Micro defense in depth

I had another laptop get partially compromised by the Big Yellow worm, which attacks Symantec Antivirus. I learned my lesson after the first compromise and locked down the HIPS rules so that only the IPs of our SAV servers were allowed to talk through the HIPS to SAV.

Unfortunately, one of our laptops was on a hotel network in Australia, which happens to use the same subnet we do, and as the planets aligned, the right IP was compromised and popped our laptop. Granted, we should have all our SAV clients updated by now, but unfortunately we simply don’t, and that’s just reality.

Luckily, I didn’t stop with just firewall rules on the HIPS. I also wrote rules that stated that FTP and TFTP clients can’t write to the Symantec program directory. That stopped the payload delivery dead in its tracks, several times. Evidently that hotel network is infested with Big Yellow.

The point of the story is to maintain defense-in-depth at the micro level. Yes, defense in depth means firewalls, IPS, etc. on the network. But it also means analyzing attack patterns and countering them at every point possible using any means possible. It means building defenses at every phase of the worm’s life cycle, whenever possible.

The typical phases of a worm are:

| Worm phase | Defensive options |
| --- | --- |
| 1. Initial compromise of the vulnerable app/service | Sometimes detectable/blockable by IDS/IPS, sometimes blockable by firewall rules |
| 2. Download of worm payload (now usually in the form of a bot), typically using tftp.exe or ftp.exe | Sometimes blockable by AV, sometimes detectable/blockable by IDS/IPS |
| 3 or 4. Scanning for vulnerable hosts | Sometimes detectable/blockable by IDS/IPS, blockable by firewall rules |
| 3 or 4. Phone home to C&C for additional orders | Sometimes detectable/blockable by IDS/IPS*, blockable by firewall rules |

*I had a run-in with an IRCBot a short while ago, delivered by a similar Big Yellow worm, that uses custom commands when joining the IRC server. Instead of issuing the standard “/join” and “/nick” commands, it simply uses “join” and “nick”, which sailed right past my IPS. The reason I caught it was that by default I block ports 6661-7000 outbound at the firewalls. I got curious, so I opened the firewall temporarily while running a packet capture to see what it was.

Some tricks you can use if your HIPS is configurable enough:

  1. Only allow approved FTP clients to use the FTP protocol
  2. Treat all FTP clients as untrusted
  3. Protect security directories from write access
  4. Protect the major registry launch points
  5. Once you identify a payload app by name, block access to that filename. Yes this is reactive but is fairly effective in preventing an outbreak of the same variant.
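The phases in the table and the five HIPS tricks above boil down to a small rule set that can be checked against host and network events. This is an added example, not the post’s or any vendor’s HIPS configuration: ftp.exe/tftp.exe, the Symantec directory and the 6661-7000 outbound block come from the post; the approved FTP client, trusted registry writer, payload filename, registry paths and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Rule data. ftp.exe/tftp.exe, the Symantec directory and the 6661-7000 range
# come from the post; the other names and paths are assumptions for this example.
UNTRUSTED_TRANSFER = {"ftp.exe", "tftp.exe"}                 # trick 2
APPROVED_FTP_CLIENTS = {"winscp.exe"}                        # trick 1 (assumed)
PROTECTED_DIRS = ("c:\\program files\\symantec antivirus\\",)  # trick 3
LAUNCH_POINTS = ("hklm\\software\\microsoft\\windows\\currentversion\\run",
                 "hkcu\\software\\microsoft\\windows\\currentversion\\run")  # trick 4
TRUSTED_REG_WRITERS = {"msiexec.exe"}                        # trick 4 allowlist (assumed)
BLOCKED_PAYLOADS = {"payload-name-placeholder.exe"}          # trick 5 (placeholder)
BLOCKED_OUTBOUND_PORTS = range(6661, 7001)                   # firewall default in the post

@dataclass
class Event:
    process: str            # image name of the acting process
    action: str             # "exec", "net_connect", "file_write" or "reg_write"
    target: str = ""        # file path, registry key or destination host
    port: int = 0           # destination port for net_connect

def evaluate(ev: Event):
    """Return the name of the first rule that blocks the event, else None."""
    proc, tgt = ev.process.lower(), ev.target.lower()
    if ev.action == "exec" and proc in BLOCKED_PAYLOADS:
        return "known-payload-filename"
    if ev.action == "net_connect":
        if ev.port in BLOCKED_OUTBOUND_PORTS:
            return "outbound-irc-port-range"
        if ev.port == 21 and proc not in APPROVED_FTP_CLIENTS:
            return "unapproved-ftp-client"
    if ev.action == "file_write" and proc in UNTRUSTED_TRANSFER:
        if any(tgt.startswith(d) for d in PROTECTED_DIRS):
            return "write-to-security-dir"
    if ev.action == "reg_write" and proc not in TRUSTED_REG_WRITERS:
        if any(tgt.startswith(k) for k in LAUNCH_POINTS):
            return "registry-launch-point"
    return None

def audit(events):
    """Map each blocked event to (process, action, rule) for review."""
    return [(e.process, e.action, r) for e in events if (r := evaluate(e))]

# Constructed sample: the payload-delivery and phone-home phases from the post.
SAMPLE_EVENTS = [
    Event("tftp.exe", "file_write", r"C:\Program Files\Symantec AntiVirus\x.exe"),
    Event("tftp.exe", "file_write", r"C:\Temp\notes.txt"),
    Event("x.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    Event("x.exe", "net_connect", "198.51.100.7", 6667),
    Event("winscp.exe", "net_connect", "198.51.100.8", 21),
]
```

Running `audit(SAMPLE_EVENTS)` flags the tftp.exe write into the Symantec directory, the Run-key write and the port 6667 connection, while the write to C:\Temp and the approved FTP client pass.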

For more information about this topic

What HIPS do you use? What you use won’t affect our movement to HIPS since we’re already in deep with McAfee, but I was just curious. :)

Unfortunately I can’t divulge that information.

Bugger!

LOL

  • mcwresearch.com » Makes ya feel good:

    [...] of any Symantec vulnerabilities that we should be aware of and I told him ‘yeah, we had a dust-up with a worm a few months ago but we’ve since addressed it’ and he went on to tell me [...]