, and Windows 2003; and with a severity rating of “Important”, for Windows Vista and Windows 2008 servers.

In this particular instance the attacker would craft RPC connection to TCP port 139 and/or 445 on a target system, looking to overflow the buffer, thus gaining access to execute remote code. This would allow the attacker to gain full access to the system, with the ability to install programs, view, change and/or delete data, or create accounts.

The Microsoft Security Bulletin MS08-067, provides details on the issue as well as the download links to the patches for the affected platforms.

This particular vulnerability makes use of a buffer previously unchecked in the “Server Service”, which provides RPC, file and print, and named pipe sharing support over the network.

Microsoft has acknowledged that over the last three weeks, criminals have been targeting systems using this vulnerability, but decided to rush out the patch since after handling close to a 100 incidents relevant to this flaw, had seen that number rise significantly.

As I wrote in my past blog on Root Shell – The Holy Grail, it is very likely that a worm will surface on the Internet taking advantage of the gap between the patch release date and when this patch is actually applied by IT departments worldwide.

Install the patch immediately if you are running any of the affected systems and if you are running anything older then upgrade.

UPDATE: 9:21pm – Definitely did not expect it to happen this soon, but the New York Times is reporting that attack code to exploit the vulnerability has surfaced just hours after the patch was announced. This vulnerability is so serious that a worm with viral characteristics could be Blaster all over again.