Emergency Threat Update Nov 10, 2008 Windows Worm Breakout Presented by Jose Varghese
Slide notes
  • Sasser – LSASS service; Blaster – RPC service
  • Snort signatures supported in IBM ISS also
Agenda
<ul>
  <li>What is the vulnerability and associated threat?</li>
  <li>How does the worm work?</li>
  <li>What are the mitigating controls?</li>
  <li>How do we prepare for Incident Management?</li>
  <li>Summary – Immediate action and long-term solutions</li>
</ul>

Vulnerability and Threat

Vulnerability
<ul>
  <li>Buffer overflow vulnerability in the Windows Server service
    <ul>
      <li>Attacker sends malformed RPC requests to the Server service</li>
      <li>Unexpected input leads to an "overflow" condition</li>
      <li>If successful, the attacker can run any code of his choice
        <ul>
          <li>Example: change passwords, steal data or modify parameters</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

Previous buffer overflow vulnerabilities
<ul>
  <li>Slammer worm in 2002, Blaster worm in 2003, Sasser worm in 2004 – all exploited buffer overflow vulnerabilities
    <ul>
      <li>A bit of history</li>
      <li>On Nov 2, 2008, it was 20 years since the first Internet worm, "Morris", spread – targeting a buffer overflow vulnerability on Unix systems</li>
    </ul>
  </li>
</ul>

Does attacker need authentication?
<ul>
  <li>Authentication requirements
    <ul>
      <li>No authentication required on Windows 2000/2003/Windows XP</li>
      <li>Authentication required for Windows 2008/Windows Vista</li>
    </ul>
  </li>
  <li>Windows 2000/2003/XP more vulnerable than Windows 2008/Vista</li>
</ul>

Threat
<ul>
  <li>Infected machines become unusable
    <ul>
      <li>The system tries to spread the worm and also upload data to the attacker</li>
      <li>High CPU/memory utilization and the machine becomes unusable</li>
    </ul>
  </li>
  <li>Data leakage
    <ul>
      <li>Password information and system details are passed to the attacker</li>
    </ul>
  </li>
  <li>Network choking
    <ul>
      <li>Rapid propagation of the worm results in high utilization of the LAN and WAN network</li>
    </ul>
  </li>
</ul>

Worm – How it works and what it steals

Worm functioning
<ul>
  <li>Worm targets machines running a vulnerable version of the Windows Server service</li>
  <li>The worm file name is n1.exe, n2.exe, n*.exe</li>
  <li>When the worm starts
    <ul>
      <li>Installs a DLL file in the system32\wbem directory – sysmgr.dll</li>
      <li>Sets up a new service in Windows
        <ul>
          <li>Displayed in Control Panel as "System Maintenance Service"</li>
        </ul>
      </li>
      <li>Connects to the Internet and downloads more components
        <ul>
          <li>Installs and adds one more service, "Windows NT Baseline"</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

Worm functioning
<ul>
  <li>Worm collects the following data and passes it to the attacker
    <ul>
      <li>Operating system version, Antivirus version</li>
      <li>MSN Messenger / Outlook Express credentials</li>
      <li>Username / Computer Name</li>
      <li>Installed patches, applications</li>
      <li>Recently opened documents</li>
      <li>Network adapter / IP addresses</li>
    </ul>
  </li>
  <li>Uploads it after encrypting to http://www.t35.com</li>
</ul>

Worm functioning
<ul>
  <li>Trojan also updates itself automatically from the sites below
    <ul>
      <li>http://summertime.1gokurimu.com</li>
      <li>http://perlbody.t35.com</li>
      <li>http://doradora.atzend.com</li>
    </ul>
  </li>
  <li>One of the images downloaded is the popular character Homer Simpson</li>
</ul>

Prevention and Detection Technical Controls

Preventive Controls
<ul>
  <li>Best solutions
    <ul>
      <li>Disable the Server service and Browser service on the Windows system</li>
      <li>OR</li>
      <li>Apply the patch MS08-067 and continue to use the services</li>
    </ul>
  </li>
</ul>

Impact of service stoppage
<ul>
  <li>Disable the Server service and Browser service on the Windows system
    <ul>
      <li>You cannot share your folders but can still access remote shares</li>
      <li>You will not be able to view other computers in your "Network Neighbourhood"</li>
      <li>The Netlogon service, which allows domain login, depends on the Server service</li>
    </ul>
  </li>
</ul>

Out-of-Band patch release
<ul>
  <li>Microsoft follows a monthly patch release cycle
    <ul>
      <li>New patches every second Tuesday of the month</li>
      <li>Next one due on Nov 11</li>
    </ul>
  </li>
  <li>The patch for this vulnerability was released out-of-cycle or out-of-band
    <ul>
      <li>In the middle of the month, on Thursday, Oct 23</li>
    </ul>
  </li>
  <li>An out-of-band patch release indicates the criticality associated with this vulnerability</li>
</ul>

Checking Patch rollout

Is the patch deployed?
<ul>
  <li>If you have an automated patch management solution
    <ul>
      <li>Easy to track status</li>
      <li>WSUS, BigFix, LANDesk – deploy the patch and report status in the console</li>
    </ul>
  </li>
  <li>If patch deployment is manual, tracking is difficult
    <ul>
      <li>Use Nessus and scan for this specific plug-in [34476]
        <ul>
          <li>www.nessus.org/plugins/index.php?view=single&id=34476</li>
        </ul>
      </li>
      <li>Use Microsoft MBSA tool 2.1</li>
    </ul>
  </li>
</ul>
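Where no patch management console exists, the hotfix list of each machine can be checked for KB958644, the knowledge base article the deck links for MS08-067. The script below is an added example, not from the deck or from Microsoft: it parses the text output of `wmic qfe get HotFixID` (the inventory command of the era; the sample inventory and hostnames are constructed for illustration) and reports which hosts still lack the patch.

```python
import re
import subprocess
import sys

# MS08-067 is distributed as KB958644 (support.microsoft.com/kb/958644, as cited in the deck).
MS08_067_KB = "KB958644"
KB_RE = re.compile(r"\bKB\d+\b")


def installed_hotfixes(qfe_output: str) -> set:
    """Extract KB identifiers from the text output of `wmic qfe get HotFixID`.

    The first line of that output is the column header 'HotFixID', which the
    regex skips because it does not look like KBnnnnnn.
    """
    return set(KB_RE.findall(qfe_output))


def has_ms08_067(qfe_output: str) -> bool:
    """True when the MS08-067 hotfix appears in the host's hotfix list."""
    return MS08_067_KB in installed_hotfixes(qfe_output)


def unpatched_hosts(inventory: dict) -> list:
    """inventory maps hostname -> raw `wmic qfe` output collected from that host.

    Returns the sorted list of hosts that still need the MS08-067 rollout.
    """
    return sorted(host for host, out in inventory.items() if not has_ms08_067(out))


# Constructed sample inventory: hostnames and hotfix lists are invented for the example.
SAMPLE_INVENTORY = {
    "HQ-WS-001": "HotFixID\nKB951748\nKB958644\n",
    "HQ-WS-002": "HotFixID\nKB951748\nKB956572\n",   # missing the patch
    "BR-SRV-01": "HotFixID\nKB958644\n",
}


def local_qfe_output() -> str:
    """Collect the hotfix list from this machine (Windows only)."""
    result = subprocess.run(
        ["wmic", "qfe", "get", "HotFixID"], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        print("local host has MS08-067:", has_ms08_067(local_qfe_output()))
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("MISSING MS08-067:", host)
```

Collecting the `wmic qfe` text from each host (for example as part of a login script that copies it to a central share) and feeding the results to `unpatched_hosts` gives the same rollout view the deck expects from Nessus plug-in 34476 or MBSA, without a scanner.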
If we cannot patch nor disable service …

Workarounds – Network Port blocking
<ul>
  <li>Disable TCP 139/TCP 445 at the Internet firewall
    <ul>
      <li>Almost all Internet firewalls will already be doing this</li>
    </ul>
  </li>
  <li>Disable TCP 139/TCP 445 at internal firewalls and WAN routers
    <ul>
      <li>This will affect file sharing across branches and locations</li>
      <li>We can keep this in place until the patch rollout is complete</li>
    </ul>
  </li>
</ul>

Workaround – Checkpoint SmartDefense
<ul>
  <li>Checkpoint Firewall has released a SmartDefense update to detect and block these malformed RPC requests
    <ul>
      <li>Only relevant if you have to allow TCP 139/TCP 445</li>
      <li>Will help prevent propagation and also identify internal infected sources
        <ul>
          <li>http://www.checkpoint.com/defense/advisories/public/2008/cpai-23-Oct.html</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>

How do I know if I am infected? Early detection is key to limiting damage

Detection
<ul>
  <li>Anti-Virus tracking</li>
  <li>IDS and IPS monitoring</li>
  <li>Network traffic monitoring</li>
  <li>Internet browsing traffic logs</li>
</ul>

Anti-Virus detection
<ul>
  <li>The proof-of-concept worm is detected by AV vendors.</li>
  <li>Each vendor calls the worm by a different name
    <ul>
      <li>TrendMicro – GIMMIV.A</li>
      <li>Symantec – Trojan.Gimmiv.A</li>
      <li>McAfee – Spy-Agent.da</li>
    </ul>
  </li>
  <li>Expect to see more variants from the attacker and corresponding new names from AV vendors</li>
</ul>

AV has limitations ..
<ul>
  <li>This is a self-propagating worm and not a virus</li>
  <li>AV can only detect and clean</li>
  <li>Even if AV is updated, a cleaned system can get re-infected</li>
  <li>Only the MS08-067 patch can prevent re-infection</li>
</ul>

Anti-Virus Server Statistics
<ul>
  <li>Methodology
    <ul>
      <li>Check daily for the Top 50 viruses present in your network</li>
      <li>Look out for Gimmiv, Infostealer or their variants</li>
      <li>These could be the infected PCs; isolate and clean them before it spreads</li>
    </ul>
  </li>
  <li>Pre-requisites
    <ul>
      <li>All servers/desktops report infection data to a central console</li>
      <li>All servers/desktops have the updated DAT that detects Gimmiv</li>
    </ul>
  </li>
</ul>

IDS and IPS signatures
<ul>
  <li>Methodology
    <ul>
      <li>Have IDS sniffing on internal WAN and server traffic</li>
      <li>Alert on Gimmiv traffic</li>
    </ul>
  </li>
  <li>Pre-requisites
    <ul>
      <li>IDS signatures for the Gimmiv worm are updated in the NIDS
        <ul>
          <li>Snort IDS has already released the signature – www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html</li>
          <li>All leading IDS/IPS vendors have released signatures</li>
        </ul>
      </li>
      <li>IDS is positioned to see internal traffic</li>
    </ul>
  </li>
</ul>

Network Traffic Monitoring
<ul>
  <li>Methodology
    <ul>
      <li>Check for denied traffic on TCP 139/445 from the internal LAN/servers</li>
      <li>Look out for an abnormally high number of denied packets</li>
      <li>These could be the infected PCs; isolate and clean them before it spreads</li>
    </ul>
  </li>
  <li>Pre-requisites
    <ul>
      <li>Denied traffic at the router/firewall is logged</li>
      <li>A mechanism exists for real-time tracking and alerting</li>
    </ul>
  </li>
</ul>
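The "abnormally high number of denied packets" check above can be automated against the router or firewall deny log. The script below is an added example, not part of the deck: it assumes a simple one-line-per-deny text format (timestamp, DENY, protocol, source:port -> destination:port; real vendor formats differ and the regex would be adapted), counts TCP 139/445 denies per internal source and flags sources that either exceed a deny threshold or touch many distinct destinations, which is the sweep pattern a self-propagating worm produces. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log layout (constructed for this example, not a specific vendor's format):
# 2008-11-10T09:00:01 DENY TCP 10.1.5.10:1025 -> 10.1.9.5:445
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DENY\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# The ports the Server service listens on; the deck recommends watching exactly these.
SMB_PORTS = {139, 445}


@dataclass
class SourceStats:
    denies: int = 0                              # denied SMB connection attempts
    targets: set = field(default_factory=set)    # distinct destination addresses


def aggregate(lines, ports=SMB_PORTS):
    """Per-source deny count and distinct-target set for denies to the given ports."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in ports:
            continue                             # malformed line or unrelated port
        s = stats[m["src"]]
        s.denies += 1
        s.targets.add(m["dst"])
    return stats


def suspects(lines, min_denies=20, min_targets=10):
    """Sources worth isolating: many denies, or denies spread across many hosts.

    The distinct-target test catches a slow sweep that never trips the raw
    deny threshold; both thresholds are tuning knobs for the local baseline.
    """
    stats = aggregate(lines)
    return sorted(
        src for src, s in stats.items()
        if s.denies >= min_denies or len(s.targets) >= min_targets
    )


def build_sample_log():
    """Constructed sample: one normal host, one host sweeping a /24 on 445."""
    lines = [
        # A user who twice failed to reach a file server: benign noise.
        "2008-11-10T09:00:01 DENY TCP 10.1.5.10:1025 -> 10.1.9.5:445",
        "2008-11-10T09:00:07 DENY TCP 10.1.5.10:1026 -> 10.1.9.5:445",
    ]
    # A host that tries 30 neighbouring addresses on 445 within a minute.
    for i in range(1, 31):
        lines.append(f"2008-11-10T09:01:{i:02d} DENY TCP 10.1.5.77:{2000 + i} -> 10.1.9.{i}:445")
    # A deny on port 80 is ignored by the SMB filter.
    lines.append("2008-11-10T09:02:00 DENY TCP 10.1.5.10:1030 -> 10.1.9.5:80")
    return lines


if __name__ == "__main__":
    for src in suspects(build_sample_log()):
        print("possible infected host:", src)
```

Running this against a daily export of deny logs (or tailing the syslog feed) gives the alerting mechanism listed under the slide's pre-requisites; the flagged source addresses are the candidates to isolate and clean.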
Internet Browsing Logs
<ul>
  <li>Methodology
    <ul>
      <li>Check URL access logs for any access to these sites
        <ul>
          <li>www.t35.com</li>
          <li>http://summertime.1gokurimu.com</li>
          <li>http://perlbody.t35.com</li>
          <li>http://doradora.atzend.com</li>
          <li>59.106.145.58</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Pre-requisites
    <ul>
      <li>Internet browsing logs are available and can be easily filtered</li>
    </ul>
  </li>
</ul>
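Filtering the proxy logs for the sites listed above is straightforward once the hostname is extracted from each requested URL. The script below is an added example, not part of the deck: it assumes a minimal proxy log layout of timestamp, client address and URL per line (constructed here; a real Squid or ISA export has more fields but the URL column is handled the same way), normalises the host part of the URL and matches it exactly against the indicators from the slide. Exact matching is deliberate: t35.com is a shared hosting domain, so a suffix match on "t35.com" would flag unrelated browsing.

```python
from urllib.parse import urlsplit

# Indicators taken from the slide. Hostnames are matched exactly, not by suffix.
INDICATOR_HOSTS = {
    "www.t35.com",
    "summertime.1gokurimu.com",
    "perlbody.t35.com",
    "doradora.atzend.com",
    "59.106.145.58",
}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, without scheme, port or path."""
    if "://" not in url:
        url = "http://" + url           # bare host:port entries, as some proxies log them
    return (urlsplit(url).hostname or "").lower()


def matches(lines):
    """Map each client address to the sorted list of indicator hosts it contacted."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                    # malformed or blank line
        client, url = parts[1], parts[2]
        host = host_of(url)
        if host in INDICATOR_HOSTS:
            hits.setdefault(client, set()).add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}


# Constructed sample proxy log: client addresses and paths are invented for the example.
SAMPLE_PROXY_LINES = [
    "2008-11-10T10:15:02 10.1.5.77 http://perlbody.t35.com/up.php",
    "2008-11-10T10:15:03 10.1.5.77 http://59.106.145.58/index.html",
    "2008-11-10T10:16:00 10.1.5.10 http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx",
    "2008-11-10T10:16:30 10.1.5.10 http://fan.t35.com/page.html",   # same hosting domain, not an indicator
]

if __name__ == "__main__":
    for client, hosts in matches(SAMPLE_PROXY_LINES).items():
        print(f"{client} contacted indicator sites: {', '.join(hosts)}")
```

A client that appears in the result has talked to one of the worm's upload or update sites and belongs at the top of the isolation list; the `INDICATOR_HOSTS` set is where new variant hosts are added as AV vendors publish them.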
Hope for the best, prepare for the worst. What if the worm still hits us?

If the worm strikes
<ul>
  <li>Identify the affected systems/office/region</li>
  <li>Isolate the network</li>
  <li>Clean up, patch, check and reconnect</li>
</ul>

From past experience ..
<ul>
  <li>When an incident breaks out
    <ul>
      <li>Links might not work; email and Internet might have to be turned off</li>
      <li>Designated people may not be available to help</li>
      <li>Decisions have to be taken with minimum delay</li>
    </ul>
  </li>
</ul>

What can we do now?
<ul>
  <li>Send out the actual patch file [not the link] to all your location administrators
    <ul>
      <li>WAN links and Internet links may not work when the worm strikes</li>
    </ul>
  </li>
  <li>Send out the worm cleanup instructions/toolkits to all your locations</li>
  <li>Send out the AV DAT version that detects the virus [if possible]</li>
  <li>Decide the criteria for cutting off a link, branch or region if the virus strikes</li>
</ul>

How to check global activity of the virus?

SANS Incident Internet Storm Center
<ul>
  <li>http://isc.sans.org</li>
  <li>Today's Rating – Green [meaning Safe]</li>
</ul>

Symantec Threat Management Center
<ul>
  <li>https://tms.symantec.com</li>
  <li>Today's Rating – Elevated [meaning Unsafe]</li>
</ul>

Summary of Action Items

Quick Checklist
<ul>
  <li>Roll out MS08-067 across Windows desktops/servers</li>
  <li>Track patch deployment using Nessus or MBSA
    <ul>
      <li>For unpatched systems, turn off the Server/Computer Browser service</li>
    </ul>
  </li>
  <li>Update AV/IDS signatures</li>
  <li>Track infections and alerts</li>
  <li>Monitor TCP 139/445 traffic logs and Internet URL logs</li>
  <li>Be prepared for an incident – distribute patches and clean-up instructions now</li>
</ul>

Worms will come again – Long term planning

Long term action plan
<ul>
  <li>Desktop patching takes time, tracking is difficult
    <ul>
      <li>Have an automated patch management solution</li>
    </ul>
  </li>
  <li>Anti-Virus centralized tracking is critical
    <ul>
      <li>Make sure the AV console can provide a full view of the organization</li>
    </ul>
  </li>
  <li>Have a vulnerability scanner operational and used regularly
    <ul>
      <li>Nessus or MBSA</li>
    </ul>
  </li>
</ul>

Long term action plan
<ul>
  <li>Disable desktop sharing. Sharing only on designated servers</li>
  <li>Block vulnerable ports at branch routers and WAN aggregation points
    <ul>
      <li>Block known bad, allow the rest</li>
    </ul>
  </li>
  <li>Have traffic log monitoring and alerting on suspicious patterns
    <ul>
      <li>Network device and firewall logs</li>
    </ul>
  </li>
  <li>IDS to monitor internal and WAN traffic
    <ul>
      <li>Not just the Internet side</li>
    </ul>
  </li>
</ul>

Recommended Reading

More details available at ..
<ul>
  <li>Microsoft Knowledge Base
    <ul>
      <li>www.microsoft.com/technet/security/Bulletin/MS08-067.mspx</li>
      <li>support.microsoft.com/kb/958644</li>
    </ul>
  </li>
  <li>Detailed FAQ on patch and worm
    <ul>
      <li>http://blogs.securiteam.com/index.php/archives/1150</li>
    </ul>
  </li>
  <li>How the worm operates
    <ul>
      <li>http://tools.cisco.com/security/center/viewAlert.x?alertId=16947</li>
    </ul>
  </li>
</ul>

Questions? Suggestions?

Thank you for your time