
SANS ISC InfoSec Handlers Diary Blog



Internet Storm Center panel tonight at SANSFIRE

Published: 2010-06-07
Last Updated: 2010-06-07 17:39:29 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

If you happen to be at SANSFIRE, don't miss the Internet Storm Center panel at Francis Scott Key 12 room 7:00 PM EDT. If you are not there and want to follow this event live on twitter, please visit http://twitter.com/sans_isc_fast.

-- Manuel Humberto Santander Peláez  |  http://twitter.com/manuelsantander  |  http://manuel.santander.name | msantand at isc dot sans dot org 


Keywords: ISC panel SANSFIRE

Software Restriction Policy to keep malware away

Published: 2010-06-07
Last Updated: 2010-06-07 16:17:25 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

Windows ships with controls that help keep computers safe. These security settings are configured through Group Policy Objects (GPOs), which apply to every computer in the domain. One specific group of these settings, the Software Restriction Policies, can restrict which kinds of software are allowed to run on a computer. They are a cheap and quick way to limit users' ability to execute programs.

We have received a report of a piece of malware that poses as a Flash postcard downloaded from the Tarjetasnico website (http://tarjetasnico.com). It disables any restrictions configured on the computer through the Software Restriction Policy and then downloads the real malware from a website in Germany.

The initial program runs and sets the following registry value:

Registry Path: HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Key:           DefaultLevel
Value:         262144

The value 262144 corresponds to the SAFER_LEVELID_FULLYTRUSTED level, which means the default execution policy becomes Unrestricted: any program can run regardless of the restrictions that are in place.

Please enforce the permissions on this registry key, and its value of 0, on your company's computers so that users cannot modify it and the restriction policies remain active.
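The following is an added example, not code from the ISC or from this diary's author: it decodes the SAFER level IDs that can appear in DefaultLevel, reports whether a value read from a host matches the recommended 0, and flags registry-write telemetry in which DefaultLevel is raised to anything else, as the postcard malware described above does. The log format is an assumption: a simplified, constructed export of Sysmon Event ID 13 (RegistryEvent: value set) records with Sysmon's field names (Image, TargetObject, Details) and '|'-separated Name=Value pairs; the host names, paths and events are made up for the example. It does not touch the registry itself.

```python
"""Decode Software Restriction Policy DefaultLevel values and flag hosts or
registry-write events where the level has been raised above Disallowed.

Added example for this ISC diary; not ISC code. Input is a constructed,
simplified export of Sysmon Event ID 13 (RegistryEvent: value set) records,
one event per line, '|'-separated Name=Value fields. Field names follow
Sysmon's; host names, image paths and events are made up."""
from __future__ import annotations

import re
from typing import NamedTuple

# SAFER_LEVELID_* constants from winsafer.h. 262144 == 0x40000 is the value
# the diary reports the malware writing.
SAFER_LEVELS = {
    0x00000: "Disallowed",
    0x01000: "Untrusted",
    0x10000: "Constrained",
    0x20000: "Normal User",
    0x40000: "Fully Trusted",
}

# The same SRP subkey exists under HKLM (machine policy) and HKCU (user
# policy), so match on the path suffix rather than a full path.
DEFAULT_LEVEL_SUFFIX = r"\Safer\CodeIdentifiers\DefaultLevel".lower()
EXPECTED_DEFAULT_LEVEL = 0x00000  # Disallowed: the value the diary asks you to enforce

# Sysmon renders REG_DWORD data as "DWORD (0x00040000)".
_DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")


def level_name(value: int) -> str:
    """Human-readable SAFER level for a DefaultLevel DWORD."""
    return SAFER_LEVELS.get(value, f"unknown (0x{value:X})")


def check_default_level(value: int, expected: int = EXPECTED_DEFAULT_LEVEL) -> tuple[bool, str]:
    """Compliance verdict for a DefaultLevel value read from a host."""
    verdict = f"DefaultLevel={value} ({level_name(value)})"
    if value == expected:
        return True, verdict
    return False, f"{verdict}, expected {expected} ({level_name(expected)})"


def parse_dword(details: str) -> int | None:
    """Return the integer behind a Sysmon 'DWORD (0x...)' Details field, or None for other types."""
    m = _DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def parse_event(line: str) -> dict[str, str]:
    """Split 'Name=Value|Name=Value' into a dict; values may contain spaces and backslashes."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


class Finding(NamedTuple):
    host: str
    image: str
    value: int
    level: str


def find_srp_tampering(lines, expected: int = EXPECTED_DEFAULT_LEVEL) -> list[Finding]:
    """One Finding per value-set event that leaves DefaultLevel at anything other than `expected`.

    Writes that set the expected value (for example Group Policy re-applying
    the machine policy) are deliberately not reported."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # only RegistryEvent: value set
            continue
        if not ev.get("TargetObject", "").lower().endswith(DEFAULT_LEVEL_SUFFIX):
            continue
        value = parse_dword(ev.get("Details", ""))
        if value is None or value == expected:
            continue
        findings.append(Finding(ev.get("Host", "?"), ev.get("Image", "?"), value, level_name(value)))
    return findings


# Constructed sample telemetry (not real events; paths and hosts are made up).
SAMPLE_EVENTS = [
    r"Host=WS01|EventID=13|Image=C:\Users\ana\Downloads\postcard.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel|Details=DWORD (0x00040000)",
    r"Host=WS02|EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel|Details=DWORD (0x00000000)",
    r"Host=WS03|EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\bob\updater.exe",
    r"Host=WS04|EventID=12|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers|Details=",
]

if __name__ == "__main__":
    for f in find_srp_tampering(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} set DefaultLevel to {f.value} ({f.level})")
    print(check_default_level(262144)[1])
```

Only the WS01 event is reported: WS02 writes the expected 0 (a policy refresh), WS03 touches an unrelated key, and WS04 is a key-create event rather than a value write. Feeding the same check the DefaultLevel values collected from hosts by whatever inventory tool you already run turns it into a compliance report against the value of 0 recommended above.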

-- Manuel Humberto Santander Peláez  |  http://twitter.com/manuelsantander  |  http://manuel.santander.name | msantand at isc dot sans dot org
