<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>marklon : Security</title><link>http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Measure and counter measure – malware and anti-malware</title><link>http://blogs.msdn.com/marklon/archive/2008/04/21/measure-and-counter-measure-malware-and-anti-malware.aspx</link><pubDate>Mon, 21 Apr 2008 23:04:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8415317</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8415317.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8415317</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8415317</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;There is a small, high-tech and rather geeky war going on and the battlefield is your PC. Like any war, each side is trying to learn from the other. This war is for the ownership of resources – and ultimately for money. Maybe most wars are. Let us look at some of the details.&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Much as it irritates users, sometimes the kindest thing that an administrator can do is to limit the abilities of an unskilled user to harm themselves. There is also the corporate network to consider – the safety of organization sometimes requires that individuals are limited. IE has features to limit what the user can do which an administrator can set. They are detailed here:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INDENT: 36pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;A class="" href="http://technet.microsoft.com/en-us/library/bb457144.aspx" mce_href="http://technet.microsoft.com/en-us/library/bb457144.aspx"&gt;&lt;SPAN style="COLOR: windowtext"&gt;&lt;FONT size=3&gt;http://technet.microsoft.com/en-us/library/bb457144.aspx&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INDENT: 36pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;These can be turned against the user by malware and that does sometimes happen. Let us consider a few of them and how malware has used them to protect itself rather than the user:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;FONT size=3&gt;&lt;B&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;Download signed ActiveX controls&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt; – disable that and pretty much every online virus scanner will stop working.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Various settings allow the administrator to block the downloading of various file types including .exe files – which would prevent the user from downloading a lot of the “quick fix” type of malware removers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Sites can be added to the restricted zone – and if security sites are added to this zone, the user is effectively blocked from them. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Group policies can also be set even if the machine is not in a domain.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;We have seen malware doing these things lately. Of course, if the user is an admin (and home users generally are) then the changes can be reversed if the user knows how - but many home users do not.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;For quite a while, one tool in the arsenal of the techie removing malware is to alter the rights on an executable using cacls to prevent it running. The same trick has been used maliciously to block access to cmd.exe – The black hats have access to all the same tricks as we do.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The white hat community has stolen a trick or two in their turn. Anti-virus solutions increasingly hijack the kiservicetable or overwrite function prologues to try to prevent malware doing the same or to detect malware by getting underneath it. One of the truisms of malware detection is that you can only trust the layer above you because you have complete visibility of it. Conversely, it is hard to see what has happened below you because it may be changing your behavior without you knowing – a malicious kernel fooling a benign application. The phrase that we most commonly use is “He who hooks lowest wins”. Anti-virus and virus are both heading down the stack from userland to kernel and eventually to hypervisor level. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Malware tries to hide from antivirus programs and kills AV products when it can. Some AV software is now using stealth technology to hide from malware and try to avoid being killed or more commonly, crippled to leave the appearance of function without actually blocking the malware. It can be a challenge to work out whether subversion of the kernel is benign or malicious without a good rummage around in the debugger. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;So, we have measure and counter measure, each sharing the same tools. The legitimate software community has more resources but the malware industry has everything to play for. The balance shifts all the time and it may well be that user education and not technology has the most to contribute. Social engineering remains the number one way to compromise a system… and maybe limiting the user is the lesser of the two evils. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Of course, we have done this in a very small but important way. Later versions of the browser on later operating systems run content with fewer rights. Most users never notice.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;We live in interesting times, my friends&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Signing off&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0.75pt 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8415317" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Malware that wants to stay - Some passive protection tricks</title><link>http://blogs.msdn.com/marklon/archive/2008/03/20/malware-that-wants-to-stay-some-passive-protection-tricks.aspx</link><pubDate>Thu, 20 Mar 2008 22:31:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8327743</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/8327743.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=8327743</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=8327743</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hello again&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I wanted to talk about some of the things that malware does to make itself hard to remove. Most Trojans are designed to work on an average XP workstation and make assumptions based on that – which typically breaks servers in rather nasty ways.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I was recently looking at a Russian written malware implemented in VB6 – a curious choice and the developer had an odd style to his coding. It didn’t use a kernel mode rootkit which is the more common approach but relied on registry settings to do the dirty work. You might want to check these if you find yourself cleaning up a box:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings"&gt;&lt;?xml:namespace prefix = v ns = "urn:schemas-microsoft-com:vml" /&gt;&lt;v:shapetype id=_x0000_t75 stroked="f" filled="f" path="m@4@5l@4@11@9@11@9@5xe" o:preferrelative="t" o:spt="75" coordsize="21600,21600"&gt;&lt;v:stroke joinstyle="miter"&gt;&lt;/v:stroke&gt;&lt;v:formulas&gt;&lt;v:f eqn="if lineDrawn pixelLineWidth 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 1 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum 0 0 @1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @2 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 0 1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @6 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @8 21600 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @10 21600 0"&gt;&lt;/v:f&gt;&lt;/v:formulas&gt;&lt;v:path o:connecttype="rect" gradientshapeok="t" o:extrusionok="f"&gt;&lt;/v:path&gt;&lt;o:lock aspectratio="t" v:ext="edit"&gt;&lt;/o:lock&gt;&lt;/v:shapetype&gt;&lt;v:shape id=_x0000_i1025 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;DisableSR = 0x00000001 &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;If it is a 1, you can’t do a system restore. Simple enough to fix if you can edit the registry.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 36pt; TEXT-INDENT: 36pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings"&gt;&lt;v:shape id=_x0000_i1026 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;DisableTaskMgr = 0x00000001 &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings"&gt;&lt;v:shape id=_x0000_i1027 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;DisableRegistryTools = 0x00000002 &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Except that you can’t because he disabled the registry tools and task manager. Well, task manager is no great loss. Process explorer from &lt;/FONT&gt;&lt;A href="http://technet.microsoft.com/en-us/sysinternals/default.aspx"&gt;&lt;FONT face="Times New Roman" color=#800080 size=3&gt;http://technet.microsoft.com/en-us/sysinternals/default.aspx&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face="Times New Roman" size=3&gt; will do the job at least as well. Disabling the registry tools is more of a problem unless you are on a network and able to remotely edit.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC] &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings"&gt;&lt;v:shape id=_x0000_i1028 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;RestrictToPermittedSnapins = 0x00000001 &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 108pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;This was used to make MMC effectively useless. By default, no snap-ins (things like perfmon or event viewer or SQL management or whatever) are in the permitted list.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Disabling CMD.EXE is a pain when trying to remove malware so he setting the following registry key&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"&gt;&lt;v:shape id=_x0000_i1029 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&lt;FONT face="Times New Roman"&gt;&amp;nbsp;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman"&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 3.15pt 0cm 0pt 72pt; TEXT-INDENT: -18pt"&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System] &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings"&gt;&lt;v:shape id=_x0000_i1030 style="WIDTH: 9pt; HEIGHT: 9pt" alt="*" type="#_x0000_t75"&gt;&lt;FONT face="Times New Roman" size=3&gt;&lt;/FONT&gt;&lt;/v:shape&gt;&lt;/SPAN&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US style="FONT-SIZE: 7pt"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT size=3&gt;DisableCMD = 0x00000001 &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;That is especially problematical for some tools that rely on batch files and some security tools do since old school can sometimes be the only way of doing something.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;In this case, a few minutes work with WinPE was enough to rain on his parade but a bit of remote registry manipulation would have done the job just as well.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Hope that this helps someone&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8327743" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Security Updates - Are they the answer?</title><link>http://blogs.msdn.com/marklon/archive/2008/02/12/security-updates-are-they-the-answer.aspx</link><pubDate>Tue, 12 Feb 2008 16:23:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7642413</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/7642413.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=7642413</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=7642413</wfw:comment><description>&lt;P&gt;Ah, another “update Tuesday” – known to the rest of the world as “patch Tuesday” but we are not supposed to call it that.&lt;/P&gt;
&lt;P&gt;We have a fine crop of updates for you but I am not going to talk about those, partially because we won’t be releasing them for several hours and partially because that is the province of my much respected colleagues in the MSRC – you can always get the straight dope here: &lt;A href="http://blogs.technet.com/msrc/" mce_href="http://blogs.technet.com/msrc/"&gt;http://blogs.technet.com/msrc/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This month so far has been a fairly quiet time for me. We are seeing fewer new infections recently though the ratios of where this stuff comes from are pretty consistent. You might find the threat map at &lt;A href="http://www.threatexpert.com/" mce_href="http://www.threatexpert.com/"&gt;www.threatexpert.com&lt;/A&gt; to be an interesting read. &lt;/P&gt;
&lt;P&gt;The Storm botnet is recruiting again, this time with Valentine cards instead of Christmas cards or promises of applications to help you track football scores. A lot of people are now aware of the techniques used by this bot and infection rates seem to be dropping a little, though it is a little hard to tell. Storm uses a peer-to-peer protocol for its command and control mechanism, and so there is no one place to monitor the network. The packets look very much like eDonkey file share activity unless you know to look for the 40-byte encrypted packet at the start.&lt;/P&gt;
&lt;P&gt;On the subject of Storm, this is a malware that, in its most recent versions, has been very much based on social engineering. It is apparently remarkably easy to persuade people to install malware on their computers. No really, I am not making this up. Independent research shows that around 75% of malware on systems got there because a user installed it while under the impression that it was a good idea. Some of it is installed because a popup tells them that they need a video codec so they download an EXE file. Some of them respond to a popup saying that there is evidence of malware or visiting adult sites on their computer. They download the program to “fix” this problem and then the problems start. Now, you, gentle reader, I know that you would never fall for such blatant social engineering but consider your cousin, the person at the supermarket checkout, yourself when you were a kid still learning what you know now… well, they will. Not every unskilled user will fall for these tricks but enough will that it is a fertile recruiting ground. 75% of malware gets on systems this way. Who needs security vulnerabilities to spread malware?&lt;/P&gt;
&lt;P&gt;Is it heresy to say that on a patch Tuesday? Of course, vulnerabilities matter. Wormable vulnerabilities matter a lot. A corporate network can be taken down in less than an hour by an aggressive worm if there are no mitigations in place. Targeted attacks pretty much always use some vulnerability in software. Vulnerabilities matter a lot. Updates are critical. What they are not is all of the story. Many people seem to think that they are.&lt;/P&gt;
&lt;P&gt;One of the most common questions that I get asked when people learn what I do for a living is “Why don’t Microsoft make Windows more secure?” The answer is “We did. Look at Vista and Server 2008. We are. Look at the bulletin release schedule. Look at the malicious software removal tool.” I don’t generally say the next bit. We work very hard to improve security but we don’t have much control over the things that get exploited most often: People.&lt;/P&gt;
&lt;P&gt;Ah, but wait a minute, I hear you say. If vulnerabilities are not the be-all and end-all, why are there so few malwares on (insert name of alternate OS here)? The answer to this is simple and I am far from the first to say it. Why do criminals rob banks? Well, that is where the money is. Malware used to be written for bragging rights. Now it is written for money. Either way, the malware writer wants as many systems as possible affected. 19 out of 20 desktop systems run some flavor of Windows. If I want to affect as many systems as possible, which do I attack? It is a no-brainer. You develop exploits for the biggest payoff.&lt;/P&gt;
&lt;P&gt;Does this depend on which system has the most vulnerabilities? No, not at all. If Linux had 5 times as many vulnerabilities as Windows (which I don’t think for a moment that it has) and you had a 100% success rate at compromising Linux desktops, then you would have… 5% of the market. If you had a 10% success rate at compromising Windows systems, then you have 9.5% of the market. It doesn’t make sense to go for Linux as a platform for malware.&lt;/P&gt;
&lt;P&gt;All that said, vulnerabilities in the OS are less of a factor all the time. A lot of exploits target applications these days. The antivirus product, or the reader for one of the common formats like Flash or PDF or Java, or whatever it is this month, is at least as good a target. The people are at least as good a target. In fact, looking at the numbers, the people are 3 times better targets. We can’t make better people – and we don’t want to limit what people can do, because people resent that. Look at the reputation that user access control in Vista has.&lt;/P&gt;
&lt;P&gt;It is a tricky problem. We can make better operating systems. We cannot make better people. &lt;/P&gt;
&lt;P&gt;(Edited - The original said that we could make better people - so not what I meant)&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7642413" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/updates/default.aspx">updates</category></item><item><title>Antimalware tools and tricks</title><link>http://blogs.msdn.com/marklon/archive/2008/01/21/antimalware-tools-and-tricks.aspx</link><pubDate>Mon, 21 Jan 2008 19:50:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:7185825</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/7185825.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=7185825</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=7185825</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Ah, I am back in the office and settling in to my normal day to day work.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I am fairly often asked to remove malware from systems which the anti-malware programs on that particular PC system can’t handle. In fairness, it is often not the AV product’s fault. Most (more than 75%) of malware is actually installed by the users of the system after some social engineering. I know that none of you out there in blog land would do that sort of thing but it does happen. We have all downloaded drivers from the web, codecs from the web and utilities. It is easy enough to get it wrong and some of the Blackhats can make some very convincing webpages and emails that would fool your brother/mother/dentist. Anyway, that is how a lot of this nasty stuff gets on systems and one of the first things that it normally does is try to break the AV solution. Sometimes it succeeds.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;FONT size=3&gt;&lt;FONT face="Times New Roman"&gt;&lt;SPAN lang=EN-US&gt;I have yet to find an instance in which this has happened where the machine could not be cleaned up with the SysInternals tools and a little ingenuity. I know that I have mentioned this before but I hadn’t linked to the excellent video presentation by Mark Russinovich: &lt;/SPAN&gt;&lt;SPAN style="mso-ansi-language: EN-GB"&gt;&lt;A href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359"&gt;&lt;FONT color=#800080&gt;http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359&lt;/FONT&gt;&lt;/A&gt;&lt;SPAN lang=EN-US&gt; &lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;I would also like to mention a really good tool called Rootkit Unhooker. This was written by a Russian team who have since joined Microsoft. It is excellent for finding hooks in the KiServiceTable (the kernel’s system service dispatch table), hidden files and processes and similar rootkit techniques. If you work with malware on a regular basis and haven’t tried this tool then you might want to search it out. I have had considerable success with this tool where some others have not been as useful. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Anyway, hopefully I will be back to some more code-related posts soon but I thought that this tools update could prove useful.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Signing off&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;o:p&gt;&lt;FONT face="Times New Roman" size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US&gt;&lt;FONT face="Times New Roman" size=3&gt;Mark&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=7185825" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category><category domain="http://blogs.msdn.com/marklon/archive/tags/tools/default.aspx">tools</category></item><item><title>Doing it yourself.</title><link>http://blogs.msdn.com/marklon/archive/2007/10/26/doing-it-yourself.aspx</link><pubDate>Fri, 26 Oct 2007 22:22:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5695106</guid><dc:creator>marklon</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5695106.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5695106</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5695106</wfw:comment><description>&lt;P&gt;Hello again&lt;/P&gt;
&lt;P&gt;Two blogs in less than 48 hours? Whatever could be happening? No, this is not a reference to the issue documented in http://www.microsoft.com/technet/security/advisory/943521.mspx which is interesting but certainly not widely exploited in Europe. No, today I would like to relate what I did on Wednesday night.&lt;/P&gt;
&lt;P&gt;I was helping a friend redecorate – our American cousins would call it home improvements but we would call it "Do It Yourself". Now, I am a firm believer in having the right tools so I stopped off on the way to get sandpaper, sugar soap, flexible sanding blocks, disposable gloves, the whole nine yards. I was sure that I was well equipped for the job at hand. This turned out not to be the case.&lt;/P&gt;
&lt;P&gt;While I was sanding down the paintwork, I had an odd request from one of the two daughters. Could I remove IE from the home PC as it was popping up a lot of windows and they preferred Firefox in any case. Uh, pop-up ads? I went to have a look. Adware was opening a new "message from our sponsors" every 20 seconds or so. Not so good. The PC was also responding very slowly indeed and a quick check showed that an invisible instance of IE was using 1.5GB of memory – rather more than the system had.&lt;/P&gt;
&lt;P&gt;I have removed malware from quite a few systems but I normally go armed with some very specific tools and all that I had here was a sanding block and rather slow access to the internet. So, I had to improvise and here are some of the things that I did – I relate them here in case you ever have the need to do the same.&lt;/P&gt;
&lt;P&gt;The first thing that I did was check if there was an antivirus solution installed and whether it was current. The engine of the AV was older code but still valid (Sorry, Mr Lucas) and the signatures were current. It had blocked a Trojan the day before and didn’t seem disabled. The event logs showed that it had been removing threats on a fairly regular basis for a couple of years. The system was XP SP2 in an indifferent update state and had 4 users (father, mother, 2 daughters), all admins. A scan from the AV product (intentionally nameless, not OneCare) reported that all was well when manifestly it was nothing of the sort. &lt;/P&gt;
&lt;P&gt;Terminating IE resulted in an immediate relaunch, apparently explicitly as it was not the default browser on that system. Hmm. Not a BHO then. A malicious Browser Helper Object can certainly do some interesting things to a loaded instance of IE but not launch a copy when there is no loaded copy of IE to host it. Clearly we were looking at another process. I started killing off processes trying to get down to a manageable list so that I could find the rogue and lo… I got to a state where there were a reasonable number of processes and they were all identifiable as harmless. So, either a legitimate process had been hijacked in some way (unlikely) or there was a hidden process – which strongly suggested a rootkit.&lt;/P&gt;
&lt;P&gt;I downloaded RootkitRevealer from Sysinternals (now a part of MS) and ran that. Sadly, it came back saying that all was well. The MS Malicious Software Removal Tool said that there was no malware on the box. All the while, some hidden process was kicking off instances of IE as if there were no tomorrow.&lt;/P&gt;
&lt;P&gt;Since the automated approaches had failed, I decided to use a more manual approach and pulled down the whole SysInternals suite. I was mainly after Process Explorer and Autoruns but show me tools and I am like a big kid. I want them all!&lt;/P&gt;
&lt;P&gt;So, I started with Autoruns. If you are not familiar with the tool, it looks for every way of starting a process when Windows starts, lists those applications and enables you to disable them – it also lists some inprocess components too which was useful. There were a couple of known Trojan droppers in the startup so I took them out. There were a lot of legitimate helper processes which seem very common on home machines. iTunes needs &lt;I&gt;these&lt;/I&gt; and some other media player needs &lt;I&gt;those&lt;/I&gt; and pretty soon it all looks very cluttered. Anyway, I disabled some of the more obviously malicious and rebooted. The system came back in very much the same state – with IE instances spawned over and over and many of the removed startup entries back. Interesting.&lt;/P&gt;
&lt;P&gt;I started in with Process Explorer and there were multiple instances of Internet Explorer. I terminated one and back it came – damn. Oh, hang on, the launching application flashed up for a moment. I checked and there was no sign of the launching process in the list; it disappeared moments after the new instance of IE popped up. Interesting again. I tried a few more times and managed to get the path of the executable – which was off the "My documents" pseudo-folder in a directory with a random name that didn’t show up in explorer when browsing but would open if I gave explorer the full path. Time to dig deeper.&lt;/P&gt;
&lt;P&gt;The executable was packed and there were no strings to mention when I opened it with notepad though process explorer was able to make more of the strings in memory of the process – quite handy when looking at malware. Yes, this used all the APIs that I would expect for what it was doing. Ok, now I had a file to look at and that was a good step forward. Now, because it was already pretty late in the day by then and I was representing a member of the public, I felt no shame at all in using &lt;A href="http://www.virustotal.com/"&gt;&lt;U&gt;&lt;FONT color=#0000ff&gt;www.virustotal.com&lt;/FONT&gt;&lt;/U&gt;&lt;/A&gt; which can be a very handy site indeed. You can upload a file and they will pass it against a bunch of anti-malware applications and give you the results. I sent the file to the site and that started to give me results in less than 30 seconds… you have to like that. 50% of the scanners came back with nothing detected and the remainder all came back with generic results basically saying that they thought that the file was bad but didn’t have a specific classification. This normally means that it is waiting in a queue for some human to look at. That is pretty common with new malware or new variants of old malware but unfortunately that meant that I had no specifics of how to remove the cursed thing.&lt;/P&gt;
&lt;P&gt;Ok, back to basics. Delete the file. Nope. File is in use, can’t delete or rename. Right. The process is hidden by a rootkit but the cover is not perfect and although it doesn’t appear in the process list, I can get the process ID when it hands it to a new instance of IE as parent. Using that, I killed the process and went to delete the file. Again, it was locked. A bit more poking around with process explorer showed that another hidden process was respawning the first one. &lt;/P&gt;
&lt;P&gt;I shifted my attention to this newly discovered process and found that I couldn’t delete it because the first process looked after it in the same way – a sort of mutual protection process. I might have been able to write an app to terminate both processes and delete the files but I didn’t have any development tools here – it was just a home PC. Anyway, it would have been a race condition with no synchronization.&lt;/P&gt;
&lt;P&gt;Deleting the registry keys that started it on boot was pointless because they came right back – it turned out that it had a thread waiting on the key to restore it. &lt;/P&gt;
&lt;P&gt;All in all, quite a clever defense. However, it always launched the user mode processes under the context of the logged on user so that the spawned IE instance would appear on the desktop which made sense. Because all the users were admins (like most home users) this is a good solution for malware. I managed to break it in a reversible way by dropping down to a command shell and using cacls to deny access to the launching user to IE. That caused the first user mode malware process to AV (access violation) because it didn’t have any error checking and assumed that the API would succeed. The second process turned out to be very much the same and when I changed the rights on the first malware exe, it crashed. I could now pretty much break the user mode components at will. &lt;/P&gt;
&lt;P&gt;The kernel mode process was a little tougher but the same basic approach worked and it failed to load on startup.&lt;/P&gt;
&lt;P&gt;I would still strongly recommend rebuilding the system but I was unable to find any problems after the service was disabled. It is amazing what you can do with publicly available free tools. &lt;/P&gt;
&lt;P&gt;The malware will be submitted to the companies that failed to recognize it – including Microsoft. It is just a shame that I didn’t get more sanding done but Do-It-Yourself malware removal is useful too. I have to thank Christie and Sherry for letting me get this new malware submitted.&lt;/P&gt;
&lt;P&gt;Until next time!&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;
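The Autoruns step above is where a bit of scripting earns its keep: on a cluttered home machine the malicious entries hide among dozens of legitimate helpers, and the tells the post describes (an unsigned image launched from a random-named folder under My Documents, no description) are mechanical enough to score. The script below is an added example, not code from the original post or from Sysinternals. It assumes a CSV in the column layout given in HEADER, a simplified subset of what autorunsc -c writes (real column names vary by version, so map them first); the rows in SAMPLE_CSV are constructed for illustration.

```python
"""Triage Autoruns CSV output for auto-start entries that deserve a closer look.

Added example; not code from the original post. Assumes the column layout in
HEADER (a simplified subset of what Sysinternals autorunsc -c emits; real column
names vary by version, so map them before use). SAMPLE_CSV is constructed to
mirror the post: legitimate helper processes plus an unsigned launcher in a
random-named folder under My Documents and an unsigned driver.
"""
import csv
import io
import re

HEADER = "Entry Location,Entry,Enabled,Description,Publisher,Image Path"

SAMPLE_CSV = HEADER + "\n" + "\n".join([
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,iTunesHelper,enabled,iTunesHelper,(Verified) Apple Inc.,C:\Program Files\iTunes\iTunesHelper.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,QuickTime Task,enabled,QuickTime Task,(Verified) Apple Inc.,C:\Program Files\QuickTime\qttask.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AVAgent,enabled,Antivirus agent,(Verified) Example AV Ltd,C:\Program Files\Example AV\agent.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svhost,enabled,,(Not verified),C:\Documents and Settings\home\My Documents\xq7kz9dp\svhost.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services,kbdhook,enabled,,(Not verified),C:\WINDOWS\system32\drivers\kbdhook.sys",
])

# Writable per-user locations an installer would not normally use for an
# auto-started program. Covers the XP layout (Documents and Settings) and the
# Vista layout (Users).
USER_WRITABLE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\"
    r"(my documents|documents|application data|appdata|local settings|temp)\\",
    re.IGNORECASE,
)
# A letter right next to a digit ("xq7kz9dp"): common in generated names,
# rare in product names.
MIXED = re.compile(r"[a-z][0-9]|[0-9][a-z]")


def looks_random(name):
    """Cheap heuristic for a generated directory or file name."""
    name = name.lower()
    if len(name) < 6:
        return False
    letters = [c for c in name if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    if letters and vowels / len(letters) < 0.15:
        return True
    return bool(MIXED.search(name))


def score_entry(row):
    """Return a list of (weight, reason) pairs for one Autoruns row."""
    reasons = []
    path = row["Image Path"]
    if USER_WRITABLE.search(path):
        reasons.append((2, "launched from a user-writable profile folder"))
    if not row["Publisher"].strip().lower().startswith("(verified)"):
        reasons.append((2, "image is not signature-verified"))
    parts = [p for p in path.split("\\") if p]
    stem = parts[-1].rsplit(".", 1)[0] if parts else ""
    parent = parts[-2] if len(parts) >= 2 else ""
    if looks_random(parent) or looks_random(stem):
        reasons.append((1, "random-looking path component"))
    if not row["Description"].strip():
        reasons.append((1, "no description"))
    return reasons


def triage(csv_text, threshold=3):
    """Return entries scoring at or above threshold, highest score first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_entry(row)
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            flagged.append({"entry": row["Entry"], "path": row["Image Path"],
                            "score": score, "reasons": [r for _, r in reasons]})
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(f"[{hit['score']}] {hit['entry']}: {hit['path']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Feed it the real output with `autorunsc -c > autoruns.csv` and `triage(open("autoruns.csv").read())`, after checking the column names match. The threshold deliberately lets an unsigned entry with no description through on its own; that is exactly the class of driver the post's kernel-mode component fell into, and it is cheap to review a handful of false positives by hand.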
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5695106" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item><item><title>You can't get the staff – Social engineering</title><link>http://blogs.msdn.com/marklon/archive/2007/10/24/you-can-t-get-the-staff-social-engineering.aspx</link><pubDate>Wed, 24 Oct 2007 19:17:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5653744</guid><dc:creator>marklon</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5653744.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5653744</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5653744</wfw:comment><description>&lt;P&gt;Sometimes I like to talk about software engineering but today I would like to ramble on about a different subject: Social engineering. &lt;/P&gt;
&lt;P&gt;Social engineering is a common technique for getting malware on systems and of course, for Phishing. The “419 scam” (named after the section of the Nigerian penal code which addresses fraud schemes) is the best known but it is widely practiced in all parts of the world and not just internet Cafés in Lagos. I would like to look at one that I had only this morning:&lt;/P&gt;
&lt;P&gt;“CONTACT OUR FIDUCIARY AGENT !!!&lt;/P&gt;
&lt;P&gt;UK NATIONAL LOTTERY&lt;BR&gt;Support Center&lt;BR&gt;Bevan House&lt;BR&gt;51 Bevan Avenue&lt;BR&gt;Conwy LL28 5AF&lt;BR&gt;United Kingdom.&lt;BR&gt;&amp;nbsp;&lt;BR&gt;DEAR WINNER,&lt;BR&gt;We are pleased to inform you of the announcement today,22th October 2007, of winners of the UK NATIONAL LOTTERY, Held on 24th October 2007 in Croydon,London.Your email address was attached to ticket number 023-0148-790-459, with serial number 5063-11 drew the lucky numbers 43-11-44-37-10-43, and consequently Won you the lottery in the 3rd category.You have therefore been approved for a lump sum pay Of £500,000.00 Great British Pounds(GBP) in cash credited to file REF NO. UKNL/26510460037/07. This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.&lt;BR&gt;To file for your claim, please contact our fiduciary Agent;&lt;BR&gt;&amp;nbsp;&lt;BR&gt;Mr DAVID WALTER.&lt;BR&gt;#999 Edgware Road,&lt;BR&gt;London W2 1EY&lt;BR&gt;United Kingdom.&lt;BR&gt;Email: &lt;A href="mailto:claimsagent907@yahoo.co.uk" mce_href="mailto:claimsagent907@yahoo.co.uk"&gt;claimsagent907@yahoo.co.uk&lt;/A&gt;&lt;BR&gt;TELEPHONE: +447xxxxxxxxxx&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;BR&gt;&amp;nbsp;.&lt;BR&gt;Sincerely,&lt;BR&gt;Dr paul white&lt;BR&gt;Zonal Co-ordinator”&lt;/P&gt;
&lt;P&gt;Ok, the title is odd. Who would naturally title such a mail using the word “FIDUCIARY”? Also, in a quick credibility check, why would a fiduciary officer (a much glorified accountant and financial controller) handle claims when they have a claims department? So, that doesn’t seem right. &lt;/P&gt;
&lt;P&gt;That address has been used in at least a dozen other scams. How hard would it be to find another address? Sloppy work. A moment of research and this mail is blown sky high.&lt;/P&gt;
&lt;P&gt;Hmm… they know my email address and not my name? They can’t even guess? Not from &lt;A href="mailto:Mark.Long@Microsoft.com" mce_href="mailto:Mark.Long@Microsoft.com"&gt;Mark.Long@Microsoft.com&lt;/A&gt;? I know that giving my email address like that will probably harvest SPAM but that is OK :-) It will go with the rest.&lt;/P&gt;
&lt;P&gt;They announced the result of the draw on the 24th back on the 22nd? Sounds crooked to me.&lt;/P&gt;
&lt;P&gt;Grammar alert! My email address drew the lucky numbers? All by itself? How clever is that?&lt;/P&gt;
&lt;P&gt;The lucky numbers include 2 number “43”s – I am no expert but don’t numbers have to be unique? How would you tick 43 on the form twice?&lt;/P&gt;
&lt;P&gt;“and consequently Won you the lottery in the 3rd category” – uh, pardon? 3rd Category? And why is there a capital “W”?&lt;/P&gt;
&lt;P&gt;Observe the sequence of random numbers and letters. The intent is to seem very specific. So, they don’t know my name but they have the number of the ticket and the serial number of the ticket? Not convinced.&lt;/P&gt;
&lt;P&gt;“This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.” – the strange Capitalisation continues. International winners? I am not that international, being snug and safe here in Reading. The national lottery is not the international lottery in any case. Additionally, what are the odds of the totals and the share being such round numbers?&lt;/P&gt;
&lt;P&gt;# before the number? American convention, not used here in Blighty.&lt;/P&gt;
&lt;P&gt;What is the second address for? Am I supposed to write to both of them? Edgware Road? Really? For those not from these shores, Edgware Road is a well known London street, equally known for its underground station (one of the 7/7 bombing sites), and it links Marble Arch and Edgware. The street number given was actually that of a rather good Middle Eastern restaurant but I don’t think that is significant.&lt;/P&gt;
&lt;P&gt;The email address is at Yahoo.co.uk? And this guy has at least 906 colleagues? Do Camelot (who run the lottery) use free email accounts these days? It must be because of the 906 people giving away all of the money. These mails normally have a free email account associated with them and it is normally different to the email address in the mail header – it was in this case too. Watch out for &lt;/P&gt;
&lt;P&gt;Of course, they could need to use free email accounts because they have a PhD writing their mails. That can’t be cheap. Possibly his degree is in poetry specialising in e.e.cummings since they seem to have the same approach to capitalisation. Another expense must be the mobile phone number given - all UK numbers starting with 7 are mobile (cell) phones.&lt;/P&gt;
&lt;P&gt;Zonal? If our friend claims agent 907 is a zonal co-ordinator, how many zones do they have?&lt;/P&gt;
&lt;P&gt;Really. C-, must try harder.&lt;/P&gt;
&lt;P&gt;So, this was a very unremarkable bit of Phishing SPAM. Next time, I will be looking at some of the mails used to spread the Storm Trojan which is often incorrectly called the Storm Worm. It isn’t a worm although it does use SPAM as part of attempts to enlarge the botnet.&lt;/P&gt;
&lt;P&gt;Oh, on a final note, I am looking at a cube note (a bit of paper dropped on my desk) claiming that an AI called Testaccount23 has escaped and is living at &lt;A href="http://test23account.spaces.live.com/" mce_href="http://test23account.spaces.live.com/"&gt;http://test23account.spaces.live.com&lt;/A&gt; – I smell a viral campaign. However, I am not sure that is within my remit :-)&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5653744" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Malware: mitigating maladies might matter</title><link>http://blogs.msdn.com/marklon/archive/2007/10/17/malware-mitigating-maladies-might-matter.aspx</link><pubDate>Wed, 17 Oct 2007 20:40:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5495878</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5495878.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5495878</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5495878</wfw:comment><description>&lt;FONT color=#333333&gt;
&lt;P&gt;Well, another update Tuesday done and dusted. We are not supposed to use the word "Patch".&lt;/P&gt;
&lt;P&gt;So, the question that I left you with was what could be done to make it safer to run on a compromised computer; that is to ask how could you mitigate the risks?&lt;/P&gt;
&lt;P&gt;The answer is that it very much depends on the malware in question. Let us consider what would happen with some common types. In each case, I will be assuming that the type is pure and has no function other than that stated – a little unrealistic, I know.&lt;/P&gt;
&lt;P&gt;Adware. This is pretty common stuff. It pops up pages advertising various goods or services, often adult in nature and is normally associated with a malicious Browser Helper Object in IE or a Plug-in under Firefox. Adware typically has little effect on applications that don’t use the browser although you might be surprised what does. HTML help? Hosted in shdocvw.dll, the WebBrowser control. That could load malware into a custom application but it is unlikely that the Adware would do anything sensible injected into another process. It might well crash an application though – indeed, the first malware I ever looked at was doing just that. The Adware could have additional functionality making it not a pure Adware component, of course. Is it safe to have it in your process? No. It could be very unsafe if your application is web based.&lt;/P&gt;
&lt;P&gt;Spyware. These monitor user action, normally in a limited context such as search strings and keystrokes. A lot of them are browser based. Many of them include an adware component. Spyware tends to replace more of the system functionality than adware does but for the sake of clarity, let us assume that we are only talking about spyware that monitors and possibly redirects input in the browser. Well, in that case, all the caveats for Adware apply and some more. It wouldn’t be hard to write a bit of spyware that looked at all WM_CHAR messages processed in a browser window. For a web-based application, this could represent a huge leak of confidential information. For a non-web based app, it would again be less of a threat. Hooking in to the HTML help would probably only send out search strings that users were entering against the help. That is probably not all that worrying but Spyware has the power to be much more dangerous than Adware – not at all safe.&lt;/P&gt;
&lt;P&gt;Remote Admin Tools. Ouch. These are typically classed as Trojans and range from relatively simple bots which churn out bulk mail and are only controllable to a limited degree to more flexible apps that allow file transfer and command lines to be passed. It is pretty easy for a BlackHat controlling one of those to insert a more complete admin tool (several commercially available) to allow proxying of the GUI – oh, and Blackhats rarely pay license fees. Just one of those things. If one of the more flexible ones is running then pretty much all bets are off because it can do pretty much anything that a local admin could do. How much will this affect a given application? It is difficult to say as these are the most variable of malware types. Worst case, your database could change under you, your data could be snooped. Best case? You run slow because you are competing with an application which is churning out SPAM.&lt;/P&gt;
&lt;P&gt;Keyloggers. Nasty things, keyloggers and all too common. Go to eBay and hardware and software keyloggers are freely (and legally) available – and there is no way for software to find hardware keyloggers. The software ones generally hook in at kernel level and log all keystrokes. That would steal a lot of data from pretty much any application, browser based or not. It could steal credit card numbers, log-ons or whatever else. There is not much mitigation that is possible against these.&lt;/P&gt;
&lt;P&gt;Not much? Well, nothing directly. However, two-factor authentication is helpful against these. Ok, a Blackhat could still grab the credentials to log on to your banking application but unless they exploit them on the original system with the second factor present then they have taken less than they otherwise would. &lt;/P&gt;
&lt;P&gt;Viruses? We don’t see those so much these days and they have limited functionality typically. They want to be small and that means that they are fairly simple. It is a similar deal with Worms though they often drop Trojans.&lt;/P&gt;
&lt;P&gt;So, is there something that mitigates against all of these? Yes, as it happens, there is :-) All of these except Adware need to be able to contact somewhere else to do their damage. They need to get out of the local area network and onto the Internet. A great many companies very sensibly have great protection against packets from outside coming in. Most companies are more relaxed about requests going out. &lt;/P&gt;
&lt;P&gt;What does most malware do if it can’t call home? Very little. Remote Admin tools sit idle. Keyloggers send their data nowhere (although beware of those that email the collected data, since outbound mail is usually one of the things that is allowed out). Spyware reports nothing to no-one.&lt;/P&gt;
&lt;P&gt;Good protection against threats coming in can prevent infection. Good protection against data going out can be a good mitigation.&lt;/P&gt;
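There is a detection bonus to blocking outbound traffic by default that the post leaves implicit: the firewall's own drop log then shows which host keeps trying to call home, and a bot retrying its controller does so with a regularity no human produces. The script below is an added example, not code from the original post or from Microsoft. It parses log lines in the "#Fields:" layout that Windows Firewall writes to pfirewall.log (the column names are assumed from that format; adjust them for another firewall) and reports outbound drops to the same destination that recur at a steady interval. The log lines are constructed for illustration.

```python
"""Find hosts that keep trying to call home through an egress filter.

Added example, not from the original post. Reads firewall log lines in the
W3C-style '#Fields:' layout Windows Firewall writes to pfirewall.log (assumed
here; the field names come from the header line, so another firewall's log
works if it carries a comparable header). SAMPLE_LOG is constructed: one
workstation retrying an IRC-style port every minute, plus background noise.
"""
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-10-17 20:40:01 DROP TCP 192.168.1.23 203.0.113.9 1051 6667 48 S 3482917 0 65535 - - - SEND
2007-10-17 20:40:09 ALLOW TCP 192.168.1.23 192.168.1.1 1052 80 48 S 3482950 0 65535 - - - SEND
2007-10-17 20:41:01 DROP TCP 192.168.1.23 203.0.113.9 1053 6667 48 S 3483120 0 65535 - - - SEND
2007-10-17 20:41:37 DROP UDP 192.168.1.40 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-10-17 20:42:01 DROP TCP 192.168.1.23 203.0.113.9 1054 6667 48 S 3483301 0 65535 - - - SEND
2007-10-17 20:42:44 DROP TCP 192.168.1.23 198.51.100.7 1055 443 48 S 3483402 0 65535 - - - SEND
2007-10-17 20:43:01 DROP TCP 192.168.1.23 203.0.113.9 1056 6667 48 S 3483512 0 65535 - - - SEND
2007-10-17 20:44:01 DROP TCP 192.168.1.23 203.0.113.9 1057 6667 48 S 3483700 0 65535 - - - SEND
"""


def parse(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than guess
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def find_beacons(log_text, min_attempts=4, max_jitter=0.2):
    """Group outbound DROPs by (src, dst, dst-port) and report steady repeaters.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between attempts; a retrying bot is far more regular than a person.
    """
    attempts = defaultdict(list)
    for rec in parse(log_text):
        if rec["action"] == "DROP" and rec["path"] == "SEND":
            attempts[(rec["src-ip"], rec["dst-ip"], rec["dst-port"])].append(rec["ts"])
    beacons = []
    for (src, dst, port), times in attempts.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "attempts": len(times), "period_s": mean})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every {b['period_s']:.0f}s "
              f"({b['attempts']} blocked attempts)")
```

Run it over a real file with `find_beacons(open(r"C:\Windows\pfirewall.log").read())`. The single drop to 198.51.100.7:443 is ignored by design; one blocked connection is noise, five at sixty-second spacing is a process that wants to talk to something and has not given up. That host is the one to pull Process Explorer out on.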
&lt;P&gt;Until next time, signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;/FONT&gt;&lt;FONT face=Arial&gt;&lt;/FONT&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5495878" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Can you break Law #1 and get away with it?</title><link>http://blogs.msdn.com/marklon/archive/2007/09/24/can-you-break-law-1-and-get-away-with-it.aspx</link><pubDate>Mon, 24 Sep 2007 18:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5099614</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/5099614.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=5099614</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=5099614</wfw:comment><description>&lt;P&gt;To save you scrolling down, let me restate Law #1 of the immutable laws of security:&lt;/P&gt;
&lt;P&gt;"&lt;FONT face=Arial size=2&gt;If a bad guy can persuade you to run his program on your computer, it's not your computer anymore"&lt;/P&gt;
&lt;P&gt;Is there any possibility that it is safe to do business with a computer that has malware on it? The blanket answer is "no – there is no way to be sure". Like all generalizations (irony by design), this is not wholly true. Malware comes in many forms and not all malware will affect all aspects of system operation. If you know exactly what the malware does then it may be possible to still trust the machine to some degree. If you know that the malware just pops up unwanted advertising and has no other function at all then it is probably fine to still accept a low value online order from that customer. If the system has a keylogger which records credit card details then it might be perfectly safe for you to accept the order but very dangerous for the user to place it. So, the more accurate answer to the question would be "In general, no, it is not safe. In some specific cases, it may be".&lt;/P&gt;
&lt;P&gt;So, the follow-on question is "Can you determine programmatically whether it is safe or not?"&lt;/P&gt;
&lt;P&gt;This is, I think, a better question. However, the answer is unfortunately "Almost certainly not".&lt;/P&gt;
&lt;P&gt;"Why do I say that?", I imagine you asking. I will be delighted to answer (I am easily pleased). The reason is twofold. The first is that you can’t tell what a bit of detected malware does without extensive reverse engineering. The second is that any machine (other than one in isolation that has been built from known clean sources) could be compromised with malware that hides well. One thing that rootkits do is hide. If something has modified system behavior below the level at which you run, the results of any investigation that you do is suspect – API calls can be subverted by malware. No automated or manual process can guarantee that there is no malware on a system because absence of evidence is not evidence of absence. &lt;/P&gt;
&lt;P&gt;The logical conclusion is that since no real world machine is 100% safe then we must regard them as wholly unsafe. However, that is logical rather than sensible. In reality, we must accept a level of risk from the systems that run our applications. Where possible, we must mitigate the risks. We should always recognize them even if we can not mitigate against them.&lt;/P&gt;
&lt;P&gt;In my next post, I will be talking about mitigation strategies.&lt;/P&gt;&lt;/FONT&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=5099614" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item><item><title>Living in an unsafe world</title><link>http://blogs.msdn.com/marklon/archive/2007/09/18/living-in-an-unsafe-world.aspx</link><pubDate>Tue, 18 Sep 2007 18:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4980867</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/4980867.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=4980867</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=4980867</wfw:comment><description>&lt;P&gt;Hello ladies, gentlemen and others&lt;/P&gt;
&lt;P&gt;I am sorry that I have not blogged for a little while. I have been a little occupied with some pro-active stuff for a change. I was on training last week with David Solomon (smart fellow) and I have been preparing for a talk that I will be delivering in Stockholm in a few days. Fortunately for me, they are willing to speak English; I speak no Swedish at all.&lt;/P&gt;
&lt;P&gt;So, in my last post, I said that I would be discussing limiting risks. If your computer is turned on and connected to a network then the risk to it is non-zero. All that you can do is find a good balance between risk and functionality. If your computer is turned off, it is very safe but quite non-functional. If the computer is turned on and there is no firewall protecting it and the logged on user is an admin then it is probably very functional but not at all safe. Everything else is seeking a balance point.&lt;/P&gt;
&lt;P&gt;So, are you familiar with the ten immutable laws: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true ?&lt;/P&gt;
&lt;P&gt;I like law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore&lt;/P&gt;
&lt;P&gt;This might seem like it is not wholly true – if malware runs under a limited account, is that so bad? It might not be the end of the world if that account were very limited and that software only ran with that user account. What if there were an elevation of privilege vulnerability as well? It has happened before in Windows, Linux, BeOS – none of this is OS specific. These are called blended attacks. It may be that there are no elevations left or that there is no route to the elevation from the things that malware running in a compromised context can access. However, if something might be a risk, it is best to assume that it is a risk. Smart but dishonest people will work very hard to find any hole.&lt;/P&gt;
&lt;P&gt;Given that, any computer with malware cannot be fully trusted. In a near perfect world, it wouldn’t be trusted at all. Of course, in a perfect world, there would be no malware. &lt;/P&gt;
&lt;P&gt;In this very imperfect world, it is pretty much certain that some of the computers that connect to a website will be compromised. Some of them will belong to blackhats. It has been said that politics is the art of the possible. IT security is also the art of the possible – living in a world where not everything is safe.&lt;/P&gt;
&lt;P&gt;I will talk about helping your programs survive in a dangerous world in my next post&lt;/P&gt;
&lt;P&gt;Signing off&lt;/P&gt;
&lt;P&gt;Mark&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4980867" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Trust me if you dare...</title><link>http://blogs.msdn.com/marklon/archive/2007/08/28/trust-me-if-you-dare.aspx</link><pubDate>Tue, 28 Aug 2007 20:08:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4615507</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/4615507.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=4615507</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=4615507</wfw:comment><description>&lt;FONT face="Times New Roman" size=3&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;Paranoia : &lt;SPAN style="COLOR: #333333"&gt;baseless or excessive suspicion of the motives of others&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;What percentage of computers are compromised in some way? No-one knows for sure but there are estimates. Not many servers – but compromises of those tend to be critical. Some of the systems in an managed environment may be compromised by malware of some kind. Many home systems are – if your system connects to many home systems, you are going to have to assume that at least some of them have malware on. Given that some of the boxes are not trustworthy and you can’t tell which, you have to assume that any (which means all) of them are bad. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;Is this excessive? Maybe. It depends what you are protecting. The cost of the protection should be less than the value of the thing that it is protecting or there is no point. If you are protecting grandma’s tomato soup recipe and your name is not “Heinz” then complex protections are unnecessary but some things have to be protected by law. If your system is protecting the identity of translators in a combat zone, it could be a matter of life and death. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;In that case, you need to be as certain as you can be that nothing is widening the access to the data. A keylogger could be hardware or software. Something could be sniffing the network. There could even be a hidden camera looking at the screen (no, really, it has happened). In that case, the more control over the environment, the more certain you can be that your environment is clean. In practice, you may only have limited control and that puts you in the world of trying to limit risks. That gets interesting. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;I will be talking about that in some future blogs&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;Until then, signing off&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="COLOR: #333333; FONT-FAMILY: 'Arial','sans-serif'"&gt;Mark &lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/FONT&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4615507" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>Being held to account</title><link>http://blogs.msdn.com/marklon/archive/2007/08/17/being-held-to-account.aspx</link><pubDate>Fri, 17 Aug 2007 21:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4434911</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/4434911.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=4434911</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=4434911</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Hi there&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Sorry that it has been a little while since my last post. I have been away at a customer’s site. As usual, I can’t say where I was or what I was doing but I left at 3 hours notice to go there and spent pretty much an entire day in an economy class plane seat. I thought that I would share a few tips if ever you find yourself in the same situation.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The first is that the quickest way to pack seems to be the most expensive. On the way to the airport, stop at a shop that sells clothes, toiletries and suitcases. Buy all of these things. At the checkout, put the suitcase on the conveyer belt first. Pack the clothes and toiletries straight into the case. Job done. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The second is to remember that the seasons change if you change hemisphere. I forgot that bit.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;So, it wouldn’t be my blog without something technical so I would like to discuss user accounts and malware. That is not as dull as it sounds.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Let’s start with a question. How many accounts should a user have? The obvious answer is 1. One person, one account, makes good sense. However, this is not true of people with multiple roles. If someone is a domain admin or an enterprise admin, they shouldn’t be using that account for anything other than the most essential work. In that case, the user needs one account per role so that they are not reading emails and surfing the web with an admin account. It sounds obvious and maybe it is… but you would be amazed how often we find that people forget to do that… and these are people who end up talking with me. You can guess that things did not go well given that.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;How about another question? How many accounts have no people associated with them? That is a tougher question. It will depend on your network and what you are running but you will need service accounts. What rights those accounts need will vary but you will be doing yourself a favour if you give them as few rights as possible and an interactive logon is definitely not a right that they should have. Please, humour me while I talk about how malware (including hacking tools) gets on boxes.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The main vectors are:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpFirst style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;1.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Users running random files from bad people on the internet. These come via web-browsers or email.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpMiddle style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;2.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Browser exploits. We patch it for a reason. Our competitors do the same with theirs.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpMiddle style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;3.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;SQL injection attacks&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpLast style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;4.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Exploits of services&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Limiting account rights can help in case 1 and 2 but causes some user pushback and so negotiation is needed – but recall what I said about admins needing 2 accounts. 3 and 4 involve no user pushback and is a quick win. Clearly, a service account should have no more rights than it needs and everyone knows that. However, developers frequently test applications using domain admin accounts… and when it is time to deploy, the tendency is to deploy in the configuration that you tested in and tighten it up later. This is the same later when you will do the documentation, fix the last bug and go for a long holiday in the sun. I am still waiting for those “later”s from previous companies where I worked.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;So, if malware gets in to a service which has high rights, it has high rights. If it runs as a domain admin, every system volume is an open book, every registry its registry. It can and does spread like wild fire.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Choosing rights carefully has no effect day to day but it can save your skin if something gets in to the network. If things are a little quiet as summer winds down, perhaps this is the perfect time to review the rights of your service accounts. I know that this is basic advice and obvious stuff… but if it were done universally, I wouldn’t have had to leap on a plane last week.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Until next time&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4434911" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category></item><item><title>Targeted attacks - a sniper rifle, not a scattergun</title><link>http://blogs.msdn.com/marklon/archive/2007/07/25/targeted-attacks-a-sniper-rifle-not-a-scattergun.aspx</link><pubDate>Wed, 25 Jul 2007 19:44:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4046310</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/4046310.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=4046310</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=4046310</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Malware is often thought of as an equal opportunity nasty. After all, real viruses affect the rich and poor equally. However, things are not as they once were. In the heady days of Blaster and Slammer and Nimda et al, the malware would infect anyone that it could. &lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Worms are not often found these days (fingers and toes crossed) but Trojans that will add your machine to a BotNet are not so much common as ubiquitous. These are not at all targeted but once in a while, we see something a bit different.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;A blackhat will pick a handful of important users in an organization and they will be targeted with malware. It might be done via an email with a document that exploits a vulnerability in Office or Adobe Reader or whatever document viewer is unlikely to have been patched – large organizations often take a little while to roll out updates and longer for third party products which don’t have an auto-update mechanism. It is quite likely to have content tailored to be of interest to the user – for example, if the sales manager of a PC company was being targeted, it would make sense for the mail to claim that the document is sales figures from a competitor. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;That said, there is another, simpler way. Some blackhats have been known to send (via snail-mail) a USB key or a CD with the malware on it. Most non-technical staff (and managers are normally the targets) will put the CD in or USB key in their PC without question. One quick autorun later and that box is owned. However, the purpose here is not to make the machine a spambot but to install a quiet little backdoor that will allow someone to help himself to the contents of “My documents”. Typically, the backdoor software will allow access to a command shell and a simple file transfer mechanism. Sometimes the hacker gets lucky and finds that a senior manager has insisted that he should have a similar level of control over the network but that is a bonus.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Because these attacks affect very few users, they often slide under the radar, especially because most organizations would sooner not come out and say that they got hacked. Sometimes the backdoors are specifically created for that one target if it is high value enough and so AV solutions are not useful.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Given that, what are the best defenses? There are two:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpFirst style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;1.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;User education. The information that executives hold is valuable. Someone needs to tell them how to protect it. Maybe that person should be you. Hey, it is something to put on your next review document.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoListParagraphCxSpLast style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=3&gt;2.&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Good network egress control. I speak to a lot of customers who regard any outgoing traffic (LAN/WAN to internet) as good and all unsolicited incoming traffic as bad. Now, consider that these are customers speaking to someone who specialized in compromised systems. Most malware can’t do much if it can’t call home. Good egress control is no substitute for good training but it is an excellent adjunct.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
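&lt;P&gt;As an added example of the second defense, not part of the original post: the PowerShell below applies the same idea on a single managed client with the built-in Windows Firewall. Outbound traffic is denied by default, then allowed only to the internal resolvers, the outbound web proxy and the internal address range, and dropped connections are logged. The addresses, the proxy port and the www.example.com probe host are placeholders for your own environment; the NetSecurity cmdlets need Windows 8 / Server 2012 or later and an elevated prompt.&lt;/P&gt;

```powershell
# Added example (not from the original post): default-deny egress on a managed
# Windows client using the built-in firewall, the host-level version of the
# perimeter egress control the post recommends. Addresses below are
# placeholders for your own resolvers, proxy and internal range. Requires the
# NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt.

$InternalDns  = @('10.0.0.10', '10.0.0.11')   # assumed internal resolvers
$WebProxy     = '10.0.0.20'                   # assumed outbound web proxy
$WebProxyPort = 8080
$InternalNet  = '10.0.0.0/8'                  # assumed internal address range
$RuleGroup    = 'Egress-Policy'               # groups our rules for easy cleanup
$ProbeHost    = 'www.example.com'             # placeholder internet host for the check

function Set-EgressPolicy {
    # Remove any earlier run of this policy so the script is idempotent.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # 1. Outbound is denied unless a rule allows it. Inbound default is
    #    already Block on every profile; this makes outbound match.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block

    # 2. Allow only what a managed client needs, scoped by destination and
    #    port so malware cannot simply pick a different server.
    New-NetFirewallRule -Group $RuleGroup -DisplayName 'Egress: DNS to internal resolvers' `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
        -RemoteAddress $InternalDns | Out-Null

    New-NetFirewallRule -Group $RuleGroup -DisplayName 'Egress: web via proxy only' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort $WebProxyPort `
        -RemoteAddress $WebProxy | Out-Null

    New-NetFirewallRule -Group $RuleGroup -DisplayName 'Egress: internal network' `
        -Direction Outbound -Action Allow -RemoteAddress $InternalNet | Out-Null

    # 3. Log what gets dropped. A process that turns up here trying to reach
    #    80/443 directly is exactly the "call home" the post describes.
    Set-NetFirewallProfile -All -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
}

# Quick check that the policy behaves: a direct connection to the internet
# on 443 should fail while the proxy port is still reachable.
function Test-EgressPolicy {
    $direct = Test-NetConnection -ComputerName $ProbeHost -Port 443 -WarningAction SilentlyContinue
    $proxy  = Test-NetConnection -ComputerName $WebProxy -Port $WebProxyPort -WarningAction SilentlyContinue
    [pscustomobject]@{
        DirectInternetBlocked = -not $direct.TcpTestSucceeded
        ProxyReachable        = $proxy.TcpTestSucceeded
    }
}

Set-EgressPolicy
Get-NetFirewallRule -Group $RuleGroup | Format-Table DisplayName, Direction, Action -AutoSize
Test-EgressPolicy
```

&lt;P&gt;The log file is the point: a workstation process trying to reach port 80 or 443 directly instead of through the proxy now fails and leaves a record, instead of succeeding silently. Anything that legitimately needs a direct path gets its own narrowly scoped rule rather than a return to allow-all.&lt;/P&gt;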
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;It is possible that an attacker could try the same thing anywhere in your organization since any access is better than none so you might want to spread the word to the whole company. It might save millions of dollars though you can never measure prevention. In the worst case, it is good and harmless. Please, spread the word.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Until next time, signing off&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4046310" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item><item><title>Risky business whatever you do...</title><link>http://blogs.msdn.com/marklon/archive/2007/07/23/risky-business-whatever-you-do.aspx</link><pubDate>Mon, 23 Jul 2007 12:31:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4008443</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/4008443.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=4008443</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=4008443</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Wow – The code review entry was really popular. &lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;I have to admit that I have never used a code review tool and they may be wonderful. I tend to plough on through the code just to be sure that I haven’t missed anything.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;I don’t do that many code reviews so it comes as something of a break from routine when I do get one. Much of my time is spent on reviewing reports generated by one or other tool as part of an incident response case. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;IR cases are hacking or malware – basically, a compromise of a customer. These do happen, sometimes because systems are badly patched, sometimes because of social engineering getting someone to run a malicious file or (in theory) because someone has found a new hole and exploited it. I have yet to see an attack through a previously unknown vulnerability and I hope that I never will – a wormable hole is the sort of thing that gives us nightmares. Anyway, however it happens, a customer gets malware on a client or server. What they want is for us to remove it so that they can carry on as before. They are often disappointed when we recommend rebuilding. The decision as to whether to rebuild comes down to acceptable risk. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;How much risk is acceptable? In many environments, a bit of malware that just pops up the odd advert for Spong’s footcare products would be acceptable. A keylogger which records every keystroke and sends it to a black hat would not be OK in any environment. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;However, how do you know exactly what a bit of malware does? It is possible to analyze a bit of malware automatically but that is always a bit risky – because all you know is what it did that time when it was being watched. Does it do that every time? Can it do something else? Would it behave differently if it were not being monitored? That isn’t as crazy a question as it seems – there are bits of malware that do that. A good way to be sure is to double-check by getting a good reverse engineer to analyze the malware as well. This is a tricky thing to do and there are not so many people who can do it, especially against the packed malware that we see these days. However, it is possible and a decent engineer using the right tools can get a pretty complete map of a simple malware in a few hours. A nightmare malware could take a couple of weeks. However, it is possible… or it would be if there were a handful of malwares released a week and they were not polymorphic and there was some mechanism that ensured that they would wait in a queue to be analyzed. In practice, there are many teams of blackhats and they release dozens of variants of each malware. No-one knows for sure how many variants there are out there. It is more than 200,000 certainly. Let us call it a quarter of a million. If we assume that an expert can analyze and report on 1 per day and that there are something like 100 analysts doing this day in and day out and sharing results (and that would be optimistic) then that would be around 10.5 years. That assumes no new malware, of course. Not a very realistic assumption given that the rate of production is increasing. In practice, the industry is hard pressed to get more than an approximate idea of what most malware is doing.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;When considering risk, we have to look at the worst case. Unless we know otherwise, malware could drop other malware – Trojan droppers do – or turn off firewalls or disable AV solutions or act as a back door allowing someone else to administer the machine. We know of multiple malwares that do just that. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Now, detection is not all that certain. The best antivirus solutions get up to 9x% of known malware. That sounds OK, doesn’t it? So, they miss between 5 and 10% of known malware, and pretty much anything that they have no signature for is missed. So, if you scan your machine and the AV solution says that it is clean, it may be right. Or it may be subverted in such a way that it is unable to tell. Or there may be a malware that is not in those signatures.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Realistically, there is a significant chance that a system reported clean is still compromised. Even the most careful checking of the kernel and user memory might miss something as humans are fallible. Any machine that is known to have been compromised once is necessarily less trustworthy because holes may have been added in the firewall or user rights changed or a bunch of other things. AV solutions don't generally do more than check for known malware.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;If you are 99% sure that 1 machine is clean then that is fine for a home user. It is risky for a developer on a network. It is unacceptably dangerous in a financial, military or safety critical scenario. Of course, most of us are not controlling nuclear reactors for fun and profit but a lot of us bank online.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The question in the end is simple. I am at heart a developer. Let’s look at it that way.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Let CostOfProbableLoss = ValueOfAsset * Risk.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;If CostOfProbableLoss &amp;gt; CostOfMitigation then RecommendMitigation&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;It takes hours to rebuild a compromised SQL server box. If it contains data that is worth millions… well, the risk doesn’t have to be very high for that to be the cheapest option.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Signing off&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4008443" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item><item><title>How malware likes to hide</title><link>http://blogs.msdn.com/marklon/archive/2007/07/05/how-malware-likes-to-hide.aspx</link><pubDate>Thu, 05 Jul 2007 18:58:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3707809</guid><dc:creator>marklon</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/marklon/comments/3707809.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=3707809</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=3707809</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Well, technically, how malware writers like to hide malware. In my last post, I talked about subversion – hacking the OS so that it does not see the malware. That is part of the rootkit. Not all malware uses a rootkit, but all malware has to avoid detection by signature based anti-malware tools like standard anti-virus solutions and anti-spyware solutions. The way that the first AV solutions worked was that they looked for the precise pattern of bytes or the MD5 hash of the file. Polymorphic viruses were built to defeat this although polymorphism is not limited to viruses. We habitually see it in Trojans as well. 
There are several ways that this can work.&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The first and simplest is to include random junk data in the binary image and change it when you write a copy of the executable to a location. There are two good things about this approach. The good thing for the BlackHats is that it is really easy to do this. The good thing for the Whitehats is that it is pretty much ineffective if we are looking for byte patterns in files rather than just hashing the file. AV solutions that used signature files to look for matching patterns became the norm.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The next generation tried to alter the code in ways that didn’t much matter. Add a NOP here. Have multiple code fragments which do the same job and are the same length (easy enough if you pad with NOPs) or, in the case of the terminally clever, move things around into different “slots” within the code segment. This was a bit harder to counter but there are still a limited number of possible forms and so it just requires a LOT of different signatures. Annoying, and it means that malware checks take a lot longer, but still possible. Typically, polymorphic code that works this way doesn’t want to change the length of a section of code because then it effectively has to relink itself “on the fly”, as the relative jumps will be off. That is fairly tricky to do and it would be difficult to write a re-linker that was itself polymorphic. Fixed code makes malware easier for automated systems to find. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;What we see a lot of now is packed malware – it has a decryption engine built into the malware and if you look at the malware in a disassembler, you see the code of the unpacking tool and not of the malware – it has become an encrypted payload deployed by the packer. This makes it very hard for an investigator to work out quite what the malware is doing. However, it doesn’t have quite the effect that the malware writers want. There are only a few packers available on the underground economy. Remember that I said that fixed code is easier for automated systems to find? If we find a packer designed to hide malware, we can assume that the file is malware. Thanks for the help, guys! &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;FONT size=3&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;The war is far from won, of course. The botnets get ever larger and the varieties of malware multiply. Most botnets just spew SPAM of course – “pump and dump” schemes AKA boiler-room SPAM, adverts for V-I-A-G-&lt;/SPAN&gt;&lt;SPAN style="FONT-FAMILY: 'Arial','sans-serif'; mso-ansi-language: EN-GB; mso-fareast-language: EN-US"&gt;Я&lt;/SPAN&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;-A or some other spelling of counterfeit drugs or the scam-du-jour. At the moment, we are seeing a lot of mails looking to recruit machines into botnets via social engineering – “run this trojan dropper to see your ecard”. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;Some attacks are smarter than others and some end users are better informed than others.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;We are doing the best we can to make our SPAM filtering better, our code more secure and taking what legal measures we can to shut down the bad guys. The bad guys are throwing everything that they have at us and our users… just like every day.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Until next time&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; mso-layout-grid-align: none"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3707809" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.msdn.com/marklon/archive/tags/viruses/default.aspx">viruses</category></item><item><title>Subversion... something nasty lurks</title><link>http://blogs.msdn.com/marklon/archive/2007/07/03/subversion-something-nasty-lurks.aspx</link><pubDate>Tue, 03 Jul 2007 18:47:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3672244</guid><dc:creator>marklon</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/marklon/comments/3672244.aspx</comments><wfw:commentRss>http://blogs.msdn.com/marklon/commentrss.aspx?PostID=3672244</wfw:commentRss><wfw:comment>http://blogs.msdn.com/marklon/rsscomments.aspx?PostID=3672244</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Subversion is defined by our friends in the Princeton U’s English department as follows:&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt; 
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;subversion &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;noun &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;1.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;destroying someone's (or some group's) honesty or loyalty; undermining moral integrity; "corruption of a minor"; "the big city's subversion of rural innocence" [syn: corruption]&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;2.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;the act of subverting; as overthrowing or destroying a legally constituted government&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;I use the term most days but it means something rather more specific in the jargon of the security researcher. An application or operating system is subverted when its functionality has been changed in a way that it (and possibly other software) is not intended to detect.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;There are sensible and legal and valid cases where software can be subverted. A screen reader for visually impaired users might want to hook into the system in weird and wonderful ways if the MSAA interface doesn’t do all that is needed. A parent or employer might reasonably want to monitor some aspect of a system that they own. In both cases, it is reasonable that the developer of the additional code would not want the application to change its behavior. In the case of a screen reader, it won’t hide from the process list as it is perfectly OK, even desirable, for the user to be able to detect that the process is running. An employer might not want its staff to know that they are monitored and whether that is legal depends on where you are. I suspect that it would fall foul of the German privacy laws but would be fine in some countries – although it might be necessary to warn staff that there is monitoring software in place. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Of course, malware is pretty much universally illegal. Some malware doesn’t attempt to hide at all, although that is a minority. I came across some the other day that used the rather basic approach of calling itself notepad.exe and using the notepad icon. Needless to say, that didn’t divert us for long. I have seen svehost.exe processes and scvhost.exe processes and services with all manner of names and false descriptions. One of the oddest claimed to be a service pack for Sid Meier’s Colonization (watch the hit count soar) which was running as a service. Yeah, that makes sense, nothing suspicious there at all. These are normally quite simple beasts that we can combat quite easily.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Malware that hides is a bit more interesting. It normally does this by attacking the operating system itself. You know that malware hooks into components and changes behavior. Imagine what would happen if FindFirstFile or EnumProcesses were altered. I don’t have to imagine because we routinely see rootkits that do exactly this. You can think of a rootkit as an SDK for malware writers. It is designed to hide something from the system and the developer normally has some degree of control over what is hidden. What they normally hide is the payload and that can vary immensely. There are many more payloads than rootkits and we see the same ones over and over. Some people class rootkits as application, library or kernel but things are not that pure in the malware world. We generally just think of them as kernel or user mode.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;User mode rootkits will often be fairly crude in their attacks – for example, they will typically disable antivirus solutions and leave the malware to rely on being in hidden files or odd directories. There isn’t that much that you can do in user mode and, to be frank, the developers of user mode rootkits are not the best of the blackhats.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;There is a very simple rule for rootkits and it is of use to those that write them and those that hunt for them. He who hooks lowest will win. What that means is that the lower level the rootkit, the harder it is to detect. A user mode rootkit detector will struggle to detect that the operating system below it is no longer telling the truth. A kernel mode detector will be quite immune to some user mode subversion. The serious rootkits are all kernel mode now and some of them are tricky customers indeed. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;On the plus side, there are some very good rootkit detectors out there now and, since there are few rootkits and many payloads, it can be a very quick way of detecting if there is malware on a system even if the payload is a variant that we have never seen before.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;The fight between the blackhats and whitehats goes on and we dive deeper and deeper into the OS, both of us trying to get below each other. There are some clever people out there and the battle is not won either way as yet… but I would not be surprised if future designs of PCs had to have more security features built in. You can’t get below the hardware. Well, not unless you virtualize the hardware, that is.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Oh, and I notice that I have hardly mentioned the platform in this blog and that is because rootkits come in a variety of flavors. Some are for Windows, some are for Linux and some are for BSD which is appropriate in a way. The first ones were found on Unix.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Until next time&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;o:p&gt;&lt;FONT size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"&gt;&lt;SPAN lang=EN-US style="FONT-FAMILY: 'Arial','sans-serif'"&gt;&lt;FONT size=3&gt;Mark&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3672244" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/marklon/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.msdn.com/marklon/archive/tags/malware/default.aspx">malware</category></item></channel></rss>