Sekiur My Thoughts

As professionals in security we are constantly researching new technologies to keep our skills sharp. The Internet Storm Center was formed to assist with keeping our peers aware of the fast paced changes in vulnerabilities, patches, hacks, worms, Trojans and threats in general.

How we communicate these risks to our key decision makers sometimes can be a challenge. A recent example would be the Conficker April 1st situation. It was important for us to convey the sense of urgency we felt to have MS08-067 patched, as well as cross checking all our systems for updates being rejected, anti-virus definitions up-to-date and so on. My question to you is “did you communicate the risk effectively”? Were you able to give a complete and accurate risk assessment to your management?

Remember that risk assessment is the process of identifying a threat, understanding how that threat relates (vulnerability) to your organization, assessing the cost and providing that information to management. The formula is simple, let’s break it down.

Risk = Threat x Vulnerability x Cost

1. State the threat in language that is easily understood. It is your job to decrypt the threat for your management team.
2. Portray clearly and accurately what the threat could do and how it would possibly perform in your environment.
3. Identify the number of assets which may be affected by the threat. What is percentage of vulnerable devices in relation to the total devices? (Servers, workstations, operating systems, Internet exposure)
4. Identify the corrective measures which are available to be taken.
5. Calculate the SLE (Single Loss Expectancy). What is the dollar value of the cost that equals the total cost of the risk?
6. State how the remediation would lower the exposure to the organization and give a cost for those actions.
7. Recalculate the SLE with projected remediation included.
8. Provide status of the protection mechanisms already in place (anti-virus definitions, IPS signature detections, patching statistics).
9. Then allow management to make an educated decision based on risk to the enterprise, not just the security event itself.

By utilizing this concrete methodology, we can lessen the influence of media hype and provide a professional cost based opinion to those best equipped to make enterprise decisions.

Source:  http://www.dshield.org/diary.html?storyid=6223 by Mari Nichols

Related articles by Zemanta

• Top Ten Ways to Know If You Have the Conficker Virus (ethelthefrog.com)

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Related articles by Zemanta

• Your Quick Guide to the Conficker Worm (shankrila.com)
• With global effort, a new type of worm is slowed (infoworld.com)
• My Top Security and Maintenance Tools (idiomag.com)
• New Information Pages on Conficker (blogs.technet.com)
• Windows PC Worm Set to Activate on April 1st (littlegreenfootballs.com)

This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.

Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.

Symptoms

============

Symptoms to help you determine if you are infected

• Account lockout policies are being tripped
• Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
• Errors related to SVCHOST
• Domain Controllers are slow to respond to client requests
• Network congestion
• Various security related websites are not accessible including Windows Update.

For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.

Solution

=========

Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.

The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:

1. Install patch KB958644 for MS08-067 if not installed
2. Attempt to remove the “Conficker”/”Downandup” worm
3. Enable Hidden Setting
4. Delete all scheduled tasks
5. Stop and disable services. (lanmanserver, schedule)
6. Run MSRT – Malicious Software Removal Tool
7. Install Autorun hotfix if not installed
8. Install KB950582 for vulnerability MS08-038
9. Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
10. Remove Hidden Setting
11. Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
12. Restart
13. Install patch KB958644 for MS08-067 and restart

You will need to download the following files and batch script and drop them into the NetLogon share.

• Getver.exe – contained in ConfickerClean-v10.3.zip here ==> [Download not found] and script to remove “Conficker”/”Downandup” locally here ==> [Download not found].
• SC.EXE – contained in ConfickerClean-v10.3.zip
• REG.exe – contained in ConfickerClean-v10.3.zip
• windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
• windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
• sleep.exe – contained in ConfickerClean-v10.3.zip
• Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
• Place all 3 updates in the Netlogon directory.
• Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
  This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.

Now you will proceed to create and push a Group Policy to the domain.

1. Edit the <domain.com> values in the script.
2. Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
3. Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
4. Link the GPO with the Startup Script to the OU and Groups where you want it to apply.

Note:

Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to reinfect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops a binary file called Autorun.inf on all removable drives.

Sources:

All credit to Microsoft Support Engineering

A new worm has hit the Internet and its taking its toll on computers worldwide. It has been reported that over 9 million computers have already been infected.

The worm called “Downandup”, “Conficker” or “Kido” by different anti-virus vendors uses the Microsoft vulnerability which I blogged about here (Worm Takes Advantage Of Microsoft Flaw) and here (Microsoft Releases Emergency Patch).

The worm mostly spreads across networks, turning off the system restore and deleting the restore points, blocks access to security website, download additional malware from the author, attempts to infect other computers by scanning network shares and scheduled a task to re-infect the computer if removed.

What is interesting is that it can also spread by USB memory keys or devices making use of social engineering which makes it more dangerous to the untrained eye. When a USB drive is inserted it shows a modified AutoPlay screen seen below which will install the worm when the users inadvertently clicks on it.

According to SANS Internet Storm Center, one of the reasons the worm is infecting so many machines is that “Conficker” uses multiple infection vectors:

1. It exploits the MS08-067 vulnerability,
2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

• hxxp://www.getmyip.org
• hxxp://getmyip.co.uk
• hxxp://checkip.dyndns.org
• hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

• hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Suggestions -

1. Disable AutoPlay in your environment.
2. Run a good security suite.
3. Keep your computer updated with the latest patches.
4. Be PROACTIVE and look for the worm in your environment.

Sources:

http://www.nai.com

http://www.symantec.com

http://www.f-secure.com

http://isc.sans.org

This will give you the capability to scan e-mails for spam, viruses and phishing using a variety of open source programs before they arrive to your e-mail server.

From Sekipedia
Jump to: navigation, search

* Install CentOS 5.1 barebones (customizing the install with nothing checked.)

* Update the system

yum update

* Install Additional packages

yum install ntp

yum install vixie-cron crontabs

* Download and install Webmin

cd /opt

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.430-1.noarch.rpm

yum install perl-Net-SSLeay

rpm -ivh webmin-1.430-1.noarch.rpm

* Disabled unneeded services

service iptables stop
service ip6tables stop
service netfs stop
chkconfig iptables off
chkconfig ip6tables off
chkconfig netfs off

* Install Postfix

yum install postfix

* Configure Postfix

myhostname = titan.corp.com
mydomain = localhost
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetwork_style = class

* Configure Postfix to forward email

relay_domains = lab.net

This tells Postfix which domains it should relay mail. All mail destined for this domain (and only this domain) will be forwarded to its remote SMTP server. You can put multiple domains here, just separate them with a comma or whitespace.

Add line to end of main.cf

transport_maps = hash:/etc/postfix/transport
mailbox_size_limit = 20480000
mailbox_size_limit = 20480000

This tells Postfix what method to use to resolve the destination address for relayed mail:

Add line to end of “/etc/postfix/transport”

lab.net smtp:[192.168.2.225]

This command specifically maps the domain “lab.net” to the IP address 192.168.2.225 and tells Postfix to use SMTP as the transport. All mail destined for lab.net which is relayed through this Spam Gateway will be forwarded via SMTP to 192.168.2.225.

Then run command:

postmap /etc/postfix/transport

This command builds the hash table/file which Posfix will use to forward mail. If you don’t do this, it wont work.

Finally add this line to main.cf

append_at_myorigin = no

These lines will make sure your Spam Gateway does not add any of its own header domain info to the mail as it passes thru.

* Test Again

Stop and start postfix to make sure all changes take.

service postfix stop
service postfix start

I know this is redundant, but you really should test your system again before installing MailScanner. Make sure that mail gets passed through the system without problem. If you do encounter a problem, it will be a lot easier to fix it now than after you’ve installed MailScanner, SpamAssassin and ClamAV.

At this point incoming e-mail should go through the Mail Relay and be forwarded to the internal E-mail server.

* Install DAG’s GPG key

rpm –import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Verify the package you have downloaded

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag then it should be safe.

* Download and Install the package

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install perl modules and dependencies for MailScanner

yum install –enablerepo=rpmforge perl-Archive-Zip perl-Convert-BinHex perl-Convert-TNEF perl-DBD-SQLite perl-Filesys-Df perl-HTML-Parser

yum install –enablerepo=rpmforge perl-IO-stringy perl-MIME-tools perl-Net-CIDR perl-Sys-Hostname-Long perl-OLE-Storage_Lite

yum install tnef

* Download and Install MailScanner

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.71.10-1.rpm.tar.gz

tar -zxvf MailScanner-4.71.10-1.rpm.tar.gz

cd MailScanner-4.71.10-1

rpm -ivh mailscanner-4.71.10-1.noarch.rpm

chkconfig postfix off

service postfix stop

chkconfig MailScanner on

* Configure MailScanner Settings

Updates to postfix’s main.cf by adding this line:

header_checks = regexp:/etc/postfix/header_checks

In the file /etc/postfix/header_checks add this line:

/^Received:/ HOLD

Here are the edits to Mailscanner – place / update in /etc/MailScanner/MailScanner.conf

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Optional edits to MailScanner

Change %org-name%
Change %org-long-name%
Change %web-site%

Here’s some file permissions changes you’ll need to make:

chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine

service MailScanner start

Its a good idea to test the server now. Send a message to the remote server and see if it goes through. It should, and then you can move to installing SpamAssassin.

* Install perl modules for SpamAssassin

yum install perl-Digest-SHA1 perl-Net-DNS perl-Archive-Tar perl-IO-Zlib

yum install –enablerepo=rpmforge perl-Encode-Detect perl-Mail-SPF perl-IP-Country perl-Mail-DKIM perl-Net-Ident

* Update the system

yum update

* Install and Configure SpamAssassin

yum install spamassassin

You don’t need to edit any of the SpamAssassin conf files because all of the configuration is done through MailScanner.

In /etc/MailScanner/MailScanner.conf we will make these changes:

Change this line:

Use SpamAssassin = no

to:

Use SpamAssassin = yes

Update the SpamAssassin User State Dir setting:

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

and then run commands:

mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin

Restart MailScanner to make changes stick.

service MailScanner restart

* SELinux exception for Clamav

setsebool -P clamd_disable_trans=1 or disable SELinux while Clamav is installed.

* Install ClamAV

yum install clamav clamav-db –enablerepo=rpmforge

* Configure ClamAV and MailScanner Settings

In /etc/freshclam.conf make the following edits:

Add ‘#’ in front of the word ‘Example’

Do the same in /etc/freshclam.conf

Now you need to update ClamAV’s virus signature files

[root@smtp]# freshclam

ClamAV update process started at Fri Sep 19 12:45:42 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cvd is up to date (version: 8287, sigs: 29596, f-level: 35, builder: arnaud)

Update MailScanner’s configuration file to use ClamAV

‘Virus Scanners = clamav’

In MailScanner.conf, check the setting of ‘Monitors for ClamAV Updates’ to ensure it matches the location of your ClamAV virus database files.

This should be “/var/clamav/*.cld /var/clamav/*.cvd”.

* Installing Postgrey

yum install postgrey

* Configuring Postgrey

Edit /etc/postfix/main.cf and add the following to smtpd_recipient_restrictions.

permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
check_policy_service unix:postgrey/socket

check_policy_service unix:postgrey/socket performs the greylisting while adding reject_unlisted_recipient before it enables Postfix to immediately reject unknown recipients instead of having clients go through the greylisting process before being informed that the recipient does not exist.

To disable greylisting for certain IP addresses or hostnames, add the IP address, hostname or regular expression to match hostnames into the file /etc/postfix/postgrey_whitelist_clients.local.

Hostnames are identified by performing a reverse DNS on the client’s IP address.

For sample entries, view the file /etc/postfix/postgrey_whitelist_clients.

* Update the system

Make one last final update to make sure your system is updated.

yum update

Great article at Lifehacker on Windows maintenance tools that anyone wanting to run a healthy PC should have installed.

Apart from CCleaner, Revo Uninstaller, Auslogic Disk Defrag, and Spybot – Search & Destroy, I would also add some in case virus/malware/spyware removal is required. RootKitRevealer, Ad-Aware, ATF-Cleaner, Avenger, HijackThis and Trojan Remover.