Fighting the malware fight all over again
Kevin Beaver, CISSP
Updated: 02-11-2011 10:46 am

Remember the good old days of floppy disks and macro viruses? Back then, we thought things were complex. How could enterprises possibly gain any semblance of control over these new-fangled security threats that were targeting their users?

As years went by, we finally got our arms around this malware thing – until now. Maybe it’s just me, but malware is all we seem to be hearing about in the IT headlines, and it is only getting worse. Bots, advanced persistent threats and the like seem to be the hot-button issue in IT security right now.

Spam, denial of service attacks and information leakage (to name a few) can all be sourced with ease from widespread malware infections. For example, Symantec’s MessageLabs Intelligence has found that infected computers in some botnets send on average more than 600 spam e-mails per second. This is big business!

Of course, I also realize that the marketing machine is at work here and we cannot believe everything we hear. Trend Micro claims that 3.5 new malware threats are released every second. Does that mean tens, if not hundreds, of thousands of encounters with malware in any given enterprise on any given day? Wow, is the sky falling?

On the other hand, Cisco ScanSafe claims that in 2010, a representative 15,000-seat enterprise would experience about 5.5 encounters with malware on any given day. That’s a relatively low number I suppose, but it is still a very big problem.

Remember that security is about control and visibility. Reality has shown us that many enterprises do not really have the necessary control and visibility into their networks to keep the bad guys at bay. This is especially true when it comes to malware. Suddenly (albeit shortsightedly), security issues like Web-based SQL injection and lost laptops are taking a backseat so enterprises can get their arms around this “new wave” of malware out there.

I can attest to the complexities and problems associated with both sides of the equation. On the proactive side, people are not being, well, proactive enough with information security. The assumption is that we have policies, we have technical controls in place and we are not getting hit with malware (as far as we know), therefore all is well. It’s not that simple, but still it is the way that many enterprises operate.

On the reactive side of the equation – that is, once network administrators determine that something is awry and an infection is present – enterprises tend not to have a reasonable response plan in place. Even when a seemingly appropriate response is carried out, the infection is often not dealt with thoroughly and the malware comes back.

Case in point: I worked on a recent project where a large enterprise originally got hit with some nasty command and control malware. A few thousand computers were infected. They responded by cleaning up the affected systems but they didn’t look deeply and broadly enough throughout their network to see where else the malware was lurking. A few months later, the bot reared its ugly head again. This time they were hit much harder and had more than 10,000 systems become infected. Ouch.

So what do we have to do if we are going to stand a chance against this (re)emerging malware threat? Big government politicians like Joe Lieberman believe that more regulation is the answer. In reality, if you look at the details of the proposed Rockefeller-Snowe Cybersecurity Act of 2009 (Senate Bill 773) and the Lieberman-Collins-Carper Protecting Cyberspace as a National Asset Act of 2010 (Senate Bill 3480) and combine them with the Federal government’s track record, regulation will likely serve to cause more problems than it fixes. In fact, regulation and government interference in the free market is arguably one of the greatest threats to information security today.

Sure, given the right scenarios and people, public-private partnerships could work well. In fact, many are saying that we need more cooperation between the Federal government and the private sector to help fend off cyber-threats. Isn’t that called InfraGard?

Back to my main point, with the large majority of malware now gaining its foothold via the Web, we no doubt have a huge problem on our hands.

It seems we have reached a point where we have gotten this perimeter security thing down pat. Ditto with wireless networks. Patch management and strong password enforcement are even coming of age. All in all, things are good. But as with world politics and religion and all their associated threats, we must not let our guard down – especially with malware. The bad guys definitely have the upper hand right now and I suspect that’s not going to change any time soon. Good for our industry, not so good for business.

Source: http://www.securityinfowatch.com/get-with-it-7

User forum Whirlpool was hit by a distributed denial-of-service (DDoS) attack last night, according to the site’s hosting provider BulletProof Networks.

Although BulletProof Networks chief operating officer (COO) Lorenzo Modesto first said that Whirlpool was the only one of its customers to be affected by the attack, he said later that its public and private managed cloud customers were experiencing intermittent degraded network performance also.

“BulletProof customers have been kept in the loop throughout (per our standard procedures),” Modesto said.

Modesto added that BulletProof had discussed the issue with Whirlpool, resulting in the site being offline last night while the provider gathered more information. The site is back online this morning.

“We made the decision to bring Whirlpool back online in the early hours of this morning through one of our international [content distribution network points of presence] that are usually used to deliver local high-speed content to the offshore users of customers like Movember,” Modesto said.

“We’re continuing the forensics just in case they’re needed and are keeping an eye on Whirlpool,” he added.

The attack had come from servers in the US and Korea, according to BulletProof.

“We’ve also been able to record server addresses and other relevant details and have escalated the source servers to the relevant providers in Korea and the US,” he said. “If we need to, we’ll pass all details onto the [Australian Federal Police] with whom we’ve built a good relationship, but we’ll see how this pans out for the moment.”

This has not been the first DDoS attack to hit the popular site. Last June it experienced ten hours of downtime from a DDoS attack.

BulletProof Networks had also collected internet protocol addresses from that attack, but decided not to prosecute as a “sign of good will”, saying that DDoS was recognised more as a protest than a crime.

However, not all DDoS perpetrators have received the same treatment in the past. Recently Steven Slayo, who was part of the Anonymous group that launched attacks against government sites last year in protest at the government’s planned mandatory ISP-level internet filter, was taken to court over his actions.

He pleaded guilty, but escaped criminal conviction because the magistrate deemed him an “intelligent and gifted student whose future would be damaged by a criminal record”.

Source: http://www.zdnet.com.au/whirlpool-hit-by-ddos-attack-339308730.htm

The Wireshark development team has released versions 1.2.14 and 1.4.3 of its open source, cross-platform network protocol analyser. According to the developers, the security updates address a high-risk vulnerability (CVE-2010-4538) that could allow a remote attacker to initiate a denial of service (DoS) attack or possibly execute arbitrary code on a victim’s system.

Affecting both the 1.2.x and 1.4.x branches of Wireshark, the issue is reportedly caused by a buffer overflow in the ENTTEC dissector (epan/dissectors/packet-enttec.c); the vulnerability is said to be triggered by injecting a specially crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. Because a dissector runs on every frame the capture interface delivers, the attacker only needs to get the packet onto a network segment that a Wireshark user is sniffing. A buffer overflow issue in the MAC-LTE dissector has also been resolved in both versions. In version 1.4.3, a vulnerability in the ASN.1 BER dissector that could have caused Wireshark to exit prematurely has been corrected.
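The class of bug described above is an RLE decoder that trusts run lengths from the packet while writing into a fixed-size buffer. The following C is an added illustration written for this page, not Wireshark’s own dissector code: the escape-byte encoding, the function names and the constructed frames are all assumptions, chosen only to show why a 9-byte packet can expand past a 512-slot DMX buffer, and how the hardened form rejects it instead of overflowing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A DMX512 universe carries at most 512 slot values, so a decoder naturally
 * targets a fixed 512-byte buffer. */
#define DMX_UNIVERSE 512

/* Assumed toy encoding for this example (NOT the real ENTTEC wire format):
 * 0xFE introduces a run as <0xFE, count, value>; any other byte is literal. */
#define RLE_ESCAPE 0xFE

uint8_t scratch[DMX_UNIVERSE];   /* destination buffer used by main() and tests */

/* Vulnerable pattern: run counts come straight from the packet and every
 * write goes to out[o++] with no comparison against the buffer size, so a
 * few bytes on the wire can expand past 512 and overrun `out`. Only call
 * this on input already sized with rle_expanded_length(). */
size_t rle_decode_unchecked(const uint8_t *in, size_t in_len,
                            uint8_t out[DMX_UNIVERSE])
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == RLE_ESCAPE && i + 2 < in_len) {
            size_t run = in[i + 1];
            uint8_t val = in[i + 2];
            for (size_t r = 0; r < run; r++)
                out[o++] = val;            /* no bound on o */
            i += 2;
        } else {
            out[o++] = in[i];              /* no bound on o */
        }
    }
    return o;
}

/* Hardened form: the caller passes the real capacity, each run is checked
 * before it is written, and an oversized packet is rejected, not decoded.
 * Returns bytes written, or -1 if the input would overflow `out`. */
long rle_decode_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == RLE_ESCAPE && i + 2 < in_len) {
            size_t run = in[i + 1];
            uint8_t val = in[i + 2];
            if (run > out_cap - o)
                return -1;                 /* would run off the end */
            memset(out + o, val, run);
            o += run;
            i += 2;
        } else {
            if (o >= out_cap)
                return -1;
            out[o++] = in[i];
        }
    }
    return (long)o;
}

/* Size the decoded output without writing anything: how much a packet expands. */
size_t rle_expanded_length(const uint8_t *in, size_t in_len)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == RLE_ESCAPE && i + 2 < in_len) {
            o += in[i + 1];
            i += 2;
        } else {
            o++;
        }
    }
    return o;
}

/* Constructed inputs: a benign 5-byte frame (decodes to 5 bytes) and a 9-byte
 * frame of three 255-byte runs, which expands to 765 bytes, 253 past the end
 * of a 512-byte universe buffer. */
const uint8_t benign[]  = { 0x10, RLE_ESCAPE, 0x03, 0xAA, 0x20 };
const uint8_t crafted[] = { RLE_ESCAPE, 0xFF, 0x00,
                            RLE_ESCAPE, 0xFF, 0x00,
                            RLE_ESCAPE, 0xFF, 0x00 };

int main(void)
{
    printf("benign expands to %zu bytes, crafted to %zu bytes\n",
           rle_expanded_length(benign, sizeof benign),
           rle_expanded_length(crafted, sizeof crafted));
    /* The unchecked decoder is fine on the benign frame... */
    printf("unchecked(benign) wrote %zu bytes\n",
           rle_decode_unchecked(benign, sizeof benign, scratch));
    /* ...but only the checked decoder is safe to point at `crafted`. */
    printf("checked(crafted) -> %ld\n",
           rle_decode_checked(crafted, sizeof crafted, scratch, sizeof scratch));
    return 0;
}
```

The fix is not a bigger buffer: whatever the destination size, the decoder must compare the run length against the remaining capacity before every write, which is exactly the check the unchecked loop lacks.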

All users are encouraged to upgrade to the latest versions. Alternatively, users who are unable to upgrade can disable the affected dissectors by selecting “Analyze”, then “Enabled Protocols” from the menu and un-checking “ENTTEC” and “MAC-LTE”; this removes the vulnerable parsing code from the capture path at the cost of no longer decoding those protocols.

More details about the updates, including a full list of changes, can be found in the 1.2.14 and 1.4.3 release notes. Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download and documentation is provided. Wireshark, formerly known as Ethereal, is licensed under version 2 of the GNU General Public Licence (GPLv2).

Source: http://www.h-online.com/open/news/item/Wireshark-updates-address-vulnerabilities-1168888.html

Wikileaks isn’t the only site struggling to stay up these days because service providers are pulling their support. It appears that at least one person who wants to provide mirror access to Wikileaks documents is having the same trouble.

Recently we heard from a user who mirrored the Cablegate documents on his website. His hosting provider SiteGround suspended his account, claiming that he “severely” violated the SiteGround Terms of Use and Acceptable Use Policy. SiteGround explained that it had gotten a complaint from an upstream provider, SoftLayer, and had taken action “in order to prevent any further issues caused by the illegal activity.”

SiteGround told the user that he would need to update his antivirus measures and get rid of the folder containing the Wikileaks cables to re-enable his account. When the user asked why it was necessary to remove the Wikileaks folder, SiteGround sent him to SoftLayer. The user asked SoftLayer about the problem, but the company refused to discuss it with him because he isn’t a SoftLayer customer. Finally, SiteGround told the user that SoftLayer wanted the mirror taken down because it was worried about the potential for distributed denial of service (DDOS) attacks. When the user pointed out that no attack had actually happened, and that this rationale could let the company use hypothetical future events to take down any site, SiteGround said that it was suspending the account because a future DDOS attack might violate its terms of use.

If this sounds like a lame excuse, that’s because it is a lame excuse. It’s incredibly disappointing to see more service providers cutting off customers simply because they decide (or fear) that content is too volatile or unpopular to host. And the runaround that this user received from his host and its upstream provider demonstrates the broader problems with the lack of any real transparency or process around such important decisions.

Internet intermediaries — whether directly in contract with their users or further up the chain — need to stick up for their customers, not undermine their freedom to speak online. As we’ve said before, your speech online is only as free as the weakest intermediary.

This incident shows that censorship is a slippery slope. The first victim here was Wikileaks. Now it’s a Wikileaks mirror. Will a news organization that posts cables and provides journalistic analysis be next? Or a blogger who posts links to news articles describing the cables? If intermediaries are willing to use the potential for future DDOS attacks as a reason to cut off users, they can cut off anyone for anything.

EFF urges SiteGround, SoftLayer and other service providers to champion user rights and say no to online censorship.

Source: http://www.eff.org/deeplinks/2010/12/weakest-links-host-buckles-when-upstream-provider

In today’s mammoth Patch Tuesday, Microsoft delivers 16 security bulletins that address 49 vulnerabilities affecting Windows, Internet Explorer, Microsoft Office, and the .NET Framework.

Only one of the addressed flaws is currently being exploited in the wild, but the vulnerabilities described in the first four bulletins are rated “Critical”, so a swift patching process is in order.

To learn more about patching challenges and techniques read our interview with Qualys CTO Wolfgang Kandek who offers his extensive knowledge on the subject.

Cumulative Security Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in the Microsoft Windows Media Player network sharing service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.

Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in .NET Framework Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.

Vulnerabilities in SafeHTML Could Allow Information Disclosure
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft SharePoint and Windows SharePoint Services. The vulnerabilities could allow information disclosure if an attacker submits specially crafted script to a target site using SafeHTML.

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
This security update resolves several publicly disclosed vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege
This security update resolves two privately reported vulnerabilities in the Windows OpenType Font (OTF) format driver. It is rated Important for all supported editions of Windows XP and Windows Server 2003; no supported edition of Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 is affected.
The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted OpenType font. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities; they cannot be exploited remotely or by anonymous users.

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
This security update resolves thirteen privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file or a specially crafted Lotus 1-2-3 file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in the Windows common control library. The vulnerability could allow remote code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Windows Media Player Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. It is rated Important for all supported editions of Windows XP and Windows Server 2003; no supported edition of Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 is affected.
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs specially crafted code that sends an LPC message to the local LRPC server. The message could then allow an authenticated user to access resources that are running in the context of the NetworkService account. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Vulnerability in SChannel Could Allow Denial of Service
This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow denial of service if an affected Internet Information Services (IIS) server hosting a Secure Sockets Layer (SSL)-enabled Web site received a specially crafted packet message. By default, IIS is not configured to host SSL Web sites.

Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user is logged on with administrative user rights and opens an application built with the MFC Library. An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Windows Shared Cluster Disks Could Allow Tampering
This security update resolves a privately reported vulnerability in Windows Server 2008 R2 when used as a shared failover cluster. The vulnerability could allow data tampering on the administrative shares of failover cluster disks. By default, Windows Server 2008 R2 servers are not affected by this vulnerability. This vulnerability only applies to the cluster disks used in a failover cluster.
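Several of the bulletins above tie exploitability to a default that may not hold on a given box: whether the user has administrative rights, whether the Windows Media Player Network Sharing Service is running, whether IIS actually hosts an SSL site, and whether the machine is a failover cluster node. The PowerShell below is an added triage script written for this page, not from Microsoft or the original article. The service names (WMPNetworkSvc, ClusSvc), `Get-HotFix` and `netsh http show sslcert` are standard Windows interfaces; the `$ExpectedKBs` parameter is a placeholder you fill from the bulletin pages, since the article does not list KB numbers.

```powershell
# Exposure triage for the conditions the October bulletins describe.
# Added example; the $ExpectedKBs list is supplied by the reader.
param(
    # KB article numbers of the updates you expect to be installed, e.g. 'KB2345678'.
    [string[]]$ExpectedKBs = @()
)

$findings = @()

# 1. Administrative session? Most of the RCE bulletins note that low-rights
#    users are "less impacted", so establish which side of that line you are on.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += 'Session has administrative rights: browser/Office RCE would run as admin.'
}

# 2. Windows Media Player Network Sharing Service (RTSP attack surface,
#    reachable from the local subnet even with Internet access disabled).
$wmp = Get-Service -Name WMPNetworkSvc -ErrorAction SilentlyContinue
if ($wmp -and $wmp.Status -eq 'Running') {
    $findings += 'WMPNetworkSvc is running: RTSP sharing reachable from the local subnet.'
}

# 3. SSL bindings registered with HTTP.sys; the SChannel DoS applies only to
#    SSL-enabled IIS sites, which is not the default.
$ssl = @(netsh http show sslcert 2>$null | Select-String 'IP:port')
if ($ssl.Count -gt 0) {
    $findings += "HTTP.sys has $($ssl.Count) SSL binding(s): SChannel DoS bulletin applies."
}

# 4. Cluster service present (shared cluster disk tampering bulletin).
$clus = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
if ($clus) {
    $findings += "Cluster service present ($($clus.Status)): review admin shares on cluster disks."
}

# 5. Which of the expected updates are missing from the installed hotfix list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $ExpectedKBs) {
    if ($installed -notcontains $kb) { $findings += "Missing update: $kb" }
}

if ($findings.Count -eq 0) { 'No exposure conditions found.' } else { $findings }
```

Run it as `.\triage.ps1 -ExpectedKBs KB1,KB2,...` on a representative workstation and server; the first three checks say whether the Critical client-side bulletins are the priority, the last two whether the server-only bulletins matter for that host at all.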

Source: http://www.net-security.org/secworld.php?id=9984