Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-22 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Malware propagation information from microsoft.

Published: 2006-06-22
Last Updated: 2006-06-24 00:32:30 UTC
by donald smith (Version: 1)
0 comment(s)

Microsoft recently released a report on the statistics they are collecting via MSRT.

If you need to know what kinds of malware is being detected and removed by the Malicious software removal tool this is a great report. It only covers windows of course but that makes sense.

There is a nice executive summary but please read beyond that. One security trade publication clearly misread the summary and posted a misquote (62% of computers infected with backdoor). That is not what the report states. The 62% number is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated more then of the machines where an infection was detected and removed also had remote control backdoors on them. No surprise there really. Although there are ways for the hackers to use a system without a backdoor tool installed for the most part the hackers want to be able to remotely upgrade and control systems they have compromised.

The actual report comes from the Rapid Response Team Waggener Edstrom Worldwide.

Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories however since those are well defined up front I had no problem understanding what they meant by email worm, p2p worm, im worm exploit worm, backdoor Trojan, rootkit or virus. They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of realtime protection I would say its not defense at all. Its reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects and the signatures are usually only updated once a month I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree this provides defense in depth. I do however see serious benifit to running MSRT. It certainally has contributed to the effort of getting infected systems cleaned.

Some other fun facts I gleaned from this report:
MSRT only removes live malware or malware that will be autorun during a reboot.
1 computer in 355 had malware that was recognized and removed.
5% of the root kits removed were WinNT/F4IRootkit (aka the sony root kit) with about 420k removals from 250k machines.
35% of the computer infected were infected via the end user clicking or opening something.
20% of the computers cleaned had been infected sometime in the past. 

So if you have a little time and you are interested in malware propagation I recommend reading this report.

Keywords:
0 comment(s)

Top 100 security tools

Published: 2006-06-22
Last Updated: 2006-06-23 14:38:42 UTC
by donald smith (Version: 1)
0 comment(s)
Fyodor, the author of Nmap, has released the results of his 2006 network security tool survey. This list is full of tools that can assist in network auditing, defense and forensics. Although it is near the top of my personal list, nmap didn't make the list because Fyodor excluded it. The list includes a short description, cross links leading to categories, intuitive icons to show what OS it runs on natively and icons for availability of source code, GUI, and CLI.
You can find the list at http://SecTools.Org

From that link
`I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying "I don't know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.'

Keywords:
0 comment(s)

isc.org provides attack mitigation

Published: 2006-06-22
Last Updated: 2006-06-23 14:28:42 UTC
by donald smith (Version: 2)
0 comment(s)

A new version of BIND 9.3.3b1 was recently released. The changes file had one security fix listed. That fix addresses a ddos reflection issue.

ISSUE:
Some services respond to potentially spoofed udp packets. 

MITIGATION for DNS servers.

Upgrade to bind 9.3.3b1 OR

Drop udp packets from standard services ports 7,13,19, 37 and 464 (echo, daytime, chargen, time, and kpasswd) towards your DNS server(s). You will probably never see any valid queries from such a low port. In general dns queries should be sourced from ports > 1024.

MITIGATION for other udp services:

Disable or restrict access to UDP services that don't need to be open to the internet.

Detailed Description:
The basic issue here is very old. It was originally reported in 1999. The CVE number for it is CVE-1999-0103. http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."  

If you consider DNS to be one side of an "other combination" of UDP services this is not new. What is new is that this version of bind will not send FORMERR packets if the original packet came from the set of well known UDP ports listed above. ISC.ORG has added some code to mitigate attacks with well known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.

7 years ago CERT and others warned us not to leave things like echo and chargen open.
However some OSes and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services haven't not been in common usage since the 1990's.

From the CHANGES file from 9.3.3b1 source code directory.
--- 9.3.3b1 released ---
<SNIP>
1951.    [security]           Drop queries from particular well known ports.
<SNIP>

Keywords:
0 comment(s)
Diary Archives