
IBM Global Technology Services October 2009

IBM Internet Security Systems X-Force Threat Insight Quarterly

X-Force Threat Insight Quarterly Page 2

Table of Contents
About the Report ............................................ 3
Port Security: One More Tool in the Toolbox ................. 4
What does this file do? .................................... 13
Prolific and impacting issues of Q3 2009 ................... 25
References ................................................. 46


About the report


The IBM Internet Security Systems X-Force Threat Insight Quarterly is designed to highlight some of the most significant threats and challenges facing security professionals today. This report is a product of IBM Managed Security Services and the IBM Internet Security Systems (ISS) X-Force research and development team. Each issue focuses on specific challenges and provides a recap of the most significant recent online threats.

IBM Managed Security Services are designed to help an organization improve its information security by outsourcing security operations or supplementing its existing security teams. The IBM ISS protection on-demand platform helps deliver Managed Security Services and the expertise, knowledge and infrastructure an organization needs to secure its information assets from Internet attacks.

The X-Force team provides the foundation for a preemptive approach to Internet security. The X-Force team is one of the best-known commercial security research groups in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology for IBM ISS products, and educates the public about emerging Internet threats.

We welcome your feedback. Questions or comments regarding the content of this report should be addressed to XFTAS@us.ibm.com.


Port Security: One More Tool in the Toolbox


By Michael Vucelich
Introduction

In the past few years, we have heard a great deal about perimeter security. Organizations spend a significant amount of time and resources building a secure perimeter to protect their internal networks, which support business operations and allow communication with both employees and the outside world. Because of the criticality of the internal network infrastructure, and because of the amount of malicious activity and the number of would-be criminals on the Internet, this type of security barrier is an essential requirement of any robust security architecture.

A typical perimeter security configuration makes use of routers and firewalls to establish multiple zones or layers of communication within a company's network, each with a defined set of criteria for access to the resources it contains. To do this, IT security experts commonly set up a demilitarized zone (DMZ). A DMZ typically houses public-facing servers such as those hosting the company's Web site or providing other services to customers or users. Network resources placed here are public-facing and, because of their exposed location, should not contain sensitive information. These DMZs are configured so that should one of their systems be compromised, the likelihood of the attack penetrating further is very low.

Beyond the DMZ, inside the more secure perimeter, are the more sensitive resources. These internal resources are protected from outside attacks by firewall rules and access control lists (ACLs) that selectively restrict access from the outside world. Additionally, these internal networks are often further segmented into different zones, each with its own set of rules. Although not impenetrable, these protective measures mitigate a significant number of threats.


A network perimeter is analogous to a castle's walls or moat. While these barriers can deflect many attacks from the outside, once an enemy has penetrated them, they are no longer effective. A classic example that illustrates this point is the tale of the Trojan Horse. According to Virgil's poem, The Aeneid [1], the Greeks had tried unsuccessfully for many years to penetrate the city of Troy. The city's defenses had effectively thwarted every attack. In the end, the Greeks feigned defeat and left behind a giant wooden horse. After the Greeks left, the Trojans, believing they were victorious, opened their gates and pulled the horse into their city, claiming it as a trophy. Unfortunately for the Trojans, several Greek soldiers were hidden within the horse. After nightfall, the soldiers were easily able to open the city gates from the inside and allow the rest of their army to enter and take the city.

The term Trojan Horse has become a common phrase within the computer security world, where it refers to a file or application that appears on the surface to be innocent but actually contains malicious code. Just as in the physical analogy, a computer network and its resources are much more susceptible to an attack from the inside, and in this article we will discuss one way this can be accomplished: through a physical port on a wired Ethernet switch.
The Road to Vulnerable Systems is Paved with Good Intentions

Although the term attack is generally used when we refer to a network security compromise, the first step is often entirely innocent. In the course of business, it is not uncommon to invite customers, contractors, potential clients, or business partners to on-site visits for meetings, sales pitches, or any number of other reasons. During these events, visitors may attempt to plug a laptop or other device into a network port, with or without permission. Most of the time, the intent is not malicious; it is simply a matter of their needing network access and there being a free network port on the wall beside them. Likewise, employees may attempt to connect other devices to the network using either cabled or wireless access points, unintentionally introducing security risks.

[1] Virgil, The Aeneid: http://classics.mit.edu/Virgil/aeneid.mb.txt


So, what is the risk? The obvious risk is that an individual with malicious intent might be able to bypass security restrictions and intentionally gain unauthorized access to company resources and data. The less obvious risk is that a well-intentioned individual may inadvertently connect a device that is vulnerable to compromise or, in the worst case, is already compromised. Such a system would have a vantage point from which to attack other internal systems.

Businesses that have reached a certain level of maturity usually have security policies in place, backed by an IT department that ensures that users' systems are up to date with security patches, compliant with company policy and running authorized software. Not surprisingly, these policies also dictate that systems not meeting certain standards are not allowed to connect to the network. Port security is another method that can be used to help enforce this policy and ensure that unauthorized systems are handled appropriately. Remember that good security is built in layers, and port security is one of those layers.
Basic Port (in)Security

In all but the smallest of organizations, it is difficult or impossible to physically protect and manage all network connections. Most modern business-grade switches provide several options for locking down ports to varying degrees. In the following examples, we use a version of Cisco Internetwork Operating System (IOS) commands to demonstrate various configurations. Other brands of switches use the same or very similar syntax to accomplish these tasks. The exact syntax for a specific switch and operating system should be available in the vendor's documentation. Although this article outlines some common commands for configuring port security, it should also give the reader an overview of the available options in a way that can be understood without any prior knowledge of IOS.


The basic command for configuring port security is switchport port-security. This command can accept several arguments, and the basic syntax is as follows:

switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
    [mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]]
    [maximum value [vlan {vlan-list | {access | voice}}]]

or:
switchport port-security [aging] [violation {protect | restrict | shutdown | shutdown vlan}]

The simplest way to secure a port is to disable it. This works well in a static environment, but it could increase the administrative overhead in a large or dynamic network. In general, it is a good idea to disable any ports that are not needed and only enable them in anticipation of their being used. This reduces the chance that a visitor or employee will be able to connect to the network by plugging a device into any random jack that can be found. To disable a port in IOS, simply issue the shutdown command from interface mode for a single port or a range of ports.

Disabling ports will prevent unused ports from being used to connect to the network, but it will do nothing to protect active ports from misuse. Consider the situation in which an employee brings his or her personal laptop from home into the office. A small hub could be used to connect that laptop to the same port as an official workstation. Alternatively, someone with more malicious intent could connect to that hub or simply unplug a system that isn't being used and replace it with their own.

Switches often provide mechanisms that can be used to restrict what devices are allowed to connect to them. One simple, yet flexible, way to place restrictions is through the switchport port-security command mentioned previously. This command uses media access control (MAC) addresses to keep track of which devices are connected to, or attempting to connect to, a switch. A MAC address is a unique identifier assigned to a network interface, such as the Ethernet cards that most computers use to connect to wired or wireless networks.


As shown before, the switchport port-security command can accept several arguments that determine what devices are allowed to connect and what action to take when an unauthorized device attempts to make a connection. The command can be used to define the maximum number of MAC addresses that are allowed to connect to a particular port. If the command is issued by itself with no arguments, the port it is issued on will be restricted to a single MAC address. The maximum argument can be used to specify a higher number, which would be useful if, for example, a hub were attached to that port. By default, a port-security enabled port will grab the first x MAC addresses that it detects, where x is the number specified by the maximum argument (or a single MAC address if no maximum is specified), and store them as entries in Random Access Memory (RAM). Any MAC addresses that are detected after this point are considered to be in violation of the rule. In the absence of any other arguments, these entries will be erased if the switch is reloaded and relearned once it is running again.

For more granular control, the mac-address argument can be used to identify specific MAC addresses rather than learning them dynamically. This option provides a greater level of control, since only pre-approved devices will have entries and be allowed to connect. Enumerating specific MAC addresses gives administrators a great deal of control over the network, but it also results in more labor overhead, since each and every change to the network requires a manual edit to the configuration. Constant manual intervention is simply not practical in large or dynamic networks.

Another option combines dynamic MAC address acquisition with the persistence of static entries. If the sticky argument is used, then dynamically learned MAC addresses are added to the running configuration of the switch as if they had been entered with the mac-address argument described in the previous paragraph. If the running configuration is saved as the startup configuration, these entries will remain even after a reboot. This option is useful for creating a baseline of an existing network.


Now that the procedures for limiting which systems are allowed to connect have been established, the focus changes to what will happen if a device attempts to connect to a switch in violation of these criteria. The default behavior of most switches is simply to shut down any port where a violation is detected, allowing no more traffic to flow until it is manually re-enabled; however, several other options are also available. In IOS, the violation keyword is used in combination with one of three options to set the violation behavior. The three options are shutdown, protect, and restrict. As already mentioned, the default is shutdown, so it is not necessary to specify this option unless one of the other states is being overridden.

The shutdown option, while the most secure, is also the most likely to cause labor overhead and disrupt legitimate business. A shutdown could be triggered by something as simple as plugging a cable into the wrong port. An administrator would be required to manually re-enable that port, resulting in a delay, and possibly downtime, for the user or system that needs that port. As with many other aspects of security, selecting a switch's violation behavior is a trade-off between security and usability, and the best solution will vary between organizations depending on their needs.

A more forgiving option would be to use protect or restrict, which are very similar to each other. In protect mode, a switch will simply ignore any traffic from MAC addresses that are in excess of the specified maximum. The restrict mode does the same thing, but it also sends an SNMP trap so that administrators are notified that a violation has occurred. Since no pre-existing traffic flows will have been interrupted, the administrator is able to investigate (or ignore) the violation as time permits.


One additional option that may be useful is error auto-recovery. With auto-recovery, ports that have gone into shutdown mode can re-enable themselves after a certain time interval, specified in seconds. Unlike the previous commands in this article, this command must be entered from global configuration mode as opposed to interface mode. The syntax for setting auto-recovery from port security violations after sixty seconds would look like:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 60

This section has covered the basics of port security, but depending on the particular switch and operating system, other options may be available as well. These can be reviewed by consulting the vendor's documentation.

The techniques in this section are useful for preventing a wide range of problems, most of which are innocent mistakes or well-intentioned, but potentially risky, actions. These techniques are likely to prevent visitors or employees from connecting unapproved devices to the network, and they can also be used to prevent someone from accidentally connecting an approved device to the wrong switch or network segment. Since the majority of port security violations are likely to fall into this category, these rules should increase the overall security of the network. They should also save network administrators time by reducing the effort spent investigating unfamiliar devices, traffic patterns, or other problems introduced by do-it-yourself employees.

Unfortunately, the techniques in this section will do little to prevent a knowledgeable person with malicious intent from accessing the network. This is because these techniques rely on MAC addresses, which are assumed to be unique, to identify devices. The problem is that MAC addresses are easily spoofed. An attacker could learn the MAC address of an authorized system and use it to gain unauthorized access to the network. The next section describes a method that requires more time and effort to set up, but which provides much stronger port security, as well as several other benefits that are not necessarily security related.
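Before moving on, the following Python model (an added example, not code from the article or from Cisco) walks through the port-security behaviour just described: it accepts the same interface-mode commands the article shows, learns MAC addresses up to the maximum, persists sticky entries into the running configuration, applies the protect, restrict and shutdown violation modes, and simulates a reload and an errdisable recovery. The MAC addresses and the interface configuration in demo() are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

FORWARD, DROP, ERRDISABLE = "forward", "drop", "errdisable"
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # IOS dotted format


@dataclass
class SecuredPort:
    """One access port with port-security as the article describes it (model only)."""
    enabled: bool = False
    maximum: int = 1                 # default: a single MAC address
    violation: str = "shutdown"      # default violation mode
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)   # static + learned
    running_config: List[str] = field(default_factory=list)
    startup_config: List[str] = field(default_factory=list)
    errdisabled: bool = False
    snmp_traps: List[str] = field(default_factory=list)

    def apply(self, line: str) -> None:
        """Apply one interface-mode command (only the subset shown in the article)."""
        t = line.split()
        if t[:2] != ["switchport", "port-security"]:
            raise ValueError("not a port-security command: " + line)
        self.enabled = True
        args = t[2:]
        if args and args[0] == "maximum":
            self.maximum = int(args[1])
        elif args and args[0] == "violation":
            if args[1] not in ("protect", "restrict", "shutdown"):
                raise ValueError("unknown violation mode " + args[1])
            self.violation = args[1]
        elif args[:2] == ["mac-address", "sticky"]:
            self.sticky = True
            if len(args) == 3:                 # sticky entry restored from saved config
                self._secure(args[2])
        elif args[:1] == ["mac-address"]:      # static, pre-approved entry
            self._secure(args[1])
        elif args:
            raise ValueError("unsupported argument " + " ".join(args))
        if line not in self.running_config:
            self.running_config.append(line)

    def _secure(self, mac: str) -> None:
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC " + mac)
        if mac not in self.secure_macs:
            self.secure_macs.append(mac)

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving from src_mac."""
        if self.errdisabled:
            return ERRDISABLE                  # port is down until recovered
        if not self.enabled or src_mac in self.secure_macs:
            return FORWARD
        if len(self.secure_macs) < self.maximum:
            self._secure(src_mac)              # dynamic learning (RAM only)
            if self.sticky:                    # persisted like a static entry
                self.running_config.append(
                    "switchport port-security mac-address sticky " + src_mac)
            return FORWARD
        # a MAC beyond 'maximum': apply the violation mode
        if self.violation == "restrict":
            self.snmp_traps.append("psecure-violation " + src_mac)
        elif self.violation == "shutdown":
            self.errdisabled = True
            return ERRDISABLE
        return DROP                            # protect/restrict: frame ignored

    def write_memory(self) -> None:
        self.startup_config = list(self.running_config)

    def reload(self) -> None:
        """Reboot: dynamic entries vanish, whatever was saved is re-applied."""
        saved = list(self.startup_config)
        self.__init__()
        for line in saved:
            self.apply(line)
        self.startup_config = saved

    def errdisable_recovery(self) -> None:
        self.errdisabled = False               # errdisable recovery timer fired


def demo() -> Dict[str, object]:
    """Sticky + restrict on one port, then the default (maximum 1, shutdown) on another."""
    p = SecuredPort()
    for line in ("switchport port-security",
                 "switchport port-security maximum 2",
                 "switchport port-security mac-address sticky",
                 "switchport port-security violation restrict"):
        p.apply(line)
    ws, phone, visitor = "0011.2233.4455", "0011.2233.4466", "0011.2233.4477"  # constructed
    out: Dict[str, object] = {"ws": p.receive(ws), "phone": p.receive(phone),
                              "visitor": p.receive(visitor), "traps": len(p.snmp_traps)}
    p.write_memory()
    p.reload()
    out["after_reload"] = list(p.secure_macs)   # sticky entries survived the reboot
    q = SecuredPort()
    q.apply("switchport port-security")          # defaults: one MAC, shutdown
    q.receive(ws)
    out["shutdown"] = q.receive(visitor)         # second MAC errdisables the port
    out["ws_during_shutdown"] = q.receive(ws)    # the legitimate device is cut off too
    q.errdisable_recovery()
    out["ws_after_recovery"] = q.receive(ws)
    return out
```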


IEEE 802.1X Network Access Control

The basic port security configuration described in the previous section is easy to set up and can be quickly deployed to prevent a variety of problems. Although it is not one hundred percent secure, it is nonetheless effective and easy to use. For those looking for something a little stronger, another option called 802.1X exists. 802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard for network access control. It can be used on both wired and wireless networks, but this article focuses on the wired application of the standard. It takes more time and effort to set up 802.1X on a network, but the reward for doing so is strong port security and other non-security benefits.

802.1X uses the Extensible Authentication Protocol (EAP) to authenticate a device before allowing it access to a network. There are three basic components used in the process: a supplicant, an authenticator and an authentication server. The supplicant is typically a device such as a laptop or workstation that is requesting access to the network. The authenticator is the switch that the supplicant is connecting to. The authentication server is the system that decides whether or not the supplicant should be granted access to the network, and it is typically a Remote Authentication Dial-In User Service (RADIUS) server.

When a device is first connected to an 802.1X-enabled network, the switch, or authenticator, will only allow 802.1X traffic to flow through the port that it is connected to; all other types of traffic will be blocked. An attacker would not be able to do anything malicious from this state. When an authenticator detects a new device, or a new supplicant, it sends an EAP request to the device prompting it for credentials. If the supplicant responds, the authenticator passes the response on to the authentication server, which will either grant or deny access to the network based on the response. If the authentication server denies access, the authenticator will continue to block all traffic, except for 802.1X traffic, from flowing through the port that the supplicant is connected to. If the authentication server accepts the request, then the authenticator will remove the restriction and allow the supplicant to communicate freely.


802.1X allows for a great deal of flexibility in the authentication scheme. Most modern operating systems are able to act as a supplicant out of the box, while others can be made to work through third-party client software. RADIUS servers also provide flexibility in how they authenticate a supplicant. They are typically set up to authenticate supplicants based on secure credentials rather than something that can be faked, like the MAC addresses used in the previous section. This makes it much more difficult for attackers to gain access to network resources, since they would need to compromise legitimate credentials in order to be authenticated.

Although 802.1X requires more overhead in the initial setup, it can reduce workload later, especially in large or dynamic environments. It can be combined with dynamic VLANs to not only authenticate and authorize clients, but also to assign them to particular segments of the network. This can be useful for an organization that has frequent visitors requiring Internet access while on site. Unauthorized clients can be placed in a special VLAN that is outside of the company's protected network, allowing them access to the Internet and outside resources but preventing them from accessing internal resources. This can be more efficient than simply blocking access, since an administrator is not needed for this type of basic access. If an employee or visitor needs a higher level of access, they can be added to the authentication server's database and allowed access to the appropriate resources.
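The exchange described in this section, as an added Python model (not code from the article, from any switch vendor or from a RADIUS implementation): the authenticator port passes only EAPOL frames until the authentication server accepts the supplicant, a rejected supplicant is left on a guest VLAN, and an accepted one is moved to the VLAN the server returns. The EAPOL EtherType 0x888E is the real one; the guest VLAN number, the user account, the password-in-clear EAP response (standing in for a real EAP method) and the Frame layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EAPOL_ETHERTYPE = 0x888E     # the only frame type passed while the port is unauthorized
GUEST_VLAN = 900             # constructed value for the visitor VLAN


@dataclass
class Frame:
    ethertype: int
    payload: Dict[str, str]  # EAP fields for EAPOL frames, anything otherwise


class AuthServer:
    """RADIUS-like decision point: identity/password -> (accept?, VLAN)."""

    def __init__(self, users: Dict[str, Tuple[str, int]]):
        self.users = users   # identity -> (password, VLAN); constructed data

    def access_request(self, identity: str, password: str) -> Tuple[bool, Optional[int]]:
        entry = self.users.get(identity)
        if entry and entry[0] == password:
            return True, entry[1]            # Access-Accept carrying the VLAN to assign
        return False, None                   # Access-Reject


class AuthenticatorPort:
    """The switch port: relays EAP, blocks everything else until authorized."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized = False
        self.vlan = GUEST_VLAN
        self.log: List[str] = []

    def link_up(self) -> Frame:
        """New device detected: start unauthorized and prompt it for credentials."""
        self.authorized, self.vlan = False, GUEST_VLAN
        return Frame(EAPOL_ETHERTYPE, {"code": "Request", "type": "Identity"})

    def receive(self, frame: Frame) -> str:
        if frame.ethertype != EAPOL_ETHERTYPE:
            if self.authorized:
                return f"forwarded on VLAN {self.vlan}"
            return f"confined to guest VLAN {self.vlan}"   # blocked from internal VLANs
        # EAPOL: hand the supplicant's response to the authentication server
        ok, vlan = self.server.access_request(frame.payload.get("identity", ""),
                                              frame.payload.get("password", ""))
        if ok:
            self.authorized, self.vlan = True, vlan
            self.log.append("EAP-Success")
            return f"EAP-Success, port authorized on VLAN {vlan}"
        self.log.append("EAP-Failure")
        return "EAP-Failure, port stays unauthorized"


def walkthrough() -> List[str]:
    """Supplicant tries plain traffic, a bad credential, then a good one."""
    server = AuthServer({"alice": ("correct horse", 10)})    # constructed account
    port = AuthenticatorPort(server)
    steps = []
    req = port.link_up()
    steps.append(f"authenticator -> supplicant: EAP {req.payload['code']}/{req.payload['type']}")
    ip_packet = Frame(0x0800, {"note": "IPv4 packet"})      # ordinary, non-EAPOL traffic
    steps.append(port.receive(ip_packet))                   # before answering: confined
    steps.append(port.receive(Frame(EAPOL_ETHERTYPE, {"code": "Response", "identity": "alice",
                                                       "password": "guess"})))
    steps.append(port.receive(ip_packet))                   # still confined after a reject
    steps.append(port.receive(Frame(EAPOL_ETHERTYPE, {"code": "Response", "identity": "alice",
                                                       "password": "correct horse"})))
    steps.append(port.receive(ip_packet))                   # now on the assigned VLAN
    return steps
```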
Conclusion and Recommendations

Just as a perimeter with firewalls and intrusion detection/prevention systems (IDS/IPS) is not a silver bullet for securing a network, neither is port security. Port security can, however, add another layer of security, making a would-be attacker's job that much harder. Keeping systems up to date with security patches is probably the most important thing that can be done to protect a network, but patches aren't always available, and it also takes time to deploy them. A layered approach to security, including anti-virus software, IDS/IPS, firewalls, access control lists, and port security, can help mitigate threats by keeping attackers away from vulnerable systems until they can be properly patched. Like most other security measures, port security is a trade-off between security and usability. Different organizations will have different needs and priorities, but they should be aware of what tools are available should they choose to make use of them.


What does this file do?


By Chris Ahearn
Introduction

It is a beautiful early fall evening. You are the IT security professional and were just about to head out the door for that nice workout when the phone rings. You cringe as you pick up the receiver. It is the server administrator and other coworkers on a conference call you were just brought into. "We think we have a virus," says one administrator. "We found some files on our server after noticing some strange server activity," says the server manager. "This is a revenue-generating production system and we need you to investigate. We have a sample. What does this file do?"

This all-too-common scenario is the bane of every IT security professional's personal life. You never know when it's going to happen, or how long you will have to spend investigating, but what you do know is that it won't be fun, or easy. Each security professional is different and brings different skills to bear regarding data forensics. And while it is helpful to have programming experience, it is not a requirement for doing malware analysis. There are typically two stages of analysis: behavioral analysis and code analysis. Each stage gives the analyst a better understanding of what the file in question is actually doing. However, if your strengths are in network and host-based security, then focus on your strengths. In this article, we will focus on the behavioral aspects of malware analysis that can, and should be, expected when dealing with files of unknown origin.


Some good tips to remember as you begin your investigation are as follows:

1. Have a thorough understanding of the tools at your disposal as well as when to use them.
2. Be mindful of the protection systems that are in place. If files must be transmitted through the company email system, make sure they are password protected. This way, you won't trip antivirus programs at the email servers or gateways.
3. When possible, conduct your analysis in an isolated lab environment, completely removed from the production network.
4. There are several online services that will provide a thorough report of a suspected malicious binary; however, keep in mind that the reports may not provide every detail you need, or there may be times when the file you want to analyze should not be shared with an outside organization.

The Setup

Big shiny hardware is nice, but it is not always necessary for analyzing malware. For this setup, we will use one robust system running VMware. VMware can run on OS X, Microsoft Windows and Linux and is limited only by the amount of CPU, memory and hard drive space available on the host OS. Since we are going to run multiple virtual machines to conduct our analysis, your host system should be able to support itself, the VMware application and the guest operating systems.

At a minimum, we will work with one Linux analysis system and one Windows XP analysis system. Malware can exhibit different behavior on other Windows operating systems, so create the ones that you are most interested in analyzing. Create the virtual machines that will best suit your environment. Running two virtual machines simultaneously will use up a lot of host resources. While it may be nice to add a second Windows analysis system to the lab environment, it may not be an efficient use of the host's resources. Choose the setup that works best for you and the resources you are working with.

Within VMware, you can choose how your systems are networked. Aside from custom network settings, there are three ways to network your guest virtual machines: Bridged, NAT and Host Only.


If your host computer is on an Ethernet network, Bridged networking is often the easiest way to give your virtual machine access to that network. If you use Bridged networking, the virtual machine is a full participant in the network [2]. It has access to other machines and can be contacted by other machines on the network as if it were a physical computer on the network. Unless you are on a specially designed and isolated network, Bridged networking is not the best choice when analyzing malware.

If you want to connect to the Internet or another TCP/IP network using the host computer's dial-up networking or broadband connection and you are not able to give your virtual machine an IP address on the external network, NAT is often the easiest way to give your virtual machine access to that network [3]. If you use NAT, your virtual machine does not have its own IP address on the external network. Instead, a separate private network is set up on the host computer. Your virtual machine gets an address on that network from the VMware virtual DHCP server. The VMware NAT device passes network data between one or more virtual machines and the external network. It identifies incoming data packets intended for each virtual machine and sends them to the correct destination. The NAT connection should only be used in special circumstances under extremely controlled conditions. Your virtual machines would still be connected to a network, and when handling malicious code, it is essential that it not get out and into your production environment. If you must allow malicious code access to the Internet, do so under extremely guarded conditions and only with a dedicated and direct line to the Internet.

[2] VMware, http://www.vmware.com/support/ws4/doc/network_bridged_ws.html
[3] VMware, http://www.vmware.com/support/ws5/doc/ws_net_configurations_nat.html


The safest mode for operating in VMware when conducting malware analysis is Host Only. Host Only networking provides a network connection between the virtual machine and the host computer, using a virtual Ethernet adapter that is visible to the host operating system [4]. This approach can be useful if you need to set up an isolated virtual network. If you use host-only networking, your virtual machine and the host virtual adapter are connected to a private TCP/IP network. Addresses on this network are provided by the VMware DHCP server. This is the safest environment when analyzing malicious code.

Using VMware for malware analysis is not without risks. There have been vulnerabilities in VMware that could allow malicious code to break out of a guest and infect the host. Other vulnerabilities could allow an attacker to execute arbitrary code remotely. Make sure you keep your VMware software patched; this applies to the host operating system as well.

There are a couple of reasons why using VMware to perform malware analysis is better than using physical systems. First, you have the ability to take snapshots with VMware. A snapshot saves the system in a state that allows you to quickly revert back if you need to. If you are familiar with the time it takes to image and re-image a system, you are aware of how helpful this snapshot feature is. Once you have your systems in a good working state and loaded with the tools you want to work with, take a snapshot. Another reason is portability. You can save your virtual machines onto external media and call them up as needed. Still another is machine configuration. If one system requires more memory or more hard drive space than another, it is simply a matter of changing a setting rather than allocating physical memory or physical disk space to a system.

[4] VMware, http://www.vmware.com/support/ws55/doc/ws_net_configurations_hostonly.html


The Virtual Machines

The Linux virtual machine does not have to be fancy. At a minimum, you will need sudo or root access to the system to run your network sniffer (tcpdump) and netcat. Using a Linux LiveCD, such as Backtrack or Knoppix, or a Live Install CD, such as Ubuntu or Fedora, would be fine. Some distributions may contain additional services such as an IRC server, DNS, Web and/or a SQL server. The example here will use Ubuntu with tcpdump and netcat. The commands should work with some slight variations depending on your analysis system.

The Windows system is XP Professional with Service Pack 2. You do not want to add any additional patches. Since we are analyzing malware, we want to give it a wide enough target to operate in. There are enough vulnerabilities between XP Service Pack 2 and the latest service pack with patches that there is a lot of opportunity for the malware to exploit. We also want to add some tools to the Windows XP system to assist in system monitoring. The first tool is Capture BAT from the Honeynet Project. From the description on the Capture BAT Web page:

Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. [5]

The next two tools are from Microsoft (formerly Sysinternals). They are Process Monitor [6] and Process Explorer [7]. Process Monitor can monitor and log file system and registry activity on a machine, while Process Explorer can assist in determining what .dll files are used by a particular process. Both of these tools will help in the analysis.

[5] The Honeynet Project, Capture-BAT download page: https://honeynet.org/node/315
[6] Sysinternals Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
[7] Sysinternals Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx


The last tool is RegShot [8]. RegShot allows the analyst to take a snapshot of the Windows Registry. Once you have your snapshot, you can launch your malware and take another snapshot with RegShot. You are then able to compare the differences, though you will have to filter out some of the background noise, since the registry is being written to all the time. Once your tools are loaded, verify your network connectivity. You should be using Host Only in VMware and not have a connection to the production network. Make sure you can ping the other system.
Take a Look at the File

Once you receive your malware sample, start by calculating the MD5 and SHA1 hashes. Search on the hashes in your favorite search engine. There is a very good chance that the file you are about to analyze has already been analyzed by someone else. While the file name may be different, the content of the file is still the same, and a hash search for this information can save you a lot of time. It is also recommended to input the hash into VirusTotal [9]. VirusTotal is an online tool that will analyze a binary file for malicious code against multiple antivirus engines. This will give you an idea of what products have coverage and with what virus definitions. When possible and permissible, take advantage of online tools such as ThreatExpert [10], Anubis [11], and CWSandbox [12]. These online tools offer a quick analysis of an unknown binary and provide some very detailed information regarding what the file is doing. However, they are not recommended as the only source for your analysis. These, along with VirusTotal, are not 100% accurate and may miss an important element that is critical to your investigation. Use them to complement your analysis.
[8] SourceForge Regshot http://sourceforge.net/projects/regshot/
[9] VirusTotal http://www.virustotal.com/
[10] ThreatExpert http://threatexpert.com/
[11] Anubis http://anubis.iseclab.org/
[12] CW Sandbox http://www.sunbeltsecurity.com/Submit.aspx?type=cwsandbox&cs=A41CD150B37359889A553671CBFD2360


The sample we will examine here is a variant of the Neeris worm, which was found in April 2009. The malicious binary is 1sass.exe with an MD5 of 540acfa138b32e706d5bb8b3f2db1f8b. Start the Linux virtual machine and begin your sniffer, filtering on the IP address of your Windows system. You can add -w [filename] to save your tcpdump output to a packet capture file.

On the Windows system, start Process Explorer and Process Monitor and take the first shot with RegShot.


Launch Capture BAT and then launch your malware sample. You can also have Capture BAT save its output by redirecting it to a text file: CaptureBAT.exe > capturebat_output.txt

Once you have launched your malware sample and have let tcpdump run for a few minutes to capture the network traffic, you can hit CTRL+C to exit Capture BAT, run RegShot again to get your second snapshot, and then begin the log file analysis. When we examine the Capture BAT output first, we notice a few interesting registry and file changes.
registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass
registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lsass
registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\lsass
file: Write C:\Documents and Settings\Administrator\Desktop\1sass.exe -> C:\WINDOWS\system\1sass.exe
file: Write C:\Documents and Settings\Administrator\Desktop\1sass.exe -> C:\WINDOWS\system\1sass.exe
file: Write System -> C:\WINDOWS\system\1sass.exe


A little further down we see something else worth checking into:


registry: SetValueKey C:\WINDOWS\system\1sass.exe -> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system\1sass.exe

And just beyond that, we can see more interesting entries:


file: Write C:\WINDOWS\system\1sass.exe -> C:\WINDOWS\system32\drivers\sysdrv32.sys
registry: SetValueKey System -> HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control\ActiveService
file: Write C:\WINDOWS\system\1sass.exe -> F:\autorun.inf
file: Write C:\WINDOWS\system\1sass.exe -> F:\Key-Installer.exe (we will talk about this later)

We can see that this malware is trying to load itself on startup by placing itself in the Run key. We also see that the malware is storing itself in C:\WINDOWS\System\1sass.exe. It appears to be making changes to the Windows Firewall as well, adding itself to the list of authorized applications. This malware is a little unusual in that it creates a second file called sysdrv32.sys and stores it in the C:\WINDOWS\System32\drivers directory. Also note the registry location: it is trying to load as a device driver. Let's shift our focus toward the registry comparison. We can see several keys and values added to the registry, many of which are related to 1sass.exe and sysdrv32.sys. We can also see the name under which the driver tries to load:
HKLM\SYSTEM\ControlSet001\Services\sysdrv32\DisplayName: Play Port I/O Driver
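A small triage parser for the Capture BAT lines shown above, as an added example (it is not Capture BAT's own code, nor a tool from the report): it splits each "<kind>: <action> <process> -> <target>" line and flags the persistence and spreading indicators the text describes (the Run key, the SafeBoot keys, the Windows Firewall authorized-applications list, a LEGACY_ driver enumeration key, a .sys dropped into system32\drivers, a copy placed under the Windows directory, and autorun.inf plus an executable written to a drive root). The indicator names and regular expressions are my own; the sample lines are the ones quoted in this report.

```python
"""Capture BAT log triage. Added example, not Capture BAT's own code nor a
tool from the report; indicator names and patterns are my own."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    kind: str      # "registry", "file", "process"
    action: str    # e.g. "SetValueKey", "Write", "Delete"
    process: str   # process that performed the action
    target: str    # registry key or file path that was touched


def parse_line(line: str) -> Optional[Event]:
    """Parse one Capture BAT line of the form
    '<kind>: <action> <process> -> <target>'. Returns None for banner or
    status lines that do not follow that shape."""
    kind, sep, rest = line.strip().partition(": ")
    if not sep or " -> " not in rest:
        return None
    action, _, rest = rest.partition(" ")
    process, _, target = rest.partition(" -> ")
    return Event(kind, action, process, target.strip())


# (name, event kind, regex applied to the target). Derived from the behaviour
# seen in the report's sample; extend the list as you meet new tricks.
INDICATORS = [
    ("run_key_autostart", "registry",
     re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("safeboot_persistence", "registry",
     re.compile(r"\\Control\\SafeBoot\\", re.I)),
    ("firewall_exception", "registry",
     re.compile(r"\\FirewallPolicy\\.*\\AuthorizedApplications\\", re.I)),
    ("legacy_driver_enum", "registry",
     re.compile(r"\\Enum\\Root\\LEGACY_", re.I)),
    ("driver_dropped", "file",
     re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.I)),
    ("copy_to_windows_dir", "file",
     re.compile(r"^[A-Z]:\\WINDOWS\\system\\[^\\]+\.exe$", re.I)),
    ("autorun_on_drive_root", "file",
     re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)),
    ("exe_on_drive_root", "file",
     re.compile(r"^[A-Z]:\\[^\\]+\.exe$", re.I)),
]


def find_indicators(lines) -> Dict[str, List[str]]:
    """Return {indicator: sorted unique targets} over all parseable lines."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, kind, rx in INDICATORS:
            if ev.kind == kind and rx.search(ev.target):
                hits[name].add(ev.target)
    return {name: sorted(targets) for name, targets in hits.items()}


# The Capture BAT lines quoted in the report: the process is the sample on the
# desktop and, later, its copy under C:\WINDOWS\system.
SAMPLE_LOG = [
    r"registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass",
    r"registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lsass",
    r"registry: SetValueKey C:\Documents and Settings\Administrator\Desktop\1sass.exe -> HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\lsass",
    r"file: Write C:\Documents and Settings\Administrator\Desktop\1sass.exe -> C:\WINDOWS\system\1sass.exe",
    r"file: Write System -> C:\WINDOWS\system\1sass.exe",
    r"registry: SetValueKey C:\WINDOWS\system\1sass.exe -> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system\1sass.exe",
    r"file: Write C:\WINDOWS\system\1sass.exe -> C:\WINDOWS\system32\drivers\sysdrv32.sys",
    r"registry: SetValueKey System -> HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\0000\Control\ActiveService",
    r"file: Write C:\WINDOWS\system\1sass.exe -> F:\autorun.inf",
    r"file: Write C:\WINDOWS\system\1sass.exe -> F:\Key-Installer.exe",
]


if __name__ == "__main__":
    for indicator, targets in sorted(find_indicators(SAMPLE_LOG).items()):
        print(indicator)
        for target in targets:
            print("   ", target)
```

Feed it the capturebat_output.txt produced by the redirect above; each indicator that fires is a candidate line in the incident report and a candidate registry or file check for the cleanup.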


This malware is entrenching itself quite deep in the Windows registry and would be difficult to remove. It starts up, and continues to start up, despite the efforts of many system administrators. Now we look at the packet capture in either tcpdump or Wireshark. There are a lot of ARP requests as well as SMB traffic. It appears as if the malicious code is trying to spread through NetBIOS. There is also a packet we haven't seen before:
08:35:26.526398 IP (tos 0x0, ttl 128, id 2807, offset 0, flags [none], proto UDP (17), length 78) 192.168.135.128.137 > 192.168.135.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x8023 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
QuestionRecords: Name=3.KDJ2JX.COM NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1
0x0000: 4500 004e 0af7 0000 8011 9ed7 c0a8 8780 E..N............
0x0010: c0a8 87ff 0089 0089 003a 4cfc 8023 0110 .........:L..#..
0x0020: 0001 0000 0000 0000 2044 4443 4f45 4c45 .........DDCOELE
0x0030: 4545 4b44 4345 4b46 4943 4f45 4445 5045 EEKDCEKFICOEDEPE
0x0040: 4e43 4143 4143 4141 4100 0020 0001 NCACACAAA.....


It now appears as if the malware sample is trying to resolve 3.KDJ2JX.com. A quick Google search does not yield much information on the domain, and we don't know what it is trying to do. There are many solutions to this problem. You could create your own DNS server and point the record to a system you control, or you can modify the Windows hosts file. In this case, the hosts file is the easiest way to tell the infected system where to go to find the system it is looking for. We will launch tcpdump on the Linux system again, and then edit the hosts file on the Windows system. Open C:\WINDOWS\System32\drivers\etc\hosts with Notepad.exe and add an entry just below the localhost line with the IP address of your Linux analysis system, like the following:

127.0.0.1 localhost
192.168.135.133 3.kdj2jx.com
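The NetBIOS name in that packet is stored in RFC 1001 first-level encoding, which is why the ASCII column of the dump reads DDCOELE... rather than the domain. As an added example (not from the report), this Python code parses the frame from the hex dump above, decodes the 32-letter name back to 3.KDJ2JX.COM together with its suffix byte, and produces the hosts-file line that points the name at the analysis system. The frame bytes are re-typed from the dump and 192.168.135.133 is the analysis address the report uses; the function and field names are my own.

```python
"""Decode the NetBIOS Name Service query from the report's hex dump.
Added example, not from the report; frame bytes re-typed from the dump."""
import struct
from typing import NamedTuple, Tuple

# IPv4 + UDP + NBNS bytes exactly as printed by tcpdump in the report.
FRAME = bytes.fromhex(
    "4500 004e 0af7 0000 8011 9ed7 c0a8 8780 "
    "c0a8 87ff 0089 0089 003a 4cfc 8023 0110 "
    "0001 0000 0000 0000 2044 4443 4f45 4c45 "
    "4545 4b44 4345 4b46 4943 4f45 4445 5045 "
    "4e43 4143 4143 4141 4100 0020 0001"
)


class NbnsQuery(NamedTuple):
    src: str
    dst: str
    trn_id: int
    is_response: bool
    opcode: int
    broadcast: bool
    rcode: int
    name: str        # decoded NetBIOS name, space padding stripped
    suffix: int      # 16th byte: 0x00 workstation, 0x20 server, ...
    scope: str       # scope labels after the name, usually empty
    qtype: int
    qclass: int


def decode_nb_name(encoded: str) -> Tuple[str, int]:
    """Undo RFC 1001 first-level encoding: every byte of the 16-byte name was
    split into two nibbles and each nibble written as 'A' + nibble, so the
    wire form is 32 letters in the range A..P. Returns (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def parse_nbns_query(frame: bytes) -> NbnsQuery:
    """Walk the IPv4 and UDP headers, then the NBNS header and first question."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not a UDP datagram")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    _sport, _dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:ihl + ulen]
    trn_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question record")
    pos, labels = 12, []          # 12-byte NBNS header, then DNS-style labels
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    name, suffix = decode_nb_name(labels[0])
    return NbnsQuery(
        src=src, dst=dst, trn_id=trn_id,
        is_response=bool(flags & 0x8000),     # R bit
        opcode=(flags >> 11) & 0x0F,
        broadcast=bool(flags & 0x0010),       # B bit of NM_FLAGS
        rcode=flags & 0x0F,
        name=name, suffix=suffix, scope=".".join(labels[1:]),
        qtype=qtype, qclass=qclass,
    )


def hosts_entry(query: NbnsQuery, sink_ip: str) -> str:
    """The hosts-file line that sends the queried name to the analysis box."""
    return f"{sink_ip} {query.name.lower()}"


if __name__ == "__main__":
    q = parse_nbns_query(FRAME)
    print(f"{q.src} -> {q.dst} TrnID=0x{q.trn_id:04x} broadcast={q.broadcast}")
    print(f"name={q.name!r} suffix=0x{q.suffix:02x} qtype=0x{q.qtype:02x}")
    print(hosts_entry(q, "192.168.135.133"))
```

Because the name is a broadcast NetBIOS lookup and not a DNS query, a DNS sinkhole alone would never see it; decoding the queried name is what lets you choose between the hosts-file edit used here and a NetBIOS-aware responder.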

We are attempting to make the infected Windows system think our Linux analysis system is the intended destination. When we review our newly created packet capture, we see our Windows system trying to communicate with the Linux system on TCP port 449. Let's use our handy tool, netcat, to create a listener and see what is trying to happen.

root@ubuntu:/home/ubuntu# nc -l -p 449
PASS h4xg4ng
NICK [00-USA-XP-9766673]
USER SP2-bqo * 0 :CHRIS-MEP75LWOM

CHRIS-MEP75LWOM is the name of the Windows analysis system.
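A minimal sinkhole listener for the handshake above, as an added example (not from the report and not a netcat feature): it accepts one TCP connection on the port the sample used, reads the first registration lines, and parses the IRC PASS, NICK and USER commands into fields an analyst can record as indicators. The parser is exercised against the three lines netcat showed; the function names are mine, and the listener deliberately sends nothing back, so the client never completes registration.

```python
"""Sinkhole listener for the registration handshake the sample sends.
Added example: not from the report and not a netcat feature."""
import socket
from typing import Dict, List, Optional, Tuple

# The three lines netcat displayed in the report.
SAMPLE_HANDSHAKE = [
    "PASS h4xg4ng\r\n",
    "NICK [00-USA-XP-9766673]\r\n",
    "USER SP2-bqo * 0 :CHRIS-MEP75LWOM\r\n",
]


def parse_irc_registration(lines) -> Dict[str, Optional[str]]:
    """Extract PASS/NICK/USER from the first lines an IRC client sends.
    Missing fields stay None; a repeated command overwrites the earlier one."""
    out: Dict[str, Optional[str]] = {
        "password": None, "nick": None, "user": None, "realname": None}
    for raw in lines:
        line = raw.rstrip("\r\n")
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            out["password"] = rest
        elif cmd == "NICK":
            out["nick"] = rest
        elif cmd == "USER":
            # RFC 2812 form: USER <user> <mode> <unused> :<realname>
            params, _, realname = rest.partition(" :")
            out["user"] = params.split(" ", 1)[0] if params else None
            out["realname"] = realname or None
    return out


def sinkhole_once(host: str = "0.0.0.0", port: int = 449, timeout: float = 30.0
                  ) -> Tuple[str, List[str], Dict[str, Optional[str]]]:
    """Accept one connection, read up to the three registration commands and
    return (peer address, raw lines, parsed fields). Nothing is sent back, so
    the client never gets past registration and cannot receive commands."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    finally:
        srv.close()
    conn.settimeout(timeout)
    lines: List[str] = []
    buf = b""
    try:
        while len(lines) < 3:
            chunk = conn.recv(512)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf and len(lines) < 3:
                line, buf = buf.split(b"\n", 1)
                lines.append(line.decode("ascii", "replace") + "\n")
    except socket.timeout:
        pass
    finally:
        conn.close()
    return peer[0], lines, parse_irc_registration(lines)


if __name__ == "__main__":
    addr, raw, fields = sinkhole_once()
    print("connection from", addr)
    for key, value in fields.items():
        print(f"{key:9} {value}")
```

Binding port 449 needs root on the Linux analysis system, just as the nc -l -p 449 above does; run it after the hosts-file edit and before restarting the sample so the first connection attempt is the one captured.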


Conclusion

At this point, we know that the malware is putting itself deep in the Windows registry, loading itself as a device driver and service, as well as trying to communicate with a password-protected IRC server. There is also one other item. Earlier, there were two entries in Capture BAT that needed to be explained:

file: Write C:\WINDOWS\system\1sass.exe -> F:\autorun.inf
file: Write C:\WINDOWS\system\1sass.exe -> F:\Key-Installer.exe

The malware was loaded onto the Windows system via USB key. In addition to infecting the Windows system, the malware also loaded itself onto the USB key that was still attached. When that USB key is used on another Windows system, the autorun will attempt to infect that system too. As we have demonstrated here, malware analysis does not have to be scary if you approach the malicious code with a fair amount of caution. Behavioral code analysis is only one aspect of investigating malware; however, it may provide the insight you are looking for during your incident handling. Look for changes to the Windows registry and file system as well as the network activity that is taking place. Then you will be in a better position to answer the question, "What does that file do?"


Prolific and impacting issues of Q3 2009


Significant disclosures

In Q3 2009, the X-Force team analysts researched and assessed 1692 security-related threats. A significant percentage of the vulnerabilities featured within the X-Force team database became the focal point of malicious code writers, whose productions include malware and targeted exploits.

Total Vulnerabilities in Q3 2009: 1692

Critical Vulnerability: 16
High Vulnerability: 534
Medium Vulnerability: 1040
Low Vulnerability: 102


The chart below categorizes the vulnerabilities researched by X-Force team analysts according to what they believe would be the greatest categories of security consequences resulting from exploitation of the vulnerability. The categories are: Bypass Security, Data Manipulation, Denial of Service, File Manipulation, Gain Access, Gain Privileges, Obtain Information, and Other. *

[Pie chart: share of Q3 2009 vulnerabilities by consequence category; the percentages are listed below.]


* Represent unique vulnerability count.

Bypass Security (5.67%): Circumvent security restrictions such as a firewall or proxy, an IDS system or a virus scanner.
Data Manipulation (17.48%): Manipulate data used or stored by the host associated with the service or application.
Denial of Service (14.35%): Crash or disrupt a service or system to take down a network.
File Manipulation (0.89%): Create, delete, read, modify, or overwrite files.
Gain Access (47.14%): Obtain local and remote access. This also includes vulnerabilities by which an attacker can execute code or commands, because this usually allows the attacker to gain access to the system.
Gain Privileges (2.42%): Privileges can be gained on the local system only.
Obtain Information (7.56%): Obtain information such as file and path names, source code, passwords, or server configuration details.
Other (4.49%): Anything not covered by the other categories.


The third quarter commenced with a number of critical cyber issues threatening organizations' networks. On July 6, the IBM ISS Threat Level was raised to AlertCon 2 in response to a serious remote code execution vulnerability in the Microsoft Video Controller ActiveX Library, MSVidCtl. The primary vector for this attack is to compromise Web servers and modify the page source to redirect victims to sites serving the DirectShow exploit code. There were multiple versions of the exploit code circulating, which may indicate that the attack was being used by more than one criminal organization. In addition, the payload for at least one of these variations contained key-logging functionality that can result in the loss of data, including financial and system credential information. The IBM ISS Protection Advisory published the same day actually addresses two vulnerabilities discovered by the X-Force team affecting this ActiveX control. The vulnerability mentioned above, CVE-2008-0015, had been exploited in the wild since June 11, 2009 (as discovered by the X-Force team), and was touted by the media and SANS as being exploited in the wild on July 6, 2009 [13]. The second issue, CVE-2008-0020, is a memory corruption vulnerability.

[13] 0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks http://isc.sans.org/diary.html?storyid=6733


This ActiveX control is installed by default on Microsoft XP SP 0 through SP 3. In addition to Internet Explorer, this control may also be loaded through WordPad and Microsoft Office. Microsoft issued a patch that sets the kill bit for this vulnerable control on July 14, 2009.
A protection advisory provided by IBM ISS: Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities [14]
IBM ISS Protection Signatures: Script_ATL_Stream_Load* [15], HTML_ATLStream_BO* [16], JavaScript_Obfuscation_Fre, HTML_IE_ActiveX_Loader_Heap_Corruption* [17]
CVE-2008-0015 and CVE-2008-0020
Microsoft Security Bulletin MS09-032 Critical: Cumulative Security Update of ActiveX Kill Bits (973346) [18]

On July 13, Microsoft released a Security Advisory to address a remote code execution vulnerability affecting Microsoft Office Web Components [19]. Microsoft noted it had observed limited attacks utilizing this vulnerability. The Microsoft Office Web Components Control is installed by default with various Office products, but may also be loaded on demand by the browser from the Microsoft Web site. According to a Microsoft Security Response Center (MSRC) blog post, "Although the Microsoft Office Web Components ActiveX control has been deprecated for some time now, we still recommend customers implement the workarounds as provided in the Advisory." [20]
[14] A protection advisory provided by IBM ISS: Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities http://iss.net/threats/329.html
[15] Refer to the associated protection advisory for additional information.
[16] Refer to the associated protection advisory for additional information.
[17] Refer to the associated protection advisory for additional information.
[18] Microsoft Security Bulletin MS09-032 Critical: Cumulative Security Update of ActiveX Kill Bits (973346) http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
[19] Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/973472.mspx
[20] Microsoft Security Advisory 973472 Released http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx


During this time, the Threat Level, originally elevated in response to the Microsoft Video Controller ActiveX Library vulnerability (CVE-2008-0015), maintained AlertCon 2 status to also draw awareness to this Microsoft Office Web Components Control issue. A report surfaced indicating that this vulnerability was being utilized in SQL injection attacks [21]. The Microsoft July Security Release did not address this issue, and we continued to recommend that customers set the kill bit for this ActiveX control to mitigate this threat. While doing so helps block known attack vectors, it also prevents the use of the OWC Spreadsheet functionality within the Office Web Components ActiveX Control in Internet Explorer, Microsoft Office, or any application that honors kill bits. The vendor provided an update for this vulnerability in its August Security Release. The X-Force team also released a Protection Alert detailing the available IBM ISS product coverage.
A protection alert provided by IBM ISS: Microsoft Office Web Components Spreadsheet ActiveX Control RCE [22]
IBM ISS Protection Signatures: JavaScript_NOOP_Sled, JavaScript_Unescape_Obfuscation, HTML_IE_ActiveX_Loader_Heap_Corruption, and Script_OWC_Heap
CVE-2009-1136
Microsoft Security Bulletin MS09-043 - Critical: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) [23]

[21] OWC exploits used in SQL injection attacks http://isc.sans.org/diary.html?storyid=6811
[22] A protection alert provided by IBM ISS: Microsoft Office Web Components Spreadsheet ActiveX Control RCE http://iss.net/threats/334.html
[23] Microsoft Security Bulletin MS09-043 - Critical: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx


Already considered a month of serious disclosures, July dealt the security industry another blow with the release of Microsoft's Security Bulletins on July 14. Of the six bulletins published, X-Force analysts found two to be of great concern. One bulletin addressed multiple vulnerabilities found in the Embedded OpenType Font Engine in Microsoft Windows. These vulnerabilities could allow remote code execution when a victim opens an Office document or visits a malicious Web page containing specially-crafted embedded fonts. The second bulletin highlights multiple vulnerabilities affecting Microsoft DirectShow. Microsoft DirectX is a core component of Microsoft Windows 2000, XP, and Windows Server 2003 and is enabled by default. Successful exploitation of the issues addressed in MS09-028 and MS09-029 would provide an attacker with complete control over the endpoint target. The use of malicious Web content, which could easily be integrated into an exploit for the MS09-029 vulnerability, has been prevalent in the past few years. Similarly, the use of media files, such as images and movies, has also been prevalent in past years, and the use of malicious movies, in particular, substantially increased near the end of 2008.


A protection alert provided by IBM ISS: Multiple Vulnerabilities in the Embedded OpenType Font Engine of Microsoft Windows Could Allow Remote Code Execution [24]
IBM ISS Protection Signatures: EOT_Data_Record_Heap_Overflow, EOT_OpenTypeFont_Detected and EOT_Compressed_OpenTypeFont_Detected
CVE-2009-0231 and CVE-2009-0232
Microsoft Security Bulletin MS09-029 - Critical: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) [25]

A protection alert provided by IBM ISS: Multiple Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution [26]
IBM ISS Protection Signatures: MOV_Container_Overflow (CVE-2009-1539) and QuickTime_DirectShow_Pointer_Code_Execution (CVE-2009-1538)
CVE-2009-1539 and CVE-2009-1538
Microsoft Security Bulletin MS09-028 - Critical: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) [27]

[24] A protection alert provided by IBM ISS: Multiple Vulnerabilities in the Embedded OpenType Font Engine of Microsoft Windows Could Allow Remote Code Execution http://www.iss.net/threats/333.html
[25] Microsoft Security Bulletin MS09-029 - Critical: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) http://www.microsoft.com/technet/security/Bulletin/MS09-029.mspx
[26] A protection alert provided by IBM ISS: Multiple Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution http://www.iss.net/threats/332.html
[27] Microsoft Security Bulletin MS09-028 - Critical: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) http://www.microsoft.com/technet/security/Bulletin/MS09-028.mspx


In addition to the Alerts highlighting the Microsoft issues, the X-Force also produced a Protection Alert the same day to address a remote code execution vulnerability affecting the ISC dhclient (DHCP Client). By sending a specially crafted DHCP ACK message, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
A protection alert provided by IBM ISS: ISC DHCP Client Buffer Overflow [28]
IBM ISS Protection Signature: DHCP_Client_Overflow
CVE-2009-0692
DHCP Stack Overflow in dhclient script_write_params() [29]

One day prior to the July 14 releases (which also included an Oracle Critical Patch Update not mentioned above), proof-of-concept code targeting a 0-day remote code execution vulnerability affecting Mozilla Firefox was made publicly available. The issue is in the just-in-time (JIT) JavaScript compiler of Firefox version 3.5. Exploitation of this vulnerability provides the attacker with the privileges of the end user, which could allow complete control over the targeted endpoint. As the dust settled on the July Microsoft Security Bulletins, attention turned to the Mozilla Firefox issue, which was reported as being exploited in the wild on July 16, 2009. Browser vulnerabilities are one of the top targets of malicious Web exploit toolkit developers. These Web exploit toolkits now account for nearly all browser-related exploits seen in the wild. IBM ISS published a Protection Alert to address this issue.

[28] A protection alert provided by IBM ISS: ISC DHCP Client Buffer Overflow http://www.iss.net/threats/331.html
[29] DHCP Stack Overflow in dhclient script_write_params() https://www.isc.org/node/472


A protection alert provided by IBM ISS: Mozilla Firefox Font HTML Tags Remote Code Execution [30]
IBM ISS Protection Signatures: JavaScript_Shellcode_Detected*, JavaScript_Large_Unescape, JavaScript_NOOP_Sled*, HTTP_IE_Script_Error_Code_Execution*
* Blocked by default
CVE-2009-2477
Mozilla Foundation Security Advisory 2009-41 [31]

July continued the momentum of being one of the busiest months for security professionals this year when exploitation of a 0-day high risk vulnerability in Adobe Reader, Acrobat and Flash was discovered on July 21, 2009. The vulnerability is found in the authplay.dll file and is related to a Microsoft ATL vulnerability that is disclosed later in the month. This vulnerability could result in remote code execution if a victim opens a specially-crafted movie. In some cases, these movies have been seen embedded in an Adobe Acrobat (.pdf) document. Links to these malicious documents and movies can easily be sent through spam or through links on seemingly non-malicious Web sites.

[30] Mozilla Firefox Font HTML Tags Remote Code Execution http://www.iss.net/threats/335.html
[31] Mozilla Foundation Security Advisory 2009-41 http://www.mozilla.org/security/announce/2009/mfsa2009-41.html


On July 23, 2009, the Threat Level was elevated to AlertCon 2 for the second time that month. This time the elevation was due to increasing reports of active exploitation of this vulnerability affecting Adobe Reader, Acrobat and Flash. Initially, Adobe published mitigation steps for this vulnerability. On July 30, Adobe released a security bulletin containing patches for multiple vulnerabilities within Flash player including the aforementioned vulnerability. The following day, the bulletin was updated with Adobe Reader and Acrobat updates.
A protection alert provided by IBM ISS: Adobe Acrobat and Adobe Flash Remote Code Execution [32]
IBM ISS Protection Signature: JavaScript_Obfuscation_Fre
CVE-2009-1862
Adobe Security Bulletin APSB09-10 [33]

The month of July concluded with the release of two Protection Advisories to address a vulnerability in the Microsoft Active Template Library (ATL). The ATL is commonly used as a building block by developers, so many third-party applications are potentially affected by this vulnerability. Additionally, Microsoft released two out-of-cycle Security Bulletins related to this issue that provide mitigation capabilities to Internet Explorer (MS09-034) and update Visual Studio to replace the vulnerable library (MS09-035). Internet Explorer itself isn't directly vulnerable to the ATL issue, but the update adds some protective measures that will block attempts to exploit this vulnerability through other controls or components. One way that it does this is by addressing a method of bypassing kill bits, which was also discussed in a presentation at BlackHat 2009 by members of the X-Force team [34]. Software developers can use the updated Visual Studio to rebuild applications that contain the vulnerable version of the ATL.

[32] A protection alert provided by IBM ISS: Adobe Acrobat and Adobe Flash Remote Code Execution http://www.iss.net/threats/336.html
[33] Adobe Security Bulletin APSB09-10 http://www.adobe.com/support/security/bulletins/apsb09-10.html
[34] The Language of Trust: Exploiting Trust Relationships in Active Content http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Dowd


A protection advisory provided by IBM ISS: Microsoft Internet Explorer ATL Killbit Evasion [35]
IBM ISS Protection Signature: HTML_ATLStream_BO
Microsoft Security Bulletin MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) [36]
Microsoft Security Bulletin MS09-034: Cumulative Security Update for Internet Explorer (972260) [37]

A protection advisory provided by IBM ISS: Multiple Vulnerabilities in the Microsoft Visual Studio Active Template Library Could Allow Remote Code Execution [38]
IBM ISS Protection Signatures: Script_ATL_Stream_Load and HTML_ATLStream_BO
CVE-2009-0901, CVE-2009-2493, CVE-2009-2494, CVE-2009-2495
Microsoft Security Bulletin MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) [39]
Microsoft Security Bulletin MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) [40]

[35] A protection advisory provided by IBM ISS: Microsoft Internet Explorer ATL Killbit Evasion http://www.iss.net/threats/337.html
[36] Microsoft Security Bulletin MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
[37] Microsoft Security Bulletin MS09-034: Cumulative Security Update for Internet Explorer (972260) http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
[38] A protection advisory provided by IBM ISS: Multiple Vulnerabilities in the Microsoft Visual Studio Active Template Library Could Allow Remote Code Execution http://www.iss.net/threats/338.html
[39] Microsoft Security Bulletin MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
[40] Microsoft Security Bulletin MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx


August also proved to be a month of serious disclosures. The X-Force team published three Protection Alerts to address critical vulnerabilities disclosed in Microsoft's August Security Bulletins. The first Alert addresses a vulnerability caused by the improper handling of AVI files by the Media Files component; it is present on all modern Microsoft Windows operating systems, including Microsoft Vista. Successful exploitation of this issue would provide an attacker with complete control over the endpoint target. The use of malicious media files like images and movies has been prevalent in past years, and the use of malicious movies, in particular, substantially increased near the end of 2008.
A protection alert provided by IBM ISS: Microsoft Windows AVI Remote Code Execution [41]
IBM ISS Protection Signature: AVI_Malformed_Header
CVE-2009-1545
Microsoft Security Bulletin MS09-038: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557) [42]

The second Alert highlights a heap-based buffer overflow vulnerability in Microsoft WINS. By sending a specially-crafted WINS replication packet, a remote attacker could execute arbitrary code on the system with elevated privileges or cause the service to crash. This vulnerability is present, but not enabled by default on Microsoft Windows 2000 and 2003 operating systems.
A protection alert provided by IBM ISS: Microsoft WINS Replication Remote Code Execution [43]
IBM ISS Protection Signature: WINS_Replication_Heap_Overflow
CVE-2009-1923
Microsoft Security Bulletin MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
[41] A protection alert provided by IBM ISS: Microsoft Windows AVI Remote Code Execution http://www.iss.net/threats/339.html
[42] Microsoft Security Bulletin MS09-038: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557) http://www.microsoft.com/technet/security/bulletin/ms09-038.mspx
[43] A protection alert provided by IBM ISS: Microsoft WINS Replication Remote Code Execution http://www.iss.net/threats/340.html


The third Alert addresses a remote code execution issue affecting the Microsoft Remote Desktop Connection ActiveX control. Plug-ins, like this ActiveX control, are one of the top targets of malicious Web exploit toolkit developers. These Web exploit toolkits now account for nearly all browser-related exploits seen in the wild. The exploitation of this ActiveX control provides the attacker with the privileges of the end user, which could allow complete control over the targeted endpoint. This ActiveX control is installed by default on recent Microsoft XP and Vista operating system service packs. Although the control is not installed by default on other operating systems and service packs, the attacker could request the browser to load the control if it is not already present on a targeted system.
A protection alert provided by IBM ISS: Microsoft Windows RDP Services Client ActiveX Control RCE [44]
IBM ISS Protection Signature: JavaScript_RDP_ActiveX_Overflow
CVE-2009-1929
Microsoft Security Bulletin MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927) [45]

In addition to the aforementioned Protection Alerts, three other Protection Alerts were also published by X-Force researchers that same day. Two of the Alerts focused on vulnerabilities in Network Security Services (NSS), a component of many Mozilla products and some operating systems. One of the vulnerabilities could allow remote code execution through a specially-crafted certificate signed by a trusted Certificate Authority (CA) or through a specially-crafted self-signed certificate.
A protection alert provided by IBM ISS: Network Security Services (NSS) Parser RCE [46]
IBM ISS Protection Signature: ASN1_Mozilla_NSS_Parser_Overflow
CVE-2009-2404
Multiple vendors have released patches. See the IBM ISS protection alert for more details.
[44] A protection alert provided by IBM ISS: Microsoft Windows RDP Services Client ActiveX Control RCE http://www.iss.net/threats/341.html
[45] Microsoft Security Bulletin MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927) http://www.microsoft.com/technet/security/bulletin/ms09-044.mspx
[46] A protection alert provided by IBM ISS: Network Security Services (NSS) Parser RCE http://www.iss.net/threats/342.html


NSS could also allow a remote attacker to bypass security restrictions, caused by an error when parsing X.509 certificate domain names. Signed certificates underpin one of the main tenets of trust on the Internet: authentication. This security bypass is easy to achieve and could easily be used from a social-engineering standpoint to further compromise victims.
A protection alert provided by IBM ISS: Network Security Services (NSS) Certificate Security Bypass [47]
IBM ISS Protection Signature: ASN1_NSS_Cert_Sec_Bypass
CVE-2009-2408
Multiple vendors have released patches. See the IBM ISS protection alert for more details.

The last of the Alerts published in August details an issue affecting ISC BIND which could allow an attacker to send a specially-crafted dynamic update message to a specific zone to cause the server to crash. The ISC BIND software is a common component of Domain Name Servers (DNS), which are considered critical infrastructure. Public exploit code is readily available.
A protection alert provided by IBM ISS: ISC BIND dns_db_findrdataset() DoS [48]
IBM ISS Protection Signature: DNS_ISC_BIND_DoS
CVE-2009-0696
Internet Systems Consortium: BIND Dynamic Update DoS [49]

As far as the quantity of alerts and advisories goes, September didn't match August's numbers, though the issues disclosed still packed quite a cyber security punch. One day prior to the start of the month, August 31, proof-of-concept exploit code targeting a 0-day vulnerability in Microsoft Internet Information Services (IIS) 5.0 FTPd was posted publicly [50].
[47] A protection alert provided by IBM ISS: Network Security Services (NSS) Certificate Security Bypass http://www.iss.net/threats/344.html
[48] A protection alert provided by IBM ISS: ISC BIND dns_db_findrdataset() DoS http://www.iss.net/threats/343.html
[49] Internet Systems Consortium: BIND Dynamic Update DoS http://www.iss.net/threats/343.html
[50] [Full-disclosure] Microsoft Internet Information Server ftpd zeroday http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0444.html


The FTPd service in Microsoft IIS is vulnerable to a remote buffer overflow, allowing remote code execution (versions 5.0 and 5.1) or causing the application to crash (versions 5.0, 5.1, and 6.0). Exploits have been published for this vulnerability on the milw0rm exploit site and an exploit module also targeting this issue has been released for the Metasploit Framework. Administrators of affected servers are strongly advised to follow the mitigation steps documented in the Microsoft Security Advisory. A protection alert provided by IBM ISS was published to address this issue.
A protection alert provided by IBM ISS: Microsoft Internet Information Services FTP Remote Code Execution [51]
IBM ISS Protection Signatures: FTP_Mkd_Overflow and FTP_Commands_With_Binary
CVE-2009-3023
Microsoft Security Advisory (975191): Vulnerabilities in the FTP Service in Internet Information Services [52], http://www.microsoft.com/technet/security/advisory/975191.mspx
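The two IBM ISS signature names listed for this issue also describe what an administrator can look for in FTP server command logs while the advisory's mitigations are being applied: an oversized argument to the MKD command, and non-printable bytes inside any command (RFC 959 commands are plain Telnet NVT text, so control or high-bit bytes indicate machine-generated input rather than a client typing). The following Python script is an added example, not IBM ISS or Microsoft code; the log line format, the 255-byte length threshold (MAX_ARG_LEN), the field names and the sample lines are all constructed assumptions, and the check complements rather than replaces the steps in Microsoft Security Advisory 975191.

```python
"""Triage FTP command logs for oversized MKD arguments and binary bytes in commands.

Added example; not IBM ISS or Microsoft code. The log format, the length
threshold and the sample lines below are constructed assumptions.
"""
import re
from typing import Dict, Iterable, List

# Assumed (constructed) log line format: "<timestamp> <client-ip> <COMMAND> [argument]"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]{3,4})(?:\s(.*))?$")

# Assumption: no legitimate directory name on this server exceeds 255 bytes.
# Tune to the path limits your FTP server actually enforces.
MAX_ARG_LEN = 255


def has_binary(arg: str) -> bool:
    """True if the argument contains anything outside printable ASCII (0x20-0x7e).

    Logs are assumed to have been read with a byte-preserving codec such as
    latin-1, so high-bit bytes survive as characters with ord() > 0x7e.
    """
    return any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg)


def analyze_line(line: str) -> Dict[str, object]:
    """Parse one log line and return the findings it triggers (possibly none)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return {"parsed": False, "line": line, "findings": []}
    ts, client, cmd = m.group(1), m.group(2), m.group(3).upper()
    arg = m.group(4) or ""
    findings: List[str] = []
    # Mirrors the intent of the FTP_Mkd_Overflow signature: an MKD argument
    # far longer than any real directory name.
    if cmd == "MKD" and len(arg) > MAX_ARG_LEN:
        findings.append("FTP_Mkd_Overflow: MKD argument of %d bytes from %s" % (len(arg), client))
    # Mirrors the intent of the FTP_Commands_With_Binary signature.
    if has_binary(arg):
        findings.append("FTP_Commands_With_Binary: non-printable bytes in %s argument from %s" % (cmd, client))
    return {"parsed": True, "ts": ts, "client": client, "cmd": cmd,
            "arg_len": len(arg), "findings": findings}


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the parsed records that raised at least one finding."""
    return [r for r in (analyze_line(l) for l in lines) if r["findings"]]


# Constructed sample log: three ordinary commands, one oversized MKD, one
# command carrying high-bit bytes. None of this is captured traffic.
SAMPLE_LOG = [
    "2009-08-31T10:00:01Z 192.0.2.10 USER anonymous",
    "2009-08-31T10:00:02Z 192.0.2.10 CWD incoming",
    "2009-08-31T10:00:03Z 192.0.2.10 MKD reports",
    "2009-08-31T10:00:04Z 192.0.2.44 MKD " + "A" * 600,
    "2009-08-31T10:00:05Z 192.0.2.44 NLST \x90\x90\x90*",
]

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        for finding in record["findings"]:
            print(record["ts"], finding)
```

Run against a real log, the script is only a first pass: an alert on a long MKD tells you which client to block and which server to check against the advisory, while the absence of alerts says nothing about commands the log format does not record.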

Shortly following the excitement of the Microsoft IIS FTPd issue, Microsoft's September Security Release was published. The X-Force team published a Protection Alert to address a critical vulnerability affecting the Microsoft Windows JScript scripting engine.
[51] A protection alert provided by IBM ISS: Microsoft Internet Information Services FTP Remote Code Execution, http://www.iss.net/threats/345.html
[52] Microsoft Security Advisory (975191): Vulnerabilities in the FTP Service in Internet Information Services, http://www.microsoft.com/technet/security/advisory/975191.mspx


Browser-related vulnerabilities, such as this one, are one of the top targets of malicious Web exploit toolkit developers. The exploitation of this vulnerability provides the attacker with the privileges of the end user, which could allow complete control over the targeted endpoint. As of the time of this publication, we are not aware of proof-of-concept exploit code nor are we aware of reports of in-the-wild exploitation of this issue.
A protection alert provided by IBM ISS: Microsoft Windows JScript Remote Code Execution [53]
IBM ISS Protection Signature: JavaScript_IE_Decoding
CVE-2009-1920
Microsoft Security Bulletin MS09-045: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961) [54]

Sneaking in between the disclosure of the Microsoft IIS FTPd issue and the Microsoft September Security Release, a 0-day Microsoft Windows SMB 2 (SRV2.SYS) vulnerability surfaced. This vulnerability was originally announced as a DoS and the discoverer published proof-of-concept code that easily and reliably produced a Blue Screen of Death, or BSOD.
[53] A protection alert provided by IBM ISS: Microsoft Windows JScript Remote Code Execution, http://iss.net/threats/346.html
[54] Microsoft Security Bulletin MS09-045: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961), http://www.microsoft.com/technet/security/bulletin/ms09-045.mspx


However, research conducted by the X-Force team and others proved that remote code execution was indeed possible, making this vulnerability much more severe than originally anticipated. On September 28, 2009, a working remote code execution PoC was publicly released.
A protection alert provided by IBM ISS: Microsoft Windows SRV2.SYS Remote Code Execution [55]
IBM ISS Protection Signature: SMB_Negotiate_ProcessID_Exec
CVE-2009-3103
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution [56]

[55] A protection alert provided by IBM ISS: Microsoft Windows SRV2.SYS Remote Code Execution, http://iss.net/threats/347.html
[56] Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution, http://www.microsoft.com/technet/security/advisory/975497.mspx


Additional Q3 2009 highlights

This section of the report briefly covers some of the additional threats facing security professionals during Q3 2009.
Major security breaches

A number of high-profile security breaches are reported every year, drawing attention to the need to protect consumer and employee information from exposure to malicious individuals and identity (ID) theft rings. In addition to the loss or misplacement of information, corporations and individuals are at risk of exposure via malware, hacking, phishing attacks and various social engineering tactics. There are also non-cyber methods such as stealing mail, dumpster-diving (rummaging through trash bins), or obtaining information from employees or stolen records. Below are some of the major security breaches that became public during the third quarter:

- Mitsubishi Corp.: Attackers obtained credit card details on 52,000 customers by hacking the servers of a Mitsubishi Corp. Internet shopping unit.
- Moores Cancer Center: Sensitive information was compromised when a hacker breached the center's computers. 30,000 patients were affected.
- National Guard Bureau: A laptop was stolen containing personal information on about 131,000 former and current Army Guard members.
- Network Solutions: Attackers hacked into Web servers used by the company to provide e-commerce services, compromising more than 573,000 debit and credit card accounts.
- Sagebrush Medical Plaza/Kern Medical Center: Criminals broke into a locked storage area that contained sensitive information on thousands of patients.
- UNC Chapel Hill: The personal data of 236,000 research participants was exposed as a result of a compromised server.


Malcode corner

The IBM ISS X-Force Virus Prevention System (VPS) team's categorization of malcode is based on the most dominant features of the threat. The primary malcode categories are:

- Backdoor: Provides functionality for a remote attacker to log on and/or execute arbitrary commands on the affected system.
- Other: Unclassified malicious programs not falling within the other primary categories.
- Potentially Unwanted Programs (PUP): Programs which the user may consent to having installed but which may affect the security posture of the system or may be used for malicious purposes. Examples are adware, dialers and hacktools/hacker tools (which include sniffers, port scanners, malware constructor kits, etc.).
- Trojan: Performs a variety of malicious functions such as spying, stealing information, logging keystrokes and downloading additional malware.
- Virus: Propagates by infecting a host file.
- Worm: Self-propagates via e-mail, network shares, removable drives, file sharing or instant messaging applications.

Q3 2009 Primary Malware Categorization Breakdown (pie chart in the original; percentages recovered from the figure):

Trojan 57.52%
Backdoor 22.64%
PUP 7.00%
Other 5.49%
Worm 4.10%
Virus 3.24%


The Trojan subcategories are as follows:

- Clicker: Generates website traffic, either to generate revenue or for other malicious purposes.
- Downloader: Downloads one or more malware components from a remote site and then installs them on the affected system.
- Dropper: Drops and installs one or more malware components onto an affected system.
- Exploit: Documents or media files containing exploit code.
- FraudTool: Malware used to commit fraud, for example malware that displays fake error or infection messages to incite the user to purchase fake tools or security software.
- Generic: Trojans that do not fall within the other subcategories.
- Infostealer: Spies on and/or steals information; this includes password stealers, keystroke loggers and spyware.
- Proxy: Allows a remote attacker to relay connections via the affected system in order to hide their real origin.
- Rootkit: Components used by other malware to hide themselves from the user and from security software.

Q3 2009 Trojan Categorization Breakdown (pie chart in the original; percentages recovered from the figure):

Other 39.93%
Infostealer 20.79%
Dropper 14.85%
Downloader 13.67%
Injector 6.10%
FraudTool 1.81%
Exploit 1.02%
Clicker 0.75%
Rootkit 0.73%
Proxy 0.35%


Contributors to this paper include:

Michael Vucelich, Threat Analyst, IBM MSS Intelligence Center
Chris Ahearn, Security Intelligence Analyst, IBM MSS Intelligence Center
Michelle Alvarez, Team Lead, IBM MSS Intelligence Center
IBM ISS X-Force Database
IBM ISS X-Force Virus Prevention System (VPS) team


References

Mitsubishi Corp. Unit Lost Credit Card Data on 52,000 Clients, http://www.bloomberg.com/apps/news?pid=20601080&sid=ad4L3.m_ZQOI
Cancer center warns patients of computer breach, http://www.fox5sandiego.com/news/kswb-cancer-hack,0,933278.story
Stolen laptop holds Army Guard members' data, http://www.msnbc.msn.com/id/32304147/ns/technology_and_science-security/
Network Solutions Says Hackers Accessed 573,000 Card Accounts, http://www.washingtonpost.com/wp-dyn/content/article/2009/07/24/AR2009072403527.html
Hacker hits UNC-Chapel Hill study data, http://www.databreaches.net/?p=7511


*Information in this document concerning non-IBM products was obtained from the suppliers of these products, published announcement material or other publicly available sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All performance data contained in this publication was obtained in the specific operating environment and under the conditions described above and is presented as an illustration. Performance obtained in other operating environments may vary and customers should conduct their own testing.

Copyright IBM Corporation 2009.

IBM Global Services Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America. October 2009 All Rights Reserved.

IBM, the IBM logo, ibm.com, Internet Security Systems, Ahead of the threat and X-Force are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft, Windows, Server, Vista, ActiveX, DirectShow, Office, Internet Explorer and Visual Studio are trademarks or registered trademarks of the Microsoft Corporation in the United States, other countries, or both. Mozilla and Firefox are registered trademarks of the Mozilla Foundation. Adobe, Acrobat, Reader and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Other company, product and service names may be trademarks or service marks of others. The use of third-party data, studies and/or quoted material does not represent an endorsement by IBM of the publishing organization, nor does it necessarily represent the viewpoint of IBM. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. U.S. Patent No. 7,093,239

SEL03007-USEN-00