Emergency Threat Update Nov 10, 2008 Windows Worm Breakout

Emergency Threat Update Nov 10, 2008
Windows Worm Breakout
Presented by Jose Varghese
Agenda
- What is the vulnerability and associated threat?
- How does the worm work?
- What are the mitigating controls?
- How do we prepare for incident management?
- Summary – immediate action and long-term solutions
Vulnerability and Threat
Vulnerability
Buffer overflow vulnerability in the Windows Server service
- Attacker sends malformed RPC requests to the Server service
- Unexpected input leads to an "overflow" condition
- If successful, the attacker can run any code of their choice
- Example: change passwords, steal data or modify parameters
Previous buffer overflow vulnerabilities
Slammer worm in 2002, Blaster worm in 2003, Sasser worm in 2004 – all exploited buffer overflow vulnerabilities
A bit of history
- On Nov 2, 2008, it was 20 years since the first Internet worm, "Morris", spread – targeting a buffer overflow vulnerability on Unix systems
Does the attacker need authentication?
Authentication requirements
- No authentication required on Windows 2000/2003/Windows XP
- Authentication required for Windows 2008/Windows Vista
Windows 2000/2003/XP are more vulnerable than Windows 2008/Vista
Threat
Infected machines become unusable
- System tries to spread the worm and also upload data to the attacker
- High CPU/memory utilization and the machine becomes unusable
Data leakage
- Password information and system details are passed to the attacker
Network choking
- Rapid propagation of the worm results in high utilization of LAN and WAN networks
Worm – How it works and what it steals
Worm functioning
Worm targets machines running a vulnerable version of the Windows Server service
The worm file name is n1.exe, n2.exe, n*.exe
When the worm starts:
- Installs a DLL file in the \system32\wbem directory – sysmgr.dll
- Sets up a new service in Windows
- Displayed in Control Panel as "System Maintenance Service"
- Connects to the Internet and downloads more components
- Installs and adds one more service, "Windows NT Baseline"
Worm functioning
Worm collects the following data and passes it to the attacker:
- Operating system version, antivirus version
- MSN Messenger / Outlook Express credentials
- Username / computer name
- Installed patches, applications
- Recently opened documents
- Network adapter / IP addresses
Uploads it after encrypting to http://www.t35.com
Worm functioning
Trojan also updates itself automatically from the sites below:
- http://summertime.1gokurimu.com
- http://perlbody.t35.com
- http://doradora.atzend.com
One of the images downloaded is the popular character Homer Simpson
Technical Controls
Prevention and Detection
Preventive controls
Best solutions
- Disable the Server service and Browser service on the Windows system
OR
- Apply the patch MS08-067 and keep using the services
Impact of service stoppage
Disable the Server service and Browser service on the Windows system
- You cannot share your folders but can still access remote shares
- You will not be able to view other computers in your "Network Neighbourhood"
- The Netlogon service, which allows domain login, depends on the Server service
Out-of-Band patch release
Microsoft follows a monthly patch release cycle
- New patches every second Tuesday of the month
- Next one due on Nov 11
The patch for this vulnerability was released out-of-cycle, or out-of-band
- In the middle of the month, on Thursday, Oct 23
An out-of-band patch release indicates the criticality associated with this vulnerability
Checking patch rollout
Is the patch deployed?
If you have an automated patch management solution
- Easy to track status
- WSUS, BigFix, LANDesk – deploy the patch and report status in the console
If patch deployment is manual, tracking is difficult
- Use Nessus and scan with this specific plug-in [34476]
- www.nessus.org/plugins/index.php?view=single&id=34476
- Use the Microsoft MBSA tool 2.1
If we cannot patch or disable the service…
Workarounds – Network port blocking
Block TCP 139/TCP 445 at the Internet firewall
- Almost all Internet firewalls will already be doing this
Block TCP 139/TCP 445 at internal firewalls and WAN routers
- This will affect file sharing across branches and locations
- We can keep this in place until the patch rollout is complete
Workaround – Check Point SmartDefense
Check Point has released a SmartDefense update to detect and block these malformed RPC requests
- Only relevant if you have to allow TCP 139/TCP 445
- Will help prevent propagation and also identify internal infected sources
- http://www.checkpoint.com/defense/advisories/public/2008/cpai23-Oct.html
How do I know if I am infected?
Early detection is key to limiting damage
Detection
- Anti-virus tracking
- IDS and IPS monitoring
- Network traffic monitoring
- Internet browsing traffic logs
Anti-virus detection
The proof-of-concept worm is detected by AV vendors.
Each vendor calls the worm by a different name:
- TrendMicro – GIMMIV.A
- Symantec – Trojan.Gimmiv.A
- McAfee – Spy-Agent.da
Expect to see more variants from the attacker and corresponding new names from AV vendors
AV has limitations
This is a self-propagating worm and not a virus
AV can only detect and clean
Even if AV is updated, a cleaned system can get re-infected
Only the MS08-067 patch can prevent re-infection
Anti-virus server statistics
Methodology
- Check daily for the top 50 viruses present in your network
- Look out for Gimmiv, Infostealer or their variants
- These could be the infected PCs; isolate and clean them before it spreads
Pre-requisites
- All servers/desktops report infection data to a central console
- All servers/desktops have the updated DAT that detects Gimmiv
IDS and IPS signatures
Methodology
- Have IDS sniffing on internal WAN and server traffic
- Alert on Gimmiv traffic
Pre-requisites
- IDS signatures for the Gimmiv worm are updated in the NIDS
- Snort IDS has already released the signature: www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
- All leading IDS/IPS vendors have released signatures
- IDS is positioned to see internal traffic
Network traffic monitoring
Methodology
- Check for denied traffic on TCP 139/445 from internal LAN/servers
- Look out for an abnormally high number of denied packets
- These could be the infected PCs; isolate and clean them before it spreads
Pre-requisites
- Denied traffic at the router/firewall is logged
- A mechanism exists for real-time tracking and alerting
Internet browsing logs
Methodology
- Check URL access logs for any access to these sites:
  - www.t35.com
  - http://summertime.1gokurimu.com
  - http://perlbody.t35.com
  - http://doradora.atzend.com
  - 59.106.145.58
Pre-requisites
- Internet browsing logs are available and can be easily filtered
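The two log-review methods from the network traffic monitoring and Internet browsing logs slides, as an added worked example in Python (not part of the presentation): a per-source threshold check over firewall deny lines for internal hosts repeatedly hitting TCP 139/445, and an exact hostname/IP match of URL-log entries against the sites and address listed on the slides, plus a cross-check of hosts flagged by both. The firewall and URL log formats, the internal address ranges and every sample log line are assumptions constructed for this example; the indicators are the ones on the slides.

```python
"""Log-review helpers for the two detection methods described on the slides:
denied TCP 139/445 traffic from internal hosts, and URL-log hits on the worm's
known sites. Added example, not from the presentation; log formats and sample
lines are constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Ports the worm propagates over (NetBIOS session / direct-hosted SMB), per the slides.
WORM_PORTS = {139, 445}

# Assumption: the organisation uses RFC 1918 space internally.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Indicators taken from the slides. Hostnames are matched exactly: t35.com was a
# shared free-hosting domain, so matching the whole suffix would flag unrelated sites.
KNOWN_BAD_HOSTS = {"www.t35.com", "summertime.1gokurimu.com",
                   "perlbody.t35.com", "doradora.atzend.com"}
KNOWN_BAD_IPS = {"59.106.145.58"}

# Assumed firewall log format: "... DENY TCP <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(
    r"\bDENY\s+TCP\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")


def is_internal(addr):
    """True if addr falls in one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def count_smb_denies(fw_lines):
    """Count denied TCP 139/445 connections per internal source address."""
    counts = Counter()
    for line in fw_lines:
        m = DENY_RE.search(line)
        if m and int(m.group("dport")) in WORM_PORTS and is_internal(m.group("src")):
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(fw_lines, threshold=5):
    """Internal sources whose denied SMB count reaches the threshold, busiest first.
    One or two denies are normal noise; a host probing many neighbours on 139/445
    in a short window is the pattern the slide describes, hence the threshold."""
    return [(src, n) for src, n in count_smb_denies(fw_lines).most_common()
            if n >= threshold]


def match_url_log(url_lines):
    """Return (client, url, matched_indicator) for URL-log entries to the worm's sites.
    Assumed URL log format: "<client_ip> <url> <status>"."""
    hits = []
    for line in url_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, url = parts[0], parts[1]
        host = urlparse(url if "://" in url else "http://" + url).hostname
        if host is None:
            continue
        host = host.lower()
        if host in KNOWN_BAD_HOSTS or host in KNOWN_BAD_IPS:
            hits.append((client, url, host))
    return hits


def hosts_flagged_by_both(fw_lines, url_lines, threshold=5):
    """Internal hosts seen both scanning on 139/445 and contacting the worm's sites."""
    scanners = {src for src, _ in suspicious_sources(fw_lines, threshold)}
    callers = {client for client, _, _ in match_url_log(url_lines)}
    return sorted(scanners & callers)


# Constructed sample data (not real logs): one host sweeping a server subnet on 445,
# one host with a single deny, one external source, plus unrelated traffic.
SAMPLE_FW_LOG = [
    "Nov 10 09:01:02 fw1 DENY TCP 10.1.5.23:1047 -> 10.2.0.7:445",
    "Nov 10 09:01:02 fw1 DENY TCP 10.1.5.23:1048 -> 10.2.0.8:445",
    "Nov 10 09:01:03 fw1 DENY TCP 10.1.5.23:1049 -> 10.2.0.9:139",
    "Nov 10 09:01:03 fw1 DENY TCP 10.1.5.23:1050 -> 10.2.0.10:445",
    "Nov 10 09:01:04 fw1 DENY TCP 10.1.5.23:1051 -> 10.2.0.11:445",
    "Nov 10 09:01:04 fw1 DENY TCP 10.1.5.23:1052 -> 10.2.0.12:445",
    "Nov 10 09:01:05 fw1 DENY TCP 10.1.7.40:2031 -> 10.2.0.7:445",
    "Nov 10 09:01:06 fw1 DENY TCP 203.0.113.9:4412 -> 10.2.0.7:445",
    "Nov 10 09:01:07 fw1 ALLOW TCP 10.1.5.23:1053 -> 10.2.0.20:80",
    "Nov 10 09:01:08 fw1 DENY TCP 10.1.5.23:1054 -> 10.2.0.20:3389",
]
SAMPLE_URL_LOG = [
    "10.1.5.23 http://www.t35.com/upload.php 200",
    "10.1.5.23 http://summertime.1gokurimu.com/update/n2.exe 200",
    "10.1.9.14 http://www.example.com/index.html 200",
    "10.1.7.40 http://59.106.145.58/ 200",
    "10.1.9.15 http://mirror.t35.com/ 200",
]

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_FW_LOG):
        print(f"possible infected host {src}: {n} denied SMB connections")
    for client, url, indicator in match_url_log(SAMPLE_URL_LOG):
        print(f"{client} contacted worm site {indicator}: {url}")
    print("flagged by both methods:", hosts_flagged_by_both(SAMPLE_FW_LOG, SAMPLE_URL_LOG))
```

Run against the constructed data, only 10.1.5.23 crosses the deny threshold (six hits on 139/445; its 3389 deny and the external 203.0.113.9 source are ignored), three URL-log lines match the slide's indicators, and 10.1.5.23 is the one host flagged by both methods. The threshold and the internal ranges are the two values to tune for a real deployment.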
Hope for the best, prepare for the worst
What if the worm still hits us?
If the worm strikes
- Identify the affected systems/office/region
- Isolate the network
- Clean up, patch, check and reconnect
From past experience
When an incident breaks out:
- Links might not work; email and Internet might have to be turned off
- Designated people may not be available to help
- Decisions have to be taken with minimum delay
What can we do now?
Send out the actual patch file [not the link] to all your location administrators
- WAN links and Internet links may not work when the worm strikes
Send out the worm cleanup instructions/toolkits to all your locations
Send out the AV DAT version that detects the virus [if possible]
Decide the criteria for cutting off a link, branch or region if the virus strikes
How to check the global activity of the virus?
SANS Internet Storm Center
http://isc.sans.org
Today's rating – Green [meaning Safe]
Symantec Threat Management Center
https://tms.symantec.com
Today's rating – Elevated [meaning Unsafe]
Summary of action items
Quick checklist
- Roll out MS08-067 across Windows desktops/servers
- Track patch deployment using Nessus or MBSA
- For unpatched systems, turn off the Server/Computer Browser service
- Update AV/IDS signatures
- Track infections and alerts
- Monitor TCP 139/445 traffic logs and Internet URL logs
- Be prepared for an incident – distribute patches and cleanup instructions now
Long term planning
Worms will come again
Long-term action plan
Desktop patching takes time and tracking is difficult
- Have an automated patch management solution
Anti-virus centralized tracking is critical
- Make sure the AV console can provide a full view of the organization
Have a vulnerability scanner operational and used regularly
- Nessus or MBSA
Long-term action plan
Disable desktop sharing. Allow sharing only on designated servers
Block vulnerable ports at branch routers and WAN aggregation points
- Block known bad, allow the rest
Have traffic log monitoring and alerting on suspicious patterns
- Network device and firewall logs
IDS to monitor internal and WAN traffic
- Not just the Internet side
Recommended Reading
More details available at:
Microsoft Knowledge Base
- www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
- support.microsoft.com/kb/958644
Detailed FAQ on patch and worm
- http://blogs.securiteam.com/index.php/archives/1150
How the worm operates
- http://tools.cisco.com/security/center/viewAlert.x?alertId=16947
Questions? Suggestions?
Thank you for your time