Tag Archive for vulnerability

Conficker Gets Ready To Strike

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

[ad]

https://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
https://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
https://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Reblog this post [with Zemanta]

Step by Step In Dealing With Conficker

This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.

Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.

Symptoms

============

Symptoms to help you determine if you are infected

  • Account lockout policies are being tripped
  • Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
  • Errors related to SVCHOST
  • Domain Controllers are slow to respond to client requests
  • Network congestion
  • Various security related websites are not accessible including Windows Update.

For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.

Solution

=========

Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.

The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:

  1. Install patch KB958644 for MS08-067 if not installed
  2. Attempt to remove the “Conficker”/”Downandup” worm
  3. Enable Hidden Setting
  4. Delete all scheduled tasks
  5. Stop and disable services. (lanmanserver, schedule)
  6. Run MSRT – Malicious Software Removal Tool
  7. Install Autorun hotfix if not installed
  8. Install KB950582 for vulnerability MS08-038
  9. Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
  10. Remove Hidden Setting
  11. Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
  12. Restart
  13. Install patch KB958644 for MS08-067 and restart

You will need to download the following files and batch script and drop them into the NetLogon share.

  • Getver.exe – contained in ConfickerClean-v10.3.zip here ==>  and script to remove “Conficker”/”Downandup” locally here ==> .
  • SC.EXE – contained in ConfickerClean-v10.3.zip
  • REG.exe – contained in ConfickerClean-v10.3.zip
  • windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
  • windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
  • sleep.exe – contained in ConfickerClean-v10.3.zip
  • Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
  • Place all 3 updates in the Netlogon directory.
  • Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
    This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.

Now you will proceed to create and push a Group Policy to the domain.

  1. Edit the <domain.com> values in the script.
  2. Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
  3. Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
  4. Link the GPO with the Startup Script to the OU and Groups where you want it to apply.

Note:

Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to reinfect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops a binary file called Autorun.inf on all removable drives.

[ad]

Sources:

All credit to Microsoft Support Engineering

Locking Down The Blackberry Network

Early last year India threatened to discontinue Blackberry service if Research In Motion (RIM), the company behind the Blackberry did not allow the Indian Government to monitor the Blackberry network traffic raising serious security concerns. Here are a few articles from PCWorld, InfoWorld, and CNet.

Now president-elect Barack Obama vows to keep his Blackberry despite hacking fears and concerns by the Secret Service.

This will not only be a headache for the Secret Service but its pretty likely that hacking attempts towards the RIM network will increase exponentially.

Generally people just don’t think about the risk that a smart-phone poses, specially if its connected to a Blackberry Enterprise Server. How could my phone be a risk to anyone? Well a smartphone is not just a phone, but rather a miniature computer that is not just capable of making calls but it also an un-metered gateway into the corporate network.

In order to understand what actions to take to protect a smart-phone, in particular the Blackberry you have to understand how it works and how it interacts with the Blackberry Enterprise Server.

Vulnerabilities:

  • Lack of authentication
  • Lack of encryption
  • Lack of mobile code execution controls
  • Difficult to enforce controls
  • Peripheral devices introduce additional vulnerabilities
  • Infrastructure vulnerabilities service specific operating systems, platforms, applications, etc.
  • Small size is prone to theft and loss
  • All devices may not be corporate owned
  • Multiple configurations of the Blackberry Enterprise Server (BES) architecture
  • Limited centralized update mechanisms
  • Limited IT/CIO Control

Sources of Recommended Controls and Security Guidelines:

  • The Vendor (Microsoft, Treo, RIM, etc.)
  • SANS (www.sans.org)
  • NIST has a great publication
  • Other existing guidelines
  • 3rd Party Solutions often fill the gaps

Once the vulnerabilities have been identified we proceed to implement controls and audits.

Controls:

Controls will include policies, standards, practices, procedures, guidelines, awareness, authentication, encryption, and asset management.

Audits:

Once the scope has been defined, allow to review the implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents. Audits also allow the review of configuration and options to ensure that security is not just available but implemented. Additionally configurations pushed down to end devices need to be audited as well.

The infrastructure design and configuration of network components (firewalls, routers, switches, VLANs, etc.) will need to be audited as they play an intricate part of the overall security of the system.

Risk Assessment:

Although this requires additional resources and expertise, its a must in certain environments like corporate or government. A risk assessment will identity security vulnerabilities and provide a 2nd chance to identify all “assets”.

Once this has been completed, validating the risk by performing an “ethical hack” will remove any uncertainty by proving the vulnerabilities identified actually exist.

Conclusion:

Providing documentation on the findings is vital. The documentation required will contain an executive summary, action items and details for system administrators, and a clear and concise report with both the good and the bad findings.

A couple of things that should not fall through the cracks are ensuring that the corrective actions are implementable within the organization and the next audit scheduled.

Sample Policy:

Sample Blackberry Enterprise Server Policy

[ad]

Microsoft Releases Emergency Patch

The same principals behind gaining a root shell for a Unix system, apply for Windows systems allowing the attacker to execute remote code.

Today Microsoft release an emergency patch with a maximum severity rating of “Critical”, for Windows 2000 SP4, Windows XP SP1, SP2 and SP3, and Windows 2003; and with a severity rating of “Important”, for Windows Vista and Windows 2008 servers.

In this particular instance the attacker would craft RPC connection to TCP port 139 and/or 445 on a target system, looking to overflow the buffer, thus gaining access to execute remote code. This would allow the attacker to gain full access to the system, with the ability to install programs, view, change and/or delete data, or create accounts.

The Microsoft Security Bulletin MS08-067, provides details on the issue as well as the download links to the patches for the affected platforms.

This particular vulnerability makes use of a buffer previously unchecked in the “Server Service”, which provides RPC, file and print, and named pipe sharing support over the network.

Microsoft has acknowledged that over the last three weeks, criminals have been targeting systems using this vulnerability, but decided to rush out the patch since after handling close to a 100 incidents relevant to this flaw, had seen that number rise significantly.

As I wrote in my past blog on Root Shell – The Holy Grail, it is very likely that a worm will surface on the Internet taking advantage of the gap between the patch release date and when this patch is actually applied by IT departments worldwide.

Install the patch immediately if you are running any of the affected systems and if you are running anything older then upgrade.

[ad]

UPDATE: 9:21pm – Definitely did not expect it to happen this soon, but the New York Times is reporting that attack code to exploit the vulnerability has surfaced just hours after the patch was announced. This vulnerability is so serious that a worm with viral characteristics could be Blaster all over again.