Your AV *still* sucks and you know it…

I posted an article back in April of ‘07 bemoaning the piss-poor performance of current antivirus technology and it looks like the mainstream guys are slowly picking it up as well.

According to this article by PCWorld.com, their tests showed that “the best performer detected only one in four new malware samples.” Catching 25% of new malware is actually a very good percentage given the reactive nature of current AV technology. That might have been great in the 90’s, when the top threat was viruses whose propagation was largely limited to the local host, but viruses are a threat of the past. Worms, trojans and bots are the current soup du jour for the bad guys, and reactive countermeasures are simply inadequate at preventing them. Yes, I said prevent. I want my antivirus software to stop the attack before it becomes an infection. Once it’s an infection, it’s an incident and I have to spend time, and more importantly, money to fix it, and that’s after I’ve already spent time and money on AV software and its maintenance.

As I’ve said before, AV technology needs to get their peanut butter stuck in IPS technology’s chocolate. AV should be more aware of malicious behavior as well as known malicious content. Most AV software already hooks into the kernel. Why not leverage that low-level awareness more effectively? Snarf those memory calls. Sniff that NIC access. New listener? I think not! Shut that process down and quarantine it.

‘But Michael, that’s the job of your HIPS’ you say? That’s exactly my point.

Watch those laptops returning from holiday break

Going through our HIPS logs I see where employees allowed their children to use their laptops over the holiday. Applications such as uTorrent were installed and used to download songs and movies. TeamSpeak was installed for online gaming, etc.

Who knows what malware these machines will bring to the network, so keep them at arm’s length and have a big stick ready to club any malware that comes charging onto your network today.

Spam Trojan pwnage, play-by-play

It’s important to do as much evaluation as possible after an incident. This not only sheds light on how you were pwned, but it also provides invaluable lessons on how not to be pwned by the same bug in the future.

To wit: one of our partner laptops was recently compromised by a spamming trojan, despite having best-in-class HIPS and antivirus (best-in-class AV isn’t saying much when the bar is so low anyway. Oh how I love to hate the current state of AV technology!).

The trojan came from a website on 12/16 while the user was at home and thus not behind one of the enterprise IPS appliances. The user visited a malicious website somewhere and Internet Explorer created the file ‘C:\WINDOWS\system32\~.exe’.

Then the file ‘C:\Temp\AEVEm.exe’ contacted a website in Russia (75.126.154.90), presumably to check in and report its existence. Then it created the directory ‘C:\WINDOWS\system32\AppCert\’ and the following files therein: wsil32.dll and wnl32.dll.

The file ‘C:\Temp\AEVEv.exe’ then wrote to boot.ini and then created the file ‘C:\WINDOWS\system32\rpcc.exe’.

Then Internet Explorer renamed two files to: ‘C:\WINDOWS\system32\confmspt.dll’ and ‘C:\WINDOWS\system32\d3d8o.dll’. We don’t have records of what the original file names were.

After renaming two files, it looks like the machine rebooted. After the reboot, explorer.exe started attempting to send emails to Mother Russia (194.67.23.111). The HIPS firewall blocked the SMTP traffic. There were a few more reboots that day, followed by email attempts and one attempt by Outlook.exe to access ipconfig.exe.

The machine then fell into a rhythm of attempting to send emails using the following processes:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

There is no record of what created the AEVEm.exe and AEVEv.exe files.

Our AV didn’t detect any part of the trojan, and the trojan was able to disable AV by blanking a registry key on start-up. I still haven’t found how it’s doing this, as the HIPS software protects the key. It must be doing it before the HIPS software is initialized.

We ran a couple of different anti-spyware programs on the machine and CounterSpy from Sunbelt was the only one that detected ~.exe as malicious. I’m waiting with bated breath for Sunbelt to release the VIPRE stand-alone AV…

The laptop belongs to a partner and he doesn’t want it rebuilt despite our advice to nuke from orbit, so we have no choice but to try to find all the droppings the trojan left behind. The fact that it’s able to disable our AV without the HIPS even detecting it is worrisome…

Stay tuned. We still have a lot of unanswered questions.

Storm Worm HTML Email

Yet another reason not to trust HTML email. The latest Storm Worm blitz uses HTML emails to bypass attachment filters on email gateways. Instead of the email containing the worm as an attachment, it uses HTML to visit a malicious site that automatically downloads the worm.

Our HIPS blocks email programs from writing executable content, so it’s catching a lot of malicious activity that looks like this in the logs:

The process ‘C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE’ (as user OURDOMAIN\joe.soap) attempted to access ‘C:\Documents and Settings\joe.soap\Local Settings\Temporary Internet Files\OLK63\New Year (4).exe’. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
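As an added example (not the blog’s own tooling), here is a small Python triage script that parses HIPS file-access records in the format quoted above and applies rules drawn from both incidents on this page: a mail client writing an executable, an executable dropped into system32 or its AppCert directory, and a write to boot.ini. The sample records other than the Outlook line, the ‘allowed’ outcome and the mail-client image list are constructed assumptions.

```python
import re

# Constructed HIPS-style log lines in the format the blog quotes. The 'allowed'
# outcome and every line except the Outlook one are made up for this example.
SAMPLE_LOG = """\
The process ‘C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE’ (as user OURDOMAIN\\joe.soap) attempted to access ‘C:\\Documents and Settings\\joe.soap\\Local Settings\\Temporary Internet Files\\OLK63\\New Year (4).exe’. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
The process ‘C:\\Program Files\\Internet Explorer\\iexplore.exe’ (as user OURDOMAIN\\joe.soap) attempted to access ‘C:\\WINDOWS\\system32\\~.exe’. The attempted access was a write (operation = OPEN/CREATE). The operation was allowed.
The process ‘C:\\Temp\\AEVEv.exe’ (as user OURDOMAIN\\joe.soap) attempted to access ‘C:\\boot.ini’. The attempted access was a write (operation = OPEN/CREATE). The operation was allowed.
The process ‘C:\\WINDOWS\\notepad.exe’ (as user OURDOMAIN\\joe.soap) attempted to access ‘C:\\Documents and Settings\\joe.soap\\My Documents\\notes.txt’. The attempted access was a write (operation = OPEN/CREATE). The operation was allowed.
"""

# One HIPS file-access record; curly or straight quotes are both accepted.
LINE_RE = re.compile(
    r"The process [‘'](?P<proc>[^’']+)[’'] \(as user (?P<user>[^)]+)\) "
    r"attempted to access [‘'](?P<target>[^’']+)[’']\. "
    r"The attempted access was a (?P<access>\w+) \(operation = (?P<op>[^)]+)\)\. "
    r"The operation was (?P<result>\w+)\."
)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com|pif)$", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe"}  # assumed list; add other mail client image names


def parse_events(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(event):
    """Apply the rules drawn from the two incidents to one parsed event."""
    target = event["target"].lower()
    image = event["proc"].lower().rsplit("\\", 1)[-1]
    findings = []
    if event["access"].lower() != "write":
        return findings
    if image in MAIL_CLIENTS and EXECUTABLE.search(target):
        findings.append("mail client writing an executable")   # Storm Worm HTML mail
    if target.startswith("c:\\windows\\system32\\") and EXECUTABLE.search(target):
        findings.append("executable dropped into system32")    # ~.exe, rpcc.exe
    if "\\system32\\appcert\\" in target:
        findings.append("write under system32\\AppCert")        # wsil32.dll, wnl32.dll
    if target.endswith("\\boot.ini"):
        findings.append("boot.ini modified")                    # AEVEv.exe
    return findings


def triage_log(text):
    """Events that tripped a rule, tagged with whether the HIPS stopped them."""
    hits = []
    for ev in parse_events(text):
        found = triage(ev)
        if found:
            hits.append({"proc": ev["proc"], "target": ev["target"],
                         "blocked": ev["result"].lower() == "denied", "findings": found})
    return hits
```

Records the HIPS merely logged as allowed (the system32 drop, the boot.ini write) are the ones worth chasing first, since a denied write never landed on disk.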

Top US Military Labs pwned by spear phishing

The attack was described as being conducted through several waves of phishing emails with malicious attachments, starting on Oct. 29. Although not stated, these would presumably have launched Trojans if opened, designed to bypass security systems from within, which raises the likelihood that the attacks were targeted specifically at the lab.

CSOonline.com

I would have to imagine that nothing classified *should* have been at risk, because classified systems cannot be physically connected to the Intarwebs. I’m not sure if the visitors’ log is classified or not. If it is and if it was accessible from the Internet, I’d say some heads will roll.

Keep your FUD detectors set to ‘high’ when you read the article. Be on the lookout for such dramatics as this (emphasis mine):

Less is known about the attacks said to have been launched against the ORNL’s sister-institution at Los Alamos, but the two are said to be linked. It has not been confirmed that the latter facility was penetrated successfully, though given that a Los Alamos spokesman said that staff had been notified of an attack on Nov. 9 - days after the earliest attack wave on the ORNL - the assumption has to be that something untoward happened there as well, and probably at other science labs across the U.S.

We might as well assume SIPRNet is pwned if we’re going to start assuming…

However, the point I’d like to make here is that even the most secure networks still have the human node to secure, which is the most difficult. We can preach and teach until we’re blue in the face but we’ll always have that most fallible of systems; the human.