Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes

Chapter 14. Defense

14.6 Additional Defense Tools

The battle against malicious mobile code cannot be won by antivirus scanners alone. In the next section, I will discuss other tools that not only help keep rogue code at bay, but also strengthen your larger security strategy.

14.6.1 Firewalls

I consider firewalls to be essential defense components in any company or on any standalone PC connected to the Internet, although even more so for broadband connections. A firewall, at its most basic level, blocks network traffic by port number and IP address. A good firewall strategy allows only predefined ports to be open and blocks all others by default. If a program, like a Trojan, tries to initiate an Internet conversation across a blocked port, its attempt will be unsuccessful and logged. And even more importantly, a firewall will block hack attempts and probes into your network or PC. Many home cable modem users are used to dozens of daily hack probes and scans against their PC. Once you have a firewall you will wonder how you did without one.

For more information on firewalls, you can refer to Building Internet Firewalls, 2nd ed., by Elizabeth B. Zwicky, Simon Cooper, and D. Brent Chapman.

Corporations should consider an enterprise-level firewall with solid reviews and awards from third-party security organizations (like ICSAlabs). Some are hardware-based solutions, like SonicWall's Internet Firewall Appliance™ or Cisco's PIX™. Others, like Check Point's Firewall-1™, Axent's Raptor Firewall™, and Network Associates' Gauntlet™, are software based.

Personal firewalls are low-cost, software-based firewalls intended for home users or single PCs. ZoneAlarm™ (http://www.zonelabs.com) and Network ICE's BlackICE Defender™ (http://www.networkice.com) are the two most popular personal firewalls. ZoneAlarm is free to individuals and nonprofit corporations, and a more functional ZoneAlarm Pro™ is available for a low fee. Both Symantec and McAfee offer personal firewalls as part of their suite of offerings. Microsoft's upcoming Windows XP is touted to have a personal firewall built-in. All personal firewalls try to make configuration and default settings easier for the end user.

Personal firewalls govern access based on applications and the ports they use. It would be easy for a Trojan to install itself with the same name as a known program, such as Real Player, and attempt to fool the user into allowing the communications. Key to implementing any firewall is a strong understanding of TCP/IP ports and the legitimate uses of the Internet. In most firewall deployments, once the firewall is turned on, lots of denied traffic is reported. It is up to the firewall administrator to determine what should be generating traffic and what should not.

Figure 14-5 shows ZoneAlarm's alert message in action as I purposefully ran a BackOrifice server Trojan. Note, ZoneAlarm does not identify this file as a Trojan, only that it is attempting to open up a connection to the Internet and act as a server. Even if I say No to the alert message, the Trojan is still able to modify my local system, startup areas, and run in memory. A personal firewall only stops its ability to communicate with its client partner over the Internet.

Figure 14-5. ZoneAlarm alert message caused by BackOrifice Trojan
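The weakness just described, a Trojan borrowing a trusted program's name, comes from rules keyed on the file name. The following is an added example, not code from the book or from any firewall vendor named here: a small default-deny policy engine that keys its allow rules on the SHA-256 of the program image instead, logs every decision the way the firewall log in the text does, and distinguishes a program connecting out from one opening a listening port. The hashes, the "realplay.exe" look-alike and port 54321 are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample hashes: what a firewall would compute over the on-disk
# program image the first time that program asks for network access.
REAL_PLAYER_HASH = hashlib.sha256(b"constructed: genuine realplay.exe image").hexdigest()
TROJAN_HASH = hashlib.sha256(b"constructed: trojan reusing the name realplay.exe").hexdigest()

# Allow rules keyed on the program hash, the direction ("out" = the program
# connects somewhere, "in" = it listens as a server), protocol and port set.
# Nothing else is allowed: the policy is default deny.
ALLOW_RULES = [
    {"app_hash": REAL_PLAYER_HASH, "direction": "out", "proto": "tcp", "ports": {80, 443}},
]


def evaluate(app_name, app_hash, direction, proto, port, log):
    """Decide one network request, append an audit line to log, return the decision."""
    decision = "deny"
    for rule in ALLOW_RULES:
        if (rule["app_hash"] == app_hash
                and rule["direction"] == direction
                and rule["proto"] == proto
                and port in rule["ports"]):
            decision = "allow"
            break
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    log.append(f"{stamp} {decision.upper():5} {app_name} {direction} {proto}/{port} "
               f"hash={app_hash[:12]}")
    return decision


def demo():
    """Three requests: the genuine player out to 443, a same-named look-alike
    out to 443, and the look-alike trying to listen on a high port (constructed: 54321)."""
    log = []
    results = [
        evaluate("realplay.exe", REAL_PLAYER_HASH, "out", "tcp", 443, log),
        evaluate("realplay.exe", TROJAN_HASH, "out", "tcp", 443, log),
        evaluate("realplay.exe", TROJAN_HASH, "in", "tcp", 54321, log),
    ]
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    for line in audit:
        print(line)
```

The second and third requests are denied even though the file name matches the allowed program, because the hash does not; the third would be denied regardless, since no rule permits that program to act as a server. Note that, exactly as the text says of ZoneAlarm, this only stops the program from talking on the network; it does nothing about what the program has already done on disk.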

14.6.2 Intrusion Detection

Intrusion Detection Systems (IDS) programs can work one of two ways. One method is for the IDS to take a snapshot of your system and report any attempts to modify monitored areas. Another, more sophisticated method, is to monitor PC or network activities looking for malicious activities (called hacking signatures). An example of a hacking signature would be a port scan across multiple subnets. Like firewalls, an IDS can reside on and monitor a single PC, or monitor an enterprise network environment. When protecting a PC it might monitor registry changes, changes to startup areas, modifications to program files, and suspicious network activity. A network IDS monitors larger network-specific events. It might look for the telltale signs of a denial of service attack against a specific server. When an attack signature is detected, the IDS alerts administrators about a potential attack. Internet Security Systems, Cisco, Axent, and Network Associates are all leaders in Intrusion Detection Systems.

There are two main problems with IDS programs. First, IDS programs rely on signatures that need constant updating, just as an antivirus scanner's do. Certainly this has not gone unnoticed by antivirus vendors, and several of them are now making IDS components. Regardless, developing an antihacking signature is more difficult than pulling a common set of bytes out of a malicious code program. And hacking sites are full of ways to bypass network-based IDS programs. The second problem is that network-based IDSs monitor the wire and are more at home on shared networks. In order for an IDS to recognize an enterprise-wide attack, it must monitor several network segments at once and be able to look into the data packet. IDS programs are severely hampered in today's world of switched networks and encrypted traffic.

14.6.3 Honey Pots

Honey pots are an interesting, related concept. They are premised on the assumption that your network will be broken into and explored by hackers. Honey pots are "fake" systems designed to mimic legitimate-looking important servers. Some honey pots go as far as containing hundreds of authentic-looking emails and files discussing a fake important product. They are intentionally made easy to break into. The honey pot owner's hope is that the unsuspecting hacker will spend his time inside the honey pot, doing no real damage, while providing security administrators with lots of evidence. Administrators can find out how the hacker operates, what tools they use, what exploits they attempt to find, and where they are physically located.

Honey pots have little to do with malicious mobile code, but some antivirus vendors are beginning to use honey pot-like emulated environments to trap malicious code. The antivirus software places suspicious programs into an emulated environment where the program is free to manipulate fake system resources. The antivirus program watches what the program does, and if it notices malicious behavior, it alerts the user. And the user's real environment is left untouched because of the emulated honey pot.

14.6.4 Port Monitors and Scanners

Smaller cousins of the firewall, port monitors and scanners look for active TCP/IP ports. A port scanner (or port mapper), and there are dozens of them that can be downloaded off of the Internet, can be used to find active ports on a particular machine or on an entire network. Usually you plug in a target IP address or range of addresses and the scanner begins trying all ports from 1 to 1024, or higher. If you have never used a port scanner before, you will probably be surprised to see all sorts of unknown traffic actively engaged in communication.

In any case, if you discover a port number you don't understand, you need to trace it to the program or process that is using it. Port scanners will tell you what machine is using the port. Go to that machine and run a program that will tell you what process or program is using a particular port. This can be the hard part as most port scanners do not tell you what file or process the port is originating from. One of my favorites that does is the Portuguese Atelier Web Security Port Scanner (AWSPS) (http://www.atelierweb.com). It is one of the most complete and inexpensive port mappers I've used. It works on Windows 9x, ME, NT, and 2000. Its Ports Finder module will dig into your system and let you know what programs are using what ports. Once you've located the file, you can examine it for legitimacy. There are several commercial port scanners and several defense suites that include a port scanner as just one of their features.

Although version 4 of AWSPS works on NT and 2000, its current Ports Finder feature does not map back to services, which is a significant weakness when looking for Trojans on those types of PCs. According to its developers, the next version will be able to map NT and 2000 services as readily as it does Windows 9x machines.
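The port-to-process step the text calls "the hard part" can also be done with the operating system's own tools and a little scripting. The example below is added here and is not code from the book or from Atelier Web; it assumes a Windows version whose `netstat -ano` prints the owning PID and whose `tasklist /FO CSV` lists processes (both later than the 9x/NT/2000 systems the text targets). The two command outputs embedded in the script are constructed samples, as is the expected-listener table; on a real machine you would feed it the live output of those two commands and maintain the table for your own build.

```python
import csv
import io

# Constructed sample of `netstat -ano` output. The PID column is what lets a
# listening port be traced back to a process without a third-party mapper.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED     1600
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` output.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"svchost.exe","812","Services","0","5,120 K"
"iexplore.exe","1600","Console","1","18,404 K"
"realplay.exe","2044","Console","1","3,404 K"
"""

# Ports we expect to see listening on this build, and the image that should
# own each one (constructed). Any other listener is flagged for a closer look.
EXPECTED_LISTENERS = {
    ("TCP", 135): "svchost.exe",
    ("TCP", 445): "System",
    ("UDP", 137): "System",
}


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows carry no State column
        rows.append((proto, port, state, pid))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def listeners_by_process(netstat_text, tasklist_text):
    """Every listening socket joined to the image that owns it."""
    images = parse_tasklist(tasklist_text)
    out = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound sockets are not servers
        out.append({"proto": proto, "port": port, "pid": pid,
                    "image": images.get(pid, "<unknown>")})
    return out


def unexpected_listeners(netstat_text, tasklist_text):
    """Listeners whose (proto, port) is unknown or owned by the wrong image."""
    flagged = []
    for entry in listeners_by_process(netstat_text, tasklist_text):
        if EXPECTED_LISTENERS.get((entry["proto"], entry["port"])) != entry["image"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_CSV):
        print(f"{e['proto']}/{e['port']} pid={e['pid']} image={e['image']}")
```

On the sample data the only entry flagged is the listener on TCP 54321 owned by a process calling itself realplay.exe; that is the file you would go and examine for legitimacy, as the text advises. The table approach also catches a known port whose owner has changed, which a bare port list would not.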

14.6.5 Security Scanners

Ever since Dan Farmer (quoted in Chapter 8 testifying to Congress) released his System Administration Tool for Analyzing Networks (SATAN) freeware software, Security Scanners (also called Vulnerability Scanners) have been a required defense tool. In a nutshell, security scanners interrogate target machines for weaknesses. They often start by looking for active TCP/IP ports, but they do much more than that. They will automate the process of finding out what operating system and applications are running, and then attempt to see if they are vulnerable to known exploits. They will look for buffer overflows, sample script vulnerabilities, SMTP holes, weak security rights, weak password rules, etc. Every malicious hacker has a good security scanner in his goodie bag and network administrators must use them against their own networks to find and fix the weaknesses. In order to protect your network you must attack it.

There are dozens of free and commercial security scanners. Some of the more well-known ones include Internet Security Systems' Internet Scanner™, eEye Digital Security's Retina™, and Network Associates' CyberCop Scanner™. Although each product has its weaknesses, all of these products are considered to be among the best. Certain scanners are better at different platforms (i.e., Windows NT versus Unix), so make sure to pick a security scanner with strengths in your area of need.

14.6.6 Internet Content Scanners

Another great malicious code protection tool is the Internet content scanner. Unlike regular antivirus scanners that concentrate on signature databases, content scanners look for malicious coding behaviors. The most sophisticated products provide sandbox-like security for all Internet-downloaded code and use emulated honey pot environments. Not only are Java applets placed in a sandbox and unable to manipulate system resources, but so are ActiveX controls, VBScript files, and executables. The most popular Internet content scanner is Finjan Software's (http://www.finjan.com) SurfinShield™. It interfaces with Internet Explorer or Netscape Navigator to perform on-the-fly inspection of Internet-based code (see Figure 14-6), and provides protection to sensitive areas. When it detects content trying to access local system resources it alerts the user and blocks the action.

Figure 14-6. Finjan's SurfinShield in action

Internet content inspectors do a good job at protecting users against malicious HTML-derived code, but cannot replace antivirus scanners. In fact, most content inspectors will not detect most of the known viruses in existence. If you do use a content scanner that is not from an antivirus vendor, I recommend running an antivirus scanner, too. If you are looking for a content scanner with antivirus abilities, you are in luck. Several antivirus vendors make Internet content scanning engines that interface with their antivirus scanners, including Trend Micro, Network Associates, and eSafe.

14.6.7 Miscellaneous Utilities

I use dozens of miscellaneous utilities to help detect and prevent malicious mobile code attacks. Here are some of them.

14.6.7.1 SmartWhoIs

One of my favorite utilities is SmartWhoIs™ by Tamos Soft (http://www.tamos.com/sw.htm). In my line of work I often come across attacks and probes originating from some unknown source. If I have the IP address, hostname, or domain, I can use SmartWhoIs to pull as much publicly available information about that connection. It will even tell me if the attacker is currently online. I use it mostly to track down malicious hackers to their originating domain, where I then inform their ISP of their activities. If the ISP cooperates, it makes most kiddie hackers quit messing around. They know they can be found. If the hacker is still online, I usually send messages and probes of my own letting the hacker know that whenever he is hacking, he is opening himself up to exploits from me, too. Again, I've prematurely stopped the careers of many budding malicious hackers. Tamos Soft also makes an excellent NetBIOS scanner, NBScan. It is a user-friendly replacement for NBTSTAT.EXE.

14.6.7.2 Locking programs down

There are several utilities on the market that allow administrators to control the programs that are allowed to run on a machine and when. SmartLine Inc.'s Advanced Security Control™ (http://www.protect-me.com/asc) is one such product. Although NT can be locked down with a strict policy file, ASC makes it child's play. Administrators can dictate what programs can be run, by whom, and when. Unauthorized users can be prevented from executing programs from removable disks, RAM disks, and ZIP disks, and from accessing command-line executables, like Telnet.

14.6.7.3 Filemon and Regmon

Filemon™ and Regmon™ from Winternals (http://www.winternals.com) are two terrific utilities for viewing what file and registry changes a particular program makes. It is not unusual to see hundreds of registry changes made during one program install. I use them on test machines when examining a piece of unknown code. Malicious code can be encrypted, packed, and hidden, but with these two utilities I'm going to see what the code does when it activates. Winternals has many excellent utilities that should be part of any NT administrator's kit.

Winternals has an excellent TCP/IP troubleshooting utility called TCPView Pro™, which includes a flawless NT port mapper.

14.6.7.4 Goat files

Like sacrificial goats in the Bible, goat files are sacrificed for the greater good. A goat file is a file you place in a common login script, so that if someone gets infected, the goat file will probably get infected, too. The goat file is monitored by intrusion detection software or an antivirus checksum program for activity and prevented from being modified. If a virus attempts to modify the file, alerts will immediately be sent and, hopefully, the originally infected file will be caught quickly.

True goat files are blank .COM and .EXE files waiting to capture a clean copy of the virus. When inspecting a new virus file, I will often execute it, and then load some goat files. If it is a file virus, it will usually take the bait and infect the goat files. Because most of the executable image in a goat file is blank, the disassembly is pure virus code.
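The "checksum program" that watches goat files is the same mechanism as the snapshot-style IDS of Section 14.6.2: take a baseline of size and hash for each monitored file, then re-check and alert on any difference. The following is an added example illustrating both passages; it is not code from the book or from any product mentioned. It creates two blank goat files in a temporary directory (zero bytes stand in for a blank executable image), baselines them with SHA-256, then appends a constructed marker string to one file to stand in for an appending file infector and reports the deviation, including how much the file grew, since those trailing bytes are the part an analyst would disassemble.

```python
import hashlib
import os
import tempfile

GOAT_SIZE = 4096  # constructed: each blank goat image is 4 KB of zero bytes


def make_goat_files(directory, names=("GOAT1.COM", "GOAT2.EXE")):
    """Write blank goat files. Zero bytes stand in for an empty executable, so
    that after an infection nearly everything non-zero is the virus itself."""
    paths = []
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * GOAT_SIZE)
        paths.append(path)
    return paths


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Baseline: size and SHA-256 of every monitored file (goat files, or any
    startup-area or program file you want watched the same way)."""
    return {path: (os.path.getsize(path), sha256_of(path)) for path in paths}


def check(baseline):
    """Re-hash each file and return (path, reason) for every deviation."""
    alerts = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
            continue
        now_size = os.path.getsize(path)
        if sha256_of(path) == digest:
            continue
        if now_size > size:
            # An appending infector makes the file grow; the bytes past the
            # original size are the sample to examine.
            alerts.append((path, f"grew by {now_size - size} bytes"))
        else:
            alerts.append((path, "modified in place"))
    return alerts


def demo():
    """Baseline two goat files, confirm a clean check, then append a constructed
    marker to one of them in place of an infection, and check again."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = make_goat_files(workdir)
        baseline = snapshot(paths)
        clean = check(baseline)
        with open(paths[1], "ab") as fh:
            fh.write(b"CONSTRUCTED-INFECTION-MARKER")  # 28 bytes, not real code
        return clean, check(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    for path, reason in after:
        print(f"ALERT {os.path.basename(path)}: {reason}")
```

In production the baseline would be stored somewhere the monitored machine cannot write to, and the check would run from the login script or a scheduled task; a baseline kept beside the goat files is only as trustworthy as the files themselves.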

14.6.8 Good Backup

Nothing beats a good backup. If malicious mobile code attacks and causes irreparable damage, and you have a good backup, you can rest assured that its consequences have been minimized. If you are not sure about the reliability of your backups, then be afraid. No defense scheme is perfect, and in most organizations malicious mobile code will break past defenses from time to time. When I am called to consult on a large virus outbreak, the first thing I ask when I arrive is whether or not they have reliable, current backups. If so, I mentally breathe a sigh of relief. Having a good backup even allows me to be a bit more aggressive in my treatment.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176