
Posts tagged Trojan

Friday, February 5, 2010

Operation Aurora: The Dawn of a New Era of Network Attacks

By Toby Weir-Jones, Vice President – Product Development, Managed Security Solutions Group, BT Global Services

Over the past few weeks there has been a great deal of coverage of Google’s announcement that it had been the target of sophisticated network attacks originating in China. Many have long suspected that Western companies and government agencies were being attacked from China; Operation Aurora was public confirmation that online espionage, if not cyber war, is now routine.

It is interesting to note that the purpose of the attacks, as reported, was not to harvest information for immediate profit, as is typically the case, but to keep tabs on the movement of information between individuals, groups, corporations and government agencies, without any need to sift that content at the point of collection.

As has been well documented, Operation Aurora exploited a previously unknown memory-corruption vulnerability in Microsoft’s Internet Explorer, which Microsoft patched with the out-of-band update MS10-002 in January 2010. This continues a pattern of browser-based attacks originating in China against US networks, the most notable until now being Titan Rain, first reported in 2003. The specific mode of attack is not new and is not really the story here; sadly, we are all familiar with the proliferation of attacks against browsers and their plugins, the malware they drop, and the ceaseless stream of memory-corruption exploits against thoroughly vetted products.

But what can companies do to combat these attacks and secure their operations? After all, not doing business in China is not really an option for most companies recovering from the economic downturn. And we should not single out China as the only source of suspicious entries in firewall logs, nor assume that connections originating in the US or Europe are benign.

What can the CSO do, then, to protect the company and customers?

Product vendors will universally claim they could have detected the attacks, because they would have seen them either in the raw network traffic (NIDS products) or in the application data in memory (AV and HIDS products). In practice, that detection rests on exploit alerts so generic that you never learn where the threat is coming from or what it is after. In their defence, host products such as AV and HIDS are application-aware and can potentially identify the source of an attack. But to use them effectively, their advanced application protections have to be enabled, and in many deployments they are switched off to avoid reporting false positives.

On the front-end what we advise our customers to do is to ensure they are monitoring the right devices, and logging is configured correctly.  They also need to ensure that a well-documented and rehearsed incident response plan is in place in the event that a breach occurs.

In the SOC what we’re doing is much more time-consuming.  Our analysts and engineers are relentlessly scouring every log, every security and non-security event, collecting every piece of contextual evidence and sending it back to the lab for analysis, comparing the results of a single customer network against our global customer base to document quickly and accurately that one host in a thousand within a monitored subnet is actually compromised. 

Whether the motivation is fraud, spam, or espionage is technically immaterial because it has no bearing on finding infected hosts or revealing the methods of attack.  What we rely on instead is dozens of combined years of experience in monitoring network security activity; we’re not limited to expertise on one or two technologies, we have extensive knowledge across numerous vendor platforms.  Our CMAL and CBOT modules (first released in 2008) are great examples of advanced technology that solves real business problems, and they don’t simply offer up pretty reports about knee-jerk reactions performed by other devices. 

We want to know where it’s coming from first, and then worry about the details behind what it’s doing.  Security policies don’t distinguish between the details of buffer overflow attacks vs. brute-force — they focus on intent, so focusing efforts purely on signature-based detection can dangerously restrict your view. 

This is the first post in a series about Aurora that we’re working on.  Next up, Rob Jamison, our Manager of Network Intelligence, will offer up more insights into Aurora’s methods of propagation and detection.

Wednesday, February 11, 2009

Conficker: What’s Next?

By Senthil Venkatachalam

While the Conficker worm has caught everyone’s attention because of its ability to propagate rapidly, what comes next may be even more damaging and costly to businesses.

Conficker is a classic worm in that it propagates through unpatched Windows systems, exploiting a vulnerability in the Windows Server service (the MS08-067 flaw) over the Microsoft SMB port, TCP 445. In addition to the classic worm behaviour of self-propagation by finding other unpatched Windows computers, this worm abuses the Windows “autorun” facility on removable media such as USB memory sticks, and it tries to spread across network shares by working through a built-in list of weak passwords against the administrative (ADMIN$) shares of other machines. Propagation alone is a nuisance; the greater security threat is that a weak administrator password hands the worm full control of the host.

Where that succeeds, the worm effectively has “the keys to the kingdom”: it runs with administrative privileges, can reach out to controllers on the internet, participate in a botnet and turn the host system into a zombie.

Our concern that infected hosts could be roped in to participate in a botnet seems to be coming true. The Trojan, the malicious executable the worm places on the infected system, carries instructions to contact command and control servers on the internet. Because “static” internet domains can be easily identified and shut down by law enforcement, the Trojan does not rely on a fixed list of names: each day it generates a large set of pseudo-random candidate domain names from the current date and tries to contact them, so the operators need register only a few of them in advance while defenders have to anticipate or block all of them. This domain-generation technique makes detection and takedown much harder.

Monitoring a customer network’s security devices, such as IDS/IPS platforms and firewalls, provides significant protection against the propagation and further spread of the worm, and the new software updates and signature sets from the vendors of these devices help. Despite these measures, however, the Trojan can go undetected without further protections in place. Consider an infected laptop that is plugged into the network: even if the worm’s propagation attempts are blocked by the firewall and the other hosts are patched against the vulnerability the worm exploits, the Trojan remains active until the laptop itself is cleaned up. During that period it can and will try to contact its preprogrammed C&C domains.

To detect this behaviour, BT has developed custom signatures for the Snort IDS/IPS platform. Once installed, these signatures fire when a Trojan attempts to contact a C&C host, alerting the BT SOC to its presence. Customers can then pinpoint the infected host, isolate it and clean it up, removing the problem rather than just the symptoms.
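As an added illustration of the kind of callback detection described above (this is example code written for this page, not BT’s Snort signatures and not code from the original post), the Python below runs two checks over a constructed resolver log: a signature match against a hypothetical list of known C&C domains, and a behavioural check for the footprint a domain-generation algorithm leaves, namely a burst of NXDOMAIN answers for random-looking names from a single client inside a short window. The log format, the domain names, the client addresses and the thresholds are all assumptions made for the example.

```python
"""Added example (not BT's Snort signatures, not code from the post): flag
hosts whose DNS lookups look like Trojan C&C rendezvous. Log format, names
and thresholds are constructed for illustration."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical C&C domains for the signature-style check (not real indicators).
KNOWN_CC_DOMAINS = {"jlgqakmc.info", "wbpvrfd.biz"}

# Tuning assumptions for the DGA heuristic; a real deployment tunes these
# against the network's own baseline.
NXDOMAIN_BURST = 8              # distinct failed names from one client per window
WINDOW = timedelta(minutes=5)
MIN_ENTROPY = 3.0               # mean Shannon entropy (bits/char) of the SLD label

# Constructed resolver-log format: "<ISO timestamp> <client IP> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+([\d.]+)\s+(\S+)\s+(\w+)$")

SAMPLE_LOG = """
2009-02-11T10:00:01 10.1.2.5 www.bt.com NOERROR
2009-02-11T10:00:02 10.1.2.3 qzkvmtyhbw.com NXDOMAIN
2009-02-11T10:00:03 10.1.2.3 lxpdjrfoeg.net NXDOMAIN
2009-02-11T10:00:05 10.1.2.5 wwww.bt.com NXDOMAIN
2009-02-11T10:00:09 10.1.2.3 hmwncabtsu.org NXDOMAIN
2009-02-11T10:00:14 10.1.2.3 vgyiklrpdz.info NXDOMAIN
2009-02-11T10:00:20 10.1.2.4 www.google.com NOERROR
2009-02-11T10:00:22 10.1.2.3 tcxuomheqa.biz NXDOMAIN
2009-02-11T10:00:31 10.1.2.3 bnjfrwysdi.ws NXDOMAIN
2009-02-11T10:00:40 10.1.2.4 jlgqakmc.info NOERROR
2009-02-11T10:00:44 10.1.2.3 kpeahzvgol.cc NXDOMAIN
2009-02-11T10:00:58 10.1.2.3 rsmidtqucy.cn NXDOMAIN
2009-02-11T10:01:15 10.1.2.3 oyxnvbkwjl.com NXDOMAIN
2009-02-11T10:01:30 10.1.2.3 dftgqapzmh.net NXDOMAIN
2009-02-11T10:02:10 10.1.2.5 gooogle.com NXDOMAIN
""".strip().splitlines()


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """'qzkvmtyhbw.com' -> 'qzkvmtyhbw'; 'www.bt.com' -> 'bt'."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None             # skip malformed lines instead of aborting the pass
    ts, client, name, rcode = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "name": name.rstrip(".").lower(), "rcode": rcode.upper()}


def detect(lines):
    """Return {client: findings}; only flagged clients appear in the result."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = defaultdict(dict)

    # 1. Signature check: any lookup of a known C&C name. Cheap and precise,
    #    but blind to every name the list does not yet contain.
    for e in events:
        if e["name"] in KNOWN_CC_DOMAINS:
            findings[e["client"]].setdefault("signature", []).append(e["name"])

    # 2. Behavioural check: a DGA tries many candidate names of which few
    #    resolve, so one client emits a burst of NXDOMAINs for high-entropy
    #    labels within a short window. Sliding window over each client's failures.
    failed = defaultdict(list)
    for e in events:
        if e["rcode"] == "NXDOMAIN":
            failed[e["client"]].append(e)
    for client, evs in failed.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            names = {x["name"] for x in evs[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= NXDOMAIN_BURST:
            ent = sum(shannon_entropy(second_level_label(n)) for n in best) / len(best)
            if ent >= MIN_ENTROPY:
                findings[client]["dga"] = {"distinct_nxdomain": len(best),
                                           "mean_entropy": round(ent, 2)}
    return dict(findings)
```

Calling detect(SAMPLE_LOG) flags 10.1.2.4 on the signature match and 10.1.2.3 on the NXDOMAIN burst, while the client that made two typo lookups is left alone. The behavioural check is what catches a host calling out to names no signature yet covers; the cost is that the thresholds have to be tuned against the network’s own baseline, and a resolver that answers with wildcard or sinkhole records instead of NXDOMAIN will hide the burst, so the rcode must come from the resolver the infected host actually uses.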

BT MSSG also recommends several proactive steps to protect customer networks and systems:

  • Keep all Windows systems at the current OS patch level, including the fix for the Server service vulnerability the worm exploits (MS08-067), and keep the anti-virus (AV) engine and definition files current
  • Keep all security devices, including firewalls and intrusion detection/prevention systems (IDS/IPS), up to date on signatures and software patches
  • Block TCP port 445 (Microsoft SMB) for traffic that traverses firewalls, and restrict it internally to the segments that genuinely need file and print sharing
  • Strengthen administrative passwords on host systems and follow best practice on password protection; the worm’s built-in dictionary only succeeds against weak ones
  • Monitor firewalls, IDS/IPS systems and hosts for the greatest protection
  • Educate users on strong password policies and on actively scanning new media, including memory sticks, with AV client products; disabling autorun on removable media removes that propagation path altogether

For further technical details, visit:

http://bt.counterpane.com/Risk_Assessment_W32.Conficker_Worm_Update2.pdf
